MODIFIED docs/fundamentals/entra-admin-center.md

Modified by shlipsey3 on Jun 18, 2026 7:49 PM
📖 View on learn.microsoft.com

+4 / -15 lines changed

Commit: fine-tune

Changes:

Before

After

 
- **[Entra ID](#entra-id)** — Manage users, groups, devices, applications, roles, and authentication methods.
- **[ID Protection](#id-protection)** — Monitor and respond to identity-based risks with risk policies and reports.
- **[Identity Governance](#identity-governance)** — Control access lifecycle with entitlement management, access reviews, and lifecycle workflows.
- **[Verified ID](#verified-id)** — Issue and manage verifiable credentials.
- **[Global Secure Access](#global-secure-access)** — Secure access to apps and resources with Private Access and Internet Access.
- **[Agent ID](#agent-id)** — Create and manage identities for AI agents, with built-in governance, protection, and access controls.
 
## Explore the Microsoft Entra admin center
 
 
* [Users and groups](~/identity/users/directory-overview-user-model.md)
* [Devices](~/identity/devices/overview.md)
* [Enterprise applications](~/identity/enterprise-apps/what-is-application-management.md)
* [App registrations](~/identity-platform/application-model.md)
* [Roles and admins](~/identity/role-based-access-control/custom-overview.md)
* [Risky users](~/id-protection/howto-identity-protection-investigate-risk.md)
* [Risky workload identities](~/id-protection/concept-workload-identity-risk.md)
 
### Identity governance

 
- **[Entra ID](#entra-id)** — Manage users, groups, devices, applications, roles, and authentication methods.
- **[ID Protection](#id-protection)** — Monitor and respond to identity-based risks with risk policies and reports.
- **[ID Governance](#id-governance)** — Control access lifecycle with entitlement management, access reviews, and lifecycle workflows.
- **[Verified ID](#verified-id)** — Issue and manage verifiable credentials.
- **[Global Secure Access](#global-secure-access)** — Secure access to apps and resources with Private Access and Internet Access.
 
## Explore the Microsoft Entra admin center
 
 
* [Users and groups](~/identity/users/directory-overview-user-model.md)
* [Devices](~/identity/devices/overview.md)
* [Agents](~/agent-id/what-is-microsoft-entra-agent-id.md)
* [Enterprise applications](~/identity/enterprise-apps/what-is-application-management.md)
* [App registrations](~/identity-platform/application-model.md)
* [Roles and admins](~/identity/role-based-access-control/custom-overview.md)
* [Risky users](~/id-protection/howto-identity-protection-investigate-risk.md)
* [Risky workload identities](~/id-protection/concept-workload-identity-risk.md)
 
### ID Governance

MODIFIED docs/includes/definitions/entra-offerings.md

Modified by shlipsey3 on Jun 18, 2026 5:41 PM
📖 View on learn.microsoft.com

+12 / -6 lines changed

Commit: e7-licensing-061826 (#13548)

Changes:

Before

After

>The licensing options on this page aren't comprehensive. You can get detailed information about the various options at the [Microsoft Entra pricing page](https://www.microsoft.com/security/business/microsoft-entra-pricing) and at the [Compare Microsoft 365 Enterprise plans and pricing page](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing).
 
 
**Microsoft Entra ID Free** - Included with Microsoft cloud subscriptions such as Microsoft Azure, Microsoft 365, and others.
 
**Microsoft Entra ID P1** - Microsoft Entra ID P1 is available as a standalone product or included with Microsoft 365 E3, F1, F3, and Enterprise Mobility + Security E3 for enterprise customers. Entra ID P1 is also included in Microsoft 365 Business Premium for small to medium businesses.
 
**Microsoft Entra ID P2** - Microsoft Entra ID P2 is available as a standalone product. It is also included with the following offers for enterprise customers:
 
- Microsoft 365 E5
- Microsoft Defender Suite (formerly Microsoft 365 E5 Security)
- Microsoft Defender Suite FLW
- Microsoft Defender + Purview Suite FLW
- Enterprise Mobility + Security E5
 
Entra ID P2 is also included in Microsoft Defender Suite for Microsoft 365 Business Premium and Microsoft Defender and Purview Suites for Microsoft 365 Business Premium for small to medium businesses.
 
**Microsoft Entra Suite** - The suite combines Microsoft Entra products to secure access for your employees. It allows administrators to provide secure access from anywhere to any app or resource whether cloud or on-premises, while ensuring least privilege access. A Microsoft Entra ID P1 subscription is required. The Microsoft Entra suite includes five products:
 
- Microsoft Entra Private Access

>The licensing options on this page aren't comprehensive. You can get detailed information about the various options at the [Microsoft Entra pricing page](https://www.microsoft.com/security/business/microsoft-entra-pricing) and at the [Compare Microsoft 365 Enterprise plans and pricing page](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing).
 
