MODIFIED docs/identity-platform/custom-extension-overview.md

Modified by Chris Werner on Nov 25, 2025 4:39 PM
📖 View on learn.microsoft.com

+0 / -21 lines changed

Commit: remove Woodgrove demo

Changes:

Before

After

 
The token issuance start event, **OnTokenIssuanceStart** is triggered when a token is about to be issued to an application. It is an event type set up within a [custom claims provider](custom-claims-provider-overview.md). The custom claims provider is a custom authentication extension that calls a REST API to fetch claims from external systems. A custom claims provider maps claims from external systems into tokens and can be assigned to one or many applications in your directory.
 
> [!TIP]
> [![Try it now](./media/common/try-it-now.png)](https://woodgrovedemo.com/#usecase=TokenAugmentation)
> 
> To try out this feature, go to the Woodgrove Groceries demo and start the “Add claims to security tokens from a REST API” use case.
 
### Attribute collection start 
 
[Attribute collection start](./custom-extension-attribute-collection.md) events can be used with custom authentication extensions to add logic before attributes are collected from a user. The **OnAttributeCollectionStart** event occurs at the beginning of the attribute collection step, before the attribute collection page renders. It lets you add actions such as prefilling values and displaying a blocking error. 
 
> [!TIP]
> [![Try it now](./media/common/try-it-now.png)](https://woodgrovedemo.com/#usecase=PreAttributeCollection)
> 
> To try out this feature, go to the Woodgrove Groceries demo and start the “[Prepopulate sign-up attributes](https://woodgrovedemo.com/#usecase=PreAttributeCollection)” use case.
 
### Attribute collection submit
 
[Attribute collection submit](./custom-extension-attribute-collection.md) events can be used with custom authentication extensions to add logic after attributes are collected from a user. The **OnAttributeCollectionSubmit** event triggers after the user enters and submits attributes, allowing you to add actions like validating entries or modifying attributes.

 
The token issuance start event, **OnTokenIssuanceStart** is triggered when a token is about to be issued to an application. It is an event type set up within a [custom claims provider](custom-claims-provider-overview.md). The custom claims provider is a custom authentication extension that calls a REST API to fetch claims from external systems. A custom claims provider maps claims from external systems into tokens and can be assigned to one or many applications in your directory.
 
### Attribute collection start 
 
[Attribute collection start](./custom-extension-attribute-collection.md) events can be used with custom authentication extensions to add logic before attributes are collected from a user. The **OnAttributeCollectionStart** event occurs at the beginning of the attribute collection step, before the attribute collection page renders. It lets you add actions such as prefilling values and displaying a blocking error. 
 
### Attribute collection submit
 
[Attribute collection submit](./custom-extension-attribute-collection.md) events can be used with custom authentication extensions to add logic after attributes are collected from a user. The **OnAttributeCollectionSubmit** event triggers after the user enters and submits attributes, allowing you to add actions like validating entries or modifying attributes.
 
### One time passcode send
 
The **OnOtpSend** event is triggered when a one time passcode email is activated. It allows you to [call a REST API to use your own email provider](./custom-extension-email-otp-get-started.md). This event can be used to send customized emails to users who sign up with email address, sign in with email one-time passcode (Email OTP), reset their password using Email OTP, or use Email OTP for multifactor authentication (MFA).
 
When the **OnOtpSend** event is activated, Microsoft Entra sends a one-time passcode to the specified REST API you own. The REST API then uses your chosen email provider, such as Azure Communication Service or SendGrid, to send the one-time passcode with your custom email template, from address, and email subject, while also supporting localization.
 
