📋 Microsoft Entra Documentation Changes

Daily summary for changes since November 18th 2025, 7:16 PM PST

Report generated on November 19th 2025, 7:16 PM PST

📊 Summary

Total Commits: 43
New Files: 0
Modified Files: 21
Deleted Files: 0
Contributors: 17

📝 Modified Documentation Files

+50 / -12 lines changed
Commit: Revert agent ID changes based on discussion with Robert
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/04/2025
ms.custom: include file, agent-id-ignite
---
 
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.directory/accessReviews/definitions.applications/allProperties/allTasks | Manage access reviews of application role assignments in Microsoft Entra ID |
> | microsoft.directory/accessReviews/definitions.directoryRoles/allProperties/read | Read all properties of access reviews for Microsoft Entra role assignments |
> | microsoft.directory/accessReviews/definitions.entitlementManagement/allProperties/allTasks | Manage access reviews for access package assignments in entitlement management |
> | microsoft.directory/accessReviews/definitions.groups/allProperties/read | Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups. |
> | microsoft.directory/accessReviews/definitions.groups/allProperties/update | Update all properties of access reviews for membership in Security and Microsoft 365 groups, excluding role-assignable groups. |
> | microsoft.directory/accessReviews/definitions.groups/create | Create access reviews for membership in Security and Microsoft 365 groups. |
> | microsoft.directory/accessReviews/definitions.groups/delete | Delete access reviews for membership in Security and Microsoft 365 groups. |
> | microsoft.directory/externalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |
> | microsoft.directory/groups.unified/createAsOwner | Create Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner. |
> | microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/19/2025
ms.custom: include file, agent-id-ignite
---
 
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.directory/agentIdentities/appRoleAssignedTo/update | Update agent identity role assignments. |
> | microsoft.directory/agentIdentities/basic/update | Update basic properties of agent identities. |
> | microsoft.directory/agentIdentities/create | Create agent identities.<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
> | microsoft.directory/agentIdentities/delete | Delete agent identities.<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
> | microsoft.directory/agentIdentities/disable | Disable agent identities.<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
> | microsoft.directory/agentIdentities/enable | Enable agent identities.<br/>[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md) |
> | microsoft.directory/agentIdentities/owners/update | Add and remove owners to agent identities. |
> | microsoft.directory/agentIdentities/tag/update | Update tags for agent identities. |
> | microsoft.directory/agentIdentityBlueprintPrincipals/appRoleAssignedTo/update | Update agent identity blueprint principal role assignments. |
> | microsoft.directory/agentIdentityBlueprintPrincipals/basic/update | Update basic properties of agent identity blueprint principals. |
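Review bot: In the added agentIdentities rows, create, delete, disable and enable carry the privileged label, but microsoft.directory/agentIdentities/owners/update, microsoft.directory/agentIdentities/appRoleAssignedTo/update and microsoft.directory/agentIdentityBlueprintPrincipals/appRoleAssignedTo/update do not. Owner and role-assignment changes decide who controls an identity and what it can reach, so please confirm these rows match privileged-roles-permissions.md and add the label if they belong there. The commit title says "Revert agent ID changes" while the After side adds agent identity permissions; a line in the commit body naming the change being undone would make the history easier to audit.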
Modified by csmulligan on Nov 19, 2025 2:24 PM
+9 / -9 lines changed
Commit: Added PM recommendations.
Changes:
Before
After
ms.subservice: external
ms.topic: concept-article
ms.date: 10/02/2025
ms.custom: it-pro
---
 
 
|Feature Name |Description |
|--------------|-------------|
|Brute force protection | Mitigates brute force attacks by limiting the number of sign-in attempts to prevent unauthorized access through repeated password guessing. |
|Common networking HTTP Protection | Provides protection against common network-layer attacks and timing-based attacks, protecting against attempts to overwhelm your service with excessive requests.|
|Account Protection | Guards against unauthorized account access to protect user data and prevent account breaches. |
|Access Control | Controls access to applications and resources so that only authorized users can access sensitive information. |
## Conditional Access and multifactor authentication (MFA)
 
Customizable policies and MFA enhance security by reducing unauthorized access to applications and resources.
 
|Feature Name |Description |
ms.subservice: external
ms.topic: concept-article
ms.date: 11/19/2025
ms.custom: it-pro
---
 
 
|Feature Name |Description |
|--------------|-------------|
|[Brute force protection](/entra/identity/authentication/howto-password-smart-lockout) | Mitigates brute force attacks by limiting the number of sign-in attempts to prevent unauthorized access through repeated password guessing. |
|[Common networking HTTP Protection](/entra/external-id/customers/reference-service-limits) | Provides protection against common network-layer attacks and timing-based attacks, protecting against attempts to overwhelm your service with excessive requests.|
|Account Protection | Helps safeguard against unauthorized access to protect user data and prevent account breaches. Relying solely on risk-based multifactor authentication (MFA) isn't a complete security strategy for account protection. MFA is just one control and isn't sufficient for comprehensive identity protection. We offer partner solutions account protection ([Cloudflare](/entra/external-id/customers/how-to-configure-waf-integration) and [Akamai](/entra/external-id/customers/how-to-configure-akamai-integration)) and continue to develop additional options. |
|[Access Control](/entra/external-id/customers/how-to-use-app-roles-customers) | Controls access to applications and resources so that only authorized users can access sensitive information. |
## Conditional Access and multifactor authentication (MFA)
 
Customizable policies and MFA enhance security by reducing unauthorized access to applications and resources.
 
|Feature Name |Description |
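Review bot: The new Account Protection description contains "We offer partner solutions account protection", which is missing a preposition (for example "partner solutions for account protection"). The two sentences before it both state that MFA alone isn't sufficient, so one of them can go. Account Protection is also now the only row whose feature name isn't a link; either link it or keep the Cloudflare and Akamai links in a form that matches the other rows.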
Modified by Faith Moraa Ombongi on Nov 19, 2025 5:54 PM
+1 / -11 lines changed
Commit: resolve merge conflicts
Changes:
Before
After
> [!div class="mx-tableFixed"]
> | Role | Description | Template ID |
> | --- | --- | --- |
<<<<<<< HEAD
> | [Agent ID Administrator](#agent-id-administrator) | Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users. | db506228-d27e-4b7d-95e5-295956d6615f |
=======
> | [Agent ID Administrator](#agent-id-administrator) | Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) |db506228-d27e-4b7d-95e5-295956d6615f |
>>>>>>> 46a9d6bd9ffcf4fd53f67d3d651ee75c2b57ba50
> | [Agent ID Developer](#agent-id-developer) | Create an agent blueprint and its service principal in a tenant. User will be added as an owner of the agent blueprint and its service principal. | adb2368d-a9be-41b5-8667-d96778e081b0 |
> | [Agent Registry Administrator](#agent-registry-administrator) | Manage all aspects of the Agent Registry service in Microsoft Entra ID | 6b942400-691f-4bf0-9d12-d8a254a2baf5 |
> | [AI Administrator](#ai-administrator) | Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. | d2562ede-74db-457e-a7b6-544e236ebb61 |
> | [Security Reader](#security-reader) | Can read security information and reports in Microsoft Entra ID and Office 365.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 5d6b6bb7-de71-4623-b4af-96380a352509 |
> | [Service Support Administrator](#service-support-administrator) | Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033 |
> | [SharePoint Administrator](#sharepoint-administrator) | Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
> | [SharePoint Advanced Management Administrator](#sharepoint-advanced-management-administrator) | Manage all aspects of SharePoint Advanced Management. | 99009c4a-3b3f-4957-82a9-9d35e12db77e |
> | [SharePoint Backup Administrator](#sharepoint-backup-administrator) | Back up and restore content (including granular restore) for SharePoint and OneDrive in Microsoft 365 Backup | 9d3e04ba-3ee4-4d1b-a3a7-9aef423a09be |
> | [SharePoint Embedded Administrator](#sharepoint-embedded-administrator) | Manage all aspects of SharePoint Embedded containers. | 1a7d78b6-429f-476b-b8eb-35fb715fffd4 |
> | [Skype for Business Administrator](#skype-for-business-administrator) | Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e |
> | [Windows Update Deployment Administrator](#windows-update-deployment-administrator) | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
> | [Yammer Administrator](#yammer-administrator) | Manage all aspects of the Yammer service. | 810a2642-a034-447f-a5e8-41beaa378541 |
> [!div class="mx-tableFixed"]
> | Role | Description | Template ID |
> | --- | --- | --- |
> | [Agent ID Administrator](#agent-id-administrator) | Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | db506228-d27e-4b7d-95e5-295956d6615f |
> | [Agent ID Developer](#agent-id-developer) | Create an agent blueprint and its service principal in a tenant. User will be added as an owner of the agent blueprint and its service principal. | adb2368d-a9be-41b5-8667-d96778e081b0 |
> | [Agent Registry Administrator](#agent-registry-administrator) | Manage all aspects of the Agent Registry service in Microsoft Entra ID | 6b942400-691f-4bf0-9d12-d8a254a2baf5 |
> | [AI Administrator](#ai-administrator) | Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. | d2562ede-74db-457e-a7b6-544e236ebb61 |
> | [Security Reader](#security-reader) | Can read security information and reports in Microsoft Entra ID and Office 365.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 5d6b6bb7-de71-4623-b4af-96380a352509 |
> | [Service Support Administrator](#service-support-administrator) | Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033 |
> | [SharePoint Administrator](#sharepoint-administrator) | Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
> | [SharePoint Backup Administrator](#sharepoint-backup-administrator) | Back up and restore content (including granular restore) for SharePoint and OneDrive in Microsoft 365 Backup | 9d3e04ba-3ee4-4d1b-a3a7-9aef423a09be |
> | [SharePoint Embedded Administrator](#sharepoint-embedded-administrator) | Manage all aspects of SharePoint Embedded containers. | 1a7d78b6-429f-476b-b8eb-35fb715fffd4 |
> | [Skype for Business Administrator](#skype-for-business-administrator) | Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e |
> | [Windows Update Deployment Administrator](#windows-update-deployment-administrator) | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
> | [Yammer Administrator](#yammer-administrator) | Manage all aspects of the Yammer service. | 810a2642-a034-447f-a5e8-41beaa378541 |
 
## Agent ID Administrator
 
[!INCLUDE [agent-id-administrator](includes/agent-id-administrator.md)]
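Review bot: The resolved table appears to have lost the SharePoint Advanced Management Administrator row (template ID 99009c4a-3b3f-4957-82a9-9d35e12db77e), which the Before side lists between SharePoint Administrator and SharePoint Backup Administrator. The conflict itself only covered the Agent ID Administrator row, so this looks like an accidental drop during resolution; please restore the row or explain the removal in the commit message. The Before side also shows that Git conflict markers (the HEAD, ======= and commit-hash lines) were committed into the role reference table, so a pre-merge check that rejects files containing conflict markers would be worth adding.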
 
+2 / -9 lines changed
Commit: removing preview
Changes:
Before
After
---
title: Configure Transport Layer Security Inspection Settings (preview)
description: Learn how to configure a Transport Layer Security inspection certificate authority
author: HULKsmashGithub
ms.author: jayrusso
#customer intent: As a Global Secure Access administrator, I want to configure a context-aware Transport Layer Security inspection policy and assign the policy to users in my organization.
---
 
# Configure Transport Layer Security inspection settings (preview)
Transport Layer Security (TLS) inspection in Microsoft Entra Internet Access uses a two-tier Intermediate certificate model to issue dynamically generated leaf certificates for decrypting traffic. This article explains how to configure the Certificate Authority (CA) that serves as the Global Secure Access intermediate CA, including signing and uploading the certificate.
 
> [!IMPORTANT]
> The Transport Layer Security inspection feature is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
> While in preview, don't use TLS inspection in production environments.
 
 
## Prerequisites
To complete the steps in this process, you must have the following prerequisites in place:
---
title: Configure Transport Layer Security Inspection Settings
description: Learn how to configure a Transport Layer Security inspection certificate authority
author: HULKsmashGithub
ms.author: jayrusso
#customer intent: As a Global Secure Access administrator, I want to configure a context-aware Transport Layer Security inspection policy and assign the policy to users in my organization.
---
 
# Configure Transport Layer Security inspection settings
Transport Layer Security (TLS) inspection in Microsoft Entra Internet Access uses a two-tier Intermediate certificate model to issue dynamically generated leaf certificates for decrypting traffic. This article explains how to configure the Certificate Authority (CA) that serves as the Global Secure Access intermediate CA, including signing and uploading the certificate.
 
## Prerequisites
To complete the steps in this process, you must have the following prerequisites in place:
- A Public Key Infrastructure (PKI) service to sign the Certificate Signing Request (CSR) and generate an intermediate certificate for TLS inspection. For testing scenarios, you can also use a self-signed root certificate created with OpenSSL.
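Review bot: The front matter's customer intent line ("I want to configure a context-aware Transport Layer Security inspection policy and assign the policy to users in my organization") describes policy assignment, while the title, description and opening paragraph of this article are about configuring the certificate authority and signing and uploading the intermediate certificate. Since the metadata is already being edited to drop "(preview)", update the customer intent to match the CA task. The prerequisite allows a self-signed OpenSSL root "for testing scenarios"; now that the note against production use is gone, it would help to say explicitly that production deployments should sign the CSR with the organization's PKI.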
 
 
 
 
 
 
+2 / -8 lines changed
Commit: removing preview
Changes:
Before
After
#customer intent: As a Global Secure Access administrator, I want to learn about the Transport Layer Security (TLS) protocol to support the creation of TLS inspection policies.
 
---
# What is Transport Layer Security inspection? (Preview)
The Transport Layer Security (TLS) protocol uses certificates at the transport layer to ensure the privacy, integrity, and authenticity of data exchanged between two communicating parties. While TLS secures legitimate traffic, malicious traffic like malware and data leakage attacks can still hide behind encryption. The Microsoft Entra Internet Access TLS inspection capability provides visibility into encrypted traffic by making content available for enhanced protection, such as malware detection, data loss prevention, prompt inspection, and other advanced security controls.
 
> [!IMPORTANT]
> The Transport Layer Security inspection feature is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here. While in preview, use TLS inspection with care, especially in production environments, thoroughly evaluate before deployment.
 
This article gives an overview of the TLS inspection process.
 
## The TLS inspection process
When you enable TLS inspection, Global Secure Access decrypts HTTPS requests at the service edge and applies security controls like full URL enhanced web content filtering policies. If no security control blocks the request, Global Secure Access encrypts and forwards the request to the destination.
#customer intent: As a Global Secure Access administrator, I want to learn about the Transport Layer Security (TLS) protocol to support the creation of TLS inspection policies.
 
---
# What is Transport Layer Security inspection?
The Transport Layer Security (TLS) protocol uses certificates at the transport layer to ensure the privacy, integrity, and authenticity of data exchanged between two communicating parties. While TLS secures legitimate traffic, malicious traffic like malware and data leakage attacks can still hide behind encryption. The Microsoft Entra Internet Access TLS inspection capability provides visibility into encrypted traffic by making content available for enhanced protection, such as malware detection, data loss prevention, prompt inspection, and other advanced security controls. This article gives an overview of the TLS inspection process.
 
## The TLS inspection process
When you enable TLS inspection, Global Secure Access decrypts HTTPS requests at the service edge and applies security controls like full URL enhanced web content filtering policies. If no security control blocks the request, Global Secure Access encrypts and forwards the request to the destination.
 
 
 
 
 
 
+2 / -8 lines changed
Commit: removing preview
Changes:
Before
After
---
title: Configure Transport Layer Security Inspection Policies (preview)
description: Learn how to configure a Transport Layer Security inspection policy and assign it to users in your organization.
author: HULKsmashGithub
ms.author: jayrusso
#customer intent: As a Global Secure Access administrator, I want to configure a context-aware Transport Layer Security inspection policy and assign the policy to users in my organization.
---
 
# Configure Transport Layer Security inspection policies (preview)
Transport Layer Security (TLS) inspection in Microsoft Entra Internet Access lets you decrypt and inspect encrypted traffic at service edge locations. This feature lets Global Secure Access apply advanced security controls like threat detection, content filtering, and granular access policies. These access policies help protect against threats that might be hidden in encrypted communications.
 
> [!IMPORTANT]
> The Transport Layer Security inspection feature is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
> While in preview, don't use TLS inspection in production environments.
This article explains how to create a context-aware Transport Layer Security inspection policy and assign it to users in your organization.
 
## Prerequisites
---
title: Configure Transport Layer Security Inspection Policies
description: Learn how to configure a Transport Layer Security inspection policy and assign it to users in your organization.
author: HULKsmashGithub
ms.author: jayrusso
#customer intent: As a Global Secure Access administrator, I want to configure a context-aware Transport Layer Security inspection policy and assign the policy to users in my organization.
---
 
# Configure Transport Layer Security inspection policies
Transport Layer Security (TLS) inspection in Microsoft Entra Internet Access lets you decrypt and inspect encrypted traffic at service edge locations. This feature lets Global Secure Access apply advanced security controls like threat detection, content filtering, and granular access policies. These access policies help protect against threats that might be hidden in encrypted communications.
This article explains how to create a context-aware Transport Layer Security inspection policy and assign it to users in your organization.
 
## Prerequisites
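Review bot: With the [!IMPORTANT] block removed, the sentence beginning "This article explains how to create a context-aware Transport Layer Security inspection policy" now sits on the line directly under the introductory paragraph with no blank line between them, so Markdown renders the two as one paragraph. Add a blank line, or merge the sentence into the paragraph on purpose.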
 
 
 
 
 
 
+4 / -4 lines changed
Commit: Wording fix
Changes:
Before
After
 
## Scope a group for SOA operations within an Administrative Unit
 
To scope a group for Source of Authority operations within an Administrative Unit(AU), do the following steps:
 
1. Create an AU to use as the scope for the group. For steps on creating an AU, see: [Create an administrative unit](../../identity/role-based-access-control/admin-units-manage.md#create-an-administrative-unit).
 
1. Add the group as a Hybrid Identity Administrator within the scope.
:::image type="content" source="media/how-to-user-source-of-authority-configure/assign-scope-role.png" alt-text="Screenshot of assigning a hybrid admin role to an Administrative unit scope." lightbox="media/how-to-user-source-of-authority-configure/assign-scope-role.png":::
1. Add the group to the AU. For information on this, see: [Add users, groups, or devices to an administrative unit](../../identity/role-based-access-control/admin-units-members-add.md).
 
1.Transfer the SOA of a group within the scope of the AU. For a guide on transferring the SOA of groups, see: [Convert SOA for a test group](how-to-group-source-of-authority-configure.md#convert-soa-for-a-test-group).
 
## Related content
 
 
## Scope a group for SOA operations within an Administrative Unit
 
To scope a group for Source of Authority operations within an Administrative Unit, do the following steps:
 
1. Create an unit to use as the scope for the group. For steps on creating an unit, see: [Create an administrative unit](../../identity/role-based-access-control/admin-units-manage.md#create-an-administrative-unit).
 
1. Add the group as a Hybrid Identity Administrator within the scope.
:::image type="content" source="media/how-to-user-source-of-authority-configure/assign-scope-role.png" alt-text="Screenshot of assigning a hybrid admin role to an Administrative unit scope." lightbox="media/how-to-user-source-of-authority-configure/assign-scope-role.png":::
1. Add the group to the unit. For information on this, see: [Add users, groups, or devices to an administrative unit](../../identity/role-based-access-control/admin-units-members-add.md).
 
1. Transfer the SOA of a group within the scope of the unit. For a guide on transferring the SOA of groups, see: [Convert SOA for a test group](how-to-group-source-of-authority-configure.md#convert-soa-for-a-test-group).
 
## Related content
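Review bot: Replacing "AU" with "unit" leaves "Create an unit" and "creating an unit" in step 1; the article should be "a unit". The bare word "unit" is also less clear than the term used in the heading and the link text, so "administrative unit" in steps 1, 3 and 4 would read better. The added space in "1. Transfer" is correct and restores the list numbering.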
 
+4 / -4 lines changed
Commit: Wording fix
Changes:
Before
After
 
## Scope a user for SOA operations within an Administrative Unit
 
To scope a user for Source of Authority operations within an Administrative Unit(AU), do the following steps:
 
1. Create an AU to use as the scope for the user. For steps on creating an AU, see: [Create an administrative unit](../../identity/role-based-access-control/admin-units-manage.md#create-an-administrative-unit).
 
1. Add the user as a Hybrid Identity Administrator within the scope.
:::image type="content" source="media/how-to-user-source-of-authority-configure/assign-scope-role.png" alt-text="Screenshot of assigning a hybrid admin role to an Administrative unit scope." lightbox="media/how-to-user-source-of-authority-configure/assign-scope-role.png":::
1. Add users to the AU. For information on this, see: [Add users, groups, or devices to an administrative unit](../../identity/role-based-access-control/admin-units-members-add.md).
 
1.Transfer the SOA of users within the scope of the AU. For a guide on transferring the SOA of users, see: [Transfer SOA for a test user](how-to-user-source-of-authority-configure.md#transfer-soa-for-a-test-user).
 
 
 
 
## Scope a user for SOA operations within an Administrative Unit
 
To scope a user for Source of Authority operations within an Administrative Unit, do the following steps:
 
1. Create an unit to use as the scope for the user. For steps on creating an unit, see: [Create an administrative unit](../../identity/role-based-access-control/admin-units-manage.md#create-an-administrative-unit).
 
1. Add the user as a Hybrid Identity Administrator within the scope.
:::image type="content" source="media/how-to-user-source-of-authority-configure/assign-scope-role.png" alt-text="Screenshot of assigning a hybrid admin role to an Administrative unit scope." lightbox="media/how-to-user-source-of-authority-configure/assign-scope-role.png":::
1. Add users to the unit. For information on this, see: [Add users, groups, or devices to an administrative unit](../../identity/role-based-access-control/admin-units-members-add.md).
 
1. Transfer the SOA of users within the scope of the unit. For a guide on transferring the SOA of users, see: [Transfer SOA for a test user](how-to-user-source-of-authority-configure.md#transfer-soa-for-a-test-user).
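Review bot: Step 2, "Add the user as a Hybrid Identity Administrator within the scope", reads as if the user whose SOA is being transferred receives the Hybrid Identity Administrator role, while steps 3 and 4 treat "users" in the unit as the objects being managed. Name the two principals separately (the administrator who gets the scoped role, and the users added to the administrative unit) so readers don't assign the role more widely than intended. Step 1 also has "Create an unit" and "creating an unit", which should be "a unit".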
 
 
 
+3 / -3 lines changed
Commit: Re-run to add SharePoint Advanced Management Admin
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 07/09/2025
ms.custom: include file
---
 
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.backup/oneDriveForBusinessProtectionPolicies/allProperties/allTasks | Create and manage OneDrive protection policy in Microsoft 365 Backup |
> | microsoft.backup/oneDriveForBusinessRestoreSessions/allProperties/allTasks | Read and configure restore session for OneDrive in Microsoft 365 Backup |
> | microsoft.backup/restorePoints/sites/allProperties/allTasks | Manage all restore points associated with selected SharePoint sites in M365 Backup |
> | microsoft.backup/restorePoints/userDrives/allProperties/allTasks | Manage all restore points associated with selected OneDrive accounts in M365 Backup |
> | microsoft.backup/sharePointProtectionPolicies/allProperties/allTasks | Create and manage SharePoint protection policy in Microsoft 365 Backup |
> | microsoft.backup/sharePointRestoreSessions/allProperties/allTasks | Read and configure restore session for SharePoint in Microsoft 365 Backup |
> | microsoft.backup/siteProtectionUnits/allProperties/allTasks | Manage sites added to SharePoint protection policy in Microsoft 365 Backup |
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/19/2025
ms.custom: include file
---
 
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.backup/oneDriveForBusinessProtectionPolicies/allProperties/allTasks | Create and manage OneDrive protection policy in Microsoft 365 Backup |
> | microsoft.backup/oneDriveForBusinessRestoreSessions/allProperties/allTasks | Read and configure restore session for OneDrive in Microsoft 365 Backup |
> | microsoft.backup/restorePoints/sites/allProperties/allTasks | Manage all restore points associated with selected SharePoint sites in Microsoft 365 Backup |
> | microsoft.backup/restorePoints/userDrives/allProperties/allTasks | Manage all restore points associated with selected OneDrive accounts in Microsoft 365 Backup |
> | microsoft.backup/sharePointProtectionPolicies/allProperties/allTasks | Create and manage SharePoint protection policy in Microsoft 365 Backup |
> | microsoft.backup/sharePointRestoreSessions/allProperties/allTasks | Read and configure restore session for SharePoint in Microsoft 365 Backup |
> | microsoft.backup/siteProtectionUnits/allProperties/allTasks | Manage sites added to SharePoint protection policy in Microsoft 365 Backup |
+3 / -3 lines changed
Commit: Re-run to add SharePoint Advanced Management Admin
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/17/2025
ms.custom: include file
---
 
> | microsoft.backup/siteRestoreArtifacts/allProperties/allTasks | Manage sites added to restore session for SharePoint in Microsoft 365 Backup |
> | microsoft.backup/userDriveProtectionUnits/allProperties/allTasks | Manage accounts added to OneDrive protection policy in Microsoft 365 Backup |
> | microsoft.backup/userDriveRestoreArtifacts/allProperties/allTasks | Manage accounts added to restore session for OneDrive in Microsoft 365 Backup |
> | microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
> | microsoft.directory/groups.unified/assignedLabels/update | Update the assigned labels property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
> | microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups |
> | microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups |
> | microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
> | microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
> | microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups |
> | microsoft.office365.migrations/allEntities/allProperties/allTasks | Manage all aspects of Microsoft 365 migrations |
> | microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/19/2025
ms.custom: include file
---
 
> | microsoft.backup/siteRestoreArtifacts/allProperties/allTasks | Manage sites added to restore session for SharePoint in Microsoft 365 Backup |
> | microsoft.backup/userDriveProtectionUnits/allProperties/allTasks | Manage accounts added to OneDrive protection policy in Microsoft 365 Backup |
> | microsoft.backup/userDriveRestoreArtifacts/allProperties/allTasks | Manage accounts added to restore session for OneDrive in Microsoft 365 Backup |
> | microsoft.directory/groups.unified/assignedLabels/update | Update the assigned labels property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
> | microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups |
> | microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups |
> | microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
> | microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
> | microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups |
> | microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
> | microsoft.office365.migrations/allEntities/allProperties/allTasks | Manage all aspects of Microsoft 365 migrations |
> | microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
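Review bot: the After list adds `microsoft.directory/groups/hiddenMembers/read` between `groups.unified/restore` and `microsoft.office365.migrations/...`, and unlike the neighbouring group actions it covers role-assignable groups too. The commit message describes a revert of agent ID changes, so confirm that giving this role read access to hidden group membership is intended here and not an unrelated change carried along. If it is intended, name the added action in the commit message.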
+3 / -3 lines changed
Commit: Re-run to add SharePoint Advanced Management Admin
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 10/16/2025
ms.custom: include file
---
 
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.backup/oneDriveForBusinessProtectionPolicies/allProperties/allTasks | Create and manage OneDrive protection policy in Microsoft 365 Backup |
> | microsoft.backup/oneDriveForBusinessRestoreSessions/allProperties/allTasks | Read and configure restore session for OneDrive in Microsoft 365 Backup |
> | microsoft.backup/restorePoints/sites/allProperties/allTasks | Manage all restore points associated with selected SharePoint sites in M365 Backup |
> | microsoft.backup/restorePoints/userDrives/allProperties/allTasks | Manage all restore points associated with selected OneDrive accounts in M365 Backup |
> | microsoft.backup/sharePointProtectionPolicies/allProperties/allTasks | Create and manage SharePoint protection policy in Microsoft 365 Backup |
> | microsoft.backup/sharePointRestoreSessions/allProperties/allTasks | Read and configure restore session for SharePoint in Microsoft 365 Backup |
> | microsoft.backup/siteProtectionUnits/allProperties/allTasks | Manage sites added to SharePoint protection policy in Microsoft 365 Backup |
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/19/2025
ms.custom: include file
---
 
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.backup/oneDriveForBusinessProtectionPolicies/allProperties/allTasks | Create and manage OneDrive protection policy in Microsoft 365 Backup |
> | microsoft.backup/oneDriveForBusinessRestoreSessions/allProperties/allTasks | Read and configure restore session for OneDrive in Microsoft 365 Backup |
> | microsoft.backup/restorePoints/sites/allProperties/allTasks | Manage all restore points associated with selected SharePoint sites in Microsoft 365 Backup |
> | microsoft.backup/restorePoints/userDrives/allProperties/allTasks | Manage all restore points associated with selected OneDrive accounts in Microsoft 365 Backup |
> | microsoft.backup/sharePointProtectionPolicies/allProperties/allTasks | Create and manage SharePoint protection policy in Microsoft 365 Backup |
> | microsoft.backup/sharePointRestoreSessions/allProperties/allTasks | Read and configure restore session for SharePoint in Microsoft 365 Backup |
> | microsoft.backup/siteProtectionUnits/allProperties/allTasks | Manage sites added to SharePoint protection policy in Microsoft 365 Backup |
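Review bot: the commit title says it adds SharePoint Advanced Management Admin, but the visible Before/After only moves `ms.date` from 10/16/2025 to 11/19/2025 and expands "M365 Backup" to "Microsoft 365 Backup" in the two `restorePoints` descriptions, which accounts for the whole +3 / -3. Retitle the commit to describe the wording fix, or point to the file where the new role's permissions were actually added.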
Modified by BIS Admin Account on Nov 19, 2025 6:30 PM
+2 / -2 lines changed
Commit: Update bis-tutorial.md
Changes:
Before
After
1. On the **Basic SAML Configuration** section, perform the following step:
 
In the **Sign-on URL** text box, type the URL:
`https://www.bistrainer.com/sso/biscr.cfm`
 
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
 
 
## Configure BIS SSO
 
To configure single sign-on on **BIS** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from the application configuration to [BIS support team](mailto:help@bistrainer.com). They set this setting to have the SAML SSO connection set properly on both sides.
 
### Create BIS test user
 
1. On the **Basic SAML Configuration** section, perform the following step:
 
In the **Sign-on URL** text box, type the URL:
`https://www.bissafety.app/sso/biscr.cfm`
 
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
 
 
## Configure BIS SSO
 
To configure single sign-on on **BIS** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from the application configuration to [BIS support team](mailto:help@bissafety.app). They set this setting to have the SAML SSO connection set properly on both sides.
 
### Create BIS test user
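Review bot: the Sign-on URL host changes from `www.bistrainer.com` to `www.bissafety.app`, and the support address that receives the Federation Metadata XML moves to the same new domain, while the commit message ("Update bis-tutorial.md") gives no reason. Tenants will configure SSO against this URL and e-mail their metadata to this address, so confirm the new domain with the vendor through an independent channel before publishing and record the reason for the move in the commit message. The unchanged download step also calls the Federation Metadata XML "the certificate", which is worth correcting while this section is open.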
 
Modified by Faith Moraa Ombongi on Nov 19, 2025 4:38 PM
+1 / -2 lines changed
Commit: Revert agent ID changes based on discussion with Robert
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/04/2025
ms.custom: include file, agent-id-ignite
---
 
> | Actions | Description |
> | --- | --- |
> | microsoft.directory/servicePrincipals/standard/read | Read basic properties of service principals |
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/19/2025
ms.custom: include file, agent-id-ignite
---
 
> | Actions | Description |
> | --- | --- |
> | microsoft.directory/servicePrincipals/standard/read | Read basic properties of service principals |
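Review bot: the header reports +1 / -2, yet the only visible difference is `ms.date` moving from 11/04/2025 to 11/19/2025, and `ms.custom` still carries `agent-id-ignite` in the After block. If the revert is meant to take agent ID material out of this include, drop the tag here as well or note in the commit message why this file keeps it.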
 
+1 / -2 lines changed
Commit: Revert agent ID changes based on discussion with Robert
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/04/2025
ms.custom: include file, agent-id-ignite
---
 
> | Actions | Description |
> | --- | --- |
> | microsoft.agentRegistry/allEntities/allProperties/allTasks | Manage all aspects of Agent Registry in Microsoft Entra ID |
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/19/2025
ms.custom: include file, agent-id-ignite
---
 
> | Actions | Description |
> | --- | --- |
> | microsoft.agentRegistry/allEntities/allProperties/allTasks | Manage all aspects of Agent Registry in Microsoft Entra ID |
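Review bot: `microsoft.agentRegistry/allEntities/allProperties/allTasks` is identical in Before and After, so a commit titled as a revert of agent ID changes leaves full Agent Registry management in this role. Confirm that is the intended outcome, and state in the commit message which action was removed, since the removed line is not visible in this excerpt.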
 
+1 / -1 lines changed
Commit: Revert agent ID changes based on discussion with Robert
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 07/09/2025
ms.custom: include file
---
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 11/19/2025
ms.custom: include file
---