MODIFIED docs/identity/conditional-access/managed-policies.md

Modified by shlipsey3 on Mar 18, 2026 4:44 PM
📖 View on learn.microsoft.com

+86 / -72 lines changed

Commit: idp-security-baseline-031826

Changes:

Before

After

---
title: Microsoft-Managed Conditional Access Policies for Enhanced Security
description: Secure your resources with Microsoft-managed Conditional Access policies. Require multifactor authentication to reduce compromise risks.
ms.service: entra-id
ms.subservice: conditional-access
ms.topic: concept-article
ms.date: 11/06/2025
ms.reviewer: swethar
ms.custom: sfi-image-nochange
---
# Microsoft-managed Conditional Access policies
 
As mentioned in the [Microsoft Digital Defense Report](https://www.microsoft.com/security/security-insider/microsoft-digital-defense-report-2023) from October 2023,
 
> ...threats to digital peace have reduced trust in technology and highlighted the urgent need for improved cyber defenses at all levels...
>
> ...at Microsoft, our more than 10,000 security experts analyze over 65 trillion signals each day... driving some of the most influential insights in
cybersecurity. Together, we can build cyber resilience through innovative action and collective defense.
 
As part of this work, we're making Microsoft-managed policies available in Microsoft Entra tenants around the world. These [simplified Conditional Access policies](#what-is-conditional-access) require multifactor authentication, which a [recent study](https://arxiv.org/abs/2305.00945) finds reduces the risk of compromise by more than 99%.

---
title: Microsoft-Managed Conditional Access Policies for Enhanced Security
description: Secure your resources with Microsoft-managed Conditional Access policies. Require multifactor authentication to reduce compromise risks.
ms.topic: article
ms.date: 03/18/2026
ms.author: sarahlipsey
author: shlipsey3
manager: pmwongera
ms.reviewer: swethar
ms.custom: sfi-image-nochange
---
# Microsoft-managed Conditional Access policies
 
Every day, Microsoft processes more than 100 trillion security signals from endpoints, cloud services, identity systems, and more. We use this data shape how we respond to threats and inform how we innovate to help build a safer digital future. Read about the work we're doing in the [Microsoft Digital Defense Report](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1).
 
As part of this work, Microsoft-managed policies are available in Microsoft Entra tenants around the world. These [simplified Conditional Access policies](#what-is-conditional-access) require multifactor authentication, which continues to reduce the risk of compromise by more than 99%.
 
:::image type="content" source="media/managed-policies/microsoft-managed-policy.png" alt-text="Screenshot of a Microsoft-managed Conditional Access policy in the Microsoft Entra admin center." lightbox="media/managed-policies/microsoft-managed-policy-expanded.png":::
 
## Prerequisites

MODIFIED docs/global-secure-access/how-to-zscaler-coexistence.md

Modified by Ken Withee on Mar 18, 2026 8:20 PM
📖 View on learn.microsoft.com

+54 / -22 lines changed

Commit: AI readiness: fix 21 structure violations in Zscaler coexistence article

Changes:

Before

After

---
title: Configure Microsoft and Zscaler for a Unified SASE Solution
description: "Learn how to configure Microsoft and Zscaler SSE for unified SASE solutions to enhance security and connectivity in your organization."
#customer intent: As a network administrator, I want to configure Microsoft and Zscaler SSE for unified SASE solutions so that I can enhance security and connectivity in my organization.  
ms.topic: how-to
ms.date: 03/13/2026
ms.subservice: entra-private-access
ms.reviewer: shkhalid
ai-usage: ai-assisted
- Set up Zscaler Private Access and Internet Access
- Configure the Global Secure Access FQDN and IP bypasses
 
