📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 25th 2026, 9:40 PM PDT

Report generated on March 26th 2026, 9:40 PM PDT

📊 Summary

- 46 total commits
- 0 new files
- 38 modified files
- 0 deleted files
- 13 contributors

πŸ“ Modified Documentation Files

+14 / -8 lines changed
Commit: cleanu
Changes:
Before
After
 
# Security for AI agents with Microsoft Entra Agent ID
 
AI agentsβ€”autonomous software systems that perceive their environment, make decisions, and take actionsβ€”expand organizational capabilities but introduce security challenges that differ from traditional application security. This introduction explains why AI security matters, the challenges AI agents present, the concept of agent sprawl, and how Microsoft provides security mechanisms for AI agents in enterprise environments.
 
## Types of AI agents
 
Organizations are increasingly deploying AI agents for diverse tasks:
 
- Assistive agents perform specific, well-defined tasks on demand. Examples include agents that analyze customer data for sales recommendations, answer support questions with escalation to human representatives, or analyze market data for financial reporting.
 
- Autonomous agents operate independently, making decisions and taking actions without human intervention. Examples include agents that monitor network logs for security operations, manage infrastructure deployments with autoscaling, or generate and publish routine communications.
 
- Agents' user accounts are agents designed to function with human user characteristics, including persistent identities and access to organizational systems. Agents' user accounts might join teams, access documents, participate in meetings, and require mailbox and calendar access like human users.
 
These deployment models present distinct security and governance challenges.
 
 
 
 
 
# Security for AI agents with Microsoft Entra Agent ID
 
AI agents are autonomous software systems that can perceive their environment, make decisions, and take action. AI agents can expand organizational capabilities but also introduce security challenges that differ from traditional application security. This introduction explains why AI security matters, the challenges AI agents present, the concept of agent sprawl, and how Microsoft provides security mechanisms for AI agents in enterprise environments.
 
## Types of AI agents
 
Organizations are increasingly deploying AI agents for diverse tasks, such as:
 
- Assistive agents can perform specific, well-defined tasks on demand.
- Analyze customer data for sales recommendations
- Support questions with escalation to human representatives
- Analyze market data for financial reporting
- Autonomous agents can operate independently, making decisions and taking actions without human intervention.
- Monitor network logs for security operations
- Manage infrastructure deployments with autoscaling
- Generate and publish routine communications
- An agent's user account can function with human user characteristics, including persistent identities and access to organizational systems.
- Join teams, access documents, or participate in meetings
- Require mailbox and calendar access like human users
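Review bot: the After list loses its two-level structure: the concrete examples (`Analyze customer data for sales recommendations`, `Monitor network logs for security operations`, ...) now sit at the same level as the three agent categories, so a reader can no longer tell which category each example belongs to. Indent them under their parent bullet, and restore the verb dropped from `Support questions with escalation to human representatives` (the Before read `answer support questions ...`) so the items stay parallel. The third category also changed from `Agents' user accounts are agents designed to function with human user characteristics` to `An agent's user account can function ...`, which no longer names a type of agent; since this is the category with persistent identities plus mailbox and calendar access, it should be labelled on par with `Assistive agents` and `Autonomous agents` so its governance requirements are not read as a footnote.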
+9 / -3 lines changed
Commit: Editorial quality fixes: 18 clarity, signpost, and code block issues
Changes:
Before
After
 
:::image type="content" source="./media/application-proxy-configure-complex-application/complex-app-structure-1.png" alt-text="Diagram of domain structure for a complex application showing resource sharing between primary and secondary application.":::
 
With [Microsoft Entra application proxy](overview-what-is-app-proxy.md), you can address this issue by using complex application publishing that is made up of multiple URLs across various domains.
 
:::image type="content" source="./media/application-proxy-configure-complex-application/complex-app-flow-1.png" alt-text="Diagram of a Complex application with multiple application segments definition.":::
 
This article shows you how to configure wildcard application publishing in your environment.
 
## Characteristics of application segments for complex applications
- Application segments are only configured on a wildcard application.
- External and alternate URL should match the wildcard external and alternate URL domain of the application respectively.
- Application segment URLs (internal and external) need to maintain uniqueness across complex applications.
> Regular applications always take precedence over a complex app (wildcard application).
 
## Prerequisites
- Enable application proxy and install a connector that has line of sight to your applications. See the tutorial [Add an on-premises application for remote access through application proxy](application-proxy-add-on-premises-application.md) to learn how to prepare your on-premises environment, install and register a connector, and test the connector.
 
 
 
 
:::image type="content" source="./media/application-proxy-configure-complex-application/complex-app-structure-1.png" alt-text="Diagram of domain structure for a complex application showing resource sharing between primary and secondary application.":::
 
With [Microsoft Entra application proxy](overview-what-is-app-proxy.md), you can address these challenges by using complex application publishing that is made up of multiple URLs across various domains.
 
:::image type="content" source="./media/application-proxy-configure-complex-application/complex-app-flow-1.png" alt-text="Diagram of a Complex application with multiple application segments definition.":::
 
This article shows you how to configure wildcard application publishing in your environment.
 
## Characteristics of application segments for complex applications
 
Application segments for complex applications have the following characteristics:
 
- Application segments are only configured on a wildcard application.
- External and alternate URL should match the wildcard external and alternate URL domain of the application respectively.
- Application segment URLs (internal and external) need to maintain uniqueness across complex applications.
> Regular applications always take precedence over a complex app (wildcard application).
 
## Prerequisites
 
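Review bot: the `> Regular applications always take precedence over a complex app (wildcard application).` line still follows the bullet list with no blank line and no `[!NOTE]` marker, so it renders as a lazy continuation of the last bullet rather than as a callout; insert a blank line and use `> [!NOTE]` as the KCD article in this same report does. While here, `External and alternate URL should match the wildcard external and alternate URL domain of the application respectively` reads better as `The external and alternate URLs must match the application's wildcard external and alternate URL domains, respectively`, which also makes the precedence rule (a regular application wins over the wildcard application) easier to apply when checking that segment URLs stay unique across complex applications.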
+6 / -6 lines changed
Commit: Editorial quality fixes: 18 clarity, signpost, and code block issues
Changes:
Before
After
 
Place the connector close to the target application in the customer network. This configuration minimizes step 3 in the topography diagram, because the connector and application are close.
 
If your connector needs a line of sight to the domain controller, then this pattern is advantageous. Most customers use this pattern, because it works well for most scenarios. This pattern can also be combined with pattern 2 to optimize traffic between the service and the connector.
 
### Pattern 2: Take advantage of ExpressRoute with Microsoft peering
 
 
Although the focus of this article is connector placement, you can also change the placement of the application to get better latency characteristics.
 
Increasingly, organizations are moving their networks into hosted environments. The move enables them to place their apps in a hosted environment that is also part of their corporate network, and still be within the domain. In this case, the patterns discussed in the preceding sections can be applied to the new application location. If you're considering this option, see [Microsoft Entra Domain Services](/entra/identity/domain-services/overview).
 
Additionally, consider organizing your connectors using [connector groups](application-proxy-connector-groups.md) to target apps that are in different locations and networks.
 
 
**Scenario:** The app is in an organization's network in the US, with users in the same region. No ExpressRoute or VPN exists between the Azure datacenter and the corporate network.
 
**Recommendation:** Follow pattern 1, explained in the previous section. For improved latency, consider using ExpressRoute, if needed.
 
Optimize hop 3 by placing the connector near the app. The connector typically is installed with line of sight to the app and to the datacenter to perform KCD operations.
 
Place the connector close to the target application in the customer network. This configuration minimizes step 3 in the topography diagram, because the connector and application are close.
 
If your connector needs a line of sight to the domain controller, then this pattern is advantageous. Most customers use this pattern, because it works well for most scenarios. This pattern can also be combined with [Pattern 2](#pattern-2-take-advantage-of-expressroute-with-microsoft-peering) to optimize traffic between the service and the connector.
 
### Pattern 2: Take advantage of ExpressRoute with Microsoft peering
 
 
Although the focus of this article is connector placement, you can also change the placement of the application to get better latency characteristics.
 
Increasingly, organizations are moving their networks into hosted environments. The move enables them to place their apps in a hosted environment that is also part of their corporate network, and still be within the domain. In this case, [Pattern 1](#pattern-1-put-the-connector-close-to-the-application), [Pattern 2](#pattern-2-take-advantage-of-expressroute-with-microsoft-peering), and [Pattern 3](#pattern-3-take-advantage-of-expressroute-with-private-peering) can be applied to the new application location. If you're considering this option, see [Microsoft Entra Domain Services](/entra/identity/domain-services/overview).
 
Additionally, consider organizing your connectors using [connector groups](application-proxy-connector-groups.md) to target apps that are in different locations and networks.
 
 
**Scenario:** The app is in an organization's network in the US, with users in the same region. No ExpressRoute or VPN exists between the Azure datacenter and the corporate network.
 
**Recommendation:** Follow [Pattern 1](#pattern-1-put-the-connector-close-to-the-application), explained in the previous section. For improved latency, consider using ExpressRoute, if needed.
 
Optimize hop 3 by placing the connector near the app. The connector typically is installed with line of sight to the app and to the datacenter to perform KCD operations.
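Review bot: the new cross-links assume the headings `#pattern-1-put-the-connector-close-to-the-application` and `#pattern-3-take-advantage-of-expressroute-with-private-peering`; only the Pattern 2 heading is visible in this region, so confirm both anchors resolve. In the Recommendation line, `explained in the previous section` is now redundant with the link and can be dropped. The same hop is called `step 3 in the topography diagram` in one paragraph and `hop 3` in the next; use one term so the reader can map both to the diagram.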
Modified by Jay on Mar 26, 2026 4:40 PM
+5 / -5 lines changed
Commit: Replace comma with 'or' in Internet/Private Access license strings
Changes:
Before
After
| [Global Secure Access cloud firewall protects branch office internet traffic](zero-trust-protect-networks.md#global-secure-access-cloud-firewall-protects-branch-office-internet-traffic) | Microsoft Entra Internet Access |
| [Internet traffic is inspected across all Secure Web Gateway defense layers](zero-trust-protect-networks.md#internet-traffic-is-inspected-across-all-secure-web-gateway-defense-layers) | Microsoft Entra Internet Access |
| [Network validation is configured through Universal Continuous Access Evaluation](zero-trust-protect-networks.md#network-validation-is-configured-through-universal-continuous-access-evaluation) | Microsoft Entra Internet Access or Microsoft Entra Private Access |
| [Global Secure Access client is deployed on all managed endpoints](zero-trust-protect-networks.md#global-secure-access-client-is-deployed-on-all-managed-endpoints) | Microsoft Entra Internet Access, Microsoft Entra Private Access |
| [Global Secure Access licenses are available in the tenant and assigned to users](zero-trust-protect-networks.md#global-secure-access-licenses-are-available-in-the-tenant-and-assigned-to-users) | Microsoft Entra Internet Access, Microsoft Entra Private Access |
| [Microsoft 365 traffic is actively flowing through Global Secure Access](zero-trust-protect-networks.md#microsoft-365-traffic-is-actively-flowing-through-global-secure-access) | Microsoft Entra Suite |
| [Universal tenant restrictions block unauthorized external tenant access](zero-trust-protect-networks.md#universal-tenant-restrictions-block-unauthorized-external-tenant-access) | Microsoft Entra Internet Access |
| [External collaboration is governed by explicit cross-tenant access policies](zero-trust-protect-networks.md#external-collaboration-is-governed-by-explicit-cross-tenant-access-policies) | Microsoft Entra ID P1 |
| [Conditional Access policies use compliant network controls](zero-trust-protect-networks.md#conditional-access-policies-use-compliant-network-controls) | Microsoft Entra ID P1 |
| [Global Secure Access signaling for Conditional Access is enabled](zero-trust-protect-networks.md#global-secure-access-signaling-for-conditional-access-is-enabled) | Microsoft Entra Internet Access |
| [Network traffic is routed through Global Secure Access for security policy enforcement](zero-trust-protect-networks.md#network-traffic-is-routed-through-global-secure-access-for-security-policy-enforcement) | Microsoft Entra Internet Access, Microsoft Entra Private Access |
| [Traffic forwarding profiles are scoped to appropriate users and groups for controlled deployment](zero-trust-protect-networks.md#traffic-forwarding-profiles-are-scoped-to-appropriate-users-and-groups-for-controlled-deployment) | Microsoft Entra Internet Access, Microsoft Entra Private Access |
| [Private network connectors are active and healthy to maintain Zero Trust access to internal resources](zero-trust-protect-networks.md#private-network-connectors-are-active-and-healthy-to-maintain-zero-trust-access-to-internal-resources) | Microsoft Entra Private Access |
| [Private network connectors are running the latest version](zero-trust-protect-networks.md#private-network-connectors-are-running-the-latest-version) | Microsoft Entra Private Access |
| [At least two Private Access connectors are active and healthy per connector group](zero-trust-protect-networks.md#at-least-two-private-access-connectors-are-active-and-healthy-per-connector-group) | Microsoft Entra Private Access |
| [All Microsoft Entra recommendations are addressed](zero-trust-monitor-detect.md#all-microsoft-entra-recommendations-are-addressed) | Microsoft Entra ID P1 |
| [Network access activity is visible to security operations for threat detection and response](zero-trust-monitor-detect.md#network-access-activity-is-visible-to-security-operations-for-threat-detection-and-response) | Microsoft Entra ID P1 |
| [Network access logs are retained for security analysis and compliance requirements](zero-trust-monitor-detect.md#network-access-logs-are-retained-for-security-analysis-and-compliance-requirements) | Microsoft Entra ID P1 |
| [Global Secure Access deployment logs are populated and reviewed](zero-trust-monitor-detect.md#global-secure-access-deployment-logs-are-populated-and-reviewed) | Microsoft Entra Internet Access, Microsoft Entra Private Access |
 
| [Global Secure Access cloud firewall protects branch office internet traffic](zero-trust-protect-networks.md#global-secure-access-cloud-firewall-protects-branch-office-internet-traffic) | Microsoft Entra Internet Access |
| [Internet traffic is inspected across all Secure Web Gateway defense layers](zero-trust-protect-networks.md#internet-traffic-is-inspected-across-all-secure-web-gateway-defense-layers) | Microsoft Entra Internet Access |
| [Network validation is configured through Universal Continuous Access Evaluation](zero-trust-protect-networks.md#network-validation-is-configured-through-universal-continuous-access-evaluation) | Microsoft Entra Internet Access or Microsoft Entra Private Access |
| [Global Secure Access client is deployed on all managed endpoints](zero-trust-protect-networks.md#global-secure-access-client-is-deployed-on-all-managed-endpoints) | Microsoft Entra Internet Access or Microsoft Entra Private Access |
| [Global Secure Access licenses are available in the tenant and assigned to users](zero-trust-protect-networks.md#global-secure-access-licenses-are-available-in-the-tenant-and-assigned-to-users) | Microsoft Entra Internet Access or Microsoft Entra Private Access |
| [Microsoft 365 traffic is actively flowing through Global Secure Access](zero-trust-protect-networks.md#microsoft-365-traffic-is-actively-flowing-through-global-secure-access) | Microsoft Entra Suite |
| [Universal tenant restrictions block unauthorized external tenant access](zero-trust-protect-networks.md#universal-tenant-restrictions-block-unauthorized-external-tenant-access) | Microsoft Entra Internet Access |
| [External collaboration is governed by explicit cross-tenant access policies](zero-trust-protect-networks.md#external-collaboration-is-governed-by-explicit-cross-tenant-access-policies) | Microsoft Entra ID P1 |
| [Conditional Access policies use compliant network controls](zero-trust-protect-networks.md#conditional-access-policies-use-compliant-network-controls) | Microsoft Entra ID P1 |
| [Global Secure Access signaling for Conditional Access is enabled](zero-trust-protect-networks.md#global-secure-access-signaling-for-conditional-access-is-enabled) | Microsoft Entra Internet Access |
| [Network traffic is routed through Global Secure Access for security policy enforcement](zero-trust-protect-networks.md#network-traffic-is-routed-through-global-secure-access-for-security-policy-enforcement) | Microsoft Entra Internet Access or Microsoft Entra Private Access |
| [Traffic forwarding profiles are scoped to appropriate users and groups for controlled deployment](zero-trust-protect-networks.md#traffic-forwarding-profiles-are-scoped-to-appropriate-users-and-groups-for-controlled-deployment) | Microsoft Entra Internet Access or Microsoft Entra Private Access |
| [Private network connectors are active and healthy to maintain Zero Trust access to internal resources](zero-trust-protect-networks.md#private-network-connectors-are-active-and-healthy-to-maintain-zero-trust-access-to-internal-resources) | Microsoft Entra Private Access |
| [Private network connectors are running the latest version](zero-trust-protect-networks.md#private-network-connectors-are-running-the-latest-version) | Microsoft Entra Private Access |
| [At least two Private Access connectors are active and healthy per connector group](zero-trust-protect-networks.md#at-least-two-private-access-connectors-are-active-and-healthy-per-connector-group) | Microsoft Entra Private Access |
| [All Microsoft Entra recommendations are addressed](zero-trust-monitor-detect.md#all-microsoft-entra-recommendations-are-addressed) | Microsoft Entra ID P1 |
| [Network access activity is visible to security operations for threat detection and response](zero-trust-monitor-detect.md#network-access-activity-is-visible-to-security-operations-for-threat-detection-and-response) | Microsoft Entra ID P1 |
| [Network access logs are retained for security analysis and compliance requirements](zero-trust-monitor-detect.md#network-access-logs-are-retained-for-security-analysis-and-compliance-requirements) | Microsoft Entra ID P1 |
| [Global Secure Access deployment logs are populated and reviewed](zero-trust-monitor-detect.md#global-secure-access-deployment-logs-are-populated-and-reviewed) | Microsoft Entra Internet Access or Microsoft Entra Private Access |
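Review bot: `or` in the license column is now consistent across rows, but it turns a list into an alternative: for a row such as `Global Secure Access licenses are available in the tenant and assigned to users`, the table should make clear whether either license alone satisfies the check or whether a tenant using both products is expected to hold both. A one-line note above the table stating how to read `or` would remove the ambiguity.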
 
Modified by Nuno Alexandre on Mar 26, 2026 6:38 PM
+5 / -4 lines changed
Commit: Learn Editor: Update migrate-group-writeback.md
Changes:
Before
After
 
## Prerequisites
 
- A Microsoft Entra account with at least a [Hybrid Identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) role.
- An on-premises Active Directory account with at least domain administrator permissions.
Required to access the `adminDescription` attribute and copy it to the `msDS-ExternalDirectoryObjectId` attribute.
 
By default, Microsoft Entra Connect Sync uses the following format when naming groups are written back:
 
- **Default format:** `CN=Group_&lt;guid&gt;,OU=&lt;container&gt;,DC=&lt;domain component&gt;,DC=\<domain component>`
- **Example:** `CN=Group_3a5c3221-c465-48c0-95b8-e9305786a271,OU=WritebackContainer,DC=contoso,DC=com`
 
To make it easier to find groups being written back from Microsoft Entra ID to Active Directory, Microsoft Entra Connect Sync added an option to write back the group name by using the cloud display name. To use this option, select **Writeback Group Distinguished Name with Cloud Display Name** during initial setup of Group Writeback v2. If this feature is enabled, Microsoft Entra Connect uses the following new format instead of the default format:
 
- **New format:** `CN=&lt;display name&gt;_&lt;last 12 digits of object ID&gt;,OU=&lt;container&gt;,DC=&lt;domain component&gt;,DC=\<domain component>`
- **Example:** `CN=Sales_e9305786a271,OU=WritebackContainer,DC=contoso,DC=com`
 
By default, Microsoft Entra Cloud Sync uses the new format, even if the Writeback Group Distinguished Name with Cloud Display Name feature isn't enabled in Microsoft Entra Connect Sync. If you use the default Microsoft Entra Connect Sync naming and then migrate the group so that it's managed by Microsoft Entra Cloud Sync, the group is renamed to the new format. Use the following section to allow Microsoft Entra Cloud Sync to use the default format from Microsoft Entra Connect.
 
 
## Prerequisites
 
- A Microsoft Entra account with at least a [Hybrid Identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) role.
- An on-premises Active Directory account with at least domain administrator permissions.
Required to access the `adminDescription` attribute and copy it to the `msDS-ExternalDirectoryObjectId` attribute.
 
By default, Microsoft Entra Connect Sync uses the following format when naming groups are written back:
 
- **Default format:** `CN=Group_<guid>,OU=<container>,DC=<domain component>,DC=<domain component>`
- **Example:** `CN=Group_3a5c3221-c465-48c0-95b8-e9305786a271,OU=WritebackContainer,DC=Contoso,DC=com`
 
To make it easier to find groups being written back from Microsoft Entra ID to Active Directory, Microsoft Entra Connect Sync added an option to write back the group name by using the cloud display name. To use this option, select **Writeback Group Distinguished Name with Cloud Display Name** during initial setup of Group Writeback v2. If this feature is enabled, Microsoft Entra Connect uses the following new format instead of the default format:
 
- **New format:** `CN=<display name>_<last 12 digits of object ID>,OU=<container>`
 
- **Example:** `CN=Sales_e9305786a271,OU=WritebackContainer,DC=contoso,DC=com`
 
By default, Microsoft Entra Cloud Sync uses the new format, even if the Writeback Group Distinguished Name with Cloud Display Name feature isn't enabled in Microsoft Entra Connect Sync. If you use the default Microsoft Entra Connect Sync naming and then migrate the group so that it's managed by Microsoft Entra Cloud Sync, the group is renamed to the new format. Use the following section to allow Microsoft Entra Cloud Sync to use the default format from Microsoft Entra Connect.
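Review bot: in the After, the **New format** line lost its trailing domain components: it ends at `,OU=<container>` while the example directly below (`CN=Sales_e9305786a271,OU=WritebackContainer,DC=contoso,DC=com`) and the **Default format** line both carry `,DC=<domain component>,DC=<domain component>`; restore the suffix so the format and its example agree. The blank line inserted between the **New format** and **Example** bullets splits them into two lists. The default example also changed `DC=contoso` to `DC=Contoso` while the new-format example keeps `DC=contoso`; pick one casing. `when naming groups are written back` should read `when naming groups that are written back`, and the `Required to access the adminDescription attribute ...` fragment needs to be indented under its bullet so it does not render as a stray paragraph.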
Modified by shlipsey3 on Mar 26, 2026 7:59 PM
+4 / -4 lines changed
Commit: cleanu
Changes:
Before
After
_api = api;
}
// GET request for agent user identity using UPN
public async Task<IActionResult> Index()
{
return View(products);
}
// GET request for agent user identity using OID
public async Task<IActionResult> UserProducts()
{
- To use `WithAgentUserIdentity`, you can specify either UPN or OID to identify the agent's user account.
```csharp
// Create request with agent user identity authentication with UPN
public async Task<string> CallApiWithAgentUserIdentity(string agentIdentity, string userUpn)
{
_api = api;
}
// GET request for agent's user account identity using UPN
public async Task<IActionResult> Index()
{
return View(products);
}
// GET request for agent's user account identity using OID
public async Task<IActionResult> UserProducts()
{
- To use `WithAgentUserIdentity`, you can specify either UPN or OID to identify the agent's user account.
```csharp
// Create request with agent's user account identity authentication with UPN
public async Task<string> CallApiWithAgentUserIdentity(string agentIdentity, string userUpn)
{
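Review bot: `agent's user account identity` is redundant (`user account` already denotes the identity); `agent's user account` alone keeps the comments short and matches the bullet text. The bullet presents UPN and OID as interchangeable for `WithAgentUserIdentity`; since an object ID is immutable while a UPN can be renamed, the doc should say which identifier to prefer when the value is persisted in configuration or authorization rules. Also, the `Index()` comment says `using UPN` but the visible body only returns `View(products)`; if the UPN call is elided for brevity, an ellipsis comment would make that clear.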
+3 / -3 lines changed
Commit: Accessibility: Fix 6 short alt text entries with descriptive Screenshot that shows prefix
Changes:
Before
After
 
- Internal URL:
 
![Example: Wildcard in internal URL.](./media/application-proxy-wildcard/42.png)
 
- External URL:
 
![Example: Wildcard in external URL.](./media/application-proxy-wildcard/43.png)
 
- Internal Application SPN:
 
![Example: Wildcard in SPN configuration.](./media/application-proxy-wildcard/44.png)
 
By publishing the wildcard application, you can now access your three applications by navigating to the URLs you're used to (for example, `travel.adventure-works.com`).
 
 
- Internal URL:
 
![Screenshot that shows a wildcard in the internal URL field.](./media/application-proxy-wildcard/42.png)
 
- External URL:
 
![Screenshot that shows a wildcard in the external URL field.](./media/application-proxy-wildcard/43.png)
 
- Internal Application SPN:
 
![Screenshot that shows a wildcard in the SPN configuration field.](./media/application-proxy-wildcard/44.png)
 
By publishing the wildcard application, you can now access your three applications by navigating to the URLs you're used to (for example, `travel.adventure-works.com`).
 
+3 / -3 lines changed
Commit: Accessibility: Fix 6 short alt text entries with descriptive Screenshot that shows prefix
Changes:
Before
After
5. Select **Use any authentication protocol**.
6. Under **Services to which this account can present delegated credentials**, add the value for the SPN identity of the application server. The setting enables the private network connector to impersonate users in AD against the applications defined in the list.
 
![Connector-SVR Properties window.](./media/application-proxy-configure-single-sign-on-with-kcd/properties.jpg)
 
#### Connector and application server in different domains
1. For a list of prerequisites for working with KCD across domains, see [Kerberos Constrained Delegation across domains](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831477(v=ws.11)).
4. Enter the **Internal Application SPN** of the application server. In this example, the SPN for our published application is `http/www.contoso.com`. The SPN needs to be in the list of services to which the connector can present delegated credentials.
5. Choose the **Delegated Login Identity** for the connector to use on behalf of your users. For more information, see [Working with different on-premises and cloud identities](#working-with-different-on-premises-and-cloud-identities).
 
![Advanced Application Configuration.](./media/application-proxy-configure-single-sign-on-with-kcd/cwap_auth2.png)
 
## SSO for non-Windows apps
 
 
With application proxy, you can choose the identity used to obtain the Kerberos ticket. This setting is configured per application and supports systems that require nonemail formats or alternative sign-in methods.
 
![Delegated login identity parameter.](./media/application-proxy-configure-single-sign-on-with-kcd/app_proxy_sso_diff_id_upn.png)
 
If delegated sign-in identity is used, the value might not be unique across all the domains or forests in your organization. You can avoid this issue by publishing these applications twice using two different Connector groups. Since each application has a different user audience, you can join its connectors to a different domain.
5. Select **Use any authentication protocol**.
6. Under **Services to which this account can present delegated credentials**, add the value for the SPN identity of the application server. The setting enables the private network connector to impersonate users in AD against the applications defined in the list.
 
![Screenshot that shows the Connector-SVR Properties window with Delegation tab.](./media/application-proxy-configure-single-sign-on-with-kcd/properties.jpg)
 
#### Connector and application server in different domains
1. For a list of prerequisites for working with KCD across domains, see [Kerberos Constrained Delegation across domains](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831477(v=ws.11)).
4. Enter the **Internal Application SPN** of the application server. In this example, the SPN for our published application is `http/www.contoso.com`. The SPN needs to be in the list of services to which the connector can present delegated credentials.
5. Choose the **Delegated Login Identity** for the connector to use on behalf of your users. For more information, see [Working with different on-premises and cloud identities](#working-with-different-on-premises-and-cloud-identities).
 
![Screenshot that shows the Integrated Windows Authentication configuration settings.](./media/application-proxy-configure-single-sign-on-with-kcd/cwap_auth2.png)
 
## SSO for non-Windows apps
 
 
With application proxy, you can choose the identity used to obtain the Kerberos ticket. This setting is configured per application and supports systems that require nonemail formats or alternative sign-in methods.
 
![Screenshot that shows the Delegated Login Identity dropdown options.](./media/application-proxy-configure-single-sign-on-with-kcd/app_proxy_sso_diff_id_upn.png)
 
If delegated sign-in identity is used, the value might not be unique across all the domains or forests in your organization. You can avoid this issue by publishing these applications twice using two different Connector groups. Since each application has a different user audience, you can join its connectors to a different domain.
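Review bot: the numbered list under `Connector and application server in different domains` runs 1, 4, 5 in both Before and After; if steps 2 and 3 were removed intentionally, renumber, otherwise restore them. The `Connector-SVR Properties` alt text is now accurate, but step 6 is where the delegation scope is defined: the SPN list under `Services to which this account can present delegated credentials` is the whole set of services the connector may impersonate users to, so the text should tell readers to add only the SPNs their published applications actually need rather than a broad list.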
+3 / -3 lines changed
Commit: Editorial quality fixes: 18 clarity, signpost, and code block issues
Changes:
Before
After
>
> Disable `HTTP/2` protocol support in `WinHttp` for web applications published via Microsoft Entra application proxy to work properly. `HTTP/2` is disabled by default in earlier versions of supported operating systems. Adding the following registry key and restarting the server disables `HTTP/2` on Windows Server 2019 and later. This is a machine-wide registry key.
>
> ```
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
>
> The key can be set via PowerShell with the following command:
>
> ```
> Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\' -Name EnableDefaultHTTP2 -Value 0
> ```
 
 
1. Set registry keys.
 
```
Windows Registry Editor Version 5.00
 
>
> Disable `HTTP/2` protocol support in `WinHttp` for web applications published via Microsoft Entra application proxy to work properly. `HTTP/2` is disabled by default in earlier versions of supported operating systems. Adding the following registry key and restarting the server disables `HTTP/2` on Windows Server 2019 and later. This is a machine-wide registry key.
>
> ```registry
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
>
> The key can be set via PowerShell with the following command:
>
> ```powershell
> Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\' -Name EnableDefaultHTTP2 -Value 0
> ```
 
 
1. Set registry keys.
 
```registry
Windows Registry Editor Version 5.00
 
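Review bot: tagging the fences is right, but the registry block inside the note is still structurally broken: the fence opened with ```` ```registry ```` before `Windows Registry Editor Version 5.00` is never closed, and the `[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]` key carries no value line, so `The key can be set via PowerShell ...` and the ```` ```powershell ```` fence end up inside the registry block. Since the PowerShell equivalent sets `EnableDefaultHTTP2` to `0`, the block should read
`[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]`
`"EnableDefaultHTTP2"=dword:00000000`
followed by a closing fence. The `1. Set registry keys.` block below opens the same way; confirm it is closed in the full file.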
+3 / -3 lines changed
Commit: Editorial quality fixes: 18 clarity, signpost, and code block issues
Changes:
Before
After
 
1. *Authority*: Enter *https://login.windows.net*.
 
2. *Tenant*: Enter the **Directory (tenant) ID** noted in *Configure the Application Access*.
 
3. *Audience*: Enter the *public* FQDN of your application registered in Microsoft Entra ID (for example, *sampleapp1.msappproxy.net*).
 
4. *Client ID*: Enter the **Application (client) ID** noted in *Configure the Application Access*.
 
5. *Credential Type*: **Secret**.
 
6. *Secret*: Enter the **secret value** noted in *Configure the Application Access*.
 
5. Save the logic app and test with your trigger.
 
 
1. *Authority*: Enter *https://login.windows.net*.
 
2. *Tenant*: Enter the **Directory (tenant) ID** noted in [Configure the Application Access](#configure-the-application-access).
 
3. *Audience*: Enter the *public* FQDN of your application registered in Microsoft Entra ID (for example, *sampleapp1.msappproxy.net*).
 
4. *Client ID*: Enter the **Application (client) ID** noted in [Configure the Application Access](#configure-the-application-access).
 
5. *Credential Type*: **Secret**.
 
6. *Secret*: Enter the **secret value** noted in [Configure the Application Access](#configure-the-application-access).
 
5. Save the logic app and test with your trigger.
 
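Review bot: The list numbering in this hunk is still wrong after the link fix: the six field items run 1 through 6 and are then followed by a second "5. Save the logic app and test with your trigger.", which reads as an out-of-order sub-step rather than the parent step it appears to be; either renumber it or indent the six field items under it. Converting the italic cross-references into `#configure-the-application-access` anchors is good. Two things the same editorial pass could pick up: the *Authority* value `https://login.windows.net` is the legacy host name, so confirm whether `https://login.microsoftonline.com` is intended, and the *Secret* step has the reader paste the secret value directly into the connection, which would benefit from a pointer to storing it as a secure parameter rather than in clear text.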
+3 / -3 lines changed
Commit: Editorial quality fixes: 18 clarity, signpost, and code block issues
Changes:
Before
After
 
8. Run this command for each collection. Replace *\<yourcollectionname\>* and *\<proxyfrontendurl\>* with your own information. This command enables single sign-on between RD Web and RD Gateway, and optimizes performance.
 
```
Set-RDSessionCollectionConfiguration -CollectionName "<yourcollectionname>" -CustomRdpProperty "pre-authentication server address:s:<proxyfrontendurl>`nrequire pre-authentication:i:1"
```
 
**For example:**
```
Set-RDSessionCollectionConfiguration -CollectionName "QuickSessionCollection" -CustomRdpProperty "pre-authentication server address:s:https://remotedesktoptest-aadapdemo.msappproxy.net/`nrequire pre-authentication:i:1"
```
>[!NOTE]
>The command uses a backtick in \``nrequire`.
 
9. To verify the modification of the custom RDP properties and view the RDP file contents that are downloaded from RDWeb for this collection, run the following command.
```
(get-wmiobject -Namespace root\cimv2\terminalservices -Class Win32_RDCentralPublishedRemoteDesktop).RDPFileContents
```
 
 
8. Run this command for each collection. Replace *\<yourcollectionname\>* and *\<proxyfrontendurl\>* with your own information. This command enables single sign-on between RD Web and RD Gateway, and optimizes performance.
 
```powershell
Set-RDSessionCollectionConfiguration -CollectionName "<yourcollectionname>" -CustomRdpProperty "pre-authentication server address:s:<proxyfrontendurl>`nrequire pre-authentication:i:1"
```
 
**For example:**
```powershell
Set-RDSessionCollectionConfiguration -CollectionName "QuickSessionCollection" -CustomRdpProperty "pre-authentication server address:s:https://remotedesktoptest-aadapdemo.msappproxy.net/`nrequire pre-authentication:i:1"
```
>[!NOTE]
>The command uses a backtick in \``nrequire`.
 
9. To verify the modification of the custom RDP properties and view the RDP file contents that are downloaded from RDWeb for this collection, run the following command.
```powershell
(get-wmiobject -Namespace root\cimv2\terminalservices -Class Win32_RDCentralPublishedRemoteDesktop).RDPFileContents
```
 
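Review bot: The note "The command uses a backtick in \``nrequire`" is still garbled in this hunk (the escaped backtick renders as a stray character) and does not say why the backtick matters: inside the double-quoted `-CustomRdpProperty` string, PowerShell's `` `n `` is a newline escape, so it is what separates the `pre-authentication server address:s:` property from `require pre-authentication:i:1` in the generated RDP file, and a reader who retypes it as `\n` or drops it ends up with one malformed property. Reword the note to say that. While the fences are being tagged `powershell`, step 9's `get-wmiobject` is worth updating too: `Get-WmiObject` is not available in PowerShell 7, whereas `Get-CimInstance -Namespace root\cimv2\terminalservices -ClassName Win32_RDCentralPublishedRemoteDesktop` works in both Windows PowerShell and PowerShell 7.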
Modified by Ken Withee on Mar 26, 2026 8:40 PM
+2 / -2 lines changed
Commit: Editorial quality fixes: 18 clarity, signpost, and code block issues
Changes:
Before
After
### Application 2: Qlik Sense virtual proxy
Follow the same steps as for Application #1, with the following exceptions:
 
**Step #5**: The Internal URL should now be the Qlik Sense URL with the authentication port used by the application. The default is **4244** for HTTPS, and **4248** for HTTP for Qlik Sense releases before April 2018. The default for Qlik Sense releases after April 2018 is **443** for HTTPS and **80** for HTTP. For example, `https//demo.qlik.com:4244`.
 
**Step #10:** Don’t set up single sign-on. Leave the **single sign-on** option disabled.
## Testing
Your application is now ready to test. Access the external URL you used to publish Qlik Sense in Application #1, and sign in as a user assigned to both applications.
### Application 2: Qlik Sense virtual proxy
Follow the same steps as for Application #1, with the following exceptions:
 
**Step #5** (required fields): The Internal URL should now be the Qlik Sense URL with the authentication port used by the application. The default is **4244** for HTTPS, and **4248** for HTTP for Qlik Sense releases before April 2018. The default for Qlik Sense releases after April 2018 is **443** for HTTPS and **80** for HTTP. For example, `https//demo.qlik.com:4244`.
 
**Step #8** (single sign-on): Don't set up single sign-on. Leave the **single sign-on** option disabled.
## Testing
Your application is now ready to test. Access the external URL you used to publish Qlik Sense in Application #1, and sign in as a user assigned to both applications.
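Review bot: The example URL in **Step #5**, `https//demo.qlik.com:4244`, is missing the colon after `https` in both Before and After; since this is the value a reader is told to enter as the Internal URL, fix it to `https://demo.qlik.com:4244`. Renumbering the single sign-on exception from Step #10 to Step #8 and adding the `(required fields)` and `(single sign-on)` signposts is fine, but confirm against the Application #1 procedure that the single sign-on option really is its step 8 now, since the hunk only shows the referencing side.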
+2 / -2 lines changed
Commit: cleanu
Changes:
Before
After
identityParentId = "<associated-agent-identity-id>"
};
// Call the downstream API (Graph) with a POST request to create an Agent User
var jsonResult = await downstreamApi.PostForAppAsync<AgentIdUser, AgentIdUser>(
"agent-identity",
requestBody
// Get the service to call the downstream API (preconfigured in the appsettings.json file)
IAuthorizationHeaderProvider authorizationHeaderProvider = serviceProvider.GetService<IAuthorizationHeaderProvider>();
 
// Configure options for the agent user identity
string agentIdentity = "agent-identity-id";
string userId = "<user-object-id>";
var options = new AuthorizationHeaderProviderOptions()
identityParentId = "<associated-agent-identity-id>"
};
// Call the downstream API (Graph) with a POST request to create an agent's user account
var jsonResult = await downstreamApi.PostForAppAsync<AgentIdUser, AgentIdUser>(
"agent-identity",
requestBody
// Get the service to call the downstream API (preconfigured in the appsettings.json file)
IAuthorizationHeaderProvider authorizationHeaderProvider = serviceProvider.GetService<IAuthorizationHeaderProvider>();
 
// Configure options for the agent's user account identity
string agentIdentity = "agent-identity-id";
string userId = "<user-object-id>";
var options = new AuthorizationHeaderProviderOptions()
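Review bot: The placeholder conventions in this snippet are inconsistent and the comment change does not fix that: `userId = "<user-object-id>"` and `identityParentId = "<associated-agent-identity-id>"` use angle-bracket placeholders, while `agentIdentity = "agent-identity-id"` reads like a literal value; make it `"<agent-identity-id>"` so readers do not ship the string as-is. Also, `serviceProvider.GetService<IAuthorizationHeaderProvider>()` returns null when the service is not registered and the code then goes on to build `AuthorizationHeaderProviderOptions`; `GetRequiredService<IAuthorizationHeaderProvider>()` fails fast with a clear message instead. The rewording from "Agent User" to "agent's user account" in the comments matches the rest of this cleanup.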
+2 / -2 lines changed
Commit: cleanu
Changes:
Before
After
_credential = credential;
}
// Use object ID to identify the agent user
public async Task<List<string>> ListBlobsForAgentAsync(string agentIdentity)
{
// Configure for agent identity
return blobs;
}
 
// Use UPN to identify the agent user\
public async Task<List<string>> ListBlobsForAgentAsync(string agentIdentity)
{
// Configure for agent identity
_credential = credential;
}
// Use object ID to identify the agent's user account
public async Task<List<string>> ListBlobsForAgentAsync(string agentIdentity)
{
// Configure for agent identity
return blobs;
}
 
// Use UPN to identify the agent's user account\
public async Task<List<string>> ListBlobsForAgentAsync(string agentIdentity)
{
// Configure for agent identity
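Review bot: Both methods in this hunk are declared as `public async Task<List<string>> ListBlobsForAgentAsync(string agentIdentity)`, so as shown they would not compile in one class (same name and signature twice), and the second one, commented "Use UPN to identify the agent's user account", still takes a parameter called `agentIdentity` rather than a UPN; give it a distinct name and parameter (for example a `string userPrincipalName`) or show only one variant. The comment `// Use UPN to identify the agent's user account\` also keeps the stray trailing backslash from the Before text, which the comment rewording should have dropped.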
+2 / -2 lines changed
Commit: Update images in iOS client installation guide
Changes:
Before
After
 
## Confirm Global Secure Access appears in the Defender app
Because the Global Secure Access client for iOS is integrated with Microsoft Defender for Endpoint, it's helpful to understand the end user experience. The client appears in the Defender dashboard after onboarding to Global Secure Access.
:::image type="content" source="media/how-to-install-ios-client/ios-defender-dashboard.png" alt-text="Screenshot of the iOS Microsoft Defender dashboard.":::
 
You can enable or disable the Global Secure Access client for iOS by setting the **EnableGSA** key in the [VPN profile](#create-a-vpn-profile-and-configure-global-secure-access-for-microsoft-defender-for-endpoint). End users can enable or disable individual **Services** or the client itself based on the configuration settings, using the appropriate toggles.
:::image type="content" source="media/how-to-install-ios-client/ios-client-enabled-disabled.png" alt-text="Screenshot of the Global Secure Access client on iOS showing both the Enabled and Disabled status screens.":::
 
## Troubleshooting
- The Global Secure Access tile doesn't appear in the Defender app after onboarding the tenant:
 
## Confirm Global Secure Access appears in the Defender app
Because the Global Secure Access client for iOS is integrated with Microsoft Defender for Endpoint, it's helpful to understand the end user experience. The client appears in the Defender dashboard after onboarding to Global Secure Access.
:::image type="content" source="media/how-to-install-ios-client/ios-defender-dashboard-1.png" alt-text="Screenshot of the iOS Microsoft Defender dashboard.":::
 
You can enable or disable the Global Secure Access client for iOS by setting the **EnableGSA** key in the [VPN profile](#create-a-vpn-profile-and-configure-global-secure-access-for-microsoft-defender-for-endpoint). End users can enable or disable individual **Services** or the client itself based on the configuration settings, using the appropriate toggles.
:::image type="content" source="media/how-to-install-ios-client/ios-client-enabled-disabled-1.png" alt-text="Screenshot of the Global Secure Access client on iOS showing both the Enabled and Disabled status screens.":::
 
## Troubleshooting
- The Global Secure Access tile doesn't appear in the Defender app after onboarding the tenant:
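Review bot: The image references change from `ios-defender-dashboard.png` and `ios-client-enabled-disabled.png` to the `-1` variants while the alt text is left untouched; check that the alt text still describes what the new screenshots show, and that the old files are either removed or not still referenced elsewhere, since a rename with no other edit leaves orphaned media in the repo. The `EnableGSA` sentence and the Troubleshooting lead-in are unchanged and read fine.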