 
**Microsoft Entra ID Free**: Included with Microsoft cloud subscriptions such as Microsoft Azure, Microsoft 365, and others.
 
**Microsoft Entra ID P1**: Microsoft Entra ID P1 is available as a standalone product. It is also included with the following offers for enterprise customers:
 
- Microsoft 365 E3, E5, E7
- Microsoft 365 F1, F3
- Enterprise Mobility + Security E3
 
Entra ID P1 is also included in Microsoft 365 Business Premium for small to medium businesses.
 
**Microsoft Entra ID P2**: Microsoft Entra ID P2 is available as a standalone product. It is also included with the following offers for enterprise customers:
 
- Microsoft 365 E5, E7
- Microsoft Defender Suite (formerly Microsoft 365 E5 Security)
- Microsoft Defender Suite FLW
- Microsoft Defender + Purview Suite FLW
- Enterprise Mobility + Security E5

MODIFIED docs/identity/users/groups-bulk-import-members.md

Modified by Ken Withee on Jun 18, 2026 10:19 PM
📖 View on learn.microsoft.com

+7 / -10 lines changed

Commit: Clarify group member bulk CSV templates (#13558)

Changes:

Before

After

---
title: Bulk upload to add or create members of a group
description: Add group members in bulk by using a comma-separated values (CSV) file.
ms.date: 12/05/2025
ms.topic: how-to
ms.custom: it-pro, sfi-image-nochange
ms.reviewer: jeffsta
---
 
## Understand the CSV template
 
Download and fill in the bulk upload CSV template to successfully add Microsoft Entra group members in bulk. Your CSV template might look like this example:
 
:::image type="content" source="./media/groups-bulk-import-members/template-with-callouts.png" alt-text="Screenshot that shows the spreadsheet for upload and call-outs explaining the purpose and values for each row and column.":::
 
### CSV template structure
 
The rows in a downloaded CSV template are:
 
- **Column headings**: The format of the column headings is &lt;*Item name*&gt; [PropertyName] &lt;*Required or blank*&gt;. An example is `Member object ID or user principal name [memberObjectIdOrUpn] Required`. Some older versions of the template might have slight variations. For group membership changes, you can use either the member object ID or the user principal name (UPN).

---
title: Bulk add group members by uploading a CSV file
description: Add group members in bulk by using a comma-separated values (CSV) file.
ms.date: 06/18/2026
ms.topic: how-to
ai-usage: ai-assisted
ms.custom: it-pro, sfi-image-nochange
ms.reviewer: jeffsta
---
 
## Understand the CSV template
 
Download and fill in the bulk upload CSV template to successfully add Microsoft Entra group members in bulk. Use the template that you download for the group member import operation. The current group member template starts with the column header, not a `version:v1.0` row.
 
### CSV template structure
 
The rows in a downloaded CSV template are:
 
- **Column headings**: Preserve the full downloaded column header exactly as-is. The property name in brackets is only one part of the header, so don't replace the full header with only `memberObjectIdOrUpn`. The current group member import header is `Member object ID or user principal name [memberObjectIdOrUpn] Required`. For group membership changes, you can use either the member object ID or the user principal name (UPN) in the rows under this header.
- **Examples row**: If the template includes a row of example values, such as `Example: 9832aad8-e4fe-496b-a604-95c6eF01ae75`, remove the examples row and replace it with your own entries.

MODIFIED docs/identity/users/groups-bulk-remove-members.md

Modified by Ken Withee on Jun 18, 2026 10:19 PM
📖 View on learn.microsoft.com

+6 / -9 lines changed

Commit: Clarify group member bulk CSV templates (#13558)

Changes:

Before

After

---
title: Bulk remove group members by uploading a CSV file
description: Remove group members in bulk operations by using a comma-separated values (CSV) file.
ms.date: 12/05/2025
ms.topic: how-to
ms.custom: it-pro, sfi-image-nochange
ms.reviewer: jeffsta
---
 
## Understand the CSV template
 
Download and fill in the bulk upload CSV template to successfully remove Microsoft Entra group members in bulk. Your CSV template might look like this example:
 
:::image type="content" source="./media/groups-bulk-remove-members/template-example.png" alt-text="Screenshot that shows the spreadsheet for upload and call-outs explaining the purpose and values for each row and column.":::
 
### CSV template structure
 
The rows in a downloaded CSV template are:
 
- **Column headings**: The format of the column headings is &lt;*Item name*&gt; [PropertyName] &lt;*Required or blank*&gt;. An example is `Member object ID or user principal name [memberObjectIdOrUpn] Required`. Some older versions of the template might have slight variations. For group membership changes, you can use either the member object ID or the user principal name (UPN).

