MODIFIED docs/identity/saas-apps/knowledgeowl-tutorial.md

Modified by omondiatieno on Mar 19, 2026 10:41 AM
📖 View on learn.microsoft.com

+25 / -22 lines changed

Commit: update knowledgeowl and veza articles

Changes:

Before

After

description: Learn how to configure single sign-on between Microsoft Entra ID and KnowledgeOwl.
ms.reviewer: celested
ms.topic: how-to
ms.date: 03/25/2025
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and KnowledgeOwl so that I can control who has access to KnowledgeOwl, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
 
1. In a different web browser window, sign in to your KnowledgeOwl company site as an administrator.
 
1. Select **Settings** and then select **SSO**.
 
	![Screenshot shows SSO selected from the Settings menu.](./media/knowledgeowl-tutorial/settings-sso-dropdown.png)
 
1. In the Scroll to **SAML Settings** tab, perform the following steps:
 
	![Screenshot shows SAML S S O Integration where you can make the changes described here.](./media/knowledgeowl-tutorial/sso-settings-required-fields.png)
 
	a. Select **Enable SAML SSO**.
 

description: Learn how to configure single sign-on between Microsoft Entra ID and KnowledgeOwl.
ms.reviewer: celested
ms.topic: how-to
ms.date: 03/19/2026
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and KnowledgeOwl so that I can control who has access to KnowledgeOwl, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
 
1. In a different web browser window, sign in to your KnowledgeOwl company site as an administrator.
 
1. Select **Security and access** and then select **Single sign-on**.
 
1. In the **SAML Settings** tab, perform the following steps:
 
	![Screenshot shows the SAML settings where you can enable SAML SSO reader logins mentioned here.](./media/knowledgeowl-tutorial/sso-saml-settings.png)
 
	1. Select **Enable SAML SSO reader logins**.
 
	![Screenshot shows the Service provider metadata section where you can copy the values mentioned here.](./media/knowledgeowl-tutorial/service-provider-metadata.png)
 

MODIFIED docs/architecture/security-copilot-entra-proof-of-concept.md

Modified by Dennis Rea on Mar 19, 2026 4:27 PM
📖 View on learn.microsoft.com

+23 / -23 lines changed

Commit: Alt-text and indentation fixes

Changes:

Before

After

A Security Copilot in Entra PoC begins with your organization’s unique security challenges and objectives. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Copilot**. Prompts appear to get you started. You can explore these prompts or enter your prompt in the chat box. You can view the graph query used to derive results. 

   ![Screenshot of the Microsoft Entra admin center](./media/security-copilot-entra-poc/admin-center.png)

   ![Screenshot of Copilot topic history](./media/security-copilot-entra-poc/method-open-list.png)

### Persona functions

|---|---|---|
|Helpdesk Administrator|Investigate users blocked from sign-in, due to a risk event. To resolve the issue, Help Desk is on the call, with the user. |I'm investigating a user email **julie-b@contoso** blocked due to high risk. Help me understand why this user is blocked. Also, let me know if other users are blocked, due to the same situation, within the last 24 hours. |
|Security operations center (SOC) team member|Investigate a spike of password resets from a country/region, or department: determine trends or patterns. |I'm seeing a trend from an IP address that's high risk for multiple users. Review all user applications in the United States to determine if there’s a pattern of applications, services, or groups. |
|Identity administrator|Investigate the potential effects of a new Conditional Access policy|Show me the signins and the Conditional Access policies that apply. List users without registered multifactor authentication (MFA). Show me sign-in logs from unmanaged devices for the past 14 days|
|Tenant administrator|Guest management|Show me the guest users in the tenant|

## PoC scenarios: Microsoft Entra ID
2. Create end-user communication for changes that affects the user experience. 
3. Set up and/or confirm data retention for agent log and metrics.  
4. Apply Conditional Access optimization agent recommendations: 
  * Obtain and document a prioritized list of suggestions by chatting with the agent.  

A Security Copilot in Entra PoC begins with your organization’s unique security challenges and objectives. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Copilot**. Prompts appear to get you started. You can explore these prompts or enter your prompt in the chat box. You can view the graph query used to derive results. 

