Microsoft Entra Documentation Changes

Daily summary for changes since November 5th 2025, 7:16 PM PST

Report generated on November 6th 2025, 7:16 PM PST

Summary

- Total Commits: 32
- New Files: 0
- Modified Files: 10
- Deleted Files: 1
- Contributors: 12

Modified Documentation Files

+39 / -1 lines changed
Commit: Consolidate same-device number matching docs
Changes:
Before
After
ms.service: entra-id
ms.subservice: authentication
ms.topic: article
ms.date: 03/04/2025
ms.author: justinha
author: justinha
# Customer intent: As an identity administrator, I want to explain how number matching in MFA push notifications from Authenticator in Microsoft Entra ID works in different use cases.
 
If your organization uses Remote Desktop Gateway and the user registered for a TOTP code along with Authenticator push notifications, the user can't meet the Microsoft Entra MFA challenge and Remote Desktop Gateway sign-in fails. In this case, set `OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE` to fall back to **Approve**/**Deny** push notifications with Authenticator.
 
## FAQs
 
This section provides answers to common questions.
 
 
 
 
 
 
 
ms.service: entra-id
ms.subservice: authentication
ms.topic: article
ms.date: 11/06/2025
ms.author: justinha
author: justinha
# Customer intent: As an identity administrator, I want to explain how number matching in MFA push notifications from Authenticator in Microsoft Entra ID works in different use cases.
 
If your organization uses Remote Desktop Gateway and the user registered for a TOTP code along with Authenticator push notifications, the user can't meet the Microsoft Entra MFA challenge and Remote Desktop Gateway sign-in fails. In this case, set `OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE` to fall back to **Approve**/**Deny** push notifications with Authenticator.
 
## Authenticator app same-device number matching
 
When a user signs in for MFA or phone sign-in with number match to Microsoft mobile apps like Teams and Outlook on the same device as their Authenticator app, they can reply Yes/No when prompted rather than enter the number. Users who sign in with Microsoft Edge, Chrome, or Safari web browsers continue to enter the number to sign in.
 
This greatly improves the experience for users who sign in with number matching on the same device where they run Authenticator. There's no increased risk for users by switching to Yes/No because the prompt only shows on the device that initiated the sign in.
 
Platform-specific scenario details are provided in this topic.
 
>[!Note]
>In the following scenarios, the user signs in on the same device as Authenticator. There's no experience change when users complete number matching on a different device.
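Review bot: The added sentence "There's no increased risk for users by switching to Yes/No because the prompt only shows on the device that initiated the sign in" states a security guarantee without saying how the same-device condition is established. Suggest tying it to the note that follows (number entry is unchanged on a different device) and using "sign-in" as the noun. The section also says "Platform-specific scenario details are provided in this topic", so confirm the scenario tables from the deleted how-to-mfa-number-match-preview.md are carried over in this same commit.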
+5 / -17 lines changed
Commit: Update MFA number matching doc to remove preview references
Changes:
Before
After
---
title: Authenticator App same-device number matching improvements (preview)
description: Learn about improvemenst to number matching in preview for Microsoft Authenticator.
ms.service: entra-id
ms.subservice: authentication
ms.topic: article
# Customer intent: As an identity administrator, I want to explain how number matching in MFA push notifications from Authenticator in Microsoft Entra ID works in different use cases.
---
 
# Authenticator App same-device number matching improvements (preview)
 
When a user signs in for MFA or phone sign-in with number match to Microsoft mobile apps like Teams and Outlook on the same device as their Authenticator app, they can reply Yes/No when prompted rather than enter the number. Users who sign in with Microsoft Edge, Chrome, or Safari web browsers continue to see today’s number matching experience. Platform-specific scenario details are provided below.
 
>[!Note]
>In the following scenarios, the user signs in on the same device as Authenticator. There is no experience change when users complete number matching on a different device.
 
## How to prepare
 
User signs in to a Microsoft app like Outlook or Teams with an SSO extension. | Yes. The user sees the Yes/No prompt but they need to open the Authenticator app to complete the sign-in.
User signs in to a browser like Edge or Chrome. | No. The user sees a notification with the number match request on the sign-in in screen. In a browser, they need to tap the notification to enter the number and approve the sign-in.
---
title: Authenticator App same-device number matching improvements
description: Learn about improvemenst to number matching in for Microsoft Authenticator.
ms.service: entra-id
ms.subservice: authentication
ms.topic: article
# Customer intent: As an identity administrator, I want to explain how number matching in MFA push notifications from Authenticator in Microsoft Entra ID works in different use cases.
---
 
# Authenticator App same-device number matching improvements
 
When a user signs in for MFA or phone sign-in with number match to Microsoft mobile apps like Teams and Outlook on the same device as their Authenticator app, they can reply Yes/No when prompted rather than enter the number. Users who sign in with Microsoft Edge, Chrome, or Safari web browsers continue to see today’s number matching experience. Platform-specific scenario details are provided in this topic.
 
>[!Note]
>In the following scenarios, the user signs in on the same device as Authenticator. There's no experience change when users complete number matching on a different device.
 
## How to prepare
 
User signs in to a Microsoft app like Outlook or Teams with an SSO extension. | Yes. The user sees the Yes/No prompt but they need to open the Authenticator app to complete the sign-in.
User signs in to a browser like Edge or Chrome. | No. The user sees a notification with the number match request on the sign-in in screen. In a browser, they need to tap the notification to enter the number and approve the sign-in.
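Review bot: In the front matter, dropping "preview" left the description reading "number matching in for Microsoft Authenticator", and the existing typo "improvemenst" is still present; suggest "Learn about improvements to number matching for Microsoft Authenticator." The browser row also says "on the sign-in in screen", which should be "sign-in screen", and "today's number matching experience" reads as dated now that the preview label is gone.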
Modified by csmulligan on Nov 6, 2025 10:17 AM
+9 / -9 lines changed
Commit: Numbering updates.
Changes:
Before
After
> If you select **Review** before adding settings, the **Subscription** and **Resource group** appear on the right-hand side. These fields are read-only. To make changes, remove the existing service provider information and restart the wizard.
Keep the window open while the background subscription check runs. If you close or refresh the window before the check finishes, you might need to restart the wizard from **Start setup**.
 
:::image type="content" source="media/how-to-azure-monitor/add-diagnostic-settings.png" alt-text="Screenshot that shows the Add diagnostic settings page." lightbox="media/how-to-azure-monitor/add-diagnostic-settings.png"::::::
 
 
6. Select **Add diagnostic setting** to add a new setting or **Edit setting** to edit an existing one. You might need multiple diagnostic settings for a resource if you want to send data to multiple destinations of the same type.
7. Give your setting a descriptive name.
8. **Logs and metrics to route**: For logs, either choose a [category group](/azure/azure-monitor/platform/diagnostic-settings?tabs=portal#category-groups) or select the individual checkboxes for each category of data you want to send to the destinations specified later. The list of categories varies for each Azure service. Select **AllMetrics** if you want to collect platform metrics.
9. **Destination details**: Select the checkbox for each destination that should be included in the diagnostic settings and then provide the details for each. If you select Log Analytics workspace as a destination, then you might need to specify the collection mode. See [Collection mode](/azure/azure-monitor/platform/resource-logs?tabs=log-analytics#collection-mode) for details.
 
## Visualize your data with log queries
 
| order by SignInCount desc nulls last
```
 
1. Select **Run**. The query results are displayed at the bottom of the screen.
1. To save your query for later use, select **Save**.
 
:::image type="content" source="media/how-to-azure-monitor/query-policy-usage.png" alt-text="Screenshot of the Log Analytics log editor.":::
> If you select **Review** before adding settings, the **Subscription** and **Resource group** appear on the right-hand side. These fields are read-only. To make changes, remove the existing service provider information and restart the wizard.
Keep the window open while the background subscription check runs. If you close or refresh the window before the check finishes, you might need to restart the wizard from **Start setup**.
 
:::image type="content" source="media/how-to-azure-monitor/add-diagnostic-settings.png" alt-text="Screenshot that shows the Add diagnostic settings page." lightbox="media/how-to-azure-monitor/add-diagnostic-settings.png":::
 
 
3. Select **Add diagnostic setting** to add a new setting or **Edit setting** to edit an existing one. You might need multiple diagnostic settings for a resource if you want to send data to multiple destinations of the same type.
4. Give your setting a descriptive name.
5. **Logs and metrics to route**: For logs, either choose a [category group](/azure/azure-monitor/platform/diagnostic-settings?tabs=portal#category-groups) or select the individual checkboxes for each category of data you want to send to the destinations specified later. The list of categories varies for each Azure service. Select **AllMetrics** if you want to collect platform metrics.
6. **Destination details**: Select the checkbox for each destination that should be included in the diagnostic settings and then provide the details for each. If you select Log Analytics workspace as a destination, then you might need to specify the collection mode. See [Collection mode](/azure/azure-monitor/platform/resource-logs?tabs=log-analytics#collection-mode) for details.
 
## Visualize your data with log queries
 
| order by SignInCount desc nulls last
```
 
5. Select **Run**. The query results are displayed at the bottom of the screen.
6. To save your query for later use, select **Save**.
 
:::image type="content" source="media/how-to-azure-monitor/query-policy-usage.png" alt-text="Screenshot of the Log Analytics log editor.":::
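Review bot: The step numbers are now hard-coded (3 to 6 in the diagnostic settings list, 5 and 6 after the query block), where the second list previously used "1." for each item. Hard-coded numbers must be re-edited whenever a step is added or removed, which is what this commit is doing; if the goal is to continue one list across the image and the code fence, indenting those blocks under their step and keeping "1." numbering would hold the sequence without manual updates. Please also confirm that steps 1 to 4 precede "5. Select **Run**" in the part of the section not shown here.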
+1 / -8 lines changed
Commit: edits
Changes:
Before
After
ms.service: entra-id
ms.subservice: authentication
ms.topic: article
ms.date: 09/24/2025
 
author: justinha
ms.author: justinha
- BLE and NFC security keys aren't supported on Android by Google.
- Sign-in with passkey isn't supported in Firefox on Android.
 
## Known issues
 
### Sign in when more than three passkeys are registered
 
If you registered more than three passkeys, sign in with a passkey might not work on iOS or Safari on macOS. If you have more than three passkeys, as a workaround, click **Sign-in options** and sign in without entering a username.
 
:::image type="content" border="true" source="media/fido2-compatibility/sign-in-options.png" alt-text="Screenshot of sign-in options.":::
 
## [**Native apps**](#tab/native)
 
ms.service: entra-id
ms.subservice: authentication
ms.topic: article
ms.date: 11/06/2025
 
author: justinha
ms.author: justinha
- BLE and NFC security keys aren't supported on Android by Google.
- Sign-in with passkey isn't supported in Firefox on Android.
 
 
## [**Native apps**](#tab/native)
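Review bot: The "Known issues" section on sign-in with more than three passkeys on iOS or Safari on macOS is removed under the commit message "edits", with nothing stating that the issue is resolved. If it is fixed, say so in the commit or PR description; if it is not, users lose the **Sign-in options** workaround. Also check whether media/fido2-compatibility/sign-in-options.png is still referenced elsewhere, or delete the file with this change.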
 
 
 
 
 
 
 
 
Modified by Marilee Turscak - MSFT on Nov 7, 2025 1:33 AM
+3 / -2 lines changed
Commit: Fixed text
Changes:
Before
After
A Log Analytics workspace is a data store to collect log data types from Azure and non-Azure resources and applications. We recommend you send all log data to one Log Analytics workspace.
1. [Create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
2. To incorporate the data you want to analyze, add diagnostics settings. See the following list.
* AuditLogs
* SignInLogs
## Discern risk event types
Risk even types include unfamiliar sign-in, unusual tokens, and unlikely travel are examples. After you determine user patterns, review detections and summarize them by the risk event type.
1. Use the **AADUserRiskEvents** table.
2. Summarize with **RiskEventType**.
 
A Log Analytics workspace is a data store to collect log data types from Azure and non-Azure resources and applications. We recommend you send all log data to one Log Analytics workspace.
1. [Create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
2. To incorporate the data you want to analyze, add diagnostics settings. See the following list:
* AuditLogs
* SignInLogs
## Discern risk event types
After we've looked at patterns from specific users, we recommend reviewing the detections themselves and summarizing them by detection type.
1. Use the **AADUserRiskEvents** table.
2. Summarize with **RiskEventType**.
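Review bot: Under "Discern risk event types", the replacement sentence says "detection type" while the heading and step 2 use "risk event type" and **RiskEventType**; pick one term. The rewrite also drops the examples (unfamiliar sign-in, unusual tokens, unlikely travel) instead of repairing the broken sentence that held them, and it switches to "we've looked" where the surrounding steps address the reader. Consider keeping a line such as "Examples of risk event types include unfamiliar sign-in, unusual tokens, and unlikely travel."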
+2 / -3 lines changed
Commit: EIG Quick updates
Changes:
Before
After
 
- You won't be able to create new access reviews scoped to guest users if any of the following features are selected:
- Inactive user access review
- User-to-group affiliation recommendation helper
- You won't be able to update existing reviews that add these features.
 
### Entitlement Management
 
- You won't be able to create policies with guests in scope (β€œ*For all users in your directory including guests*” or β€œ*For users not in your directory*”) and the Microsoft Entra ID Governance features listed in this documentation (For example, sponsor approvers, custom extensions, and Verified ID).
 
- You won't be able to create new access reviews scoped to guest users if any of the following features are selected:
- Inactive user access review
- User-to-group affiliation recommendation helper
### Entitlement Management
 
- You won't be able to create policies with guests in scope (β€œ*For all users in your directory including guests*” or β€œ*For users not in your directory*”) and the Microsoft Entra ID Governance features listed in this documentation (For example, sponsor approvers, custom extensions, and Verified ID).
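Review bot: After this change "### Entitlement Management" follows the "User-to-group affiliation recommendation helper" bullet with no blank line between them; restore the blank line so the heading renders reliably. The bullet "You won't be able to update existing reviews that add these features" is also removed without explanation, so confirm that limitation no longer applies and was not dropped along with the spacing change.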
 
Modified by Barclay Neira on Nov 6, 2025 2:51 PM
+4 / -0 lines changed
Commit: Update what's new section for October 2025
Changes:
Before
After
This article lists the latest features, improvements, and changes in the Microsoft Entra Verified ID service.
 
 
## September 2025
 
- Entra Verified ID is supported on Microsoft GCC environments.
 
 
 
 
This article lists the latest features, improvements, and changes in the Microsoft Entra Verified ID service.
 
 
## October 2025
 
Partner Gallery Update: Reorganized content and removed deprecated individual partner pages.
 
## September 2025
 
- Entra Verified ID is supported on Microsoft GCC environments.
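Review bot: The October 2025 entry is a bare paragraph while the September 2025 entry is a bullet; format it as "- Partner Gallery update: reorganized content and removed deprecated individual partner pages." for consistency. A link to the reorganized gallery page would help readers who arrive looking for one of the removed partner pages.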
Modified by Shannon Leavitt on Nov 6, 2025 6:41 PM
+1 / -1 lines changed
Commit: Update docs/fundamentals/data-residency.md
Changes:
Before
After
ms.date: 11/06/2025
ms.author: jricketts
ms.reviewer: jricketts
ms.custom: "it-pro", references_regions
ms.collection:
# Customer intent: As a cloud administrator, I want to understand how Microsoft Entra ID handles data residency, so that I can ensure compliance with data residency requirements and make informed decisions about storing and managing identity and access data in the cloud.
---
ms.date: 11/06/2025
ms.author: jricketts
ms.reviewer: jricketts
ms.custom: it-pro, references_regions
ms.collection:
# Customer intent: As a cloud administrator, I want to understand how Microsoft Entra ID handles data residency, so that I can ensure compliance with data residency requirements and make informed decisions about storing and managing identity and access data in the cloud.
---
+1 / -1 lines changed
Commit: Date update
Changes:
Before
After
ms.service: entra-external-id
ms.subservice: external
ms.topic: how-to
ms.date: 05/21/2025
ms.author: cmulligan
ms.custom: it-pro, seo-july-2024, sfi-image-nochange
#Customer intent: As an it admin, I want to learn how to create an external tenant in the Microsoft Entra admin center.
ms.service: entra-external-id
ms.subservice: external
ms.topic: how-to
ms.date: 11/06/2025
ms.author: cmulligan
ms.custom: it-pro, seo-july-2024, sfi-image-nochange
#Customer intent: As an it admin, I want to learn how to create an external tenant in the Microsoft Entra admin center.
Modified by Derdus Kenga on Nov 6, 2025 9:24 AM
+0 / -1 lines changed
Commit: Correct refresh token lifetime for EOTP
Changes:
Before
After
author: cilwerner
manager: pmwongera
ms.author: cwerner
ms.custom: curation-claims
ms.date: 11/05/2025
ms.reviewer: ludwignick
ms.service: identity-platform
author: cilwerner
manager: pmwongera
ms.author: cwerner
ms.date: 11/05/2025
ms.reviewer: ludwignick
ms.service: identity-platform
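Review bot: The commit message says it corrects the refresh token lifetime for EOTP, but the only visible change (+0 / -1) is the removal of "ms.custom: curation-claims" from the front matter. Either the lifetime correction is missing from this commit or the message describes a different change; please reconcile the two and confirm that dropping the curation-claims tag is intended.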
 

Deleted Documentation Files

DELETED docs/identity/authentication/how-to-mfa-number-match-preview.md
Deleted by Justinha on Nov 6, 2025 6:27 PM
Was available at: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match-preview
-48 lines removed
Commit: Consolidate same-device number matching docs