---
title: Bulk remove group members by uploading a CSV file
description: Remove group members in bulk operations by using a comma-separated values (CSV) file.
ms.date: 06/18/2026
ms.topic: how-to
ai-usage: ai-assisted
ms.custom: it-pro, sfi-image-nochange
ms.reviewer: jeffsta
---
 
## Understand the CSV template
 
Download and fill in the bulk upload CSV template to successfully remove Microsoft Entra group members in bulk. Use the template that you download for the group member removal operation. The current group member template starts with the column header, not a `version:v1.0` row.
 
### CSV template structure
 
The rows in a downloaded CSV template are:
 
- **Column headings**: Preserve the full downloaded column header exactly as-is. The property name in brackets is only one part of the header, so don't replace the full header with only `memberObjectIdOrUpn`. The current group member removal header is `Member object ID or user principal name [memberObjectIdOrUpn] Required`. For group membership changes, you can use either the member object ID or the user principal name (UPN) in the rows under this header.
- **Examples row**: If the template includes a row of example values, such as `Example: 9832aad8-e4fe-496b-a604-95c6eF01ae75`, remove the examples row and replace it with your own entries.

MODIFIED docs/fundamentals/add-custom-domain.md

Modified by Ken Withee on Jun 18, 2026 4:40 PM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: Clarify add custom domain wording

Changes:

Before

After

title: Add your custom domain
description: Instructions about how to add your custom domain name to your tenant.
ms.topic: how-to
ms.date: 12/04/2025
ms.reviewer: elkuzmen
ms.custom: ge-structured-content-pilot, sfi-ga-nochange
#Customer Intent: As an IT admin, I want to add a custom domain to my Microsoft Entra tenant so that I can use my organization's domain name for user accounts.
> [!TIP]
> If you plan to federate on-premises Windows Server Active Directory with Microsoft Entra ID, then you need to select **I plan to configure this domain for single sign-on with my local Active Directory** when you run the Microsoft Entra Connect tool to synchronize your directories.
>
> You also need to register the same domain name you select for federating with your on-premises directory in the **Microsoft Entra Domain** step in the wizard. To see what that setup looks like, see [Verify the domain selected for federation](~/identity/hybrid/connect/how-to-connect-install-custom.md#verify-the-azure-ad-domain-selected-for-federation). If you don't have the Microsoft Entra Connect tool, you can download the latest version from the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted) under the **Manage** tab of the **Microsoft Entra Connect | Get started** page.
 
## Add your custom domain name
 
1. Go back to your domain registrar and create a new TXT or MX record for your domain based on your copied DNS information. Set the time to live (TTL) to 3600 seconds (60 minutes), and then save the record.
 
> [!IMPORTANT]
> You can register as many domain names as you want. However, each domain gets its own TXT or MX record. Be careful when you enter the information at the domain registrar. If you enter the wrong or duplicate information by mistake, you'll have to wait until the TTL times out (60 minutes) before you can try again.
 
## Verify your custom domain name

title: Add your custom domain
description: Instructions about how to add your custom domain name to your tenant.
ms.topic: how-to
ms.date: 06/18/2026
ms.reviewer: elkuzmen
ms.custom: ge-structured-content-pilot, sfi-ga-nochange
#Customer Intent: As an IT admin, I want to add a custom domain to my Microsoft Entra tenant so that I can use my organization's domain name for user accounts.
> [!TIP]
> If you plan to federate on-premises Windows Server Active Directory with Microsoft Entra ID, then you need to select **I plan to configure this domain for single sign-on with my local Active Directory** when you run the Microsoft Entra Connect tool to synchronize your directories.
>
> You also need to add and verify the same domain name you select for federating with your on-premises directory in the **Microsoft Entra Domain** step in the wizard. To see what that setup looks like, see [Verify the domain selected for federation](~/identity/hybrid/connect/how-to-connect-install-custom.md#verify-the-azure-ad-domain-selected-for-federation). If you don't have the Microsoft Entra Connect tool, you can download the latest version from the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted) under the **Manage** tab of the **Microsoft Entra Connect | Get started** page.
 
## Add your custom domain name
 
1. Go back to your domain registrar and create a new TXT or MX record for your domain based on your copied DNS information. Set the time to live (TTL) to 3600 seconds (60 minutes), and then save the record.
 
