📋 Microsoft Entra Documentation Changes

Daily summary for changes since November 23rd 2025, 7:21 PM PST

Report generated on November 24th 2025, 7:21 PM PST

📊 Summary

Total Commits: 15
New Files: 0
Modified Files: 6
Deleted Files: 0
Contributors: 10

📝 Modified Documentation Files

Modified by Ortagus Winfrey on Nov 24, 2025 2:01 PM
📖 View on learn.microsoft.com
+58 / -0 lines changed
Commit: May 2025 added to archive
Changes:
Before
After
 
---
 
## April 2025
 
### Public Preview - Conditional Access Optimization Agent in Microsoft Entra
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
---
 
## May 2025
 
### General Availability - Microsoft Entra External ID: User authentication with SAML/WS-Fed Identity Providers
 
**Type:** New feature
**Service category:** B2C - Consumer Identity Management
**Product capability:** B2B/B2C
 
Set up a SAML or WS-Fed identity provider to enable users to sign up and sign in to, your applications using their own account with the identity provider. Users will be redirected to the identity provider, and then redirected back to Microsoft Entra after successful sign in. For more information, see: [SAML/WS-Fed identity providers](../external-id/direct-federation-overview.md).
 
---
 
### General Availability - Pre/Post Attribute Collection Custom Extensions in Microsoft Entra External ID
 
**Type:** New feature
**Service category:** B2C - Consumer Identity Management
**Product capability:** Extensibility
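Review bot: In the added May 2025 entry, the sentence "sign up and sign in to, your applications using their own account" carries a stray comma after "sign in to"; since the text is being copied into the archive anyway, drop it so the sentence reads "sign up and sign in to your applications". The entry also keeps the relative link `../external-id/direct-federation-overview.md`, so confirm that path still resolves from the archive file's location.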
Modified by Ortagus Winfrey on Nov 24, 2025 2:01 PM
📖 View on learn.microsoft.com
+0 / -51 lines changed
Commit: May 2025 added to archive
Changes:
Before
After
---
 
## May 2025
 
### General Availability - Microsoft Entra External ID: User authentication with SAML/WS-Fed Identity Providers
 
**Type:** New feature
**Service category:** B2C - Consumer Identity Management
**Product capability:** B2B/B2C
 
Set up a SAML or WS-Fed identity provider to enable users to sign up and sign in to, your applications using their own account with the identity provider. Users will be redirected to the identity provider, and then redirected back to Microsoft Entra after successful sign in. For more information, see: [SAML/WS-Fed identity providers](../external-id/direct-federation-overview.md).
 
 
### General Availability - Pre/Post Attribute Collection Custom Extensions in Microsoft Entra External ID
 
**Type:** New feature
**Service category:** B2C - Consumer Identity Management
**Product capability:** Extensibility
 
---
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Modified by John Flores on Nov 24, 2025 9:51 PM
📖 View on learn.microsoft.com
+6 / -7 lines changed
Commit: [Authentication] Windows device join methods
Changes:
Before
After
---
title: Join a new Windows 11 device with Microsoft Entra ID during the out of box experience
description: How users can set up Microsoft Entra join during OOBE.
 
ms.service: entra-id
ms.subservice: devices
ms.topic: tutorial
ms.date: 06/27/2025
 
ms.author: owinfrey
author: owinfreyATL
---
# Microsoft Entra join a new Windows device during the out of box experience
 
Windows 11 users can join new Windows devices to Microsoft Entra ID during the first-run out-of-box experience (OOBE). This functionality enables you to distribute shrink-wrapped devices to your employees or students.
 
This functionality pairs well with mobile device management platforms like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and tools like [Windows Autopilot](/mem/autopilot/windows-autopilot) to ensure devices are configured according to your standards.
 
1. Turn on your new device and start the setup process. Follow the prompts to set up your device.
1. When prompted **How would you like to set up this device?**, select **Set up for work or school**.
---
title: Join Windows 11 Devices to Microsoft Entra ID During OOBE
description: Discover how to set up Microsoft Entra join on a Windows 11 device during OOBE, ensuring seamless integration with your organization's directory.
 
ms.service: entra-id
ms.subservice: devices
ms.topic: tutorial
ms.date: 11/24/2025
 
ms.author: owinfrey
author: owinfreyATL
---
# Microsoft Entra join a new Windows device during the out of box experience
 
This tutorial shows you how to join a new Windows 11 device to Microsoft Entra ID during the out-of-box experience (OOBE). When you join a device during OOBE, the device becomes part of your organization's directory and can be managed according to their policies.
 
This functionality pairs well with mobile device management platforms like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and tools like [Windows Autopilot](/mem/autopilot/windows-autopilot) to ensure devices are configured according to your standards.
 
1. Turn on your new device and start the setup process. Follow the prompts to set up your device.
1. When prompted **How would you like to set up this device?**, select **Set up for work or school**.
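Review bot: In the rewritten intro paragraph, "can be managed according to their policies" has no antecedent for "their"; the preceding clause says "your organization's directory", so "according to your organization's policies" is what the sentence means. The front-matter title now reads "Join Windows 11 Devices to Microsoft Entra ID During OOBE" while the H1 still reads "Microsoft Entra join a new Windows device during the out of box experience"; consider aligning the two.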
+9 / -3 lines changed
Commit: Add images to manage collections in registry doc
Changes:
Before
After
1. In the **Agent collections** view, you see a tabbed section containing two options:
- Select **Predefined** tab to view agents added to the **Global** collection.
- Select **Custom** tab to view agents added to custom collections. This tab displays any custom collections that you created in your tenant. Selecting a custom collection shows the agents that are part of that collection.
 
## Create a custom collection
 
To create a custom collection, follow these steps:
1. Select **+ Create collection**.
1. Provide a descriptive and meaningful **Name** and **Description** of the collection.
 
## Add an agent to predefined collections
 
Use the following steps to add an agent to a predefined collection.
 
1. Select the **Predefined** tab to view the predefined collections.
1. Select the predefined collection you want to add the agent to. It opens a view listing all the agents in that collection and their source (builder platform).
1. To add an agent to the collection, select **+ Add**, then choose the agents you want to add.
 
## Add an agent to custom collections
 
1. In the **Agent collections** view, you see a tabbed section containing two options:
- Select **Predefined** tab to view agents added to the **Global** collection.
- Select **Custom** tab to view agents added to custom collections. This tab displays any custom collections that you created in your tenant. Selecting a custom collection shows the agents that are part of that collection.
:::image type="content" source="media/agent-registry-manage-collections/agent-collections.png" alt-text="Screenshot of the Agent collections view showing predefined and custom tabs.":::
## Create a custom collection
 
To create a custom collection, follow these steps:
1. Select **+ Create collection**.
1. Provide a descriptive and meaningful **Name** and **Description** of the collection.
 
:::image type="content" source="media/agent-registry-manage-collections/custom-collections.png" alt-text="Screenshot of the create custom collection dialog view.":::
 
## Add an agent to predefined collections
 
Use the following steps to add an agent to a predefined collection.
 
1. Select the **Predefined** tab to view the predefined collections.
1. Select the predefined collection you want to add the agent to. It opens a view listing all the agents in that collection and their publisher (builder platform).
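Review bot: The first added image directive (agent-collections.png) sits directly between the **Custom** bullet and the `## Create a custom collection` heading with no blank line on either side, unlike the custom-collections.png directive, which is set off by blank lines. Add a blank line before and after it, and indent it if it is meant to belong to step 1 so the numbered list is not broken. The same change also rewords "their source (builder platform)" to "their publisher (builder platform)", which the commit message "Add images to manage collections in registry doc" does not mention.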
Modified by vimrang on Nov 24, 2025 8:50 PM
📖 View on learn.microsoft.com
+4 / -1 lines changed
Commit: Update tenant restrictions documentation for clarity
Changes:
Before
After
- All Office apps (all versions/release channels)
- Universal Windows Platform (UWP) .NET applications
- Authentication plane protection for all applications that authenticate with Microsoft Entra ID, including all Microsoft applications and any partner applications that use Microsoft Entra ID for authentication
- Data plane protection for SharePoint Online, Exchange Online, and Microsoft Graph
- Anonymous access protection for Forms, SharePoint Online, OneDrive, and Teams (with federation controls configured)
- Authentication and data plane protection for Microsoft tenant or consumer accounts
- When you use universal tenant restrictions in Global Secure Access, all browsers and platforms
- When you use Windows Group Policy, Microsoft Edge and all websites in Microsoft Edge
- Scenarios with device-based authentication (including custom applications integrated with Microsoft Graph)
### Unsupported scenarios
 
 
 
 
- All Office apps (all versions/release channels)
- Universal Windows Platform (UWP) .NET applications
- Authentication plane protection for all applications that authenticate with Microsoft Entra ID, including all Microsoft applications and any partner applications that use Microsoft Entra ID for authentication
- Data plane protection for SharePoint Online, Exchange Online and Microsoft Graph
- Anonymous access protection for Forms, SharePoint Online, OneDrive, and Teams (with federation controls configured)
- Authentication and data plane protection for Microsoft tenant or consumer accounts
- When you use universal tenant restrictions in Global Secure Access, all browsers and platforms
- When you use Windows Group Policy, Microsoft Edge and all websites in Microsoft Edge
- Scenarios with device-based authentication (including custom applications integrated with Microsoft Graph)
- Tenant Restrictions v2 (TRv2) enforcement over Azure ExpressRoute when the TRv2 header to be present.
- TRv2 headers are automatically added when using Universal TRv2 via GSA or Windows Group Policy Objects (GPO) for client-side signaling. This approach supports both authentication and data plane protection.
- For proxy-based signaling, headers are injected only at the authentication plane protection and do not apply to the data plane protection. ExpressRoute operates at the network layer and does not terminate TLS or inspect HTTP traffic and the header injection requires TLS interception and application-layer processing, which must occur on a proxy or firewall before traffic enters ExpressRoute. If Trv2 headers are not added on the request, TRv2 will not enforced.
### Unsupported scenarios
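Review bot: The new ExpressRoute bullet, "Tenant Restrictions v2 (TRv2) enforcement over Azure ExpressRoute when the TRv2 header to be present.", is ungrammatical and leaves the condition unclear; wording such as "enforcement over Azure ExpressRoute, provided the TRv2 header is present on the request" states it. The closing sentence "If Trv2 headers are not added on the request, TRv2 will not enforced" needs "will not be enforced" and the "TRv2" casing used elsewhere; it describes the case where restrictions do not apply, so it should be unambiguous. The two bullets that follow read as sub-points of the ExpressRoute item but sit at the same list level, and the data plane bullet lost its serial comma ("Exchange Online and Microsoft Graph") while the neighbouring bullets keep theirs.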
 
+2 / -0 lines changed
Commit: add image
Changes:
Before
After
* the SAML helper application registration as the resource
* the scope value of the concatenation of `api://'`, the SAML helper application's application ID, and `/.default`
 
If the agent has multiple agent identities, then permission inheritance can be used to grant consent once at the agent identity blueprint and inherit it for the agent identities.
 
Once these applications, users, role assignments, and grants are in place in the tenant, then an agent that needs a SAML assertion for authenticating to the enterprise application can:
 
 
* the SAML helper application registration as the resource
* the scope value of the concatenation of `api://'`, the SAML helper application's application ID, and `/.default`
 
:::image type="content" source="media/assign-agent-identities-to-applications/agent-saml.png" alt-text="Diagram of relationships between Microsoft Entra artifacts needed for SAML token issuance.":::
 
If the agent has multiple agent identities, then permission inheritance can be used to grant consent once at the agent identity blueprint and inherit it for the agent identities.
 
Once these applications, users, role assignments, and grants are in place in the tenant, then an agent that needs a SAML assertion for authenticating to the enterprise application can:
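Review bot: The context line just above the added image, "the concatenation of `api://'`, the SAML helper application's application ID, and `/.default`", has a stray apostrophe inside the code span; a reader copying it literally would build a scope value beginning `api://'`. Since this commit touches the section, change the code span to `api://`.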