### Microsoft Global Secure Access
 
To set up Microsoft Entra Global Secure Access and test all scenarios in this documentation:
- Enable and disable different Microsoft Global Secure Access traffic forwarding profiles for your Microsoft Entra tenant. For more information about enabling and disabling profiles, see [Global Secure Access traffic forwarding profiles](concept-traffic-forwarding.md).
- Install and configure the Microsoft Entra private network connector. For information on how to install and configure the connector, see [How to configure connectors](how-to-configure-connectors.md).
    > [!NOTE]
- Configure Quick Access to your private resources and set up Private Domain Name System (DNS) and DNS suffixes. For information on how to configure Quick Access, see [How to configure Quick Access](how-to-configure-quick-access.md).
- Install and configure the Global Secure Access client on end-user devices. For more information about clients, see [Global Secure Access clients](concept-clients.md). For information on how to install the Windows client, see [Global Secure Access client for Windows](how-to-install-windows-client.md). For macOS, see [Global Secure Access Client for macOS](how-to-install-macos-client.md).

---
title: Configure Microsoft and Zscaler for a Unified SASE Solution
description: "Learn how to deploy Microsoft Global Secure Access alongside Zscaler Private Access and Internet Access. Covers four integration scenarios with step-by-step configuration, verification, and traffic testing procedures."
#customer intent: As a network administrator, I want to configure Microsoft and Zscaler SSE for unified SASE solutions so that I can enhance security and connectivity in my organization.  
ms.topic: how-to
ms.date: 03/18/2026
ms.subservice: entra-private-access
ms.reviewer: shkhalid
ai-usage: ai-assisted
- Set up Zscaler Private Access and Internet Access
- Configure the Global Secure Access FQDN and IP bypasses
 
### Prerequisites for Microsoft Global Secure Access
 
To set up Microsoft Entra Global Secure Access and test all four scenarios described in this article:
- Enable and disable different Microsoft Global Secure Access traffic forwarding profiles for your Microsoft Entra tenant. For more information about enabling and disabling profiles, see [Global Secure Access traffic forwarding profiles](concept-traffic-forwarding.md).
- Install and configure the Microsoft Entra private network connector. For information on how to install and configure the connector, see [How to configure connectors](how-to-configure-connectors.md).
    > [!NOTE]
- Configure Quick Access to your private resources and set up Private Domain Name System (DNS) and DNS suffixes. For information on how to configure Quick Access, see [How to configure Quick Access](how-to-configure-quick-access.md).
- Install and configure the Global Secure Access client on end-user devices. For more information about clients, see [Global Secure Access clients](concept-clients.md). For information on how to install the Windows client, see [Global Secure Access client for Windows](how-to-install-windows-client.md). For macOS, see [Global Secure Access Client for macOS](how-to-install-macos-client.md).

MODIFIED docs/identity/saas-apps/open-text-directory-services-provisioning-tutorial.md

Modified by Hamsika45 on Mar 18, 2026 8:24 AM
📖 View on learn.microsoft.com

+14 / -22 lines changed

Commit: Updating Opentext Directory Services template

Changes:

Before

After

author: jeevansd
manager: pmwongera
ms.topic: how-to
ms.date: 03/12/2026
ms.author: jeedes
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to OpenText Directory Services so that I can streamline the user management process and ensure that users have the appropriate access to OpenText Directory Services.
 
	![Provisioning tab](common/provisioning.png)
 
5. Set the **Provisioning Mode** to **Automatic**.
 
      ![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
6. Under the **Admin Credentials** section, input your OpenText Directory Services Tenant URL.
   * Non-specific tenant URL : {OTDS URL}/scim/{partitionName}
   * Specific tenant URL :  {OTDS URL}/otdstenant/{tenantID}/scim/{partitionName}
 
7. Select 'OAuth2 Client Credentials Grant' as the Authentication Method.
   1. Enter the Client ID and Client Secret retrieved from Step 2.

author: jeevansd
manager: pmwongera
ms.topic: how-to
ms.date: 03/18/2026
ms.author: jeedes
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to OpenText Directory Services so that I can streamline the user management process and ensure that users have the appropriate access to OpenText Directory Services.
 