   ![Screenshot of the Microsoft Entra admin center.](./media/security-copilot-entra-poc/admin-center.png)

   ![Screenshot of Copilot topic history.](./media/security-copilot-entra-poc/method-open-list.png)

### Persona functions

|---|---|---|
|Helpdesk Administrator|Investigate users blocked from sign-in, due to a risk event. To resolve the issue, Help Desk is on the call, with the user. |I'm investigating a user email **julie-b@contoso** blocked due to high risk. Help me understand why this user is blocked. Also, let me know if other users are blocked, due to the same situation, within the last 24 hours. |
|Security operations center (SOC) team member|Investigate a spike of password resets from a country/region, or department: determine trends or patterns. |I'm seeing a trend from an IP address that's high risk for multiple users. Review all user applications in the United States to determine if there’s a pattern of applications, services, or groups. |
|Identity administrator|Investigate the potential effects of a new Conditional Access policy|Show me the sign-ins and the Conditional Access policies that apply. List users without registered multifactor authentication (MFA). Show me sign-in logs from unmanaged devices for the past 14 days|
|Tenant administrator|Guest management|Show me the guest users in the tenant|

## PoC scenarios: Microsoft Entra ID
2. Create end-user communication for changes that affects the user experience. 
3. Set up and/or confirm data retention for agent log and metrics.  
4. Apply Conditional Access optimization agent recommendations: 
   * Obtain and document a prioritized list of suggestions by chatting with the agent.  

MODIFIED docs/id-governance/tenant-governance/how-to-terminate-governance-relationship.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+6 / -6 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

 
1. Select **Terminate governance**.
 
   The relationship status changes to **Termination requested**. Tenant Governance sends an email notification to the governed tenant about the termination request.
 
1. Wait for the governed tenant to confirm the termination.
 
   When the governed tenant confirms, Tenant Governance deletes all relationship-related resources from the governed tenant, and the relationship status changes to **Terminated**.
 
### Confirm termination as the governed tenant
When the governing tenant initiates termination, the governed tenant must confirm the request to complete the process.
 
1. Select **Confirm termination**.
 
   Tenant Governance deletes all relationship-related resources from the governed tenant, and the relationship status changes to **Terminated**. Tenant Governance sends an email notification to the governing tenant that termination is complete.
 
## Directly terminate a relationship: Governed tenant
As the governed tenant, directly terminate a governance relationship without requiring approval from the governing tenant.
 
1. Review the details of the relationship, then confirm termination.

 
1. Select **Terminate governance**.
 
    The relationship status changes to **Termination requested**. Tenant Governance sends an email notification to the governed tenant about the termination request.
 
1. Wait for the governed tenant to confirm the termination.
 
    When the governed tenant confirms, Tenant Governance deletes all relationship-related resources from the governed tenant, and the relationship status changes to **Terminated**.
 
### Confirm termination as the governed tenant
When the governing tenant initiates termination, the governed tenant must confirm the request to complete the process.
 
1. Select **Confirm termination**.
 
    Tenant Governance deletes all relationship-related resources from the governed tenant, and the relationship status changes to **Terminated**. Tenant Governance sends an email notification to the governing tenant that termination is complete.
 
## Directly terminate a relationship: Governed tenant
As the governed tenant, directly terminate a governance relationship without requiring approval from the governing tenant.
 
1. Review the details of the relationship, then confirm termination.

MODIFIED docs/id-governance/tenant-governance/signals-metrics.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+6 / -6 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

 
This article focuses exclusively on:
 
1. Discovery signals and what they represent
 
1. How each signal is composed
 
1. How metric concepts apply to each signal
 
1. How to interpret signals and metrics together
 
## Discovery signals at a glance
 
At a conceptual level, this signal answers:
 
> *Are identities from one tenant authenticating into or collaborating with another tenant?*
 
This signal intentionally combines multiple identity inputs to reflect both breadth and depth of cross-tenant interaction.

 
This article focuses exclusively on:
 
- Discovery signals and what they represent
 
- How each signal is composed
 
- How metric concepts apply to each signal
 
- How to interpret signals and metrics together
 
## Discovery signals at a glance
 
At a conceptual level, this signal answers:
 
*Are identities from one tenant authenticating into or collaborating with another tenant?*
 
This signal intentionally combines multiple identity inputs to reflect both breadth and depth of cross-tenant interaction.