> [!IMPORTANT]
> You can add as many custom domain names as you need. However, each domain gets its own TXT or MX record. Be careful when you enter the information at the domain registrar. If you enter the wrong or duplicate information by mistake, you'll have to wait until the TTL times out (60 minutes) before you can try again.
 
## Verify your custom domain name

MODIFIED docs/includes/licensing-agent-id.md

Modified by shlipsey3 on Jun 18, 2026 5:41 PM
📖 View on learn.microsoft.com

+4 / -4 lines changed

Commit: e7-licensing-061826 (#13548)

Changes:

Before

After

---
title: Microsoft Entra Agent ID licensing
description: Microsoft Entra Agent ID licensing details
author: garrodonnell
ms.service: entra
ms.topic: include
ms.date: 05/14/2026
ms.author: godonnell
ms.custom: include file
---
 
Microsoft Entra Agent ID is a product within Microsoft Entra that provides the platform for creating and managing agent identities and agent identity blueprints. Agent ID is available for all Microsoft Entra customers.
 
Integration with [Microsoft Agent 365](/microsoft-agent-365/overview) enables agents to operate across Microsoft 365 services and enterprise workflows, which requires a **Microsoft Agent 365** license for each user. For pricing details, see [Microsoft Agent 365 plans and pricing](https://www.microsoft.com/microsoft-agent-365#plans-and-pricing).
 
Technical requirements that enable the security features for agents within Microsoft Entra require **Microsoft 365 E5** or the following licensing:
 
- **Conditional Access for agents**: Microsoft Entra ID P1
- **ID Protection for agents**: Microsoft Entra ID P2

---
title: Microsoft Entra Agent ID licensing
description: Microsoft Entra Agent ID licensing details
author: shlipsey3
ms.service: entra
ms.topic: include
ms.date: 05/14/2026
ms.author: sarahlipsey
ms.custom: include file
---
 
Microsoft Entra Agent ID is a product within Microsoft Entra that provides the platform for creating and managing agent identities and agent identity blueprints. Agent ID is available for all Microsoft Entra customers.
 
[Microsoft Agent 365](/microsoft-agent-365/overview) enables agents to operate across Microsoft 365 services and enterprise workflows, which requires a **Microsoft Agent 365** license for each user. For pricing details, see [Microsoft Agent 365 plans and pricing](https://www.microsoft.com/microsoft-agent-365#plans-and-pricing).
 
Extending Microsoft Entra security features to agents requires **Microsoft 365 E7** (includes Agent 365 and Microsoft Entra Suite) or **Microsoft 365 E5** paired with a **Microsoft Agent 365** license. Customers without E5 or E7 can use the following standalone licensing options with a **Microsoft Agent 365** license:
 
- **Conditional Access for agents**: Microsoft Entra ID P1
- **ID Protection for agents**: Microsoft Entra ID P2

MODIFIED docs/fundamentals/what-is-entra.md

Modified by shlipsey3 on Jun 18, 2026 7:49 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: fine-tune

Changes:

Before

After

description: Introduction to the Microsoft Entra product family including links to get started.
ai-usage: ai-assisted
ms.topic: overview
ms.date: 04/09/2026
# Customer intent: As a new customer, I want an overview of all Microsoft Entra products including links to get started.
---
# What is Microsoft Entra?
 
#### Microsoft Entra Agent ID
 
[Microsoft Entra Agent ID](~/agent-id/what-is-microsoft-entra-agent-id.md) is an identity and security framework that extends Microsoft Entra capabilities to AI agents. As organizations deploy assistive, autonomous, and user-like agents, Agent ID provides purpose-built identity constructs to authenticate, authorize, govern, and protect these nonhuman identities at enterprise scale.
 
> **Scenario:** An organization deploys AI agents that access corporate data on behalf of users. Agent ID provides each agent with a governed identity, enforces least-privilege access, and maintains an audit trail of the agent's actions.
 
## Prepare your environment
 

description: Introduction to the Microsoft Entra product family including links to get started.
ai-usage: ai-assisted
ms.topic: overview
ms.date: 06/18/2026
# Customer intent: As a new customer, I want an overview of all Microsoft Entra products including links to get started.
---
# What is Microsoft Entra?
 
#### Microsoft Entra Agent ID
 
[Microsoft Entra Agent ID](~/agent-id/what-is-microsoft-entra-agent-id.md) is an identity and security framework that extends Microsoft Entra capabilities to AI agents. As organizations deploy assistive, autonomous, and user-like agents, Entra Agent ID provides purpose-built identity constructs to authenticate, authorize, govern, and protect these nonhuman identities at enterprise scale.
 
