📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 16th 2026, 9:30 PM PDT

Report generated on March 17th 2026, 9:30 PM PDT

📊 Summary

- Total commits: 40
- New files: 0
- Modified files: 42
- Deleted files: 0
- Contributors: 14

📝 Modified Documentation Files

Modified by Ken Withee on Mar 17, 2026 3:49 AM
+60 / -60 lines changed
Commit: Editorial pass: groups naming, quickstarts, and misc articles (41 fixes)
Changes:
Before
After
 
You can use attributes that can help you and your users identify which department, office, or geographic region for which the group was created. For example, if you define your naming policy as `PrefixSuffixNamingRequirement = "GRP [GroupName] [Department]"` and `User's department = Engineering`, then an enforced group name might be `"GRP My Group Engineering."` Supported Microsoft Entra attributes are `\[Department\]`, `\[Company\]`, `\[Office\]`, `\[StateOrProvince\]`, `\[CountryOrRegion\]`, and `\[Title\]`. Unsupported user attributes are treated as fixed strings. An example is `"\[postalCode\]"`. Extension attributes and custom attributes aren't supported.
 
We recommend that you use attributes that have values filled in for all users in your organization and don't use attributes that have long values.
 
### Custom blocked words
 
 
1. Select **All groups** > **Groups**, and then select **Naming policy** to open the **Naming policy** page.
 
:::image type="content" source="./media/groups-naming-policy/policy.png" alt-text="Screenshot that shows opening the Naming policy page in the admin center.":::
 
### View or edit the prefix-suffix naming policy
 
 
1. On the **Naming policy** page, select **Blocked words**.
 
:::image type="content" source="./media/groups-naming-policy/blockedwords.png" alt-text="Screenshot that shows editing and uploading a blocked words list for a naming policy.":::
 
1. View or edit the current list of custom blocked words by selecting **Download**. You must add new entries to the existing entries.
 
You can use attributes that can help you and your users identify which department, office, or geographic region for which the group was created. For example, if you define your naming policy as `PrefixSuffixNamingRequirement = "GRP [GroupName] [Department]"` and `User's department = Engineering`, then an enforced group name might be `"GRP My Group Engineering."` Supported Microsoft Entra attributes are `\[Department\]`, `\[Company\]`, `\[Office\]`, `\[StateOrProvince\]`, `\[CountryOrRegion\]`, and `\[Title\]`. Unsupported user attributes are treated as fixed strings. An example is `"\[postalCode\]"`. Extension attributes and custom attributes aren't supported.
 
Use attributes that have values filled in for all users in your organization and don't use attributes that have long values.
 
### Custom blocked words
 
 
1. Select **All groups** > **Groups**, and then select **Naming policy** to open the **Naming policy** page.
 
:::image type="content" source="./media/groups-naming-policy/policy.png" alt-text="Screenshot that shows opening the Naming policy page in the admin center.":::
 
### View or edit the prefix-suffix naming policy
 
 
1. On the **Naming policy** page, select **Blocked words**.
 
:::image type="content" source="./media/groups-naming-policy/blockedwords.png" alt-text="Screenshot that shows editing and uploading a blocked words list for a naming policy.":::
 
1. View or edit the current list of custom blocked words by selecting **Download**. You must add new entries to the existing entries.
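Review bot: the two headings in the After block still look swapped: the steps under "### Custom blocked words" open the **Naming policy** page, while the steps under "### View or edit the prefix-suffix naming policy" select **Blocked words** and download the blocked words list; move "### Custom blocked words" to sit above the "select **Blocked words**" step, or retitle each heading to match the steps beneath it. Two smaller points in the same hunk: inside inline code the backslashes in `\[Department\]`, `\[Company\]` and `"\[postalCode\]"` render literally (escapes are not processed inside backticks), so either drop the backslashes or take the brackets out of code formatting; and `**All groups** > **Groups**` is the reverse of the `**Groups** > **All groups**` path used in the other articles in this pass.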
Modified by Ken Withee on Mar 17, 2026 3:49 AM
+40 / -40 lines changed
Commit: Editorial pass: bulk ops and groups articles (46 fixes)
Changes:
Before
After
- **Teams**: Visit a Teams channel.
- **Viva Engage**: View a post within a Viva Engage community or an interactive email in Outlook.
 
### Auditing and reporting
 
Administrators can get a list of automatically renewed groups from the activity audit logs in Microsoft Entra ID.
 
 
## Set group expiration
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator).
1. Select **Identity**.
1. Select **Groups** > **All groups**, and then select **Expiration** to open the expiration settings.
:::image type="content" source="./media/groups-lifecycle/expiration-settings.png" alt-text="Screenshot that shows expiration settings for groups.":::
 
1. On the **Expiration** page, you can:
 
- **None** to restrict expiration for all groups.
- Save your settings when you're done by selecting **Save**.
- **Teams**: Visit a Teams channel.
- **Viva Engage**: View a post within a Viva Engage community or an interactive email in Outlook.
 
### Audit and report
 
Administrators can get a list of automatically renewed groups from the activity audit logs in Microsoft Entra ID.
 
 
## Set group expiration
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
1. Select **Identity**.
1. Select **Groups** > **All groups**, and then select **Expiration** to open the expiration settings.
:::image type="content" source="./media/groups-lifecycle/expiration-settings.png" alt-text="Screenshot that shows expiration settings for groups.":::
 
1. On the **Expiration** page, you can:
 
- **None** to restrict expiration for all groups.
- Save your settings when you're done by selecting **Save**.
Modified by Ken Withee on Mar 17, 2026 3:49 AM
+40 / -40 lines changed
Commit: Editorial pass: users bulk, misc, and light articles (90 fixes)
Changes:
Before
After
1. Select **Users** > **All users** > **Download users**. By default, all user profiles are exported.
1. On the **Download users** page, select **Start** to receive a CSV file listing user profile properties. If there are errors, you can download and view the results file on the **Bulk operation results** page. The file contains the reason for each error.
 
:::image type="content" source="./media/users-bulk-download/bulk-download.png" alt-text="Screenshot of selecting where you want the list the users you want to download.":::
 
> [!NOTE]
> The download file will contain the filtered list of users based on the scope of the filters applied.
 
[!INCLUDE [Bulk operations limitations](~/includes/bulk-operations-limitations.md)]
 
## Improved Bulk user download in Entra admin center (Preview)
 
The enhanced bulk user download experience includes:
 
**Customizable Columns for Export**: Previously, user exports included only a fixed set of predefined attributes. With this update, admins can customize their User List View columns, and the export will mirror those selected columns. This gives IT admins greater control and relevance in the data they download.
 
**Expanded Attribute Coverage**: 27 new user attributes are now added to the exportable list, enabling deeper insights and more tailored exports. See full list of these newly exportable attributes:
 
1. Assigned licenses
2. Authorization info
1. Select **Users** > **All users** > **Download users**. By default, all user profiles are exported.
1. On the **Download users** page, select **Start** to receive a CSV file listing user profile properties. If there are errors, you can download and view the results file on the **Bulk operation results** page. The file contains the reason for each error.
 
:::image type="content" source="./media/users-bulk-download/bulk-download.png" alt-text="Screenshot of selecting where you want to list the users you want to download.":::
 
> [!NOTE]
> The download file will contain the filtered list of users based on the scope of the filters applied.
 
[!INCLUDE [Bulk operations limitations](~/includes/bulk-operations-limitations.md)]
 
## Improved bulk user download in Microsoft Entra admin center (Preview)
 
The enhanced bulk user download experience includes:
 
**Customizable columns for export**: Previously, user exports included only a fixed set of predefined attributes. With this update, admins can customize their User List View columns, and the export will mirror those selected columns. This gives IT admins greater control and relevance in the data they download.
 
**Expanded attribute coverage**: 27 new user attributes are now added to the exportable list, enabling deeper insights and more tailored exports. See full list of these newly exportable attributes:
 
1. Assigned licenses
1. Authorization info
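Review bot: the alt text in the After block, "Screenshot of selecting where you want to list the users you want to download", is still hard to parse; something like "Screenshot of the Download users page" would describe the image without the double "you want". In the same hunk, "See full list of these newly exportable attributes:" needs an article ("See the full list").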
Modified by Faith Moraa Ombongi on Mar 17, 2026 6:18 AM
+43 / -31 lines changed
Commit: Add Authentication Extensibility Password Admin to what's new
Changes:
Before
After
- clicktale
ms.assetid: 06a149f7-4aa1-4fb9-a8ec-ac2633b031fb
ms.topic: reference
ms.date: 03/12/2026
ms.author: owinfrey
ms.reviewer: dhanyahk
ms.custom: it-pro, has-azure-ad-ps-ref, sfi-ga-nochange
 
> Get notified about when to revisit this page for updates by copying and pasting this URL: `https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us` into your ![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png) feed reader.
 
## February 2026
 
### General Availability - Expanded attribute support in Lifecycle Workflows attribute changes trigger
 
**What is Hard-matching in Microsoft Entra Connect Sync and Cloud Sync?**
 
When Microsoft Entra Connect or Cloud Sync adds new objects from Active Directory, the Microsoft Entra ID service tries to match the incoming object with an Microsoft Entra object by looking up the incoming object’s sourceAnchor value against the OnPremisesImmutableId attribute of existing cloud managed objects in Microsoft Entra ID. If there's a match, Microsoft Entra Connect or Cloud Sync takes over the source or authority (SoA) of that object and updates it with the properties of the incoming Active Directory object in what is known as "hard-match." 
 
To strengthen the security posture of your Microsoft Entra ID environment, we're introducing a change that restricts certain types of hard-match operations by default.   
 
- clicktale
ms.assetid: 06a149f7-4aa1-4fb9-a8ec-ac2633b031fb
ms.topic: reference
ms.date: 03/17/2026
ms.author: owinfrey
ms.reviewer: dhanyahk
ms.custom: it-pro, has-azure-ad-ps-ref, sfi-ga-nochange
 
> Get notified about when to revisit this page for updates by copying and pasting this URL: `https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us` into your ![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png) feed reader.
 
## March 2026
 
### General Availability - Authentication Extensibility Password Administrator role
 
**Type:** New feature
**Service category:** Role-Based Access Control
**Product capability:** Microsoft Entra Built-in Roles
 
The [Authentication Extensibility Password Administrator](../identity/role-based-access-control/permissions-reference.md#authentication-extensibility-password-administrator) role is the least-privileged role that enables you to trigger password submit events for custom authentication extensions, making it easier to migrate user passwords from external identity systems to Microsoft Entra External ID.
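Review bot: the role link in the new March 2026 entry uses a relative path (`../identity/role-based-access-control/permissions-reference.md#...`) while every other link to the permissions reference on this page uses the `~/identity/role-based-access-control/permissions-reference.md#...` form; use the `~/` form so the link resolves the same way regardless of where the what's-new file lives.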
 
Modified by Ken Withee on Mar 17, 2026 3:49 AM
+26 / -26 lines changed
Commit: Editorial pass: groups naming, quickstarts, and misc articles (41 fixes)
Changes:
Before
After
To disable group creation for nonadmin users in PowerShell:
1. Verify that nonadmin users are allowed to create groups:
 
```powershell
Get-MgBetaDirectorySetting | select -ExpandProperty values
```
 
2. If it returns `EnableGroupCreation : True`, then nonadmin users can create groups. To disable this feature:
 
```powershell
Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
$params = @{
TemplateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
Values = @(
@{
Name = "EnableGroupCreation"
Value = "false"
}
)
To disable group creation for nonadmin users in PowerShell:
1. Verify that nonadmin users are allowed to create groups:
 
```powershell
Get-MgBetaDirectorySetting | select -ExpandProperty values
```
 
1. If it returns `EnableGroupCreation : True`, then nonadmin users can create groups. To disable this feature:
 
```powershell
Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
$params = @{
TemplateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
Values = @(
@{
Name = "EnableGroupCreation"
Value = "false"
}
)
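Review bot: the check in step 1 only covers the `EnableGroupCreation : True` outcome; the text should also say what the reader should do when `Get-MgBetaDirectorySetting` returns nothing or no `EnableGroupCreation` entry, since step 2 is only conditioned on the `True` case. Also, the `$params` hashtable in this hunk closes the `Values` array with `)` but never closes the outer `@{`, and the cmdlet call that consumes `$params` is not shown; confirm the full block survived the renumbering edit. The `Install-Module` line runs on every pass through the procedure; a short "once per machine" note would avoid readers reinstalling the module each time.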
+21 / -21 lines changed
Commit: Editorial pass: users bulk, misc, and light articles (90 fixes)
Changes:
Before
After
 
To manage custom security attribute assignments for users in your Microsoft Entra organization, you can use PowerShell or Microsoft Graph API. The following examples can be used to manage assignments.
 
#### Assign a custom security attribute with a string value to a user
 
The following example assigns a custom security attribute with a string value to a user.
 
 
---
 
#### Assign a custom security attribute with a multi-string value to a user
 
The following example assigns a custom security attribute with a multi-string value to a user.
 
 
---
 
#### Assign a custom security attribute with an integer value to a user
 
The following example assigns a custom security attribute with an integer value to a user.
 
To manage custom security attribute assignments for users in your Microsoft Entra organization, you can use PowerShell or Microsoft Graph API. The following examples can be used to manage assignments.
 
### Assign a custom security attribute with a string value to a user
 
The following example assigns a custom security attribute with a string value to a user.
 
 
---
 
### Assign a custom security attribute with a multi-string value to a user
 
The following example assigns a custom security attribute with a multi-string value to a user.
 
 
---
 
### Assign a custom security attribute with an integer value to a user
 
The following example assigns a custom security attribute with an integer value to a user.
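Review bot: each "The following example assigns ..." paragraph in the After block is followed only by a `---` separator and no code; if the PowerShell and Microsoft Graph examples live in tabbed or zone-pivot content, confirm they were not dropped when the headings were promoted from `####` to `###`, and check that the promoted headings still nest correctly under the section's parent heading. Minor: "you can use PowerShell or Microsoft Graph API" needs an article ("the Microsoft Graph API").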
Modified by Ken Withee on Mar 17, 2026 3:48 AM
+20 / -18 lines changed
Commit: Editorial pass: dynamic groups articles (33 fixes)
Changes:
Before
After
 
You're not required to assign licenses to the users for them to be members in dynamic membership groups. You only need the minimum number of available Microsoft Entra ID P1 licenses in the organization to cover all such users.
 
## To create a group of guest users
 
 
First, you create a group for your guest users who all are from a single partner company. They need special licensing, so it's often more efficient to create a group for this purpose.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator).
1. Select Microsoft Entra ID.
2. Select **Groups** > **All groups** > **New group**.
 
:::image type="content" source="./media/groups-dynamic-tutorial/new-group.png" alt-text="Screenshot of using the Select command to start a new group.":::
 
3. On the **New Group** pane:
* Enter a *Guest users name*, *email address*, and *description* for the group.
* Change **Membership type** to **Dynamic User**.
:::image type="content" source="./media/groups-dynamic-tutorial/new-dynamic-group.png" alt-text="Screenshot of Group page where user enters the dynamic membership group details.":::
 
You're not required to assign licenses to the users for them to be members in dynamic membership groups. You only need the minimum number of available Microsoft Entra ID P1 licenses in the organization to cover all such users.
 
## Create a group of guest users
 
 
First, you create a group for your guest users who all are from a single partner company. They need special licensing, so it's often more efficient to create a group for this purpose.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
1. Select **Microsoft Entra ID**.
1. Select **Groups** > **All groups** > **New group**.
 
:::image type="content" source="./media/groups-dynamic-tutorial/new-group.png" alt-text="Screenshot of using the Select command to start a new group.":::
 
1. On the **New Group** pane:
* Enter a *Guest users name*, *email address*, and *description* for the group.
* Change **Membership type** to **Dynamic User**.
:::image type="content" source="./media/groups-dynamic-tutorial/new-dynamic-group.png" alt-text="Screenshot of Group page where user enters the dynamic membership group details.":::
+18 / -16 lines changed
Commit: Editorial pass: groups naming, quickstarts, and misc articles (41 fixes)
Changes:
Before
After
 
Expiration policy is simple:
 
- Groups with user activities are automatically renewed as the expiration nears
- Group owners are notified to renew an expiring group
- A group that isn't renewed is deleted
- A deleted Microsoft 365 group can be restored within 30 days by a group owner or by a Microsoft Entra administrator
 
> [!NOTE]
> Microsoft Entra ID, part of Microsoft Entra, uses intelligence to automatically renew groups based on whether they have been in recent use. This renewal decision is based on user activity in groups across Microsoft 365 services like Outlook, SharePoint, Teams, Yammer, and others.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
1. Browse to **Entra ID** > **Groups** > **All groups** and then select **General**.
:::image type="content" source="./media/groups-quickstart-expiration/self-service-settings.png" alt-text="Screenshot of the Self-service group settings page.":::
 
3. Set **Users can create Microsoft 365 groups in Azure portals, API or PowerShell** to **Yes**.
 
4. Select **Save** to save the groups settings when you're done.
 
## Set group expiration
 
Expiration policy is simple:
 
- Groups with user activities are automatically renewed as the expiration nears.
- Group owners are notified to renew an expiring group.
- A group that isn't renewed is deleted.
- A deleted Microsoft 365 group can be restored within 30 days by a group owner or by a Microsoft Entra administrator.
 
> [!NOTE]
> Microsoft Entra ID, part of Microsoft Entra, uses intelligence to automatically renew groups based on whether they have been in recent use. This renewal decision is based on user activity in groups across Microsoft 365 services like Outlook, SharePoint, Teams, Yammer, and others.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
1. Browse to **Entra ID** > **Groups** > **All groups** and then select **General**.
:::image type="content" source="./media/groups-quickstart-expiration/self-service-settings.png" alt-text="Screenshot of the Self-service group settings page.":::
 
1. Set **Users can create Microsoft 365 groups in Azure portals, API or PowerShell** to **Yes**.
 
1. Select **Save** to save the groups settings when you're done.
 
## Set group expiration
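Review bot: the navigation wording in step 2 ("Browse to **Entra ID** > **Groups** > **All groups**") differs from the other articles in this editorial pass, which use "Select **Identity**" and "Select **Microsoft Entra ID**" for the same first hop; pick one form for the pass so the quickstart and the how-to articles describe the same admin center path the same way.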
+17 / -17 lines changed
Commit: Editorial pass: dynamic groups articles (33 fixes)
Changes:
Before
After
 
This feature preview in Microsoft Entra ID enables admins to create dynamic membership groups and administrative units that populate by adding members of other groups using the `memberOf` attribute. Apps that couldn't read group-based membership previously in Microsoft Entra ID can now read the entire membership of these new `memberOf` groups. Not only can these groups be used for apps but they can also be used for licensing assignments.
 
>[!WARNING]
>This is a preview feature and isn't intended for production use. The use of this feature comes with limitations that can affect dynamic group processing in the tenant. We recommend you review the [Preview limitations](#preview-limitations) section before using this feature.
 
The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A.
 
## Preview limitations
 
 
- This preview should only be used in test environments as it can affect dynamic group processing in the tenant. We are working on addressing these limitations and will provide updates when they are available.
- Each Microsoft Entra tenant is limited to 500 dynamic groups using the `memberOf` attribute. The `memberOf` groups count toward the total dynamic group quota of 15,000.
- Each dynamic group can have up to 50 member groups.
- When you add members of security groups to `memberOf` dynamic membership groups, only direct members of the security group become members of the dynamic group.
- The `memberOf` attribute can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail.
- The dynamic group rule builder and validate feature can't be used for `memberOf` at this time.
- The `memberOf` attribute can't be used with other operators. For example, you can't create a rule that states "Members Of group A can't be in Dynamic group B."
- Users included in `memberOf` dynamic membership groups may cause a slower processing time for your tenant, if the tenant has a large number of groups or frequent dynamic membership groups updates.
- Membership of a memberOf dynamic group doesn't automatically update when a child group is deleted or when members are removed from a child group. The affected users or devices remain members of the memberOf dynamic group until the rule is modified.
 
This feature preview in Microsoft Entra ID enables admins to create dynamic membership groups and administrative units that populate by adding members of other groups using the `memberOf` attribute. Apps that couldn't read group-based membership previously in Microsoft Entra ID can now read the entire membership of these new `memberOf` groups. Not only can these groups be used for apps but they can also be used for licensing assignments.
 
> [!WARNING]
> This is a preview feature and isn't intended for production use. The use of this feature comes with limitations that can affect dynamic group processing in the tenant. Review the [Preview limitations](#preview-limitations) section before using this feature.
 
The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A.
 
## Preview limitations
 
 
- This preview should only be used in test environments as it can affect dynamic group processing in the tenant. These limitations are being addressed, and updates will be provided when they're available.
- Each Microsoft Entra tenant is limited to 500 dynamic groups using the `memberOf` attribute. The `memberOf` groups count toward the total dynamic group quota of 15,000.
- Each dynamic group can have up to 50 member groups.
- When you add members of security groups to `memberOf` dynamic membership groups, only direct members of the security group become members of the dynamic group.
- The `memberOf` attribute can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail.
- The dynamic group rule builder and validate feature can't be used for `memberOf` at this time.
- The `memberOf` attribute can't be used with other operators. For example, you can't create a rule that states "Members Of group A can't be in Dynamic group B."
- Users included in `memberOf` dynamic membership groups might cause a slower processing time for your tenant, if the tenant has a large number of groups or frequent dynamic membership groups updates.
- Membership of a memberOf dynamic group doesn't automatically update when a child group is deleted or when members are removed from a child group. The affected users or devices remain members of the memberOf dynamic group until the rule is modified.
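Review bot: the last bullet writes memberOf in plain text twice while every other bullet in the list uses `memberOf` in code font; make it `memberOf` for consistency. The same bullet is the one limitation with a direct access-control consequence (users or devices removed from a child group, or whose child group is deleted, stay in the dynamic group, and the page says these groups drive licensing assignments), so it is worth repeating in the `[!WARNING]` block rather than leaving it last in the list.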
Modified by Ken Withee on Mar 17, 2026 3:49 AM
+13 / -15 lines changed
Commit: Editorial pass: users bulk, misc, and light articles (90 fixes)
Changes:
Before
After
ms.custom: it-pro
 
---
# Sharing accounts with Microsoft Entra ID
 
## Overview
 
In Microsoft Entra ID, part of Microsoft Entra, sometimes organizations need to use a single username and password for multiple people, which often happens in the following cases:
 
The traditional sharing model has several drawbacks:
 
* Enabling access to new applications requires you to distribute credentials to everyone that needs access.
* Each shared application might require its own unique set of shared credentials, requiring users to remember multiple sets of credentials. When users have to remember many credentials, the risk increases that they resort to risky practices. (for example, writing down passwords).
* You can't tell who has access to an application.
* You can't tell who *accessed* an application.
* When you want to remove access to an application, you have to update the credentials and redistribute them to everyone that needs access to that application.
 
Microsoft Entra ID provides a new approach to using shared accounts that eliminates these drawbacks.
 
The Microsoft Entra administrator configures which applications a user can access by using the Access Panel and choosing the type of single sign-on best suited for that application. One of those types, *password-based single-sign on*, lets Microsoft Entra ID act as a kind of "broker" during the sign-on process for that app.
ms.custom: it-pro
 
---
# Share accounts with Microsoft Entra ID
 
In Microsoft Entra ID, part of Microsoft Entra, sometimes organizations need to use a single username and password for multiple people, which often happens in the following cases:
 
The traditional sharing model has several drawbacks:
 
* Enabling access to new applications requires you to distribute credentials to everyone that needs access.
* Each shared application might require its own unique set of shared credentials, requiring users to remember multiple sets of credentials. When users have to remember many credentials, the risk increases that they resort to risky practices (for example, writing down passwords).
* You can't tell who has access to an application.
* You can't tell who *accessed* an application.
* When you want to remove access to an application, you have to update the credentials and redistribute them to everyone that needs access to that application.
 
Microsoft Entra ID provides a new approach to using shared accounts that eliminates these drawbacks.
 
The Microsoft Entra administrator configures which applications a user can access by using the Access Panel and choosing the type of single sign-on best suited for that application. One of those types, *password-based single sign-on*, lets Microsoft Entra ID act as a kind of "broker" during the sign-in process for that app.
 
Users sign in once with their organizational account. This account is the same one they regularly use to access their desktop or email. They can discover and access only those applications that they're assigned to. With shared accounts, this list of applications can include any number of shared credentials. The end-user doesn't need to remember or write down the various accounts they might be using.
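Review bot: in the After block the sentence "which often happens in the following cases:" ends with a colon and is followed directly by "The traditional sharing model has several drawbacks:" with no list of cases in between; either restore the list or rewrite the sentence so it does not promise one. Removing the "## Overview" heading is fine since the H1 now introduces the section directly.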
+13 / -13 lines changed
Commit: Editorial pass: dynamic groups articles (33 fixes)
Changes:
Before
After
---
title: Validate Rules for Dynamic Membership Groups
description: Learn how to test members against a rule for a dynamic membership groups in Microsoft Entra ID.
ms.topic: how-to
ms.date: 12/19/2024
ms.reviewer: yukarppa
To evaluate the rule for dynamic membership groups, the administrator must be at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
 
> [!WARNING]
> Assigning one of the required roles via indirect role assignment is not supported.
 
## Validate a rule for dynamic membership groups
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a Groups Administrator.
 
2. Browse to **Entra ID** > **Groups** > **All groups**.
 
3. Select an existing dynamic group or create a new dynamic group, and then select **Dynamic membership rules**.
 
:::image type="content" source="./media/groups-dynamic-rule-validation/validate-tab.png" alt-text="Screenshot of selections for viewing details of dynamic membership rules.":::
---
title: Validate rules for dynamic membership groups
description: Learn how to test members against a rule for dynamic membership groups in Microsoft Entra ID.
ms.topic: how-to
ms.date: 12/19/2024
ms.reviewer: yukarppa
To evaluate the rule for dynamic membership groups, the administrator must be at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
 
> [!WARNING]
> Assigning one of the required roles via indirect role assignment isn't supported.
 
## Validate a rule for dynamic membership groups
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a Groups Administrator.
 
1. Browse to **Entra ID** > **Groups** > **All groups**.
 
1. Select an existing dynamic group or create a new dynamic group, and then select **Dynamic membership rules**.
 
:::image type="content" source="./media/groups-dynamic-rule-validation/validate-tab.png" alt-text="Screenshot of selections for viewing details of dynamic membership rules.":::
Modified by Ken Withee on Mar 17, 2026 3:49 AM
+13 / -13 lines changed
Commit: Editorial pass: users bulk, misc, and light articles (90 fixes)
Changes:
Before
After
Access tokens and refresh tokens are frequently used with thick client applications, and also used in browser-based applications such as single page apps.
 
- When users authenticate to Microsoft Entra ID, part of Microsoft Entra, authorization policies are evaluated to determine if the user can be granted access to a specific resource.
- Once authorized, Microsoft Entra ID issues an access token and a refresh token for the resource.
- If the authentication protocol allows, the app can silently reauthenticate the user by passing the refresh token to Microsoft Entra ID when the access token expires. By default, access tokens issued by Microsoft Entra ID last for 1 hour.
- Microsoft Entra ID then reevaluates its authorization policies. If the user is still authorized, Microsoft Entra ID issues a new access token and refreshes token.
 
Access tokens may pose a security risk if they need to be revoked within a period shorter than their typical one-hour lifespan. For this reason, Microsoft is actively working to bring [continuous access evaluation](~/identity/conditional-access/concept-continuous-access-evaluation.md) to Office 365 applications, which helps ensure invalidation of access tokens in near real time.
 
## Session tokens (cookies)
 
 
- When a user opens a browser and authenticates to an application via Microsoft Entra ID, the user receives two session tokens. One from Microsoft Entra ID and another from the application.
 
- Once the application issues its own session token, the application controls access based on its authorization policies.
 
- The authorization policies of Microsoft Entra ID are reevaluated as often as the application sends the user back to Microsoft Entra ID. Reevaluation usually happens silently, though the frequency depends on how the application is configured. It's possible that the app may never send the user back to Microsoft Entra ID as long as the session token is valid.
 
- For a session token to be revoked, the application must revoke access based on its own authorization policies. Microsoft Entra ID can't directly revoke a session token issued by an application.
 
Access tokens and refresh tokens are frequently used with thick client applications, and also used in browser-based applications such as single page apps.
 
- When users authenticate to Microsoft Entra ID, part of Microsoft Entra, authorization policies are evaluated to determine if the user can be granted access to a specific resource.
- After authorization, Microsoft Entra ID issues an access token and a refresh token for the resource.
- If the authentication protocol allows, the app can silently reauthenticate the user by passing the refresh token to Microsoft Entra ID when the access token expires. By default, access tokens issued by Microsoft Entra ID last for 1 hour.
- Microsoft Entra ID then reevaluates its authorization policies. If the user is still authorized, Microsoft Entra ID issues a new access token and refresh token.
 
Access tokens might pose a security risk if they need to be revoked within a period shorter than their typical one-hour lifespan. For this reason, Microsoft is actively working to bring [continuous access evaluation](~/identity/conditional-access/concept-continuous-access-evaluation.md) to Office 365 applications, which helps ensure invalidation of access tokens in near real time.
 
## Session tokens (cookies)
 
 
- When a user opens a browser and authenticates to an application via Microsoft Entra ID, the user receives two session tokens. One from Microsoft Entra ID and another from the application.
 
- After the application issues its own session token, the application controls access based on its authorization policies.
 
- The authorization policies of Microsoft Entra ID are reevaluated as often as the application sends the user back to Microsoft Entra ID. Reevaluation usually happens silently, though the frequency depends on how the application is configured. It's possible that the app might never send the user back to Microsoft Entra ID as long as the session token is valid.
 
- To revoke a session token, the application must revoke access based on its own authorization policies. Microsoft Entra ID can't directly revoke a session token issued by an application.
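Review bot: The time-sensitive claim in the access-token paragraph ("Microsoft is actively working to bring continuous access evaluation to Office 365 applications") is carried over unchanged by this editorial pass; since the paragraph's point is that a one-hour access token cannot be revoked early without continuous access evaluation, verify the current status against the linked concept-continuous-access-evaluation article and state it plainly rather than as work in progress. Also, the first bullet under "Session tokens (cookies)" still contains the fragment "One from Microsoft Entra ID and another from the application."; consider "the user receives two session tokens: one from Microsoft Entra ID and another from the application."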
 
Modified by Ken Withee on Mar 17, 2026 3:48 AM
📖 View on learn.microsoft.com
+13 / -11 lines changed
Commit: Editorial pass: dynamic groups articles (33 fixes)
Changes:
Before
After
---
title: Manage Rules for Dynamic Membership Groups in Microsoft Entra ID
description: Learn how to manage rules for dynamic membership groups to automatically populate group members and rule references.
ms.topic: how-to
ms.date: 03/05/2026
 
Also keep these limitations in mind:
 
- You can create a dynamic membership groups for users or devices, but you can't create a rule that contains both users and devices.
- You can't create a device membership group based on the user attributes of the device owner. Device membership rules can reference only device attributes.
 
### Security consideration: Evaluate attribute write permissions before using them in dynamic group rules
 
Parentheses are optional for a single expression. The total length of the body of your membership rule can't exceed 3,072 characters.
 
### Constructing the body of a membership rule
 
A membership rule that automatically populates a group with users or devices is a binary expression that results in a true or false outcome. The three parts of a simple rule are:
 
| `In` | `-in` |
---
title: Manage rules for dynamic membership groups in Microsoft Entra ID
description: Learn how to manage rules for dynamic membership groups to automatically populate group members and rule references.
ms.topic: how-to
ms.date: 03/05/2026
 
Also keep these limitations in mind:
 
- You can create dynamic membership groups for users or devices, but you can't create a rule that contains both users and devices.
- You can't create a device membership group based on the user attributes of the device owner. Device membership rules can reference only device attributes.
 
### Security consideration: Evaluate attribute write permissions before using them in dynamic group rules
 
Parentheses are optional for a single expression. The total length of the body of your membership rule can't exceed 3,072 characters.
 
### Construct the body of a membership rule
 
A membership rule that automatically populates a group with users or devices is a binary expression that results in a true or false outcome. The three parts of a simple rule are:
 
| `In` | `-in` |
+11 / -11 lines changed
Commit: Editorial pass: bulk ops and groups articles (46 fixes)
Changes:
Before
After
---
title: Bulk download group membership list - Azure portal
description: Add users in bulk in the Azure admin center.
ms.date: 12/05/2025
ms.topic: how-to
ms.custom: it-pro
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade) and in the left-hand navigation pane, select the **Groups** tab.
 
2. Select a group from the list and navigate to the **Members** tab.
 
:::image type="content" source="media/bulk-operations/group-members-tab.png" alt-text="Screenshot of a selected group's Members tab listing users and service principals.":::
 
3. On the **Members** page command bar, select **Download members**.
If you see a **Bulk operations** menu instead, select **Bulk operations** > **Download members**.
 
:::image type="content" source="media/bulk-operations/bulk-operations-download-members.png" alt-text="Screenshot of the Bulk operations menu on the Members tab with Download members selected.":::
 
4. Enter a filename and select **Start bulk operation**.
 
---
title: Bulk download group membership list - Azure portal
description: Download group members in bulk in the Microsoft Entra admin center.
ms.date: 12/05/2025
ms.topic: how-to
ms.custom: it-pro
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade) and in the left-hand navigation pane, select the **Groups** tab.
 
1. Select a group from the list and navigate to the **Members** tab.
 
:::image type="content" source="media/bulk-operations/group-members-tab.png" alt-text="Screenshot of a selected group's Members tab listing users and service principals.":::
 
1. On the **Members** page command bar, select **Download members**.
If you see a **Bulk operations** menu instead, select **Bulk operations** > **Download members**.
 
:::image type="content" source="media/bulk-operations/bulk-operations-download-members.png" alt-text="Screenshot of the Bulk operations menu on the Members tab with Download members selected.":::
 
1. Enter a filename and select **Start bulk operation**.
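Review bot: The front matter title "Bulk download group membership list - Azure portal" is left unchanged while the description in the same hunk is corrected to "in the Microsoft Entra admin center" and step 1 signs in to the Microsoft Entra admin center; align the title with the portal the steps actually use. The description fix itself is right, since the old text ("Add users in bulk") described a different task than the download procedure that follows.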
 
+10 / -10 lines changed
Commit: Editorial pass: bulk ops and groups articles (46 fixes)
Changes:
Before
After
 
#### [21Vianet](#tab/21Vianet)
 
If you are performing these Microsoft 365 operations from 21Vianet:
 
1. Register a Microsoft Entra ID application in Microsoft Entra ID.
1. Grant your application API permissions to access Microsoft Graph including ```Directory.ReadWriteAll``` and ```Group.ReadWriteAll```, you may need to get tenant admin's explicit consent to grant the application access to Microsoft Graph.
1. Generate a client secret and copy it. You need the client secret to connect to MS Graph;
1. Run PowerShell as administrator:
 
```PowerShell
$ClientSecretCredential = Get-Credential -Credential
```
After commands run, you'll be prompted to enter a password. The password is the new client secret you copied in earlier step.
 
1. Run the following command to get access to MS Graph:
 
```PowerShell
Connect-MgGraph -TenantId "Current tenant id" - ClientSecretCredential $ClientSecretCredential -Environment China
```
 
#### [21Vianet](#tab/21Vianet)
 
If you're performing these Microsoft 365 operations from 21Vianet:
 
1. Register a Microsoft Entra ID application in Microsoft Entra ID.
1. Grant your application API permissions to access Microsoft Graph including ```Directory.ReadWriteAll``` and ```Group.ReadWriteAll```, you might need to get tenant admin's explicit consent to grant the application access to Microsoft Graph.
1. Generate a client secret and copy it. You need the client secret to connect to Microsoft Graph.
1. Run PowerShell as administrator:
 
```PowerShell
$ClientSecretCredential = Get-Credential -Credential
```
After commands run, you'll be prompted to enter a password. The password is the new client secret you copied in an earlier step.
 
1. Run the following command to get access to Microsoft Graph:
 
```PowerShell
Connect-MgGraph -TenantId "Current tenant id" -ClientSecretCredential $ClientSecretCredential -Environment China
```
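Review bot: The first PowerShell block, `$ClientSecretCredential = Get-Credential -Credential`, is carried over with `-Credential` given no argument in both versions; as written, PowerShell rejects it with a missing-argument error, and the sentence that follows ("you'll be prompted to enter a password") only holds if a user name is supplied, for example `Get-Credential -Credential "<application (client) ID>"` with a placeholder for the reader to fill in. In step 2, the permission names `Directory.ReadWriteAll` and `Group.ReadWriteAll` are each missing a dot (the Microsoft Graph permissions are `Directory.ReadWrite.All` and `Group.ReadWrite.All`), they should be in single-backtick inline code rather than triple backticks, and the sentence is a comma splice that should be split before "you might need".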