MODIFIED docs/id-governance/tenant-governance/governance-policy-templates.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

 
- Cross-tenant delegated administration roles - Specify which Microsoft Entra built-in roles users from the governing tenant have in the governed tenant.
 
- Multi-tenant applications - Select custom applications to create and manage across tenants.
 
After you create a template, you can use it to establish multiple governance relationships with different governed tenants, ensuring consistent access policies across your organization.
 
Each group can have multiple role assignments, and each policy template can have multiple groups defined. When you create the governance relationship, Tenant Governance creates [granular delegated admin privileges (GDAP)](/partner-center/customers/gdap-introduction) role assignments in the governed tenant.
 
## Multi-tenant application configuration
 
By selecting custom, multi-tenant applications in the policy template, you enable centralized application management. When you create the governance relationship, Tenant Governance creates a service principal with the same permissions in the governed tenant.
 
This capability allows you to manage your custom, multi-tenant applications at scale from the central governing tenant. You don't need to go into every tenant individually to monitor and maintain least privileged app access.
 
For example, assume you've built a custom line of business app called Contoso Resource Manager, responsible for monitoring, reporting, and automating resource configuration across your tenants. Use the governance relationship to set up a service principal instance of Contoso Resource Manager across your governed tenants, with the right provisioned permissions consented. When you need to add or remove permissions, do so through the governance relationship instead of making changes and consenting to permissions on a per-tenant basis.
 
## Related content

 
- Cross-tenant delegated administration roles - Specify which Microsoft Entra built-in roles users from the governing tenant have in the governed tenant.
 
- Multitenant applications - Select custom applications to create and manage across tenants.
 
After you create a template, you can use it to establish multiple governance relationships with different governed tenants, ensuring consistent access policies across your organization.
 
Each group can have multiple role assignments, and each policy template can have multiple groups defined. When you create the governance relationship, Tenant Governance creates [granular delegated admin privileges (GDAP)](/partner-center/customers/gdap-introduction) role assignments in the governed tenant.
 
## Multitenant application configuration
 
By selecting custom, multitenant applications in the policy template, you enable centralized application management. When you create the governance relationship, Tenant Governance creates a service principal with the same permissions in the governed tenant.
 
This capability allows you to manage your custom, multitenant applications at scale from the central governing tenant. You don't need to go into every tenant individually to monitor and maintain least privileged app access.
 
For example, assume you've built a custom line of business app called Contoso Resource Manager, responsible for monitoring, reporting, and automating resource configuration across your tenants. Use the governance relationship to set up a service principal instance of Contoso Resource Manager across your governed tenants, with the right provisioned permissions consented. When you need to add or remove permissions, do so through the governance relationship instead of making changes and consenting to permissions on a per-tenant basis.
 
## Related content

MODIFIED docs/id-governance/tenant-governance/how-to-update-governance-relationship.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+5 / -5 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

 
[!INCLUDE [entra-tenant-governance-preview-note](~/includes/entra-tenant-governance-preview-note.md)]
 
This article describes how to update an existing governance relationship between a governing tenant and a governed tenant. You might need to update a governance relationship to add or modify delegated administration roles or multi-tenant application configurations.
 
## Prerequisites
- You must have an active governance relationship between a governing tenant and a governed tenant.
 
1. Modify the template as needed. Update one or more of these configurations:
 
    - **Delegated administration roles**: Add or change the Microsoft Entra built-in roles assigned to security groups in the governing tenant. These roles determine the access level that users in those groups have when they sign in to the governed tenant.
 
    - **Multi-tenant application management**: Add or update custom, multi-tenant applications. When you update the relationship, Tenant Governance creates or updates a service principal with the corresponding permissions in the governed tenant.
 
1. Save the updated governance policy template. The version number of the template increments by one.
 
- If you updated delegated administration roles, Tenant Governance updates the GDAP role assignments in the governed tenant accordingly.
 
- If you updated multi-tenant application management, Tenant Governance updates the corresponding service principal and its permissions in the governed tenant.