	![Provisioning tab](common/provisioning.png)
 
1. Select **+ New configuration**.
 
      ![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
6. Under the **Admin Credentials** section, input your OpenText Directory Services Tenant URL.
   * Non-specific tenant URL : `{OTDS URL}/scim/{partitionName}`
   * Specific tenant URL :  `{OTDS URL}/otdstenant/{tenantID}/scim/{partitionName}`
 
7. Select **OAuth2 Client Credentials Grant** as the Authentication Method.
   1. Enter the **Client ID** and **Client Secret** retrieved from Step 2.

MODIFIED docs/includes/secure-recommendations/27014.md

Modified by Jay on Mar 18, 2026 5:22 PM
📖 View on learn.microsoft.com

+16 / -15 lines changed

Commit: Clarify SWG layers and reorder remediation steps

Changes:

Before

After

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 03/11/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Microsoft Entra Suite Add-on for Microsoft Entra ID P2
---
The Global Secure Access Secure Web Gateway (SWG) implements defense-in-depth through five security layers that together create a comprehensive inspection chain for internet-bound traffic. Each layer serves a distinct protective function:
 
- **Layer 1: Context-aware network security** This layer routes internet traffic through the SWG and applies identity- and context-aware policy enforcement. Without this layer, traffic bypasses all downstream inspection.
 
- **Layer 2: Web content, threat intelligence filtering, and AI Gateway** This layer blocks access to malicious, inappropriate, or policy-violating destinations and governs interactions with generative AI services.
 
- **Layer 3: Content filtering and network DLP** This layer inspects file transfers and content payloads to prevent sensitive data exfiltration.
 
- **Layer 4: Cloud firewall** This layer applies network-level firewall rules that protect branch office internet traffic routed through remote networks.
 
- **Layer 5: Advanced threat protection** This layer uses TLS inspection to decrypt encrypted traffic so that you can scan payloads for malware, data exfiltration, and command-and-control communications.
 

author: HULKsmashGithub
ms.service: entra-id
ms.topic: include
ms.date: 03/18/2026
manager: dougeby
ms.custom: Network-Secure-Recommendation
# minimumlicense: Microsoft Entra Suite Add-on for Microsoft Entra ID P2
---
The Global Secure Access Secure Web Gateway (SWG) implements defense-in-depth through five security layers that together create a comprehensive inspection chain for internet-bound traffic. Each layer serves a distinct protective function:
 
- **Layer 1: Context-aware network security** This outermost layer routes internet traffic through the SWG and applies identity- and context-aware policy enforcement. Without this layer, traffic bypasses all downstream inspection.
 
- **Layer 2: TLS inspection, web content, and threat intelligence filtering** TLS inspection decrypts encrypted traffic so that all downstream web content filtering and DLP inspection operates on plaintext payloads. Web content filtering blocks access to malicious, inappropriate, or policy-violating destinations. Threat intelligence filtering blocks connections to known-malicious infrastructure.
 
- **Layer 3: AI Gateway, content filtering, and network DLP** AI Gateway controls govern user interactions with generative AI services to prevent prompt injection and data leakage. Content filtering and network DLP inspect file transfers and payloads to prevent sensitive data exfiltration.
 
- **Layer 4: Cloud firewall** This layer applies network-level firewall rules that protect branch office internet traffic routed through remote networks.
 
- **Layer 5: Advanced threat protection** This innermost layer is reserved for future capabilities including anti-malware scanning, intrusion detection and prevention (IDPS), and anomaly detection. No active checks are configured in this layer yet.
 

MODIFIED docs/global-secure-access/how-to-cisco-secure-access-coexistence.md

Modified by Ken Withee on Mar 18, 2026 8:53 PM
📖 View on learn.microsoft.com

+15 / -15 lines changed

Commit: AI readiness: fix structure violations in Cisco coexistence articles

Changes:

Before

After

---
title: Security Service Edge (SSE) Coexistence With Microsoft and Cisco Secure Access
description: Microsoft and Cisco’s Secure Access coexistence solution guide.
ms.topic: how-to
ms.date: 03/13/2026
ms.subservice: entra-private-access 
ms.reviewer: shkhalid
ai-usage: ai-assisted
 
This guide outlines how to configure and deploy Global Secure Access solutions alongside Cisco Secure Access SSE offerings. By using both platforms, you can optimize your organization's security posture while maintaining high-performance connectivity for private applications, Microsoft 365 traffic, and internet access.
 