> **Scenario:** An organization deploys AI agents that access corporate data on behalf of users. Entra Agent ID provides each agent with a governed identity, enforces least-privilege access, and maintains an audit trail of the agent's actions.
 
## Prepare your environment
 

MODIFIED docs/fundamentals/licensing.md

Modified by shlipsey3 on Jun 18, 2026 5:41 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: e7-licensing-061826 (#13548)

Changes:

Before

After

title: Microsoft Entra licensing
description: This article documents licensing requirements for Microsoft Entra features.
ms.topic: concept-article
ms.date: 12/01/2025
#Customer Intent: As an IT admin, I want to understand Microsoft Entra licensing so that I can choose the right license tier for my organization's needs.
---
 
 
## Microsoft Entra Internet Access
 
[Microsoft Entra Internet Access](../global-secure-access/overview-what-is-global-secure-access.md) is available on its own or as part of the Microsoft Entra Suite.
 
## Microsoft Entra monitoring and health
 
 
## Microsoft Entra Private Access
 
[Microsoft Entra Private Access](../global-secure-access/overview-what-is-global-secure-access.md) is available on its own or as part of the Microsoft Entra Suite.
 
## Microsoft Entra Privileged Identity Management

title: Microsoft Entra licensing
description: This article documents licensing requirements for Microsoft Entra features.
ms.topic: concept-article
ms.date: 06/18/2026
#Customer Intent: As an IT admin, I want to understand Microsoft Entra licensing so that I can choose the right license tier for my organization's needs.
---
 
 
## Microsoft Entra Internet Access
 
[Microsoft Entra Internet Access](../global-secure-access/overview-what-is-global-secure-access.md) is available on its own or as part of the Microsoft Entra Suite. It's also included in Microsoft 365 E7.
 
## Microsoft Entra monitoring and health
 
 
## Microsoft Entra Private Access
 
[Microsoft Entra Private Access](../global-secure-access/overview-what-is-global-secure-access.md) is available on its own or as part of the Microsoft Entra Suite. It's also included in Microsoft 365 E7.
 
## Microsoft Entra Privileged Identity Management

MODIFIED docs/fundamentals/users-default-permissions.md

Modified by Ken Withee on Jun 18, 2026 4:42 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Clarify guest invite default permissions

Changes:

Before

After

title: Default user permissions
description: Compare the default user permissions available in Microsoft Entra ID and learn how to restrict access.
ms.topic: concept-article
ms.date: 05/18/2026
ms.reviewer: vincesm
ms.custom: sfi-ga-nochange, sfi-image-nochange
#Customer Intent: As an IT admin, I want to understand default user permissions in Microsoft Entra ID so that I can manage what actions users can perform by default.
* *Member users* can register applications, manage their own profile photo and mobile phone number, change their own password, and invite B2B guests. These users can also read all directory information (with a few exceptions). 
* *Guest users* have restricted directory permissions. They can manage their own profile, change their own password, and retrieve some information about other users, groups, and apps. However, they can't read all directory information. 
 
  For example, guest users can't enumerate the list of all users, groups, and other directory objects. Guests can be added to administrator roles, which grant them full read and write permissions. Guests can also invite other guests.
 
> [!NOTE]
> As Intune employs its own RBAC system to manage access to device management features, restricted guest users will be able to access the Intune portal with the appropriate permissions.
 
| **Area** | **Member user permissions** | **Default guest user permissions** | **Restricted guest user permissions** |
| ------------ | --------- | ---------- | ---------- |
| Users and contacts | <ul><li>Enumerate the list of all users and contacts<li>Read all public properties of users and contacts</li><li>Invite guests<li>Change their own password<li>Manage their own mobile phone number<li>Manage their own photo<li>Invalidate their own refresh tokens</li></ul> | <ul><li>Read their own properties<li>Read display name, email, sign-in name, photo, user principal name, and user type properties of other users and contacts<li>Change their own password<li>Search for another user by object ID (if allowed)<li>Read manager and direct report information of other users</li></ul> | <ul><li>Read their own properties<li>Change their own password</li><li>Manage their own mobile phone number</li></ul> |
| Groups | <ul><li>Create security groups<li>Create Microsoft 365 groups<li>Enumerate the list of all groups<li>Read all properties of groups<li>Read nonhidden group membership<li>Read hidden Microsoft 365 group membership for joined groups<li>Manage properties, ownership, and membership of groups that the user owns<li>Add guests to owned groups<li>Manage group membership settings<li>Delete owned groups<li>Restore owned Microsoft 365 groups</li></ul> | <ul><li>Read properties of nonhidden groups, including membership and ownership (even nonjoined groups)<li>Read hidden Microsoft 365 group membership for joined groups<li>Search for groups by display name or object ID (if allowed)</li></ul> | <ul><li>Read object ID for joined groups<li>Read membership and ownership of joined groups in some Microsoft 365 apps (if allowed)</li></ul> |
| Applications | <ul><li>Register (create) new applications<li>Enumerate the list of all applications<li>Read properties of registered and enterprise applications<li>Manage application properties, assignments, and credentials for owned applications<li>Create or delete application passwords for users<li>Delete owned applications<li>Restore owned applications<li>List permissions granted to applications</ul> | <ul><li>Read properties of registered and enterprise applications<li>List permissions granted to applications</ul> | <ul><li>Read properties of registered and enterprise applications</li><li>List permissions granted to applications</li></ul> |

