📋 Microsoft Entra Documentation Changes

Daily summary for changes since November 17th 2025, 7:17 PM PST

Report generated on November 18th 2025, 7:17 PM PST

📊 Summary

Total Commits: 64
New Files: 2
Modified Files: 17
Deleted Files: 5
Contributors: 23

🆕 New Documentation Files

+167 lines added
Commit: Add updates to agent ID docs
+93 lines added
Commit: Add updates to agent ID docs

πŸ“ Modified Documentation Files

+85 / -121 lines changed
Commit: Add updates to agent ID docs
Changes:
Before
After
ms.topic: reference
ms.date: 11/07/2025
ms.author: sarahlipsey
 
---
# Microsoft Entra Agent Registry built-in roles
 
In the Microsoft Entra Agent Registry, you can assign built-in roles to administrators or other security principals to manage agents, agent cards, collections, and role assignments. These roles provide the permissions required to perform specific actions, such as creating or updating agent instances, managing collection membership, or configuring agent discoverability.
 
This article lists the Agent Registry built-in roles you can assign to manage Agent Registry resources. Agent Registry also requires the [Agent Registry Administrator](../../identity/role-based-access-control/permissions-reference.md#agent-registry-administrator) built-in Microsoft Entra role.
 
## Assign Agent Registry roles
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Agent Registry Administrator](../../identity/role-based-access-control/permissions-reference.md#agent-registry-administrator).
1. Browse to **Entra ID** > **Agent ID** > **Agent Registry**.
1. Select **Access Control** > **Role assignments** > **Add principal**.
1. Select the principal you want to assign and select **Save**.
1. Choose the desired role and select **Entire application** as the scope.
1. Select **Create** to complete the role assignment.
 
ms.topic: reference
ms.date: 11/07/2025
ms.author: sarahlipsey
ms.reviewer: paparth
 
---
# Microsoft Entra Agent Registry roles
 
In the Microsoft Entra Agent Registry, you can assign roles to administrators or other security principals to manage agent instances, agent card manifests, and agent collections. These roles provide the permissions required to perform specific actions, such as creating or updating agent instances, create agent card manifests, or managing collection membership.
 
This article lists the Agent Registry roles you can assign to manage Agent Registry resources. Agent Registry also allows the [Agent Registry Administrator](../../identity/role-based-access-control/permissions-reference.md#agent-registry-administrator) built-in Microsoft Entra role.
 
## Assign Agent Registry roles
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an [Agent Registry Administrator](../../identity/role-based-access-control/permissions-reference.md#agent-registry-administrator).
1. Browse to **Entra ID** > **Agent ID** > **Agent collections** > **Custom** > **Manage role assignments**.
1. Under **Access Control**, select **Role Assignments** > **Create Role Assignment**.
1. Choose **Select principal** > select **Role** > **Resource scope** > **Next**. Role assignment to Groups isn't supported. If you're choosing Resource scope as specific resource, select Resource type and enter Resource ID as the corresponding objectId.
1. Review and select **Create**.
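
Review bot: Step 4 of the new procedure packs the principal, role and scope selections, the Groups limitation and the Resource ID instruction into one list item, so the restriction "Role assignment to Groups isn't supported" is easy to miss; move it into a note and give the specific-resource case its own sub-step. In the intro, "create agent card manifests" breaks the parallel with "creating or updating" and "managing". The second paragraph changes "requires" to "allows" for the Agent Registry Administrator role, yet step 1 still signs in as that role, so state whether the registry-scoped roles alone are enough to make assignments.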
 
+31 / -28 lines changed
Commit: Add updates to agent ID docs
Changes:
Before
After
 
# Disable agent identities in your tenant
 
Agent identities are enabled by default in all Microsoft Entra ID tenants. Customers concerned about security or reliability of agent identities can use the steps in this article to fully disable their use in your tenant. Microsoft Entra agent ID is subject to its [standard preview terms and conditions](/entra/fundamentals/licensing-preview-info).
 
## Types of identities used by AI agents
 
 
- **Agents using Agent IDs**: Agents created using systems like Microsoft Copilot Studio, Azure AI Foundry, and Security Copilot might also be created as proper agent identities in your tenant. These agent identities are a new identity with clear classification, richer metadata, and feature designed to address the unique security challenges of AI agents.
 
The remainder of this article discusses methods for disabling the use of these agent identities in your tenant.
 
## Review existing agent identities in your tenant
 
1. Apply Conditional Access policies to prevent agent identities from authenticating.
1. (Optional) Block creation of agent identities in your tenant via various channels.
 
## 1. Block token issuance to Agent IDs using Conditional Access
 
Conditional Access policies can be used to block authentication and token issuance of Agent IDs. Applying the policies below will prevent existing and new Agent IDs from authenticating. It will not prevent the creation of Agent IDs in your tenant.
 
# Disable agent identities in your tenant
 
Agent identities are enabled by default in all Microsoft Entra ID tenants. Customers who want to control which Agent IDs are allowed in their tenant can follow the guidance in this article to configure their preferred settings. Microsoft Entra Agent ID is subject to its [standard preview terms and conditions](/entra/fundamentals/licensing-preview-info).
 
## Types of identities used by AI agents
 
 
- **Agents using Agent IDs**: Agents created using systems like Microsoft Copilot Studio, Azure AI Foundry, and Security Copilot might also be created as proper agent identities in your tenant. These agent identities are a new identity with clear classification, richer metadata, and feature designed to address the unique security challenges of AI agents.
 
The remainder of this article discusses methods for disabling the use of Agent IDs in your tenant.
 
## Review existing agent identities in your tenant
 
1. Apply Conditional Access policies to prevent agent identities from authenticating.
1. (Optional) Block creation of agent identities in your tenant via various channels.
 
 
## Monitor for Agent ID creations and activity
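
Review bot: The title and the sentence "The remainder of this article discusses methods for disabling the use of Agent IDs in your tenant" still describe disabling, while the rewritten intro now says the article helps customers "control which Agent IDs are allowed"; align the title and that sentence with the new framing, or keep the original intro. The unchanged bullet under "Types of identities used by AI agents" still reads "and feature designed", which should be "features".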
 
Modified by Ken Downie on Nov 18, 2025 10:03 PM
+16 / -16 lines changed
Commit: Revise Kerberos documentation for cloud only identity support preview
Changes:
Before
After
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 09/05/2025
ms.author: barclayn
ms.reviewer: Vimala
---
 
For more information about Kerberos in Windows, see [Kerberos authentication overview in Windows Server](/windows-server/security/kerberos/kerberos-authentication-overview).
 
## Hybrid identity
 
Currently, Microsoft Entra Kerberos works only with hybrid identities.
 
A hybrid identity refers to a user identity that exists both in on-premises AD DS and in Microsoft Entra ID. These identities are synchronized through tools like Microsoft Entra Connect, so users can access both cloud-based and on-premises resources by using a single set of credentials.
 
This setup enables seamless authentication and SSO experiences across environments. It's ideal for organizations that want to transition to the cloud while maintaining legacy infrastructure.
 
## Key features and benefits
 
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 11/18/2025
ms.author: barclayn
ms.reviewer: Vimala
---
 
For more information about Kerberos in Windows, see [Kerberos authentication overview in Windows Server](/windows-server/security/kerberos/kerberos-authentication-overview).
 
## Hybrid versus cloud-only identities
 
Microsoft Entra Kerberos works with hybrid identities and cloud-only identities. Cloud-only identity support is currently in preview.
 
A hybrid identity refers to a user identity that exists both in on-premises AD DS and in Microsoft Entra ID. These identities are synchronized through tools like Microsoft Entra Connect, so users can access both cloud-based and on-premises resources by using a single set of credentials. This setup enables seamless authentication and SSO experiences across environments. It's ideal for organizations that want to transition to the cloud while maintaining legacy infrastructure.
 
Cloud-only identities are created and managed exclusively in Microsoft Entra ID.
 
## Key features and benefits
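
Review bot: The new "Hybrid versus cloud-only identities" section defines a cloud-only identity in one sentence but never says what differs for Kerberos between the two identity types, or which scenarios the preview covers; add that, or link to the preview article, so readers can tell whether the rest of the page applies to cloud-only accounts.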
 
+11 / -10 lines changed
Commit: Updating bulleted text
Changes:
Before
After
 
- [How to use Microsoft Entra health monitoring signals and alerts](/entra/identity/monitoring-health/howto-use-health-scenario-alerts)
 
This article describes the health metrics related to Remote Networks connectivity and troubleshoot potential problems.
 
This scenario:
 
- Aggregate the \# of tunnels that are connected.
 
- Aggregate the \# of tunnels that are disconnected.
 
- Aggregate the \# of tunnels with BGP disconnected.
 
## Prerequisites
 
There are different roles, permissions, and license requirements to view health monitoring signals and configure and receive alerts. We recommend using a role with least privilege access to align with theΒ [Zero Trust guidance](/security/zero-trust/zero-trust-overview).
 
- A tenant with aΒ [Microsoft Entra P1 or P2 license](/entra/fundamentals/get-started-premium)Β is required toΒ *view*Β the Microsoft Entra health scenario monitoring signals.
 
- A tenant with Microsoft Entra Global Secure Access license is required. For details, see the licensing section of [What is Global Secure Access?](/entra/global-secure-access/overview-what-is-global-secure-access).
 
- [How to use Microsoft Entra health monitoring signals and alerts](/entra/identity/monitoring-health/howto-use-health-scenario-alerts)
 
This article describes the health metrics related to Remote Network connectivity and provides steps to troubleshoot potential problems.
This article covers two scenarios:
 
- Global Secure Access requiring remote network tunnel connectivity
- Presents data showing the number of remote network tunnels that are connected.
- Presents data showing the number of remote network tunnels that are disconnected.
- Global Secure Access requiring remote network BGP connectivity
- Presents data showing the number of remote networks with BGP connected.
- Presents data showing the number of remote networks with BGP disconnected.
 
## Prerequisites
 
There are different roles, permissions, and license requirements to view health monitoring signals and configure and receive alerts. We recommend using a role with least privilege access to align with theΒ [Zero Trust guidance](/security/zero-trust/zero-trust-overview).
 
- A tenant with aΒ [Microsoft Entra P1 or P2 license](/entra/fundamentals/get-started-premium)Β is required toΒ *view*Β the Microsoft Entra health scenario monitoring signals
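
Review bot: In the rewritten scenario list as shown here, the "Presents data showing ..." items sit at the same level as the two "Global Secure Access requiring ..." items they describe; indent them as sub-bullets so each scenario owns its two metrics. "This article covers two scenarios:" also follows the previous sentence with no blank line and will render in the same paragraph, and the P1 or P2 license bullet has lost its closing period.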
 
+6 / -6 lines changed
Commit: Apply suggestion from @MicrosoftGuyJFlo
Changes:
Before
After
 
## Disable passkey profiles (preview)
 
>[!NOTE]
>Opting out of passkey profiles (preview) will:
>*Remove all passkey profiles and their associated targets
>*Revert your passkey policy to the configuration of your default passkey profile, including its user targets
>*Disable support for synced passkeys
>Ensure taht no administrators will be locked out of their accounts due to these changes.
 
1. Sign in to the Microsoft Entra admin center as at least an [Authentication Policy Administrator](/entra/identity/role-based-access-control/permissions-reference#authentication-policy-administrator).
1. Browse to **Entra ID** > **Security** > **Authentication methods** > **Policies**.
 
## Disable passkey profiles (preview)
 
> [!NOTE]
> Opting out of passkey profiles (preview) will:
> * Remove all passkey profiles and their associated targets
> * Revert your passkey policy to the configuration of your default passkey profile, including its user targets
> * Disable support for synced passkeys
> * Ensure that no administrators will be locked out of their accounts due to these changes.
 
1. Sign in to the Microsoft Entra admin center as at least an [Authentication Policy Administrator](/entra/identity/role-based-access-control/permissions-reference#authentication-policy-administrator).
1. Browse to **Entra ID** > **Security** > **Authentication methods** > **Policies**.
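
Review bot: The last line of the note, "Ensure that no administrators will be locked out of their accounts due to these changes.", is now a bullet under "Opting out of passkey profiles (preview) will:", which makes it read as an effect of opting out rather than an action the admin must take. Keep the three effects as bullets and put the lockout check on its own line after the list, as in the previous layout.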
Modified by csmulligan on Nov 18, 2025 4:44 PM
+8 / -0 lines changed
Commit: Added External ID details.
Changes:
Before
After
- [Configure risk policies](../id-protection/howto-identity-protection-configure-risk-policies.md) (Updated)
- [Identity Protection overview](../id-protection/overview-identity-protection.md) (Updated)
 
 
 
## Microsoft Entra ID
 
 
 
 
 
 
 
 
 
- [Configure risk policies](../id-protection/howto-identity-protection-configure-risk-policies.md) (Updated)
- [Identity Protection overview](../id-protection/overview-identity-protection.md) (Updated)
 
### Microsoft Entra External ID
 
**Built-in protection with third-party partner solutions.** New partner integrations provide comprehensive protection across the identity lifecycle, including edge security, sign-up fraud prevention, and unified monitoring. Customers can configure sign-in using a unique username or alias.
 
- [Akamai WAF integration](../external-id/customers/how-to-configure-akamai-integration.md) (New)
- [Cloudflare WAF integration](../external-id/customers/how-to-configure-waf-integration.md) (Updated)
- [Arkose Labs and HUMAN Security fraud protection](../external-id/customers/how-to-integrate-fraud-protection.md) (New)
- [Azure Monitor and Microsoft Sentinel integration](../external-id/customers/how-to-azure-monitor) (Updated)
- [Sign in with an alias](../external-id/customers/how-to-sign-in-alias.md) (New)
 
## Microsoft Entra ID
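
Review bot: The Azure Monitor and Microsoft Sentinel link targets ../external-id/customers/how-to-azure-monitor without the .md extension that every other link in the new list carries; add it to match. The sentence "Customers can configure sign-in using a unique username or alias." is appended to a paragraph about third-party partner protection and would read better as its own item.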
 
Modified by shlipsey3 on Nov 18, 2025 5:30 PM
+4 / -3 lines changed
Commit: idp-updates-111825
Changes:
Before
After
 
### Licensing
 
- ID Protection for agents is included with the Microsoft Entra P2 license.
 
## How it works
 
 
| Agent risk detection | Detection type | Description | riskEventType |
|----------|-----|--------|----|
| Unfamiliar resource access | Offline | Agent targeted resources that it doesn't usuallyΒ access. This detection can mean that an attacker is trying to access sensitive resources beyond the agent's intended purpose. | unfamiliarResourceAccess |
| Sign-in spike | Offline | Agent made a higher number of sign-ins compared to its usual sign-in frequency. This spike can be an indicator that an attacker is using automation or a toolkit. | signInSpike |
| Failed access attempt | Offline | Agent attempted and failed to access resources for which it isn't authorized. This detection can indicate an attacker is attempting to replay an agent's token against an unauthorized resource. | failedAccessAttempt |
| Sign-in by risky user | Offline | Agent signed in on behalf of a risky user during a delegated authentication. This detection means that an attacker might be using a compromised user's credentials to exploit an agent. | riskyUserSignIn |
 
## View the risky agent report
 
- **Confirm compromise**: Select after manual investigation or automated detection confirms the account is compromised. This step is useful as part of incident response to prevent further damage. Confirm compromise automatically sets the risk level to High and creates an event in the agent's **Risk detections**. This action triggers risk-based Conditional Access policies that are configured to block access on High Agent Risk.
- **Confirm safe**: Marks the user as safe after investigation and clears any active risk state for that user by setting risk level to None. Use this option when you want to mark a false positive and for the system to avoid flagging similar activity.
- **Dismiss risk**: Tells the system that the detected risk for an agent is no longer relevant after investigation, or is a benign true positive where you want the system to continue to flag similar activity.
 
### Licensing
 
- ID Protection for agents is included with the Microsoft Entra P2 license while in preview.
 
## How it works
 
 
| Agent risk detection | Detection type | Description | riskEventType |
|----------|-----|--------|----|
| Unfamiliar resource access | Offline | Agent targeted resources that it doesn't usuallyΓ‚ access. This detection can mean that an attacker is trying to access sensitive resources beyond the agent's intended purpose. | unfamiliarResourceAccess |
| Sign-in spike | Offline | Agent made a higher number of sign-ins compared to its usual sign-in frequency. This spike can be an indicator that an attacker is using automation or a toolkit. | signInSpike |
| Failed access attempt | Offline | Agent attempted and failed to access resources for which it isn't authorized. This detection can indicate an attacker is attempting to replay an agent's token against an unauthorized resource. | failedAccessAttempt |
| Sign-in by risky user | Offline | Agent signed in on behalf of a risky user during a delegated authentication. This detection means that an attacker might be using a compromised user's credentials to exploit an agent. | riskyUserSignIn |
| Confirmed compromised | Offline | Admin confirmed agent compromised | adminConfirmedAgentCompromised |
| Microsoft Entra threat intelligence | Offline | Microsoft identified activity that is consistent with known attack patterns based on its internal and external threat intelligence sources. | threatIntelligenceAccount |
 
## View the risky agent report
 
- **Confirm compromise**: Select after manual investigation or automated detection confirms the account is compromised. This step is useful as part of incident response to prevent further damage. Confirm compromise automatically sets the risk level to High and creates an event in the agent's **Risk detections**. This action triggers risk-based Conditional Access policies that are configured to block access on High Agent Risk.
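
Review bot: The new "Confirmed compromised" row describes itself only as "Admin confirmed agent compromised", with no closing period and no reference to the **Confirm compromise** action described under "View the risky agent report"; write it as a full sentence that names that action, so readers can map adminConfirmedAgentCompromised to what an administrator did.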
Modified by Justin Ploegert on Nov 18, 2025 9:58 PM
+4 / -1 lines changed
Commit: Learn Editor: Update sso-linux.md
Changes:
Before
After
## Requirements
 
The Microsoft single sign-on for Linux is supported with the following operating systems (physical or Hyper-V machine with x86/64 CPUs):
- Ubuntu Desktop 24.04, 22.04 or 20.04 LTS
- RedHat Enterprise Linux 8
- RedHat Enterprise Linux 9
 
 
![Demo of the Linux Login component component](./media/sso-linux/linux-entra-login.gif)
 
## Deployment
 
### Installation
 
 
 
## Requirements
 
The Microsoft single sign-on for Linux is supported with the following operating systems (physical or Hyper-V machine with x86/64 CPUs):
- Ubuntu Desktop 24.04, 22.04 or 20.04 LTS
- RedHat Enterprise Linux 8
- RedHat Enterprise Linux 9
 
 
![Demo of the Linux Login component component](./media/sso-linux/linux-entra-login.gif)
 
> [!NOTE]
> The microsoft.identity.broker version 2.0.1 and less does not currently support [FIPs compliance](https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips"https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips")." Β 
 
## Deployment
 
### Installation
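
Review bot: The added note's link is malformed: the URL is repeated inside the parentheses as a quoted title with no space before it, and a stray `."` follows the closing parenthesis. Keep a single URL, write "FIPS" rather than "FIPs", and change "version 2.0.1 and less" to "version 2.0.1 and earlier"; the package name microsoft.identity.broker would also read better in code formatting.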
+2 / -2 lines changed
Commit: Agent Registry Administrator guid
Changes:
Before
After
> | Role | Description | Template ID |
> | --- | --- | --- |
> | [Agent ID Administrator](#agent-id-administrator) | Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) |db506228-d27e-4b7d-95e5-295956d6615f |
> | [Agent ID Developer](#agent-id-developer) | Create an agent blueprint and its service principal in a tenant. User will be added as an owner of the agent blueprint and its service principal. |adb2368d-a9be-41b5-8667-d96778e081b0 |
> | [Agent Registry Administrator](#agent-registry-administrator) | Manage all aspects of the Agent Registry service in Microsoft Entra ID | e733d94e-9700-4c6d-83f2-29c61df70250 |
> | [AI Administrator](#ai-administrator) | Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. | d2562ede-74db-457e-a7b6-544e236ebb61 |
> | [Application Administrator](#application-administrator) | Can create and manage all aspects of app registrations and enterprise apps.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 |
> | [Application Developer](#application-developer) | Can create application registrations independent of the 'Users can register applications' setting.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | cf1c38e5-3621-4004-a7cb-879624dced7c |
> | Role | Description | Template ID |
> | --- | --- | --- |
> | [Agent ID Administrator](#agent-id-administrator) | Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) |db506228-d27e-4b7d-95e5-295956d6615f |
> | [Agent ID Developer](#agent-id-developer) | Create an agent blueprint and its service principal in a tenant. User will be added as an owner of the agent blueprint and its service principal. | adb2368d-a9be-41b5-8667-d96778e081b0 |
> | [Agent Registry Administrator](#agent-registry-administrator) | Manage all aspects of the Agent Registry service in Microsoft Entra ID | 6b942400-691f-4bf0-9d12-d8a254a2baf5 |
> | [AI Administrator](#ai-administrator) | Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. | d2562ede-74db-457e-a7b6-544e236ebb61 |
> | [Application Administrator](#application-administrator) | Can create and manage all aspects of app registrations and enterprise apps.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 |
> | [Application Developer](#application-developer) | Can create application registrations independent of the 'Users can register applications' setting.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | cf1c38e5-3621-4004-a7cb-879624dced7c |
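
Review bot: The Template ID in the Agent Registry Administrator row changes from e733d94e-9700-4c6d-83f2-29c61df70250 to 6b942400-691f-4bf0-9d12-d8a254a2baf5, and the commit's two changed lines are both in this summary table, so the role's own section that the row links to (#agent-registry-administrator) was not touched; confirm any ID shown there matches. Anyone who assigns or audits this role by template ID in scripts is affected, so the change merits more in the commit message than "guid". The Agent ID Administrator row still lacks the space before its ID that this commit added for Agent ID Developer.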
+3 / -0 lines changed
Commit: Adding image to Internet Access document
Changes:
Before
After
 
- Select the **Internet applications blocked by Entra Internet Access Policy** scenario.
 
3. Review your Microsoft Entra Internet Access content filtering policies. For more information, see [How to configure Global Secure Access web content filtering - Global Secure Access \| Microsoft Learn](/entra/global-secure-access/how-to-configure-web-content-filtering).
 
4. Review Microsoft Entra Internet Access forwarding profile for access policies and user assignments. For more information, see [How to manage the Internet Access profile - Global Secure Access \| Microsoft Learn](/entra/global-secure-access/how-to-manage-internet-access-profile).
 
 
 
 
- Select the **Internet applications blocked by Entra Internet Access Policy** scenario.
 
:::image type="content" source="media/howto-investigate-internet-access-signals/internet-access-blocked.png" alt-text="Screenshot showing the Internet applications blocked by Entra Internet Access Policy scenario in the health monitoring dashboard." lightbox="media/howto-investigate-internet-access-signals/internet-access-blocked.png":::
 
 
3. Review your Microsoft Entra Internet Access content filtering policies. For more information, see [How to configure Global Secure Access web content filtering - Global Secure Access \| Microsoft Learn](/entra/global-secure-access/how-to-configure-web-content-filtering).
 
4. Review Microsoft Entra Internet Access forwarding profile for access policies and user assignments. For more information, see [How to manage the Internet Access profile - Global Secure Access \| Microsoft Learn](/entra/global-secure-access/how-to-manage-internet-access-profile).
+1 / -2 lines changed
Commit: Remove a duplicate from content + remove explicit reference to specific 3P vendor
Changes:
Before
After
## Known limitations
 
- The enforcement feature supports only the baseline profile. Network security policies apply per tenant.
- Integration with third-party DLP and ATP services, such as Netskope, isn't supported.
- Copilot Studio Bing search network transactions aren't supported.
- Only specific Copilot Studio connectors are supported with network security controls. Refer to the Copilot Studio documentation for the list of supported connectors.
- Currently the Agent Name returned in the Global Secure Access traffic logs is the agent's unique *schema name*.
- Currently the block experience for Copilot Studio agents blocked by GSA shows a *502 Bad Gateway* for HTTP Actions or a *403 Forbidden* for connectors. This is a known issue, and improvements are coming soon.
- Currently only the baseline profile is supported for enforcement, so network security policies are per-tenant.
 
## Next steps
 
## Known limitations
 
- The enforcement feature supports only the baseline profile. Network security policies apply per tenant.
- Global Secure Access partner ecosystem integrations, such as third-party Data Loss Prevention (DLP), aren't supported.
- Copilot Studio Bing search network transactions aren't supported.
- Only specific Copilot Studio connectors are supported with network security controls. Refer to the Copilot Studio documentation for the list of supported connectors.
- Currently the Agent Name returned in the Global Secure Access traffic logs is the agent's unique *schema name*.
- Currently the block experience for Copilot Studio agents blocked by GSA shows a *502 Bad Gateway* for HTTP Actions or a *403 Forbidden* for connectors. This is a known issue, and improvements are coming soon.
 
## Next steps
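
Review bot: The rewritten second bullet drops ATP: the old text said third-party "DLP and ATP services" aren't supported, while the new one names only "third-party Data Loss Prevention (DLP)" as an example. If threat-protection integrations remain unsupported, name them too, so removing the vendor reference doesn't narrow the stated limitation.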
 
 
Modified by Ortagus Winfrey on Nov 18, 2025 7:46 PM
+1 / -1 lines changed
Commit: Updates to custom data access review post ignite
Changes:
Before
After
:::image type="content" source="media/custom-data-resource-access-reviews/upload-access-data-files.png" alt-text="Screenshot of uploading files to custom access data.":::
> [!NOTE]
> To confirm all CSVs were uploaded successfully, view the [audit logs](entitlement-management-logs-and-reporting.md).
1. You have **up to two hours** from the time the review enters the *Initializing* state to complete the upload. After two hours, the system transitions the review status to **Active**.
 
 
## Active review state
:::image type="content" source="media/custom-data-resource-access-reviews/upload-access-data-files.png" alt-text="Screenshot of uploading files to custom access data.":::
> [!NOTE]
> To confirm all CSVs were uploaded successfully, view the [audit logs](entitlement-management-logs-and-reporting.md).
1. You have **up to two hours** from the time the review enters the *Initializing* state to complete the upload.
 
 
## Active review state
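
Review bot: With "After two hours, the system transitions the review status to **Active**." removed, the step gives a two-hour upload deadline but no longer says what happens when it passes; state the outcome for files not uploaded in time, or point to the "Active review state" section if it covers this.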
+1 / -1 lines changed
Commit: Add updates to agent ID docs
Changes:
Before
After
- Using real-time signals such as agent identities risk controlling agent access to resources, with Microsoft Managed Policies providing a secure baseline by blocking high-risk agents.
- Deploying Conditional Access policies at scale using custom security attributes, while still supporting fine-grained controls for individual agents.
 
For more information, see [Conditional Access](/entra/identity/conditional-access/overview).
 
## Identity governance for agents
 
- Using real-time signals such as agent identities risk controlling agent access to resources, with Microsoft Managed Policies providing a secure baseline by blocking high-risk agents.
- Deploying Conditional Access policies at scale using custom security attributes, while still supporting fine-grained controls for individual agents.
 
For more information, see [Conditional Access](/entra/identity/conditional-access/agent-id).
 
## Identity governance for agents
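
Review bot: The link text stays "Conditional Access" while the target moves from the general overview to /entra/identity/conditional-access/agent-id; rename it to something like "Conditional Access for agent identities" so readers know where it leads. The unchanged first bullet, "Using real-time signals such as agent identities risk controlling agent access to resources", is hard to parse and could be fixed in the same pass.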
 
Modified by Sherman Ouko on Nov 18, 2025 5:38 PM
+1 / -1 lines changed
Commit: Add updates to agent ID docs
Changes:
Before
After
 
The following known issues and gaps relate to consent and permissions.
 
### Admin consent workflow (ACW)**
 
The Microsoft Entra ID [admin consent workflow](/entra/identity/enterprise-apps/configure-admin-consent-workflow) doesn't work properly for permissions requested by Agent IDs. Users can contact their Microsoft Entra ID tenant admins to request permissions be granted to an Agent ID.
 
 
The following known issues and gaps relate to consent and permissions.
 
### Admin consent workflow (ACW)
 
The Microsoft Entra ID [admin consent workflow](/entra/identity/enterprise-apps/configure-admin-consent-workflow) doesn't work properly for permissions requested by Agent IDs. Users can contact their Microsoft Entra ID tenant admins to request permissions be granted to an Agent ID.
 
+1 / -1 lines changed
Commit: Add updates to agent ID docs
Changes:
Before
After
---
title: How are agent identities created?
description: Learn the channels and roles involved in creating Microsoft Entra agent identity blueprints, agent identities, and agent. Monitor and control their introduction into your tenant.
ms.service: entra-id
ms.topic: concept-article
ms.date: 11/04/2025
---
title: How are agent identities created?
description: Learn the channels and roles involved in creating Microsoft Entra agent identity blueprints, agent identities, and agent users. Monitor and control their introduction into your tenant.
ms.service: entra-id
ms.topic: concept-article
ms.date: 11/04/2025

πŸ—‘οΈ Deleted Documentation Files

DELETED docs/identity/enterprise-apps/agent-app-lifecycle-management.md
Deleted by omondiatieno on Nov 18, 2025 10:39 AM
πŸ“– Was available at: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/agent-app-lifecycle-management
-140 lines removed
Commit: remove agent articles
DELETED docs/identity/enterprise-apps/agent-contact-app-owners.md
Deleted by omondiatieno on Nov 18, 2025 10:39 AM
πŸ“– Was available at: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/agent-contact-app-owners
-139 lines removed
Commit: remove agent articles
DELETED docs/identity/enterprise-apps/agent-app-lifecycle-remediation-plans.md
Deleted by omondiatieno on Nov 18, 2025 10:39 AM
πŸ“– Was available at: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/agent-app-lifecycle-remediation-plans
-127 lines removed
Commit: remove agent articles
DELETED docs/identity/enterprise-apps/agent-app-lifecycle-discovery-onboard.md
Deleted by omondiatieno on Nov 18, 2025 10:39 AM
πŸ“– Was available at: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/agent-app-lifecycle-discovery-onboard
-112 lines removed
Commit: remove agent articles
DELETED docs/identity/enterprise-apps/agent-identify-prioritize-risky-apps.md
Deleted by omondiatieno on Nov 18, 2025 10:39 AM
πŸ“– Was available at: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/agent-identify-prioritize-risky-apps
-92 lines removed
Commit: remove agent articles