## Scenarios
 
This guide covers the following coexistence scenarios:
 
 
### 1. Microsoft Entra Private Access with Cisco Secure Internet Access
 
**Global Secure Access configuration**
 

---
title: Security Service Edge (SSE) Coexistence With Microsoft and Cisco Secure Access
description: "Configure Microsoft Global Secure Access and Cisco Secure Access for unified SASE capabilities. Covers deployment steps, FQDN and IP bypasses, and client configuration."
ms.topic: how-to
ms.date: 03/18/2026
ms.subservice: entra-private-access 
ms.reviewer: shkhalid
ai-usage: ai-assisted
 
This guide outlines how to configure and deploy Global Secure Access solutions alongside Cisco Secure Access SSE offerings. By using both platforms, you can optimize your organization's security posture while maintaining high-performance connectivity for private applications, Microsoft 365 traffic, and internet access.
 
## Supported coexistence scenarios
 
This guide covers the following coexistence scenarios:
 
 
### 1. Microsoft Entra Private Access with Cisco Secure Internet Access
 
#### Configure Global Secure Access
 

MODIFIED docs/global-secure-access/how-to-simulate-remote-network.md

Modified by Ken Withee on Mar 18, 2026 8:58 PM
📖 View on learn.microsoft.com

+14 / -14 lines changed

Commit: AI readiness: fix structure violations in remote network articles

Changes:

Before

After

title: Simulate remote network connectivity using Azure VNG
description: Configure Azure resources to simulate remote network connectivity to Microsoft's Security Edge Solutions with Global Secure Access.
ms.topic: how-to
ms.date: 03/13/2026
ms.reviewer: absinh
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
1. From the Azure portal, browse to **Virtual network gateways**.
1. Select **Create**.
1. Provide your virtual network gateway with a **Name** and select the appropriate region.
1. Select the **Virtual network** created in the previous section.
 
      :::image type="content" source="media/how-to-simulate-remote-network/create-azure-virtual-network-gateway.png" alt-text="Screenshot of the Azure portal showing configuration settings for a virtual network gateway." lightbox="media/how-to-simulate-remote-network/create-azure-virtual-network-gateway-expanded.png":::
 
 
## Create local network gateway
 
This step is completed in the Azure portal. Several details from the previous step are needed to complete this step.
 
If you selected **No redundancy** while creating device links in the Microsoft Entra admin center, you need to create just one local network gateway.

title: Simulate remote network connectivity using Azure VNG
description: Configure Azure resources to simulate remote network connectivity to Microsoft's Security Edge Solutions with Global Secure Access.
ms.topic: how-to
ms.date: 03/18/2026
ms.reviewer: absinh
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
1. From the Azure portal, browse to **Virtual network gateways**.
1. Select **Create**.
1. Provide your virtual network gateway with a **Name** and select the appropriate region.
1. Select your **Virtual network**.
 
      :::image type="content" source="media/how-to-simulate-remote-network/create-azure-virtual-network-gateway.png" alt-text="Screenshot of the Azure portal showing configuration settings for a virtual network gateway." lightbox="media/how-to-simulate-remote-network/create-azure-virtual-network-gateway-expanded.png":::
 
 
## Create local network gateway
 
Creating a local network gateway is completed in the Azure portal. Several details from the remote network configuration (Microsoft gateway endpoint, ASN, and BGP address) are needed to complete this step.
 
If you selected **No redundancy** when creating device links in the Microsoft Entra admin center, create one local network gateway.