title: Default user permissions
description: Compare the default user permissions available in Microsoft Entra ID and learn how to restrict access.
ms.topic: concept-article
ms.date: 06/18/2026
ms.reviewer: vincesm
ms.custom: sfi-ga-nochange, sfi-image-nochange
#Customer Intent: As an IT admin, I want to understand default user permissions in Microsoft Entra ID so that I can manage what actions users can perform by default.
* *Member users* can register applications, manage their own profile photo and mobile phone number, change their own password, and invite B2B guests. These users can also read all directory information (with a few exceptions). 
* *Guest users* have restricted directory permissions. They can manage their own profile, change their own password, and retrieve some information about other users, groups, and apps. However, they can't read all directory information. 
 
  For example, guest users can't enumerate the list of all users, groups, and other directory objects. Guests can be added to administrator roles, which grant them full read and write permissions. Guests can also invite other guests when **Guest invite settings** allow it.
 
> [!NOTE]
> As Intune employs its own RBAC system to manage access to device management features, restricted guest users will be able to access the Intune portal with the appropriate permissions.
 
| **Area** | **Member user permissions** | **Default guest user permissions** | **Restricted guest user permissions** |
| ------------ | --------- | ---------- | ---------- |
| Users and contacts | <ul><li>Enumerate the list of all users and contacts<li>Read all public properties of users and contacts</li><li>Invite guests<li>Change their own password<li>Manage their own mobile phone number<li>Manage their own photo<li>Invalidate their own refresh tokens</li></ul> | <ul><li>Read their own properties<li>Read display name, email, sign-in name, photo, user principal name, and user type properties of other users and contacts<li>Invite other guests if allowed by Guest invite settings</li><li>Change their own password<li>Search for another user by object ID (if allowed)<li>Read manager and direct report information of other users</li></ul> | <ul><li>Read their own properties<li>Invite other guests if allowed by Guest invite settings</li><li>Change their own password</li><li>Manage their own mobile phone number</li></ul> |
| Groups | <ul><li>Create security groups<li>Create Microsoft 365 groups<li>Enumerate the list of all groups<li>Read all properties of groups<li>Read nonhidden group membership<li>Read hidden Microsoft 365 group membership for joined groups<li>Manage properties, ownership, and membership of groups that the user owns<li>Add guests to owned groups<li>Manage group membership settings<li>Delete owned groups<li>Restore owned Microsoft 365 groups</li></ul> | <ul><li>Read properties of nonhidden groups, including membership and ownership (even nonjoined groups)<li>Read hidden Microsoft 365 group membership for joined groups<li>Search for groups by display name or object ID (if allowed)</li></ul> | <ul><li>Read object ID for joined groups<li>Read membership and ownership of joined groups in some Microsoft 365 apps (if allowed)</li></ul> |
| Applications | <ul><li>Register (create) new applications<li>Enumerate the list of all applications<li>Read properties of registered and enterprise applications<li>Manage application properties, assignments, and credentials for owned applications<li>Create or delete application passwords for users<li>Delete owned applications<li>Restore owned applications<li>List permissions granted to applications</ul> | <ul><li>Read properties of registered and enterprise applications<li>List permissions granted to applications</ul> | <ul><li>Read properties of registered and enterprise applications</li><li>List permissions granted to applications</li></ul> |

MODIFIED docs/fundamentals/users-restore.md

Modified by Ken Withee on Jun 18, 2026 4:43 PM
📖 View on learn.microsoft.com

+4 / -2 lines changed

Commit: Clarify deleted users navigation

Changes:

