📋 Microsoft Entra Documentation Changes

Daily summary for changes since June 24th 2026, 11:19 PM PDT

Report generated on June 25th 2026, 11:19 PM PDT

📊 Summary

- Total commits: 23
- New files: 9
- Modified files: 19
- Deleted files: 0
- Contributors: 10

🆕 New Documentation Files

- +300 lines added. Commit: Add GSA operations PowerShell samples (#13530)
- +243 lines added. Commit: Add GSA operations PowerShell samples (#13530)
- +208 lines added. Commit: Add GSA operations PowerShell samples (#13530)
- +183 lines added. Commit: Add GSA operations PowerShell samples (#13530)
- +151 lines added. Commit: Add GSA operations PowerShell samples (#13530)
- +141 lines added. Commit: Add GSA operations PowerShell samples (#13530)
- +121 lines added. Commit: Add GSA operations PowerShell samples (#13530)
- +91 lines added. Commit: Add assignment restriction concept and how-to articles for user-assigned managed identities (#12786)
- +76 lines added. Commit: Add assignment restriction concept and how-to articles for user-assigned managed identities (#12786)

📝 Modified Documentation Files

Modified by Jackline Omondi on Jun 25, 2026 5:22 PM
+66 / -67 lines changed
Commit: Improve clarity of AlexisHR SSO tutorial (#13655)
Changes:
Before
After
title: Configure AlexisHR for Single sign-on with Microsoft Entra ID
description: Learn how to configure single sign-on between Microsoft Entra ID and AlexisHR.
ms.topic: how-to
ms.date: 03/25/2025
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and AlexisHR so that I can control who has access to AlexisHR, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
 
# Configure AlexisHR for Single sign-on with Microsoft Entra ID
 
In this article, you learn how to integrate AlexisHR with Microsoft Entra ID. When you integrate AlexisHR with Microsoft Entra ID, you can:
 
* Control in Microsoft Entra ID who has access to AlexisHR.
* Enable your users to be automatically signed-in to AlexisHR with their Microsoft Entra accounts.
 
## Scenario description
 
In this article, you configure and test Microsoft Entra SSO in a test environment.
 
* AlexisHR supports **IDP** initiated SSO.
 
title: Configure AlexisHR for Single sign-on with Microsoft Entra ID
description: Learn how to configure single sign-on between Microsoft Entra ID and AlexisHR.
ms.topic: how-to
ms.date: 06/25/2026
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and AlexisHR so that I can control who has access to AlexisHR, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
 
# Configure AlexisHR for Single sign-on with Microsoft Entra ID
 
In this article, you learn how to integrate AlexisHR with Microsoft Entra ID. When you integrate AlexisHR with Microsoft Entra ID, you can:
 
* Control in Microsoft Entra ID who has access to AlexisHR.
* Enable your users to be automatically signed-in to AlexisHR with their Microsoft Entra accounts.
 
## Scenario description
 
In this article, you configure and test SAML SSO between Microsoft Entra ID and AlexisHR in a test environment.
 
* AlexisHR supports **IdP-initiated** SSO.
Modified by Nuno Alexandre on Jun 25, 2026 11:04 AM
+61 / -36 lines changed
Commit: Update tutorial-pilot-aadc-aadccp.md (#13419)
Changes:
Before
After
 
Before you try this tutorial, consider the following items:
 
- Ensure that you're familiar with the basics of Microsoft Entra Cloud Sync.
- Ensure that you're running Microsoft Entra Connect Sync version 1.4.32.0 or later and that you configured the sync rules as documented.
- Ensure that for a pilot that you remove a test organizational unit (OU) or group from Microsoft Entra Connect Sync scope. Moving objects out of scope leads to deletion of those objects in Microsoft Entra ID.
 
- User objects in Microsoft Entra ID are soft-deleted, so you can restore them.
- Group objects in Microsoft Entra ID are hard-deleted, so you can't restore them.
Microsoft Entra Connect Sync introduces a new link type, which prevents the deletion in a piloting scenario.
 
- Ensure that the objects in the pilot scope have `ms-ds-consistencyGUID` populated so that Microsoft Entra Cloud Sync hard matches the objects.
 
Microsoft Entra Connect Sync doesn't populate `ms-ds-consistencyGUID` by default for group objects.
 
- Follow the steps in this tutorial precisely. This configuration is for advanced scenarios.
 
## Prerequisites
 
 
Before you try this tutorial, consider the following items:
 
- Ensure that you're familiar with the basics of Microsoft Entra Cloud Sync.
 
- Ensure that you're running Microsoft Entra Connect Sync version 1.4.32.0 or later and that you configured the sync rules as documented.
 
- During the pilot or coexistence phase, don't remove the pilot organizational unit (OU), group, domain, or any related referenced objects from Microsoft Entra Connect Sync scope. Keep the objects in scope and use the custom `cloudNoFlow` inbound rule and `JoinNoFlow` outbound rule described in this tutorial to prevent Microsoft Entra Connect Sync from exporting object adds, object deletes, and non-reference attribute updates.
 
Removing objects from Microsoft Entra Connect Sync scope removes them from the Active Directory connector space, metaverse, and Microsoft Entra connector space. This removal can remove references in the connector space and cause reference deletes, such as group membership removals, to be exported to Microsoft Entra ID.
 
- Ensure that the objects in the pilot scope have `ms-ds-consistencyGUID` populated so that Microsoft Entra Cloud Sync hard matches the objects.
 
Microsoft Entra Connect Sync doesn't populate `ms-ds-consistencyGUID` by default for group objects.
 
- Follow the steps in this tutorial precisely. This configuration is for advanced scenarios.
 
### Plan scope removal from Microsoft Entra Connect Sync
 
Don't remove OUs, groups, or domains from Microsoft Entra Connect Sync scope during the coexistence or pilot phase. Do this only after migration for that scope is complete and you've verified that Cloud Sync is authoritative for the objects and their references.
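Review bot: The new "Plan scope removal from Microsoft Entra Connect Sync" section states when scope removal becomes safe but not what the no-flow rules still let through; since the bullet above it describes `cloudNoFlow` and `JoinNoFlow` as preventing object adds, object deletes, and non-reference attribute updates, add one sentence here that reference attribute updates (group membership, manager) can still flow for reference resolution, so readers don't mistake the rule pair for a read-only staging mode.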
Modified by Jeevan Desarda on Jun 25, 2026 10:22 PM
+50 / -1 lines changed
Commit: Document SAML AMR and ACR values per authentication method
Changes:
Before
After
</AuthnContext>
</AuthnStatement>
```
#### authnmethodreferences
 
This element asserts that the assertion subject was authenticated by a particular means at a particular time. This is available in the claims section for applications to consume and verify that subject has done authentication using Password or using a stronger authentication method like MFA or Passkeys.
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
 
```
 
</AuthnContext>
</AuthnStatement>
```
 
The `AuthnContextClassRef` value reflects the method the user used to authenticate. If the user authenticates with more than one method, the strongest method is reflected in the `AuthnContextClassRef`. The following table lists the `AuthnContextClassRef` class names that Microsoft Entra ID sends for each authentication method. The full value is `urn:oasis:names:tc:SAML:2.0:ac:classes:<className>`.
 
| Microsoft Entra authentication method | `AuthnContextClassRef` class name | Description |
|---|---|---|
| Password | `Password` | The user authenticated with a username and password. |
| Microsoft Authenticator push | `MobileOneFactorUnregistered`, or `MobileTwoFactorContract` when another factor is also completed | Push notification approval in Microsoft Authenticator. The two-factor class is sent when the method contributes to MFA. |
| Microsoft Authenticator TOTP | `TimeSyncToken` | Time-based one-time passcode (TOTP) generated by Microsoft Authenticator. |
| Hardware OATH token | `TimeSyncToken` | Time-based one-time passcode generated by a hardware OATH token. |
| Phone sign-in (passwordless Authenticator) | `MobileTwoFactorContract` | Passwordless phone sign-in approved in Microsoft Authenticator. |
| SMS | `MobileOneFactorUnregistered`, or `MobileTwoFactorContract` when another factor is also completed | One-time passcode delivered by text message. |
| Phone call | `Telephony`, or `MobileTwoFactorContract` when another factor is also completed | Approval through a voice phone call. |
| Email | `MobileOneFactorUnregistered`, or `MobileTwoFactorContract` when another factor is also completed | One-time passcode delivered by email. |
| FIDO2 security key (phishing-resistant MFA) | `SmartcardPKI` | A FIDO2 security key, reported as a smartcard-backed certificate with a private key and PIN. |
| Passkey - device-bound (phishing-resistant MFA) | `SmartcardPKI` | A device-bound passkey. |
| Passkey - synced | `SoftwarePKI` | A synced passkey, reported as a software-based PKI credential. |
| Windows Hello for Business (phishing-resistant MFA) | `SmartcardPKI` | Windows Hello for Business. |
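Review bot: The new table maps three different phishing-resistant methods (FIDO2 security key, device-bound passkey, Windows Hello for Business) to the same `SmartcardPKI` class, and maps SMS, email, and Authenticator push to `MobileOneFactorUnregistered` unless another factor is completed; the paragraph above the table should say plainly that a relying party cannot distinguish those methods from `AuthnContextClassRef` alone and must not treat `MobileOneFactorUnregistered` as evidence of MFA. Separately, the `#### authnmethodreferences` paragraph in the Before text has a grammar slip ("verify that subject has done authentication using Password"); if it is kept, "verify that the subject authenticated with a password or with a stronger method such as MFA or passkeys" reads better.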
Modified by Faith Moraa Ombongi on Jun 25, 2026 2:25 PM
+41 / -1 lines changed
Commit: AI admin and reader manual overrides (#13640)
Changes:
Before
After
title: AI Administrator
description: AI Administrator
ms.topic: include
ms.date: 06/17/2026
ms.custom: include file
---
 
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.directory/agentUsers/assignLicense | Assign product licenses for agent users |
> | microsoft.directory/agentUsers/basic/update | Update basic properties on agent users, such display name, user type, and mail nickname |
> | microsoft.directory/agentUsers/create | Create agent users<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
> | microsoft.directory/agentUsers/sponsors/update | Update sponsors of agent users |
> | microsoft.directory/agentUsers/usageLocation/update | Update usage location of agent users |
> | microsoft.directory/agentUsers/userPrincipalName/update | Update the user principal name of agent users<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
> | microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Microsoft Entra entitlement management |
> | microsoft.directory/subscribedSkus/standard/read | Read basic properties on subscriptions |
> | microsoft.directory/users/allProperties/read | Read all properties of users<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
 
title: AI Administrator
description: AI Administrator
ms.topic: include
ms.date: 06/25/2026
ms.custom: include file
---
 
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks | Manage admin consent request policies in Microsoft Entra ID |
> | microsoft.directory/agentIdentities/allProperties/read | Read all properties of agent identities |
> | microsoft.directory/agentIdentities/appRoleAssignedTo/update | Update agent identity role assignments |
> | microsoft.directory/agentIdentities/authentication/update | Update authentication on agent identities |
> | microsoft.directory/agentIdentities/basic/update | Update basic properties on agent identities |
> | microsoft.directory/agentIdentities/create | Create agent identities |
> | microsoft.directory/agentIdentities/delete | Delete agent identities |
> | microsoft.directory/agentIdentities/disable | Disable agent identities |
> | microsoft.directory/agentIdentities/enable | Enable agent identities |
> | microsoft.directory/agentIdentities/owners/update | Update owners on agent identities |
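Review bot: None of the newly added `microsoft.directory/agentIdentities/*` rows carries the privileged-label icon, while the existing `microsoft.directory/agentUsers/create` and `microsoft.directory/agentUsers/userPrincipalName/update` rows do; `microsoft.directory/agentIdentities/create` and `microsoft.directory/agentIdentities/authentication/update` (credential management on an identity) look like candidates for the same label, so please confirm against the privileged permissions list before merging.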
Modified by Nuno Alexandre on Jun 25, 2026 11:04 AM
+17 / -7 lines changed
Commit: Update tutorial-pilot-aadc-aadccp.md (#13419)
Changes:
Before
After
- Cloud-created [security groups](../../../fundamentals/concept-learn-about-groups.md#group-types).
- Groups written back to Active Directory with the scope of [universal](/windows-server/identity/ad-ds/manage/understand-security-groups#group-scope).
 
Mail-enabled groups and distribution lists written back to Active Directory continue to work with Microsoft Entra Connect Group Writeback but revert to the behavior of Group Writeback v1. In this scenario, after you disable Group Writeback v2, all Microsoft 365 groups are written back to Active Directory independently of the **Writeback Enabled** setting in the Microsoft Entra admin center. For more information, see [Provision to Active Directory with Microsoft Entra Cloud Sync FAQ](reference-provision-to-active-directory-faq.yml).
 
## Prerequisites
 
## Step 3: Create a custom group inbound rule
 
In the Microsoft Entra Connect Synchronization Rules Editor, create an inbound sync rule that targets cloud-created groups that are currently mastered in Microsoft Entra ID and have a `NULL` mail attribute. This inbound sync rule is a join rule that sets the `cloudNoFlow` attribute to True.
 
The purpose of this rule is to flag these groups so that Microsoft Entra Connect continues to recognize them as joined objects after Group Writeback is disabled, preventing them from being treated as out-of-scope objects. This rule is required to preserve existing on-premises group objects during the transition from Group Writeback in Microsoft Entra Connect Sync to group provisioning using Microsoft Entra Cloud Sync.
You can create this sync rule by using either the user interface or PowerShell with the provided script.
 
### Create a custom group inbound rule in the user interface
 
## Step 4: Create a custom group outbound rule
 
You also need an outbound sync rule with a Link Type of `JoinNoFlow` and a scoping filter that selects groups where `cloudNoFlow` is set to `True`.
This outbound rule ensures that, after Group Writeback is disabled in Microsoft Entra Connect, it maintains the join relationship without flowing changes or triggering deprovisioning.
- Cloud-created [security groups](../../../fundamentals/concept-learn-about-groups.md#group-types).
- Groups written back to Active Directory with the scope of [universal](/windows-server/identity/ad-ds/manage/understand-security-groups#group-scope).
 
> [!IMPORTANT]
> During migration, don't remove written-back groups, the Group Writeback target OU, or related referenced objects from Microsoft Entra Connect Sync scope until Microsoft Entra Cloud Sync is configured and validated to provision those groups to Active Directory.
>
> The supported coexistence model is to keep Microsoft Entra Connect Sync aware of the existing written-back groups and use the `cloudNoFlow` and `JoinNoFlow` rules in this article to preserve the join relationship while Microsoft Entra Cloud Sync takes over group provisioning.
>
> `JoinNoFlow` isn't a full staging (read-only) mode. It prevents object adds, object deletes, and non-reference attribute updates. However, reference attribute updates, such as group membership references, can still flow for reference resolution. Removing groups or referenced objects from Microsoft Entra Connect Sync scope before cutover can cause Microsoft Entra Connect Sync to drop references or deprovision on-premises group objects unexpectedly.
 
Mail-enabled groups and distribution lists written back to Active Directory continue to work with Microsoft Entra Connect Group Writeback but revert to the behavior of Group Writeback v1. In this scenario, after you disable Group Writeback v2, all Microsoft 365 groups are written back to Active Directory independently of the **Writeback Enabled** setting in the Microsoft Entra admin center. For more information, see [Provision to Active Directory with Microsoft Entra Cloud Sync FAQ](reference-provision-to-active-directory-faq.yml).
 
## Prerequisites
 
## Step 3: Create a custom group inbound rule
 
In the Microsoft Entra Connect Synchronization Rules Editor, create an inbound sync rule that targets cloud-created groups that are currently mastered in Microsoft Entra ID and have a `NULL` mail attribute. This inbound sync rule is a join rule that sets the `cloudNoFlow` attribute to `True`.
 
The purpose of this rule is to flag these groups so Microsoft Entra Connect Sync continues to recognize them as joined objects after Group Writeback is disabled. This prevents the existing on-premises group objects from being treated as out of scope during the transition from Group Writeback in Microsoft Entra Connect Sync to group provisioning in Microsoft Entra Cloud Sync.
 
Modified by Ken Withee on Jun 25, 2026 5:35 PM
+21 / -2 lines changed
Commit: Add GSA operations PowerShell samples (#13530)
Changes:
Before
After
---
title: PowerShell samples for Global Secure Access
description: Use these PowerShell samples to automate common Global Secure Access tasks, including connector registration, client install, traffic forwarding bypasses, break glass scenarios, and TLS certificate creation.
ms.topic: sample
ms.date: 04/27/2026
ms.reviewer: katabish
ai-usage: ai-assisted
---
| [Create and sign TLS certificates using Active Directory Certificate Services](scripts/powershell-active-directory-certificate-service.md) | Generate a certificate signing request through the TLS inspection Graph API, sign it with ADCS, and upload the certificate and chain to TLS inspection settings. |
| [Create and sign TLS certificates using OpenSSL](scripts/powershell-open-secure-sockets-layer.md) | Generate a certificate signing request through the TLS inspection Graph API, sign it with a self-signed root CA created by OpenSSL, and upload the certificate and chain to TLS inspection settings. |
 
## Related content
 
- [What is Global Secure Access?](overview-what-is-global-secure-access.md)
- [Microsoft Graph Beta PowerShell module installation](/powershell/microsoftgraph/installation)
 
---
title: PowerShell samples for Global Secure Access
description: Use these PowerShell samples to automate common Global Secure Access tasks, including connector registration, client install, traffic forwarding bypasses, break glass scenarios, TLS certificate creation, operations monitoring, and recovery.
ms.topic: sample
ms.date: 06/17/2026
ms.reviewer: katabish
ai-usage: ai-assisted
---
| [Create and sign TLS certificates using Active Directory Certificate Services](scripts/powershell-active-directory-certificate-service.md) | Generate a certificate signing request through the TLS inspection Graph API, sign it with ADCS, and upload the certificate and chain to TLS inspection settings. |
| [Create and sign TLS certificates using OpenSSL](scripts/powershell-open-secure-sockets-layer.md) | Generate a certificate signing request through the TLS inspection Graph API, sign it with a self-signed root CA created by OpenSSL, and upload the certificate and chain to TLS inspection settings. |
 
## Operations monitoring
 
| Sample | Description |
|---|---|
| [Shared helper functions for operations scripts](scripts/powershell-global-secure-access-operations-helpers.md) | Use shared authentication, Log Analytics token, and alert email helper functions for operations automation scripts. |
| [Verify configuration backup compliance](scripts/powershell-test-backup-compliance.md) | Check recent Azure Automation jobs for your Global Secure Access configuration backup runbook and alert when backups fail or miss a scheduled run. |
| [Check role assignment reviews](scripts/powershell-test-role-based-access-control-hygiene.md) | Query Global Secure Access-related role assignments and identify administrator accounts that need quarterly review. |
| [Calculate alert noise ratio](scripts/powershell-test-alert-noise-ratio.md) | Calculate the Microsoft Sentinel alert noise ratio for Global Secure Access detections and identify noisy analytics rules. |
 
+11 / -9 lines changed
Commit: Update tutorial-pilot-aadc-aadccp.md (#13419)
Changes:
Before
After
 
## Steps for migrating from Microsoft Entra Connect to cloud sync
 
 
 
|Step|Description|
|Verify the pre-requisites for migrating|The following guidance is only for users who have installed Microsoft Entra Connect using the Express settings and aren't synchronizing devices. Also you should verify the cloud sync [pre-requisites](how-to-prerequisites.md).|
|Back up your Microsoft Entra Connect configuration|Before making any changes, you should back up your Microsoft Entra Connect configuration. This way, you can rollback. For more information, see [Import and export Microsoft Entra Connect configuration settings](../connect/how-to-connect-import-export-config.md).|
|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial. This tutorial guides you through the migration process in a sandbox environment.|
|Create or identify an OU for the migration|Create a new OU or identify an existing OU that contains the users you'll test migration on.|
|Move users into new OU (optional)|If you're using a new OU, move the users that are in scope for this pilot into that OU now. Before continuing, let Microsoft Entra Connect pick up the changes so that it's synchronizing them in the new OU.|
|Run PowerShell on OU|You can run the following PowerShell cmdlet to get the counts of the users that are in the pilot OU. </br>`Get-ADUser -Filter * -SearchBase "<DN path of OU>"`</br> Example: `Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"`|
|Stop the scheduler|Before creating new sync rules, you need to stop the Microsoft Entra Connect scheduler. For more information, see [how to stop the scheduler](../connect/how-to-connect-sync-feature-scheduler.md#stop-the-scheduler).
|Create the custom sync rules|In the Microsoft Entra Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you created or identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. For more information, see [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-a-custom-user-inbound-rule) tutorial for how to create these rules.|
|Install the provisioning agent|If you haven't done so, install the provisioning agent. For more information, see [how to install the agent](how-to-install.md).|
|Configure cloud sync|Once the agent is installed, you need to configure cloud sync. In the configuration, you need to create a scope to the OU that was created or identified previously. For more information, see [Configuring cloud sync](how-to-configure.md).|
|Verify pilot users are synchronizing and being provisioned|Verify that the users are now being synchronized in the portal. You can use the PowerShell script below to get a count of the number of users that have the on-premises pilot OU in their distinguished name. This number should match the count of users in the previous step. If you create a new user in this OU, verify that it's being provisioned.|
|Start the scheduler|Now that you've verified users are provisioning and synchronizing, you can go ahead and start the Microsoft Entra Connect scheduler. For more information, see [how to start the scheduler](../connect/how-to-connect-sync-feature-scheduler.md#start-the-scheduler).
|Schedule you remaining users|Now you should come up with a plan on migrating more users. You should use a phased approach so that you can verify that the migrations are successful.|
|Verify all users are provisioned|As you migrate users, verify that they're provisioning and synchronizing correctly.|
 
## Steps for migrating from Microsoft Entra Connect to cloud sync
 
> [!IMPORTANT]
> During the pilot or coexistence phase, don't remove OUs, domains, groups, users, contacts, or other referenced objects from Microsoft Entra Connect Sync scope. Keep the existing scope configured until objects are fully migrated and you're ready for final cutover. Removing objects from scope before final cutover is unsafe: it can drop references in the Microsoft Entra connector space and export reference deletes (such as group membership removals) to Microsoft Entra ID.
 
The supported coexistence model is to keep objects in Microsoft Entra Connect Sync scope and use the `cloudNoFlow` and `JoinNoFlow` rules to prevent Microsoft Entra Connect Sync from exporting object adds, object deletes, and non-reference attribute updates. Reference attribute updates, such as `member` and `manager`, can still flow for reference resolution.
 
You can still migrate in phases, such as by OU or another defined batch. Each batch must remain in Microsoft Entra Connect Sync scope with the no-flow rules applied until that batch is fully migrated and ready for cutover.
 
 
|Step|Description|
|Verify the pre-requisites for migrating|The following guidance is only for users who have installed Microsoft Entra Connect using the Express settings and aren't synchronizing devices. Also you should verify the cloud sync [pre-requisites](how-to-prerequisites.md).|
|Back up your Microsoft Entra Connect configuration|Before making any changes, you should back up your Microsoft Entra Connect configuration. This way, you can rollback. For more information, see [Import and export Microsoft Entra Connect configuration settings](../connect/how-to-connect-import-export-config.md).|
|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial. This tutorial guides you through the migration process in a sandbox environment.|
|Create or identify an OU for the migration|Create a new OU or identify an existing OU that contains the users you'll test migration on. Keep this OU in Microsoft Entra Connect Sync scope during migration.|
|Move users into new OU (optional)|If you're using a new OU, move the users that are in scope for this pilot into that OU now. Before continuing, let Microsoft Entra Connect Sync pick up the changes so that it's synchronizing them in the new OU. Don't remove the OU or users from Microsoft Entra Connect Sync scope during migration.|
|Run PowerShell on OU|You can run the following PowerShell cmdlet to get the counts of the users that are in the pilot OU. </br>`Get-ADUser -Filter * -SearchBase "<DN path of OU>"`</br> Example: `Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"`|
|Stop the scheduler|Before creating new sync rules, you need to stop the Microsoft Entra Connect scheduler. For more information, see [how to stop the scheduler](../connect/how-to-connect-sync-feature-scheduler.md#stop-the-scheduler).
|Create the custom sync rules|In the Microsoft Entra Connect Synchronization Rules editor, create an inbound sync rule that sets the `cloudNoFlow` attribute to `True` for users in the OU you created or identified previously. You'll also need an outbound sync rule with a link type of `JoinNoFlow` and a scoping filter that has the `cloudNoFlow` attribute set to `True`. Together, these rules prevent Microsoft Entra Connect Sync from exporting object adds, object deletes, and non-reference attribute updates for the scoped users. Reference attribute updates, such as `member` and `manager`, can still flow for reference resolution. During the pilot or coexistence phase, don't remove the pilot OU, group, domain, or related referenced objects from Microsoft Entra Connect Sync scope. For more information, see the [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-a-custom-user-inbound-rule) tutorial for how to create these rules.|
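Review bot: The "Stop the scheduler" row still has no closing `|`, so the table may not render; add the trailing pipe. "pre-requisites" in the first row should be "prerequisites" to match the linked page. The new IMPORTANT block, the paragraph after it, and the "Create the custom sync rules" row now repeat the same guidance three times (keep objects in scope; `member` and `manager` still flow for reference resolution); keep the full explanation in the IMPORTANT block and shorten the table row to a cross-reference.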
Modified by Ken Withee on Jun 25, 2026 8:42 PM
+11 / -3 lines changed
Commit: Clarify Backup and Recovery resilience guidance
Changes:
Before
After
ms.date: 03/09/2026
ms.service: entra-id
ms.topic: how-to
---
 
# Recover application secrets using Microsoft Entra Backup and Recovery (Preview)
 
This article describes how to restore application secrets after accidental or malicious changes, using Microsoft Entra Backup and Recovery.
 
## Prepare for recovery
 
As part of your disaster recovery plan for applications, review your current processes for managing application secrets and secret rotation. Using best practices for managing application secrets eases recovery from accidental or malicious edits. This article assumes you're using Azure Key Vault or another secure solution for managing your application secrets. For more information, see [Best practices for protecting secrets](/azure/security/fundamentals/secrets-best-practices).
 
After you determine the cause of the changes, validate whether the secrets for applications were impacted. Find changes to application secrets in the audit log. Look for events that indicate the application secret was changed or updated.
 
 
The nature of the change and whether secrets were impacted determine the best path for recovery for your applications. Anytime an application, service principal, or user is recovered from soft-delete, the secret is recovered to the state it was in when the delete action occurred.
 
 
This includes scenarios where the application was edited or soft-deleted, but the secrets on the application weren't edited.
ms.date: 03/09/2026
ms.service: entra-id
ms.topic: how-to
ai-usage: ai-assisted
---
 
# Recover application secrets using Microsoft Entra Backup and Recovery (Preview)
 
This article describes how to restore application secrets after accidental or malicious changes, using Microsoft Entra Backup and Recovery.
 
Backups are created automatically once per day and retained for up to five days. Restore points for applications and service principals are limited to backups within this retention window.
 
## Prerequisites
 
To recover application objects and service principals, the tenant must have **Microsoft Entra ID P1 or P2** licenses, and you need the **Microsoft Entra Backup Administrator** role.
 
## Prepare for recovery
 
As part of your disaster recovery plan for applications, review your current processes for managing application secrets and secret rotation. Using best practices for managing application secrets eases recovery from accidental or malicious edits. This article assumes you're using Azure Key Vault or another secure solution for managing your application secrets. For more information, see [Best practices for protecting secrets](/azure/security/fundamentals/secrets-best-practices).
 
Modified by Faith Moraa Ombongi on Jun 25, 2026 2:25 PM
+8 / -2 lines changed
Commit: AI admin and reader manual overrides (#13640)
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 04/22/2026
---
 
Assign the AI Reader role to users who need to do the following tasks:
 
- Read all aspects of Microsoft 365 Copilot
- Read AI-related enterprise services, extensibility, and copilot agents
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.directory/administrativeUnits/members/read | Read members of administrative units |
> | microsoft.directory/administrativeUnits/standard/read | Read basic properties on administrative units |
> | microsoft.directory/agentUsers/lifeCycleInfo/read | Read lifecycle information of agent users, such as employeeLeaveDateTime<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
> | microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies |
> | microsoft.directory/applications/owners/read | Read owners of applications |
 
 
 
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 06/25/2026
---
 
[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md)
 
This is a [privileged role](../privileged-roles-permissions.md). Assign the AI Reader role to users who need to do the following tasks:
 
- Read all aspects of Microsoft 365 Copilot
- Read AI-related enterprise services, extensibility, and copilot agents
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.directory/administrativeUnits/members/read | Read members of administrative units |
> | microsoft.directory/administrativeUnits/standard/read | Read basic properties on administrative units |
> | microsoft.directory/adminConsentRequestPolicy/allProperties/read | Read all properties of admin consent request policies in Microsoft Entra ID |
> | microsoft.directory/agentIdentities/allProperties/read | Read all properties of agent identities |
> | microsoft.directory/agentIdentityBlueprintPrincipals/allProperties/read | Read all properties of agent identity blueprint principals |
> | microsoft.directory/agentIdentityBlueprints/allProperties/read | Read all properties of agent identity blueprints |
> | microsoft.directory/agentUsers/lifeCycleInfo/read | Read lifecycle information of agent users, such as employeeLeaveDateTime<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
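Review bot: The After text labels AI Reader a privileged role and adds the privileged icon at the top, but in the permission table only microsoft.directory/agentUsers/lifeCycleInfo/read carries the privileged label, and none of the four newly added allProperties/read rows (adminConsentRequestPolicy, agentIdentities, agentIdentityBlueprintPrincipals, agentIdentityBlueprints) do; say which permission makes the role privileged, or put the label on that row, so an administrator reviewing assignments can see the sensitive action. Separately, microsoft.azure.serviceHealth/allEntities/allTasks is described as "Read and configure Azure Service Health", a write capability in a role named Reader; worth confirming that is intended.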
Modified by Ken Withee on Jun 25, 2026 8:42 PM
+6 / -2 lines changed
Commit: Clarify Backup and Recovery resilience guidance
Changes:
Before
After
 
For a full list of supported attributes, see [Supported objects and attributes](scope-supported-objects-limitations.md).
 
## Difference reports
 
Create a difference report to compare the current state of your tenant with a backup. Only changed objects appear in the report. Apply filters to view changes for a specific object type or a specific object. If you don't apply a filter, all changed objects are included in the difference report.
 
Changes for users and groups synchronized from on-premises Active Directory appear in the difference report to help you track changed objects. However, you can't recover on-premises synced objects through Backup and Recovery, because the source of authority for these objects is on-premises Active Directory.
 
 
When you recover your tenant, apply filters to control which objects to recover:
 
- **By object type**: Recover only objects of a certain type, such as users, groups, or applications.
- **By object ID**: Supply the object type and object ID to recover a specific object.
- **All changes**: Recover all changed objects to the state captured in the selected backup.
 
> [!WARNING]
> Hard-deleted objects can't be recovered. Configure [protected actions](/entra/identity/role-based-access-control/protected-actions-overview) to prevent unwanted hard deletions.
 
On-premises synchronized objects can't be recovered through Backup and Recovery, because the source of authority is on-premises Active Directory. Recover these objects in on-premises Active Directory instead. Changes to synced objects still appear in difference reports.
 
For a full list of supported attributes, see [Supported objects and attributes](scope-supported-objects-limitations.md).
 
Backups are created automatically once per day and retained for up to five days. Select from these retained backups when you create a difference report or start recovery.
 
## Difference reports
 
Create a difference report to compare the current state of your tenant with a selected backup. Only changed objects appear in the report, with changed attributes and links shown for review. Apply filters to view changes for a specific object type or a specific object. If you don't apply a filter, all changed objects are included in the difference report.
 
Changes for users and groups synchronized from on-premises Active Directory appear in the difference report to help you track changed objects. However, you can't recover on-premises synced objects through Backup and Recovery, because the source of authority for these objects is on-premises Active Directory.
 
 
When you recover your tenant, apply filters to control which objects to recover:
 
- **By object type**: Recover only objects of a certain type, such as users, groups, applications, service principals, or Conditional Access policies.
- **By object ID**: Supply the object type and object ID to recover a specific object.
- **All changes**: Recover all changed objects to the state captured in the selected backup.
 
> [!WARNING]
> Hard-deleted objects can't be recovered. Configure [protected actions](/entra/identity/role-based-access-control/protected-actions-overview) to prevent unwanted hard deletions.
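Review bot: The new paragraph "On-premises synchronized objects can't be recovered through Backup and Recovery ... Changes to synced objects still appear in difference reports" and the existing paragraph under Difference reports ("Changes for users and groups synchronized from on-premises Active Directory appear in the difference report ... However, you can't recover on-premises synced objects ...") now state the same restriction twice in one article; keep the fuller one under Difference reports and reduce the other to a cross-reference. The retention sentence "Backups are created automatically once per day and retained for up to five days" is also repeated verbatim across several articles in this commit; an include file would keep the retention period consistent when it changes.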
Modified by Ken Withee on Jun 25, 2026 8:42 PM
+7 / -1 lines changed
Commit: Clarify Backup and Recovery resilience guidance
Changes:
Before
After
 
You need at least the **Microsoft Entra Backup Reader** role to review difference reports. To review and create difference reports, you need the **Microsoft Entra Backup Administrator** role. The **Global Administrator** role also includes these permissions.
 
## Scope a difference report
 
When you create a difference report, scope it to control which objects are included in the comparison:
 
- **All supported objects**: Includes all supported object types in the tenant.
- **By object type**: Includes only selected object types.
- **By object ID**: Includes only specific objects by their object IDs with their object types specified. Specify up to 100 object IDs across supported object types.
 
You set the scope when you create the report. You can't change it afterward.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-backups-page.png#lightbox" alt-text="Screenshot of the Backups page showing available backups with a Create difference report button in the toolbar.":::
 
1. (Optional) Apply filters to limit the scope of objects included in the report. Choose one of these options:
 
- **Include all objects in their previous state**: Compares all supported objects in the tenant.
 
## Review a difference report
 
You need at least the **Microsoft Entra Backup Reader** role to review difference reports. To review and create difference reports, you need the **Microsoft Entra Backup Administrator** role. The **Global Administrator** role also includes these permissions.
 
The tenant must also have **Microsoft Entra ID P1 or P2** licenses.
 
## Scope a difference report
 
When you create a difference report, scope it to control which objects are included in the comparison:
 
- **All supported objects**: Includes all supported object types in the tenant.
- **By object type**: Includes only selected object types, such as Conditional Access policies, service principals, or groups.
- **By object ID**: Includes only specific objects by their object IDs with their object types specified. Specify up to 100 object IDs across supported object types.
 
You set the scope when you create the report. You can't change it afterward.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-backups-page.png#lightbox" alt-text="Screenshot of the Backups page showing available backups with a Create difference report button in the toolbar.":::
 
Backups are created automatically once per day and retained for up to five days. Only backups within this retention window appear for selection. The report compares the selected backup with the current tenant state.
 
1. (Optional) Apply filters to limit the scope of objects included in the report. Choose one of these options:
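Review bot: The added retention paragraph ("Backups are created automatically once per day ... The report compares the selected backup with the current tenant state.") is inserted between the screenshot and the step "1. (Optional) Apply filters ...", so an unindented paragraph now sits inside the numbered procedure; move it above the screenshot or indent it under the preceding step so the list numbering survives rendering. The added license line under Review a difference report ("The tenant must also have Microsoft Entra ID P1 or P2 licenses.") reads more naturally merged into the preceding role sentence, since both are preconditions for the same task.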
Modified by Ken Withee on Jun 25, 2026 8:42 PM
+6 / -2 lines changed
Commit: Clarify Backup and Recovery resilience guidance
Changes:
Before
After
Key details:
 
- A recovery ID identifies the recovery job.
- Only one recovery runs at a time. If another job (recovery job or difference report) is already running, you must wait for it to complete or cancel it before starting a new one.
- **Recovery History** retains recovery details for 5 days after recovery completion date.
- Audit logs record all recovery actions.
 
## Prerequisites
 
To recover objects, you need the **Microsoft Entra Backup Administrator** role.
 
## Recover from a difference report
 
 
:::image type="content" source="media/recover-objects/difference-reports-select.png#lightbox" alt-text="Screenshot of the Difference Reports page showing three completed reports with available backups.":::
 
1. After inspecting the objects listed in the difference report, select **Recover** to start recovery.
 
:::image type="content" source="media/recover-objects/recover-from-difference-report.png#lightbox" alt-text="Screenshot of the Recover from difference report dialog showing the list of objects that will be recovered, with the Recover button at the bottom.":::
 
Key details:
 
- A recovery ID identifies the recovery job.
- Backups are created automatically once per day and retained for up to five days. Only backups within this retention window are available for recovery and for generating difference reports.
- Only one recovery runs at a time. If another job (recovery job or difference report) is already running, you must wait for it to complete or cancel it before starting a new one.
- **Recovery History** retains recovery details for 5 days after recovery completion date.
- Audit logs record all recovery actions.
 
## Prerequisites
 
The tenant must have **Microsoft Entra ID P1 or P2** licenses. To recover objects, you need the **Microsoft Entra Backup Administrator** role.
 
## Recover from a difference report
 
 
:::image type="content" source="media/recover-objects/difference-reports-select.png#lightbox" alt-text="Screenshot of the Difference Reports page showing three completed reports with available backups.":::
 
Difference reports compare the selected backup with the current tenant state and show changed attributes and links.
 
1. After inspecting the objects listed in the difference report, select **Recover** to start recovery.
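Review bot: Inconsistent number style in the Key details list: the new bullet says "retained for up to five days" while the next bullet says "retains recovery details for 5 days after recovery completion date" (which is also missing "the" before "recovery completion date"); use one style. The sentence added after the screenshot ("Difference reports compare the selected backup with the current tenant state ...") lands between the screenshot and step "1. After inspecting the objects ...", the same list-interrupting placement as in the difference report article; place it before the procedure starts.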
Modified by Ken Withee on Jun 25, 2026 8:42 PM
+8 / -0 lines changed
Commit: Clarify Backup and Recovery resilience guidance
Changes:
Before
After
> [!NOTE]
> The set of supported objects and properties expands over time. Recovery applies only to supported properties listed in this article and doesn't imply full object rollback.
 
## User
 
Recovery for user objects supports these properties:
 
Microsoft Entra Backup and Recovery doesn't support the recovery or re-creation of hard-deleted objects. Only soft-deleted or modified objects can be restored.
 
### Objects managed in on-premises Active Directory Domain Services
 
Any changes made to on-premises synced objects (except group memberships) appear in difference reports, but are automatically excluded from recovery. Organizations that use hybrid identity with Microsoft Entra ID can use difference reports to identify changes to objects synchronized from on-premises. For certain object types, such as users and groups, you can move the source of authority from on-premises to the cloud. After conversion, all Backup and Recovery functionality is available for those objects. Back up and recover objects managed on-premises by using an alternative solution.
 
 
 
 
 
 
 
 
> [!NOTE]
> The set of supported objects and properties expands over time. Recovery applies only to supported properties listed in this article and doesn't imply full object rollback.
 
Backups are created automatically once per day and retained for up to five days. Difference reports compare a selected backup with the current tenant state and show changes to supported properties and links.
 
## Recovery scope levels
 
When you create a difference report or start recovery, you can scope the operation to all supported objects, selected object types, or specific object IDs. Some related objects are grouped for scoping. For example, service principals, OAuth2 permission grants, and app role assignments are grouped under a single filter in the Microsoft Entra admin center.
 
## User
 
Recovery for user objects supports these properties:
 
Microsoft Entra Backup and Recovery doesn't support the recovery or re-creation of hard-deleted objects. Only soft-deleted or modified objects can be restored.
 
Soft-deleted supported objects can be restored for 30 days through [soft-delete recovery processes](/entra/architecture/recover-from-deletions). Backup and Recovery focuses on restoring supported backup state from retained backups and doesn't replace those recovery processes.
 
### Objects managed in on-premises Active Directory Domain Services
 
Any changes made to on-premises synced objects (except group memberships) appear in difference reports, but are automatically excluded from recovery. Organizations that use hybrid identity with Microsoft Entra ID can use difference reports to identify changes to objects synchronized from on-premises. For certain object types, such as users and groups, you can move the source of authority from on-premises to the cloud. After conversion, all Backup and Recovery functionality is available for those objects. Back up and recover objects managed on-premises by using an alternative solution.
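Review bot: The two adjacent sentences "Only soft-deleted or modified objects can be restored" and "Soft-deleted supported objects can be restored for 30 days through soft-delete recovery processes ... doesn't replace those recovery processes" leave it unclear which path an administrator should take for a soft-deleted object, and what Backup and Recovery does for one once it is older than the five-day backup window; state the recommended path explicitly. In the new Recovery scope levels section, the statement that service principals, OAuth2 permission grants, and app role assignments share a single filter raises a question worth answering in the text: whether a By object ID recovery of a service principal also recovers its permission grants and app role assignments, since that determines which consent state is reinstated.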
Modified by Ken Withee on Jun 25, 2026 8:42 PM
+5 / -3 lines changed
Commit: Clarify Backup and Recovery resilience guidance
Changes:
Before
After
> [!IMPORTANT]
> Microsoft Entra Backup and Recovery is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
Microsoft Entra Backup and Recovery is a built-in backup and recovery solution that lets you recover critical Microsoft Entra directory objects to a previously known good state after accidental changes or security compromises. Supported objects include users, groups, apps, service principals, Conditional Access policies, named locations, authentication method policy, and partial authorization policy. The solution also supports Agent ID because it consists of user and service principal objects with distinct types and characteristics.
 
## How backups work
 
Microsoft Entra Backup and Recovery lets you:
 
- **View available backups**: See a list of backups available in your Microsoft Entra tenant.
- **Create difference reports**: Before recovering objects to a previous state, compare the current state of your tenant with a backup by creating a difference report.
- **Recover objects**: Choose to recover all objects or select objects by object type or object ID.
- **Review recovery history**: View completed and in-progress recovery operations for your tenant.
 
> [!TIP]
 
Organizations that use hybrid identity with Microsoft Entra ID can create difference reports to identify changes to objects synchronized from Active Directory Domain Services (AD DS). For certain object types, such as groups, you can move the source of authority from AD DS to the cloud. This makes all Microsoft Entra Backup and Recovery functionality available for those converted objects. Use an alternative solution to back up and recover objects managed in AD DS.
 
Microsoft Entra Backup and Recovery doesn't support the recovery or re-creation of hard-deleted objects.
 
> [!IMPORTANT]
> Microsoft Entra Backup and Recovery is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
Microsoft Entra Backup and Recovery is a built-in backup and recovery solution that lets you recover critical Microsoft Entra directory objects to a previously known good state after accidental changes or security compromises. Supported objects include users, groups, apps, service principals, Conditional Access policies, named locations, authentication method policy, and selected authorization policy settings. The solution also supports Agent ID because it consists of user and service principal objects with distinct types and characteristics.
 
## How backups work
 
Microsoft Entra Backup and Recovery lets you:
 
- **View available backups**: See a list of backups available in your Microsoft Entra tenant.
- **Create difference reports**: Before recovering objects to a previous state, compare the current state of your tenant with a backup and review changed attributes and links.
- **Recover objects**: Recover all supported objects, selected object types, or specific object IDs.
- **Review recovery history**: View completed and in-progress recovery operations for your tenant.
 
> [!TIP]
 
Organizations that use hybrid identity with Microsoft Entra ID can create difference reports to identify changes to objects synchronized from Active Directory Domain Services (AD DS). For certain object types, such as groups, you can move the source of authority from AD DS to the cloud. This makes all Microsoft Entra Backup and Recovery functionality available for those converted objects. Use an alternative solution to back up and recover objects managed in AD DS.
 
Soft-deleted supported objects can be restored for 30 days through [soft-delete recovery processes](/entra/architecture/recover-from-deletions). Backup and Recovery restores supported object and configuration state from retained backups and complements those processes.
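Review bot: The After drops the overview statement that hard-deleted objects can't be recovered or re-created and replaces it with the soft-delete sentence, while the other articles in this commit (the WARNING in the recovery scope article and the supported-objects article) keep the hard-delete restriction; the overview should retain one sentence on hard deletes so a reader does not take the 30-day soft-delete note as covering all deletions. Also, "> [!TIP]" is followed by a blank line and an unquoted paragraph in both versions, so the TIP callout renders empty; prefix the hybrid-identity paragraph with "> " if it belongs inside the callout, or remove the callout marker.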
 
Modified by Faith Moraa Ombongi on Jun 25, 2026 2:25 PM
+2 / -2 lines changed
Commit: AI admin and reader manual overrides (#13640)
Changes:
Before
After
title: What's new in Microsoft Entra RBAC documentation
description: Learn about the new features and documentation improvements in Microsoft Entra role-based access control (RBAC).
ms.topic: whats-new
ms.date: 06/17/2026
 
---
 
 
| Date | Area | Description |
| --- | --- | --- |
| June 2026 | Roles | Updated [AI Administrator](permissions-reference.md#ai-administrator) role. |
| June 2026 | Roles | Updated [Agent ID Administrator](permissions-reference.md#agent-id-administrator) and [Agent ID Developer](permissions-reference.md#agent-id-developer) roles. |
| May 2026 | Roles | Updated [Identity Governance Administrator](permissions-reference.md#identity-governance-administrator) role to a privileged role. |
| April 2026 | Roles | Added [AI Reader](permissions-reference.md#ai-reader) and [Customer Delegated Admin Relationship Administrator](permissions-reference.md#customer-delegated-admin-relationship-administrator) roles. |
title: What's new in Microsoft Entra RBAC documentation
description: Learn about the new features and documentation improvements in Microsoft Entra role-based access control (RBAC).
ms.topic: whats-new
ms.date: 06/24/2026
 
---
 
 
| Date | Area | Description |
| --- | --- | --- |
| June 2026 | Roles | Updated [AI Administrator](permissions-reference.md#ai-administrator) role and [AI Reader](permissions-reference.md#ai-reader) roles.|
| June 2026 | Roles | Updated [Agent ID Administrator](permissions-reference.md#agent-id-administrator) and [Agent ID Developer](permissions-reference.md#agent-id-developer) roles. |
| May 2026 | Roles | Updated [Identity Governance Administrator](permissions-reference.md#identity-governance-administrator) role to a privileged role. |
| April 2026 | Roles | Added [AI Reader](permissions-reference.md#ai-reader) and [Customer Delegated Admin Relationship Administrator](permissions-reference.md#customer-delegated-admin-relationship-administrator) roles. |
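Review bot: The updated June row reads "Updated [AI Administrator](...) role and [AI Reader](...) roles.|", a singular/plural mismatch with no space before the closing pipe; suggest "Updated [AI Administrator](permissions-reference.md#ai-administrator) and [AI Reader](permissions-reference.md#ai-reader) roles. |" to match the Agent ID row directly below it.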