MODIFIED docs/global-secure-access/how-to-cisco-vpn-coexistence.md

Modified by Ken Withee on Mar 18, 2026 8:53 PM
📖 View on learn.microsoft.com

+11 / -11 lines changed

Commit: AI readiness: fix structure violations in Cisco coexistence articles

Changes:

Before

After

---
title: Security Service Edge (SSE) Coexistence With Microsoft and Cisco VPNs
description: Microsoft and Cisco VPNs coexistence solution guide.
ms.topic: how-to
ms.date: 03/13/2026
ms.subservice: entra-private-access
ms.reviewer: shkhalid
ai-usage: ai-assisted
**Global Secure Access configuration:**
1. Enable Microsoft Entra Internet Access and Microsoft Access forwarding profiles.
1. Install and configure the Global Secure Access client for Windows or macOS.
1. Add an Internet Access traffic forwarding profile custom bypass to exclude Cisco Secure Access VPNaaS service. [Instructions above.](#adding-a-custom-bypass)
 
**Cisco configuration:**
1. Set up remote access VPN profile as [described previously](#split-include-configuration).
1. Install a private network connector for Microsoft Entra Private Access.
1. Configure Quick Access and set up Private DNS.
1. Create an app segment, for example an SMB file share. This will be the application you want to access through Global Secure Access and not Cisco VPN.
1. Add an Internet Access traffic forwarding profile [custom bypass](#adding-a-custom-bypass) to exclude Cisco Secure Access VPNaaS endpoint.
1. Install and configure the Global Secure Access client for Windows or macOS.

---
title: Security Service Edge (SSE) Coexistence With Microsoft and Cisco VPNs
description: "Configure Microsoft Global Secure Access alongside Cisco AnyConnect and ASA VPNs for unified SASE. Covers deployment scenarios with step-by-step configuration for private access, Microsoft 365 traffic, and internet access."
ms.topic: how-to
ms.date: 03/18/2026
ms.subservice: entra-private-access
ms.reviewer: shkhalid
ai-usage: ai-assisted
**Global Secure Access configuration:**
1. Enable Microsoft Entra Internet Access and Microsoft Access forwarding profiles.
1. Install and configure the Global Secure Access client for Windows or macOS.
1. Add an Internet Access traffic forwarding profile custom bypass to exclude Cisco Secure Access VPNaaS service. Add a custom bypass rule for `*.vpn.sse.cisco.com` in the Internet Access profile. For detailed steps, see [Adding a custom bypass](#adding-a-custom-bypass).
 
**Cisco configuration:**
1. Set up remote access VPN profile as [described previously](#split-include-configuration).
1. Install a private network connector for Microsoft Entra Private Access.
1. Configure Quick Access and set up Private DNS.
1. Create an app segment, for example an SMB file share. This will be the application you want to access through Global Secure Access and not Cisco VPN.
1. Add an Internet Access traffic forwarding profile custom bypass to exclude the Cisco Secure Access VPNaaS endpoint. Add a custom bypass rule for `*.vpn.sse.cisco.com` in the Internet Access profile. For detailed steps, see [Adding a custom bypass](#adding-a-custom-bypass).
1. Install and configure the Global Secure Access client for Windows or macOS.

MODIFIED docs/identity/users/users-sharing-accounts.md

Modified by Ken Withee on Mar 18, 2026 7:21 PM
📖 View on learn.microsoft.com

+4 / -7 lines changed

Commit: Restore full article with merged editorial fixes

Changes:

Before

After

title: Sharing accounts and credentials
description: Learn how to configure shared accounts in Microsoft Entra ID using password-based single sign-on so multiple users can securely access apps without sharing passwords directly.
ms.topic: how-to
ms.date: 03/14/2026
ms.reviewer: krbain
ms.custom: it-pro
ai-usage: ai-assisted
 
---
# Sharing accounts with Microsoft Entra ID
 
## Overview
 
In Microsoft Entra ID, part of Microsoft Entra, sometimes organizations need to use a single username and password for multiple people, which often happens in the following cases:
 
