📋 Microsoft Entra Documentation Changes

Daily summary for changes since March 30th 2026, 9:53 PM PDT

Report generated on March 31st 2026, 9:53 PM PDT

📊 Summary

- Total commits: 68
- New files: 0
- Modified files: 20
- Deleted files: 0
- Contributors: 21

πŸ“ Modified Documentation Files

+137 / -37 lines changed
Commit: Revise OU names and enhance cloud sync tutorial
Changes:
Before
After
 
Display name | Distinguished name
-------------|-------------------
Groups | OU=Marketing,DC=contoso,DC=com
Sales | OU=Sales,DC=contoso,DC=com
Marketing | OU=Groups,DC=contoso,DC=com
 
 
## Add users to cloud-native or Source of Authority (SOA) converted security groups
To configure provisioning, follow these steps:
 
[!INCLUDE [sign in](../../../includes/cloud-sync-sign-in.md)]
3. Select **New configuration**.
4. Select **Microsoft Entra ID to AD sync**.
 
:::image type="content" source="media/how-to-configure-entra-to-active-directory/entra-to-ad-1.png" alt-text="Screenshot of configuration selection." lightbox="media/how-to-configure-entra-to-active-directory/entra-to-ad-1.png":::
 
5. On the configuration screen, select your domain and whether to enable password hash sync. Select **Create**.
 
:::image type="content" source="media/how-to-configure/new-ux-configure-2.png" alt-text="Screenshot of a new configuration." lightbox="media/how-to-configure/new-ux-configure-2.png":::
 
Display name | Distinguished name
-------------|-------------------
Marketing | OU=Marketing,DC=contoso,DC=com
Sales | OU=Sales,DC=contoso,DC=com
Groups | OU=Groups,DC=contoso,DC=com
 
 
## Add users to cloud-native or Source of Authority (SOA) converted security groups
To configure provisioning, follow these steps:
 
[!INCLUDE [sign in](../../../includes/cloud-sync-sign-in.md)]
3. Select **New configuration**.
4. Select **Microsoft Entra ID to AD sync**.
 
:::image type="content" source="media/how-to-configure-entra-to-active-directory/entra-to-ad-1.png" alt-text="Screenshot of configuration selection." lightbox="media/how-to-configure-entra-to-active-directory/entra-to-ad-1.png":::
 
5. On the configuration screen, select your domain. Select **Create**.
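Review bot: the `Groups`/`Marketing` swap in the distinguished-name table is fixed correctly, but the section still pairs the heading `## Add users to cloud-native or Source of Authority (SOA) converted security groups` with the intro `To configure provisioning, follow these steps:` and steps that create a new **Microsoft Entra ID to AD sync** configuration; either the heading or the intro is wrong for these steps. Step 5 also silently drops `whether to enable password hash sync`. If the option no longer appears on the Entra ID to AD configuration screen, say so; if it still appears, tell the reader what to choose, because enabling it in the wrong sync direction changes where password hashes flow and is not a cosmetic setting.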
 
Modified by Justin Ploegert on Mar 31, 2026 4:08 PM
+85 / -81 lines changed
Commit: updated urls
Changes:
Before
After
---
title: What's new in Microsoft single sign-on for Linux
description: Discusses new feature releases of Microsoft single sign-on for Linux
author: ploegert
ms.author: jploegert
ms.topic: whats-new
ms.date: 02/03/2026
ms.custom: linux-related-content
---
 
# What's new in Microsoft single sign-on for Linux
Microsoft periodically adds and modifies the features and functionality of the Microsoft identity platform to improve its security, usability, and standards compliance.
 
Unless otherwise noted, the changes described here apply only to applications registered after the stated effective date of the change.
 
 
This article provides information about the latest updates to Microsoft single sign-on for Linux.
 
## Microsoft-Identity-Broker - Version Lifecycle and Support Matrix
 
---
title: What's new in Microsoft single sign-on for Linux
description: Discusses new feature releases of Microsoft single sign-on for Linux
ai-usage: ai-assisted
author: ploegert
ms.author: jploegert
ms.topic: whats-new
ms.date: 03/31/2026
ms.custom: linux-related-content
---
 
# What's new in Microsoft single sign-on for Linux
Microsoft periodically adds and modifies features and functionality in the Microsoft identity platform to improve security, usability, and standards compliance.
 
Unless otherwise noted, the changes described here apply only to applications registered after the stated effective date of the change.
 
 
This article provides information about the latest updates to Microsoft single sign-on for Linux.
 
## Microsoft Identity Broker version lifecycle and support matrix
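Review bot: the commit is titled `updated urls`, but nothing in this hunk is a URL; the visible changes are the added `ai-usage: ai-assisted`, the `ms.date` bump, and the heading rename from `## Microsoft-Identity-Broker - Version Lifecycle and Support Matrix` to `## Microsoft Identity Broker version lifecycle and support matrix`. The rename changes the heading's auto-generated anchor, so any existing deep link to the old anchor now lands at the top of the page; check inbound links or keep the old anchor. Separately, `Unless otherwise noted, the changes described here apply only to applications registered after the stated effective date of the change.` is carried over from the identity-platform what's-new template and does not fit a broker that is installed on Linux desktops rather than registered as an application; either cut it or restate it in terms of broker versions.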
Modified by Justin Ploegert on Mar 31, 2026 4:08 PM
+69 / -95 lines changed
Commit: updated urls
Changes:
Before
After
---
title: Microsoft single sign-on for Linux
description: Overview of Microsoft single sign-on for Linux that enables Microsoft Entra ID integration and seamless authentication.
author: ploegert
ms.author: jploegert
ms.topic: overview
ms.date: 02/03/2026
ms.custom: linux-related-content
---
 
 
This feature empowers users on Linux desktop clients to register their devices with Microsoft Entra ID, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.
 
- Provides Microsoft Entra ID registration & enrollment of Linux desktops
- Provides SSO capabilities for native and web applications (for example, Azure CLI, Microsoft Edge, Teams PWA) to access Microsoft 365 and Azure protected resources
- Provides SSO for Microsoft Entra accounts across applications that use MSAL for .NET or MSAL for Python, enabling customers to use Microsoft Authentication Library (MSAL) to integrate SSO into custom apps
- Enables Conditional Access policies protecting web applications via Microsoft Edge
- Enables standard Intune compliance policies
- Enables support for Bash scripts for custom compliance policies
 
---
title: Microsoft single sign-on for Linux
description: Overview of Microsoft single sign-on for Linux that enables Microsoft Entra ID integration and seamless authentication.
ai-usage: ai-assisted
author: ploegert
ms.author: jploegert
ms.topic: overview
ms.date: 03/31/2026
ms.custom: linux-related-content
---
 
 
This feature empowers users on Linux desktop clients to register their devices with Microsoft Entra ID, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.
 
- Registers Linux desktops with Microsoft Entra ID and enrolls them in Microsoft Intune.
- Enables SSO for native and web applications (for example, Azure CLI, Microsoft Edge, and Teams PWA).
- Enables SSO for apps that use MSAL for .NET or MSAL for Python.
- Supports Conditional Access policies for web apps through Microsoft Edge.
- Supports standard Microsoft Intune compliance policies.
- Supports Bash scripts for custom compliance policies.
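Review bot: the rewritten bullets drop two statements the Before text made: that SSO through MSAL for .NET and MSAL for Python lets customers integrate SSO into their own custom apps, and that the SSO covers Microsoft 365 and Azure protected resources. If both remain true, keep them; the custom-app case is the one developers look for on an overview page, and "Enables SSO for apps that use MSAL for .NET or MSAL for Python" no longer says who writes those apps. `ai-usage: ai-assisted` is added here too, while the visible prose change is only a tightening.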
+42 / -42 lines changed
Commit: Incorporating PR reviewer edits
Changes:
Before
After
 
| Endpoint | Supported HTTP methods | Description |
|---|---|---|
| `/serviceproviderconfig` | GET | Fetch configuration details about the Entra ID SCIM implementation, such as supported authentication schemes, available endpoints, and compliance with SCIM protocols. |
| `/resourcetypes` | GET | Retrieve information about the resource types (Users and Groups) supported by Entra ID. |
| `/schemas` | GET | Retrieve detailed information about the schemas supported by Entra ID. |
| `/users` | GET, POST, PATCH, DELETE | Read, create, update, and delete user data in Entra ID. |
| `/groups` | GET, POST, PATCH, DELETE | Read, create, update, and delete group and group membership data in Entra ID. |
 
The following sections contain examples of API requests and responses currently supported in the Microsoft Entra ID SCIM implementation, along with important notes and constraints to consider in your design.
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"urn:ietf:params:scim:schemas:extension:Microsoft:Entra:2.0:User"
],
"id": "97c0abe1-14f7-417b-951c-bc8e2a17f200",
"active": true,
"displayName": "Ellen Reckert",
"name": {
"department": "Human Resources US",
"employeeNumber": "100009",
"manager": {
 
| Endpoint | Supported HTTP methods | Description |
|---|---|---|
| `/serviceproviderconfig` | GET | Fetch configuration details about the Microsoft Entra ID SCIM implementation, such as supported authentication schemes, available endpoints, and compliance with SCIM protocols. |
| `/resourcetypes` | GET | Retrieve information about the resource types (Users and Groups) supported by Microsoft Entra ID. |
| `/schemas` | GET | Retrieve detailed information about the schemas supported by Microsoft Entra ID. |
| `/users` | GET, POST, PATCH, DELETE | Read, create, update, and delete user data in Microsoft Entra ID. |
| `/groups` | GET, POST, PATCH, DELETE | Read, create, update, and delete group and group membership data in Entra ID. |
 
The following sections contain examples of API requests and responses currently supported in the Microsoft Entra ID SCIM implementation, along with important notes and constraints to consider in your design.
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"urn:ietf:params:scim:schemas:extension:Microsoft:Entra:2.0:User"
],
"id": "d3d3d3d3-eeee-ffff-aaaa-b4b4b4b4b4b4",
"active": true,
"displayName": "Ellen Reckert",
"name": {
"department": "Human Resources US",
"employeeNumber": "100009",
"manager": {
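Review bot: the `Entra ID` to `Microsoft Entra ID` rename misses the last table row, `| /groups | GET, POST, PATCH, DELETE | Read, create, update, and delete group and group membership data in Entra ID. |`, which still reads `Entra ID` after the change. Replacing the example user's `id` of `97c0abe1-14f7-417b-951c-bc8e2a17f200` with the obviously synthetic `d3d3d3d3-eeee-ffff-aaaa-b4b4b4b4b4b4` is the right call, since a real-looking object ID in public docs gets copy-pasted and may belong to a real tenant; apply the same placeholder convention to any other IDs in the request and response samples so the reader can tell at a glance which values are theirs to replace.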
Modified by jenniferf-skc on Mar 31, 2026 3:12 PM
+25 / -0 lines changed
Commit: Incorporating PR reviewer edits
Changes:
Before
After
 
1. Confirm the action when prompted. After the feature is turned off, all SCIM API calls to the tenant return an error and billing stops.
 
## Next steps
 
- [Enable the SCIM Provisioning API](enable-scim-api.md) – Learn how to enable the SCIM Provisioning API and set up credentials.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1. Confirm the action when prompted. After the feature is turned off, all SCIM API calls to the tenant return an error and billing stops.
 
 
## Verify that the SCIM API is disabled
 
Use the following steps to validate that the disable operation was successful.
 
1. Obtain an app-only access token that previously worked for SCIM API calls.
 
1. Send a GET request to any SCIM endpoint. For example, call the user read endpoint:
 
```http
GET https://graph.microsoft.com/rp/scim/users/{id}
Authorization: Bearer {token}
Accept: application/json
```
 
1. Confirm that the API returns **HTTP 400 Bad Request**.
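Review bot: in the new `## Verify that the SCIM API is disabled` section, `Confirm that the API returns **HTTP 400 Bad Request**.` is a weak success signal, because 400 is also what a malformed SCIM request or a bad `{id}` returns; document the error body (the SCIM `detail`/`scimType` or the Microsoft error code) that specifically means the feature is off, so the reader can distinguish "disabled" from "my request was wrong". The step `Obtain an app-only access token that previously worked for SCIM API calls.` is correct and deserves one sentence of explanation: disabling the feature does not revoke tokens already issued, so a still-valid token is exactly what proves the API itself now rejects calls rather than the token having expired. Also say whether `Accept: application/json` is required or whether `application/scim+json` is accepted, since SCIM clients typically send the latter.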
 
+10 / -12 lines changed
Commit: Incorporating PR reviewer edits
Changes:
Before
After
ms.subservice: app-provisioning
author: jenniferf-skc
manager: pmwongera
ms.date: 03/26/2026
ms.author: jfields
ms.reviewer: chmutali
ai-usage: ai-assisted
 
#customer intent: Learn about SCIM support in Microsoft Entra ID, including how to provision users and groups to SaaS applications or into Entra using SCIM APIs.
---
 
# SCIM support in Microsoft Entra ID
 
Microsoft Entra ID supports the **System for Cross‑domain Identity Management (SCIM) 2.0** standard in multiple ways, depending on the provisioning scenario. Entra can act as:
 
- A **SCIM client**, provisioning users and groups from Entra into third‑party applications.
- A **SCIM service provider**, exposing SCIM APIs that allow external systems to provision users and groups directly into Entra.
 
This article provides an overview of SCIM support in Microsoft Entra ID and helps you understand which capabilities and documentation apply to your scenario.
 
ms.subservice: app-provisioning
author: jenniferf-skc
manager: pmwongera
ms.date: 03/31/2026
ms.author: jfields
ms.reviewer: chmutali
ai-usage: ai-assisted
 
#customer intent: Learn about SCIM support in Microsoft Entra ID, including how to provision users and groups to SaaS applications or into Microsoft Entra using SCIM APIs.
---
 
# SCIM support in Microsoft Entra ID
 
Microsoft Entra ID supports the **System for Cross‑domain Identity Management (SCIM) 2.0** standard in multiple ways, depending on the provisioning scenario. Microsoft Entra can act as:
 
- A **SCIM client**, provisioning users and groups from Microsoft Entra into partner applications.
- A **SCIM service provider**, exposing SCIM APIs that allow external systems to provision users and groups directly into MicrosoftEntra.
 
This article provides an overview of SCIM support in Microsoft Entra ID and helps you understand which capabilities and documentation apply to your scenario.
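Review bot: `provision users and groups directly into MicrosoftEntra.` is missing the space in `Microsoft Entra`. Changing `third‑party applications` to `partner applications` also narrows the claim: Microsoft Entra acts as a SCIM client against any SCIM 2.0 service provider, including a customer's own application, not only gallery partner apps, so `third-party` (or `external`) was the more accurate word.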
 
+10 / -8 lines changed
Commit: address review comments
Changes:
Before
After
---
title: Support Social Sign-in in a React SPA With Native Auth JS SDK
description: Learn how to add social sign-in with Google, Facebook, and Apple identity providers to your React SPA using native authentication JavaScript SDK.
author: kengaderdus
manager: dougeby
ms.author: kengaderdus
ms.topic: tutorial
ms.date: 03/30/2026
ai-usage: ai-assisted
#Customer intent: As a developer, I want to support federated identity providers (social sign-in) in my React single-page application that uses native authentication JavaScript SDK so that users can sign up and sign in with Google, Facebook, and Apple identity providers.
---
 
# Tutorial: Support federated identity providers in a React single-page app by using native authentication JavaScript SDK (preview)
 
[!INCLUDE [applies-to-external-only](../external-id/includes/applies-to-external-only.md)]
 
In this tutorial, you learn how to let users sign up and sign in with their existing social accounts, such as Google, Facebook, or Apple, in your React single-page application (SPA) by using native authentication's JavaScript SDK for external tenants.
 
 
In this tutorial, you:
---
title: Support Social Sign-in in a React SPA With Native Auth JS SDK
description: Learn how to add social sign-in with Apple, Facebook and Google identity providers to your React SPA using native authentication JavaScript SDK.
author: kengaderdus
manager: dougeby
ms.author: kengaderdus
ms.topic: tutorial
ms.date: 03/30/2026
ai-usage: ai-assisted
#Customer intent: As a developer, I want to support federated identity providers (social sign-in) in my React single-page application that uses native authentication JavaScript SDK so that users can sign up and sign in with Apple, Facebook and Google identity providers.
---
 
# Tutorial: Support federated identity providers in a React single-page app by using native authentication JavaScript SDK (preview)
 
[!INCLUDE [applies-to-external-only](../external-id/includes/applies-to-external-only.md)]
 
In this tutorial, you learn how to let users sign up and sign in with their existing social accounts, such as Apple, Facebook and Google, in your React single-page application (SPA) by using native authentication's JavaScript SDK for external tenants.
 
 
In this tutorial, you:
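Review bot: reordering the providers to `Apple, Facebook and Google` drops the serial comma the Before text had (`Google, Facebook, and Apple`); Microsoft style uses the serial comma, so this should be `Apple, Facebook, and Google` in the description, the customer-intent comment, and the intro sentence. Leaving `ms.date: 03/30/2026` untouched for a wording-only change is fine.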
Modified by shlipsey3 on Mar 31, 2026 7:03 PM
+4 / -12 lines changed
Commit: merge-cleanup
Changes:
Before
After
title: Agent identity blueprints in Microsoft Entra Agent ID
description: Understand agent identity blueprints, how agents are defined, and how authentication works within the Agent ID platform.
titleSuffix: Microsoft Entra Agent ID
ms.date: 03/26/2026
ms.custom: agent-id-ignite
ms.topic: concept-article
 
 
### Credentials
 
Credentials used to authenticate an agent identity are configured on the agent identity blueprint. When an AI agent wants to perform an operation, the credentials configured on the agent identity blueprint are used to request an access token from Microsoft Entra ID. OAuth permissions granted to a agent identity blueprint are granted to all agent identities created from that blueprint.
 
For auth protocols, see [Agent ID authentication protocols](./agent-oauth-protocols.md)
 
### Security
 
 
### Used to create agent identities
 
Blueprints don't just hold information. They're also a special identity type in a Microsoft Entra ID tenant. A blueprint can perform exactly one operation in the tenant: provision or deprovision agent identities. To create an agent identity, a blueprint has:
title: Agent identity blueprints in Microsoft Entra Agent ID
description: Understand agent identity blueprints, how agents are defined, and how authentication works within the Agent ID platform.
titleSuffix: Microsoft Entra Agent ID
ms.date: 03/31/2026
ms.custom: agent-id-ignite
ms.topic: concept-article
 
 
### Credentials
 
Credentials used to authenticate an agent identity are configured on the agent identity blueprint. When an AI agent wants to perform an operation, the credentials configured on the agent identity blueprint are used to request an access token from Microsoft Entra ID. OAuth permissions granted to a agent identity blueprint are granted to all agent identities created from that blueprint. There are several credentials types that can be used for agent identities. For more information on these, see [credentials for agent identities](./agent-identities.md#authorizing-agent-identities). For auth protocols, see [Agent ID authentication protocols](./agent-oauth-protocols.md)
 
### Security
 
 
### Used to create agent identities
 
Blueprints don't just hold information. They're also a special identity type in a Microsoft Entra ID tenant. A blueprint can perform exactly one operation in the tenant: provision or deprovision agent identities. All agent identities in a Microsoft Entra ID tenant are created from an agent identity blueprint. To create an agent identity, a blueprint has:
 
- An OAuth client ID: a unique ID used to request access tokens from Microsoft Entra ID.
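Review bot: `OAuth permissions granted to a agent identity blueprint` should read `an agent identity blueprint`; the error is in both versions and survives this edit. That same sentence carries the security point of the section and deserves one more line: because consent on the blueprint fans out to every agent identity created from it, permissions granted at the blueprint level should be the minimum that every agent created from it needs. The new link `[credentials for agent identities](./agent-identities.md#authorizing-agent-identities)` has link text about credentials but an anchor about authorizing; verify the anchor exists or point at the credentials section. `### Security` still has no body in either version, and the new sentence `All agent identities in a Microsoft Entra ID tenant are created from an agent identity blueprint.` would sit better as the opening sentence of `### Used to create agent identities` than in the middle of the paragraph.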
+8 / -7 lines changed
Commit: address review comments
Changes:
Before
After
---
title: Support Social Sign-in in an Angular SPA With Native Auth JS SDK
description: Learn how to add social sign-in with Google, Facebook, and Apple identity providers to your Angular SPA using native authentication JavaScript SDK.
author: kengaderdus
manager: dougeby
ms.author: kengaderdus
ms.date: 03/30/2026
ms.custom: msecd-doc-authoring-108
ai-usage: ai-assisted
#Customer intent: As a developer, I want to support federated identity providers (social sign-in) in my Angular single-page application that uses native authentication JavaScript SDK so that users can sign up and sign in with Google, Facebook, and Apple identity providers.
---
 
# Tutorial: Support federated identity providers in an Angular single-page app by using native authentication JavaScript SDK (preview)
 
[!INCLUDE [applies-to-external-only](../external-id/includes/applies-to-external-only.md)]
 
In this tutorial, you learn how to let users sign up and sign in with their existing social accounts, such as Google, Facebook, or Apple, in your Angular single-page application (SPA) by using native authentication's JavaScript SDK for external tenants.
 
In this tutorial, you:
 
---
title: Support Social Sign-in in an Angular SPA With Native Auth JS SDK
description: Learn how to add social sign-in with Apple, Facebook and Google identity providers to your Angular SPA using native authentication JavaScript SDK.
author: kengaderdus
manager: dougeby
ms.author: kengaderdus
ms.date: 03/30/2026
ms.custom: msecd-doc-authoring-108
ai-usage: ai-assisted
#Customer intent: As a developer, I want to support federated identity providers (social sign-in) in my Angular single-page application that uses native authentication JavaScript SDK so that users can sign up and sign in with Apple, Facebook and Google identity providers.
---
 
# Tutorial: Support federated identity providers in an Angular single-page app by using native authentication JavaScript SDK (preview)
 
[!INCLUDE [applies-to-external-only](../external-id/includes/applies-to-external-only.md)]
 
In this tutorial, you learn how to let users sign up and sign in with their existing social accounts, such as Apple, Facebook and Google, in your Angular single-page application (SPA) by using native authentication's JavaScript SDK for external tenants.
 
In this tutorial, you:
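Review bot: same serial-comma issue as the React version of this tutorial: `Apple, Facebook and Google` should be `Apple, Facebook, and Google` in the description, the customer-intent comment, and the intro sentence, matching the `Google, Facebook, and Apple` punctuation the Before text used.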
 
+7 / -7 lines changed
Commit: Incorporating PR reviewer edits
Changes:
Before
After
 
## User - Core
 
| SCIM Attribute | Entra ID Attribute | Notes / Restrictions |
|---|---|---|
| active | accountEnabled | |
| addresses[type eq "work"].country | country | Only one *addresses* value is allowed, and it requires a type of "work". |
| addresses[type eq "work"].locality | city |
| addresses[type eq "work"].postalCode | postalCode |
| addresses[type eq "work"].region | state |
| addresses[type eq "work"].streetAddress | streetAddress |
| displayName | displayName | |
| emails[type eq "other"].value | otherMails | A list of email addresses associated with the user that may not be linked to their Exchange Online recipient object, such as a personal email address. |
| emails[type eq "proxyAddress".value | proxyAddresses - only for values that start with smtp: (case-insensitive) | A read-only list of email addresses(Note: This attribute is currently implemented as type work, primary false and will change in an upcoming release) |
| emails[type eq "work" and primary eq true].value | mail | Only one value of type "work" and primary *true* is allowed. |
| externalId | crossDomainData.scim.v2.externalId | This attribute is persisted in the Graph entity `crossDomainData`. |
| groups.value | *See notes* | Read only. The user’s group memberships. This attribute is never returned in the JSON body of a user and is only usable for filter queries. |
 
Attributes in this table are part of namespace ```urn:ietf:params:scim:schemas:extension:enterprise:2.0:User```.
 
 
## User - Core
 
| SCIM Attribute | Microsoft Entra ID Attribute | Notes / Restrictions |
|---|---|---|
| active | accountEnabled | |
| addresses[type eq "work"].country/region | country/region | Only one *addresses* value is allowed, and it requires a type of "work". |
| addresses[type eq "work"].locality | city |
| addresses[type eq "work"].postalCode | postalCode |
| addresses[type eq "work"].region | state |
| addresses[type eq "work"].streetAddress | streetAddress |
| displayName | displayName | |
| emails[type eq "other"].value | otherMails | A list of email addresses associated with the user that may not be linked to their Exchange Online recipient object, such as a personal email address. |
| emails[type eq "proxyAddress"].value | proxyAddresses - only for values that start with SMTP: (case-insensitive) | A read-only list of email addresses. This attribute is currently implemented as type "work" and primary equal to false. |
| emails[type eq "work" and primary eq true].value | mail | Only one value of type "work" and primary *true* is allowed. |
| externalId | crossDomainData.scim.v2.externalId | This attribute is persisted in the Graph entity `crossDomainData`. |
| groups.value | *See notes* | Read only. The user’s group memberships. This attribute is never returned in the JSON body of a user and is only usable for filter queries. |
 
Attributes in this table are part of namespace ```urn:ietf:params:scim:schemas:extension:enterprise:2.0:User```.
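Review bot: `| addresses[type eq "work"].country/region | country/region |` looks like a style-guide substitution (country to country/region) applied to identifiers. The SCIM core schema attribute (RFC 7643) is `addresses.country`, the directory attribute is `country`, and `country/region` is not a valid name on either side; a client that sends `country/region` gets an error. Keep both identifiers as `country` and put the wording preference in the Notes column if it is needed at all. The bracket fix to `emails[type eq "proxyAddress"].value` is correct. The four `addresses[...]` rows still have only two cells, so the third column is empty; add the trailing `|` for consistency with the other rows. For `proxyAddresses - only for values that start with SMTP: (case-insensitive)`, say explicitly that both `SMTP:` and `smtp:` entries are returned, because in `proxyAddresses` the uppercase prefix marks the primary address and readers may otherwise assume only the primary is included.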
 
+1 / -8 lines changed
Commit: Incorporating PR reviewer edits
Changes:
Before
After
ms.subservice: app-provisioning
author: jenniferf-skc
manager: pmwongera
ms.date: 03/24/2026
ms.author: jfields
ms.reviewer: chmutali
ai-usage: ai-assisted
 
This article helps troubleshoot common issues encountered when calling the Microsoft Entra ID SCIM APIs for user and group management.
 
 
## Error: 401 – Invalid authentication token
 
### Symptoms
- Collect details of the failing API call
- Create a support ticket
 
 
## Error: 403 – Forbidden
 
ms.subservice: app-provisioning
author: jenniferf-skc
manager: pmwongera
ms.date: 03/31/2026
ms.author: jfields
ms.reviewer: chmutali
ai-usage: ai-assisted
 
This article helps troubleshoot common issues encountered when calling the Microsoft Entra ID SCIM APIs for user and group management.
 
## Error: 401 – Invalid authentication token
 
### Symptoms
- Collect details of the failing API call
- Create a support ticket
 
 
## Error: 403 – Forbidden
 
- Collect API request details
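Review bot: the only content change in this hunk is the removal of one blank line after `This article helps troubleshoot common issues ...`, yet `ms.date` moves from `03/24/2026` to `03/31/2026`. `ms.date` is what readers see as the last-updated date, so bumping it for whitespace signals an update that did not happen; leave it unless content changed. Also, under `## Error: 401 – Invalid authentication token`, the `### Symptoms` heading is immediately followed by `- Collect details of the failing API call` and `- Create a support ticket`, which are actions rather than symptoms; if the excerpt is contiguous, the symptoms list and a resolution heading are missing.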
Modified by jenniferf-skc on Mar 31, 2026 3:41 PM
+2 / -6 lines changed
Commit: Removing Preview tag, this feature is GA
Changes:
Before
After
author: jenniferf-skc
ms.author: jfields
ms.topic: concept-article
ms.date: 03/30/2026
ms.reviewer: kerenSemel
ai-usage: ai-assisted
 
#customer intent: As an IT admin, I want to discover and manage unsanctioned generative AI applications and tools in my organization so I can reduce security and compliance risks.
---
 
# Shadow AI discovery in Global Secure Access (Preview)
 
Shadow AI discovery in Microsoft Entra Global Secure Access is a network-based feature that provides visibility into unsanctioned AI applications and tools used in your organization. It identifies traffic to AI services like ChatGPT, Claude, SaaS MCP servers, and AI Model Provider frameworks (for example, DeepSeek, Anthropic Claude API) by analyzing network traffic. Shadow AI discovery lets administrators see which generative AI apps or tools employees are using without IT approval.
 
> [!IMPORTANT]
> Shadow AI discovery is currently in preview.
> This information relates to a prerelease product that might be substantially modified before its release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Why shadow AI discovery matters
 
author: jenniferf-skc
ms.author: jfields
ms.topic: concept-article
ms.date: 03/31/2026
ms.reviewer: kerenSemel
ai-usage: ai-assisted
 
#customer intent: As an IT admin, I want to discover and manage unsanctioned generative AI applications and tools in my organization so I can reduce security and compliance risks.
---
 
# Shadow AI discovery in Global Secure Access
 
Shadow AI discovery in Microsoft Entra Global Secure Access is a network-based feature that provides visibility into unsanctioned AI applications and tools used in your organization. It identifies traffic to AI services like ChatGPT, Claude, SaaS MCP servers, and AI Model Provider frameworks (for example, DeepSeek, Anthropic Claude API) by analyzing network traffic. Shadow AI discovery lets administrators see which generative AI apps or tools employees are using without IT approval.
 
## Why shadow AI discovery matters
 
Unmanaged AI usage can introduce serious risks, including:
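Review bot: removing `(Preview)` from the H1 and deleting the `> [!IMPORTANT]` preview block is the right GA cleanup, but the front-matter `title:` line and the TOC entry are not in this hunk; if they still say `(Preview)`, the browser tab and navigation will contradict the page. In the unchanged description, `Claude` appears twice (`ChatGPT, Claude, SaaS MCP servers` and `Anthropic Claude API`), and `AI Model Provider frameworks` is an odd label for what are API endpoints of model providers; tighten to something like "AI services (ChatGPT, Claude), SaaS MCP servers, and model-provider APIs (DeepSeek, Anthropic)".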
 
 
 
+2 / -3 lines changed
Commit: PM updates
Changes:
Before
After
title: Discover identities in target applications with Account Discovery (preview)
description: Learn how to use Account Discovery to find and categorize existing user accounts in target applications, match them to Microsoft Entra ID users, and prepare for provisioning governance.
ms.topic: how-to
ms.date: 03/27/2026
ms.author: jfields
author: jenniferf-skc
ms.reviewer: arvinh
 
- Account Discovery requires a **direct matching attribute** for user correlation. Expression-based transformations aren't supported for matching.
- If multiple matching attributes are configured, only the **first** matching attribute is used.
- Account Discovery isn't supported for the following application including:
- Workday
- SAP SuccessFactors
- API-driven provisioning apps
- SAP Cloud Identity Services
- Salesforce
- Atlassian
- On-premises applications (SQL, LDAP, REST, SOAP, PowerShell). For more information, see [Microsoft Entra on-premises application provisioning architecture](on-premises-application-provisioning-architecture.md).
 
## Discover identities in a target application
title: Discover identities in target applications with Account Discovery (preview)
description: Learn how to use Account Discovery to find and categorize existing user accounts in target applications, match them to Microsoft Entra ID users, and prepare for provisioning governance.
ms.topic: how-to
ms.date: 03/31/2026
ms.author: jfields
author: jenniferf-skc
ms.reviewer: arvinh
 
- Account Discovery requires a **direct matching attribute** for user correlation. Expression-based transformations aren't supported for matching.
- If multiple matching attributes are configured, only the **first** matching attribute is used.
- See [Supported applications](#supported-applications) for applications that support Account Discovery. Account Discovery isn't supported for the following applications including:
- Workday
- SAP SuccessFactors
- API-driven provisioning apps
- SAP Cloud Identity Services
- Salesforce
- Atlassian
 
## Discover identities in a target application
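Review bot: deleting `On-premises applications (SQL, LDAP, REST, SOAP, PowerShell)` from the unsupported list, together with its link to the on-premises provisioning architecture, implies those apps are now supported by Account Discovery, but nothing in the hunk says so. If they are supported, the new `[Supported applications](#supported-applications)` section must list them; if they are not, the item should stay. Also `Account Discovery isn't supported for the following applications including:` is redundant; `Account Discovery isn't supported for the following applications:` reads cleanly.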
 
Modified by rolyon on Mar 31, 2026 7:18 PM
+2 / -2 lines changed
Commit: provisioning inbound scenario
Changes:
Before
After
title: Known issues for provisioning in Microsoft Entra ID
description: Learn about known issues when you work with automated application provisioning or cross-tenant synchronization in Microsoft Entra ID.
ms.topic: troubleshooting
ms.date: 10/04/2025
ms.reviewer: arvinh
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
---
- Provisioning passwords isn't supported.
- Provisioning nested groups beyond the first level is not supported.
- Provisioning is not supported for B2C tenants, including into or out of the tenant.
- Provisioning is not supported for External ID tenants, including into or out of the tenant.
- Not all provisioning apps are available in all clouds.
 
::: zone pivot="app-provisioning"
title: Known issues for provisioning in Microsoft Entra ID
description: Learn about known issues when you work with automated application provisioning or cross-tenant synchronization in Microsoft Entra ID.
ms.topic: troubleshooting
ms.date: 03/31/2026
ms.reviewer: arvinh
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
---
- Provisioning passwords isn't supported.
- Provisioning nested groups beyond the first level is not supported.
- Provisioning is not supported for B2C tenants, including into or out of the tenant.
- Provisioning (inbound) is not supported for External ID tenants.
- Not all provisioning apps are available in all clouds.
 
::: zone pivot="app-provisioning"
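Review bot: `Provisioning (inbound) is not supported for External ID tenants.` replaces a statement that covered both directions (`including into or out of the tenant`), so readers will infer that outbound provisioning from an External ID tenant now works. State that explicitly, for example "Inbound provisioning into External ID tenants isn't supported; outbound provisioning from an External ID tenant is supported", or keep the original wording if outbound is still unsupported. The B2C bullet directly above still says `including into or out of the tenant`, so the two bullets now read as intentionally different; confirm that is the case.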
+2 / -2 lines changed
Commit: pm-review
Changes:
Before
After
1. **Validate prerequisites**: Confirms Frontier is enabled, checks Microsoft Entra roles, validates that PowerShell 7+ and the Microsoft Graph beta module are installed.
2. **Authorize and connect**: Connects to Microsoft Graph with the required scopes and sets the profile to beta.
3. **Create the agent identity blueprint**: Collects a display name, identifies the sponsor (you), creates the blueprint with the required `@odata.type` and `OData-Version` headers, and records the `appId`.
4. **Configure credentials**: Adds a managed identity (for production) or a client secret or certificate (for local development/testing) to the blueprint.
5. **Configure identifier URI and scope**: Sets `identifierUris` to `api://{appId}`, creates an `access_agent` OAuth2 permission scope for agent-to-agent and user-to-agent communication.
6. **Create the blueprint principal**: Creates the service principal for the blueprint (the principal is **not** autocreated and must be done explicitly).
7. **Create agent identities**: Creates one or more agent identity service principals under the blueprint.
- **Display name**: The display name for your agent identity blueprint (for example, "Contoso Budget Agent").
- **Sponsor**: The user who is accountable for the agent. Defaults to the currently signed-in user.
- **Owner**: The user or service principal who can make technical changes to the blueprint. Optional but recommended.
- **Credential type**: Whether to use a managed identity (recommended for production) or a client secret or certificate (for local development).
- **Agent identity count**: How many agent identities to create under this blueprint.
- **Derived value confirmation**: Review autogenerated names and URIs before resources are created.
 
1. **Validate prerequisites**: Confirms Frontier is enabled, checks Microsoft Entra roles, validates that PowerShell 7+ and the Microsoft Graph beta module are installed.
2. **Authorize and connect**: Connects to Microsoft Graph with the required scopes and sets the profile to beta.
3. **Create the agent identity blueprint**: Collects a display name, identifies the sponsor (you), creates the blueprint with the required `@odata.type` and `OData-Version` headers, and records the `appId`.
4. **Configure credentials**: Adds a managed identity (for production) or a certificate or client secret (for local development/testing) to the blueprint.
5. **Configure identifier URI and scope**: Sets `identifierUris` to `api://{appId}`, creates an `access_agent` OAuth2 permission scope for agent-to-agent and user-to-agent communication.
6. **Create the blueprint principal**: Creates the service principal for the blueprint (the principal is **not** autocreated and must be done explicitly).
7. **Create agent identities**: Creates one or more agent identity service principals under the blueprint.
- **Display name**: The display name for your agent identity blueprint (for example, "Contoso Budget Agent").
- **Sponsor**: The user who is accountable for the agent. Defaults to the currently signed-in user.
- **Owner**: The user or service principal who can make technical changes to the blueprint. Optional but recommended.
- **Credential type**: Whether to use a managed identity (recommended for production) or a certificate or client secret (for local development).
- **Agent identity count**: How many agent identities to create under this blueprint.
- **Derived value confirmation**: Review autogenerated names and URIs before resources are created.
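Review bot: swapping `client secret or certificate` to `certificate or client secret` in step 4 and in the **Credential type** prompt signals a preference for certificates, but the text still offers both as equivalent for local development. Say it outright: managed identity for production, certificate preferred for development, client secret only when neither is available, since credentials on the blueprint are what its agent identities use to request tokens and a leaked secret therefore compromises every agent identity created from it. Step 6, `the principal is **not** autocreated and must be done explicitly`, is worth keeping exactly as phrased; it is the step most readers will miss.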