📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 24th 2026, 9:39 PM PDT

Report generated on March 25th 2026, 9:39 PM PDT

📊 Summary

Total Commits: 60
New Files: 0
Modified Files: 76
Deleted Files: 0
Contributors: 15

πŸ“ Modified Documentation Files

+12 / -12 lines changed
Commit: Freshness review: App Proxy batch 5 — 3 heavy-screenshot articles (final batch)
Changes:
Before
After
title: Wildcard applications in Microsoft Entra application proxy
description: "Publish and manage multiple on-premises applications at once using wildcard URL patterns in Microsoft Entra application proxy."
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: KaTabish
ms.custom: it-pro, sfi-image-nochange
ai-usage: ai-assisted
 
For example: `http(s)://*.adventure-works.com`.
 
While the internal and external URLs can use different domains, as a best practice, they should be same. When publishing the application, you see an error if one of the URLs doesn't have a wildcard.
 
Creating a wildcard application is based on the same [application publishing flow](application-proxy-add-on-premises-application.md) that is available for all other applications. The only difference is that you include a wildcard in the URLs and potentially the SSO configuration.
 
 
For wildcard applications, the **Internal URL** must be formatted as `http(s)://*.<domain>`.
 
![For internal URL, use the format http(s)://*.\<domain>](./media/application-proxy-wildcard/22.png)
 
When you configure an **External URL**, you must use the following format: `https://*.<custom domain>`
title: Wildcard applications in Microsoft Entra application proxy
description: "Publish and manage multiple on-premises applications at once using wildcard URL patterns in Microsoft Entra application proxy."
ms.topic: how-to
ms.date: 03/25/2026
ms.reviewer: KaTabish
ms.custom: it-pro, sfi-image-nochange
ai-usage: ai-assisted
 
For example: `http(s)://*.adventure-works.com`.
 
While the internal and external URLs can use different domains, as a best practice, they should be the same. When publishing the application, you see an error if one of the URLs doesn't have a wildcard.
 
Creating a wildcard application is based on the same [application publishing flow](application-proxy-add-on-premises-application.md) that is available for all other applications. The only difference is that you include a wildcard in the URLs and potentially the SSO configuration.
 
 
For wildcard applications, the **Internal URL** must be formatted as `http(s)://*.<domain>`.
 
![For internal URL, use the format http(s)://*.\<domain>.](./media/application-proxy-wildcard/22.png)
 
When you configure an **External URL**, you must use the following format: `https://*.<custom domain>`
+5 / -12 lines changed
Commit: Revise iOS client installation guide details
Changes:
Before
After
---
title: The Global Secure Access Client for iOS (Preview)
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the iOS client app.
#customer intent: As an IT admin, I want to set up and deploy the Global Secure Access client for iOS devices so that I can secure network traffic for my organization.
ms.topic: how-to
 
---
 
# Global Secure Access client for iOS (Preview)
> [!IMPORTANT]
> The Global Secure Access client for iOS is currently in PREVIEW.
> This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
This article explains how to set up and deploy the Global Secure Access client app on iOS and iPadOS devices. For simplicity, this article refers to both iOS and iPadOS as **iOS**.
 
> [!CAUTION]
 
### System requirements
The iOS device (phone or tablet) must meet the following requirements:
- The device runs iOS 15.0 or newer.
---
title: The Global Secure Access Client for iOS
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the iOS client app.
#customer intent: As an IT admin, I want to set up and deploy the Global Secure Access client for iOS devices so that I can secure network traffic for my organization.
ms.topic: how-to
 
---
 
# Global Secure Access client for iOS
This article explains how to set up and deploy the Global Secure Access client app on iOS and iPadOS devices. For simplicity, this article refers to both iOS and iPadOS as **iOS**.
 
> [!CAUTION]
 
### System requirements
The iOS device (phone or tablet) must meet the following requirements:
- The device runs iOS 16.0 or newer.
- The device has the Microsoft Authenticator app or the Intune Company Portal app.
- For the supervised devices, the device must be enrolled to enforce Intune device compliance policies.
 
## Known limitations
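Review bot: The system requirements bullet in the After text raises the minimum from "iOS 15.0 or newer" to "iOS 16.0 or newer", and the same change drops "(Preview)" from the title and heading along with the `[!IMPORTANT]` PREVIEW notice, but the commit title only says "Revise iOS client installation guide details". Both changes affect which devices admins can enroll and what support status they can assume, so name them explicitly in the commit message.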
+8 / -8 lines changed
Commit: Freshness review: GSA — 37 articles reviewed (alt text prefix, ms.date)
Changes:
Before
After
title: Assign users and groups to traffic forwarding profiles
description: "Control which users and groups receive traffic forwarding policies, enabling gradual rollout and limiting scope during testing or deployment phases."
ms.topic: how-to
ms.date: 03/13/2026
ai-usage: ai-assisted
---
# How to assign users and groups to traffic forwarding profiles
 
1. Select the **View** link in the **User and group assignments** section.
 
![Screenshot of the traffic forwarding profiles with the view link highlighted.](media/how-to-manage-users-groups-assignment/traffic-profile-view-user-group-assignments.png)
 
1. Select the **0 Users, 0 Groups assigned** link.
 
![Screenshot of the 0 users, 0 groups assigned link.](media/how-to-manage-users-groups-assignment/user-group-assignment-link.png)
 
1. Select **Add user/group**.
 
![Screenshot of the users and groups page with the Add user/group button highlighted.](media/how-to-manage-users-groups-assignment/traffic-profile-add-user-group-button.png)
 
title: Assign users and groups to traffic forwarding profiles
description: "Control which users and groups receive traffic forwarding policies, enabling gradual rollout and limiting scope during testing or deployment phases."
ms.topic: how-to
ms.date: 03/25/2026
ai-usage: ai-assisted
---
# How to assign users and groups to traffic forwarding profiles
 
1. Select the **View** link in the **User and group assignments** section.
 
![Screenshot that shows the traffic forwarding profiles with the view link highlighted.](media/how-to-manage-users-groups-assignment/traffic-profile-view-user-group-assignments.png)
 
1. Select the **0 Users, 0 Groups assigned** link.
 
![Screenshot that shows the 0 users, 0 groups assigned link.](media/how-to-manage-users-groups-assignment/user-group-assignment-link.png)
 
1. Select **Add user/group**.
 
![Screenshot that shows the users and groups page with the Add user/group button highlighted.](media/how-to-manage-users-groups-assignment/traffic-profile-add-user-group-button.png)
 
+7 / -9 lines changed
Commit: Freshness review: App Proxy batch 1 — 2 articles reviewed
Changes:
Before
After
title: Access on-premises Application Programming Interface (API) with Microsoft Entra application proxy
description: Use Microsoft Entra application proxy to provide secure access to an Application Programming Interface (API) hosted in a private cloud or on premises.
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: KaTabish
ms.custom: has-adal-ref, sfi-image-nochange
ai-usage: ai-assisted
---
# Use Microsoft Entra application proxy to provide secure access to an Application Programming Interface (API) hosted in a private cloud or on premises
 
1. You don't want APIs to be available to end users in the **MyApps** panel, so set **Visible to users** to **No** at the bottom of the **Properties** page, and then select **Save**.
 
![Properties page with Visible to users toggle set to No.](./media/application-proxy-secure-api-access/5-not-visible-to-users.png)
 
The web API is now published through Microsoft Entra application proxy. Next, add users who can access the app.
 
1. On the **SecretAPI - Overview** page, select **Users and groups** in the left navigation.
 
1. On the **Users and groups** page, select **Add user**.
 
title: Access on-premises Application Programming Interface (API) with Microsoft Entra application proxy
description: Use Microsoft Entra application proxy to provide secure access to an Application Programming Interface (API) hosted in a private cloud or on premises.
ms.topic: how-to
ms.date: 03/25/2026
ms.reviewer: KaTabish
ms.custom: has-adal-ref
ai-usage: ai-assisted
---
# Use Microsoft Entra application proxy to provide secure access to an Application Programming Interface (API) hosted in a private cloud or on premises
 
1. You don't want APIs to be available to end users in the **MyApps** panel, so set **Visible to users** to **No** at the bottom of the **Properties** page, and then select **Save**.
 
![Properties page in the Microsoft Entra admin center showing the Visible to users toggle.](./media/application-proxy-secure-api-access/5-not-visible-to-users.png)
 
The web API is now published through Microsoft Entra application proxy. Next, add users who can access the app.
 
1. On the **SecretAPI - Overview** page, select **Users and groups** in the left navigation.
 
1. On the **Users and groups** page, select **Add user/group**.
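Review bot: The new alt text for `5-not-visible-to-users.png` drops the state the step depends on: the old text said the toggle is "set to No", while the new text only says the page is "showing the Visible to users toggle". The step tells the reader to set **Visible to users** to **No**, so keep that in the alt text, for example "Properties page in the Microsoft Entra admin center showing the Visible to users toggle set to No." The same hunk also removes `sfi-image-nochange` from `ms.custom` while the image path stays the same; confirm that removal is intended.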
 
+7 / -7 lines changed
Commit: Update stormshield-network-security-tutorial.md
Changes:
Before
After
 
This section guides you through the necessary configurations on the **Stormshield Network Security (SNS) firewall** to enable **OIDC authentication** via **Microsoft Entra ID**.
 
**Log in** to the web administration interface of the firewall.
 
### Set the firewall FQDN for access to the captive portal
 
The wizard suggests URLs that correspond to the captive portal service, the **SSL** VPN service, and access to the firewall’s web administration interface. These URLs can be copied directly from this wizard to be entered as redirect URLs in [your **Microsoft Entra ID** administration center](#configure-the-redirect-uris) if necessary.
They are also available in the OIDC/**Microsoft Entra ID** method editing panel.
1. Select **Next**.
1. Select the CSV file containing the groups in your **Microsoft Entra ID** tenant, which was downloaded when [Download user groups to import them into the SNS firewall](#download-user-groups-to-import-them-into-the-sns-firewall-optional), then click on **Next**. A summary of the group import operation then appears.
1. Select **Next**.
1. Confirm your configuration by clicking on **Finish**.
You will be redirected to the OIDC/**Microsoft Entra ID** authentication method editing panel.
1. Select **Apply** to save the configuration of the **Microsoft Entra ID** authentication method on the firewall.
 
* **in**: interface to access the internal captive portal to authenticate administrators via the web administration interface,
* **out**: interface to access the external captive portal that **SSL** VPN clients use for retrieving their configuration files and setting up tunnels,
* **sslvpn**: interface used by **SSL** VPN clients to access the firewall's **SSL** VPN service when the tunnel is set up.
1. In the **Authentication methods** menu: click on **Enable a method** and select the **OIDC** method.
 
This section guides you through the necessary configurations on the **Stormshield Network Security (SNS) firewall** to enable **OIDC authentication** via **Microsoft Entra ID**.
 
**Sign in** to the web administration interface of the firewall.
 
### Set the firewall FQDN for access to the captive portal
 
The wizard suggests URLs that correspond to the captive portal service, the **SSL** VPN service, and access to the firewall’s web administration interface. These URLs can be copied directly from this wizard to be entered as redirect URLs in [your **Microsoft Entra ID** administration center](#configure-the-redirect-uris) if necessary.
They are also available in the OIDC/**Microsoft Entra ID** method editing panel.
1. Select **Next**.
1. Select the CSV file containing the groups in your **Microsoft Entra ID** tenant, which was downloaded when [Download user groups to import them into the SNS firewall](#download-user-groups-to-import-them-into-the-sns-firewall-optional), then select **Next**. A summary of the group import operation then appears.
1. Select **Next**.
1. Confirm your configuration by selecting on **Finish**.
You will be redirected to the OIDC/**Microsoft Entra ID** authentication method editing panel.
1. Select **Apply** to save the configuration of the **Microsoft Entra ID** authentication method on the firewall.
 
* **in**: interface to access the internal captive portal to authenticate administrators via the web administration interface,
* **out**: interface to access the external captive portal that **SSL** VPN clients use for retrieving their configuration files and setting up tunnels,
* **sslvpn**: interface used by **SSL** VPN clients to access the firewall's **SSL** VPN service when the tunnel is set up.
1. In the **Authentication methods** menu: select **Enable a method** and select the **OIDC** method.
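Review bot: In the wizard step "Confirm your configuration by selecting on **Finish**", the reworded verb left a stray "on" behind; it should read "by selecting **Finish**". The last line, "select **Enable a method** and select the **OIDC** method", would read more cleanly as "select **Enable a method**, and then select the **OIDC** method".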
+5 / -5 lines changed
Commit: Freshness review: GSA — 37 articles reviewed (alt text prefix, ms.date)
Changes:
Before
After
title: Configure Microsoft Entra Private Access for Active Directory Domain Controllers
description: "Enforce Conditional Access and multifactor authentication for Kerberos authentication to Active Directory Domain Controllers through Microsoft Entra Private Access."
ms.topic: how-to
ms.date: 03/16/2026
ms.subservice: entra-private-access
ms.reviewer: shkhalid
ai-usage: ai-assisted
1. Go to **Global Secure Access** > **Connect** > **Traffic forwarding** > **Private Access Profile**.
1. Enable the Private Access profile.
 
[![Screenshot showing the Private Access traffic forwarding profile activated in the Microsoft Entra admin center.](media/how-to-configure-domain-controllers/traffic-forwarding-profile.png)](media/how-to-configure-domain-controllers/traffic-forwarding-profile.png#lightbox)
 
### 5. Install the Global Secure Access client
 
1. During installation, sign in with a Microsoft Entra ID user when prompted.
1. After installation, in the Microsoft Entra admin center, go to **Global Secure Access** > **Connect** > **Connectors and sensors** > **Private access sensors** and verify the sensor status is **Active**.
 
[![Screenshot showing the Private Access sensor as activated in the Microsoft Entra admin center.](media/how-to-configure-domain-controllers/connectors-and-sensors.png)](media/how-to-configure-domain-controllers/connectors-and-sensors.png#lightbox)
 
> [!IMPORTANT]
title: Configure Microsoft Entra Private Access for Active Directory Domain Controllers
description: "Enforce Conditional Access and multifactor authentication for Kerberos authentication to Active Directory Domain Controllers through Microsoft Entra Private Access."
ms.topic: how-to
ms.date: 03/25/2026
ms.subservice: entra-private-access
ms.reviewer: shkhalid
ai-usage: ai-assisted
1. Go to **Global Secure Access** > **Connect** > **Traffic forwarding** > **Private Access Profile**.
1. Enable the Private Access profile.
 
[![Screenshot that shows the Private Access traffic forwarding profile activated in the Microsoft Entra admin center.](media/how-to-configure-domain-controllers/traffic-forwarding-profile.png)](media/how-to-configure-domain-controllers/traffic-forwarding-profile.png#lightbox)
 
### 5. Install the Global Secure Access client
 
1. During installation, sign in with a Microsoft Entra ID user when prompted.
1. After installation, in the Microsoft Entra admin center, go to **Global Secure Access** > **Connect** > **Connectors and sensors** > **Private access sensors** and verify the sensor status is **Active**.
 
[![Screenshot that shows the Private Access sensor as activated in the Microsoft Entra admin center.](media/how-to-configure-domain-controllers/connectors-and-sensors.png)](media/how-to-configure-domain-controllers/connectors-and-sensors.png#lightbox)
 
> [!IMPORTANT]
+5 / -5 lines changed
Commit: Freshness review: GSA — 37 articles reviewed (alt text prefix, ms.date)
Changes:
Before
After
title: How to Enable and Manage the Microsoft Profile
description: "Enable the Microsoft traffic forwarding profile to route traffic to Microsoft 365 services including Exchange Online, SharePoint, and OneDrive through Global Secure Access."
ms.topic: how-to
ms.date: 03/13/2026
ms.subservice: entra-internet-access
ai-usage: ai-assisted
---
 
The policy groups are listed, with a checkbox to indicate if the policy group is enabled. Expand a policy group to view all of the IPs and FQDNs included in the group.
 
![Screenshot of the Microsoft profile details.](media/how-to-manage-microsoft-profile/microsoft-profile-details.png)
 
The policy groups include the following details:
 
 
The following example shows setting the `*.sharepoint.com` FQDN to **Bypass** so the traffic isn't forwarded to the service.
 
![Screenshot of the Action dropdown menu.](media/how-to-manage-microsoft-profile/microsoft-policies-forward-bypass.png)
 
If the Global Secure Access client isn't able to connect to the service (for example due to an authorization or Conditional Access failure), the service *bypasses* the traffic. Traffic is sent direct-and-local instead of being blocked. In this scenario, you can create a Conditional Access policy for the [compliant network check](how-to-compliant-network.md), to block traffic if the client isn't able to connect to the service.
title: How to Enable and Manage the Microsoft Profile
description: "Enable the Microsoft traffic forwarding profile to route traffic to Microsoft 365 services including Exchange Online, SharePoint, and OneDrive through Global Secure Access."
ms.topic: how-to
ms.date: 03/25/2026
ms.subservice: entra-internet-access
ai-usage: ai-assisted
---
 
The policy groups are listed, with a checkbox to indicate if the policy group is enabled. Expand a policy group to view all of the IPs and FQDNs included in the group.
 
![Screenshot that shows the Microsoft profile details.](media/how-to-manage-microsoft-profile/microsoft-profile-details.png)
 
The policy groups include the following details:
 
 
The following example shows setting the `*.sharepoint.com` FQDN to **Bypass** so the traffic isn't forwarded to the service.
 
![Screenshot that shows the Action dropdown menu.](media/how-to-manage-microsoft-profile/microsoft-policies-forward-bypass.png)
 
If the Global Secure Access client isn't able to connect to the service (for example due to an authorization or Conditional Access failure), the service *bypasses* the traffic. Traffic is sent direct-and-local instead of being blocked. In this scenario, you can create a Conditional Access policy for the [compliant network check](how-to-compliant-network.md), to block traffic if the client isn't able to connect to the service.
+5 / -5 lines changed
Commit: Freshness review: GSA — 37 articles reviewed (alt text prefix, ms.date)
Changes:
Before
After
title: Simulate remote network connectivity using Azure VNG
description: Configure Azure resources to simulate remote network connectivity to Microsoft's Security Edge Solutions with Global Secure Access.
ms.topic: how-to
ms.date: 03/18/2026
ms.reviewer: absinh
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
1. Select **Review + create**.
1. Confirm your details, then select **Create**.
 
![Screenshot of the create a resource group fields.](media/how-to-simulate-remote-network/create-azure-resource-group.png)
 
## Create a virtual network
 
1. Select **Review + create**.
1. Select **Create**.
 
![Screenshot of the create a virtual network fields.](media/how-to-simulate-remote-network/create-azure-virtual-network.png)
 
## Create a virtual network gateway
title: Simulate remote network connectivity using Azure VNG
description: Configure Azure resources to simulate remote network connectivity to Microsoft's Security Edge Solutions with Global Secure Access.
ms.topic: how-to
ms.date: 03/25/2026
ms.reviewer: absinh
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
1. Select **Review + create**.
1. Confirm your details, then select **Create**.
 
![Screenshot that shows the create a resource group fields.](media/how-to-simulate-remote-network/create-azure-resource-group.png)
 
## Create a virtual network
 
1. Select **Review + create**.
1. Select **Create**.
 
![Screenshot that shows the create a virtual network fields.](media/how-to-simulate-remote-network/create-azure-virtual-network.png)
 
## Create a virtual network gateway
+5 / -5 lines changed
Commit: Freshness review: Multi-Tenant Orgs — 5 articles reviewed
Changes:
Before
After
title: Configure cross-tenant synchronization using PowerShell or Microsoft Graph API
description: "Configure cross-tenant synchronization using Microsoft Graph PowerShell or Microsoft Graph API. Includes enabling synchronization, setting up automatic redemption, creating provisioning jobs, and testing on-demand provisioning."
ms.topic: how-to
ms.date: 03/18/2026
ms.custom: it-pro
ai-usage: ai-assisted
 
 
1. Use the [Invoke-MgGraphRequest](/powershell/microsoftgraph/authentication-commands#using-invoke-mggraphrequest) command to enable user synchronization in the target tenant.
 
If you get an `Request_MultipleObjectsWithSameKeyValue` error, you might already have an existing policy. For more information, see [Symptom - Request_MultipleObjectsWithSameKeyValue error](#symptom---request_multipleobjectswithsamekeyvalue-error).
 
```powershell
$Params = @{
 
1. In the target tenant, use the [Create crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicy-post-partners) API to create a new partner configuration in a cross-tenant access policy between the target tenant and the source tenant. Use the source tenant ID in the request.
 
If you get an `Request_MultipleObjectsWithSameKeyValue` error, you might already have an existing configuration. For more information, see [Symptom - Request_MultipleObjectsWithSameKeyValue error](#symptom---request_multipleobjectswithsamekeyvalue-error).
 
**Request**
title: Configure cross-tenant synchronization using PowerShell or Microsoft Graph API
description: "Configure cross-tenant synchronization using Microsoft Graph PowerShell or Microsoft Graph API. Includes enabling synchronization, setting up automatic redemption, creating provisioning jobs, and testing on-demand provisioning."
ms.topic: how-to
ms.date: 03/25/2026
ms.custom: it-pro
ai-usage: ai-assisted
 
 
1. Use the [Invoke-MgGraphRequest](/powershell/microsoftgraph/authentication-commands#using-invoke-mggraphrequest) command to enable user synchronization in the target tenant.
 
If you get a `Request_MultipleObjectsWithSameKeyValue` error, you might already have an existing policy. For more information, see [Symptom - Request_MultipleObjectsWithSameKeyValue error](#symptom---request_multipleobjectswithsamekeyvalue-error).
 
```powershell
$Params = @{
 
1. In the target tenant, use the [Create crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicy-post-partners) API to create a new partner configuration in a cross-tenant access policy between the target tenant and the source tenant. Use the source tenant ID in the request.
 
If you get a `Request_MultipleObjectsWithSameKeyValue` error, you might already have an existing configuration. For more information, see [Symptom - Request_MultipleObjectsWithSameKeyValue error](#symptom---request_multipleobjectswithsamekeyvalue-error).
 
**Request**
+5 / -5 lines changed
Commit: Freshness review: App Proxy batch 5 — 3 heavy-screenshot articles (final batch)
Changes:
Before
After
title: Securely integrate Azure Logic Apps with on-premises APIs using Microsoft Entra application proxy
description: Microsoft Entra application proxy lets cloud-native logic apps securely access on-premises APIs to bridge your workload.
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: KaTabish
ms.custom: sfi-image-nochange
ai-usage: ai-assisted
 
1. Select the **API permissions** menu item from the navigation pane.
 
![the Microsoft Entra App Registration API Permissions Menu Item.](./media/application-proxy-integrate-with-logic-apps/api-permissions-menu.png)
 
1. Select the **Add a permission** button.
 
 
3. Verify the configured permission appears.
 
![the Microsoft Entra App Registration API Permissions Detail.](./media/application-proxy-integrate-with-logic-apps/api-permissions-detail.png)
 
1. Select the **Certificates & secrets** menu item from the navigation pane.
title: Securely integrate Azure Logic Apps with on-premises APIs using Microsoft Entra application proxy
description: Microsoft Entra application proxy lets cloud-native logic apps securely access on-premises APIs to bridge your workload.
ms.topic: how-to
ms.date: 03/25/2026
ms.reviewer: KaTabish
ms.custom: sfi-image-nochange
ai-usage: ai-assisted
 
1. Select the **API permissions** menu item from the navigation pane.
 
![The Microsoft Entra App Registration API Permissions Menu Item.](./media/application-proxy-integrate-with-logic-apps/api-permissions-menu.png)
 
1. Select the **Add a permission** button.
 
 
3. Verify the configured permission appears.
 
![The Microsoft Entra App Registration API Permissions Detail.](./media/application-proxy-integrate-with-logic-apps/api-permissions-detail.png)
 
1. Select the **Certificates & secrets** menu item from the navigation pane.
+5 / -5 lines changed
Commit: Freshness review: App Proxy batch 4 — 7 articles with 3-5 screenshots
Changes:
Before
After
title: Publish an on-premises SharePoint farm with Microsoft Entra application proxy
description: "Configure Microsoft Entra application proxy with SAML-based authentication for secure external access to on-premises SharePoint Server."
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: KaTabish
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
## Prerequisites
 
- A SharePoint 2013 farm or newer. The SharePoint farm must be [integrated with Microsoft Entra ID](~/identity/saas-apps/sharepoint-on-premises-tutorial.md).
- A Microsoft Entra tenant with a plan that includes application proxy. Learn more about [Microsoft Entra ID plans and pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
- A Microsoft Office Web Apps Server farm to properly launch Office files from the on-premises SharePoint farm.
- A [custom, verified domain](~/fundamentals/add-custom-domain.md) in the Microsoft Entra tenant. The verified domain must match the SharePoint URL suffix.
- A Transport Layer Security (TLS) certificate is required. See the details in [custom domain publishing](./how-to-configure-custom-domain.md).
> [!NOTE]
> The Internal and External URLs must match the **Sign on URL** in the SAML Based Application configuration in Step 1.
 
![the Sign on URL value.](./media/application-proxy-integrate-with-sharepoint-server/sso-url-saml.png)
 
 
title: Publish an on-premises SharePoint farm with Microsoft Entra application proxy
description: "Configure Microsoft Entra application proxy with SAML-based authentication for secure external access to on-premises SharePoint Server."
ms.topic: how-to
ms.date: 03/25/2026
ms.reviewer: KaTabish
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
## Prerequisites
 
- A SharePoint 2013 farm or newer. The SharePoint farm must be [integrated with Microsoft Entra ID](~/identity/saas-apps/sharepoint-on-premises-tutorial.md).
- A Microsoft Entra tenant with a plan that includes application proxy. Learn more about [Microsoft Entra ID plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing).
- A Microsoft Office Web Apps Server farm to properly launch Office files from the on-premises SharePoint farm.
- A [custom, verified domain](~/fundamentals/add-custom-domain.md) in the Microsoft Entra tenant. The verified domain must match the SharePoint URL suffix.
- A Transport Layer Security (TLS) certificate is required. See the details in [custom domain publishing](./how-to-configure-custom-domain.md).
> [!NOTE]
> The Internal and External URLs must match the **Sign on URL** in the SAML Based Application configuration in Step 1.
 
![The Sign on URL value.](./media/application-proxy-integrate-with-sharepoint-server/sso-url-saml.png)
 
 
+5 / -5 lines changed
Commit: Freshness review: App Proxy batch 4 — 7 articles with 3-5 screenshots
Changes:
Before
After
title: Kerberos Constrained Delegation for single sign-on (SSO) to your apps with application proxy
description: "Configure Kerberos-based SSO for on-premises applications using Kerberos Constrained Delegation (KCD) with Microsoft Entra application proxy."
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: KaTabish
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
## How single sign-on with KCD works
The diagram explains the flow when a user attempts to access an on-premises application that uses IWA.
 
![Microsoft Entra authentication flow diagram](./media/application-proxy-configure-single-sign-on-with-kcd/authdiagram.png)
 
1. The user enters the URL to access the on-premises application through application proxy.
2. Application proxy redirects the request to Microsoft Entra authentication services to preauthenticate. At this point, Microsoft Entra ID applies any applicable authentication and authorization policies, such as multifactor authentication. If the user is validated, Microsoft Entra ID creates a token and sends it to the user.
5. Select **Use any authentication protocol**.
6. Under **Services to which this account can present delegated credentials**, add the value for the SPN identity of the application server. The setting enables the private network connector to impersonate users in AD against the applications defined in the list.
 
![Connector-SVR Properties window](./media/application-proxy-configure-single-sign-on-with-kcd/properties.jpg)
 
#### Connector and application server in different domains
title: Kerberos Constrained Delegation for single sign-on (SSO) to your apps with application proxy
description: "Configure Kerberos-based SSO for on-premises applications using Kerberos Constrained Delegation (KCD) with Microsoft Entra application proxy."
ms.topic: how-to
ms.date: 03/25/2026
ms.reviewer: KaTabish
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
## How single sign-on with KCD works
The diagram explains the flow when a user attempts to access an on-premises application that uses IWA.
 
![Microsoft Entra authentication flow diagram.](./media/application-proxy-configure-single-sign-on-with-kcd/authdiagram.png)
 
1. The user enters the URL to access the on-premises application through application proxy.
2. Application proxy redirects the request to Microsoft Entra authentication services to preauthenticate. At this point, Microsoft Entra ID applies any applicable authentication and authorization policies, such as multifactor authentication. If the user is validated, Microsoft Entra ID creates a token and sends it to the user.
5. Select **Use any authentication protocol**.
6. Under **Services to which this account can present delegated credentials**, add the value for the SPN identity of the application server. The setting enables the private network connector to impersonate users in AD against the applications defined in the list.
 
![Connector-SVR Properties window.](./media/application-proxy-configure-single-sign-on-with-kcd/properties.jpg)
 
#### Connector and application server in different domains
+2 / -8 lines changed
Commit: Freshness review: App Proxy batch 1 — 2 articles reviewed
Changes:
Before
After
title: Access Microsoft Entra application proxy apps in Teams
description: Use Microsoft Entra application proxy to access your on-premises application through Microsoft Teams.
ms.topic: how-to
ms.date: 03/11/2026
ms.reviewer: KaTabish
ai-usage: ai-assisted
---
 
Microsoft Entra application proxy gives you single sign-on to on-premises applications no matter where you are. Microsoft Teams streamlines your collaborative efforts in one place. Integrating the two together means that your users can be productive with their teammates in any situation.
 
Your users can add cloud apps to their Teams channels [using tabs](https://support.office.com/article/Video-Using-Tabs-7350a03e-017a-4a00-a6ae-1c9fe8c497b3?ui=en-US&rs=en-US&ad=US), but what about the SharePoint sites or planning tool that are hosted on-premises? Application proxy is the solution. They can add apps published through application proxy to their channels using the same external URLs they always use to access their apps remotely. And because application proxy authenticates through Microsoft Entra ID, your users get a single sign-on experience.
 
## Install the private network connector and publish your app
 
 
1. Navigate to the Teams channel where you want to add this app and select **+** to add a tab.
 
![Select + to add a tab in Teams](./media/application-proxy-integrate-with-teams/add-tab.png)
 
1. Select **Website** from the tab options.
title: Access Microsoft Entra application proxy apps in Teams
description: Use Microsoft Entra application proxy to access your on-premises application through Microsoft Teams.
ms.topic: how-to
ms.date: 03/25/2026
ms.reviewer: KaTabish
ai-usage: ai-assisted
---
 
Microsoft Entra application proxy gives you single sign-on to on-premises applications no matter where you are. Microsoft Teams streamlines your collaborative efforts in one place. Integrating the two together means that your users can be productive with their teammates in any situation.
 
Your users can add cloud apps to their Teams channels [using tabs](https://support.microsoft.com/office/use-a-tab-in-a-channel-or-chat-in-microsoft-teams-83d0514f-2134-4db5-80f2-e9b43e111d57), but what about the SharePoint sites or planning tool that are hosted on-premises? Application proxy is the solution. They can add apps published through application proxy to their channels using the same external URLs they always use to access their apps remotely. And because application proxy authenticates through Microsoft Entra ID, your users get a single sign-on experience.
 
## Install the private network connector and publish your app
 
 
1. Navigate to the Teams channel where you want to add this app and select **+** to add a tab.
 
1. Select **Website** from the tab options.
 
1. Give the tab a name and set the URL to the application proxy external URL.
+4 / -4 lines changed
Commit: Freshness review: GSA — 37 articles reviewed (alt text prefix, ms.date)
Changes:
Before
After
title: How to configure connectors for Microsoft Entra Private Access
description: "Set up private network connectors that enable outbound connections from your private network to Global Secure Access. Includes installation, connector groups, and high availability."
ms.topic: how-to
ms.date: 03/16/2026
ms.subservice: entra-private-access
ms.reviewer: katabish
ai-usage: ai-assisted
1. Browse to **Global Secure Access** > **Connect** > **Connectors**.
1. Select **Download connector service**.
 
![Screenshot of the Download connector service button in the App proxy page.](media/how-to-configure-connectors/app-proxy-download-connector-service.png)
1. Read the Terms of Service. When you're ready, select **Accept terms & Download**.
1. At the bottom of the window, select **Run** to install the connector. An install wizard opens.
1. Follow the instructions in the wizard to install the service. When you're prompted to register the connector with the Application Proxy for your Microsoft Entra tenant, provide your Application Administrator credentials.
* Expand the connector to view the details if it's not already expanded.
* An active green label indicates that your connector can connect to the service. However, even though the label is green, a network issue could still block the connector from receiving messages.
 
![Screenshot of the connector groups and connector group details.](media/how-to-configure-connectors/app-proxy-connectors-status.png)
 
For more help with installing a connector, see [troubleshoot connectors](troubleshoot-connectors.md).
title: How to configure connectors for Microsoft Entra Private Access
description: "Set up private network connectors that enable outbound connections from your private network to Global Secure Access. Includes installation, connector groups, and high availability."
ms.topic: how-to
ms.date: 03/25/2026
ms.subservice: entra-private-access
ms.reviewer: katabish
ai-usage: ai-assisted
1. Browse to **Global Secure Access** > **Connect** > **Connectors**.
1. Select **Download connector service**.
 
![Screenshot that shows the Download connector service button in the App proxy page.](media/how-to-configure-connectors/app-proxy-download-connector-service.png)
1. Read the Terms of Service. When you're ready, select **Accept terms & Download**.
1. At the bottom of the window, select **Run** to install the connector. An install wizard opens.
1. Follow the instructions in the wizard to install the service. When you're prompted to register the connector with the Application Proxy for your Microsoft Entra tenant, provide your Application Administrator credentials.
* Expand the connector to view the details if it's not already expanded.
* An active green label indicates that your connector can connect to the service. However, even though the label is green, a network issue could still block the connector from receiving messages.
 
![Screenshot that shows the connector groups and connector group details.](media/how-to-configure-connectors/app-proxy-connectors-status.png)
 
For more help with installing a connector, see [troubleshoot connectors](troubleshoot-connectors.md).
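Review bot: The reworded alt text for app-proxy-download-connector-service.png still places the button "in the App proxy page", while the step just above it sends the reader to **Global Secure Access** > **Connect** > **Connectors**. Since this change already rewrites the alt text, name the Connectors page there so the description matches the navigation path the article gives.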
+4 / -4 lines changed
Commit: Freshness review: GSA — 37 articles reviewed (alt text prefix, ms.date)
Changes:
Before
After
title: How to configure per-app access using Global Secure Access applications
description: Learn how to configure per-app access to your private, internal resources using Global Secure Access applications for Microsoft Entra Private Access.
ms.topic: how-to
ms.date: 03/12/2026
ms.subservice: entra-private-access
ms.reviewer: katabish
ai-usage: ai-assisted
1. Browse to **Global Secure Access** > **Applications** > **Enterprise applications**.
1. Select **New application**.
 
![Screenshot of the Enterprise apps and Add new application button.](media/how-to-configure-per-app-access/new-enterprise-app.png)
 
1. Enter a name for the app.
1. Select a Connector group from the dropdown menu.
- Spaces between values are removed when you apply the changes.
- For example, `400-500, 80, 443`.
 
![Screenshot of the create app segment panel with multiple ports added.](media/how-to-configure-per-app-access/app-segment-multiple-ports.png)
 
The following table provides the most commonly used ports and their associated networking protocols:
title: How to configure per-app access using Global Secure Access applications
description: Learn how to configure per-app access to your private, internal resources using Global Secure Access applications for Microsoft Entra Private Access.
ms.topic: how-to
ms.date: 03/25/2026
ms.subservice: entra-private-access
ms.reviewer: katabish
ai-usage: ai-assisted
1. Browse to **Global Secure Access** > **Applications** > **Enterprise applications**.
1. Select **New application**.
 
![Screenshot that shows the Enterprise apps and Add new application button.](media/how-to-configure-per-app-access/new-enterprise-app.png)
 
1. Enter a name for the app.
1. Select a Connector group from the dropdown menu.
- Spaces between values are removed when you apply the changes.
- For example, `400-500, 80, 443`.
 
![Screenshot that shows the create app segment panel with multiple ports added.](media/how-to-configure-per-app-access/app-segment-multiple-ports.png)
 
The following table provides the most commonly used ports and their associated networking protocols:
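Review bot: The updated alt text for new-enterprise-app.png calls the control the "Add new application button" and the page "Enterprise apps", but the step directly above it reads "Select **New application**" under **Enterprise applications**. Only the "Screenshot that shows" prefix changed here; align the control and page names in the alt text with the step text in the same pass.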