* A user account with at least the [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator) role to configure SSO and assign users. The [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) role also works.
* At least the [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator) role to create security groups. If your tenant allows users to create security groups, this role isn't required.
* An application that supports password-based single sign-on (SSO).
* The [My Apps Secure Sign-in Extension](https://microsoftedge.microsoft.com/addons/detail/my-apps-secure-signin-ex/gaaceiggkkiffbfdpmfapegoiohkiipl) installed in end-user browsers (Microsoft Edge or Chrome) for accessing password-based SSO apps.
 

title: Sharing accounts and credentials
description: Learn how to configure shared accounts in Microsoft Entra ID using password-based single sign-on so multiple users can securely access apps without sharing passwords directly.
ms.topic: how-to
ms.date: 03/18/2026
ms.reviewer: yukarppa
ms.custom: it-pro
ai-usage: ai-assisted
 
---
# Share accounts with Microsoft Entra ID
 
In Microsoft Entra ID, part of Microsoft Entra, sometimes organizations need to use a single username and password for multiple people, which often happens in the following cases:
 
* A user account with at least the [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator) role to configure SSO and assign users. The [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) role also works.
* At least the [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator) role to create security groups. If your tenant allows users to create security groups, this role isn't required.
* An application that supports password-based single sign-on (SSO).
 
<a name='azure-active-directory-account-sharing'></a>
 
 

MODIFIED docs/global-secure-access/how-to-manage-remote-networks.md

Modified by Ken Withee on Mar 18, 2026 8:58 PM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: AI readiness: fix structure violations in remote network articles

Changes:

Before

After

---
title: How to Update and Delete Remote Networks for Global Secure Access
description: Learn how to update and delete remote networks for Global Secure Access.
ms.topic: how-to
ms.date: 03/13/2026
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
 
There are three sections with details you can edit. **Basics**, **Links**, and **Traffic profiles**.
 
#### Basics
 
The basics page provides a way to delete a selected remote network. You change the name of a remote network after you create it. Select the pencil icon to edit the name of the remote network.
 
![Screenshot of the basics tab with the pencil icon highlighted.](./media/how-to-manage-remote-networks/remote-network-basics.png)
 
#### Links
 
Add a new device link or delete an existing device link from this page. You can't edit the details of a device link after it was created. Select the trash can icon to delete a remote network device link.

---
title: How to Update and Delete Remote Networks for Global Secure Access
description: "Modify remote network configurations, delete unused networks, and manage device links and traffic profile assignments for Global Secure Access."
ms.topic: how-to
ms.date: 03/18/2026
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
 
There are three sections with details you can edit. **Basics**, **Links**, and **Traffic profiles**.
 
#### Update basic settings
 
The basics page provides a way to delete a selected remote network. You change the name of a remote network after you create it. Select the pencil icon to edit the name of the remote network.
 
![Screenshot of the basics tab with the pencil icon highlighted.](./media/how-to-manage-remote-networks/remote-network-basics.png)
 
#### Update device links
 
Add a new device link or delete an existing device link from this page. You can't edit the details of a device link after it was created. Select the trash can icon to delete a remote network device link.

MODIFIED docs/global-secure-access/how-to-view-enriched-logs.md

Modified by Ken Withee on Mar 18, 2026 9:02 PM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: AI readiness: fix remaining structure violations in 4 GSA articles

Changes:

Before

After

---
title: How to use enriched Microsoft 365 logs
description: Learn how to use enriched Microsoft 365 logs for Global Secure Access.
ms.topic: how-to
ms.date: 03/13/2026
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
 
To use the enriched logs, you need the following roles, configurations, and subscriptions:
 
### Roles and Permissions
 
- A **Security Administrator** role is required to export Global Secure Access Network Traffic Logs in Diagnostic Settings.
 
### Configurations
 
- **Microsoft Profile** - Ensure the Microsoft traffic profile is enabled. Microsoft traffic forwarding profile is required to capture traffic directed to Microsoft 365 services, which is fundamental for log enrichment. 
- **Tenant sending data** - Confirms that traffic, as configured in forwarding profiles, is accurately tunneled to the Global Secure Access service.
- **Diagnostic Settings Configuration** - Set up Microsoft Entra diagnostic settings to channel the logs to a designated endpoint, like a Log Analytics workspace or Sentinel workspace. The requirements for each endpoint differ and are outlined in the Configure Diagnostic settings section of this article.