Before

After

title: Restore or permanently remove recently deleted user
description: How to view restorable users, restore a deleted user, or permanently delete a user with Microsoft Entra ID.
ms.topic: how-to
ms.date: 03/05/2025
ms.reviewer: jeffsta
ms.custom: ge-structured-content-pilot, sfi-image-nochange
#Customer Intent: As an IT admin, I want to restore or permanently remove recently deleted users so that I can manage user lifecycle in my directory.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
 
1. Browse to **Entra ID** > **Users** > **Deleted users**.
 
1. Review the list of users that are available to restore.
 
 
 

title: Restore or permanently remove recently deleted user
description: How to view restorable users, restore a deleted user, or permanently delete a user with Microsoft Entra ID.
ms.topic: how-to
ms.date: 06/18/2026
ms.reviewer: jeffsta
ms.custom: ge-structured-content-pilot, sfi-image-nochange
#Customer Intent: As an IT admin, I want to restore or permanently remove recently deleted users so that I can manage user lifecycle in my directory.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
 
1. Browse to **Entra ID** > **Users**, and then select **Deleted users**.
 
    If you don't see **Deleted users**, use the Microsoft Entra admin center search box to search for and select **Deleted users**.
 
1. Review the list of users that are available to restore.
 

MODIFIED docs/fundamentals/bulk-operations.md

Modified by Ken Withee on Jun 18, 2026 4:41 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Update bulk member download instructions

Changes:

Before

After

title: Bulk operations in Microsoft Entra ID (Preview)
description: Learn about the new Microsoft Entra bulk operations experience for managing users, groups, and devices.
ms.topic: article
ms.date: 02/24/2026
ms.custom: it-pro
#Customer Intent: As an IT admin, I want to understand bulk operations in Microsoft Entra ID so that I can perform large-scale user management tasks efficiently.
---
 
    :::image type="content" source="Media/bulk-operations/group-members-tab.png" alt-text="Screenshot of a selected group’s Members tab listing users and service principals.":::
 
3. Select **Bulk operations** > **Download members**.
 
    :::image type="content" source="Media/bulk-operations/bulk-operations-download-members.png" alt-text="Screenshot of the Bulk operations menu on the Members tab with Download members selected.":::
 
4. Enter a filename and select **Start bulk operation**.
 

title: Bulk operations in Microsoft Entra ID (Preview)
description: Learn about the new Microsoft Entra bulk operations experience for managing users, groups, and devices.
ms.topic: article
ms.date: 06/18/2026
ms.custom: it-pro
#Customer Intent: As an IT admin, I want to understand bulk operations in Microsoft Entra ID so that I can perform large-scale user management tasks efficiently.
---
 
    :::image type="content" source="Media/bulk-operations/group-members-tab.png" alt-text="Screenshot of a selected group’s Members tab listing users and service principals.":::
 
3. On the **Members** page command bar, select **Download members**.
 
    If you see a **Bulk operations** menu instead, select **Bulk operations** > **Download members**.
 
4. Enter a filename and select **Start bulk operation**.
 

MODIFIED docs/identity/monitoring-health/howto-analyze-activity-logs-with-microsoft-graph.md

Modified by Ken Withee on Jun 18, 2026 4:00 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Fix sign-up query sample formatting

Changes:

Before

After

   > Error code 1002013 indicates an expected (and successful) interrupt of the sign-up flow. [Learn more](howto-troubleshoot-sign-up-errors.md#sign-up-error-codes)
 
- For sign-ups during a date range:
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?&$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z)`
 
- For sign-ups for a specific application:
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=appId eq 'AppId'`
 
- For local account sign-ups:
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=signUpIdentityProvider eq 'Email OTP' or signUpIdentityProvider eq 'Email Password'`
 
- For social account sign-ups (Google in this example):
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=signUpIdentityProvider eq ‘Google'`
 
- To see entries for a specific user, for example `[email protected]`:
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=signUpIdentity/signUpIdentifier eq '[email protected]'`

   > Error code 1002013 indicates an expected (and successful) interrupt of the sign-up flow. [Learn more](howto-troubleshoot-sign-up-errors.md#sign-up-error-codes)
 
- For sign-ups during a date range:
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z)`
 
- For sign-ups for a specific application:
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=appId eq 'AppId'`
 
- For local account sign-ups:
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=signUpIdentityProvider eq 'Email OTP' or signUpIdentityProvider eq 'Email Password'`
 
- For social account sign-ups (Google in this example):
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=signUpIdentityProvider eq 'Google'`
 
- To see entries for a specific user, for example `[email protected]`:
  - GET `https://graph.microsoft.com/beta/auditLogs/signUps?$filter=signUpIdentity/signUpIdentifier eq '[email protected]'`