 
[!INCLUDE [entra-tenant-governance-preview-note](~/includes/entra-tenant-governance-preview-note.md)]
 
This article describes how to update an existing governance relationship between a governing tenant and a governed tenant. You might need to update a governance relationship to add or modify delegated administration roles or multitenant application configurations.
 
## Prerequisites
- You must have an active governance relationship between a governing tenant and a governed tenant.
 
1. Modify the template as needed. Update one or more of these configurations:
 
    - **Delegated administration roles**: Add or change the Microsoft Entra built-in roles assigned to security groups in the governing tenant. These roles determine the access level that users in those groups have when they sign in to the governed tenant.
 
    - **Multitenant application management**: Add or update custom, multitenant applications. When you update the relationship, Tenant Governance creates or updates a service principal with the corresponding permissions in the governed tenant.
 
1. Save the updated governance policy template. The version number of the template increments by one.
 
- If you updated delegated administration roles, Tenant Governance updates the GDAP role assignments in the governed tenant accordingly.
 
- If you updated multitenant application management, Tenant Governance updates the corresponding service principal and its permissions in the governed tenant.

MODIFIED docs/id-governance/tenant-governance/deployment-guide.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+4 / -4 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

1. Configure the template:
 
   - **Cross-tenant delegated administration**: Select the Microsoft Entra built-in roles to assign, and specify the security groups in the governing tenant that receive those roles.
   - **Multi-tenant applications** (optional): Select custom applications to provision in governed tenants.
 
1. Save the template.
 
- A governance relationship object in both tenants
- Cross-tenant access settings updates
- GDAP role assignments (if delegated administration is configured)
- Service principals for multi-tenant applications (if application management is configured)
 
For complete setup instructions, see [Set up a governance relationship](how-to-setup-governance-relationship.md).
 
## Phase 4: Implement cross-tenant delegated administration
 
1. On the **Entra roles** tab, assign any required roles (for example, Teams Reader for Teams resources).
1. For Exchange, Security, and Compliance resources, assign permissions in the respective service admin centers.
 
For detailed instructions, see [Set up permissions for tenant monitoring](how-to-setup-permissions-tenant-monitoring.md).

1. Configure the template:
 
   - **Cross-tenant delegated administration**: Select the Microsoft Entra built-in roles to assign, and specify the security groups in the governing tenant that receive those roles.
   - **Multitenant applications** (optional): Select custom applications to provision in governed tenants.
 
1. Save the template.
 
- A governance relationship object in both tenants
- Cross-tenant access settings updates
- GDAP role assignments (if delegated administration is configured)
- Service principals for multitenant applications (if application management is configured)
 
For complete setup instructions, see [Set up a governance relationship](how-to-set-up-governance-relationship.md).
 
## Phase 4: Implement cross-tenant delegated administration
 
1. On the **Entra roles** tab, assign any required roles (for example, Teams Reader for Teams resources).
1. For Exchange, Security, and Compliance resources, assign permissions in the respective service admin centers.
 
For detailed instructions, see [Set up permissions for tenant monitoring](how-to-set-up-permissions-tenant-monitoring.md).

MODIFIED docs/id-governance/tenant-governance/overview.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+4 / -4 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

 
- Automatically detect tenants that are related to your tenant based on one or more discovery signals.
- The B2B discovery signal identifies and measures inbound and outbound B2B access, B2B registration, and B2B administrative access between your tenant and other tenants.
- The multi-tenant application discovery signal identifies tenants with registered multi-tenant applications that have permissions in your tenant, or tenants to which your registered multi-tenant applications have access.
- The billing discovery signal identifies tenants that share billing accounts with you, where either your tenant or the related tenant is an associated billing tenant for the billing account.
- View initial and recent metrics about the volume of relationships between your tenant and related tenants.
- Filter and sort the list of related tenants based on discovery signal findings to focus on tenants with particular types of risk that your organization prioritizes.
 