---
title: How to use enriched Microsoft 365 logs
description: "View performance, experience, and availability insights for Microsoft 365 apps routed through Microsoft Entra Internet Access. Integrate enriched log data with Log Analytics or Microsoft Sentinel for network diagnostics and security analysis."
ms.topic: how-to
ms.date: 03/18/2026
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
---
 
To use the enriched logs, you need the following roles, configurations, and subscriptions:
 
### Required roles and permissions
 
- A **Security Administrator** role is required to export Global Secure Access Network Traffic Logs in Diagnostic Settings.
 
### Required configurations
 
- **Microsoft Profile** - Ensure the Microsoft traffic profile is enabled. Microsoft traffic forwarding profile is required to capture traffic directed to Microsoft 365 services, which is fundamental for log enrichment. 
- **Tenant sending data** - Confirms that traffic, as configured in forwarding profiles, is accurately tunneled to the Global Secure Access service.
- **Diagnostic Settings Configuration** - Set up Microsoft Entra diagnostic settings to channel the logs to a designated endpoint, like a Log Analytics workspace or Sentinel workspace. The requirements for each endpoint differ and are outlined in the Configure Diagnostic settings section of this article.

MODIFIED docs/global-secure-access/troubleshoot-global-secure-access-client-ios-health-check-utility.md

Modified by Marilee Turscak - MSFT on Mar 18, 2026 11:12 PM
📖 View on learn.microsoft.com

+2 / -6 lines changed

Commit: Fixed broken link

Changes:

Before

After

In the [Microsoft Intune admin center](https://intune.microsoft.com/), confirm the following criteria:

* Device enrollment
  * If not, [enroll the device in Intune](/intune/intune-service/fundamentals/deployment-guide-enrollment)
* Device compliance
  * If not, remediate the issue
  * See the following steps for more

1. On the client device, open the **Company Portal** app.
2. Ensure the device status is **Compliant**. See the following steps [to resolve compliance issues](/intune/intune-service/user-help/check-device-access-windows-cpapp.

   > [!NOTE]
   > After changes are made, it can take up to 30 minutes for the status to update. 

In the [Microsoft Intune admin center](https://intune.microsoft.com/), confirm the following criteria:

* Device enrollment
  * If not, [enroll the device in Intune](/intune/intune-service/fundamentals/deployment-guide-enrollment).
* Device compliance
  * If not, open the **Company Portal** app on the client device and follow the steps to [remediate the issue](/intune/intune-service/user-help/check-device-access-windows-cpapp).

   > [!NOTE]
   > After changes are made, it can take up to 30 minutes for the status to update.

MODIFIED docs/identity/saas-apps/bynder-tutorial.md

Modified by Regan Downer on Mar 18, 2026 4:16 PM
📖 View on learn.microsoft.com

+2 / -4 lines changed

Commit: Refactor Bynder tutorial for better readability

Changes:

Before

After

2. Add the Bynder app from the gallery.
 
> [!IMPORTANT]
> We strongly recommend creating a custom application. Bynder now supports SCIM provisioning, which is available only
for custom applications. Using the Bynder application from the gallery will limit the availability of this
functionality for your integration.
 
To create a custom application, you can use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration. [Learn more about Microsoft 365 wizards](/microsoft-365/admin/misc/azure-ad-setup-guides).
 
 
   ![Screenshot shows to Edit Basic SAML Configuration.](common/edit-urls.png)
 
   > [!NOTE]
	> For BYNDER_CONFIG_ID use an identifier value you got from **Сreate New Bynder Configuration** section.
 