MODIFIED docs/includes/bulk-operations-csv-guidance.md

Modified by Ken Withee on Jun 18, 2026 10:19 PM
📖 View on learn.microsoft.com

+3 / -2 lines changed

Commit: Clarify group member bulk CSV templates (#13558)

Changes:

Before

After

manager: pmwongera
ms.service: entra-id
ms.topic: include
ms.date: 12/05/2025
ms.author: kenwith
ms.custom: include file
---
 
- The first row(s) of the upload template must not be removed or modified, or the upload can't be processed.
- The required columns are listed first.
- We don't recommend adding new columns to the template. Any additional columns you add are ignored and not processed.
- We recommend that you download the latest version of the CSV template as often as possible.
 

manager: pmwongera
ms.service: entra-id
ms.topic: include
ms.date: 06/18/2026
ms.author: kenwith
ai-usage: ai-assisted
ms.custom: include file
---
 
- Keep any version row and column header row in the upload template exactly as downloaded, or the upload can't be processed.
- The required columns are listed first.
- We don't recommend adding new columns to the template. Any additional columns you add are ignored and not processed.
- We recommend that you download the latest version of the CSV template as often as possible.

MODIFIED docs/includes/bulk-operations-csv-template-note.md

Modified by Ken Withee on Jun 18, 2026 10:19 PM
📖 View on learn.microsoft.com

+3 / -2 lines changed

Commit: Clarify group member bulk CSV templates (#13558)

Changes:

Before

After

manager: pmwongera
ms.service: entra-id
ms.topic: include
ms.date: 12/05/2025
ms.author: kenwith
ms.custom: include file
---
 
> [!NOTE]
> CSV template formats vary by operation. Some templates (like bulk create or delete users) include a `version:v1.0` row as the first row, while others (like group member operations) start directly with the column headers. Always use the template downloaded directly from the portal for your specific operation, and don't modify the first row(s).
 

manager: pmwongera
ms.service: entra-id
ms.topic: include
ms.date: 06/18/2026
ms.author: kenwith
ai-usage: ai-assisted
ms.custom: include file
---
 
> [!NOTE]
> CSV template formats vary by operation. Some templates, such as bulk create or delete users, include `version:v1.0` as the first row. Other templates, such as group member operations, start with column headers. Download the template for your specific operation from the portal. Don't add a version row or any other row that isn't in the downloaded template. Keep any version row and column header row unchanged.

MODIFIED docs/fundamentals/identity-fundamental-concepts.md

Modified by shlipsey3 on Jun 18, 2026 7:37 PM
📖 View on learn.microsoft.com

+3 / -2 lines changed

Commit: entra-agent-id-061826

Changes:

Before

After

description: Learn the core concepts of identity and access management (IAM), including authentication, authorization, and identity providers, to secure resources effectively.
manager: dougeby
ms.topic: concept-article
ms.date: 07/31/2025
ms.reviewer: null
ms.custom:
  - ai-gen-docs-bap
 
Identities are used to authenticate and authorize access to resources, enable communication, facilitate transactions, and serve other purposes.
 
Identities are categorized into three types:
 
- **Human identities** represent people, including employees (internal and frontline workers) and external users (customers, consultants, vendors, and partners).
- **Workload identities** represent software workloads such as an application, service, script, or container.
- **Device identities** represent devices, including desktop computers, mobile phones, IoT sensors, and IoT-managed devices. They're distinct from human identities.
 
## Authentication
 
 

description: Learn the core concepts of identity and access management (IAM), including authentication, authorization, and identity providers, to secure resources effectively.
manager: dougeby
ms.topic: concept-article
ms.date: 06/18/2026
ms.reviewer: null
ms.custom:
  - ai-gen-docs-bap
 
Identities are used to authenticate and authorize access to resources, enable communication, facilitate transactions, and serve other purposes.
 
Identities are categorized into four types:
 
- **Human identities** represent people, including employees (internal and frontline workers) and external users (customers, consultants, vendors, and partners).
- **Workload identities** represent software workloads such as an application, service, script, or container.
- **Device identities** represent devices, including desktop computers, mobile phones, IoT sensors, and IoT-managed devices. They're distinct from human identities.
- **Agent identities** represent AI agents that act autonomously or on behalf of users. [Microsoft Entra Agent ID](~/agent-id/what-is-microsoft-entra-agent-id.md) provides purpose-built identity constructs to authenticate, authorize, govern, and protect these identities at enterprise scale.
 
## Authentication
 

📋 Microsoft Entra Documentation Changes

📊 Summary

🆕 New Documentation Files

📝 Modified Documentation Files