- Define a governance policy template to automatically create a governance relationship between your tenant and new tenants created by your users.
- Control which users can create new add-on tenants by assigning or limiting access to commerce billing accounts in your tenant.
- Use the Entra asset in your commerce billing account to streamline recovery of administrative access to an add-on tenant, such as when the last administrator of that tenant leaves your organization, or when a threat actor compromises the add-on tenant.
- Use the commerce API or the Microsoft Entra admin center to create a new add-on tenant.
 
Learn more about [creating a governed tenant](how-to-create-tenant.md).
 
Tenant Governance is available at two service levels: Tenant Governance Basic and Tenant Governance Premium. To see which Tenant Governance features are available at each service level, see [Microsoft Entra licensing](~/fundamentals/licensing.md).
 
Tenant configuration management APIs are generally available. Other Tenant Governance experiences are in public preview. All Tenant Governance capabilities are supported by Microsoft Customer Support for use in production environments.
 
## Next steps

 
- Automatically detect tenants that are related to your tenant based on one or more discovery signals.
- The B2B discovery signal identifies and measures inbound and outbound B2B access, B2B registration, and B2B administrative access between your tenant and other tenants.
- The multitenant application discovery signal identifies tenants with registered multitenant applications that have permissions in your tenant, or tenants to which your registered multitenant applications have access.
- The billing discovery signal identifies tenants that share billing accounts with you, where either your tenant or the related tenant is an associated billing tenant for the billing account.
- View initial and recent metrics about the volume of relationships between your tenant and related tenants.
- Filter and sort the list of related tenants based on discovery signal findings to focus on tenants with particular types of risk that your organization prioritizes.
 
- Define a governance policy template to automatically create a governance relationship between your tenant and new tenants created by your users.
- Control which users can create new add-on tenants by assigning or limiting access to commerce billing accounts in your tenant.
- Use the Microsoft Entra asset in your commerce billing account to streamline recovery of administrative access to an add-on tenant, such as when the last administrator of that tenant leaves your organization, or when a threat actor compromises the add-on tenant.
- Use the commerce API or the Microsoft Entra admin center to create a new add-on tenant.
 
Learn more about [creating a governed tenant](how-to-create-tenant.md).
 
Tenant Governance is available at two service levels: Tenant Governance Basic and Tenant Governance Premium. To see which Tenant Governance features are available at each service level, see [Microsoft Entra licensing](~/fundamentals/licensing.md).
 
Tenant configuration management APIs are generally available. Other Tenant Governance experiences are in preview. All Tenant Governance capabilities are supported by Microsoft Customer Support for use in production environments.
 
## Next steps

MODIFIED docs/global-secure-access/troubleshoot-global-secure-access-client-ios-health-check-utility.md

Modified by Marilee Turscak - MSFT on Mar 19, 2026 2:39 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Fixed small typos

Changes:

Before

After

In the [Microsoft Intune admin center](https://intune.microsoft.com/), confirm the following criteria:

* Device enrollment
  * If not, [enroll the device in Intune](/intune/intune-service/fundamentals/deployment-guide-enrollment)
* Device compliance
  * If not, open the **Company Portal** app on the client device and follow the steps to [remediate the issue](/intune/intune-service/user-help/check-device-access-windows-cpapp).

   > [!NOTE]

1. Navigate to **Global Secure Access**.
2. Under **Applications**, select **Quick Access**.
3. In the **Private DNS** tabm ensure **Private DNS** is not selected.

### Manual proxy setting disabled

In the [Microsoft Intune admin center](https://intune.microsoft.com/), confirm the following criteria:

1. Device enrollment
  * If not, [enroll the device in Intune](/intune/intune-service/fundamentals/deployment-guide-enrollment)
2. Device compliance
  * If not, open the **Company Portal** app on the client device and follow the steps to [remediate the issue](/intune/intune-service/user-help/check-device-access-windows-cpapp).

   > [!NOTE]

1. Navigate to **Global Secure Access**.
2. Under **Applications**, select **Quick Access**.
3. In the **Private DNS** tab, ensure **Private DNS** is not selected.