## Related content
 
- Learn more about [custom claims providers](custom-claims-provider-overview.md)

MODIFIED docs/agent-id/identity-professional/agent-access-packages.md

Modified by Mark Wahl on Nov 25, 2025 8:40 PM
📖 View on learn.microsoft.com

+9 / -4 lines changed

Commit: terminology

Changes:

Before

After

 
# Access packages for Agent identities in Microsoft Entra ID
 
Microsoft Entra entitlement management provides access packages as a governance mechanism. Access packages ensure that agent access assignments are intentional, auditable, and time-bound. Access packages represent a structured approach to managing agent identity permissions, contrasting with ad-hoc permission assignments that might lack appropriate governance controls. Access packages enable standardized access for many AI Agents with the same access needs, for example, a fleet of customer support AI Agents. Through access packages, organizations can establish consistent governance practices for all agent identity resource access.
 
## Access request and approval process
 
To use access packages, IT admin configures an access package with the required policy settings. These settings define who can get access, who can request access, approvals, access expiration, and extension. Agents can be assigned access packages through three different request pathways. 
 
- The agent identity itself can programmatically request an access package when needed for its operations.
- The agent's sponsor can request access on behalf of the agent ID, providing human oversight in the access request process.
- An administrator can assign the agent identity or agent user to the access package.
 
After submission, the access request is routed to designated approvers based on the access package configuration.

 
# Access packages for Agent identities in Microsoft Entra ID
 
Microsoft Entra entitlement management provides access packages as a governance mechanism. Access packages ensure that agent access assignments are intentional, auditable, and time-bound. Access packages represent a structured approach to managing agent identity permissions, contrasting with ad-hoc permission assignments that might lack appropriate governance controls. Access packages enable standardized access for many AI Agents with the same access needs, for example, a fleet of customer support AI Agents. Through access packages, organizations can establish consistent governance practices for all agent identity resource access. For more information, see [Governing agent identities](/entra/id-governance/agent-id-governance-overview).
 
## Access request and approval process
 
To use access packages, IT admin configures an access package with the required policy settings. These settings define who can get access, who can request access, approvals, access expiration, and extension.  When creating an access package assignment policy, in the **Who can get access** section, select **For users, service principals, and agent identities in your directory**, and then select the option of **All agents (preview)**.
 
> [!NOTE]
> If your agents are not using Microsoft Entra agent IDs, then also create an access package assignment policy with the option **All Service principals (preview)** to allow service principals in your directory to be able to request this access package.
 
Agents can then be assigned access packages through three different request pathways.
 
- The agent identity itself can programmatically request an access package when needed for its operations, by creating an [accessPackageAssignmentRequest](/graph/api/entitlementmanagement-post-assignmentrequests?view=graph-rest-1.0&tabs=http).
- The agent's sponsor can request access on behalf of the agent ID, providing human oversight in the access request process. For more information, see [Request an access package on behalf of an agent identity (Preview)](/entra/id-governance/entitlement-management-request-behalf#request-an-access-package-on-behalf-of-an-agent-identity-preview).
- An administrator can assign the agent identity or agent user to the access package.
 
After submission, the access request is routed to designated approvers based on the access package configuration.

MODIFIED docs/id-governance/entitlement-management-catalog-create.md

Modified by Ortagus Winfrey on Nov 25, 2025 10:41 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Updates

Changes:

Before

After

 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
1. Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to remove resources from.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog owner.
1. Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to add administrators to.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog creator.
1. Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to edit.

 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
1. Browse to **ID Governance** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to remove resources from.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog owner.
1. Browse to **ID Governance** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to add administrators to.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog creator.
1. Browse to **ID Governance** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to edit.

MODIFIED docs/id-governance/entitlement-management-delegate-managers.md

Modified by Ortagus Winfrey on Nov 25, 2025 10:41 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Updates

Changes:

Before

After

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog owner.    
1. Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to add administrators to.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog owner.
1. Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to add administrators to.
 

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog owner.    
1. Browse to **ID Governance** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to add administrators to.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog owner.
1. Browse to **ID Governance** > **Catalogs**.
 
