📋 Microsoft Entra Documentation Changes

Daily summary for changes since December 3rd 2025, 7:25 PM PST

Report generated on December 4th 2025, 7:25 PM PST

📊 Summary

Total Commits: 18
New Files: 0
Modified Files: 7
Deleted Files: 0
Contributors: 8

📝 Modified Documentation Files

Modified by Ortagus Winfrey on Dec 4, 2025 6:24 PM
📖 View on learn.microsoft.com
+21 / -14 lines changed
Commit: Updates
Changes:
Before
After
ms.topic: how-to #Required; leave this attribute/value as-is
ms.date: 11/04/2025
 
#CustomerIntent: As an identity governance administrator, I want to view sensitivity labels of groups so that I can maintain security of groups within my environment.
---
 
# Sensitivity labels in Lifecycle Workflows
 
Maintaining and classifying data within your environment is an important part in maintaining a secure environment. Sensitivity labels from Microsoft Purview Information Protection let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered. With sensitivity labels in Lifecycle Workflows, administrators are able to quickly view the sensitivity labels of groups during workflow creation, and editing.
 
## License requirements
 
Along with Microsoft Entra licenses required for Lifecycle workflows, you must also have:
 
- [A created sensitivity label](/purview/create-sensitivity-labels?tabs=classic-label-scheme#create-and-configure-sensitivity-labels)
- [A sensitivity label applied to the group you want to use with a Lifecycle workflow](/purview/sensitivity-labels-teams-groups-sites#using-sensitivity-labels-for-microsoft-teams-microsoft-365-groups-and-sharepoint-sites)
 
## View assigned groups sensitivity labels during workflow creation
 
Sensitivity labels of groups can be viewed when adding tasks such as "**Add user to groups**" and "**Remove user from selected groups**" during workflow creation. To view the sensitivity labels of groups using Lifecycle workflows during workflow creation, do the following steps:
ms.topic: how-to #Required; leave this attribute/value as-is
ms.date: 11/04/2025
 
#CustomerIntent: As an identity governance administrator, I want to view sensitivity labels of groups or teams so that I can maintain security within my environment.
---
 
# Sensitivity labels in Lifecycle Workflows
 
Maintaining and classifying data within your environment is an important part in maintaining a secure environment. Sensitivity labels from Microsoft Purview Information Protection let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered. With sensitivity labels in Lifecycle Workflows, administrators are able to quickly view the sensitivity labels of groups and teams during workflow creation, and editing.
 
The following tasks support sensitivity labels:
 
- [Add user to groups](lifecycle-workflow-tasks.md#add-user-to-groups)
- [Add user to teams](lifecycle-workflow-tasks.md#add-user-to-teams)
- [Remover user from selected groups](lifecycle-workflow-tasks.md#remove-user-from-selected-groups)
- [Remove user from selected teams](lifecycle-workflow-tasks.md#remove-user-from-selected-teams)
 
## License requirements
 
Along with Microsoft Entra licenses required for Lifecycle workflows, you must also have:
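
Review bot: The new task list in the After text misspells the third link label as "Remover user from selected groups"; it should read "Remove user from selected groups" to match its anchor `#remove-user-from-selected-groups`. The intro sentence also still ends "during workflow creation, and editing", where the comma before "and" can be dropped. The Before text of the "View assigned groups sensitivity labels during workflow creation" section names only the two group tasks; if that sentence is unchanged in this commit, it should mention the team tasks as well so it agrees with the new list.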
+0 / -17 lines changed
Commit: Remove service principal provisioning instructions
Changes:
Before
After
:::image type="content" source="media/how-to-network-content-filtering/internet-access-rules.png" alt-text="Screenshot of the Global Secure Access Advanced Diagnostics window on the Forwarding Profile tab, showing Internet Access rules in the Rules section." lightbox="media/how-to-network-content-filtering/internet-access-rules.png":::
1. Confirm access to web applications you plan for file policies.
 
## Provision a service principal on your tenant
To enable the integration between Global Secure Access and Microsoft Purview for file scanning, you need to manually provision a service principal on your tenant. You need at least Cloud Application Administrator permission for this configuration setup.
 
You can manually trigger service principal creation through PowerShell, Azure CLI, or Microsoft Graph directly. To provision using Microsoft Graph:
1. Sign in to [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) as a [Cloud Application Administrator](../identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Run the following POST request to create the service principal:
 
```http
POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-Type: application/json
 
{
"appId": "2eba9957-8c82-4bfd-8025-e4a4a97a9110"
}
```
 
## Configure a file policy
:::image type="content" source="media/how-to-network-content-filtering/internet-access-rules.png" alt-text="Screenshot of the Global Secure Access Advanced Diagnostics window on the Forwarding Profile tab, showing Internet Access rules in the Rules section." lightbox="media/how-to-network-content-filtering/internet-access-rules.png":::
1. Confirm access to web applications you plan for file policies.
 
## Configure a file policy
 
To configure a file policy in Global Secure Access, complete the following steps:
- Compressed content is detected in zip format (the content isn't decompressed).
- Accuracy of true file type detection might not be 100%.
- Destination applications using WebSocket (such as Copilot) aren't supported.
- Top level and second level domains don't support wildcards (like *, *.com, *contoso.com) while configuring FQDNs.
 
> [!NOTE]
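
Review bot: The entire "Provision a service principal on your tenant" section is removed, including the Cloud Application Administrator requirement and the POST to `/v1.0/servicePrincipals`, and nothing in the After text says what replaces it. If the service principal for the Global Secure Access and Microsoft Purview file-scanning integration is now created automatically, state that in the prerequisites; if the step moved to another article, link to it. Otherwise a reader who goes straight to "Configure a file policy" has no indication that this prerequisite ever existed or how to check that it is satisfied on their tenant.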
 
 
 
 
 
 
 
 
Modified by Ortagus Winfrey on Dec 4, 2025 12:38 PM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: updated versioning number
Changes:
Before
After
 
Get notified about when to revisit this page for updates by copying and pasting this URL: `https://aka.ms/cloudsyncrss` into your ![RSS feed reader icon](media/cloud-sync-version-history/feed-icon-16-x-16.png) feed reader.
 
## 1.1.2106.0
December 3, 2025: released for download only
 
### Known issues
- If you are an AzueUSGovernment customer and have enabled writing back passwords with Microsoft Entra provisioning agent, the operation may fail. Please upgrade the agent to version 1.1.2106.0 to address this issue.
 
 
 
 
Get notified about when to revisit this page for updates by copying and pasting this URL: `https://aka.ms/cloudsyncrss` into your ![RSS feed reader icon](media/cloud-sync-version-history/feed-icon-16-x-16.png) feed reader.
 
## 1.1.2108.0
December 3, 2025: released for download only
 
### Known issues
- If you are an AzueUSGovernment customer and have enabled writing back passwords with Microsoft Entra provisioning agent, the operation may fail. Please upgrade the agent to version 1.1.2108.0 to address this issue.
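
Review bot: The Known issues bullet still spells the cloud name "AzueUSGovernment"; since this line is already being edited for the version number, correct it to "AzureUSGovernment" in the same commit. The bullet also sits under "Known issues" for 1.1.2108.0 while telling readers to upgrade to 1.1.2108.0 to address the problem, which describes a fix rather than a known issue of this release; consider moving it under a fixed-issues heading or rewording it. The heading is changed in place from 1.1.2106.0 to 1.1.2108.0, so confirm that 1.1.2106.0 was never published, or keep it as its own entry in the version history.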
 
 
 
Modified by Ortagus Winfrey on Dec 4, 2025 6:24 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Updates
Changes:
Before
After
 
```
 
### Remove User from Teams
 
Allows a user to be removed from one or multiple static teams. You're able to customize the task name and description for this task in the Microsoft Entra admin center.
:::image type="content" source="media/lifecycle-workflow-task/remove-user-team-task.png" alt-text="Screenshot of Workflows task: remove user from teams.":::
 
```
 
### Remove User from selected Teams
 
Allows a user to be removed from one or multiple static teams. You're able to customize the task name and description for this task in the Microsoft Entra admin center.
:::image type="content" source="media/lifecycle-workflow-task/remove-user-team-task.png" alt-text="Screenshot of Workflows task: remove user from teams.":::
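
Review bot: Renaming the heading to "Remove User from selected Teams" changes its anchor from `#remove-user-from-teams` to `#remove-user-from-selected-teams`, so every inbound link to the old anchor has to be updated in the same change. The image alt text on the line after the description still reads "remove user from teams" and should follow the new task name. The heading's capitalization also differs from the link label "Remove user from selected teams" used for this task in the other files in this report; pick one form.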
Modified by Ortagus Winfrey on Dec 4, 2025 6:24 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Updates
Changes:
Before
After
| [Disable user account](../id-governance/lifecycle-workflow-tasks.md#disable-user-account) | 1dfdfcc7-52fa-4c2e-bf3a-e3919cc12950 | Leaver |
| [Remove user from selected groups](../id-governance/lifecycle-workflow-tasks.md#remove-user-from-selected-groups) | 1953a66c-751c-45e5-8bfe-01462c70da3c | Joiner, Leaver, Mover |
| [Remove users from all groups](../id-governance/lifecycle-workflow-tasks.md#remove-users-from-all-groups) | b3a31406-2a15-4c9a-b25b-a658fa5f07fc | Leaver |
| [Remove user from teams](../id-governance/lifecycle-workflow-tasks.md#remove-user-from-teams) | 06aa7acb-01af-4824-8899-b14e5ed788d6 | Leaver |
| [Remove user from all teams](../id-governance/lifecycle-workflow-tasks.md#remove-users-from-all-teams) | 81f7b200-2816-4b3b-8c5d-dc556f07b024 | Leaver |
| [Remove access package assignment for user](../id-governance/lifecycle-workflow-tasks.md#remove-access-package-assignment-for-user) | 4a0b64f2-c7ec-46ba-b117-18f262946c50 | Leaver, Mover |
| [Remove all access package assignments for user](../id-governance/lifecycle-workflow-tasks.md#remove-all-access-package-assignments-for-user) | 42ae2956-193d-4f39-be06-691b8ac4fa1d | Leaver |
| [Disable user account](../id-governance/lifecycle-workflow-tasks.md#disable-user-account) | 1dfdfcc7-52fa-4c2e-bf3a-e3919cc12950 | Leaver |
| [Remove user from selected groups](../id-governance/lifecycle-workflow-tasks.md#remove-user-from-selected-groups) | 1953a66c-751c-45e5-8bfe-01462c70da3c | Joiner, Leaver, Mover |
| [Remove users from all groups](../id-governance/lifecycle-workflow-tasks.md#remove-users-from-all-groups) | b3a31406-2a15-4c9a-b25b-a658fa5f07fc | Leaver |
| [Remove user from selected teams](../id-governance/lifecycle-workflow-tasks.md#remove-user-from-selected-teams) | 06aa7acb-01af-4824-8899-b14e5ed788d6 | Leaver |
| [Remove user from all teams](../id-governance/lifecycle-workflow-tasks.md#remove-users-from-all-teams) | 81f7b200-2816-4b3b-8c5d-dc556f07b024 | Leaver |
| [Remove access package assignment for user](../id-governance/lifecycle-workflow-tasks.md#remove-access-package-assignment-for-user) | 4a0b64f2-c7ec-46ba-b117-18f262946c50 | Leaver, Mover |
| [Remove all access package assignments for user](../id-governance/lifecycle-workflow-tasks.md#remove-all-access-package-assignments-for-user) | 42ae2956-193d-4f39-be06-691b8ac4fa1d | Leaver |
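
Review bot: The row directly below the changed one labels its link "Remove user from all teams" while pointing at `#remove-users-from-all-teams`, so label and anchor disagree on singular versus plural. Check which form the target heading uses and make the label match it, as the "Remove users from all groups" row does. The changed row itself is consistent with the renamed heading `#remove-user-from-selected-teams`.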
+0 / -1 lines changed
Commit: remove mentions of feedback or future capabilities
Changes:
Before
After
 
## Next steps
 
- If you need features beyond the preview's capabilities (richer templates, localization, or analytics), collect feedback and request expanded preview access from the product team.
- For guidance on configuring web content filtering, see [Configure web content filtering](./how-to-configure-web-content-filtering.md).
- For guidance on configuring threat intelligence, see [Configure threat intelligence](./how-to-configure-threat-intelligence.md).
 
## Next steps
 
- For guidance on configuring web content filtering, see [Configure web content filtering](./how-to-configure-web-content-filtering.md).
- For guidance on configuring threat intelligence, see [Configure threat intelligence](./how-to-configure-threat-intelligence.md).
 
+0 / -1 lines changed
Commit: Fix formatting and clarify metadata table in documentation
Changes:
Before
After
| Metadata value | Value | Comments |
|-----------------------|--------|----------|
| Issuer | | Must be an HTTPS URL.<br>The issuer value **MUST** match character-for-character between the configured issuer, the issuer value in the discovery document, and the `iss` claim in the tokens issued by the provider’s service.<br>The issuer MAY include a port and/or path segment, but MUST NOT contain query parameters or fragment identifiers. |
 
| authorization_endpoint | | The endpoint that Microsoft Entra ID communicates with for authorization. This endpoint must be present as one of the reply URLs for the allowed applications. |
| jwks_uri | | Where Microsoft Entra ID can find the public keys needed to verify the signatures issued by the provider. The `jwks_uri` **MUST** be an HTTPS endpoint and **MUST NOT** include query parameters or fragment identifiers.<br>[!NOTE]<br>The JSON Web Key (JWK) **x5c** parameter must be present to provide X.509 representations of keys provided. |
| scopes_supported | openid | Other values may also be included but aren't required. |
| Metadata value | Value | Comments |
|-----------------------|--------|----------|
| Issuer | | Must be an HTTPS URL.<br>The issuer value **MUST** match character-for-character between the configured issuer, the issuer value in the discovery document, and the `iss` claim in the tokens issued by the provider’s service.<br>The issuer MAY include a port and/or path segment, but MUST NOT contain query parameters or fragment identifiers. |
| authorization_endpoint | | The endpoint that Microsoft Entra ID communicates with for authorization. This endpoint must be present as one of the reply URLs for the allowed applications. |
| jwks_uri | | Where Microsoft Entra ID can find the public keys needed to verify the signatures issued by the provider. The `jwks_uri` **MUST** be an HTTPS endpoint and **MUST NOT** include query parameters or fragment identifiers.<br>[!NOTE]<br>The JSON Web Key (JWK) **x5c** parameter must be present to provide X.509 representations of keys provided. |
| scopes_supported | openid | Other values may also be included but aren't required. |
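
Review bot: In the `jwks_uri` row, `<br>[!NOTE]<br>` inside a table cell is not the blockquote form (`> [!NOTE]`) that the callout syntax uses, so it is likely to render as the literal text "[!NOTE]"; replace it with a plain bold "Note:" or move the x5c requirement into a note below the table. In the Issuer row, "MAY" and "MUST NOT" in the last sentence are not bold while the other requirement keywords in the table are; make them consistent. Removing the blank line after the Issuer row is correct, since the blank line ended the table and left the remaining rows outside it.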