### Manual proxy setting disabled

MODIFIED docs/identity/saas-apps/veza-tutorial.md

Modified by omondiatieno on Mar 19, 2026 10:41 AM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: update knowledgeowl and veza articles

Changes:

Before

After

description: Learn how to configure single sign-on between Microsoft Entra ID and Veza.
ms.reviewer: jomondi
ms.topic: how-to
ms.date: 05/07/2024
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Veza so that I can control who has access to Veza, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
1. If you wish to configure the application in **SP** initiated mode, then perform the following step:
 
    In the **Sign-on URL** text box, type a URL using the following pattern:
    `https://<instancename>.veza.com/login`.
 
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
 

description: Learn how to configure single sign-on between Microsoft Entra ID and Veza.
ms.reviewer: jomondi
ms.topic: how-to
ms.date: 03/19/2026
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Veza so that I can control who has access to Veza, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
1. If you wish to configure the application in **SP** initiated mode, then perform the following step:
 
    In the **Sign-on URL** text box, type a URL using the following pattern:
    `https://<instancename>.vezacloud.com/login`.
 
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
 

MODIFIED docs/id-governance/tenant-governance/governance-relationships.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

| Scenario | Description |
|---|---|
| Cross-tenant delegated administration | Use governance relationships to centralize **least-privileged administrative access** across multiple Microsoft Entra tenants. Administrators sign in using accounts from the governing tenant. This approach eliminates the need to create and manage local or B2B administrator accounts in every governed tenant. |
| Multi-tenant application management | Manage custom, multi-tenant applications from the governing tenant. Administrators can monitor and maintain least-privileged application access across governed tenants without signing into each tenant individually. This approach reduces operational overhead and configuration drift. |
| Tenant configuration management | If you configured cross-tenant delegated administration in your governance relationship, use this administrative access to ensure that the tenant meets your organization's security and compliance objectives on an ongoing basis. |
| Secure tenant creation | When you create a new add-on tenant from an existing tenant, Tenant Governance automatically establishes a governance relationship between the parent tenant and the new tenant by using a default governance policy template. This step immediately brings newly created tenants under centralized administration and governance controls, reducing the risk of unmanaged or misconfigured tenants. |
 
 
## Related content
 
- [Set up a governance relationship](how-to-setup-governance-relationship.md)
- [Governance policy templates](governance-policy-templates.md)
- [Cross-tenant delegated administration](cross-tenant-delegated-administration.md)

| Scenario | Description |
|---|---|
| Cross-tenant delegated administration | Use governance relationships to centralize **least-privileged administrative access** across multiple Microsoft Entra tenants. Administrators sign in using accounts from the governing tenant. This approach eliminates the need to create and manage local or B2B administrator accounts in every governed tenant. |
| Multitenant application management | Manage custom, multitenant applications from the governing tenant. Administrators can monitor and maintain least-privileged application access across governed tenants without signing into each tenant individually. This approach reduces operational overhead and configuration drift. |
| Tenant configuration management | If you configured cross-tenant delegated administration in your governance relationship, use this administrative access to ensure that the tenant meets your organization's security and compliance objectives on an ongoing basis. |
| Secure tenant creation | When you create a new add-on tenant from an existing tenant, Tenant Governance automatically establishes a governance relationship between the parent tenant and the new tenant by using a default governance policy template. This step immediately brings newly created tenants under centralized administration and governance controls, reducing the risk of unmanaged or misconfigured tenants. |
 
 
## Related content
 
- [Set up a governance relationship](how-to-set-up-governance-relationship.md)
- [Governance policy templates](governance-policy-templates.md)
- [Cross-tenant delegated administration](cross-tenant-delegated-administration.md)

MODIFIED docs/id-governance/tenant-governance/how-to-interpret-discovery-data.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

 
- Investigate ownership (business unit, team, or developer).
- Evaluate whether IT should manage the tenant.
- Consider establishing a [governance relationship](how-to-setup-governance-relationship.md).
 
This approach aligns with the goal of bringing unsanctioned but legitimate tenants under governance, rather than blocking them.
 
- [Related tenants in Tenant Governance](related-tenants.md)
- [Signals and metrics for tenant discovery](signals-metrics.md)
- [Enable tenant discovery](how-to-enable-tenant-discovery.md)
- [Set up a governance relationship](how-to-setup-governance-relationship.md)

 
- Investigate ownership (business unit, team, or developer).
- Evaluate whether IT should manage the tenant.
- Consider establishing a [governance relationship](how-to-set-up-governance-relationship.md).
 