1. On the Catalogs page, open the catalog you want to add administrators to.
 

MODIFIED docs/id-governance/custom-data-resource-access-reviews.md

Modified by Ortagus Winfrey on Nov 25, 2025 10:35 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Updates

Changes:

Before

After

Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog creator. Users who were assigned to the User Administrator role will no longer be able to create catalogs or manage access packages in a catalog they don't own. If users in your organization were assigned to the User Administrator role to configure catalogs, access packages, or policies in entitlement management, you should instead assign these users the Identity Governance Administrator role.
Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
Select **New catalog**.
 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
On the Catalogs page, open the catalog you created in the previous section.

Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog creator. Users who were assigned to the User Administrator role will no longer be able to create catalogs or manage access packages in a catalog they don't own. If users in your organization were assigned to the User Administrator role to configure catalogs, access packages, or policies in entitlement management, you should instead assign these users the Identity Governance Administrator role.
Browse to **ID Governance** > **Catalogs**.
 
Select **New catalog**.
 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
Browse to **ID Governance** > **Catalogs**.
 
On the Catalogs page, open the catalog you created in the previous section.

MODIFIED docs/agent-id/identity-professional/security-for-ai.md

Modified by Mark Wahl on Nov 25, 2025 8:40 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: terminology

Changes:

Before

After

 
## Agent sprawl
 
Agent proliferation creates a governance challenge termed "agent sprawl"—the uncontrolled expansion of agents across an organization without adequate visibility, management, or governance controls.
 
### How agent sprawl develops
 
    - Agent registry: Provides centralized metadata management, secure agent discovery, and automatic organization into security collections
 
- Govern agent identities and lifecycle
    - Identity governance for agent identities: Lifecycle management, access reviews, and compliance reporting for agent identities
 
- Protect agent access to resources 
    - Global Secure Access for agent identities: Network-level security and zero-trust access for agent communications

 
## Agent sprawl
 
Agent proliferation creates a governance challenge termed "agent sprawl"—the uncontrolled expansion of agents across an organization without adequate visibility, management, or lifecycle controls.
 
### How agent sprawl develops
 
    - Agent registry: Provides centralized metadata management, secure agent discovery, and automatic organization into security collections
 
- Govern agent identities and lifecycle
    - Identity governance for agent identities: Lifecycle management, access assignment, and compliance reporting for agent identities
 
- Protect agent access to resources 
    - Global Secure Access for agent identities: Network-level security and zero-trust access for agent communications

MODIFIED docs/identity/app-provisioning/on-premises-ldap-connector-prepare-directory.md

Modified by Mark Wahl on Nov 25, 2025 6:55 PM
📖 View on learn.microsoft.com

+3 / -1 lines changed

Commit: remove space in pathname

Changes:

Before

After

### Grant the NETWORK SERVICE read permissions to the SSL certificate
In order to enable SSL to work, you need to grant the NETWORK SERVICE read permissions to our newly created certificate. To grant permissions, use the following steps.
 
 1. Navigate to **C:\Program Data\Microsoft\Crypto\Keys**.
 2. Right-select on the system file located here. It will be a guid. This container is storing our certificate.
 3. Select properties.
 4. At the top, select the **Security** tab.
 9. Select **Ok**.
 10. Ensure the Network service account has read and read & execute permissions and select **Apply** and **OK**.
 
### Verify SSL connectivity with AD LDS
Now that we have configured the certificate and granted the network service account permissions, test the connectivity to verify that it's working.
 1. Open Server Manager and select AD LDS.
 
 

### Grant the NETWORK SERVICE read permissions to the SSL certificate
In order to enable SSL to work, you need to grant the NETWORK SERVICE read permissions to our newly created certificate. To grant permissions, use the following steps.
 
 1. Navigate to **C:\ProgramData\Microsoft\Crypto\Keys**.
 2. Right-select on the system file located here. It will be a guid. This container is storing our certificate.
 3. Select properties.
 4. At the top, select the **Security** tab.
 9. Select **Ok**.
 10. Ensure the Network service account has read and read & execute permissions and select **Apply** and **OK**.
 
