📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 19th 2026, 9:11 PM PDT

Report generated on March 20th 2026, 9:11 PM PDT

📊 Summary

Total Commits: 32
New Files: 3
Modified Files: 14
Deleted Files: 0
Contributors: 14

🆕 New Documentation Files

+274 lines added
Commit: Update tenant governance articles per PM feedback
+247 lines added
Commit: Update tenant governance articles per PM feedback
+93 lines added
Commit: Update tenant governance articles per PM feedback

📝 Modified Documentation Files

+22 / -20 lines changed
Commit: Update metadata and content in troubleshooting guide
Changes:
Before
After
# Troubleshoot the Global Secure Access mobile client with Health check utility
This article's troubleshooting guidance is for the [Global Secure Access](/entra/global-secure-access/overview-what-is-global-secure-access) iOS client, using the health check utility in [Microsoft Defender](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description).
The Global Secure Access mobile client health check utility helps you understand if a device can communicate with the Global Secure Access service and tunnel traffic. The health check has a single view for device compliance, local network configuration, and policy service readiness signals. When required conditions are met, the health check utility reports a healthy state and traffic forwarding functions as expected.
## Run the health check
Review the Global Secure Access client health check on an iOS device.
1. On the device, navigate to **Microsoft Defender**.
2. Select **Global Secure Access**.
> [!NOTE]
> If attempts fail to fix the results, contact [Microsoft Support](/services-hub/unified/support/contact-support).
## Health check: device compliance
Your organization might use [Microsoft Intune](/intune/intune-service/fundamentals/what-is-intune) to define device compliance policies, and [Microsoft Entra Conditional Access](/entra/identity/conditional-access/) policies to enforce the requirement to use Global Secure Access applications. Therefore, the device fails this test if it doesn't meet compliance criteria.
# Troubleshoot the Global Secure Access mobile client with Health check utility
This article's troubleshooting guidance is for the [Global Secure Access](/entra/global-secure-access/overview-what-is-global-secure-access) mobile client, using the health check utility in [Microsoft Defender](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description).
The Global Secure Access mobile client health check utility helps you understand if a device can communicate with the Global Secure Access service and tunnel traffic. The health check has a single view for device compliance, local network configuration, and policy service readiness signals. When required conditions are met, the health check utility reports a healthy state and traffic forwarding functions as expected.
## Run the health check
Review the Global Secure Access client health check on a mobile client.
1. On the device, navigate to **Microsoft Defender**.
2. Select **Global Secure Access**.
> [!NOTE]
> If attempts fail to fix the results, contact [Microsoft Support](/services-hub/unified/support/contact-support).
## Device compliant
Your organization might use [Microsoft Intune](/intune/intune-service/fundamentals/what-is-intune) to define device compliance policies, and [Microsoft Entra Conditional Access](/entra/identity/conditional-access/) policies to enforce the requirement to use Global Secure Access applications. Therefore, the device fails this test if it doesn't meet compliance criteria.
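Review bot: the renamed heading `## Device compliant` reads as a status label rather than a section title, and the sentence under "Run the health check" now says "on a mobile client" while step 1 right after it says "On the device". Suggest a noun-phrase heading such as "Device compliance" and "on a mobile device" in that sentence. Renaming the heading also changes its anchor, so check for inbound links to the old `#health-check-device-compliance` anchor.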
Modified by barclayn on Mar 20, 2026 12:07 PM
+12 / -12 lines changed
Commit: Apply reviewer feedback: lightbox, alt text, typos, agent rules
Changes:
Before
After
 
1. Go to **Backup and recovery** > **Backups**. Select a backup from the list, and then select **Create difference report**.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-backups-page.png" alt-text="Screenshot of the Backups page in the Microsoft Entra admin center showing a list of available backups with a Create difference report button in the toolbar.":::
 
1. (Optional) Apply filters to limit the scope of objects included in the report. Choose one of these options:
 
- **Include all objects in their previous state**: Compares all supported objects in the tenant.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-all-objects.png" alt-text="Screenshot of the Create difference report dialog with the Include all objects in their previous state option selected.":::
 
- **Include only certain types of objects**: Limits the report to selected object types, such as Users and Groups.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-object-types.png" alt-text="Screenshot of the Create difference report dialog with the Include only certain types of objects option selected and Users, Groups chosen in the object type dropdown.":::
 
- **Include only specific objects by their ID**: Limits the report to specific objects by their object IDs. Enter up to 100 object IDs across different object types.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-object-ids.png" alt-text="Screenshot of the Create difference report dialog with the Include only specific objects by their ID option selected, showing a list of object IDs including Users, Groups, and Named Location Policies.":::
 
1. Select **Create difference report** to start the report.
 
1. Go to **Backup and recovery** > **Backups**. Select a backup from the list, and then select **Create difference report**.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-backups-page.png#lightbox" alt-text="Screenshot of the Backups page showing available backups with a Create difference report button in the toolbar.":::
 
1. (Optional) Apply filters to limit the scope of objects included in the report. Choose one of these options:
 
- **Include all objects in their previous state**: Compares all supported objects in the tenant.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-all-objects.png#lightbox" alt-text="Screenshot of the Create difference report dialog with the Include all objects in their previous state option selected.":::
 
- **Include only certain types of objects**: Limits the report to selected object types, such as Users and Groups.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-object-types.png#lightbox" alt-text="Screenshot of the Create difference report dialog with the Include only certain types of objects option selected.":::
 
- **Include only specific objects by their ID**: Limits the report to specific objects by their object IDs. Enter up to 100 object IDs across different object types.
 
:::image type="content" source="media/create-review-difference-reports/create-difference-report-object-ids.png#lightbox" alt-text="Screenshot of the Create difference report dialog with the Include only specific objects by ID option selected.":::
 
1. Select **Create difference report** to start the report.
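Review bot: the four `:::image` lines in the After text append `#lightbox` to the `source` path (for example `source="media/create-review-difference-reports/create-difference-report-backups-page.png#lightbox"`), whereas the recover-applications change in this same report sets a separate `lightbox="..."` attribute on its `:::image` lines. Suggest using the `lightbox` attribute here too and leaving `source` as the plain image path, then confirming in preview that the images still resolve. The same pattern appears in the other "Apply reviewer feedback" hunks in this report.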
Modified by barclayn on Mar 20, 2026 12:07 PM
+10 / -10 lines changed
Commit: Apply reviewer feedback: lightbox, alt text, typos, agent rules
Changes:
Before
After
After you determine the cause of the changes, validate whether the secrets for applications were impacted. Find changes to application secrets in the audit log. Look for events that indicate the application secret was changed or updated.
 
 
The nature of the change and whether secrets were impacted determine the best path for recovery for your applications. Any time an application, service principal, or user is recovered from soft-delete, the secret is recovered to the state it was in when the delete action occurred.
 
## Recover accidental changes when secrets weren't impacted
 
1. Find the Key Vault that you configured with this application.
1. Browse to **Secrets** and select the secret to see the current version.
 
:::image type="content" source="./media/recover-applications/key-vault-secrets-list.png" alt-text="The Azure Key Vault Secrets page showing a secret with Enabled status." lightbox="./media/recover-applications/key-vault-secrets-list.png":::
 
:::image type="content" source="./media/recover-applications/key-vault-secret-versions.png" alt-text="The Azure Key Vault secret versions page showing the current version enabled and an older version disabled." lightbox="./media/recover-applications/key-vault-secret-versions.png":::
 
1. Select **Show Secret Value** and compare the first three characters of the secret with the secret value configured in your application registration in the Microsoft Entra admin center. If they match, your secrets were unaltered and continue to function as expected.
 
:::image type="content" source="./media/recover-applications/key-vault-secret-value-comparison.png" alt-text="The Azure Key Vault secret version detail page with the secret value revealed, highlighting the first three characters for comparison." lightbox="./media/recover-applications/key-vault-secret-value-comparison.png":::
 
:::image type="content" source="./media/recover-applications/entra-app-certificates-secrets.png" alt-text="The Certificates and secrets page for an application in the Microsoft Entra admin center, showing the first three characters of the secret value for comparison with Azure Key Vault." lightbox="./media/recover-applications/entra-app-certificates-secrets.png":::
 
After you determine the cause of the changes, validate whether the secrets for applications were impacted. Find changes to application secrets in the audit log. Look for events that indicate the application secret was changed or updated.
 
 
The nature of the change and whether secrets were impacted determine the best path for recovery for your applications. Anytime an application, service principal, or user is recovered from soft-delete, the secret is recovered to the state it was in when the delete action occurred.
 
## Recover accidental changes when secrets weren't impacted
 
1. Find the Key Vault that you configured with this application.
1. Browse to **Secrets** and select the secret to see the current version.
 
:::image type="content" source="./media/recover-applications/key-vault-secrets-list.png" alt-text="Screenshot of the Azure Key Vault Secrets page showing a secret with Enabled status." lightbox="./media/recover-applications/key-vault-secrets-list.png":::
 
:::image type="content" source="./media/recover-applications/key-vault-secret-versions.png" alt-text="Screenshot of the Key Vault secret versions page with the current version enabled and an older version disabled." lightbox="./media/recover-applications/key-vault-secret-versions.png":::
 
1. Select **Show Secret Value** and compare the first three characters of the secret with the secret value configured in your application registration in the Microsoft Entra admin center. If they match, your secrets were unaltered and continue to function as expected.
 
:::image type="content" source="./media/recover-applications/key-vault-secret-value-comparison.png" alt-text="Screenshot of the Key Vault secret version detail page with the secret value revealed for comparison." lightbox="./media/recover-applications/key-vault-secret-value-comparison.png":::
 
:::image type="content" source="./media/recover-applications/entra-app-certificates-secrets.png" alt-text="Screenshot of the Certificates and secrets page showing the secret value for comparison with Key Vault." lightbox="./media/recover-applications/entra-app-certificates-secrets.png":::
 
Modified by barclayn on Mar 20, 2026 10:03 AM
+11 / -8 lines changed
Commit: Add screenshots and format Review failed changes section
Changes:
Before
After
 
## Review failed changes
 
If a recovery operation partially succeeds, the **Status** column shows **Completed with warnings**, allowing you to identify objects that weren't recovered. Click on **Completed with warnings** to view the details of the changes that were not recovered.
<!-- screeshot placeholder -->
 
Select **Changed attributes** or **Changed Links** of an object to view the details of the failure.
<!-- screeshot placeholder -->
 
**Value at recovery attempt** shows the attribute value at the time the recovery was attempted. **Backup value** shows the value the recovery service attempted to restore.
<!-- screeshot placeholder -->
 
Use failed recovery entries to:
Identify which recovery operation and object didn't complete successfully.
Confirm the backup point that was used.
View failure details that explain why the recovery didn't succeed.
 
 
> [!NOTE]
> Failed recovery records remain available for 5 days after the recovery completion date.
 
## Review failed changes
 
If a recovery operation partially succeeds, the **Status** column shows **Completed with warnings**, allowing you to identify objects that weren't recovered. Select **Completed with warnings** to view the details of the changes that were not recovered.
 
:::image type="content" source="media/review-recovery-history/recovery-completed-with-warnings.png" alt-text="Screenshot of the Recovery History page showing four recovery operations, with the first entry displaying a Completed with Warnings status highlighted in orange, alongside columns for Recovery ID, Status, Backup timestamp, Backup ID, Recovery started, Recovery completed, Modified objects, Modified links, Filtered by, and Backup.":::
 
Select **Changed Attributes** or **Changed Links** of an object to view the details of the failure.
 
:::image type="content" source="media/review-recovery-history/failed-recovery-changes.png" alt-text="Screenshot of the Failed recovery changes page showing recovery job details including Recovery job ID, Status Completed with Warnings, Backup timestamp, Recovery started and completed times, and a table listing the TestUser 1111 user object with a Restore recovery action, one changed attribute, zero changed links, and Error Code 400.":::
 
**Value at recovery attempt** shows the attribute value at the time the recovery was attempted. **Backup value** shows the value the recovery service attempted to restore.
 
:::image type="content" source="media/review-recovery-history/failed-changed-attributes.png" alt-text="Screenshot of the View failed changed attributes flyout for a user object showing Error code 400 with conflict details, and a table comparing the Value at recovery attempt and Backup value of the deletedDateTime attribute.":::
 
Use failed recovery entries to:
 
- Identify which recovery operation and object didn't complete successfully.
- Confirm the backup point that was used.
- View failure details that explain why the recovery didn't succeed.
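Review bot: the `[!NOTE]` stating that failed recovery records remain available for 5 days after the recovery completion date appears in the Before text but not in the After text shown here. If it was dropped while the bullet list was being formatted, restore it after the list, since that retention window determines how long an admin has to investigate a partial recovery. In the first paragraph, "weren't recovered" and "were not recovered" are mixed in consecutive sentences; use the contraction in both.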
Modified by barclayn on Mar 20, 2026 12:07 PM
+8 / -8 lines changed
Commit: Apply reviewer feedback: lightbox, alt text, typos, agent rules
Changes:
Before
After
 
1. Go to **Backup and recovery** > **Difference reports**. Select a completed difference report.
 
:::image type="content" source="media/recover-objects/difference-reports-select.png" alt-text="Screenshot of the Difference Reports page showing three completed reports with available backups.":::
 
1. After inspecting the objects listed in the difference report, select **Recover** to start recovery.
 
:::image type="content" source="media/recover-objects/recover-from-difference-report.png" alt-text="Screenshot of the Recover from difference report dialog showing the list of objects that will be recovered, with the Recover button at the bottom.":::
 
If you recover from a difference report that was created with scoping filters, recovery automatically uses the same scope and doesn't allow additional filtering. To recover a different set of objects, start from the backups page and run difference report to review changes.
 
1. (Optional) To recover a single high-priority object without initiating a full recovery job, open the object's changed attributes panel and select **Recover this object**.
 
:::image type="content" source="media/recover-objects/recover-single-object.png" alt-text="Screenshot of the View changed attributes panel for a user object, with a confirmation dialog asking to recover the specific object.":::
 
Difference reports are a point-in-time comparison. If objects are modified in the tenant after the report is created, those changes aren't reflected in the report. When you recover from a difference report, recovery applies to the tenant's most current state. This might result in a different set of changes than the difference report shows.
 
 
1. Go to **Backup and recovery** > **Backups**. Select a backup and select **Recover backup**.
 
 
1. Go to **Backup and recovery** > **Difference reports**. Select a completed difference report.
 
:::image type="content" source="media/recover-objects/difference-reports-select.png#lightbox" alt-text="Screenshot of the Difference Reports page showing three completed reports with available backups.":::
 
1. After inspecting the objects listed in the difference report, select **Recover** to start recovery.
 
:::image type="content" source="media/recover-objects/recover-from-difference-report.png#lightbox" alt-text="Screenshot of the Recover from difference report dialog showing the list of objects that will be recovered, with the Recover button at the bottom.":::
 
If you recover from a difference report that was created with scoping filters, recovery automatically uses the same scope and doesn't allow additional filtering. To recover a different set of objects, start from the backups page and run difference report to review changes.
 
1. (Optional) To recover a single high-priority object without initiating a full recovery job, open the object's changed attributes panel and select **Recover this object**.
 
:::image type="content" source="media/recover-objects/recover-single-object.png#lightbox" alt-text="Screenshot of the View changed attributes panel for a user object, with a confirmation dialog asking to recover the specific object.":::
 
Difference reports are a point-in-time comparison. If objects are modified in the tenant after the report is created, those changes aren't reflected in the report. When you recover from a difference report, recovery applies to the tenant's most current state. This might result in a different set of changes than the difference report shows.
 
 
1. Go to **Backup and recovery** > **Backups**. Select a backup and select **Recover backup**.
 
Modified by barclayn on Mar 20, 2026 12:07 PM
+7 / -7 lines changed
Commit: Apply reviewer feedback: lightbox, alt text, typos, agent rules
Changes:
Before
After
 
An app role assignment records when a user, group, or service principal is assigned an app role for an app. All properties of app role assignment are in scope. View all app role assignment details and properties in the [Microsoft Graph appRoleAssignment resource type](/graph/api/resources/approleassignment).
 
App role assigments aren’t recovered independently. For difference report and recovery scoping, service principals, OAuth2 permission grants, and app role assignments are grouped under a single filter in the Microsoft Entra admin center.
 
## Organization
 
- `StrongAuthenticationDetails`
- `availableMFAMethods`
 
:::image type="content" source="media/scope-supported-objects-limitations/organization-available-mfa-methods.png" alt-text="Screenshot showing the availableMFAMethods property under StrongAuthenticationDetails.":::
 
- `IsApplicationPasswordBlocked`
 
:::image type="content" source="media/scope-supported-objects-limitations/organization-app-password-blocked.png" alt-text="Screenshot showing the IsApplicationPasswordBlocked property under StrongAuthenticationDetails.":::
 
- `IsRememberDevicesEnabled`
 
:::image type="content" source="media/scope-supported-objects-limitations/organization-remember-devices-enabled.png" alt-text="Screenshot showing the IsRememberDevicesEnabled property under StrongAuthenticationDetails.":::
 
 
An app role assignment records when a user, group, or service principal is assigned an app role for an app. All properties of app role assignment are in scope. View all app role assignment details and properties in the [Microsoft Graph appRoleAssignment resource type](/graph/api/resources/approleassignment).
 
App role assignments aren’t recovered independently. For difference report and recovery scoping, service principals, OAuth2 permission grants, and app role assignments are grouped under a single filter in the Microsoft Entra admin center.
 
## Organization
 
- `StrongAuthenticationDetails`
- `availableMFAMethods`
 
:::image type="content" source="media/scope-supported-objects-limitations/organization-available-mfa-methods.png#lightbox" alt-text="Screenshot showing the availableMFAMethods property under StrongAuthenticationDetails.":::
 
- `IsApplicationPasswordBlocked`
 
:::image type="content" source="media/scope-supported-objects-limitations/organization-app-password-blocked.png#lightbox" alt-text="Screenshot showing the IsApplicationPasswordBlocked property under StrongAuthenticationDetails.":::
 
- `IsRememberDevicesEnabled`
 
:::image type="content" source="media/scope-supported-objects-limitations/organization-remember-devices-enabled.png#lightbox" alt-text="Screenshot showing the IsRememberDevicesEnabled property under StrongAuthenticationDetails.":::
 
+5 / -5 lines changed
Commit: idp-remediation
Changes:
Before
After
description: Identifying risk-based Conditional Access policies
ms.service: entra-id-protection
ms.topic: concept-article
ms.date: 01/07/2026
ms.reviewer: cokoopma
ms.custom: sfi-image-nochange
---
 
Policies requiring either #1 or #2 forces end users to remediate their user risk and unblock themselves.
 
## Require risk remediation with Microsoft-managed remediation (preview)
 
The Microsoft-managed remediation risk-based Conditional Access policy lets you author a risk policy that accommodates all authentication methods, including password-based and passwordless. This means that when you select "Require risk remediation" in your policy's grant controls, Microsoft Entra ID Protection manages the appropriate remediation flow based on the threat observed and the user's authentication method. For detailed steps on how to enable Microsoft-managed remediation, see [Configure risk policies](howto-identity-protection-configure-risk-policies.md#microsoft-recommendations).
 
- **Password authentication**: Risky user has an active risk detection, such as a leaked credential, password spray, or session history involving a compromised password. The user is prompted to perform a secure password change and when completed, their previous sessions are revoked.
- **Passwordless authentication**: Risky user has an active risk detection, but it doesn't involve a compromised password. Possible risk detections include anomalous token, impossible travel, or unfamiliar sign-in properties. The user's sessions are revoked and they're prompted to sign in again.
 
### Special considerations
 
- [Microsoft Entra ID P2](https://www.microsoft.com/security/business/microsoft-entra-pricing) is required to use the Microsoft-managed remediation policy.
description: Identifying risk-based Conditional Access policies
ms.service: entra-id-protection
ms.topic: concept-article
ms.date: 03/20/2026
ms.reviewer: cokoopma
ms.custom: sfi-image-nochange
---
 
Policies requiring either #1 or #2 forces end users to remediate their user risk and unblock themselves.
 
## Require risk remediation control (preview)
 
This control uses adaptive risk remediation to let you author a Conditional Access risk policy that accommodates all authentication methods, including password-based and passwordless. This means that when you select "Require risk remediation" in your policy's grant controls, Microsoft Entra ID Protection manages the appropriate remediation flow based on the threat observed and the user's authentication method. For detailed steps on how to enable adaptive risk remediation, see [Configure risk policies](howto-identity-protection-configure-risk-policies.md#microsoft-recommendations).
 
- **Password authentication**: Risky user has an active risk detection, such as a leaked credential, password spray, or session history involving a compromised password. The user is prompted to perform a secure password change and when completed, their previous sessions are revoked.
- **Passwordless authentication**: Risky user has an active risk detection, but it doesn't involve a compromised password. Possible risk detections include anomalous token, impossible travel, or unfamiliar sign-in properties. The user's sessions are revoked and they're prompted to sign in again.
 
#### Special considerations
 
- [Microsoft Entra ID P2](https://www.microsoft.com/security/business/microsoft-entra-pricing) is required to use the adaptive risk remediation policy.
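Review bot: `#### Special considerations` now sits directly under the H2 `## Require risk remediation control (preview)`, so in the lines shown the heading level jumps from 2 to 4. Keep it at `###` unless an H3 is introduced between them. The After text also uses several names for one feature ("Require risk remediation control", "adaptive risk remediation", "adaptive risk remediation policy"); pick one term and define it on first use so readers can match it to the grant control label.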
Modified by barclayn on Mar 20, 2026 12:07 PM
+2 / -2 lines changed
Commit: Apply reviewer feedback: lightbox, alt text, typos, agent rules
Changes:
Before
After
 
1. Browse to **Backup and recovery**. The **Overview** page shows feature highlights, alerts, and recent activity.
 
:::image type="content" source="media/view-available-backups/backup-recovery-overview.png" alt-text="Screenshot of the Backup and recovery Overview page in the Microsoft Entra admin center, showing feature highlights and alerts.":::
 
1. Select **Backups** to view the list of available backups for your tenant. Each backup shows its timestamp and backup ID.
 
:::image type="content" source="media/view-available-backups/backups-list.png" alt-text="Screenshot of the Backups page showing a list of five available backups with their timestamps and backup IDs.":::
 
From the **Backups** page, select a backup to [create a difference report](create-review-difference-reports.md) or [start a recovery](recover-objects.md).
 
 
1. Browse to **Backup and recovery**. The **Overview** page shows feature highlights, alerts, and recent activity.
 
:::image type="content" source="media/view-available-backups/backup-recovery-overview.png#lightbox" alt-text="Screenshot of the Backup and recovery Overview page in the Microsoft Entra admin center, showing feature highlights and alerts.":::
 
1. Select **Backups** to view the list of available backups for your tenant. Each backup shows its timestamp and backup ID.
 
:::image type="content" source="media/view-available-backups/backups-list.png#lightbox" alt-text="Screenshot of the Backups page showing a list of five available backups with their timestamps and backup IDs.":::
 
From the **Backups** page, select a backup to [create a difference report](create-review-difference-reports.md) or [start a recovery](recover-objects.md).
 
Modified by shlipsey3 on Mar 20, 2026 7:00 PM
+1 / -1 lines changed
Commit: roles
Changes:
Before
After
 
Security Store is embedded in the Microsoft Entra admin center, so you can discover and deploy agents and solutions without leaving your identity management workflow.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a []().
1. Browse to **Security Store**.
1. Browse or search for the agent or solution you want to deploy.
- Use the **All** and **Agent** tabs to filter results.
 
Security Store is embedded in the Microsoft Entra admin center, so you can discover and deploy agents and solutions without leaving your identity management workflow.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
1. Browse to **Security Store**.
1. Browse or search for the agent or solution you want to deploy.
- Use the **All** and **Agent** tabs to filter results.
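Review bot: step 1 removes the broken `as at least a []()` fragment but leaves the sign-in step with no role requirement at all. If deploying agents or solutions from Security Store needs a specific role, name the least-privileged one here with a working link; if no role is required, say so explicitly rather than leaving it unstated.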
Modified by Justinha on Mar 20, 2026 6:09 PM
+1 / -1 lines changed
Commit: Update link text and remove locale from external MFA entry
Changes:
Before
After
**Service category:** MFA
**Product capability:** User Authentication
 
We're excited to announce that external authentication methods in Microsoft Entra ID is now generally available under a new name: External Multifactor Authentication (External MFA). This capability enables organizations to meet multifactor authentication requirements while continuing to use their preferred MFA provider. Microsoft Entra ID remains the identity control plane, performing full policy evaluation and access decisions on every sign in, including real time Conditional Access enforcement and sign in risk assessment. Learn more in our [documentation](../identity/authentication/how-to-authentication-external-method-manage.md).
 
---
 
**Service category:** MFA
**Product capability:** User Authentication
 
We're excited to announce that external authentication methods in Microsoft Entra ID is now generally available under a new name: External Multifactor Authentication (External MFA). This capability enables organizations to meet multifactor authentication requirements while continuing to use their preferred MFA provider. Microsoft Entra ID remains the identity control plane, performing full policy evaluation and access decisions on every sign in, including real time Conditional Access enforcement and sign in risk assessment. For more information, see [How to enable external MFA](../identity/authentication/how-to-authentication-external-method-manage.md).
 
---
 
+1 / -1 lines changed
Commit: idp-remediation
Changes:
Before
After
 
### Require risk remediation
 
When user risk is detected, users can self-remediate by completing the appropriate remediation flow, regardless of their authentication method. The Microsoft-managed remediation policy in Conditional Access accommodates all authentication methods, including password-based and passwordless. For more information, see [Require risk remediation with Microsoft-managed remediation (preview)](../../id-protection/concept-identity-protection-policies.md#require-risk-remediation-with-microsoft-managed-remediation-preview).
 
When you select **Require risk remediation** as a grant control, the following settings are automatically applied to the policy:
- **Require authentication strength**
 
### Require risk remediation
 
When user risk is detected, users can self-remediate by completing the appropriate remediation flow, regardless of their authentication method. The Microsoft-managed remediation policy in Conditional Access accommodates all authentication methods, including password-based and passwordless. For more information, see [Require risk remediation with Microsoft-managed remediation (preview)](../../id-protection/concept-identity-protection-policies.md#require-risk-remediation-control-preview).
 
When you select **Require risk remediation** as a grant control, the following settings are automatically applied to the policy:
- **Require authentication strength**
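Review bot: only the anchor changed, to `#require-risk-remediation-control-preview`; the link text still reads "Require risk remediation with Microsoft-managed remediation (preview)" and the sentence before it still says "The Microsoft-managed remediation policy". Update both to match the renamed heading and the "adaptive risk remediation" wording introduced in the ID Protection article by the same commit, so the two pages agree.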
+1 / -1 lines changed
Commit: Apply suggestion from @v-regandowner
Changes:
Before
After
 
## Enable Azure Web Application Firewall
 
To enable WAF for protection, configure a WAF policy and associate it with Azure Front Door Premium. Microsoft optimizes Azure Front Door premium for security and manages the rule sets provided by the WAF to protect against common vulnerabilities including cross-site scripting and Javascript exploits. Additionally, Azure WAF provides rule sets that help protect against malicious bot activity and provide layer 7 DDoS protection for your application.
 
### Create Azure Web Application Firewall policy
 
 
## Enable Azure Web Application Firewall
 
To enable WAF for protection, configure a WAF policy and associate it with Azure Front Door Premium. Microsoft optimizes Azure Front Door premium for security and manages the rule sets provided by the WAF to protect against common vulnerabilities including cross-site scripting and JavaScript exploits. Additionally, Azure WAF provides rule sets that help protect against malicious bot activity and provide layer 7 DDoS protection for your application.
 
### Create Azure Web Application Firewall policy
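Review bot: the sentence that fixes "JavaScript" still writes "Azure Front Door premium" in lowercase, while the sentence before it writes "Azure Front Door Premium". Capitalize the tier name consistently in the same pass.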
 
Modified by barclayn on Mar 20, 2026 12:07 PM
+1 / -1 lines changed
Commit: Apply reviewer feedback: lightbox, alt text, typos, agent rules
Changes:
Before
After
 
**If the difference report is running for a long time:**
 
See the [estimated difference report generation time](backup-difference-report-recovery-model.md). Large tenants or large change sets might take longer to process.
 
- Allow the report to continue running unless cancellation is required.
 
 
**If the difference report is running for a long time:**
 
See the [estimated difference report generation time](backup-difference-report-recovery-model.md). Large tenants or large changesets might take longer to process.
 
- Allow the report to continue running unless cancellation is required.
 
+1 / -1 lines changed
Commit: Clarify license requirements for cross-tenant sync
Changes:
Before
After
![Icon for the source tenant.](../../media/common/icons/entra-id-purple.png)<br/>**Source tenant**
 
::: zone pivot="same-cloud-synchronization"
- Microsoft Entra ID P1 or P2 license. For more information, see [License requirements](cross-tenant-synchronization-overview.md#license-requirements).
- [Security Administrator](../role-based-access-control/permissions-reference.md#security-administrator) role to configure cross-tenant access settings.
- [Hybrid Identity Administrator](../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) role to configure cross-tenant synchronization.
- [Cloud Application Administrator](../role-based-access-control/permissions-reference.md#cloud-application-administrator) or [Application Administrator](../role-based-access-control/permissions-reference.md#application-administrator) role to assign users to a configuration and to delete a configuration.
![Icon for the source tenant.](../../media/common/icons/entra-id-purple.png)<br/>**Source tenant**
 
::: zone pivot="same-cloud-synchronization"
- Microsoft Entra ID P1 or P2 license for cross-tenant user sync. Microsoft Entra ID Governance or Microsoft Entra Suite licenses for cross-tenant group sync. For more information, see [License requirements](cross-tenant-synchronization-overview.md#license-requirements).
- [Security Administrator](../role-based-access-control/permissions-reference.md#security-administrator) role to configure cross-tenant access settings.
- [Hybrid Identity Administrator](../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) role to configure cross-tenant synchronization.
- [Cloud Application Administrator](../role-based-access-control/permissions-reference.md#cloud-application-administrator) or [Application Administrator](../role-based-access-control/permissions-reference.md#application-administrator) role to assign users to a configuration and to delete a configuration.