📋 Microsoft Entra Documentation Changes

Daily summary for changes since November 30th 2025, 7:24 PM PST

Report generated on December 1st 2025, 7:24 PM PST

📊 Summary

- Total Commits: 35
- New Files: 3
- Modified Files: 20
- Deleted Files: 4
- Contributors: 11

🆕 New Documentation Files

+83 lines added
Commit: add-back-add-notes
+71 lines added
Commit: add-back-add-notes
+64 lines added
Commit: add-back-add-notes

📝 Modified Documentation Files

Modified by shlipsey3 on Dec 1, 2025 6:05 PM
📖 View on learn.microsoft.com
+30 / -3 lines changed
Commit: add-back-add-notes
Changes:
Before
After
author: shlipsey3
ms.author: sarahlipsey
manager: pmwongera
ms.date: 09/22/2025
ms.update-cycle: 180-days
ms.topic: overview
ms.service: entra
 
| Attribute | Description |
|---------------------|------------ |
| Identity | A unique agent identity is created when the agent is turned on. Learn more about [agent identities]().<br><br>The agent uses this identity to scan your tenant for active access reviews, gather additional insights, and save its recommendations and justifications for the reviewer. For more information, see: [How it works](access-review-agent.md#how-it-works).<br><br>Final decisions, submitted through the Microsoft Teams conversation, use the reviewer's identity. |
| Licenses | [Microsoft Entra ID Governance or Microsoft Entra Suite](../id-governance/licensing-fundamentals.md) |
| Permissions | Get details for access reviews<br>Read details and lifecycle workflow history for users, groups, apps, and access packages. Save access review recommendations and justifications |
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
| Role-based access | Both [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator) and [Lifecycle Workflows Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator) are required to configure and use the agent |
| Trigger | Runs every 24 hours or triggered manually |
 
### Conditional Access Optimization Agent
 
The [Conditional Access Optimization Agent](./conditional-access-agent-optimization.md) ensures comprehensive user protection by analyzing your Conditional Access policies and recommending improvements. The agent evaluates your current policy configuration against Microsoft best practices and Zero Trust principles.
author: shlipsey3
ms.author: sarahlipsey
manager: pmwongera
ms.date: 12/01/2025
ms.update-cycle: 180-days
ms.topic: overview
ms.service: entra
 
| Attribute | Description |
|---------------------|------------ |
| Identity | Uses [Microsoft Entra Agent ID](../agent-id/identity-professional/authorization-agent-id.md) for authorization. A unique agent identity is created when the agent is turned on. Learn more about [agent identities]().<br><br>The agent uses this identity to scan your tenant for active access reviews, gather additional insights, and save its recommendations and justifications for the reviewer. For more information, see: [How it works](access-review-agent.md#how-it-works).<br><br>Final decisions, submitted through the Microsoft Teams conversation, use the reviewer's identity. |
| Licenses | [Microsoft Entra ID Governance or Microsoft Entra Suite](../id-governance/licensing-fundamentals.md) |
| Permissions | Get details for access reviews<br>Read details and lifecycle workflow history for users, groups, apps, and access packages. Save access review recommendations and justifications |
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
| Role-based access | Both [Identity Governance Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator) and [Lifecycle Workflows Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator) are required to configure and use the agent |
| Trigger | Runs every 24 hours or triggered manually |
 
### Application Lifecycle Management Agent (Preview)
 
Identify, onboard, and monitor applications in your environment with the Application Lifecycle Management Agent. This agent uses application discovery capabilities of Microsoft Entra Internet Access and Microsoft Entra Private Access to find unmanaged applications, recommend onboarding actions, and monitor application security posture over time. This agent is currently being deployed and might not be available in all tenants.
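
Review bot: In the Identity row of the After table, `[agent identities]()` still has an empty link target, so the row now pairs the new Microsoft Entra Agent ID link with a dead one; fill in the target or drop the sentence. In the Role-based access row, the Identity Governance Administrator and Lifecycle Workflows Administrator links both end in `#security-administrator`, which matches neither role name. Each should point to its own anchor in permissions-reference.md, since readers use this row to decide which roles to grant.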
+15 / -8 lines changed
Commit: update Graph references
Changes:
Before
After
1. Select **Create**.
 
 
## Get Access Review Object and Instance ID
 
After creating the catalog access review, but before uploading your custom data, you must get both the Access Review object ID, and the Access Review instance object ID. To get this information, you'd do the following:
## Applying stage
 
 
In the **Applying** stage, you manually get a list of denied users by making the following API call:
 
``` http
GET /identityGovernance/accessReviews/definitions/{access review object ID}/instances/{access review instance object ID}/decisions?$filter=(decision eq β€˜Deny’ and resourceId eq β€˜<custom data provided resource ID>’)
```
 
For each decision item:
 
Remove access from your own system and Patch each decision item to indicate success or failure for removal by making the following API call:
 
``` http
1. Select **Create**.
 
 
You can also create an access review programmatically using Microsoft Graph. For more information, see [Create a single stage access review on a catalog](graph/api/accessreviewset-post-definitions?view=graph-rest-beta&tabs=http#example-6-create-a-single-stage-access-review-on-a-catalog).
 
## Get Access Review Object and Instance ID
 
After creating the catalog access review, but before uploading your custom data, you must get both the Access Review object ID, and the Access Review instance object ID. To get this information, you'd do the following:
## Applying stage
 
 
In the **Applying** stage, you can get a list of denied users by making the [list decisions](/graph/api/accessreviewinstance-list-decisions?view=graph-rest-beta&tabs=http) API call:
 
``` http
GET https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions/{access review object ID}/instances/{access review instance object ID}/decisions?$filter=(decision eq 'Deny' and resourceId eq '<custom data provided resource ID>')
```
 
For each decision item:
 
Remove access from your own system and then patch each decision item to indicate success or failure for removal by making the [update accessReviewInstanceDecisionItem](/graph/api/accessreviewinstancedecisionitem-update?view=graph-rest-beta&tabs=http) API call:
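
Review bot: The link added on the "You can also create an access review programmatically" line uses `graph/api/accessreviewset-post-definitions?...` with no leading slash, while the two other links added in this change use `/graph/api/...`; without the slash it resolves relative to the current article and is likely to break. The GET example now targets the `beta` endpoint explicitly and will be copied into scripts, so it would also help to state next to it which permission the caller needs to list and patch decisions.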
+13 / -3 lines changed
Commit: add links to inheritance, builder platforms, list of roles
Changes:
Before
After
 
## Agent identities basics
 
[Microsoft Entra Agent ID](../agent-id/identity-platform/what-is-agent-id.md) includes four new types of object: agent identity blueprint, agent identity blueprint principal, agent identity, and agent user. The agent identity, and optionally the agent user, allows AI agents to take on digital identities within Microsoft Entra. Once a digital identity is established, these agent identities are able to be governed using lifecycle and access features. Sponsors can be assigned to agent identities after creation. Sponsors of agent identities are human users accountable for making decisions about its lifecycle and access. For more information about the role of a sponsor of agent identities, see: [Administrative relationships for agent IDs](../agent-id/identity-platform/agent-owners-sponsors-managers.md).
 
## Assigning access to agent identities
 
Agent identities can have resources assigned to them directly via access packages. Resource assignments allow agent identities to request an access package for themselves, or have their owner or sponsor request one on their behalf. With access packages, you're able to assign agent identities the following resources:
 
- Security Groups
- [Application roles and API permissions](../identity/enterprise-apps/assign-agent-identities-to-applications.md), including Graph permissions
- Microsoft Entra roles
 
To use access packages for agent identities, configure an access package with the required policy settings. When creating an access package assignment policy, in the **Who can get access** section, select **For users, service principals, and agent identities in your directory**, and then select the option of **All agents (preview)**.
 
> [!NOTE]
> If your agents aren't using Microsoft Entra agent IDs, then also create an access package assignment policy with the option **All Service principals (preview)** to allow service principals in your directory to be able to request this access package.
 
For a guide on creating an access package, see: [Create an access package in entitlement management](entitlement-management-access-package-create.md). For a guide on assigning identities to an existing access package, see: [View, add, and remove assignments for an access package in entitlement management](entitlement-management-access-package-assignments.md).
 
 
## Agent identities basics
 
[Microsoft Entra Agent ID](../agent-id/identity-platform/what-is-agent-id.md) includes four new types of object: agent identity blueprint, agent identity blueprint principal, agent identity, and agent user. These can be created in [Microsoft Foundry](/azure/ai-foundry/agents/concepts/agent-identity), [Microsoft Copilot Studio](/microsoft-copilot-studio/admin-use-entra-agent-identities), or other platforms. The agent identity, and optionally the agent user, allows AI agents to take on digital identities within Microsoft Entra. Once a digital identity is established, these agent identities are able to be governed using lifecycle and access features. Sponsors can be assigned to agent identities after creation. Sponsors of agent identities are human users accountable for making decisions about its lifecycle and access. For more information about the role of a sponsor of agent identities, see: [Administrative relationships for agent IDs](../agent-id/identity-platform/agent-owners-sponsors-managers.md).
 
## Assigning access to agent identities
 
When created, agent identities have limited permissions, such as OAuth 2 delegated permission scopes [inherited from their parent agent identity blueprint](../agent-id/identity-professional/configure-inheritable-permissions-blueprints.md). In addition, agent identities can have resources assigned to them directly via access packages. Resource assignments allow agent identities to request an access package for themselves, or have their owner or sponsor request one on their behalf. With access packages, you're able to assign agent identities the following resources:
 
- Security Groups
- [Application roles and API permissions](../identity/enterprise-apps/assign-agent-identities-to-applications.md), including Graph permissions
- [Microsoft Entra roles](../agent-id/identity-professional/authorization-agent-id.md#role-assignments-for-agent-identities)
 
To use access packages for agent identities, configure an access package with the required policy settings. When creating an access package assignment policy, in the **Who can get access** section, select **For users, service principals, and agent identities in your directory**, and then select the option of **All agents (preview)**.
 
> [!NOTE]
> If your agents aren't using Microsoft Entra agent IDs, then also create an access package assignment policy with the option **All Service principals (preview)** to allow service principals in your directory to be able to request this access package.
 
Agents can then be assigned access packages through three different request pathways.
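
Review bot: The two links added under "Assigning access to agent identities" point into `../agent-id/identity-professional/`, while the existing links in the same article use `../agent-id/identity-platform/`; confirm that both directories exist and that the `#role-assignments-for-agent-identities` anchor resolves. The new opening sentence says agent identities start with delegated scopes inherited from the blueprint, so it is worth adding one sentence on whether those inherited scopes are governed through access packages or only on the blueprint.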
 
+10 / -1 lines changed
Commit: add links to AR BYO to app integration articles
Changes:
Before
After
 
# Govern an application's existing users - Microsoft PowerShell
 
There are three common scenarios in which it's necessary to populate Microsoft Entra ID with existing users of an application before you use the application with a Microsoft Entra ID Governance feature such as [access reviews](access-reviews-application-preparation.md).
 
## License requirements
[!INCLUDE [active-directory-entra-governance-license.md](~/includes/entra-entra-governance-license.md)]
 
That scenario of an application which does not support provisioning protocols, is covered in a separate article, [Govern the existing users of an application that does not support provisioning](identity-governance-applications-not-provisioned-users.md).
 
## Terminology
 
This article illustrates the process for managing application role assignments by using the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph). It uses the following Microsoft Graph terminology.
 
 
 
 
 
 
 
 
# Govern an application's existing users - Microsoft PowerShell
 
There are four common scenarios in which it's necessary to populate Microsoft Entra ID with existing access rights and users of an application before you use the application with a Microsoft Entra ID Governance feature such as [access reviews](access-reviews-application-preparation.md).
 
## License requirements
[!INCLUDE [active-directory-entra-governance-license.md](~/includes/entra-entra-governance-license.md)]
 
That scenario of an application which does not support provisioning protocols, is covered in a separate article, [Govern the existing users of an application that does not support provisioning](identity-governance-applications-not-provisioned-users.md).
 
### Application uses Microsoft Entra ID as its identity provider and has additional access rights for users
 
Using custom data provided resources, you can include access rights from applications in Microsoft Entra ID access reviews by uploading their access data directly into a catalog.
 
You can then run user Access Reviews (UARs) across both Microsoft Entra-connected resources and those access rights. Reviewers can easily review and certify users’ access in the My Access portal, helping ensure consistent governance, improved visibility, and compliance across all resources whether or not they’re connected to Microsoft Entra.
 
This scenario is covered in a separate article, [include custom data provided resource in the catalog for catalog user Access Reviews (Preview)](custom-data-resource-access-reviews.md).
 
 
## Terminology
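
Review bot: The added section introduces the abbreviation "UARs" and capitalizes "user Access Reviews", but the abbreviation is not used again in the visible text and the intro paragraph writes "access reviews" in lower case; drop the abbreviation and match the casing. The link text "include custom data provided resource in the catalog..." should start with a capital, as the link to the not-provisioned-users article above it does.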
+9 / -0 lines changed
Commit: Document Global Secure Access Government Cloud limitations
Changes:
Before
After
## B2B guest access (preview) limitations
<a name="b2b-guest-access-limitations"></a>
- The Global Secure Access client doesn't support multi-session Azure Virtual Desktop.
 
 
 
 
 
 
 
 
 
## B2B guest access (preview) limitations
<a name="b2b-guest-access-limitations"></a>
- The Global Secure Access client doesn't support multi-session Azure Virtual Desktop.
 
## Global Secure Access In Government Cloud limitations
Global Secure Access is not available in the US Government community cloud High (GCC-H), Department of Defense cloud and other Govt/Sovereign cloud environments.
 
For usage in US Government community (GCC) cloud, known limitations/disclaimers include:
 
- Non Federal Information Processing Standard (FIPS) 140-2 certified: Note that while the GSA service is FedRAMP High accredited, it is not yet FIPS 140-2 certified. Microsoft is actively working toward achieving FIPS accreditation/certification, and this process is currently underway. Customers should consider this status when evaluating compliance requirements. FIPS 140-2 is a US government standard that defines FedRAMP minimum security requirements for cryptographic modules in products and systems. For more information, see [Federal Information Processisng Standard (FIPS) 140](https://learn.microsoft.com/azure/compliance/offerings/offering-fips-140-2).
- Data Residency Requirements: Customers should carefully consider data residency requirements when evaluating the GSA solution for their needs. When using GSA, there is a possibility that your data (up to and including customer content) may be Transport Layer Security (TLS) terminated and processed outside the United States esp. in cases where the users access GSA while traveling outside of the USA and its territories. Additionally, data may also be TLS terminated and processed outside of the USA when GSA routes traffic through the nearest available edge location, which may be outside U.S. borders depending on several factors. Factors for TLS termination and processing outside the US may include but not limited to: user’s physical location, proximity to edge locations, network latency, service availability, performance considerations, customer configurations and so on. As an example, a user near a US border with a non-US country may connect to a non-U.S. edge, where data inspection and policy enforcement take place.
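
Review bot: In the FIPS bullet, "FIPS 140-2 is a US government standard that defines FedRAMP minimum security requirements for cryptographic modules" mixes two things: FIPS 140-2 is the standard for cryptographic modules and FedRAMP is a separate authorization program, so the sentence should not say that FIPS defines FedRAMP requirements. The same bullet has a typo in the link text ("Processisng") and uses an absolute `https://learn.microsoft.com/...` URL where the other changes in this report use site-relative links. "GSA" is also used without being defined as Global Secure Access, which in a US Government context is easy to misread as the General Services Administration.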
 
+6 / -3 lines changed
Commit: preview-notes
Changes:
Before
After
ms.service: entra-id-protection
 
ms.topic: concept-article
ms.date: 11/07/2025
 
author: shlipsey3
ms.author: sarahlipsey
manager: pmwongera
ms.reviewer: chuqiaoshi
---
# Identity Risk Management Agent
 
IT administrators and security analysts face mounting pressure to identify and respond to threats quickly while managing increasingly complex environments. They're often overwhelmed by the sheer volume of alerts, struggle to prioritize which risks need immediate attention, and find it difficult to connect scattered data points across their organization's systems. The Identity Risk Management Agent with Security Copilot in Microsoft Entra helps these professionals investigate potential risks, understand their effect, and take decisive action to protect their organization's critical assets.
 
## Prerequisites
 
 
 
 
ms.service: entra-id-protection
 
ms.topic: concept-article
ms.date: 12/01/2025
 
author: shlipsey3
ms.author: sarahlipsey
manager: pmwongera
ms.reviewer: chuqiaoshi
---
# Identity Risk Management Agent (Preview)
 
IT administrators and security analysts face mounting pressure to identify and respond to threats quickly while managing increasingly complex environments. They're often overwhelmed by the sheer volume of alerts, struggle to prioritize which risks need immediate attention, and find it difficult to connect scattered data points across their organization's systems. The Identity Risk Management Agent with Security Copilot in Microsoft Entra helps these professionals investigate potential risks, understand their effect, and take decisive action to protect their organization's critical assets.
 
> [!NOTE]
> The Identity Risk Management Agent is currently being deployed and in preview. This information relates to a prerelease product that might be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Prerequisites
 
Modified by Mark Wahl on Dec 1, 2025 5:14 PM
📖 View on learn.microsoft.com
+7 / -1 lines changed
Commit: add links to AR agent article from AR overview articles
Changes:
Before
After
| [Self-review your access](../id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| If you're assigned to an administrative role, approve or deny access to your role. |
| [Complete an access review](../id-governance/privileged-identity-management/pim-complete-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| View an access review and apply the results. |
 
## Use the Access Reviews API
 
To interact with and manage reviewable resources, see [Microsoft Graph API methods](/graph/api/resources/accessreviewsv2-overview) and [role and application permission authorization checks](/graph/api/resources/accessreviewsv2-overview). The access reviews methods in the Microsoft Graph API are available for both application and user contexts. When you run scripts in the application context, the account used to run the API (the service principle) must be granted the AccessReview.Read.All permission to query access reviews information.
| | Apply decision |
| Date range| Seven days |
 
For more advanced queries and analysis of access reviews, and to track changes and completion of reviews, export your Microsoft Entra audit logs to [Azure Monitor Log Analytics](../identity/monitoring-health/howto-archive-logs-to-storage-account.md) or Azure Event Hubs. When audit logs are stored in Log Analytics, you can use the [powerful analytics language](../identity/monitoring-health/howto-analyze-activity-logs-log-analytics.md) and build your own dashboards. For more information, see [Archive logs and reporting on entitlement management in Azure Monitor](entitlement-management-logs-and-reporting.md).
 
## Next steps
 
 
 
 
 
 
 
| [Self-review your access](../id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| If you're assigned to an administrative role, approve or deny access to your role. |
| [Complete an access review](../id-governance/privileged-identity-management/pim-complete-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| View an access review and apply the results. |
 
## Access Review Agent (Preview)
 
The Access Review Agent works for your reviewers by automatically gathering insights and generating recommendations. It then guides reviewers through the review process in Microsoft Teams with natural language, with simple summaries and proposed decisions, so they can make the final call with confidence and clarity. For more information, see [Access Review Agent](../security-copilot/access-review-agent.md).
 
## Use the Access Reviews API
 
To interact with and manage reviewable resources, see [Microsoft Graph API methods](/graph/api/resources/accessreviewsv2-overview) and [role and application permission authorization checks](/graph/api/resources/accessreviewsv2-overview). The access reviews methods in the Microsoft Graph API are available for both application and user contexts. When you run scripts in the application context, the account used to run the API (the service principle) must be granted the AccessReview.Read.All permission to query access reviews information.
| | Apply decision |
| Date range| Seven days |
 
You can also use Microsoft Security Copilot to query current and recent access reviews. For more information, see [validate access through access reviews](../security-copilot/entra-governance-optimization.md#validate-access-through-access-reviews).
 
For more advanced queries and analysis of access reviews, and to track changes and completion of reviews over time, export your Microsoft Entra audit logs to [Azure Monitor Log Analytics](../identity/monitoring-health/howto-archive-logs-to-storage-account.md) or Azure Event Hubs. When audit logs are stored in Log Analytics, you can use the [powerful analytics language](../identity/monitoring-health/howto-analyze-activity-logs-log-analytics.md) and build your own dashboards. For more information, see [Archive logs and reporting on entitlement management in Azure Monitor](entitlement-management-logs-and-reporting.md).
 
## Next steps
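
Review bot: The "Use the Access Reviews API" paragraph kept as context next to the new section still reads "the service principle"; it should be "service principal", and since that paragraph names the `AccessReview.Read.All` permission it is worth fixing in the same pass. The two links in its first sentence also point to the same `/graph/api/resources/accessreviewsv2-overview` target, so the second one does not lead to the authorization checks it names.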
 
Modified by Mark Wahl on Dec 1, 2025 5:36 PM
📖 View on learn.microsoft.com
+5 / -2 lines changed
Commit: expand
Changes:
Before
After
The Access Review Agent assists you in completing your pending access reviews by guiding you in Microsoft Teams with natural language, insights, and recommendations.
 
### Go directly to the Access Review Agent
1. Select the [Access Review Agent](https://teams.microsoft.com/l/app/b99caf01-1dd7-43cf-981a-0de444e783f3) link to open the agent
1. Select **Add** or **Open** to access the conversation with the Access Review Agent
1. Prompt the agent with **Help me with my access reviews** and the agent will assist you in completing your pending access reviews.
 
### Use email to go to the Access Review Agent
 
 
 
The Access Review Agent assists you in completing your pending access reviews by guiding you in Microsoft Teams with natural language, insights, and recommendations.
 
### Go directly to the Access Review Agent
 
If you are in the middle of reviews, you can go directly to the Access Review agent in Microsoft Teams.
 
1. Select the [Access Review Agent](https://teams.microsoft.com/l/app/b99caf01-1dd7-43cf-981a-0de444e783f3) link to open the agent.
1. Select **Add** or **Open** to access the conversation with the Access Review Agent.
1. Prompt the agent with **Help me with my access reviews** and the agent will assist you in completing your pending access reviews.
 
### Use email to go to the Access Review Agent
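
Review bot: The added intro sentence writes "Access Review agent" with a lower-case "agent", while every other mention in this section is "Access Review Agent"; match the casing.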
+3 / -3 lines changed
Commit: acrolinx
Changes:
Before
After
 
For more information on those first two scenarios, where the application supports provisioning, or uses an LDAP directory, SQL database, has a SOAP or REST API or relies upon Microsoft Entra ID as its identity provider, see the article [govern an application's existing users](identity-governance-applications-existing-users.md). That article covers how to use identity governance features for existing users of those categories of applications.
 
This article covers the third scenario. For some legacy applications it might not be feasible to remove other identity providers or local credential authentication from the application, or enable support for provisioning protocols for those applications. For those applications, if you want to use Microsoft Entra ID to review who has access to that application, or remove someone's access from that application, you'll need to create assignments in Microsoft Entra ID that represent application users. This article covers that scenario of an application that does not use Microsoft Entra ID as its identity provider and does not support provisioning.
 
For more information on the fourth scenario, see [include custom data provided resource in the catalog for catalog user Access Reviews (Preview)](custom-data-resource-access-reviews.md).
 
 
If your application has an LDAP directory or SQL database, then see [Collect existing users from an application](identity-governance-applications-existing-users.md#collect-existing-users-from-an-application) for recommendations on how to extract the user collection.
 
Otherwise, if the application does not have a directory or database, you will need to contact the owner of the application and have them supply a list of users. This could be in a format such as a CSV file, with one line per user. Ensure that one field of each user in the file contains a unique identifier, such as an email address, that is also present on users in Microsoft Entra ID.
 
If this system doesn't have the Microsoft Graph PowerShell cmdlets installed or doesn't have connectivity to Microsoft Entra ID, transfer the CSV file that contains the list of users to a system that has the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) installed.
 
 
## Configure entitlement management integration with ServiceNow for ticketing (optional)
 
If you have ServiceNow then you can optionally configure automated ServiceNow ticket creation, using the [entitlement management integration](entitlement-management-ticketed-provisioning.md) via Logic Apps. In that scenario, entitlement management can automatically create ServiceNow tickets for manual provisioning of users who have received access package assignments.
 
## Next steps
 
For more information on those first two scenarios, where the application supports provisioning, or uses an LDAP directory, SQL database, has a SOAP or REST API or relies upon Microsoft Entra ID as its identity provider, see the article [govern an application's existing users](identity-governance-applications-existing-users.md). That article covers how to use identity governance features for existing users of those categories of applications.
 
This article covers the third scenario. For some legacy applications, it might not be feasible to remove other identity providers or local credential authentication from the application, or enable support for provisioning protocols for those applications. For those applications, if you want to use Microsoft Entra ID to review who has access to that application, or remove someone's access from that application, you'll need to create assignments in Microsoft Entra ID that represent application users. This article covers that scenario of an application that does not use Microsoft Entra ID as its identity provider and does not support provisioning.
 
For more information on the fourth scenario, see [include custom data provided resource in the catalog for catalog user Access Reviews (Preview)](custom-data-resource-access-reviews.md).
 
 
If your application has an LDAP directory or SQL database, then see [Collect existing users from an application](identity-governance-applications-existing-users.md#collect-existing-users-from-an-application) for recommendations on how to extract the user collection.
 
Otherwise, if the application does not have a directory or database, you will need to contact the owner of the application and have them supply a list of users. This could be in a format such as a CSV file, with one line per user. Ensure that one field of each user in the file contains a unique identifier, such as an email address, that is also present on users in Microsoft Entra ID.
 
If this system doesn't have the Microsoft Graph PowerShell cmdlets installed or doesn't have connectivity to Microsoft Entra ID, transfer the CSV file that contains the list of users to a system that has the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) installed.
 
 
## Configure entitlement management integration with ServiceNow for ticketing (optional)
 
If you have ServiceNow, then you can optionally configure automated ServiceNow ticket creation, using the [entitlement management integration](entitlement-management-ticketed-provisioning.md) via Logic Apps. In that scenario, entitlement management can automatically create ServiceNow tickets for manual provisioning of users who have received access package assignments.
 
## Next steps
Modified by shlipsey3 on Dec 1, 2025 6:05 PM
📖 View on learn.microsoft.com
+4 / -1 lines changed
Commit: add-back-add-notes
Changes:
Before
After
 
Knowing which users are at risk and *why* they're at risk is a key responsibility of security and identity administrators. The Risky user report in Microsoft Entra ID Protection provides the full report, along with a risk data summary, and an activity timeline.
 
This article provides an overview of the information and actions available in the Risky user report.
 
## Prerequisites
- Microsoft Entra ID Free, Microsoft Entra ID P1 for limited data on users.
- Microsoft Entra ID P2 licenses for full access to the risky user data.
- [Security Reader](../identity/role-based-access-control/permissions-reference.md#security-reader) and [Security Operator](../identity/role-based-access-control/permissions-reference.md#security-operator) are the least privileged roles required to use the *standard view* of the report.
- [User Administrator](../identity/role-based-access-control/permissions-reference.md#user-administrator) is required to reset passwords.
 
## Risky user report
 
The standard view of the Risky user report contains three main sections: The summary chart of risky users at each level, new risky users per day, and the full list of risky users.
 
The **Percentage of risky users at each risk level** chart shows a visual representation of your user and their risk levels. This visual summary allows you to quickly see the state of things in your organization. Hover over each segment of the chart to see the percentage of users at each risk level.
 
 
 
 
 
Knowing which users are at risk and *why* they're at risk is a key responsibility of security and identity administrators. The Risky user report in Microsoft Entra ID Protection provides the full report, along with a risk data summary, and an activity timeline.
 
The Risky user report is also integrated with the Identity Risk Management Agent for enhanced agent suggestions and insights. If you have the Identity Risk Management Agent enabled, you can switch between the standard view and the agent view of the report.
 
This article provides an overview of the information and actions available in the Risky user report.
 
## Prerequisites
- Microsoft Entra ID Free, Microsoft Entra ID P1 for limited data on users.
- Microsoft Entra ID P2 licenses for full access to the risky user data.
- [Security Reader](../identity/role-based-access-control/permissions-reference.md#security-reader) and [Security Operator](../identity/role-based-access-control/permissions-reference.md#security-operator) are the least privileged roles required to use the *standard view* of the report.
- [Security Administrator](../identity/role-based-access-control/permissions-reference.md#search-administrator) is required to use the *agent view* of the report and access the Risk Management Agent features.
- [User Administrator](../identity/role-based-access-control/permissions-reference.md#user-administrator) is required to reset passwords.
 
## Risky user report
 
The standard view of the Risky user report contains three main sections: The summary chart of risky users at each level, new risky users per day, and the full list of risky users. If you have the [Identity Risk Management Agent](identity-risk-management-agent-risky-user-report.md) turned on, you can use the **Agent view** to see agent suggestions and insights.
 
The **Percentage of risky users at each risk level** chart shows a visual representation of your user and their risk levels. This visual summary allows you to quickly see the state of things in your organization. Hover over each segment of the chart to see the percentage of users at each risk level.
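
Review bot: In the added Prerequisites bullet for the agent view, the link text says Security Administrator but the target is `permissions-reference.md#search-administrator`; the anchor should match the role named in the text, so point it at `#security-administrator`. Separately, the sentence added to the Risky user report section links to `identity-risk-management-agent-risky-user-report.md`, which this same report lists as deleted on Dec 1, so confirm the target still exists or update the link.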
 
+4 / -1 lines changed
Commit: preview-notes
Changes:
Before
After
---
# Review agent findings
 
The Identity Risk Management Agent in Microsoft Entra ID Protection provides proactive risk management capabilities by analyzing the risky identities and suggesting actions to remediate them. By using a Large Language Model, the agent helps security administrators review and respond to risky activities before they lead to security incidents.
 
## Prerequisites
 
 
 
 
---
# Review agent findings
 
The Identity Risk Management Agent (Preview) in Microsoft Entra ID Protection provides proactive risk management capabilities by analyzing the risky identities and suggesting actions to remediate them. By using a Large Language Model, the agent helps security administrators review and respond to risky activities before they lead to security incidents.
 
> [!NOTE]
> The Identity Risk Management Agent is currently being deployed and in preview. This information relates to a prerelease product that might be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Prerequisites
 
+4 / -1 lines changed
Commit: preview-notes
Changes:
Before
After
ms.reviewer: chuqiaoshi
---
 
# Identity Risk Management Agent settings
 
The Identity Risk Management Agent in Microsoft Entra ID Protection provides proactive risk management capabilities by analyzing user behavior and suggesting actions to mitigate potential identity risks. You can configure the settings to meet your organization's needs, such as how often it runs, and email notifications.
 
## Access the agent settings
 
Once the agent is enabled, you can adjust a few settings. To review and adjust the settings:
 
 
 
ms.reviewer: chuqiaoshi
---
 
# Identity Risk Management Agent (Preview) settings
 
The Identity Risk Management Agent in Microsoft Entra ID Protection provides proactive risk management capabilities by analyzing user behavior and suggesting actions to mitigate potential identity risks. You can configure the settings to meet your organization's needs, such as how often it runs, and email notifications.
 
> [!NOTE]
> The Identity Risk Management Agent is currently being deployed and in preview. This information relates to a prerelease product that might be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Access the agent settings
 
Once the agent is enabled, you can adjust a few settings. To review and adjust the settings:
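
Review bot: The H1 now carries (Preview), but the opening sentence directly under it still names the agent without the label, while the companion change to Review agent findings adds (Preview) to its first sentence. Pick one convention and apply it in both articles so the preview status reads consistently.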
Modified by Barclay Neira on Dec 1, 2025 9:13 PM
📖 View on learn.microsoft.com
+3 / -1 lines changed
Commit: Update licensing date in documentation
Changes:
Before
After
manager: pmwongera
ms.service: entra
ms.topic: article
ms.date: 06/20/2025
ms.subservice: fundamentals
ms.author: barclayn
---
 
This article discusses licensing options for the Microsoft Entra product family. It's intended for security decision makers, identity and network access administrators, and IT professionals who are considering Microsoft Entra solutions for their organizations.
 
 
## Microsoft Entra licensing options
 
 
 
manager: pmwongera
ms.service: entra
ms.topic: article
ms.date: 12/01/2025
ms.subservice: fundamentals
ms.author: barclayn
---
 
This article discusses licensing options for the Microsoft Entra product family. It's intended for security decision makers, identity and network access administrators, and IT professionals who are considering Microsoft Entra solutions for their organizations.
 
>[!NOTE]
>If you are troubleshooting licensing assignment issues, review [Identify and resolve license assignment problems for a group in the Microsoft 365 Admin Portal](licensing-groups-resolve-problems.md).
 
## Microsoft Entra licensing options
 
Modified by Mark Wahl on Dec 1, 2025 5:14 PM
📖 View on learn.microsoft.com
+4 / -0 lines changed
Commit: add links to AR agent article from AR overview articles
Changes:
Before
After
>[!NOTE]
>Creating a review on inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.
 
## Next steps
 
- [Prepare for an access review of users' access to an application](access-reviews-application-preparation.md)
 
 
 
 
>[!NOTE]
>Creating a review on inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.
 
## Access Review Agent (Preview)
 
The Access Review Agent works for your reviewers by automatically gathering insights and generating recommendations. It then guides reviewers through the review process in Microsoft Teams with natural language, with simple summaries and proposed decisions, so they can make the final call with confidence and clarity. For more information, see [Access Review Agent](../security-copilot/access-review-agent.md).
 
## Next steps
 
- [Prepare for an access review of users' access to an application](access-reviews-application-preparation.md)
+2 / -2 lines changed
Commit: add links to AR agent article from AR overview articles
Changes:
Before
After
 
Organizations that previously had been using an on-premises identity governance product can [migrate their organizational role model](identity-governance-organizational-roles.md) to Microsoft Entra ID Governance.
 
Furthermore, IT can delegate access management decisions to business decision makers. For example, employees that wish to access confidential customer data in a company's marketing application in Europe could need approval from their manager, a department lead or resource owner, and a security risk officer. [Entitlement management](entitlement-management-overview.md) enables you to define how identities request access across packages of group and team memberships, app roles, and SharePoint Online roles, and enforce separation of duties checks on access requests.
 
Organizations can also control which guest identities have access, including to [on-premises applications](../external-id/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Microsoft Entra access reviews](access-reviews-overview.md) for access recertification.
 
 
## Privileged access lifecycle
 
Organizations that previously had been using an on-premises identity governance product can [migrate their organizational role model](identity-governance-organizational-roles.md) to Microsoft Entra ID Governance.
 
Furthermore, IT can delegate access management decisions to business decision makers. For example, employees that wish to access confidential customer data in a company's marketing application in Europe could need approval from their manager, a department lead or resource owner, and a security risk officer. [Entitlement management](entitlement-management-overview.md) enables you to define how identities request access across packages of group and team memberships, app roles, and SharePoint Online roles, and enforce separation of duties checks on access requests. Access packages can require regular access reviews, and other access rights, such as group memberships, can also be regularly reviewed using recurring [Microsoft Entra access reviews](access-reviews-overview.md) for access recertification. The [Access Review Agent](../security-copilot/access-review-agent.md) helps reviewers by automatically gathering insights and generating recommendations, and guides reviewers through the review process in Microsoft Teams with natural language, with simple summaries and proposed decisions, so they can make the final call with confidence and clarity.
 
Organizations can also control which guest identities have access, including to [on-premises applications](../external-id/hybrid-cloud-to-on-premises.md).
 
 
## Privileged access lifecycle
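
Review bot: The sentence added to the entitlement management paragraph introduces the Access Review Agent without the (Preview) label that the access reviews overview change uses in its heading, `## Access Review Agent (Preview)`; mark it as preview here too. The paragraph also now runs to five long sentences, so consider moving the access review and agent sentences into their own paragraph.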

πŸ—‘οΈ Deleted Documentation Files

DELETED docs/fundamentals/concept-secure-remote-workers.md
Deleted by John Flores on Dec 1, 2025 5:35 PM
📖 Was available at: https://learn.microsoft.com/en-us/entra/fundamentals/concept-secure-remote-workers
-137 lines removed
Commit: [Fundamentals] Securing Microsoft Entra best practices
DELETED docs/id-protection/identity-risk-management-agent-risky-user-report.md
Deleted by shlipsey3 on Dec 1, 2025 5:08 PM
📖 Was available at: https://learn.microsoft.com/en-us/entra/id-protection/identity-risk-management-agent-risky-user-report
-81 lines removed
Commit: agents-120125
DELETED docs/id-protection/identity-risk-management-agent-settings.md
Deleted by shlipsey3 on Dec 1, 2025 5:08 PM
📖 Was available at: https://learn.microsoft.com/en-us/entra/id-protection/identity-risk-management-agent-settings
-69 lines removed
Commit: agents-120125
DELETED docs/id-protection/identity-risk-management-agent-get-started.md
Deleted by shlipsey3 on Dec 1, 2025 5:08 PM
📖 Was available at: https://learn.microsoft.com/en-us/entra/id-protection/identity-risk-management-agent-get-started
-62 lines removed
Commit: agents-120125