1. On the **Basic SAML Configuration** section, perform the following steps:

2. Add the Bynder app from the gallery.
 
> [!IMPORTANT]
> We strongly recommend creating a custom application. Bynder now supports SCIM provisioning, which is available only for custom applications. Using the Bynder application from the gallery will limit the availability of this functionality for your integration.
 
To create a custom application, you can use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration. [Learn more about Microsoft 365 wizards](/microsoft-365/admin/misc/azure-ad-setup-guides).
 
   ![Screenshot shows to Edit Basic SAML Configuration.](common/edit-urls.png)
 
    > [!NOTE]
	> For BYNDER_CONFIG_ID use an identifier value you got from **Сreate New Bynder Configuration** section.
 
1. On the **Basic SAML Configuration** section, perform the following steps:

MODIFIED docs/identity/saas-apps/looop-provisioning-tutorial.md

Modified by Hamsika45 on Mar 18, 2026 7:20 AM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: resolving suggestions in all files

Changes:

Before

After

 
	![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png)
 
1. Set **+ New configuration**.
 
	![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. Select **Create** to create your configuration.	
 
1. Select **Properties** in the **Overview** page. 
 
1. Select the pencil to edit the properties. Enable notification emails and provide an email to receive quarantine emails. Enable accidental deletions prevention. Select **Apply** to save the changes.
 
   ![Screenshot of Provisioning properties.](common/provisioning-properties.png)

 
	![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png)
 
1. Select **+ New configuration**.
 
	![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. Select **Create** to create your configuration.	
 
1. Select **Properties** on the **Overview** page.
 
1. Select the **Edit** icon to edit the properties. Enable notification emails and provide an email to receive quarantine emails. Enable accidental deletions prevention. Select **Apply** to save the changes.
 
   ![Screenshot of Provisioning properties.](common/provisioning-properties.png)

MODIFIED docs/identity/saas-apps/logicgate-provisioning-tutorial.md

Modified by Hamsika45 on Mar 18, 2026 7:20 AM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: resolving suggestions in all files

Changes:

Before

After

 
	![Provision tab](common/provisioning.png)
 
1. Set **+ New configuration**.
 
	![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. Select **Create** to create your configuration.	
 
1. Select **Properties** in the **Overview** page. 
 
1. Select the pencil to edit the properties. Enable notification emails and provide an email to receive quarantine emails. Enable accidental deletions prevention. Select **Apply** to save the changes.
 
   ![Screenshot of Provisioning properties.](common/provisioning-properties.png)

 
	![Provision tab](common/provisioning.png)
 
1. Select **+ New configuration**.
 
	![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. Select **Create** to create your configuration.	
 
1. Select **Properties** on the **Overview** page.
 
1. Select the **Edit** icon to edit the properties. Enable notification emails and provide an email to receive quarantine emails. Enable accidental deletions prevention. Select **Apply** to save the changes.
 
   ![Screenshot of Provisioning properties.](common/provisioning-properties.png)

MODIFIED docs/identity/saas-apps/keystone-provisioning-tutorial.md

Modified by Hamsika45 on Mar 18, 2026 7:20 AM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: resolving suggestions in all files

Changes:

Before

After

 
	![Screenshot of Provisioning tab.](common/provisioning.png)
 
1. Set **+ New configuration**.
 
	![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. Select **Create** to create your configuration.	
 
1. Select **Properties** in the **Overview** page. 
 
1. Select the pencil to edit the properties. Enable notification emails and provide an email to receive quarantine emails. Enable accidental deletions prevention. Select **Apply** to save the changes.
 
   ![Screenshot of Provisioning properties.](common/provisioning-properties.png)

 
	![Screenshot of Provisioning tab.](common/provisioning.png)
 
1. Select **+ New configuration**.
 
	![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. Select **Create** to create your configuration.	
 
1. Select **Properties** on the **Overview** page. 
 
1. Select the **Edit** icon to edit the properties. Enable notification emails and provide an email to receive quarantine emails. Enable accidental deletions prevention. Select **Apply** to save the changes.
 
   ![Screenshot of Provisioning properties.](common/provisioning-properties.png)

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files