For more information, see [Configuring LDAP over SSL Requirements for AD LDS](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725767(v=ws.10)).
 
### Verify SSL connectivity with AD LDS
Now that we have configured the certificate and granted the network service account permissions, test the connectivity to verify that it's working.
 1. Open Server Manager and select AD LDS.

MODIFIED docs/global-secure-access/reference-macos-client-release-history.md

Modified by Jay on Nov 25, 2025 5:16 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Update macOS client release notes to publish

Changes:

Before

After

description: Track the latest updates and bug fixes for the Global Secure Access client for macOS. Stay informed about version changes and download instructions.
ms.service: global-secure-access
ms.topic: reference
ms.date: 11/03/2025
ms.author: jayrusso
author: HULKsmashGithub
manager: dougeby
:::image type="content" source="media/reference-macos-client-release-history/macos-client-download-screen.png" alt-text="Screenshot of the Client download screen with the Download Client button highlighted.":::
 
## Version 1.1.25090800
Released for download on November 04, 2025.
### Other changes
- Bug fix: Better recovery of the connection to the Global Secure Access cloud service when a device switches between networks.
- Bug fix: Mutual Transport Layer Security (mTLS) connections to the Global Secure Access cloud service use the correct certificate after renewal.

description: Track the latest updates and bug fixes for the Global Secure Access client for macOS. Stay informed about version changes and download instructions.
ms.service: global-secure-access
ms.topic: reference
ms.date: 11/25/2025
ms.author: jayrusso
author: HULKsmashGithub
manager: dougeby
:::image type="content" source="media/reference-macos-client-release-history/macos-client-download-screen.png" alt-text="Screenshot of the Client download screen with the Download Client button highlighted.":::
 
## Version 1.1.25090800
Released for download on November 24, 2025.
### Other changes
- Bug fix: Better recovery of the connection to the Global Secure Access cloud service when a device switches between networks.
- Bug fix: Mutual Transport Layer Security (mTLS) connections to the Global Secure Access cloud service use the correct certificate after renewal.

MODIFIED docs/id-governance/entitlement-management-delegate.md

Modified by Ortagus Winfrey on Nov 25, 2025 10:41 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Updates

Changes:

Before

After

 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](~/identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
Change the filter setting for **Enabled for external users** to **Yes**.

 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](~/identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
Browse to **ID Governance** > **Catalogs**.
 
Change the filter setting for **Enabled for external users** to **Yes**.

MODIFIED docs/id-governance/entitlement-management-dynamic-approval.md

Modified by Ortagus Winfrey on Nov 25, 2025 10:41 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Updates

Changes:

Before

After

 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Catalog owner](../id-governance/entitlement-management-delegate.md#entitlement-management-roles) of the catalog where the custom extension will be located.
 
Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
 
On the Catalogs overview page, select an existing catalog where your custom extension will be located, or create a new catalog.

 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Catalog owner](../id-governance/entitlement-management-delegate.md#entitlement-management-roles) of the catalog where the custom extension will be located.
 
Browse to **ID Governance** > **Catalogs**.
 
On the Catalogs overview page, select an existing catalog where your custom extension will be located, or create a new catalog.

MODIFIED docs/id-governance/custom-extension-security.md

Modified by Ortagus Winfrey on Nov 25, 2025 10:38 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Updates

Changes:

Before

After

 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
Browse to **ID Governance** > **Entitlement management** > **Catalogs**. 
 
Select the catalog with the custom extension you want to update.

 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
Browse to **ID Governance** > **Catalogs**. 
 
Select the catalog with the custom extension you want to update.

MODIFIED docs/architecture/deployment-scenario-remote-access.md

Modified by Ortagus Winfrey on Nov 25, 2025 10:34 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: updates

Changes:

Before

After

Follow these steps to create an Entitlement management catalog:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](/entra/identity/role-based-access-control/permissions-reference#identity-governance-administrator).
1. Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
1. Select **+New catalog**.
 
