📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 26th 2026, 9:27 PM PDT

Report generated on March 27th 2026, 9:27 PM PDT

📊 Summary

Total Commits: 34
New Files: 1
Modified Files: 35
Deleted Files: 0
Contributors: 14

🆕 New Documentation Files

+158 lines added
Commit: Add migration guide: DirectAccess to Private Access

📝 Modified Documentation Files

+32 / -22 lines changed
Commit: Refine DirectAccess-to-Private Access docs
Changes:
Before
After
ms.author: jayrusso
ms.service: global-secure-access
ms.topic: how-to
ms.date: 03/13/2026
ms.reviewer: buzaher
 
#customer intent: As a security administrator, I want to migrate from DirectAccess to Microsoft Entra Private Access so that I can provide secure, identity-aware access to private resources without the limitations of legacy VPN solutions.
 
# Migrate from DirectAccess to Microsoft Entra Private Access
 
DirectAccess provides organizations with seamless remote connectivity to internal resources without traditional VPN connections. However, DirectAccess relies on IPv6 transition technologies (IP-HTTPS, Teredo, ISATAP, 6to4), requires domain-joined Windows Enterprise clients, and provides full network-level access once connected. These architectural constraints don't align with modern hybrid and cloud-first environments where organizations need identity-aware, per-application access across diverse device types. Microsoft Entra Private Access is a cloud-based Zero Trust Network Access (ZTNA) solution that replaces the need for legacy VPN and DirectAccess infrastructure. It uses the [Global Secure Access client](/entra/global-secure-access/concept-clients) and [private network connectors](/entra/global-secure-access/how-to-configure-connectors) to provide conditional, per-app access to private resources without exposing your network to inbound connections. Migrating from DirectAccess to Microsoft Entra Private Access reduces infrastructure complexity, strengthens your Zero Trust posture, and extends secure access to any managed or unmanaged device.
 
### Technical incompatibilities between DirectAccess and Private Access
 
 
Before you begin the migration, ensure the following requirements are met:
 
- Microsoft Entra Private Access is enabled in your tenant. Your pilot user is descoped from Private Access [user assignment](/entra/global-secure-access/how-to-manage-users-groups-assignment) initially.
- Private Access connectivity is configured by using [Quick Access](/entra/global-secure-access/how-to-configure-quick-access) or [per-app access](/entra/global-secure-access/how-to-configure-per-app-access).
- [Private DNS](/entra/global-secure-access/concept-private-name-resolution) and name resolution for internal resources is configured as required.
ms.author: jayrusso
ms.service: global-secure-access
ms.topic: how-to
ms.date: 03/16/2026
ms.reviewer: buzaher
 
#customer intent: As a security administrator, I want to migrate from DirectAccess to Microsoft Entra Private Access so that I can provide secure, identity-aware access to private resources without the limitations of legacy VPN solutions.
 
# Migrate from DirectAccess to Microsoft Entra Private Access
 
DirectAccess provides remote connectivity to internal resources but relies on IPv6 transition technologies, requires domain-joined Windows Enterprise clients, and grants full network-level access once connected. However, these architectural constraints don't meet the needs of modern hybrid and cloud-first environments.
 
Microsoft Entra Private Access is a cloud-based, Zero Trust Network Access (ZTNA) solution that replaces legacy VPN and DirectAccess infrastructure. It uses the [Global Secure Access client](/entra/global-secure-access/concept-clients) and [private network connectors](/entra/global-secure-access/how-to-configure-connectors), to deliver conditional, per-app access to private resources without exposing your network to inbound connections. Migrating to Microsoft Entra Private Access reduces infrastructure complexity, strengthens your Zero Trust posture, and extends secure access to any managed or unmanaged device.
 
### Technical incompatibilities between DirectAccess and Private Access
 
 
Before you begin the migration, ensure the following requirements are met:
 
- Microsoft Entra Private Access is enabled in your tenant. Descope the pilot user from Private Access [user assignment](/entra/global-secure-access/how-to-manage-users-groups-assignment) for the initial setup.
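Review bot: The `### Technical incompatibilities between DirectAccess and Private Access` heading (unchanged in this revision) is still followed directly by the prerequisites list, so it has no body of its own, and it jumps from the H1 straight to an H3 with no H2 in between. Either put a short list of the incompatibilities under it or drop it and place `Before you begin the migration...` under a `## Prerequisites` heading. The shortened opening paragraph also drops the named transition technologies (IP-HTTPS, Teredo, ISATAP, 6to4) that the earlier text listed; those are the names an administrator searches for when inventorying DirectAccess dependencies, so keep them in the shorter sentence. Minor: `However, these architectural constraints...` follows a sentence that already turns on `but`, so `However` can go.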
Modified by TheWriteDoc on Mar 27, 2026 8:34 PM
+25 / -24 lines changed
Commit: userstory538967
Changes:
Before
After
title: Bulk invite B2B users
description: Learn how to bulk invite B2B collaboration users in Microsoft Entra External ID. Follow the steps to prepare a CSV file, upload it, and verify guest users in the directory.
ms.topic: tutorial
ms.date: 11/17/2025
ms.collection: M365-identity-device-management
ms.custom: sfi-image-nochange
# Customer intent: As a Microsoft Entra admin, I want to learn how to bulk invite external users to my organization using the Microsoft Entra admin center, so that I can efficiently manage user invitations and onboarding.
---
# Tutorial: Bulk invite B2B collaboration users in Microsoft Entra External ID
 
 
> [!div class="checklist"]
>
> * Use **Bulk invite users** to prepare a comma-separated value (.csv) file with the user information and invitation preferences
> * Upload the .csv file to Microsoft Entra ID
> * Verify the users were added to the directory
 
## Prerequisites
- If you don’t have Microsoft Entra ID, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin.
- You need two or more test email accounts that you can send the invitations to. The accounts must be from outside your organization. You can use any type of account, including social accounts such as gmail.com or outlook.com addresses.
title: Bulk invite B2B users
description: Learn how to bulk invite B2B collaboration users in Microsoft Entra External ID. Follow the steps to prepare a CSV file, upload it, and verify guest users in the directory.
ms.topic: tutorial
ms.date: 03/27/2026
ai-usage: ai-assisted
ms.collection: M365-identity-device-management
ms.custom: sfi-image-nochange
#customer intent: As a Microsoft Entra admin, I want to learn how to bulk invite external users to my organization using the Microsoft Entra admin center, so that I can efficiently manage user invitations and onboarding.
---
# Tutorial: Bulk invite B2B collaboration users in Microsoft Entra External ID
 
 
> [!div class="checklist"]
>
> * Use **Bulk invite users** to prepare a comma-separated value (.csv) file with user information and invitation preferences.
> * Upload the .csv file to Microsoft Entra ID.
> * Verify that users were added to the directory.
 
## Prerequisites
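Review bot: Confirm that the two prerequisite bullets (the free account link and the two or more external test email accounts) are still present; the After view stops at the blank line added under `## Prerequisites`, so they're not visible here. The `# Customer intent` key was also normalized to lowercase `#customer intent`, which matches the other files in this batch.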
 
+16 / -15 lines changed
Commit: userstory538967
Changes:
Before
After
title: Identity providers for external tenants
description: Learn sign-in and MFA options for customer identity and access management (CIAM), including email, one-time passcodes, social providers, SAML/WS-Fed, and OIDC.
ms.topic: concept-article
ms.date: 10/07/2025
ms.custom: it-pro, seo-july-2024
#customer intent: As an External ID administrator, I want to configure and enable multiple identity providers (such as email one-time passcode, Google, Facebook, Apple, SAML/WS-Fed, and custom OIDC) for external users, so that they can easily sign in and access our apps and resources.
---
 
- **Password reset**: If you enable email and password sign-in, a password reset link appears on the password page. If the user forgets their password, selecting this link sends a one-time passcode to their email address. After verification, the user can choose a new password.
 
:::image type="content" source="media/concept-authentication-methods-customers/email-password-sign-in.png" alt-text="Screenshots of the email with password sign-in screens." border="false":::
 
When you [create a sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md#create-and-customize-a-user-flow), **Email with password** is the default option.
 
 
When you enable username sign-in, users can choose to sign in with either their email address or their username. If they choose to sign in with their username, they will be prompted to enter a password, similar to Email and password sign-in. If you [enable password reset](how-to-customize-branding-customers.md#to-customize-self-service-password-reset), users can reset their password by selecting the password reset link on the sign-in page.
 
:::image type="content" source="media/how-to-sign-in-alias/alias-sign-in.png" alt-text="Screenshot of the username sign-in option.":::
 
## Email with one-time passcode sign-in
title: Identity providers for external tenants
description: Learn sign-in and MFA options for customer identity and access management (CIAM), including email, one-time passcodes, social providers, SAML/WS-Fed, and OIDC.
ms.topic: concept-article
ms.date: 03/27/2026
ai-usage: ai-assisted
ms.custom: it-pro, seo-july-2024
#customer intent: As an External ID administrator, I want to configure and enable multiple identity providers (such as email one-time passcode, Google, Facebook, Apple, SAML/WS-Fed, and custom OIDC) for external users, so that they can easily sign in and access our apps and resources.
---
 
- **Password reset**: If you enable email and password sign-in, a password reset link appears on the password page. If the user forgets their password, selecting this link sends a one-time passcode to their email address. After verification, the user can choose a new password.
 
:::image type="content" source="media/concept-authentication-methods-customers/email-password-sign-in.png" alt-text="Email and password screens shown during local account sign-up and sign-in." border="false":::
 
When you [create a sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md#create-and-customize-a-user-flow), **Email with password** is the default option.
 
 
When you enable username sign-in, users can choose to sign in with either their email address or their username. If they choose to sign in with their username, they will be prompted to enter a password, similar to Email and password sign-in. If you [enable password reset](how-to-customize-branding-customers.md#to-customize-self-service-password-reset), users can reset their password by selecting the password reset link on the sign-in page.
 
:::image type="content" source="media/how-to-sign-in-alias/alias-sign-in.png" alt-text="Username sign-in option on the sign-in page.":::
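Review bot: Since this commit already touched the alt-text on the adjacent line, the unchanged sentence `they will be prompted to enter a password, similar to Email and password sign-in` is worth fixing in the same pass: Microsoft style uses present tense (`they're prompted`), and the option is named **Email with password** two paragraphs earlier, so `Email and password sign-in` should use that same name.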
 
Modified by TheWriteDoc on Mar 27, 2026 8:34 PM
+17 / -13 lines changed
Commit: userstory538967
Changes:
Before
After
---
 
title: Use Microsoft Accounts
description: Enable your external business partners and guest users to use their Microsoft Account (MSA) to sign in to your apps for B2B collaboration.
ms.topic: how-to
ms.date: 04/14/2025
ms.collection: M365-identity-device-management
ms.custom: seo-july-2024
 
#Customer intent: As a B2B collaboration administrator, I want to understand the built-in capability for using Microsoft account (MSA) as an identity provider for External ID, so that guest users can use their personal Microsoft accounts to sign in without additional configuration.
---
 
# Use Microsoft accounts (MSA) for B2B collaboration
 
[!INCLUDE [applies-to-workforce-only](./includes/applies-to-workforce-only.md)]
 
Your B2B guest users can use their own personal Microsoft accounts for B2B collaboration without further configuration. Guest users can redeem your B2B collaboration invitations or complete your sign-up user flows using their personal Microsoft account.
 
Microsoft accounts are set up by a user to get access to consumer-oriented Microsoft products and cloud services, such as Outlook, OneDrive, Xbox LIVE, or Microsoft 365. The account is created and stored in the Microsoft consumer identity account system, run by Microsoft.
 
---
 
title: Use Microsoft accounts
description: Enable your external business partners and guest users to use their Microsoft account (MSA) to sign in to your apps for B2B collaboration.
ms.topic: how-to
ms.date: 03/27/2026
ai-usage: ai-assisted
ms.collection: M365-identity-device-management
ms.custom: seo-july-2024
 
#customer intent: As a B2B collaboration administrator, I want to understand the built-in capability for using Microsoft account (MSA) as an identity provider for Microsoft Entra External ID, so that guest users can use their personal Microsoft accounts to sign in without additional configuration.
---
 
# Use Microsoft accounts for B2B collaboration
 
[!INCLUDE [applies-to-workforce-only](./includes/applies-to-workforce-only.md)]
 
Your B2B guest users can use their own personal Microsoft accounts for B2B collaboration without further configuration. Guest users can redeem your B2B collaboration invitations or complete your sign-up user flows using their personal Microsoft account.
 
Microsoft accounts are set up by a user to get access to consumer-oriented Microsoft products and cloud services, such as Outlook, OneDrive, Xbox, or Microsoft 365. The account is created and stored in the Microsoft consumer identity account system, run by Microsoft.
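Review bot: Removing `(MSA)` from the H1 leaves the abbreviation undefined in the body, while the `description` and `#customer intent` lines still use it. Define it once on first use in the body (`personal Microsoft accounts (MSA)`) or remove it from the metadata as well so the two stay consistent.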
Modified by TheWriteDoc on Mar 27, 2026 8:34 PM
+13 / -9 lines changed
Commit: userstory538967
Changes:
Before
After
---
title: Use Microsoft Entra Accounts
description: Enable your external business partners and guest users to use their Microsoft Entra work or school accounts to sign in to your apps for B2B collaboration.
ms.topic: how-to
ms.date: 04/09/2025
ms.collection: M365-identity-device-management
ms.custom: seo-july-2024
#customer intent: As a B2B collaboration administrator, I want to understand the built-in capability for using Microsoft Entra ID as an identity provider for external guests, so that guest users can use their Microsoft Entra work or school account to sign in without additional configuration.
---
 
# Use Microsoft Entra work and school accounts for B2B collaboration
 
[!INCLUDE [applies-to-workforce-only](./includes/applies-to-workforce-only.md)]
 
 
When you [invite a guest user](add-users-administrator.yml) to B2B collaboration, you can specify their Microsoft Entra account as the **Email address** they use to sign in.
 
:::image type="content" source="media/default-account/default-account-invite.png" alt-text="Screenshot of inviting a guest user using the Microsoft Entra account." lightbox="media/default-account/default-account-invite.png":::
 
<a name='azure-ad-account-in-self-service-sign-up-user-flows'></a>
---
title: Use Microsoft Entra accounts
description: Enable your external business partners and guest users to use their Microsoft Entra work or school accounts to sign in to your apps for B2B collaboration.
ms.topic: how-to
ms.date: 03/27/2026
ai-usage: ai-assisted
ms.collection: M365-identity-device-management
ms.custom: seo-july-2024
#customer intent: As a B2B collaboration administrator, I want to understand the built-in capability for using Microsoft Entra ID as an identity provider for external guests, so that guest users can use their Microsoft Entra work or school account to sign in without additional configuration.
---
 
# Use Microsoft Entra work or school accounts for B2B collaboration
 
[!INCLUDE [applies-to-workforce-only](./includes/applies-to-workforce-only.md)]
 
 
When you [invite a guest user](add-users-administrator.yml) to B2B collaboration, you can specify their Microsoft Entra account as the **Email address** they use to sign in.
 
:::image type="content" source="media/default-account/default-account-invite.png" alt-text="Invite user pane showing a Microsoft Entra work or school account as the sign-in email." lightbox="media/default-account/default-account-invite.png":::
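Review bot: The Before view ends with the legacy anchor `<a name='azure-ad-account-in-self-service-sign-up-user-flows'></a>` directly after the invite screenshot, but the After view stops at the screenshot, so it isn't visible whether the anchor survived. If it was removed, existing deep links to that fragment break; keep it unless the old fragment is redirected elsewhere.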
 
Modified by TheWriteDoc on Mar 27, 2026 8:34 PM
+9 / -9 lines changed
Commit: userstory538967
Changes:
Before
After
---
title: Cross Cloud Settings
description: Enable secure cross-cloud B2B collaboration between organizations in different sovereign (national) Microsoft Azure clouds by configuring Microsoft cloud settings.
ms.topic: how-to
ms.date: 04/14/2025
ms.collection: M365-identity-device-management
ms.custom: it-pro, seo-july-2024, sfi-image-nochange
#customer intent: As an admin configuring B2B collaboration between partner organizations in different Microsoft Azure clouds, I want to enable collaboration with the partner's cloud, add the partner to my organizational settings, and configure inbound and outbound settings, so that Microsoft Entra B2B collaboration between the organizations is enabled.
 
## Enable the cloud in your Microsoft cloud settings
 
 
In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
1. Browse to **Entra ID** > **External Identities** > **Cross-tenant access settings**, then select **Microsoft cloud settings**.
1. Select the checkboxes next to the external Microsoft Azure clouds you want to enable.
 
:::image type="content" source="media/cross-cloud-settings/cross-cloud-settings.png" alt-text="Screenshot showing Microsoft cloud settings." border="true":::
 
---
title: Cross-cloud settings
description: Enable secure cross-cloud B2B collaboration between organizations in different sovereign (national) Microsoft Azure clouds by configuring Microsoft cloud settings.
ms.topic: how-to
ms.date: 03/27/2026
ai-usage: ai-assisted
ms.collection: M365-identity-device-management
ms.custom: it-pro, seo-july-2024, sfi-image-nochange
#customer intent: As an admin configuring B2B collaboration between partner organizations in different Microsoft Azure clouds, I want to enable collaboration with the partner's cloud, add the partner to my organizational settings, and configure inbound and outbound settings, so that Microsoft Entra B2B collaboration between the organizations is enabled.
 
## Enable the cloud in your Microsoft cloud settings
 
In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
1. Browse to **Entra ID** > **External Identities** > **Cross-tenant access settings**, then select **Microsoft cloud settings**.
1. Select the checkboxes next to the external Microsoft Azure clouds you want to enable.
 
:::image type="content" source="media/cross-cloud-settings/cross-cloud-settings.png" alt-text="Microsoft cloud settings page with external cloud options selected." border="true":::
 
+9 / -8 lines changed
Commit: userstory538966
Changes:
Before
After
title: Authentication and Conditional Access for B2B users
description: Learn how to enforce multifactor authentication policies for Microsoft Entra B2B users.
ms.topic: concept-article
ms.date: 07/07/2025
ms.collection: M365-identity-device-management
ms.custom: no-azure-ad-ps-ref, sfi-image-nochange
#customer intent: As an IT admin managing external user access to resources in my organization, I want to understand the authentication flow and Conditional Access policies for external users, so that I can ensure secure access and compliance with our organization's policies.
---
> [!TIP]
> This article applies to B2B collaboration and B2B direct connect in workforce tenants. For information about external tenants, see [Security and governance in Microsoft Entra External ID](customers/concept-security-customers.md).
 
When an external user accesses resources in your organization, the authentication flow is determined by the collaboration method (B2B collaboration or B2B direct connect), user's identity provider (an external Microsoft Entra tenant, social identity provider, and so on), Conditional Access policies, and the [cross-tenant access settings](cross-tenant-access-overview.md) configured both in the user's home tenant and the tenant hosting resources.
 
This article describes the authentication flow for external users who are accessing resources in your organization. Organizations can enforce multiple Conditional Access policies for their external users, which can be enforced at the tenant, app, or individual user level in the same way that they're enabled for full-time employees and members of the organization.
 
Organizations can enforce Conditional Access policies for external B2B collaboration and B2B direct connect users in the same way that they’re enabled for full-time employees and members of the organization. With the introduction of cross-tenant access settings, you can also trust MFA and device claims from external Microsoft Entra organizations. This section describes important considerations for applying Conditional Access to users outside of your organization.
 
> [!NOTE]
> Custom Controls with Conditional Access are not support for cross-tenant trusts.
 
title: Authentication and Conditional Access for B2B users
description: Learn how to enforce multifactor authentication policies for Microsoft Entra B2B users.
ms.topic: concept-article
ms.date: 03/27/2026
ms.collection: M365-identity-device-management
ai-usage: ai-assisted
ms.custom: no-azure-ad-ps-ref, sfi-image-nochange
#customer intent: As an IT admin managing external user access to resources in my organization, I want to understand the authentication flow and Conditional Access policies for external users, so that I can ensure secure access and compliance with our organization's policies.
---
> [!TIP]
> This article applies to B2B collaboration and B2B direct connect in workforce tenants. For information about external tenants, see [Security and governance in Microsoft Entra External ID](customers/concept-security-customers.md).
 
When an external user accesses resources in your organization, the authentication flow is determined by the collaboration method (B2B collaboration or B2B direct connect), user's identity provider (for example, an external Microsoft Entra tenant or social identity provider), Conditional Access policies, and the [cross-tenant access settings](cross-tenant-access-overview.md) configured both in the user's home tenant and the tenant hosting resources.
 
This article describes the authentication flow for external users who are accessing resources in your organization. Organizations can enforce multiple Conditional Access policies for their external users, which can be enforced at the tenant, app, or individual user level in the same way that they're enabled for full-time employees and members of the organization.
 
Organizations can enforce Conditional Access policies for external B2B collaboration and B2B direct connect users in the same way that they’re enabled for full-time employees and members of the organization. With the introduction of cross-tenant access settings, you can also trust MFA and device claims from external Microsoft Entra organizations. This section describes important considerations for applying Conditional Access to users outside of your organization.
 
> [!NOTE]
> Custom Controls with Conditional Access are not supported for cross-tenant trusts.
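Review bot: Two consecutive paragraphs (`This article describes...` and `Organizations can enforce...`) both end with the same clause, `in the same way that they're enabled for full-time employees and members of the organization`; since the commit already edited this passage, fold the duplicated clause into one paragraph. The second paragraph also uses a curly apostrophe (`they’re`) where the first uses a straight one (`they're`).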
Modified by TheWriteDoc on Mar 27, 2026 5:57 PM
+8 / -7 lines changed
Commit: userstory538966
Changes:
Before
After
title: Email one-time passcode authentication
description: Learn how to enable and use email one-time passcode authentication for B2B guest users in Microsoft Entra External ID. This feature provides a seamless fallback authentication method for sign-in.
ms.topic: how-to
ms.date: 11/17/2025
ms.custom: it-pro
ms.collection: M365-identity-device-management
#customer intent: As a B2B collaboration administrator, I want to make sure invited users can authenticate using email one-time passcode, so that invited users can sign in using a passcode even when other authentication methods are not available.
---
* `https://myapps.microsoft.com/<your verified domain>.onmicrosoft.com`
* `https://portal.azure.com/<your tenant ID>`
 
You can also give email one-time passcode guest users a direct link to an application or resource by including your tenant information, for example `https://myapps.microsoft.com/signin/X/<application ID?tenantId=<your tenant ID>`.
 
> [!NOTE]
> Email one-time passcode guest users can sign in to Microsoft Teams directly from the common endpoint without choosing **Sign-in options**. During the sign-in process to Microsoft Teams, the guest user can select a link to send a one-time passcode.
 
With one-time passcode authentication, the guest user can redeem your invitation by clicking a direct link or by using the invitation email. In either case, a message in the browser indicates that a code will be sent to the guest user's email address. The guest user selects **Send code**:
 
![Screenshot showing the Send code button.](media/one-time-passcode/otp-send-code.png)
 
title: Email one-time passcode authentication
description: Learn how to enable and use email one-time passcode authentication for B2B guest users in Microsoft Entra External ID. This feature provides a seamless fallback authentication method for sign-in.
ms.topic: how-to
ms.date: 03/27/2026
ms.custom: it-pro
ai-usage: ai-assisted
ms.collection: M365-identity-device-management
#customer intent: As a B2B collaboration administrator, I want to make sure invited users can authenticate using email one-time passcode, so that invited users can sign in using a passcode even when other authentication methods are not available.
---
* `https://myapps.microsoft.com/<your verified domain>.onmicrosoft.com`
* `https://portal.azure.com/<your tenant ID>`
 
You can also give email one-time passcode guest users a direct link to an application or resource by including your tenant information, for example `https://myapps.microsoft.com/signin/X/<application ID>?tenantId=<your tenant ID>`.
 
> [!NOTE]
> Email one-time passcode guest users can sign in to Microsoft Teams directly from the common endpoint without choosing **Sign-in options**. During the sign-in process to Microsoft Teams, the guest user can select a link to send a one-time passcode.
 
With one-time passcode authentication, the guest user can redeem your invitation by clicking a direct link or by using the invitation email. In either case, a message in the browser indicates that a code will be sent to the guest user's email address. The guest user selects **Send code**:
 
:::image type="content" source="media/one-time-passcode/otp-send-code.png" alt-text="Screenshot showing the Send code button.":::
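Review bot: The new `:::image` directive keeps the alt-text `Screenshot showing the Send code button.`, whereas the other files in this batch rewrote `Screenshot showing...` alt-text to describe the content (for example `Microsoft cloud settings page with external cloud options selected.`); apply the same convention here. The placeholder fix `<application ID>?tenantId=` closes the angle bracket that was missing before; if the `X` in `/signin/X/` is itself a placeholder rather than a literal path segment, mark it with angle brackets too so readers don't copy it verbatim.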
+13 / -1 lines changed
Commit: Add CA reauthentication guidance to 3 PIM role settings articles
Changes:
Before
After
title: Configure PIM for Groups settings
description: Learn how to configure PIM for Groups settings.
ms.topic: how-to
ms.date: 03/23/2026
ms.custom: pim, sfi-image-nochange
---
 
# Configure PIM for Groups settings
 
This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy was created because of a configuration mistake. This backup protection mechanism isn't triggered if the Conditional Access policy is turned off, is in report-only mode, or has eligible users excluded from the policy.
 
The **On activation, require Microsoft Entra Conditional Access authentication context** setting defines the authentication context requirements that users must satisfy when they activate group membership/ownership. After group membership/ownership is activated, users aren't prevented from using another browsing session, device, or location to use group membership/ownership.
 
For example, users might use an Intune-compliant device to activate group membership/ownership. Then after the role is activated, they might sign in to the same user account from another device that isn't Intune compliant and use the previously activated group ownership/membership from there.
 
 
 
 
 
 
title: Configure PIM for Groups settings
description: Learn how to configure PIM for Groups settings.
ms.topic: how-to
ms.date: 03/27/2026
ms.reviewer: tamimsangrar
ms.custom: pim, sfi-image-nochange
ai-usage: ai-assisted
---
 
# Configure PIM for Groups settings
 
This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy was created because of a configuration mistake. This backup protection mechanism isn't triggered if the Conditional Access policy is turned off, is in report-only mode, or has eligible users excluded from the policy.
 
To enforce reauthentication on every group membership or ownership activation, configure the Conditional Access policy targeting your authentication context with sign-in frequency set to **Every time** under **Session controls**. This ensures users must reauthenticate each time they activate group membership or ownership, even if they have an active session.
 
:::image type="content" source="media/pim-for-groups/role-settings-conditional-access-authentication-context.png" alt-text="Screenshot that shows the Edit role setting page with the Microsoft Entra Conditional Access authentication context option selected." lightbox="media/pim-for-groups/role-settings-conditional-access-authentication-context.png":::
 
When a user reauthenticates for one activation, a 10-minute window applies. If the user activates another eligible membership or ownership within this window, they aren't prompted to reauthenticate again. The 10-minute window applies across Microsoft Entra roles, Azure resource roles, and PIM for Groups.
 
When a user activates eligible group membership or ownership configured with an authentication context, they see the message: "A Conditional Access policy is enabled and may require additional verification. Click to continue." The user is then redirected to complete reauthentication as defined by the Conditional Access policy.
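Review bot: The new paragraph says sign-in frequency **Every time** `ensures users must reauthenticate each time they activate group membership or ownership`, but two paragraphs later a 10-minute window is described in which a second activation is not prompted. As written the two statements contradict each other; state the window in the first paragraph (for example `reauthenticate on activation, subject to the 10-minute window described below`) so an administrator doesn't assume strict per-activation reauthentication when relying on this control. The screenshot added here shows the Edit role setting page, not the Conditional Access session-controls page the paragraph is describing; a screenshot of the sign-in frequency control would support the step better.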
+13 / -1 lines changed
Commit: Add CA reauthentication guidance to 3 PIM role settings articles
Changes:
Before
After
title: Configure Microsoft Entra role settings in PIM
description: Learn how to configure Microsoft Entra role settings in Privileged Identity Management (PIM).
ms.topic: how-to
ms.date: 03/23/2026
ms.custom: pim, sfi-ga-nochange
---
# Configure Microsoft Entra role settings in Privileged Identity Management
 
 
This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy was created because of a configuration mistake. This backup protection mechanism isn't triggered if the Conditional Access policy is turned off, is in report-only mode, or has an eligible user excluded from the policy.
 
The **On activation, require Microsoft Entra Conditional Access authentication context** setting defines the authentication context requirements that users must satisfy when they activate the role. After the role is activated, users aren't prevented from using another browsing session, device, or location to use permissions.
 
For example, users might use an Intune-compliant device to activate the role. Then after the role is activated, they might sign in to the same user account from another device that isn't Intune compliant and use the previously activated role from there.
 
 
 
 
 
 
title: Configure Microsoft Entra role settings in PIM
description: Learn how to configure Microsoft Entra role settings in Privileged Identity Management (PIM).
ms.topic: how-to
ms.date: 03/27/2026
ms.reviewer: tamimsangrar
ms.custom: pim, sfi-ga-nochange
ai-usage: ai-assisted
---
# Configure Microsoft Entra role settings in Privileged Identity Management
 
 
This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy was created because of a configuration mistake. This backup protection mechanism isn't triggered if the Conditional Access policy is turned off, is in report-only mode, or has an eligible user excluded from the policy.
 
To enforce reauthentication on every role activation, configure the Conditional Access policy targeting your authentication context with sign-in frequency set to **Every time** under **Session controls**. This ensures users must reauthenticate each time they activate a privileged role, even if they have an active session.
 
:::image type="content" source="media/pim-how-to-change-default-settings/role-settings-conditional-access-authentication-context.png" alt-text="Screenshot that shows the Edit role setting page with the Microsoft Entra Conditional Access authentication context option selected." lightbox="media/pim-how-to-change-default-settings/role-settings-conditional-access-authentication-context.png":::
 
When a user reauthenticates for one role activation, a 10-minute window applies. If the user activates another eligible role within this window, they aren't prompted to reauthenticate again. The 10-minute window applies across Microsoft Entra roles, Azure resource roles, and PIM for Groups.
 
When a user activates an eligible role configured with an authentication context, they see the message: "A Conditional Access policy is enabled and may require additional verification. Click to continue." The user is then redirected to complete reauthentication as defined by the Conditional Access policy.
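Review bot: the sentence "This ensures users must reauthenticate each time they activate a privileged role, even if they have an active session" contradicts the paragraph two below it, which says that after one reauthentication a 10-minute window applies across Microsoft Entra roles, Azure resource roles, and PIM for Groups and further activations inside it aren't prompted. Qualify the "Every time" guidance, for example "each time they activate a privileged role outside the 10-minute window described below", so the two statements agree.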
+13 / -1 lines changed
Commit: Add CA reauthentication guidance to 3 PIM role settings articles
Changes:
Before
After
title: Configure Azure resource role settings in PIM
description: Learn how to configure Azure resource role settings in Privileged Identity Management (PIM).
ms.topic: how-to
ms.date: 03/23/2026
ms.custom: sfi-ga-nochange, sfi-image-nochange
---
 
# Configure Azure resource role settings in Privileged Identity Management
 
This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy was created because of a configuration mistake. This backup protection mechanism isn't triggered if the Conditional Access policy is turned off, is in report-only mode, or has an eligible user excluded from the policy.
 
The **On activation, require Microsoft Entra Conditional Access authentication context** setting defines the authentication context requirements that users must satisfy when they activate the role. After the role is activated, users aren't prevented from using another browsing session, device, or location to use permissions.
 
For example, users might use an Intune-compliant device to activate the role. Then after the role is activated, they might sign in to the same user account from another device that isn't Intune compliant and use the previously activated role from there.
 
 
 
 
 
 
title: Configure Azure resource role settings in PIM
description: Learn how to configure Azure resource role settings in Privileged Identity Management (PIM).
ms.topic: how-to
ms.date: 03/27/2026
ms.reviewer: tamimsangrar
ms.custom: sfi-ga-nochange, sfi-image-nochange
ai-usage: ai-assisted
---
 
# Configure Azure resource role settings in Privileged Identity Management
 
This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy was created because of a configuration mistake. This backup protection mechanism isn't triggered if the Conditional Access policy is turned off, is in report-only mode, or has an eligible user excluded from the policy.
 
To enforce reauthentication on every role activation, configure the Conditional Access policy targeting your authentication context with sign-in frequency set to **Every time** under **Session controls**. This ensures users must reauthenticate each time they activate a privileged role, even if they have an active session.
 
:::image type="content" source="media/pim-resource-roles-configure-role-settings/role-settings-conditional-access-authentication-context.png" alt-text="Screenshot that shows the Edit role setting page with the Microsoft Entra Conditional Access authentication context option selected." lightbox="media/pim-resource-roles-configure-role-settings/role-settings-conditional-access-authentication-context.png":::
 
When a user reauthenticates for one role activation, a 10-minute window applies. If the user activates another eligible role within this window, they aren't prompted to reauthenticate again. The 10-minute window applies across Microsoft Entra roles, Azure resource roles, and PIM for Groups.
 
When a user activates an eligible role configured with an authentication context, they see the message: "A Conditional Access policy is enabled and may require additional verification. Click to continue." The user is then redirected to complete reauthentication as defined by the Conditional Access policy.
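Review bot: the same tension appears in this article as in the Microsoft Entra role settings one: "each time they activate a privileged role, even if they have an active session" versus the later paragraph stating that a second activation within the 10-minute window isn't prompted; reword the "Every time" sentence to reference that window. Separately, the new image alt text, "Screenshot that shows the Edit role setting page with the Microsoft Entra Conditional Access authentication context option selected", is identical to the other article's; confirm the image under media/pim-resource-roles-configure-role-settings/ is the Azure resource role screenshot and not a copy of the Entra role one.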
+6 / -5 lines changed
Commit: userstory538966
Changes:
Before
After
title: Add Google as an identity provider
description: Learn how to add Google as an identity provider for your external tenant.
ms.topic: how-to
ms.date: 09/16/2025
ms.custom: it-pro, has-azure-ad-ps-ref, sfi-ga-nochange
#Customer intent: As a dev, devops, or it admin, I want to
---
 
# Add Google as an identity provider
 
## Create a Google application
 
To enable sign-in for customers with a Google account, you need to create an application in [Google Developers Console](https://console.developers.google.com/). For more information, see [Setting up OAuth 2.0](https://support.google.com/googleapi/answer/6158849). If you don't already have a Google account, you can sign up at [`https://accounts.google.com/signup`](https://accounts.google.com/signup).
 
1. Sign in to the [Google Developers Console](https://console.developers.google.com/) with your Google account credentials.
1. Accept the terms of service if you're prompted to do so.
1. In the upper-left corner of the page, select the project list, and then select **New Project**.
1. Enter a **Project Name**, select **Create**.
1. Record the values of **Client ID** and **Client secret**. You need both values to configure Google as an identity provider in your tenant.
 
title: Add Google as an identity provider
description: Learn how to add Google as an identity provider for your external tenant.
ms.topic: how-to
ms.date: 03/27/2026
ms.custom: it-pro, has-azure-ad-ps-ref, sfi-ga-nochange
ai-usage: ai-assisted
#Customer intent: As a dev, devops, or it admin, I want to add Google as an identity provider for my external tenant so that customers can sign in with their Google accounts.
---
 
# Add Google as an identity provider
 
## Create a Google application
 
To enable sign-in for customers with a Google account, you need to create an application in [Google Cloud console](https://console.cloud.google.com/). For more information, see [Manage OAuth clients](https://support.google.com/cloud/answer/15549257). If you don't already have a Google account, you can sign up at [`https://accounts.google.com/signup`](https://accounts.google.com/signup).
 
1. Sign in to the [Google Cloud console](https://console.cloud.google.com/) with your Google account credentials.
1. Accept the terms of service if you're prompted to do so.
1. In the upper-left corner of the page, select the project list, and then select **New Project**.
1. Enter a **Project Name**, select **Create**.
1. Record the values of **Client ID** and **Client secret**. You need both values to configure Google as an identity provider in your tenant.
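Review bot: step 4, "Enter a **Project Name**, select **Create**", is a comma splice; write it as "Enter a **Project Name**, and then select **Create**" to match the phrasing of step 3. As shown, the procedure goes from creating the project straight to "Record the values of **Client ID** and **Client secret**" with no step that creates the OAuth client those values come from; if those steps exist in the article outside this diff context there's nothing to do, otherwise add them, pointing at the new "Manage OAuth clients" link rather than the old "Setting up OAuth 2.0" one.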
+4 / -3 lines changed
Commit: userstory538966
Changes:
Before
After
title: Define custom attributes
description: Learn how to create and define new custom attributes to be collected from users during sign-up and sign-in.
ms.topic: how-to
ms.date: 09/16/2025
ms.custom: it-pro, sfi-image-nochange
#Customer intent: As a developer, devops, IT admin, I want to create custom attributes in my tenant and add them to my sign-up user flow so that I can collect then during sign-up.
---
 
> [!TIP]
> This article applies to user flows in external tenants. For information about workforce tenants, see [Collect custom user attributes during B2B collaboration sign-up](../user-flow-add-custom-attributes.md).
 
If your app requires more information than the built-in user attributes provide, you can add your own attributes. We refer to these attributes as *custom user attributes*.
 
To define a custom user attribute, you first create the attribute at the tenant level so it can be used in any user flow in the tenant. Then you assign the attribute to your sign-up user flow and configure how you want it to appear on the sign-up page.
 
Learn more about custom user attributes in [User profile attributes](concept-user-attributes.md) article.
 
## Create custom user attributes
 
 
title: Define custom attributes
description: Learn how to create and define new custom attributes to be collected from users during sign-up and sign-in.
ms.topic: how-to
ms.date: 03/27/2026
ms.custom: it-pro, sfi-image-nochange
ai-usage: ai-assisted
#Customer intent: As a developer, devops, IT admin, I want to create custom attributes in my tenant and add them to my sign-up user flow so that I can collect then during sign-up.
---
 
> [!TIP]
> This article applies to user flows in external tenants. For information about workforce tenants, see [Collect custom user attributes during B2B collaboration sign-up](../user-flow-add-custom-attributes.md).
 
If your app requires more information than the built-in user attributes provide, you can add your own attributes. These attributes are called *custom user attributes*.
 
To define a custom user attribute, you first create the attribute at the tenant level so it can be used in any user flow in the tenant. Then you assign the attribute to your sign-up user flow and configure how you want it to appear on the sign-up page.
 
Learn more about custom user attributes in the [User profile attributes](concept-user-attributes.md) article.
 
## Create custom user attributes
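Review bot: the customer-intent comment in the front matter still reads "so that I can collect then during sign-up"; "then" should be "them". The typo is carried over unchanged from the before version, so this commit was the natural place to fix it alongside the other wording edits.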
 
+2 / -2 lines changed
Commit: remove "preview" tag
Changes:
Before
After
ms.subservice: entra-internet-access
---
 
# How to configure Global Secure Access threat intelligence (preview)
 
## Overview
 
- You must disable Domain Name System (DNS) over HTTPS (Secure DNS) to tunnel network traffic. Use the rules of the fully qualified domain names (FQDNs) in the traffic forwarding profile. For more information, see [Configure the DNS client to support DoH](/windows-server/networking/dns/doh-client-support#configure-the-dns-client-to-support-doh).
- Disable built-in DNS client on Chrome and Microsoft Edge.
- IPv6 traffic isn't acquired by the client and is therefore transferred directly to the network. To enable all relevant traffic to be tunneled, set the network adapter properties to [IPv4 preferred](troubleshoot-global-secure-access-client-diagnostics-health-check.md#ipv4-preferred).
- User Datagram Protocol (UDP) traffic (that is, QUIC) isn't supported in the current preview of Internet Access. Most websites support fallback to Transmission Control Protocol (TCP) when QUIC can't be established. For an improved user experience, you can deploy a Windows Firewall rule that blocks outbound UDP 443:
 
```powershell
@New-NetFirewallRule -DisplayName "Block QUIC" -Direction Outbound -Action Block -Protocol UDP -RemotePort 443
ms.subservice: entra-internet-access
---
 
# How to configure Global Secure Access threat intelligence
 
## Overview
 
- You must disable Domain Name System (DNS) over HTTPS (Secure DNS) to tunnel network traffic. Use the rules of the fully qualified domain names (FQDNs) in the traffic forwarding profile. For more information, see [Configure the DNS client to support DoH](/windows-server/networking/dns/doh-client-support#configure-the-dns-client-to-support-doh).
- Disable built-in DNS client on Chrome and Microsoft Edge.
- IPv6 traffic isn't acquired by the client and is therefore transferred directly to the network. To enable all relevant traffic to be tunneled, set the network adapter properties to [IPv4 preferred](troubleshoot-global-secure-access-client-diagnostics-health-check.md#ipv4-preferred).
- User Datagram Protocol (UDP) traffic (that is, QUIC) isn't supported. Most websites support fallback to Transmission Control Protocol (TCP) when QUIC can't be established. For an improved user experience, you can deploy a Windows Firewall rule that blocks outbound UDP 443:
 
```powershell
@New-NetFirewallRule -DisplayName "Block QUIC" -Direction Outbound -Action Block -Protocol UDP -RemotePort 443
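Review bot: the leading `@` in `@New-NetFirewallRule` survives unchanged from the before version; in PowerShell `@` before a name is the splatting operator, so the line fails to parse when pasted. Drop it so the snippet reads `New-NetFirewallRule -DisplayName "Block QUIC" -Direction Outbound -Action Block -Protocol UDP -RemotePort 443`. The bullet should also say that the rule blocks outbound UDP 443 for every process, not only browsers, so other QUIC-based applications are forced to fall back to TCP or fail, and that creating the rule requires an elevated session.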
+0 / -3 lines changed
Commit: Remove duplicate entries from Office 365 CA app suite reference
Changes:
Before
After
- make.gov.powerapps.us
- make.powerapps.com
- Media Analysis and Transformation Service
- Media Analysis and Transformation Service
- Message Recall
- Messaging Async Media
- MessagingAsyncMediaProd
- Microsoft Flow Portal GCC
- Microsoft Forms
- Microsoft Forms Web
- Microsoft Forms Web
- Microsoft Information Protection API
- Microsoft Office
- Microsoft Office 365 Portal
- Microsoft Teams Targeting Application
- Microsoft Teams UIS
- Microsoft Teams Web Client
- Microsoft Todo web app
- Microsoft To-Do web app
- Microsoft Virtual Events Portal
- make.gov.powerapps.us
- make.powerapps.com
- Media Analysis and Transformation Service
- Message Recall
- Messaging Async Media
- MessagingAsyncMediaProd
- Microsoft Flow Portal GCC
- Microsoft Forms
- Microsoft Forms Web
- Microsoft Information Protection API
- Microsoft Office
- Microsoft Office 365 Portal
- Microsoft Teams Targeting Application
- Microsoft Teams UIS
- Microsoft Teams Web Client
- Microsoft To-Do web app
- Microsoft Virtual Events Portal
- Microsoft Virtual Events Services
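Review bot: "Microsoft Todo web app" and "Microsoft To-Do web app" differ in spelling rather than being exact repeats like "Media Analysis and Transformation Service" and "Microsoft Forms Web", yet the change drops the former; since the commit message only claims duplicate entries, confirm both names resolve to the same application ID before removing one, and if they are distinct first-party apps keep both with their exact display names.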