This approach aligns with the goal of bringing unsanctioned but legitimate tenants under governance, rather than blocking them.
 
- [Related tenants in Tenant Governance](related-tenants.md)
- [Signals and metrics for tenant discovery](signals-metrics.md)
- [Enable tenant discovery](how-to-enable-tenant-discovery.md)
- [Set up a governance relationship](how-to-set-up-governance-relationship.md)

MODIFIED docs/includes/licensing-tenant-governance.md

Modified by barclayn on Mar 19, 2026 7:18 AM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Apply reviewer feedback: Acrolinx fixes and formatting corrections

Changes:

Before

After

 
| Feature | Free | Microsoft Entra P1 | Microsoft Entra P2 | Microsoft Entra ID Governance |
|---|---|---|---|---|
| Discover related tenants through B2B collaboration, multi-tenant apps, and shared billing accounts | | | | ✅ |
 
### Governance relationships
 
| Feature | Free | Microsoft Entra P1 | Microsoft Entra P2 | Microsoft Entra ID Governance |
|---|---|---|---|---|
| Governance relationship with cross-tenant granular delegated admin privileges (GDAP) | | ✅ | ✅ | ✅ |
| Governance relationship with custom multi-tenant app injection | | | | ✅ |
 
### Secure tenant creation
 

 
| Feature | Free | Microsoft Entra P1 | Microsoft Entra P2 | Microsoft Entra ID Governance |
|---|---|---|---|---|
| Discover related tenants through B2B collaboration, multitenant apps, and shared billing accounts | | | | ✅ |
 
### Governance relationships
 
| Feature | Free | Microsoft Entra P1 | Microsoft Entra P2 | Microsoft Entra ID Governance |
|---|---|---|---|---|
| Governance relationship with cross-tenant granular delegated admin privileges (GDAP) | | ✅ | ✅ | ✅ |
| Governance relationship with custom multitenant app injection | | | | ✅ |
 
### Secure tenant creation
 

MODIFIED docs/global-secure-access/troubleshoot-global-secure-access-mobile-client-health-check-utility.md

Modified by Ed McKillop on Mar 19, 2026 6:11 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Update troubleshoot-global-secure-access-mobile-client-health-check-utility.md

Changes:

Before

After

---

# Troubleshoot the Global Secure Access mobile client with Health check utility

This article's troubleshooting guidance is for the [Global Secure Access](/entra/global-secure-access/overview-what-is-global-secure-access) iOS client, using the health check utility in [Microsoft Defender](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description). 

---

# Troubleshoot the Global Secure Access mobile client with Health check utility 

This article's troubleshooting guidance is for the [Global Secure Access](/entra/global-secure-access/overview-what-is-global-secure-access) iOS client, using the health check utility in [Microsoft Defender](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description). 

MODIFIED docs/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md

Modified by Diana Richards on Mar 19, 2026 3:30 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: space fix

Changes:

Before

After

---
 
# Provision Microsoft Entra ID to Active Directory - Configuration
The following document will guide you through configuring Microsoft Entra Cloud Sync for provisioning groups from Microsoft Entra ID to Active Directory. If you are looking for information on provisioning from AD to Microsoft Entra ID, see [ Configure - Provisioning Active Directory to Microsoft Entra ID using Microsoft Entra Cloud Sync](how-to-configure.md).
 
[!INCLUDE [deprecation](~/includes/gwb-v2-deprecation.md)]

---
 
# Provision Microsoft Entra ID to Active Directory - Configuration
The following document will guide you through configuring Microsoft Entra Cloud Sync for provisioning groups from Microsoft Entra ID to Active Directory. If you are looking for information on provisioning from AD to Microsoft Entra ID, see [Configure - Provisioning Active Directory to Microsoft Entra ID using Microsoft Entra Cloud Sync](how-to-configure.md).
 
[!INCLUDE [deprecation](~/includes/gwb-v2-deprecation.md)]

📋 Microsoft Entra Documentation Changes

📊 Summary

🆕 New Documentation Files

📝 Modified Documentation Files

🗑️ Deleted Documentation Files