   :::image type="content" source="media/deployment-scenario-remote-access/identity-governance-catalogs-inline.png" alt-text="Screenshot of New access review, Enterprise applications, All applications, Identity Governance, New catalog." lightbox="media/deployment-scenario-remote-access/identity-governance-catalogs-expanded.png":::

Follow these steps to create an Entitlement management catalog:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](/entra/identity/role-based-access-control/permissions-reference#identity-governance-administrator).
1. Browse to **ID Governance** > **Catalogs**.
1. Select **+New catalog**.
 
   :::image type="content" source="media/deployment-scenario-remote-access/identity-governance-catalogs-inline.png" alt-text="Screenshot of New access review, Enterprise applications, All applications, Identity Governance, New catalog." lightbox="media/deployment-scenario-remote-access/identity-governance-catalogs-expanded.png":::

MODIFIED docs/architecture/deployment-scenario-workforce-guest.md

Modified by Ortagus Winfrey on Nov 25, 2025 10:34 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: updates

Changes:

Before

After

Follow these steps to create an Entitlement management catalog for the scenario.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](/entra/identity/role-based-access-control/permissions-reference#identity-governance-administrator).
1. Browse to **ID Governance** > **Entitlement management** > **Catalogs**.
1. Select **+New catalog**.
 
   :::image type="content" source="media/deployment-scenario-workforce-guest/identity-governance-catalogs-inline.png" alt-text="Screenshot of New access review, Enterprise applications, All applications, Identity Governance, New catalog." lightbox="media/deployment-scenario-workforce-guest/identity-governance-catalogs-expanded.png":::

Follow these steps to create an Entitlement management catalog for the scenario.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](/entra/identity/role-based-access-control/permissions-reference#identity-governance-administrator).
1. Browse to **ID Governance** > **Catalogs**.
1. Select **+New catalog**.
 
   :::image type="content" source="media/deployment-scenario-workforce-guest/identity-governance-catalogs-inline.png" alt-text="Screenshot of New access review, Enterprise applications, All applications, Identity Governance, New catalog." lightbox="media/deployment-scenario-workforce-guest/identity-governance-catalogs-expanded.png":::

MODIFIED docs/identity-platform/v2-oauth2-on-behalf-of-flow.md

Modified by Celeste de Guzman on Nov 25, 2025 10:06 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Change access token value to placeholder

Changes:

