📋 Microsoft Entra Documentation Changes

Daily summary for changes since April 1st 2026, 9:36 PM PDT

Report generated on April 2nd 2026, 9:36 PM PDT

📊 Summary

Total Commits: 30
New Files: 0
Modified Files: 10
Deleted Files: 1
Contributors: 13

πŸ“ Modified Documentation Files

Modified by Ken Withee on Apr 2, 2026 9:14 PM
📖 View on learn.microsoft.com
+26 / -4 lines changed
Commit: Fix emergency revoke access: prerequisites and multi-device bug (AB#364538, AB#367361)
Changes:
Before
After
description: How to revoke all access for a user in Microsoft Entra ID
ms.topic: how-to
ms.reviewer: yukarppa
ms.date: 01/07/2025
ms.custom: it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
---
 
 
To mitigate the risks, you must understand how tokens work. There are many kinds of tokens, which fall into one of the patterns discussed in this article.
 
## Access tokens and refresh tokens
 
Access tokens and refresh tokens are frequently used with thick client applications, and also used in browser-based applications such as single page apps.
 
### Microsoft Entra environment
 
As an administrator in Microsoft Entra ID, open PowerShell, run `Connect-MgGraph`, and take the following actions:
 
1. Disable the user in Microsoft Entra ID. Refer to [Update-MgUser](/powershell/module/microsoft.graph.users/update-mguser).
 
description: How to revoke all access for a user in Microsoft Entra ID
ms.topic: how-to
ms.reviewer: yukarppa
ms.date: 04/02/2026
ms.custom: it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
---
 
 
To mitigate the risks, you must understand how tokens work. There are many kinds of tokens, which fall into one of the patterns discussed in this article.
 
## Prerequisites
 
The PowerShell steps in this article require the following:
 
- [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true) installed. Install the required modules:
 
```PowerShell
Install-Module Microsoft.Graph.Users
Install-Module Microsoft.Graph.Users.Actions
Install-Module Microsoft.Graph.Identity.DirectoryManagement
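Review bot: the new Prerequisites section lists the modules to install but not the Microsoft Graph permission scopes or the directory role that the revoke steps need; the page's own steps call `Connect-MgGraph` and then `Update-MgUser` to disable the user, so the sign-in line should show the required `-Scopes` value and a bullet should name the role the signed-in account must hold, the way the parallel group-management prerequisites in this report spell out `Group.ReadWrite.All` and Groups Administrator, including that an administrator must grant consent on first use. Separately, the commit message names a multi-device bug (AB#367361), but the hunk shown covers only the front matter and the prerequisites; confirm the rest of that fix is in the same commit.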
Modified by Ortagus Winfrey on Apr 2, 2026 9:09 PM
📖 View on learn.microsoft.com
+10 / -7 lines changed
Commit: Updates
Changes:
Before
After
 
This feature currently supports the following Windows Server distributions:
 
- Windows Server 2025 or later installed with Desktop Experience.
 
This feature is now available in the following Azure clouds:
 
To use passwordless authentication for your Windows Server VMs in Azure, the session host (VM) must be running:
 
- Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
- Windows Server 2025 or later installed.
 
Both [Password-based authentication](../../architecture/auth-password-based-sso.md), and [Passwordless authentication](../../identity/authentication/concept-authentication-passkeys-fido2.md) are supported to sign in to Windows virtual machines.
 
> [!IMPORTANT]
> Remote connection to VMs that are joined to Microsoft Entra ID is allowed only from client devices that are either Microsoft Entra registered or Microsoft Entra joined or Microsoft Entra hybrid joined to the *same* directory as the VM. Additionally, to RDP by using Microsoft Entra credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.
>
> If you're using a Microsoft Entra registered client device, you must enter credentials in the `AzureAD\UPN` format (for example, `AzureAD\john@contoso.com`). At this time, you can use Azure Bastion to sign in with Microsoft Entra authentication [via the Azure CLI and the native RDP client mstsc](/azure/bastion/native-client).
 
To sign in to your Windows Server 2019 virtual machine by using Microsoft Entra ID:
 
This feature currently supports the following Windows Server distributions:
 
- Windows 11 24H2 or later installed.
- Windows Server 2025 or later installed with Desktop Experience.
 
This feature is now available in the following Azure clouds:
 
To use passwordless authentication for your Windows Server VMs in Azure, the session host (VM) must be running:
 
- Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
- Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
- Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
- Windows Server 2025 or later installed.
 
Both [Password-based authentication](../../architecture/auth-password-based-sso.md), and [Passwordless authentication](../../identity/authentication/concept-authentication-passkeys-fido2.md) are supported to sign in to Windows virtual machines.
 
> [!IMPORTANT]
> Remote connection to VMs that are joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are either Microsoft Entra registered(minimum required build is 20H1) or Microsoft Entra joined or Microsoft Entra hybrid joined to the *same* directory as the VM. Additionally, to RDP by using Microsoft Entra credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.
>
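Review bot: the list introduced as "Windows Server distributions" now leads with "Windows 11 24H2 or later", and the passwordless session-host list introduced as "Windows Server VMs" gains Windows 10 and Windows 11 entries, so both lead-in sentences should be reworded (for example "supported Windows editions") or the lists split into client and server. In the IMPORTANT callout, "registered(minimum required build is 20H1)" is missing a space, and the callout now says "Windows 10 or later PCs" where the Before said "client devices"; the Before's second callout paragraph about the `AzureAD\UPN` credential format and Azure Bastion is not visible in the After, so confirm it is retained. The Before's "To sign in to your Windows Server 2019 virtual machine" sentence also contradicts the supported list (Server 2022 and 2025); check whether it survives the change.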
+7 / -9 lines changed
Commit: Learn Editor: Update how-to-connect-sync-staging-server.md
Changes:
Before
After
 
Staging mode can be used for several scenarios, including:
 
* High availability.
* Test and deploy new configuration changes.
* Introduce a new server and decommission the old.
 
During installation, you can select the server to be in **staging mode**. This action makes the server active for import and synchronization, but it doesn't run any exports. A server in staging mode isn't running password sync or password writeback, even if you selected these features during installation. When you disable staging mode, the server starts exporting, enables password sync, and enables password writeback.
 
> [!NOTE]
> Suppose you have a Microsoft Entra Connect with Password Hash Synchronization feature enabled. When you enable staging mode, the server stops synchronizing password changes from on-premises AD. When you disable staging mode, the server resumes synchronizing password changes from where it last left off. If the server is left in staging mode for an extended period of time, it can take a while for the server to synchronize all password changes that had occurred during the time period.
>
>
 
You can still force an export by using the synchronization service manager.
 
A server in staging mode continues to receive changes from Active Directory and Microsoft Entra ID and can quickly take over the responsibilities of another server in the event of a failure.
 
For those of you with knowledge of older sync technologies, the staging mode is different since the server has its own SQL database. This architecture allows the staging mode server to be located in a different datacenter.
 
 
Staging mode can be used for several scenarios, including:
 
* Fault tolerance.
* Test and deploy new configuration changes.
* Introduce a new server and decommission the old.
 
During installation or via the wizard, you can select the server to be in **staging mode**. This action makes the server active for import and synchronization, but it doesn't run any exports. A server in staging mode isn't running password sync or password writeback, even if you selected these features during installation. When you disable staging mode, the server starts exporting, enables password sync, and enables password writeback.
 
When staging mode is disabled, password sync resumes from the last recorded watermark. If the server was left in staging mode for an extended period of time, password sync might need a long catch-up period (possibly many hours or longer in large environments) to process all the password changes that occurred while it was in staging mode. During catch-up, newly changed passwords don't work in Microsoft Entra ID immediately because they are processed only after the backlog is completed. If business impact is high (for example, in a case of a failover), consider from time to time promoting the staging server to active temporarily and keeping it active until password sync catch-up completes (preferably during off-peak hours), so that future role switches have a smaller backlog of password changes to process. To confirm that password sync is progressing during catch-up, monitor the server’s application event logs for ongoing activity (for example, Event IDs 654/656 indicating batch processing). You may also see per-user success events (for example, Event ID 657) that can help you validate that password changes are being processed.
 
> [!WARNING]
> Password sync catch-up can take an extended period of time after disabling staging mode. **Do not restart the sync services during catch-up** β€” stopping the service can cause PHS to resume from an earlier watermark when it starts again, which increases the time to become current.
>
A server in staging mode continues to receive changes from Active Directory and Microsoft Entra ID and can quickly take over the responsibilities of another server in the event of a failure. In staging mode, you can still force an export by using the synchronization service manager.
 
For those of you with knowledge of older sync technologies, the staging mode is different since the server has its own SQL database. This architecture allows the staging mode server to be located in a different datacenter.
 
 
 
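Review bot: the new catch-up paragraph advises promoting the staging server to active "from time to time", but it does not say that the currently active server must first be switched into staging mode; the same hunk states that disabling staging mode starts exports, password sync and password writeback on that server, so following the advice as written would have two servers exporting to the same tenant at once. Add that step explicitly and present the switch as a planned, short-lived failover rather than a routine toggle. The WARNING should name the service not to restart (the synchronization service) and "watermark" should be defined on first use. The event IDs 654, 656 and 657 should link to the page where they are documented. Finally, "newly changed passwords don't work in Microsoft Entra ID immediately" implies that the previously synchronized password stays valid until the backlog drains; stating that directly would let readers judge the risk after a forced password reset.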
Modified by Ken Withee on Apr 2, 2026 8:50 PM
📖 View on learn.microsoft.com
+7 / -1 lines changed
Commit: Add Prerequisites section to PowerShell group management article (AB#350890)
Changes:
Before
After
description: This page provides PowerShell examples to help you manage your groups in Microsoft Entra ID
keywords: Azure AD, Azure Active Directory, PowerShell, Groups, Group management
ms.topic: how-to
ms.date: 12/19/2024
ms.reviewer: yukarppa
ms.custom: it-pro, has-azure-ad-ps-ref, sfi-ga-nochange
---
 
This article contains examples of how to use PowerShell to manage your groups in Microsoft Entra ID, part of Microsoft Entra. It also tells you how to get set up with the Microsoft Graph PowerShell module. First, you must [download the Microsoft Graph PowerShell module](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true).
 
## Install the Microsoft Graph PowerShell module
 
To install the MgGroup PowerShell module, use the following commands:
 
 
 
 
 
 
description: This page provides PowerShell examples to help you manage your groups in Microsoft Entra ID
keywords: Azure AD, Azure Active Directory, PowerShell, Groups, Group management
ms.topic: how-to
ms.date: 04/02/2026
ms.reviewer: yukarppa
ms.custom: it-pro, has-azure-ad-ps-ref, sfi-ga-nochange
---
 
This article contains examples of how to use PowerShell to manage your groups in Microsoft Entra ID, part of Microsoft Entra. It also tells you how to get set up with the Microsoft Graph PowerShell module. First, you must [download the Microsoft Graph PowerShell module](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true).
 
## Prerequisites
 
- [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true) installed.
- Sign in with an account that has at least the [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator) role.
- The `Group.ReadWrite.All` permission scope must be consented for the Microsoft Graph PowerShell application in your tenant. When you run `Connect-MgGraph`, you're prompted to consent if it hasn't been granted previously. An admin account is required for initial consent. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started?view=graph-powershell-1.0&preserve-view=true).
 
## Install the Microsoft Graph PowerShell module
 
To install the MgGroup PowerShell module, use the following commands:
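Review bot: the new Prerequisites bullets and the retained intro sentence now say the same thing twice ("First, you must download the Microsoft Graph PowerShell module" and "Microsoft Graph PowerShell SDK installed"); drop the sentence from the intro or point it at the Prerequisites heading. The scope bullet would be clearer with the sign-in command inline, `Connect-MgGraph -Scopes "Group.ReadWrite.All"`, together with a note that where an example only lists or reads groups a read-only scope such as `Group.Read.All` is enough, so readers do not consent to write access for a read-only task.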
Modified by Ortagus Winfrey on Apr 2, 2026 8:56 PM
📖 View on learn.microsoft.com
+4 / -3 lines changed
Commit: Revert windows 11 support
Changes:
Before
After
 
This feature currently supports the following Windows Server distributions:
 
- Windows Server 2025 or later installed with Desktop Experience.
 
This feature is now available in the following Azure clouds:
- **Client device requirements**: The device initiating the RDP connection must be:
- Microsoft Entra joined to the same directory as the Arc-enabled server, or
- Microsoft Entra hybrid joined to the same directory, or
- Microsoft Entra registered to the same directory.
 
- **Password restrictions**: Temporary passwords cannot be used for remote desktop connections. Users with temporary passwords must change their password through another method (such as the Azure portal) before attempting to connect.
 
 
Exit code 51 translates to "This extension isn't supported on this operating system."
 
The AADLoginForWindows extension is intended to be installed only on Arc-enabled Windows Servers with Windows Server 2022 or later operating systems. Ensure that your version of Windows Server is supported. If it isn't supported, uninstall the extension.
 
## Troubleshoot sign-in problems
 
 
This feature currently supports the following Windows Server distributions:
 
- Windows 11 24H2 or later installed.
- Windows Server 2025 or later installed with Desktop Experience.
 
This feature is now available in the following Azure clouds:
- **Client device requirements**: The device initiating the RDP connection must be:
- Microsoft Entra joined to the same directory as the Arc-enabled server, or
- Microsoft Entra hybrid joined to the same directory, or
- Microsoft Entra registered (Windows 10 20H1 or later) to the same directory.
 
- **Password restrictions**: Temporary passwords cannot be used for remote desktop connections. Users with temporary passwords must change their password through another method (such as the Azure portal) before attempting to connect.
 
 
Exit code 51 translates to "This extension isn't supported on this operating system."
 
The AADLoginForWindows extension is intended to be installed only on Arc-enabled Windows Servers with Windows Server 2025 or Windows 11 24H2 on Arc-enabled Windows Server. Ensure that your version of Windows Server is supported. If it isn't supported, uninstall the extension.
 
## Troubleshoot sign-in problems
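Review bot: the commit is titled "Revert windows 11 support", but the hunk adds Windows 11 lines to both the supported-distributions list and the client-device bullet, so either the title or the direction of the change is wrong; confirm this is not the opposite of what was intended. In the exit code 51 sentence, the After reads "Windows Server 2025 or Windows 11 24H2 on Arc-enabled Windows Server", which is garbled and silently drops the Before's "Windows Server 2022 or later"; confirm whether Windows Server 2022 is still supported for the AADLoginForWindows extension, since the Azure VM article earlier in this report still lists Windows Server 2022 with KB5018421. Also, the three sub-bullets under "Client device requirements" are not indented under their parent in either version.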
+1 / -1 lines changed
Commit: Learn Editor: Update reference-sla-performance.md
Changes:
Before
After
| --- | --- | --- | --- | --- | --- | --- |
| January | | 99.998% | 99.998% | 99.999% | 99.998% | 99.999% |
| February | 99.999% | 99.999% | 99.999% | 99.999% | 99.998% | 99.999% |
| March | 99.568% | 99.998% | 99.999% | 99.999% | 99.996% | |
| April | 99.999% | 99.999% | 99.999% | 99.999% | 99.999%*| |
| May | 99.999% | 99.999% | 99.999% | 99.999% | 99.999% | |
| June | 99.999% | 99.999% | 99.999% | 99.999% | 99.999% | |
| --- | --- | --- | --- | --- | --- | --- |
| January | | 99.998% | 99.998% | 99.999% | 99.998% | 99.999% |
| February | 99.999% | 99.999% | 99.999% | 99.999% | 99.998% | 99.999% |
| March | 99.568% | 99.998% | 99.999% | 99.999% | 99.996% | 99.999% |
| April | 99.999% | 99.999% | 99.999% | 99.999% | 99.999%*| |
| May | 99.999% | 99.999% | 99.999% | 99.999% | 99.999% | |
| June | 99.999% | 99.999% | 99.999% | 99.999% | 99.999% | |
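Review bot: the only change fills the seventh-column cell for March, but the hunk omits the header row, so the diff alone cannot confirm which year that column represents; include the header line when reviewing. The April cell "99.999%*" has no space before the pipe in either version, and the footnote the asterisk refers to is outside the hunk; check that both still render.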
+1 / -1 lines changed
Commit: Apply suggestion from @v-regandowner
Changes:
Before
After
* GitHub Enterprise Server supports [Automated user provisioning](./github-enterprise-server-provisioning-tutorial.md).
 
> [!NOTE]
> The `GitHub Enterprise Server` application currently doesn’t support SCIM provisioning in government cloud platforms. This limitation is due to `GitHub Enterprise Server` requiring the User-Agent header, which isn’t included in provisioning requests sent from government cloud environments.
 
## Add GitHub Enterprise Server from the gallery
 
* GitHub Enterprise Server supports [Automated user provisioning](./github-enterprise-server-provisioning-tutorial.md).
 
> [!NOTE]
> The GitHub Enterprise Server application currently doesn't support SCIM provisioning in government cloud platforms. This limitation is due to GitHub Enterprise Server requiring the `User-Agent` header, which isn't included in provisioning requests sent from government cloud environments.
 
## Add GitHub Enterprise Server from the gallery
 
+1 / -1 lines changed
Commit: provisioning inbound scenario update
Changes:
Before
After
- Provisioning passwords isn't supported.
- Provisioning nested groups beyond the first level is not supported.
- Provisioning is not supported for B2C tenants, including into or out of the tenant.
- Provisioning (inbound) is not supported for External ID tenants.
- Not all provisioning apps are available in all clouds.
 
::: zone pivot="app-provisioning"
- Provisioning passwords isn't supported.
- Provisioning nested groups beyond the first level is not supported.
- Provisioning is not supported for B2C tenants, including into or out of the tenant.
- Inbound provisioning using System for Cross‑domain Identity Management (SCIM) is not supported. Use Microsoft Graph and [Microsoft Graph batch](/graph/json-batching) instead.
- Not all provisioning apps are available in all clouds.
 
::: zone pivot="app-provisioning"
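Review bot: the replaced bullet was scoped to External ID tenants, but the new one ("Inbound provisioning using System for Cross-domain Identity Management (SCIM) is not supported...") is unscoped and sits above the `::: zone pivot="app-provisioning"` marker, so it now reads as a general limitation for every pivot of the page. If the intent is still External ID, keep the qualifier; if the statement is meant generally, say what "inbound" means here (provisioning from an external source into Microsoft Entra ID) and which scenario Microsoft Graph and Microsoft Graph batch replace, so the bullet is not read as denying SCIM provisioning from Microsoft Entra ID to applications.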
Modified by ms-robgarcia on Apr 2, 2026 3:46 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Clarify Secure Enclave device provisioning requirements
Changes:
Before
After
If your applications or MDM solutions depend on accessing Microsoft Entra device registration keys through Keychain, you must update them to use the Microsoft Authentication Library (MSAL) and the Enterprise SSO plug-in to maintain compatibility with the Microsoft identity platform.
 
> [!IMPORTANT]
> Devices using Secure Enclave for storing device identity keys will also need to be provisioned with Enterprise SSO or [Platform SSO](/intune/intune-service/configuration/platform-sso-macos) to report [device identity](../identity/devices/overview.md) to Microsoft Entra ID.
 
### Using Microsoft Authentication Library (MSAL) to read registration device Information
 
If your applications or MDM solutions depend on accessing Microsoft Entra device registration keys through Keychain, you must update them to use the Microsoft Authentication Library (MSAL) and the Enterprise SSO plug-in to maintain compatibility with the Microsoft identity platform.
 
> [!IMPORTANT]
> Managed devices using Secure Enclave for storing device identity keys will also need to be provisioned with Enterprise SSO or [Platform SSO](/intune/intune-service/configuration/platform-sso-macos) to report [device identity](../identity/devices/overview.md) to Microsoft Entra ID.
 
### Using Microsoft Authentication Library (MSAL) to read registration device Information
 
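Review bot: "Managed devices" narrows the callout, but "managed" is undefined here; state whether it means MDM-enrolled devices, and what happens on an unmanaged device that keeps its device identity keys in Secure Enclave (does registration fail, or succeed without reporting device identity?). Since the preceding paragraph tells application and MDM authors to move to MSAL and the Enterprise SSO plug-in, the callout should also say what is lost when device identity is not reported, so that teams relying on it for policy decisions can plan the change.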
Modified by shlipsey3 on Apr 2, 2026 2:17 PM
📖 View on learn.microsoft.com
+0 / -2 lines changed
Commit: remove-link
Changes:
Before
After
 
Enforce least privilege principles and apply the right access controls to keep your organization secure with [Conditional Access policies](../identity/conditional-access/plan-conditional-access.md). Think of Conditional Access policies as if-then statements where identities that meet certain criteria can only access resources if they meet specific requirements such as MFA or device compliance status.
 
[Restrict access to Gen AI apps based on signals](/entra/identity/conditional-access/policy-all-users-copilot-ai-security) like users, groups, roles, location, or risk to enhance policy decisions.
 
- Use the [authentication strength](../identity/authentication/concept-authentication-strengths.md) Conditional Access control that specifies combinations of authentication methods to access a resource. Require users to complete [phishing-resistant multifactor authentication](../identity/conditional-access/policy-all-users-mfa-strength.md) (MFA) to access Gen AI apps.
- Deploy [Microsoft Purview adaptive protection](/purview/insider-risk-management-adaptive-protection) to mitigate and manage AI usage risks. Use the [Insider Risk](../identity/conditional-access/concept-conditional-access-conditions.md#insider-risk) condition to [block Gen AI apps access for users with elevated insider risk](../identity/conditional-access/policy-risk-based-insider-block.md).
- Deploy [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) to incorporate device compliance signals into Conditional Access policy decisions. Use the device compliance condition to [require users to have a compliant device to access Gen AI apps.](../identity/conditional-access/policy-all-users-device-compliance.md)
 
Enforce least privilege principles and apply the right access controls to keep your organization secure with [Conditional Access policies](../identity/conditional-access/plan-conditional-access.md). Think of Conditional Access policies as if-then statements where identities that meet certain criteria can only access resources if they meet specific requirements such as MFA or device compliance status.
 
- Use the [authentication strength](../identity/authentication/concept-authentication-strengths.md) Conditional Access control that specifies combinations of authentication methods to access a resource. Require users to complete [phishing-resistant multifactor authentication](../identity/conditional-access/policy-all-users-mfa-strength.md) (MFA) to access Gen AI apps.
- Deploy [Microsoft Purview adaptive protection](/purview/insider-risk-management-adaptive-protection) to mitigate and manage AI usage risks. Use the [Insider Risk](../identity/conditional-access/concept-conditional-access-conditions.md#insider-risk) condition to [block Gen AI apps access for users with elevated insider risk](../identity/conditional-access/policy-risk-based-insider-block.md).
- Deploy [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) to incorporate device compliance signals into Conditional Access policy decisions. Use the device compliance condition to [require users to have a compliant device to access Gen AI apps.](../identity/conditional-access/policy-all-users-device-compliance.md)
 
 
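Review bot: removing the "Restrict access to Gen AI apps based on signals" paragraph matches the deletion of policy-all-users-copilot-ai-security.md later in this report, but that page was published at https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-copilot-ai-security, so the change should also add a redirect for the URL and the remaining docs should be checked for other links to it. The three retained bullets keep their links to the MFA-strength, insider-risk and device-compliance policy pages, which is fine.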

πŸ—‘οΈ Deleted Documentation Files

DELETED docs/identity/conditional-access/policy-all-users-copilot-ai-security.md
Deleted by shlipsey3 on Apr 2, 2026 2:16 PM
📖 Was available at: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-copilot-ai-security
-143 lines removed
Commit: ca-remove-gen-ai