📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 3rd 2026, 8:19 PM PST

Report generated on March 4th 2026, 8:19 PM PST

📊 Summary

Total Commits: 31
New Files: 0
Modified Files: 7
Deleted Files: 0
Contributors: 10

📝 Modified Documentation Files

+5 / -5 lines changed
Commit: Update howto-authentication-sms-signin.md
Changes:
Before
After
title: SMS-based user sign-in for Microsoft Entra ID
description: Learn how to configure and enable users to sign-in to Microsoft Entra ID using SMS
ms.topic: how-to
ms.date: 06/18/2025
ms.reviewer: anjusingh
ms.custom: sfi-ga-nochange, sfi-image-nochange
---
 
# Configure and enable users for SMS-based authentication using Microsoft Entra ID
 
Entra SMS-based authentication allows users to sign in using only a registered phone number and a one-time passcode (OTP) sent via SMS, no username or password required. This is different from Entra SMS multi-factor authentication, which typically requires a username, password, and SMS as MFA method. This authentication method is primarily designed to simplify sign-in experience of frontline workers and not recommended for Information workers (IW).
 
Entra also has a public preview of an alternative approach for frontline-workers called [QR code authentication](concept-authentication-qr-code.md) that organizations may want to consider for frontline shared device scenarios.
 
The rest of this article shows you how to enable SMS-based authentication as a first factor for select users or groups in Microsoft Entra ID. For a list of apps that support using SMS-based sign-in, see [App support for SMS-based authentication](how-to-authentication-sms-supported-apps.md).
 
 
- You should enable SMS authentication *only* for frontline workers.
- If you enable SMS authentication, make sure you follow best practices for using security controls for work or home access for frontline workers. For more information, see [Best practices to protect frontline workers](/entra/identity-platform/security-best-practices-for-frontline-workers).
- If you enable SMS authentication for frontline workers, we suggest you to move to using QR code authentication (preview), which isn't phishable. For more information, see [Authentication methods in Microsoft Entra ID - QR code authentication method (Preview)](/entra/identity/authentication/concept-authentication-qr-code).
title: SMS-based user sign-in for Microsoft Entra ID
description: Learn how to configure and enable users to sign-in to Microsoft Entra ID using SMS
ms.topic: how-to
ms.date: 03/04/2026
ms.reviewer: anjusingh
ms.custom: sfi-ga-nochange, sfi-image-nochange
---
 
# Configure and enable users for SMS-based authentication using Microsoft Entra ID
 
Microsoft Entra SMS-based authentication allows users to sign in using only a registered phone number and a one-time passcode (OTP) sent via SMS, no username or password required. This is different from Microsoft Entra SMS multifactor authentication, which typically requires a username, password, and SMS as an MFA method. This authentication method is primarily designed to simplify sign-in experience of frontline workers and not recommended for Information workers (IW).
 
Microsoft Entra also has an alternative approach for frontline-workers called [QR code authentication](concept-authentication-qr-code.md) that organizations may want to consider for frontline shared device scenarios.
 
The rest of this article shows you how to enable SMS-based authentication as a first factor for select users or groups in Microsoft Entra ID. For a list of apps that support using SMS-based sign-in, see [App support for SMS-based authentication](how-to-authentication-sms-supported-apps.md).
 
 
- You should enable SMS authentication *only* for frontline workers.
- If you enable SMS authentication, make sure you follow best practices for using security controls for work or home access for frontline workers. For more information, see [Best practices to protect frontline workers](/entra/identity-platform/security-best-practices-for-frontline-workers).
- If you enable SMS authentication for frontline workers, we suggest you to move to using QR code authentication. For more information, see [Authentication methods in Microsoft Entra ID - QR code authentication method](/entra/identity/authentication/concept-authentication-qr-code).
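
Review bot: In the last bullet of the After text, dropping "(preview), which isn't phishable" removes the only stated reason for the recommendation, so "we suggest you to move to using QR code authentication" now gives readers no basis for preferring it over SMS. If the phishing claim was removed on purpose, state the actual benefit or point to the part of the linked article that does. While in this bullet, "suggest you to move to using" reads better as "suggest that you move to", and the description's "enable users to sign-in" should use the verb form "sign in".
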
+5 / -5 lines changed
Commit: Update terminology from 'cloud sync' to 'Cloud sync'
Changes:
Before
After
# Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment
 
> [!NOTE]
> Self-service password reset writeback with cloud sync isn't supported in Microsoft Azure operated by 21Vianet. Admins can deploy SSPR writeback with [Microsoft Entra Connect sync](tutorial-enable-sspr-writeback.md) instead.
 
Microsoft Entra Connect cloud sync can synchronize Microsoft Entra password changes in real time between users in disconnected on-premises Active Directory Domain Services (AD DS) domains. Microsoft Entra Connect cloud sync can run side-by-side with [Microsoft Entra Connect](tutorial-enable-sspr-writeback.md) at the domain level to simplify password writeback for additional scenarios, such as users who are in disconnected domains because of a company split or merge. You can configure each service in different domains to target different sets of users depending on their needs. Microsoft Entra Connect cloud sync uses the lightweight Microsoft Entra cloud provisioning agent to simplify the setup for self-service password reset (SSPR) writeback and provide a secure way to send password changes in the cloud back to an on-premises directory.
 
 
## Prerequisites
- A Microsoft Entra tenant with at least a Microsoft Entra ID P1 or trial license enabled. If needed, [create one for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
- A [Hybrid Identity Administrator](~/identity/role-based-access-control/permissions-reference.md#hybrid-identity-administrator) account
- Microsoft Entra ID configured for self-service password reset. If needed, complete this tutorial to enable Microsoft Entra SSPR.
- An on-premises AD DS environment configured with [Microsoft Entra Connect cloud sync version 1.1.977.0 or later](~/identity/app-provisioning/provisioning-agent-release-version-history.md). Learn how to [identify the agent's current version](~/identity/hybrid/cloud-sync/how-to-automatic-upgrade.md). If needed, configure Microsoft Entra Connect cloud sync using [this tutorial](tutorial-enable-sspr.md).
 
 
## Deployment steps
 
1. [Configure Microsoft Entra Connect cloud sync service account permissions](#configure-azure-ad-connect-cloud-sync-service-account-permissions)
1. [Enable password writeback in Microsoft Entra Connect cloud sync](#enable-password-writeback-in-sspr)
1. [Enable password writeback for SSPR](#enable-password-writeback-in-sspr)
# Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment
 
> [!NOTE]
> Self-service password reset writeback with Cloud sync isn't supported in Microsoft Azure operated by 21Vianet. Instead, admins can deploy SSPR writeback with [Microsoft Entra Connect sync](tutorial-enable-sspr-writeback.md).
 
Microsoft Entra Cloud sync can synchronize Microsoft Entra password changes in real time between users in disconnected on-premises Active Directory Domain Services (AD DS) domains. Microsoft Entra Cloud sync can run side-by-side with [Microsoft Entra Connect](tutorial-enable-sspr-writeback.md) at the domain level to simplify password writeback for additional scenarios, such as users who are in disconnected domains because of a company split or merge. You can configure each service in different domains to target different sets of users depending on their needs. Microsoft Entra Cloud sync uses the lightweight Microsoft Entra cloud provisioning agent to simplify the setup for self-service password reset (SSPR) writeback and provide a secure way to send password changes in the cloud back to an on-premises directory.
 
 
## Prerequisites
- A Microsoft Entra tenant with at least a Microsoft Entra ID P1 or trial license enabled. If needed, [create one for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
- A [Hybrid Identity Administrator](~/identity/role-based-access-control/permissions-reference.md#hybrid-identity-administrator) account
- Microsoft Entra ID configured for self-service password reset. If needed, complete this tutorial to enable Microsoft Entra SSPR.
- An on-premises AD DS environment configured with [Microsoft Entra Cloud sync version 1.1.977.0 or later](~/identity/app-provisioning/provisioning-agent-release-version-history.md). Learn how to [identify the agent's current version](~/identity/hybrid/cloud-sync/how-to-automatic-upgrade.md).
 
 
## Deployment steps
 
1. [Configure Microsoft Entra Cloud sync service account permissions](#configure-azure-ad-cloud-sync-service-account-permissions)
1. [Enable password writeback in Microsoft Entra Connect cloud sync](#enable-password-writeback-in-sspr)
1. [Enable password writeback for SSPR](#enable-password-writeback-in-sspr)
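
Review bot: Step 2 of the Deployment steps still reads "Enable password writeback in Microsoft Entra Connect cloud sync" while every other mention in this change was renamed to "Microsoft Entra Cloud sync", so the rename is incomplete. Step 1's link target also changed to #configure-azure-ad-cloud-sync-service-account-permissions; confirm the target heading or its explicit anchor was renamed in the same commit, otherwise the link breaks. Steps 2 and 3 both point to #enable-password-writeback-in-sspr, which was already the case before this change and is worth fixing at the same time. The last prerequisite also loses its "If needed, configure ... using this tutorial" sentence, which a terminology-only commit title doesn't explain.
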
+4 / -5 lines changed
Commit: Fix terminology and consolidate redundant notes in TAP Windows device setup
Changes:
Before
After
Users with a TAP can navigate the setup process on Windows 10 and 11 to perform device join operations and configure Windows Hello for Business. TAP usage for setting up Windows Hello for Business varies based on the devices joined state.
 
For devices that are joined to Microsoft Entra ID:
- During the domain-join setup process, users can authenticate with a TAP (no password required) to join the device and register Windows Hello for Business.
- On already-joined devices, users must first authenticate with another method such as a password, smartcard, or FIDO2 key, before using TAP to set up Windows Hello for Business.
- If the [Web sign-in](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) feature on Windows is also enabled, the user can use TAP to sign into the device. This is intended only for completing initial device setup, or recovery when the user doesn't know or have a password.
 
For hybrid-joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business.
 
> [!NOTE]
> For federated domains, the **FederatedIdpMfaBehavior** changes the behavior when MFA is required. If set to **enforceMfaByFederatedIdp** the user is redirected to the federated IDP and does not get the chance to use the TAP. However, if set to **acceptIfMfaDoneByFederatedIdp** then the user will see a TAP prompt in Entra ID during MFA for Windows Hello for Business provisioning.
 
> [!NOTE]
> For federated domains where federatedIdpMfaBehavior is set to enforceMfaByFederatedIdp, users will not be prompted for TAP to satisfy multifactor authentication (MFA) to set up Windows Hello for Business. Instead, they are redirected to the federated Identity Provider (IdP) for multifactor authentication (MFA).
 
:::image type="content" border="true" source="./media/how-to-authentication-temporary-access-pass/windows-10-tap.png" alt-text="Screenshot of how to enter Temporary Access Pass when setting up Windows.":::
 
Users with a TAP can navigate the setup process on Windows 10 and 11 to perform device join operations and configure Windows Hello for Business. TAP usage for setting up Windows Hello for Business varies based on the devices joined state.
 
For devices that are joined to Microsoft Entra ID:
- During the Microsoft Entra join setup process, users can authenticate with a TAP (no password required) to join the device and register Windows Hello for Business.
- On already-joined devices, users must first authenticate with another method such as a password, smartcard, or FIDO2 key, before using TAP to set up Windows Hello for Business.
- If the [Web sign-in](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) feature on Windows is also enabled, the user can use TAP to sign into the device. This is intended only for completing initial device setup, or recovery when the user doesn't know or have a password.
 
For hybrid-joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business.
 
> [!NOTE]
> For federated domains, the **FederatedIdpMfaBehavior** setting changes the behavior when MFA is required:
> - If set to **enforceMfaByFederatedIdp**, the user is redirected to the federated identity provider (IdP) for MFA and isn't prompted for a TAP to set up Windows Hello for Business.
> - If set to **acceptIfMfaDoneByFederatedIdp**, the user sees a TAP prompt in Microsoft Entra ID during MFA for Windows Hello for Business provisioning.
 
:::image type="content" border="true" source="./media/how-to-authentication-temporary-access-pass/windows-10-tap.png" alt-text="Screenshot of how to enter Temporary Access Pass when setting up Windows.":::
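
Review bot: The consolidated note writes the setting as **FederatedIdpMfaBehavior**, while the removed second note used federatedIdpMfaBehavior; pick one casing, preferably the exact property name in code formatting, so admins can search for it. In the unchanged first paragraph, "the devices joined state" needs an apostrophe ("the device's joined state").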
 
 
Modified by Nuno Alexandre on Mar 4, 2026 9:09 PM
+1 / -1 lines changed
Commit: Fix version number for Microsoft Entra Connect Sync
Changes:
Before
After
- The provisioning agent must be installed on a server that runs Windows Server 2022, Windows Server 2019, or Windows Server 2016.
- The provisioning agent must be able to communicate with one or more domain controllers on ports TCP/389 (LDAP) and TCP/3268 (Global Catalog).
- Required for Global Catalog lookup to filter out invalid membership references
- Microsoft Entra Connect Sync with build version [2.22.8.0](../connect/reference-connect-version-history.md#2280)
- Required to support on-premises user membership synchronized using Microsoft Entra Connect Sync
- Required to synchronize `AD DS:user:objectGUID` to `AAD DS:user:onPremisesObjectIdentifier`
 
- The provisioning agent must be installed on a server that runs Windows Server 2022, Windows Server 2019, or Windows Server 2016.
- The provisioning agent must be able to communicate with one or more domain controllers on ports TCP/389 (LDAP) and TCP/3268 (Global Catalog).
- Required for Global Catalog lookup to filter out invalid membership references
- Microsoft Entra Connect Sync with build version [2.2.8.0](../connect/reference-connect-version-history.md#2280)
- Required to support on-premises user membership synchronized using Microsoft Entra Connect Sync
- Required to synchronize `AD DS:user:objectGUID` to `AAD DS:user:onPremisesObjectIdentifier`
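
Review bot: The corrected bullet states "build version 2.2.8.0" with no "or later", so it reads as a requirement for that exact build; if 2.2.8.0 is a minimum, say so. The new value does agree with the #2280 anchor in the link.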
 
+1 / -1 lines changed
Commit: Update docs/identity/monitoring-health/reference-reports-data-retention.md
Changes:
Before
After
**No**, you can't. Azure stores up to seven days of activity data for a free version. When you switch from a free to a premium version, you can only see up to 7 days of data.
 
> [!NOTE]
> Log retention changes are not retroactive. When upgrading from Microsoft Entra ID Free to P1 or P2, only data still within the free retention period (up to seven days) is available. Data that has already expired cannot be recovered unless it was previously archived.
 
## Next steps
 
**No**, you can't. Azure stores up to seven days of activity data for a free version. When you switch from a free to a premium version, you can only see up to 7 days of data.
 
> [!NOTE]
> Log retention changes aren't retroactive. When you upgrade from Microsoft Entra ID Free to P1 or P2, only data still within the free retention period (up to seven days) is available. Data that has already expired can't be recovered unless it was previously archived.
 
## Next steps
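
Review bot: The changed note repeats what the paragraph above it already says, and that paragraph still mixes "seven days" and "7 days" in consecutive sentences and says "Azure stores" where the note says "Microsoft Entra ID Free". Align the paragraph with the note's wording, or fold the two together, so the retention limit is stated once. The "unless it was previously archived" clause is the part readers can act on and would benefit from a link to the archiving instructions.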
 
Modified by omondiatieno on Mar 4, 2026 11:36 AM
+1 / -1 lines changed
Commit: Improve heading scannability in sync overview page
Changes:
Before
After
 
<a name='azure-ad-connect-sync-topics'></a>
 
## Microsoft Entra Connect Sync topics
| Topic | What it covers and when to read |
| --- | --- |
| **Microsoft Entra Connect Sync fundamentals** | |
 
<a name='azure-ad-connect-sync-topics'></a>
 
## Feature and configuration reference
| Topic | What it covers and when to read |
| --- | --- |
| **Microsoft Entra Connect Sync fundamentals** | |
+1 / -1 lines changed
Commit: Learn Editor: Update concept-native-authentication-challenge-types.md
Changes:
Before
After
 
New values are added when native authentication supports new authentication methods.
 
## Challenge type values for native authentication
 
The following table summarizes the challenge type values an app should use for the various authentication flows:
 
 
New values are added when native authentication supports new authentication methods.
 
## Challenge type values for native authentication flows
 
The following table summarizes the challenge type values an app should use for the various authentication flows:
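
Review bot: Renaming the heading to "Challenge type values for native authentication flows" changes the anchor generated from it, and no explicit anchor is kept in the visible lines, so any link to the old #challenge-type-values-for-native-authentication fragment stops resolving. Check for inbound links, or add an explicit anchor for the old name as the sync overview page does with its <a name> tag.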