📋 Microsoft Entra Documentation Changes

Daily summary for changes since June 16th 2026, 12:22 AM PDT

Report generated on June 17th 2026, 12:22 AM PDT

📊 Summary

Total commits: 43
New files: 1
Modified files: 30
Deleted files: 0
Contributors: 9

🆕 New Documentation Files

+80 lines added
Commit: Add AI agent discovery (preview) doc for Global Secure Access (#13334)

πŸ“ Modified Documentation Files

Modified by Dickson Mwendia on Jun 16, 2026 9:53 AM
+33 / -11 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
---
title: How to configure daemon apps that call web APIs
description: Learn how to configure the code for your daemon application that calls web APIs (app configuration)
author: Dickson-Mwendia
manager: dougeby
ms.author: dmwendia
ms.date: 03/25/2025
ms.reviewer: jmprieur
ms.service: identity-platform
ms.subservice: workforce
ms.topic: how-to
#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
---
 
 
Daemon applications use application permissions rather than delegated permissions. So their supported account type can't be an account in any organizational directory or any personal Microsoft account (for example, Skype, Xbox, Outlook.com). There's no tenant admin to grant consent to a daemon application for a Microsoft personal account. You need to choose *accounts in my organization* or *accounts in any organization*.
 
The authority specified in the application configuration should include ypur tenant ID or a domain name associated with your organization.
 
Even if you want to provide a multitenant tool, you should use a tenant ID or domain name, and **not** `common` or `organizations` with this flow, because the service can't reliably infer which tenant should be used.
---
title: How to configure daemon apps that call web APIs
description: Learn how to configure daemon apps that call web APIs using secrets, certificates, or client assertions.
author: Dickson-Mwendia
manager: dougeby
ms.author: dmwendia
ms.date: 06/15/2026
ms.reviewer: jmprieur
ms.service: identity-platform
ms.subservice: workforce
ms.topic: how-to
ai-usage: ai-assisted
ms.custom: msecd-doc-authoring-1013
#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
---
 
 
Daemon applications use application permissions rather than delegated permissions. So their supported account type can't be an account in any organizational directory or any personal Microsoft account (for example, Skype, Xbox, Outlook.com). There's no tenant admin to grant consent to a daemon application for a Microsoft personal account. You need to choose *accounts in my organization* or *accounts in any organization*.
 
The authority specified in the application configuration should include your tenant ID or a domain name associated with your organization.
Modified by Dickson Mwendia on Jun 16, 2026 3:41 PM
+20 / -20 lines changed
Commit: Standardize naming to 'Microsoft Entra ID Auth SDK (sidecar)' (#13496)
Changes:
Before
After
---
title: Acquire tokens and call downstream APIs with Microsoft Entra SDK for Agent ID
titleSuffix: Microsoft Entra Agent ID
description: Learn how autonomous agents acquire tokens using the Microsoft Entra SDK for Agent ID to call downstream APIs independently.
ms.topic: how-to
ms.date: 11/05/2025
ms.reviewer: jmprieur
#Customer intent: As a developer building autonomous agents, I want to acquire tokens using the Microsoft Entra SDK for Agent ID so that my agents can independently call downstream APIs with proper authentication.
---
 
# Acquire tokens and call downstream APIs with Microsoft Entra SDK for Agent ID
 
The Microsoft Entra SDK for Agent ID is a containerized web service that handles token acquisition, validation, and downstream API calls for agents. This SDK communicates with your application through HTTP APIs, providing consistent integration patterns regardless of your technology stack. Instead of embedding identity logic directly in your application code, the Microsoft Entra SDK for Agent ID manages token acquisition, validation, and API calls through standard HTTP requests.
 
## Prerequisites
 
Before you begin, ensure you have:
 
- [Set up the Microsoft Entra SDK for Agent ID](/entra/msidweb/agent-id-sdk/installation)
- [An agent identity](./create-delete-agent-identities.md). Record the agent identity client ID.
---
title: Acquire tokens and call downstream APIs with Microsoft Entra ID Auth SDK (sidecar)
titleSuffix: Microsoft Entra Agent ID
description: Learn how autonomous agents acquire tokens using the Microsoft Entra ID Auth SDK (sidecar) to call downstream APIs independently.
ms.topic: how-to
ms.date: 11/05/2025
ms.reviewer: jmprieur
#Customer intent: As a developer building autonomous agents, I want to acquire tokens using the Microsoft Entra ID Auth SDK (sidecar) so that my agents can independently call downstream APIs with proper authentication.
---
 
# Acquire tokens and call downstream APIs with Microsoft Entra ID Auth SDK (sidecar)
 
The Microsoft Entra ID Auth SDK (sidecar) is a containerized web service that handles token acquisition, validation, and downstream API calls for agents. This SDK communicates with your application through HTTP APIs, providing consistent integration patterns regardless of your technology stack. Instead of embedding identity logic directly in your application code, the Microsoft Entra ID Auth SDK (sidecar) manages token acquisition, validation, and API calls through standard HTTP requests.
 
## Prerequisites
 
Before you begin, ensure you have:
 
- [Set up the Microsoft Entra ID Auth SDK (sidecar)](/entra/msidweb/agent-id-sdk/installation)
- [An agent identity](./create-delete-agent-identities.md). Record the agent identity client ID.
Modified by Dickson Mwendia on Jun 16, 2026 9:53 AM
+24 / -13 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 04/28/2026
ms.custom: agent-id, msecd-doc-authoring-1012
ai-usage: ai-assisted
 
#customer intent: As a developer building AI agents, I want to run the Microsoft Entra SDK auth sidecar locally so that I can see agent authentication working end-to-end before deploying to production.
 
# Run the sidecar for local development
 
This article shows how to run the [Microsoft Entra Auth SDK sidecar](https://mcr.microsoft.com/en-us/product/entra-sdk/auth-sidecar/about) in your local environment by using Docker Compose. You start a four-container stack - chat agent, sidecar, downstream weather API, and a local LLM ([Ollama](https://ollama.com)). Then you send a query through the chat UI and observe the full token flow from agent to API.
 
The sample demonstrates two execution modes and two identity flows:
 
 
## Clone the sample repository
 
Clone the repository and navigate to the `sidecar/dev` directory:
 
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 06/15/2026
ms.custom: agent-id, msecd-doc-authoring-1013
ai-usage: ai-assisted
 
#customer intent: As a developer building AI agents, I want to run the Microsoft Entra SDK auth sidecar locally so that I can see agent authentication working end-to-end before deploying to production.
 
# Run the sidecar for local development
 
This article shows how to run the [Microsoft Entra Auth SDK sidecar](https://mcr.microsoft.com/en-us/product/entra-sdk/auth-sidecar/about) in your local environment by using Docker Compose. You start a four-container stack - chat agent, sidecar, downstream weather API, and a local large language model (LLM) such as [Ollama](https://ollama.com). Then you send a query through the chat UI and observe the full token flow from agent to API. Before you begin, review the [Prerequisites](#prerequisites) for required tools, Microsoft Entra tenant objects, and local environment setup.
 
The sample demonstrates two execution modes and two identity flows:
 
 
## Clone the sample repository
 
Run the following commands to download the sample project and change into the sidecar directory, which contains the Docker Compose configuration and agent source code for this walkthrough:
 
+22 / -12 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 04/30/2026
ms.custom: agent-id, msecd-doc-authoring-1012
ai-usage: ai-assisted
#customer intent: As a developer or IT admin who built AI agents using standard app registrations, I want to migrate them to Microsoft Entra Agent ID so that I can take advantage of agent-specific governance, Conditional Access, and audit capabilities.
---
| **Migrate** | Create Agent ID resources (blueprint + agent identity) and update your agents to use them. | New agent identities running on Agent ID with matching permissions and credentials. |
| **Validate and decommission** | Confirm the new identity works end-to-end, parallel-run if needed, then retire the legacy identity with safeguards. | Legacy identities removed; agents running fully on Agent ID. |
 
## Phase 1: Discover
 
Before migrating anything, build a complete inventory of the agent-related identities in your tenant. Start with an organization-wide sweep to find all migration candidates, then narrow down to individual agents to capture the configuration details you need during migration.
 
### Organization-level inventory
 
Scan your tenant for all service principals that might represent AI agents. The goal is to create a structured report that surfaces usage signals and helps you classify each identity in the next phase.
 
 
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 06/15/2026
ms.custom: agent-id, msecd-doc-authoring-1013
ai-usage: ai-assisted
#customer intent: As a developer or IT admin who built AI agents using standard app registrations, I want to migrate them to Microsoft Entra Agent ID so that I can take advantage of agent-specific governance, Conditional Access, and audit capabilities.
---
| **Migrate** | Create Agent ID resources (blueprint + agent identity) and update your agents to use them. | New agent identities running on Agent ID with matching permissions and credentials. |
| **Validate and decommission** | Confirm the new identity works end-to-end, parallel-run if needed, then retire the legacy identity with safeguards. | Legacy identities removed; agents running fully on Agent ID. |
 
<a name="phase-1-discover"></a>
## Phase 1: Discover existing app registrations
 
Before migrating anything, build a complete inventory of the agent-related identities in your tenant. Start with an organization-wide sweep to find all migration candidates, then narrow down to individual agents to capture the configuration details you need during migration.
 
<a name="organization-level-inventory"></a>
### Create an organization-level inventory
 
Scan your tenant for all service principals that might represent AI agents. The goal is to create a structured report that surfaces usage signals and helps you classify each identity in the next phase.
Modified by Dickson Mwendia on Jun 16, 2026 9:53 AM
+22 / -11 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 05/14/2026
ms.custom: agent-id, msecd-doc-authoring-1012
ai-usage: ai-assisted
#customer intent: As an IT admin or Copilot Studio maker, I want to understand how to recreate my Copilot Studio agents with Microsoft Entra Agent ID so that I can take advantage of agent-specific governance, Conditional Access, and audit capabilities.
---
 
Some agents created in Microsoft Copilot Studio authenticate by using platform-managed service principals. These agents could have been created before Copilot Studio began automatically creating agent identities for all new agents, which happened on March 18, 2026. These agents could have also been created before your organization opted in to the [Microsoft Entra Agent ID integration with Copilot Studio](/microsoft-copilot-studio/admin-use-entra-agent-identities) or if your organization opted out of creating agent identities.
 
These service principals let agents communicate with Azure Bot Service, Microsoft Teams, and Bot Framework skills, but Microsoft Entra treats them as standard applications, not as AI agents. Adopting Microsoft Entra Agent ID gives you agent-specific governance, including Conditional Access policies, centralized audit logging, and lifecycle management.
 
This article describes the manual process of recreating Copilot Studio agents with Microsoft Entra Agent ID and decommissioning the legacy service principals. Because Copilot Studio manages the agent code, credentials, and deployment lifecycle, this process differs from custom-built agents. For agents where you own the code and identity configuration, see [Migrate custom app registrations to Agent ID](migrate-custom-app-registrations-to-agent-id.md).
 
 
## Prerequisites
 
- One or more Copilot Studio agents that use legacy service principals, created before March 18, 2026 or before your tenant opted in to Microsoft Entra Agent ID.
- Access to the **Copilot Studio admin center** and the **Microsoft Entra admin center**.
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 06/15/2026
ms.custom: agent-id, msecd-doc-authoring-1013
ai-usage: ai-assisted
#customer intent: As an IT admin or Copilot Studio maker, I want to understand how to recreate my Copilot Studio agents with Microsoft Entra Agent ID so that I can take advantage of agent-specific governance, Conditional Access, and audit capabilities.
---
 
Some agents created in Microsoft Copilot Studio authenticate by using platform-managed service principals. These agents could have been created before Copilot Studio began automatically creating agent identities for all new agents, which happened on March 18, 2026. These agents could have also been created before your organization opted in to the [Microsoft Entra Agent ID integration with Copilot Studio](/microsoft-copilot-studio/admin-use-entra-agent-identities) or if your organization opted out of creating agent identities.
 
These service principals let agents communicate with Azure Bot Service, Microsoft Teams, and Bot Framework skills, but Microsoft Entra treats these service principals as standard applications, not as AI agents. Adopting Microsoft Entra Agent ID gives you agent-specific governance, including Conditional Access policies, centralized audit logging, and lifecycle management.
 
This article describes the manual process of recreating Copilot Studio agents with Microsoft Entra Agent ID and decommissioning the legacy service principals. Because Copilot Studio manages the agent code, credentials, and deployment lifecycle, this process differs from custom-built agents. For agents where you own the code and identity configuration, see [Migrate custom app registrations to Agent ID](migrate-custom-app-registrations-to-agent-id.md).
 
 
## Prerequisites
 
Before you begin, make sure you meet the following requirements:
 
+23 / -10 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
author: Dickson-Mwendia
manager: dougeby
ms.author: dmwendia
ms.date: 01/15/2024
ms.service: identity-platform
ms.subservice: workforce
ms.topic: how-to
#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform for developers.
---
 
 
`AcquireTokenInteractive` has only one mandatory parameter, `scopes`. It contains an enumeration of strings that define the scopes for which a token is required. If the token is for Microsoft Graph, you can find the required scopes in the API reference of each Microsoft Graph API in the section named "Permissions." For instance, to [list the user's contacts](/graph/api/user-list-contacts), you must use both `User.Read` and `Contacts.Read` as the scope. For more information, see [Microsoft Graph permissions reference](/graph/permissions-reference).
 
On both desktop and mobile applications, it's important to specify the parent by using `.WithParentActivityOrWindow`. In many cases, it's a requirement and MSAL will throw exceptions.
 
For desktop applications, see [Parent window handles](./scenario-desktop-acquire-token-wam.md#parent-window-handles).
 
 
### Optional parameters in MSAL.NET
 
author: Dickson-Mwendia
manager: dougeby
ms.author: dmwendia
ms.date: 06/15/2026
ms.service: identity-platform
ms.subservice: workforce
ms.topic: how-to
ai-usage: ai-assisted
ms.custom: msecd-doc-authoring-1013
#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform for developers.
---
 
 
`AcquireTokenInteractive` has only one mandatory parameter, `scopes`. It contains an enumeration of strings that define the scopes for which a token is required. If the token is for Microsoft Graph, you can find the required scopes in the API reference of each Microsoft Graph API in the section named "Permissions." For instance, to [list the user's contacts](/graph/api/user-list-contacts), you must use both `User.Read` and `Contacts.Read` as the scope. For more information, see [Microsoft Graph permissions reference](/graph/permissions-reference).
 
On both desktop and mobile applications, it's important to specify the parent window or activity for the interactive sign-in UI by using `.WithParentActivityOrWindow`. In many cases, it's a requirement and MSAL will throw exceptions.
 
For desktop applications, see [Parent window handles](./scenario-desktop-acquire-token-wam.md#parent-window-handles).
 
 
Modified by Dickson Mwendia on Jun 16, 2026 9:53 AM
+20 / -9 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
author: Dickson-Mwendia
manager: dougeby
ms.author: dmwendia
ms.date: 03/25/2025
ms.reviewer: jmprieur
ms.service: identity-platform
ms.subservice: workforce
ms.topic: how-to
#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
---
 
 
[!INCLUDE [applies-to-workforce-only](../external-id/includes/applies-to-workforce-only.md)]
 
After you've constructed a confidential client application, you can acquire a token for the app by calling `AcquireTokenForClient`, passing the scope, and optionally forcing a refresh of the token.
 
## Scopes to request
 
The scope to request for a client credential flow is the name of the resource followed by `/.default`. This notation tells Microsoft Entra ID to use the *application-level permissions* declared statically during application registration. Also, these API permissions must be granted by a tenant administrator.
 
author: Dickson-Mwendia
manager: dougeby
ms.author: dmwendia
ms.date: 06/15/2026
ms.reviewer: jmprieur
ms.service: identity-platform
ms.subservice: workforce
ms.topic: how-to
ai-usage: ai-assisted
ms.custom: msecd-doc-authoring-1013
#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
---
 
 
[!INCLUDE [applies-to-workforce-only](../external-id/includes/applies-to-workforce-only.md)]
 
## Acquire a token for a confidential client application
 
Daemon applications and other confidential client apps that run without user interaction use the OAuth 2.0 client credentials flow to acquire app-only access tokens. This article explains how to configure the required scopes, call the `AcquireTokenForClient` API (or its platform equivalent) to acquire a token, and troubleshoot common errors. Before you proceed, make sure you've already created a confidential client application.
 
Modified by Dickson Mwendia on Jun 16, 2026 9:53 AM
+17 / -11 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
description: Deploy n8n on Azure Container Apps and secure AI agent workflows with Microsoft Entra Agent ID and Microsoft Graph MCP Server for Enterprise.
ms.service: entra
ms.topic: how-to
ms.date: 04/30/2026
author: Dickson-Mwendia
ms.author: dmwendia
ms.reviewer: astaykov
ms.custom: agent-id, msecd-doc-authoring-1012
 
#customer intent: As a developer or IT admin, I want to secure n8n workflows with Microsoft Entra Agent ID so that my n8n agents can access Microsoft Graph and MCP Server for Enterprise using agent identities.
 
 
This guide shows how to deploy [n8n](https://n8n.io/) on Azure Container Apps with Microsoft Entra Agent ID integration. The deployment uses the Azure Developer CLI (`azd`) to provision infrastructure, create Microsoft Entra identity objects, and configure n8n workflows automatically.
 
Unlike the [sidecar pattern](authentication-with-auth-sdk-sidecar.md) used for custom agents, this integration uses the [n8n-nodes-entraagentid](https://www.npmjs.com/package/@astaykov/n8n-nodes-entraagentid) community node to manage token acquisition directly within n8n workflows. The deployed workflows demonstrate both autonomous (app-only) and on-behalf-of (OBO) token flows, with access to Microsoft Graph and the Microsoft Graph MCP Server for Enterprise, `https://mcp.svc.cloud.microsoft/enterprise`.
 
> [!NOTE]
> This sample demonstrates the use of the `n8n-nodes-entraagentid` community node within n8n. It isn't guidance for deploying n8n on Azure in production.
- [Microsoft.Entra PowerShell module](/powershell/entra-powershell/) v1.2 or later.
- Git.
description: Deploy n8n on Azure Container Apps and secure AI agent workflows with Microsoft Entra Agent ID and Microsoft Graph MCP Server for Enterprise.
ms.service: entra
ms.topic: how-to
ms.date: 06/15/2026
author: Dickson-Mwendia
ms.author: dmwendia
ms.reviewer: astaykov
ms.custom: agent-id, msecd-doc-authoring-1013
ai-usage: ai-assisted
 
#customer intent: As a developer or IT admin, I want to secure n8n workflows with Microsoft Entra Agent ID so that my n8n agents can access Microsoft Graph and MCP Server for Enterprise using agent identities.
 
 
This guide shows how to deploy [n8n](https://n8n.io/) on Azure Container Apps with Microsoft Entra Agent ID integration. The deployment uses the Azure Developer CLI (`azd`) to provision infrastructure, create Microsoft Entra identity objects, and configure n8n workflows automatically.
 
Unlike the [Authentication with Microsoft Entra Auth SDK sidecar](authentication-with-auth-sdk-sidecar.md) pattern used for custom agents, the n8n integration uses the [n8n-nodes-entraagentid](https://www.npmjs.com/package/@astaykov/n8n-nodes-entraagentid) community node to manage token acquisition directly within n8n workflows. The deployed workflows demonstrate both autonomous (app-only) and on-behalf-of (OBO) token flows, with access to Microsoft Graph and the Microsoft Graph MCP Server for Enterprise, `https://mcp.svc.cloud.microsoft/enterprise`.
 
> [!NOTE]
> This sample demonstrates the use of the `n8n-nodes-entraagentid` community node within n8n. It isn't guidance for deploying n8n on Azure in production.
- [Microsoft.Entra PowerShell module](/powershell/entra-powershell/) v1.2 or later.
Modified by Jackline Omondi on Jun 16, 2026 2:51 PM
+16 / -9 lines changed
Commit: Update what's new in application management for June 2026 (#13493)
Changes:
Before
After
---
title: What's new in Microsoft Entra application management
description: This article shows the new and updated documentation for the Microsoft Entra application management.
ms.date: 01/16/2026
ms.topic: whats-new
 
#customer intent: As an IT admin responsible for managing applications in Microsoft Entra ID, I want to stay updated on new documentation and significant updates, so that I can effectively manage and troubleshoot application-related issues in the platform.
 
Welcome to what's new in Microsoft Entra application management documentation. This article lists new docs and those articles that had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Microsoft Entra ID](~/fundamentals/whats-new.md).
 
## December 2025
 
### New articles
 
- [Deactivate an enterprise application](deactivate-application-portal.md)
 
## November 2025
 
### New articles
 
---
title: What's new in Microsoft Entra application management
description: This article shows the new and updated documentation for the Microsoft Entra application management.
ms.date: 06/16/2026
ms.topic: whats-new
 
#customer intent: As an IT admin responsible for managing applications in Microsoft Entra ID, I want to stay updated on new documentation and significant updates, so that I can effectively manage and troubleshoot application-related issues in the platform.
 
Welcome to what's new in Microsoft Entra application management documentation. This article lists new docs and those articles that had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Microsoft Entra ID](~/fundamentals/whats-new.md).
 
## May 2026
 
No updates for this month.
 
## April 2026
 
### Updated articles
 
- Performed copy edit pass to improve clarity and readability on the following articles:
 
+14 / -10 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 03/30/2026
ms.reviewer: jomondi, dastrock
 
#customer-intent: As a developer building autonomous agents, I want to authenticate my agent, grant it application permissions, and optionally create an agent's user account, so that my agent can operate independently and access Microsoft Graph and other resources.
---
 
# Authenticate and acquire tokens for autonomous agents
 
### [Microsoft.Identity.Web](#tab/microsoft-identity-web)
 
For production, use a managed identity as a federated identity credential:
 
```json
{
 
### [Microsoft Graph API](#tab/Microsoft-graph-api)
 
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 06/15/2026
ms.reviewer: jomondi, dastrock
 
#customer-intent: As a developer building autonomous agents, I want to authenticate my agent, grant it application permissions, and optionally create an agent's user account, so that my agent can operate independently and access Microsoft Graph and other resources.
ai-usage: ai-assisted
ms.custom: msecd-doc-authoring-1013
---
 
# Authenticate and acquire tokens for autonomous agents
 
### [Microsoft.Identity.Web](#tab/microsoft-identity-web)
 
Configure *Microsoft.Identity.Web* to authenticate your agent identity blueprint using a federated identity credential. For production, use a managed identity as the federated identity credential:
 
```json
{
 
+10 / -9 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
---
title: Acquire a token to call a web API using username and password (desktop app)
description: Learn how to build a desktop app that calls web APIs to acquire a token for the app using username and password.
author: Dickson-Mwendia
manager: dougeby
ms.author: dmwendia
ms.date: 01/15/2024
ms.service: identity-platform
ms.subservice: workforce
ms.topic: how-to
#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
---
 
In your desktop applications, you can use the username and password flow, also known as Resource Owner Password Credentials (ROPC), to acquire a token silently.
 
>[!WARNING]
> The username and password flow has been deprecated due to security risks. Microsoft recommends using a more secure authentication flow. Follow the guidance on how to [Migrate from ROPC](https://aka.ms/msal-ropc-migration). For more information about the risks and challenges the ROPC flow poses, refer to ["What's the solution to the growing problem of passwords?"](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/).
 
Additionally, by using a username and password, developers give up a number of things, including:
 
---
title: Acquire a token to call a web API using username and password (desktop app)
description: Understand how the username and password (ROPC) flow works in desktop apps, why it is deprecated, and how to migrate to more secure authentication flows.
author: Dickson-Mwendia
manager: dougeby
ms.author: dmwendia
ms.date: 06/15/2026
ms.service: identity-platform
ms.subservice: workforce
ms.topic: how-to
ai-usage: ai-assisted
ms.custom: msecd-doc-authoring-1013
#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
---
 
In your desktop applications, you can use the username and password flow, also known as Resource Owner Password Credentials (ROPC), to acquire a token silently.
 
>[!WARNING]
> The username and password flow has been deprecated due to security risks. Microsoft recommends using a more secure authentication flow. Follow the guidance on how to [Migrate away from the resource owner password credentials (ROPC) flow](https://aka.ms/msal-ropc-migration). For more information about the risks and challenges the ROPC flow poses, refer to ["What's the solution to the growing problem of passwords?"](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/).
 
Modified by Ken Withee on Jun 16, 2026 7:13 PM
+15 / -3 lines changed
Commit: Clarify assignedPlans dynamic membership guidance
Changes:
Before
After
| `jobTitle` |Any string value or `null` | ```user.jobTitle -eq "value"``` |
| `mail` |Any string value or `null` (SMTP address of the user) | ```user.mail -eq "value"```<br><br>```user.mail -notEndsWith "@Contoso.com"``` |
| `mailNickName` |Any string value (mail alias of the user) | ```user.mailNickName -eq "value"```<br><br>```user.mailNickname -endsWith "-vendor"``` |
| `memberOf` | Any string value (valid group object ID) | ```user.memberOf -any (group.objectId -in ['value'])``` |
| `mobile` |Any string value or `null` | ```user.mobile -eq "value"```|
| `objectId` |GUID of the user object | ```user.objectId -eq "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"```|
| `onPremisesDistinguishedName` | Any string value or `null` | ```user.onPremisesDistinguishedName -eq "value"```|
 
##### Example 1
 
`assignedPlans` is a multi-value property that lists all service plans assigned to the user. The following expression selects users who have the Exchange Online (Plan 2) service plan (as a GUID value) that's also in an `Enabled` state:
 
```
user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled")
```
 
You can use a rule like this one to group all users for whom a Microsoft 365 or other Microsoft Online Services capability is enabled. You could then apply the rule with a set of policies to the group.
 
##### Example 2
 
| `jobTitle` |Any string value or `null` | ```user.jobTitle -eq "value"``` |
| `mail` |Any string value or `null` (SMTP address of the user) | ```user.mail -eq "value"```<br><br>```user.mail -notEndsWith "@Contoso.com"``` |
| `mailNickName` |Any string value (mail alias of the user) | ```user.mailNickName -eq "value"```<br><br>```user.mailNickname -endsWith "-vendor"``` |
| `memberOf` | Array of strings (group object GUIDs) | ```user.memberOf -any (group.objectId -in ['value'])``` |
| `mobile` |Any string value or `null` | ```user.mobile -eq "value"```|
| `objectId` |GUID of the user object | ```user.objectId -eq "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"```|
| `onPremisesDistinguishedName` | Any string value or `null` | ```user.onPremisesDistinguishedName -eq "value"```|
 
##### Example 1
 
`assignedPlans` is a multi-value property that lists all service plans assigned to the user. Service plans aren't the same as licenses or products. For more information, see [Product names and service plan identifiers for licensing](/entra/identity/users/licensing-service-plan-reference).
 
To find the service plan IDs assigned to a user, use Microsoft Graph PowerShell with the `Organization.Read.All` permission:
 
```powershell
Get-MgUser -UserId [email protected] -Property assignedPlans |
Select-Object -ExpandProperty assignedPlans |
Select-Object service, servicePlanId, capabilityStatus | Format-List
```
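Review bot: the PowerShell snippet added to Example 1 has a mangled placeholder and no sign-in step. `Get-MgUser -UserId [email protected]` reads like an obfuscated address rather than a placeholder; use an explicit one such as `user@contoso.com`. The sentence above it says the query needs the `Organization.Read.All` permission, but the snippet never requests it; prefix the pipeline with `Connect-MgGraph -Scopes "Organization.Read.All"` so the stated permission is actually consented. Also, the `mailNickName` row (unchanged in both versions) spells the property `user.mailNickName` in one example and `user.mailNickname` in the other; pick one spelling so the two examples match.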
 
Modified by Ken Withee on Jun 16, 2026 8:29 PM
📖 View on learn.microsoft.com

+5 / -1 lines changed
Commit: Add stale object note to dynamic group guidance
Changes:
Before
After
ms.topic: concept-article
ms.date: 04/08/2025
ms.reviewer: mbhargava
---
 
# Understand and manage dynamic group processing in Microsoft Entra ID
 
- **Number of object changes**: A high volume of user or device changes can create a long processing queue and extend the processing time. Examples include changes to extension attributes, device additions or removals, and bulk user updates.
 
- **Rule configuration**: Certain rule configurations can affect processing time. For instance, the choice of inefficient operators like `Match`, `Contains`, or `memberOf` can increase processing time. Rule complexity is also a contributing factor.
 
## Best practices for dynamic membership groups in your tenant
 
 
 
 
 
ms.topic: concept-article
ms.date: 04/08/2025
ms.reviewer: mbhargava
ai-usage: ai-assisted
---
 
# Understand and manage dynamic group processing in Microsoft Entra ID
 
- **Number of object changes**: A high volume of user or device changes can create a long processing queue and extend the processing time. Examples include changes to extension attributes, device additions or removals, and bulk user updates.
 
- **Rule configuration**: Certain rule configurations can affect processing time. For instance, the choice of inefficient operators like `Match`, `Contains`, or `memberOf` can increase processing time. Rule complexity is also a contributing factor.
 
> [!NOTE]
> Stale devices and inactive user accounts can remain in scope for dynamic membership rules and can be added to groups when they satisfy the rule conditions. Review and clean up [stale devices](/entra/identity/devices/manage-stale-devices) and [inactive users](/entra/identity/monitoring-health/howto-manage-inactive-user-accounts) so your dynamic groups include only the objects you intend to manage.
 
## Best practices for dynamic membership groups in your tenant
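Review bot: the new note says stale devices and inactive users can be added to groups "when they satisfy the rule conditions" but does not say why cleanup is the fix; add one sentence making explicit that rule evaluation looks only at the object's attribute values, so a device or account that is merely unused still matches, which is why the linked cleanup guidance is needed. Separately, the content changed but `ms.date: 04/08/2025` was not bumped, while the other commit on this page updates `ms.date` alongside its edits; update it here too.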
 
Modified by Dickson Mwendia on Jun 16, 2026 3:41 PM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: Standardize naming to 'Microsoft Entra ID Auth SDK (sidecar)' (#13496)
Changes:
Before
After
 
### Traditional service principal (not recommended for AI agents)
 
Traditional service principals were designed for static, deterministic workloads. Microsoft Entra Agent ID exists because service principals lack the governance infrastructure AI agents need.There's no enforced sponsorship, no agent-aware audit entries, and no blueprint-managed lifecycle. For more information, see [Agent identities, service principals, and applications](agent-service-principals.md).
 
### Regular user account (not recommended for AI agents)
 
 
For more information, see [Administrative relationships for agent identities (Owners, sponsors, and managers)](agent-owners-sponsors-managers.md)
 
## Microsoft Entra SDK for agent ID
 
The Microsoft Entra SDK for Agent ID is a containerized web service that handles token acquisition, validation, and secure downstream API calls for agents registered in the Microsoft identity platform. It runs as a companion container alongside your application, allowing you to offload identity logic to a dedicated service. For more information, see [Microsoft Entra SDK for Agent ID](/entra/msidweb/agent-id-sdk/overview).
 
## Related content
 
 
### Traditional service principal (not recommended for AI agents)
 
Traditional service principals were designed for static, deterministic workloads. Microsoft Entra Agent ID exists because service principals lack the governance infrastructure AI agents need. There's no enforced sponsorship, no agent-aware audit entries, and no blueprint-managed lifecycle. For more information, see [Agent identities, service principals, and applications](agent-service-principals.md).
 
### Regular user account (not recommended for AI agents)
 
 
For more information, see [Administrative relationships for agent identities (Owners, sponsors, and managers)](agent-owners-sponsors-managers.md)
 
## Microsoft Entra ID Auth SDK (sidecar)
 
The Microsoft Entra ID Auth SDK (sidecar) is a containerized web service that handles token acquisition, validation, and secure downstream API calls for agents registered in the Microsoft identity platform. It runs as a companion container alongside your application, allowing you to offload identity logic to a dedicated service. For more information, see [Microsoft Entra ID Auth SDK (sidecar)](/entra/msidweb/agent-id-sdk/overview).
 
## Related content
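Review bot: the heading and link text are renamed to "Microsoft Entra ID Auth SDK (sidecar)", but the link target `/entra/msidweb/agent-id-sdk/overview` still carries the old `agent-id-sdk` path; confirm that the target page keeps that path or that a redirect exists, otherwise the renamed link will break. Minor style point, present in both versions: the line `For more information, see [Administrative relationships for agent identities (Owners, sponsors, and managers)](agent-owners-sponsors-managers.md)` is missing its terminal period.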
 
+4 / -1 lines changed
Commit: Improve Entra IdP docs per AIRA dashboard
Changes:
Before
After
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 06/03/2026
ms.reviewer: dastrock, jomondi
ai-usage: ai-assisted
 
#customer-intent: As a developer building interactive agents, I want to authenticate users, configure authorization, and acquire tokens through the On-Behalf-Of flow, so that my agent can securely act on behalf of users to access protected resources.
---
 
# Authenticate users and acquire tokens for interactive agents
 
##### [Microsoft Graph PowerShell](#tab/microsoft-graph-powershell)
 
```powershell
Connect-MgGraph -Scopes "AgentIdentityBlueprint.ReadWrite.All" -TenantId <your-test-tenant>
 
 
 
 
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 06/15/2026
ms.reviewer: dastrock, jomondi
ai-usage: ai-assisted
 
#customer-intent: As a developer building interactive agents, I want to authenticate users, configure authorization, and acquire tokens through the On-Behalf-Of flow, so that my agent can securely act on behalf of users to access protected resources.
ms.custom: msecd-doc-authoring-1013
---
 
# Authenticate users and acquire tokens for interactive agents
 
##### [Microsoft Graph PowerShell](#tab/microsoft-graph-powershell)
 
Use Microsoft Graph PowerShell to update the agent identity blueprint with the redirect URI.
 
```powershell
Connect-MgGraph -Scopes "AgentIdentityBlueprint.ReadWrite.All" -TenantId <your-test-tenant>
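Review bot: `ms.custom: msecd-doc-authoring-1013` is inserted after the blank line and the `#customer-intent:` comment instead of with the other metadata keys; move it up next to `ai-usage: ai-assisted` so the frontmatter keys stay grouped and the comment remains the last item before `---`. The new lead-in sentence before the PowerShell tab reads well and matches the `AgentIdentityBlueprint.ReadWrite.All` scope the snippet requests.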