📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 5th 2026, 8:06 PM PST

Report generated on March 6th 2026, 8:06 PM PST

📊 Summary

- Total commits: 42
- New files: 8
- Modified files: 58
- Deleted files: 0
- Contributors: 11

🆕 New Documentation Files

- +198 lines added (Commit: Android - Email,SMS,OTP,Strong auth)
- +196 lines added (Commit: iOS/macOS - Email,SMS,OTP,Strong auth)
- +190 lines added (Commit: Android - Email,SMS,OTP,Strong auth)
- +185 lines added (Commit: Android - Email,SMS,OTP,Strong auth)
- +184 lines added (Commit: iOS/macOS - Email,SMS,OTP,Strong auth)
- +157 lines added (Commit: Android - Email,SMS,OTP,Strong auth)
- +155 lines added (Commit: iOS/macOS - Email,SMS,OTP,Strong auth)
- +149 lines added (Commit: iOS/macOS - Email,SMS,OTP,Strong auth)

📝 Modified Documentation Files

+49 / -33 lines changed
Commit: fix: gate cleanup and success output behind auth result; defer token file creation
Changes:
Before
After
```powershell
# This sample script lets you obtain the Auth Token that you can use for registering the Entra private network connector through Marketplace.
#
# Version 1.1
#
# This script requires following
# - PowerShell 5.1 (x64) or beyond
 
# The script will use a temp folder on C Drive. First it will remove the folder and create a new folder to ensure its empty.
$tempPath = "C:\temp"
 
# Check if the folder exists
if (Test-Path -Path $tempPath) {
 
# Creating C:\temp folder
New-Item -ItemType Directory -Path $tempPath -Force | Out-Null
New-Item -ItemType File -Path C:\token.txt -Force | Out-Null
 
# Copy Required Dlls
Write-Host "Downloading Entra Private Network Connector Installer..."
```powershell
# This sample script lets you obtain the Auth Token that you can use for registering the Entra private network connector through Marketplace.
#
# Version 1.2
#
# This script requires following
# - PowerShell 5.1 (x64) or beyond
 
# The script will use a temp folder on C Drive. First it will remove the folder and create a new folder to ensure its empty.
$tempPath = "C:\temp"
$tokenPath = "C:\token.txt"
 
# Check if the folder exists
if (Test-Path -Path $tempPath) {
 
# Creating C:\temp folder
New-Item -ItemType Directory -Path $tempPath -Force | Out-Null
 
# Copy Required Dlls
Write-Host "Downloading Entra Private Network Connector Installer..."
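Review bot: deferring the file creation is an improvement, but the auth token is still destined for a fixed, predictable path at the drive root (`$tokenPath = "C:\token.txt"`), which is typically readable by other local accounts; since this file will hold a registration token, consider writing it under the current user's profile or `$env:TEMP`, restricting its ACL, and deleting it once the connector registration completes. Two header-comment nits while this block is open: `# This script requires following` should read `requires the following`, and `to ensure its empty` should be `to ensure it's empty`.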
+16 / -16 lines changed
Commit: Android - bugfix
Changes:
Before
After
 
To support multi-factor authentication (MFA), update the Android client configuration to include the required MFA capabilities.
 
```json
{
"client_id": "Enter_the_Application_Id_Here",
"authorities": [
{
"type": "CIAM",
"authority_url": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/Enter_the_Tenant_Id_Here/"
}
],
"challenge_types": ["oob", "password"],
"capabilities": ["mfa_required"],
"logging": {
"pii_enabled": false,
"log_level": "INFO",
"logcat_enabled": true
}
}
 
To support multi-factor authentication (MFA), update the Android client configuration to include the required MFA capabilities.
 
```json
{
"client_id": "Enter_the_Application_Id_Here",
"authorities": [
{
"type": "CIAM",
"authority_url": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/Enter_the_Tenant_Id_Here/"
}
],
"challenge_types": ["oob", "password"],
"capabilities": ["mfa_required"],
"logging": {
"pii_enabled": false,
"log_level": "INFO",
"logcat_enabled": true
}
}
+16 / -16 lines changed
Commit: Android - bugfix
Changes:
Before
After
To support multi-factor authentication (MFA), update the Android client configuration to include the required MFA capabilities.
 
 
```json
{
"client_id": "Enter_the_Application_Id_Here",
"authorities": [
{
"type": "CIAM",
"authority_url": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/Enter_the_Tenant_Subdomain_Here.onmicrosoft.com/"
}
],
"challenge_types": ["oob", "password"],
"capabilities": ["mfa_required"],
"logging": {
"pii_enabled": false,
"log_level": "INFO",
"logcat_enabled": true
}
}
To support multi-factor authentication (MFA), update the Android client configuration to include the required MFA capabilities.
 
 
```json
{
"client_id": "Enter_the_Application_Id_Here",
"authorities": [
{
"type": "CIAM",
"authority_url": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/Enter_the_Tenant_Subdomain_Here.onmicrosoft.com/"
}
],
"challenge_types": ["oob", "password"],
"capabilities": ["mfa_required"],
"logging": {
"pii_enabled": false,
"log_level": "INFO",
"logcat_enabled": true
}
}
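Review bot: the Before and After excerpts are identical in every visible line, so the 16-line fix itself is not shown here. One point that is visible: `authority_url` uses the `<subdomain>.ciamlogin.com/<subdomain>.onmicrosoft.com/` form, which the SMS tutorials in this same batch flag in a `[!NOTE]` as having a known issue with SMS one-time passcode, telling readers to use `<subdomain>.ciamlogin.com/<tenantId>/` instead. If this configuration belongs to one of the SMS tutorials, switch the sample to the tenant-ID form, as the other Android sample above already does with `Enter_the_Tenant_Id_Here`.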
+15 / -15 lines changed
Commit: Android - bugfix
Changes:
Before
After
 
To support strong authentication method, update the Android client configuration to include the required registration capabilities.
 
```json
{
"client_id": "Enter_the_Application_Id_Here",
"authorities": [
{
"type": "CIAM",
"authority_url": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/Enter_the_Tenant_Subdomain_Here.onmicrosoft.com/"
}
],
"challenge_types": ["oob", "password"],
"capabilities": ["registration_required"],
"logging": {
"pii_enabled": false,
"log_level": "INFO",
"logcat_enabled": true
}
}
 
To support strong authentication method, update the Android client configuration to include the required registration capabilities.
 
```json
{
"client_id": "Enter_the_Application_Id_Here",
"authorities": [
{
"type": "CIAM",
"authority_url": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/Enter_the_Tenant_Subdomain_Here.onmicrosoft.com/"
}
],
"challenge_types": ["oob", "password"],
"capabilities": ["registration_required"],
"logging": {
"pii_enabled": false,
"log_level": "INFO",
"logcat_enabled": true
}
}
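Review bot: the lead sentence `To support strong authentication method` is missing an article (`a strong authentication method`), and the excerpts are otherwise identical so the fix is not visible. As with the previous Android sample, this `authority_url` still uses the `.onmicrosoft.com` authority form that the SMS registration tutorial's own note says to avoid for SMS one-time passcode; if this is that tutorial's config, use the `<subdomain>.ciamlogin.com/<tenantId>/` form the note prescribes.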
+9 / -9 lines changed
Commit: Bugfix
Changes:
Before
After
 
Set the registrationRequired capability during client initialization to support strong authentication method registration.
 
```swift
let config = try MSALNativeAuthPublicClientApplicationConfig(
clientId: Configuration.clientId,
tenantSubdomain: Configuration.tenantSubdomain,
challengeTypes: [.OOB, .password]
)
config.capabilities = [.registrationRequired]
nativeAuth = try MSALNativeAuthPublicClientApplication(nativeAuthConfiguration: config)
```
 
## Register email one-time passcode as strong authentication method
 
 
Set the registrationRequired capability during client initialization to support strong authentication method registration.
 
```swift
let config = try MSALNativeAuthPublicClientApplicationConfig(
clientId: Configuration.clientId,
tenantSubdomain: Configuration.tenantSubdomain,
challengeTypes: [.OOB, .password]
)
config.capabilities = [.registrationRequired]
nativeAuth = try MSALNativeAuthPublicClientApplication(nativeAuthConfiguration: config)
```
 
## Register email one-time passcode as strong authentication method
 
+8 / -8 lines changed
Commit: Addressing Acrolinx suggestion
Changes:
Before
After
---
title: Add SMS one-time passcode MFA to an Android app using native authentication
description: Learn how to add multi-factor authentication (MFA) with SMS one-time passcodes to an Android app using Microsoft Entra native authentication.
 
author: henrymbuguakiarie
manager: pmwongera
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 01/26/2026
ms.custom:
#Customer intent: As a developer, I want to add SMS one-time passcode–based multi-factor authentication (MFA) to an Android app using native authentication, so I can require a second verification step during sign-in and strengthen app security.
---
 
# Tutorial: Add SMS one-time passcode MFA to your Android app
 
This tutorial shows you how to add multi-factor authentication (MFA) with SMS one-time passcode (OTP) to your Android app using native authentication. MFA adds an extra layer of security by requiring a second verification step during sign-in.
We will also demonstrate how to enhance security during authentication and enforce MFA by using [authentication context](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context).
 
In this tutorial, you learn how to:
---
title: Add SMS one-time passcode MFA to an Android app using native authentication
description: Learn how to add multifactor authentication (MFA) with SMS one-time passcodes to an Android app using Microsoft Entra native authentication.
 
author: henrymbuguakiarie
manager: pmwongera
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 01/27/2026
ms.custom:
#Customer intent: As a developer, I want to add SMS one-time passcode–based multi-factor authentication (MFA) to an Android app using native authentication, so I can require a second verification step during sign-in and strengthen app security.
---
 
# Tutorial: Add SMS one-time passcode MFA to your Android app
 
This tutorial shows you how to add multifactor authentication (MFA) with SMS one-time passcode (OTP) to your Android app using native authentication. MFA adds an extra layer of security by requiring a second verification step during sign-in.
We'll also demonstrate how to enhance security during authentication and enforce MFA by using [authentication context](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context).
 
In this tutorial, you learn how to:
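Review bot: the `#Customer intent:` comment in the front matter still says `one-time passcode–based multi-factor authentication (MFA)` while the description and body were changed to `multifactor`; apply the same wording there so the Acrolinx fix is consistent across the file.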
+7 / -6 lines changed
Commit: Bugfix
Changes:
Before
After
# Tutorial: Add SMS one-time passcode MFA to your iOS/macOS app
 
This tutorial shows you how to add multi-factor authentication (MFA) with SMS one-time passcode (OTP) to your iOS/macOS app using native authentication. MFA adds an extra layer of security by requiring a second verification step during sign-in.
We will also demonstrate how to enhance security during authentication and enforce MFA by using [authentication context](https://learn.microsoft.com/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context).
 
In this tutorial, you learn how to:
 
- Handle sign-in with SMS one-time passcode MFA errors
 
## Prerequisites
1. Enroll in the [Private Preview of SMS and Email OTP MFA on Native Authentication](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR3phsVGS44BJs6m7EP81nAFUODVZQTJBWFJYRVhGTkRHN1BISTJPWTBVNC4u&route=shorturl)
1. Complete the steps in [Tutorial: Add sign-in and sign-out in iOS/macOS app by using native authentication](tutorial-native-authentication-ios-macos-sign-in-sign-out.md).
 
1. Enable SMS as an MFA method in your tenant: follow the steps in [Enable SMS as an MFA method](../../../SMS-MFA/get-started-sms-mfa.md#enable-sms-as-an-mfa-method).
 
1. If you'd like to explore our Sign-in with SMS one time passcode MFA implementation, take a look at our [Code sample](https://github.com/Azure-Samples/ms-identity-ciam-native-auth-ios-sample) before getting started.
 
## Configure client capabilities to require MFA
 
> [!NOTE] Currently there is a known issue using the SMS one time passcode with the authority format:
# Tutorial: Add SMS one-time passcode MFA to your iOS/macOS app
 
This tutorial shows you how to add multi-factor authentication (MFA) with SMS one-time passcode (OTP) to your iOS/macOS app using native authentication. MFA adds an extra layer of security by requiring a second verification step during sign-in.
We will also demonstrate how to enhance security during authentication and enforce MFA by using [authentication context](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context).
 
In this tutorial, you learn how to:
 
- Handle sign-in with SMS one-time passcode MFA errors
 
## Prerequisites
 
1. Complete the steps in [Tutorial: Add sign-in and sign-out in iOS/macOS app by using native authentication](tutorial-native-authentication-ios-macos-sign-in-sign-out.md).
 
1. Enable SMS as an MFA method in your tenant: follow the steps in [Enable SMS as an MFA method](../identity/authentication/howto-authentication-sms-signin.md#enable-the-sms-based-authentication-method).
 
1. If you'd like to explore our Sign-in with SMS one time passcode MFA implementation, take a look at our [Code sample](https://github.com/Azure-Samples/ms-identity-ciam-native-auth-ios-sample) before getting started.
 
## Configure client capabilities to require MFA
 
> [!NOTE]
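Review bot: the SMS prerequisite now links to `../identity/authentication/howto-authentication-sms-signin.md#enable-the-sms-based-authentication-method`, which is the workforce SMS sign-in article; confirm that enabling that authentication method is the correct step for a CIAM tenant, given that the Android counterpart in this batch sends readers to `../external-id/customers/how-to-multifactor-authentication-customers.md` instead. Moving `> [!NOTE]` onto its own line is the right fix for the alert syntax. The body still reads `multi-factor` and `We will`, unlike the Acrolinx edits applied to the sibling tutorials, and `SMS one time passcode` in the prerequisite should be hyphenated as in the headings.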
+6 / -6 lines changed
Commit: Addressing Acrolinx suggestion
Changes:
Before
After
---
title: Add email and SMS one-time passcode MFA to an Android app using native authentication
description: Learn how to add multi-factor authentication (MFA) with email and SMS one-time passcodes to an Android app using Microsoft Entra native authentication.
 
author: henrymbuguakiarie
manager: pmwongera
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 01/26/2026
ms.custom:
#Customer intent: As a developer, I want to add email and SMS one-time passcode–based multi-factor authentication (MFA) to an Android app using native authentication, so I can secure user sign-in with an additional verification step.
---
 
# Tutorial: Add email one-time passcode MFA to your Android app
 
This tutorial demonstrates how to implement multi-factor authentication (MFA) into your Android app using the native authentication. MFA adds an extra layer of security to your app by requiring users to provide an extra verification step during sign-in. Currently, we support Email and SMS one-time passcode MFA.
We will also demonstrate how to enhance security during authentication and enforce MFA by using [authentication context](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context).
 
In this tutorial, you learn how to:
---
title: Add email and SMS one-time passcode MFA to an Android app using native authentication
description: Learn how to add multifactor authentication (MFA) with email and SMS one-time passcodes to an Android app using Microsoft Entra native authentication.
 
author: henrymbuguakiarie
manager: pmwongera
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 01/27/2026
ms.custom:
#Customer intent: As a developer, I want to add email and SMS one-time passcode–based multi-factor authentication (MFA) to an Android app using native authentication, so I can secure user sign-in with an additional verification step.
---
 
# Tutorial: Add email one-time passcode MFA to your Android app
 
This tutorial demonstrates how to implement multifactor authentication (MFA) into your Android app using the native authentication. MFA adds an extra layer of security to your app by requiring users to provide an extra verification step during sign-in. Currently, we support Email and SMS one-time passcode MFA.
We'll also demonstrate how to enhance security during authentication and enforce MFA by using [authentication context](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context).
 
In this tutorial, you learn how to:
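Review bot: the `#Customer intent:` line still says `multi-factor authentication (MFA)` after the description and body were switched to `multifactor`; also `using the native authentication` in the first body sentence has a stray article and should be `using native authentication`, matching the title.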
+6 / -6 lines changed
Commit: Addressing Acrolinx suggestion
Changes:
Before
After
---
title: Add email one-time passcode MFA to your iOS/macOS app by using native authentication
description: Learn how to add email one-time passcode (OTP) multi-factor authentication (MFA) to an iOS or macOS app by using native authentication and enforce MFA with authentication context.
author: henrymbuguakiarie
manager: pmwongera
 
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 11/17/2025
ms.custom:
 
#customer-intent: As a developer, I want to add email one-time passcode multi-factor authentication (MFA) to an iOS or macOS app by using native authentication and optionally enforce MFA with authentication context to improve sign-in security.
 
# Tutorial: Add email one-time passcode MFA to your iOS/macOS app
 
This tutorial demonstrates how to implement multi-factor authentication (MFA) into your iOS/macOS app using the native authentication. MFA adds an extra layer of security to your app by requiring users to provide an extra verification step during sign-in. We support email and SMS one-time passcode MFA.
We will also demonstrate how to enhance security during authentication and enforce MFA by using [authentication context](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context).
 
In this tutorial, you learn how to:
---
title: Add email one-time passcode MFA to your iOS/macOS app by using native authentication
description: Learn how to add email one-time passcode (OTP) multifactor authentication (MFA) to an iOS or macOS app by using native authentication and enforce MFA with authentication context.
author: henrymbuguakiarie
manager: pmwongera
 
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 01/27/2026
ms.custom:
 
#customer-intent: As a developer, I want to add email one-time passcode multi-factor authentication (MFA) to an iOS or macOS app by using native authentication and optionally enforce MFA with authentication context to improve sign-in security.
 
# Tutorial: Add email one-time passcode MFA to your iOS/macOS app
 
This tutorial demonstrates how to implement multifactor authentication (MFA) into your iOS/macOS app using the native authentication. MFA adds an extra layer of security to your app by requiring users to provide an extra verification step during sign-in. We support email and SMS one-time passcode MFA.
We'll also demonstrate how to enhance security during authentication and enforce MFA by using [authentication context](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context).
 
In this tutorial, you learn how to:
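Review bot: in both excerpts the YAML front matter opened by `---` has no closing `---` before `# Tutorial:`; unless the excerpt cut it, the page will not build, and the `#customer-intent:` comment would need to sit inside the fence. That comment also still says `multi-factor authentication (MFA)` while the description and body now read `multifactor`.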
+5 / -5 lines changed
Commit: Addressing Acrolinx suggestion
Changes:
Before
After
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 11/17/2025
ms.custom:
# Customer intent: As a developer or DevOps engineer, I want to register phone SMS as a strong authentication method for MFA-enabled users in an iOS or macOS app using native authentication so that users can complete MFA securely during sign-in.
---
## Configure client capabilities for strong authentication method registration
 
> [!NOTE]
> Currently there is a known issue using the SMS one time passcode with the authority format:
> `<tenantName>.ciamlogin.com/<tenantName>.onmicrosoft.com`
> because of that the following format should be used:
> `<tenantName>.ciamlogin.com/<tenantID>`
 
## Register SMS one-time passcode as strong authentication method
 
To register a SMS one-time passcode for an MFA-enabled user, you need to specify a phone number as the strong authentication method. This process is triggered only the first time the MFA is required, and the user doesn't have a strong authentication method registered. Afterward, you need to send an SMS containing a one-time passcode for the user to verify their phone number. Once the user enters a valid one-time passcode, the SDK completes the sign-in process.
 
To register a strong authentication method (phone SMS passcode) for MFA-enabled user, you need to:
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 01/27/2026
ms.custom:
# Customer intent: As a developer or DevOps engineer, I want to register phone SMS as a strong authentication method for MFA-enabled users in an iOS or macOS app using native authentication so that users can complete MFA securely during sign-in.
---
## Configure client capabilities for strong authentication method registration
 
> [!NOTE]
> Currently there's a known issue using the SMS one time passcode with the authority format:
> `<tenantName>.ciamlogin.com/<tenantName>.onmicrosoft.com`
> because of that the following format should be used:
> `<tenantName>.ciamlogin.com/<tenantID>`
 
## Register SMS one-time passcode as strong authentication method
 
To register an SMS one-time passcode for an MFA-enabled user, you need to specify a phone number as the strong authentication method. This process is triggered only the first time the MFA is required, and the user doesn't have a strong authentication method registered. Afterward, you need to send an SMS containing a one-time passcode for the user to verify their phone number. Once the user enters a valid one-time passcode, the SDK completes the sign-in process.
 
To register a strong authentication method (phone SMS passcode) for MFA-enabled user, you need to:
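Review bot: `SMS one time passcode` inside the `[!NOTE]` is unhyphenated while the headings and body use `one-time passcode`; and `for MFA-enabled user` in the last sentence needs an article (`for an MFA-enabled user`), the same fix the commit applied to `an SMS one-time passcode` a paragraph earlier.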
+4 / -6 lines changed
Commit: Addressing Acrolinx suggestion
Changes:
Before
After
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 01/26/2026
ms.custom:
#Customer intent: As a developer, I want to register an SMS one-time passcode as a strong authentication method for MFA-enabled users in an Android app using native authentication, so users can complete MFA when no strong authentication method is registered.
---
 
## Prerequisites
 
1. Enroll in a Private Preview of SMS and Email OTP MFA on Native Authentication – [Fill out form](https://forms.office.com/r/P3m1q2j3hg)
 
1. Complete the steps in [Tutorial: Add sign-in in Android app by using native authentication](tutorial-native-authentication-android-sign-in-sign-out.md).
 
1. To enforce multifactor authentication (MFA) for your customers, use the steps in [Add multifactor authentication (MFA) to an app](../external-id/customers/how-to-multifactor-authentication-customers.md) to add SMS MFA to your sign-in flow. Currently, native authentication supports Email and SMS one-time passcode as a second factor for MFA.
## Add strong authentication method registration to the client configuration file
 
> [!NOTE]
> Currently there is a known issue using the SMS one time passcode with the authority format:
> `<tenantSubdomain>.ciamlogin.com/<tenantSubdomain>.onmicrosoft.com`
ms.service: identity-platform
ms.subservice: external
ms.topic: tutorial
ms.date: 01/27/2026
ms.custom:
#Customer intent: As a developer, I want to register an SMS one-time passcode as a strong authentication method for MFA-enabled users in an Android app using native authentication, so users can complete MFA when no strong authentication method is registered.
---
 
## Prerequisites
 
1. Complete the steps in [Tutorial: Add sign-in in Android app by using native authentication](tutorial-native-authentication-android-sign-in-sign-out.md).
 
1. To enforce multifactor authentication (MFA) for your customers, use the steps in [Add multifactor authentication (MFA) to an app](../external-id/customers/how-to-multifactor-authentication-customers.md) to add SMS MFA to your sign-in flow. Currently, native authentication supports Email and SMS one-time passcode as a second factor for MFA.
## Add strong authentication method registration to the client configuration file
 
> [!NOTE]
> Currently there's a known issue using the SMS one time passcode with the authority format:
> `<tenantSubdomain>.ciamlogin.com/<tenantSubdomain>.onmicrosoft.com`
> because of that the following format should be used:
> `<tenantSubdomain>.ciamlogin.com/<tenantID>`
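Review bot: there is no blank line between the last prerequisite item and the `## Add strong authentication method registration to the client configuration file` heading, which some Markdown renderers treat as list continuation; add one. `SMS one time passcode` in the note should be hyphenated as `one-time passcode` to match the rest of the page. Removing the Private Preview enrollment step keeps this tutorial in line with the iOS/macOS one in this batch.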
+4 / -2 lines changed
Commit: Update security consideration wording for dynamic group rules
Changes:
Before
After
 
### Security consideration: Evaluate attribute write permissions before using them in dynamic group rules
 
When you create a dynamic membership rule, you effectively delegate control of that group's membership to anyone who can modify the attributes referenced in the rule. Before selecting an attribute for a dynamic group rule, verify that only authorized administrators can update its value. This is especially important for:
 
- **Attributes synced from on-premises Active Directory.** Some on-premises attributes might be configured with permissions that allow users to modify their own values (SELF write).
- **Groups used for access control.** If a dynamic group controls access to sensitive resources, applications, or Conditional Access policies, the security of that access is only as strong as the write controls on the attributes in the rule.
 
As a best practice, audit the write permissions for any attribute you plan to use in a dynamic membership rule, both in Microsoft Entra ID and at the source (such as on-premises Active Directory). Restrict self-service write access to attributes used in security-sensitive groups.
 
> [!NOTE]
> Role-assignable groups already prevent this risk by requiring assigned (not dynamic) membership.
 
 
 
### Security consideration: Evaluate attribute write permissions before using them in dynamic group rules
 
When you create a dynamic membership rule, the security of that group's membership depends on who can modify the attributes referenced in the rule. Before selecting an attribute, review the write permissions for that attribute—both in Microsoft Entra ID and in any connected source directories.
 
This is especially important for:
 
- **Attributes synced from on-premises Active Directory.** Some on-premises attributes might be configured with permissions that allow users to modify their own values (SELF write).
- **Groups used for access control.** If a dynamic group controls access to sensitive resources, applications, or Conditional Access policies, the security of that access is only as strong as the write controls on the attributes in the rule.
 
As a best practice, audit the write permissions for all entity types and their attributes you plan to use in a dynamic membership rule, both in Microsoft Entra ID and at the source (such as on-premises Active Directory). Restrict self-service write access to attributes used in security-sensitive groups.
 
> [!NOTE]
> Role-assignable groups already prevent this risk by requiring assigned (not dynamic) membership.
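Review bot: the rewrite drops the two sentences that carried the security point, namely that a dynamic rule effectively delegates membership control to whoever can write the referenced attributes, and that the check before choosing an attribute is whether only authorized administrators can update its value. `review the write permissions` states the action without the decision criterion; suggest keeping a sentence such as `verify that only authorized administrators can update its value` after the permission review. The new phrase `all entity types and their attributes` is a useful broadening, since the rule may reference device as well as user attributes.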
+2 / -4 lines changed
Commit: Addressing final feedback
Changes:
Before
After
 
## Prerequisites
 
Before you integrate third‑party fraud protection with native authentication and SMS‑based MFA, make sure that the following requirements are met:
 
- Your native application integrates with a third‑party fraud protection provider to securely evaluate risk signals before issuing an SMS one‑time passcode (OTP).
- You deploy a customer‑managed web application firewall (WAF) to enforce fraud decisions and to support any increase in SMS throttling limits.
- You enable [regional opt‑in for SMS‑based MFA in supported geographies by using Microsoft Graph](../external-id/customers/how-to-region-code-opt-in.md).
Native authentication applications that use SMS‑based MFA remain exposed to extra risks, including:
 
- **International Revenue Share Fraud (IRSF)** which occurs when attackers artificially inflate SMS traffic to premium‑rate international destinations in order to extract revenue through telecom termination and revenue‑sharing mechanisms.
- **Account takeover (ATO)** which occurs when attackers use automated, scripted techniques to initiate sign‑in attempts with valid‑looking credentials, causing the system to issue SMS verification challenges as if the activity were legitimate.
 
In browser‑delegated authentication flows, Microsoft Entra External ID mitigates these risks by using rich device telemetry and CAPTCHA challenges. Native authentication applications don't use the Microsoft‑hosted, browser‑delegated sign‑in experience, so the risk profiling doesn't benefit from rich device telemetry. Because of this, native authentication scenarios that use SMS by default are less protected by extensive risk profiling than browser-delegated flows. Customers are therefore recommended to set up extra risk detection and protection using third party providers.
 
| Component | Notes |
| --- | --- |
| **Native applications** | The native application integrates a third-party fraud detection SDK. The applications collect limited, privacy‑preserving device and behavioral signals using the third‑party provider’s tooling and associate those signals with the current authentication session|
| **Third‑party fraud protection provider** | The third‑party fraud provider evaluates the signals collected from the native application and determines the risk level of the authentication attempt. Based on the evaluation, one of the following outcomes occurs:<br> - **Low or acceptable risk**: The authentication flow proceeds, and the SMS one-time passcode (OTP) is issued. <br> - **High risk requiring extra verification**: Device possession is verified before allowing the flow to continue.<br> - **High risk with failed evaluation**: The sign-in attempt is blocked immediately, and no SMS challenge is sent. <br> You can use third‑party fraud providers such as [Human security](https://www.humansecurity.com/) and [Prove](https://www.prove.com/). |
| **Web application firewall (WAF)** | The WAF is a customer‑managed enforcement layer that sits in front of Microsoft Entra External ID endpoints. The WAF consumes the fraud decision from the third‑party provider and enforces it consistently. Microsoft doesn't configure or operate the WAF; its behavior, including fail‑open or fail‑closed policies, is owned by the customer.|
 
## Prerequisites
 
- Your native application integrates with a third‑party fraud protection provider to securely evaluate risk signals before issuing an SMS one‑time passcode (OTP).
- You deploy a customer‑managed web application firewall (WAF) to enforce fraud decisions and to support any increase in SMS throttling limits.
- You enable [regional opt‑in for SMS‑based MFA in supported geographies by using Microsoft Graph](../external-id/customers/how-to-region-code-opt-in.md).
Native authentication applications that use SMS‑based MFA remain exposed to extra risks, including:
 
- **International Revenue Share Fraud (IRSF)** which occurs when attackers artificially inflate SMS traffic to premium‑rate international destinations in order to extract revenue through telecom termination and revenue‑sharing mechanisms.
- **Account takeover (ATO)** is a common attack pattern in which attackers use automated, scripted techniques to attempt sign‑ins with compromised or valid‑looking credentials. Although ATO is not specific to SMS or MFA, in environments where SMS verification is enabled these attempts can result in SMS challenges being issued as if the activity were legitimate.
 
In browser‑delegated authentication flows, Microsoft Entra External ID mitigates these risks by using rich device telemetry and CAPTCHA challenges. Native authentication applications don't use the Microsoft‑hosted, browser‑delegated sign‑in experience, so the risk profiling doesn't benefit from rich device telemetry. Because of this, native authentication scenarios that use SMS by default are less protected by extensive risk profiling than browser-delegated flows. Customers are therefore recommended to set up extra risk detection and protection using third party providers.
 
| Component | Notes |
| --- | --- |
| **Native applications** | The native application integrates a third-party fraud detection SDK. The applications collect limited, privacy‑preserving device and behavioral signals using the third‑party provider’s tooling and associate those signals with the current authentication session|
| **Third‑party fraud protection provider** | The third‑party fraud provider evaluates the signals collected from the native application and determines the risk level of the authentication attempt. Based on the evaluation, one of the following outcomes occurs:<br> - **Low or acceptable risk**: The authentication flow proceeds, and Microsoft Entra External ID is triggered to issue the SMS one-time passcode (OTP). <br> - **High risk requiring extra verification**: Device possession is verified before allowing the flow to continue.<br> - **High risk with failed evaluation**: The sign-in attempt is blocked immediately, and no SMS challenge is sent. <br> You can use third‑party fraud providers such as [Human security](https://www.humansecurity.com/) and [Prove](https://www.prove.com/). |
| **Web application firewall (WAF)** | The WAF is a customer‑managed enforcement layer that sits in front of Microsoft Entra External ID endpoints. The WAF consumes the fraud decision from the third‑party provider and enforces it consistently. Microsoft doesn't configure or operate the WAF; its behavior, including fail‑open or fail‑closed policies, is owned by the customer.|
| **Microsoft Entra External ID** | Microsoft Entra External ID processes only those requests that have passed upstream fraud checks. It doesn't receive raw device telemetry or third‑party risk scores. It issues SMS OTPs only after upstream approval and relies on its built‑in controls, such as throttling, regional restrictions, and phone number reputation signals to provide protection. |
 
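Review bot: The **Web application firewall (WAF)** row states that the WAF "consumes the fraud decision from the third-party provider and enforces it consistently" but never says how that decision is tied to the individual request arriving at the Microsoft Entra External ID endpoints, which is what a reader needs in order to judge whether the enforcement layer actually gates every SMS OTP issuance. The row should state what the provider hands the WAF (a per-request verdict the WAF can validate, and how it is carried) and what the WAF does for a request that carries no verdict at all, since the fail-open/fail-closed sentence only covers the provider being unavailable. In the **Third-party fraud protection provider** row, "Device possession is verified before allowing the flow to continue" should name who performs that verification and with which factor; as written it could be the provider, the native app or Microsoft Entra External ID. Minor: the **Native applications** cell is missing a trailing space before the closing `|`, and "Customers are therefore recommended to set up" in the opening paragraph reads better as "We therefore recommend that customers set up".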
+3 / -3 lines changed
Commit: Update reference-native-authentication-api.md
Changes:
Before
After
| `continuation_token` | [Continuation token](#continuation-token) that Microsoft Entra returns. |
|`challenge_type`| Challenge type selected for the user to complete MFA.|
|`binding_method`|The only valid value is *prompt*. This parameter can be used in the future to offer more ways for the user to enter the one-time passcode. Issued if `challenge_type` is *oob* |
|`challenge_channel`| The type of the MFA challenge channel through which the one-time passcode was sent. Surported values: *email, sms*. |
|`challenge_target_label` |An obfuscated email where the one-time passcode was sent.|
|`code_length`|The length of the one-time passcode that Microsoft Entra generates. |
 
|`/resetpassword/v1.0/continue`| Validates the challenge issued by the `/resetpassword/v1.0/challenge` endpoint, then either returns a *continuation token* for the `/resetpassword/v1.0/submit` endpoint, or issues another challenge to the user. |
|`/resetpassword/v1.0/submit`| Accepts a new password input by the user along with the *continuation token* to complete the password reset flow. This endpoint issues another *continuation token*. |
|`/resetpassword/v1.0/poll_completion`| The app can use the *continuation token* issued by the `/resetpassword/v1.0/submit` endpoint to check the status of the password reset request. |
|`oauth2/v2.0/token`| If password reset is successfull, the app can use the continuation token it obtains from the `/resetpassword/v1.0/poll_completion` endpoint to obtain security tokens from the `oauth2/v2.0/token` endpoint. |
 
### Self-service password reset challenge types
 
 
## Related content
 
- [Configure a custom claims provider](custom-extension-tokenissuancestart-configuration.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json).
| `continuation_token` | [Continuation token](#continuation-token) that Microsoft Entra returns. |
|`challenge_type`| Challenge type selected for the user to complete MFA.|
|`binding_method`|The only valid value is *prompt*. This parameter can be used in the future to offer more ways for the user to enter the one-time passcode. Issued if `challenge_type` is *oob* |
|`challenge_channel`| The type of the MFA challenge channel through which the one-time passcode was sent. Supported values: *email, sms*. |
|`challenge_target_label` |An obfuscated email where the one-time passcode was sent.|
|`code_length`|The length of the one-time passcode that Microsoft Entra generates. |
 
|`/resetpassword/v1.0/continue`| Validates the challenge issued by the `/resetpassword/v1.0/challenge` endpoint, then either returns a *continuation token* for the `/resetpassword/v1.0/submit` endpoint, or issues another challenge to the user. |
|`/resetpassword/v1.0/submit`| Accepts a new password input by the user along with the *continuation token* to complete the password reset flow. This endpoint issues another *continuation token*. |
|`/resetpassword/v1.0/poll_completion`| The app can use the *continuation token* issued by the `/resetpassword/v1.0/submit` endpoint to check the status of the password reset request. |
|`oauth2/v2.0/token`| If password reset is successful, the app can use the continuation token it obtains from the `/resetpassword/v1.0/poll_completion` endpoint to obtain security tokens from the `oauth2/v2.0/token` endpoint. |
 
### Self-service password reset challenge types
 
 
## Related content
 
- [Configure a custom claims provider](custom-extension-tokenissuancestart-configuration.md?toc=/entra/external-id/toc.json&bc=/entra/external-id/breadcrumb/toc.json).
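Review bot: In the After table, `challenge_target_label` still reads "An obfuscated email where the one-time passcode was sent" even though `challenge_channel` two rows up lists both *email* and *sms* as supported values; the description should cover the SMS case, for example "An obfuscated email address or phone number, depending on `challenge_channel`, to which the one-time passcode was sent." The two spelling corrections (*Supported*, *successful*) are right. Minor: the `binding_method` cell is missing a period after "Issued if `challenge_type` is *oob*".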
+1 / -5 lines changed
Commit: Move PIM metadata to docfx.json and update ownership
Changes:
Before
After
title: Resource dashboards for access reviews in PIM
description: Describes how to use a resource dashboard to perform an access review
in Microsoft Entra Privileged Identity Management (PIM).
author: barclayn
editor: markwahl-msft
ms.topic: how-to
ms.subservice: privileged-identity-management
ms.date: 12/17/2024
ms.author: barclayn
ms.reviewer: shaunliu
ms.custom: pim
---
 
## Next steps
 
- [Start an access review for Azure resource roles in Privileged Identity Management](./pim-create-roles-and-resource-roles-review.md)
title: Resource dashboards for access reviews in PIM
description: Describes how to use a resource dashboard to perform an access review
in Microsoft Entra Privileged Identity Management (PIM).
ms.topic: how-to
ms.date: 12/17/2024
ms.reviewer: shaunliu
ms.custom: pim
---
 
## Next steps
 
- [Start an access review for Azure resource roles in Privileged Identity Management](./pim-create-roles-and-resource-roles-review.md)
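Review bot: The front matter drops `ms.subservice: privileged-identity-management` together with `author`, `editor` and `ms.author`, but the docfx.json side of this commit is not shown, so it cannot be confirmed from this hunk that a fileMetadata rule in docfx.json now supplies the subservice and ownership values for this path; if it does not, the page loses its subservice classification and author attribution in the build. The header counts +1 / -5 while the visible Before/After differ by four removed lines, so the remaining removal and the single addition fall outside this excerpt and cannot be reviewed here.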