Before

After

    "scope": "https://graph.microsoft.com/user.read",
    "expires_in": 3269,
    "ext_expires_in": 0,
    "access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCbmZpRy1tQTZOVGFlN0NkV1c3UWZkQ0NDYy0tY0hGa18wZE50MVEtc2loVzRMd2RwQVZISGpnTVdQZ0tQeVJIaGlDbUN2NkdyMEpmYmRfY1RmMUFxU21TcFJkVXVydVJqX3Nqd0JoN211eHlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiejAzOXpkc0Z1aXpwQmZCVksxVG4yNVFIWU8wIiwia2lkIjoiejAzOXpkc0Z1aXpwQmZCVksxVG4yNVFIWU8wIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDcvIiwiaWF0IjoxNDkzOTMwMzA1LCJuYmYiOjE0OTM5MzAzMDUsImV4cCI6MTQ5MzkzMzg3NSwiYWNyIjoiMCIsImFpbyI6IkFTUUEyLzhEQUFBQU9KYnFFWlRNTnEyZFcxYXpKN1RZMDlYeDdOT29EMkJEUlRWMXJ3b2ZRc1k9IiwiYW1yIjpbInB3ZCJdLCJhcHBfZGlzcGxheW5hbWUiOiJUb2RvRG90bmV0T2JvIiwiYXBwaWQiOiIyODQ2ZjcxYi1hN2E0LTQ5ODctYmFiMy03NjAwMzViMmYzODkiLCJhcHBpZGFjciI6IjEiLCJmYW1pbHlfbmFtZSI6IkNhbnVtYWxsYSIsImdpdmVuX25hbWUiOiJOYXZ5YSIsImlwYWRkciI6IjE2Ny4yMjAuMC4xOTkiLCJuYW1lIjoiTmF2eWEgQ2FudW1hbGxhIiwib2lkIjoiZDVlOTc5YzctM2QyZC00MmFmLThmMzAtNzI3ZGQ0YzJkMzgzIiwib25wcmVtX3NpZCI6IlMtMS01LTIxLTIxMjc1MjExODQtMTYwNDAxMjkyMC0xODg3OTI3NTI3LTI2MTE4NDg0IiwicGxhdGYiOiIxNCIsInB1aWQiOiIxMDAzM0ZGRkEwNkQxN0M5Iiwic2NwIjoiVXNlci5SZWFkIiwic3ViIjoibWtMMHBiLXlpMXQ1ckRGd2JTZ1JvTWxrZE52b3UzSjNWNm84UFE3alVCRSIsInRpZCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsInVuaXF1ZV9uYW1lIjoibmFjYW51bWFAbWljcm9zb2Z0LmNvbSIsInVwbiI6Im5hY2FudW1hQG1pY3Jvc29mdC5jb20iLCJ1dGkiOiJWR1ItdmtEZlBFQ2M1dWFDaENRSkFBIiwidmVyIjoiMS4wIn0.cubh1L2VtruiiwF8ut1m9uNBmnUJeYx4x0G30F7CqSpzHj1Sv5DCgNZXyUz3pEiz77G8IfOF0_U5A_02k-xzwdYvtJUYGH3bFISzdqymiEGmdfCIRKl9KMeoo2llGv0ScCniIhr2U1yxTIkIpp092xcdaDt-2_2q_ql1Ha_HtjvTV1f9XR3t7_Id9bR5BqwVX5zPO7JMYDVhUZRx08eqZcC-F3wi0xd_5ND_mavMuxe2wrpF-EZviO3yg0QVRr59tE3AoWl8lSGpVc97vvRCnp4WVRk26jJhYXFPsdk4yWqOKZqzr3IFGyD08WizD_vPSrXcCPbZP3XWaoTUKZSNJg",
    "refresh_token": "OAQABAAAAAABnfiG-mA6NTae7CdWW7QfdAALzDWjw6qSn4GUDfxWzJDZ6lk9qRw4An{a lot of characters here}"
}
```

    "scope": "https://graph.microsoft.com/user.read",
    "expires_in": 3269,
    "ext_expires_in": 0,
    "access_token": "eyJhbGciO...",
    "refresh_token": "OAQABAAAAAABnfiG-mA6NTae7CdWW7QfdAALzDWjw6qSn4GUDfxWzJDZ6lk9qRw4An{a lot of characters here}"
}
```

MODIFIED docs/agent-id/identity-professional/microsoft-entra-agent-identities-for-ai-agents.md

Modified by Mark Wahl on Nov 25, 2025 8:40 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: terminology

Changes:

Before

After

- Ensure sponsors and owners are assigned and maintained for each agent ID, preventing orphaned agent IDs.
- Enforce that agent access to resources is intentional, auditable, and time-bound through access packages.
 
For more information, see [identity governance for agents](/entra/id-governance/agent-id-governance-overview)
 
## Identity protection for agents

- Ensure sponsors and owners are assigned and maintained for each agent ID, preventing orphaned agent IDs.
- Enforce that agent access to resources is intentional, auditable, and time-bound through access packages.
 
For more information, see [identity governance for agents](/entra/id-governance/agent-id-governance-overview).
 
## Identity protection for agents

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files

🗑️ Deleted Documentation Files