📋 Microsoft Entra Documentation Changes

Daily summary for changes since April 2nd 2026, 9:24 PM PDT

Report generated on April 3rd 2026, 9:24 PM PDT

📊 Summary

Total Commits: 30
New Files: 2
Modified Files: 12
Deleted Files: 0
Contributors: 11

🆕 New Documentation Files

+149 lines added
Commit: agent-id-decision-guide-040326
+129 lines added
Commit: agent-id-decision-guide-040326

📝 Modified Documentation Files

+27 / -34 lines changed
Commit: agent-id-decision-guide-040326
Changes:
Before
After
---
title: Agent identities, service principals, and applications
description: Learn about agent service principals in Microsoft Entra, including agent identity blueprint Principal and Agent Identity, and how they differ from traditional service principals in authentication, permissions, and lifecycle management.
titleSuffix: Microsoft Entra Agent ID
ms.topic: concept-article
ms.date: 11/04/2025
ms.custom: agent-id-ignite
ms.reviewer: dastrock
 
 
# Agent identities, service principals, and applications
 
The agent app model introduces specific service principal types with distinct roles and characteristics compared to nonagent application service principals. This article explains service principals in the agent application model, how they relate to agent identity blueprint and differ from nonagent application service principals.
 
## Agent identity blueprint principal
 
Agent identity blueprint principals are created automatically when an agent identity blueprint is instantiated in a tenant. These service principals provide the runtime representation of the agent identity blueprint within the tenant's directory and enable the agent identity blueprint to perform operations like creating instances and managing lifecycle operations.
 
The creation process involves consent operations that require permissions like `AgentIdentity.Create` and `ServicePrincipal.Manage.OwnedBy`. The agent identity blueprint principal enables the agent identity blueprint to obtain app-only tokens for Microsoft Graph calls necessary to create and manage agent identities. This process is essential because agent blueprints themselves can't directly obtain tokens for Microsoft Graph operations.
 
---
title: Agent identities, service principals, and applications
description: Learn about agent service principals in Microsoft Entra and how they differ from traditional service principals in authentication, permissions, and lifecycle management.
titleSuffix: Microsoft Entra Agent ID
ms.topic: concept-article
ms.date: 04/03/2026
ms.custom: agent-id-ignite
ms.reviewer: dastrock
 
 
# Agent identities, service principals, and applications
 
Agent identities are built on the same service principal infrastructure that applications use throughout Microsoft Entra, but they're a distinct object type. Standard service principals were designed for static, deterministic workloads and operate using their own credentials directly. Agent identities add a delegation model where the blueprint acquires tokens on behalf of each agent identity, support a one-to-many blueprint relationship, require an assigned sponsor, and generate agent-specific audit entries.
 
This article explains the following concepts:
- The service principal types in the agent app model
- How they relate to agent identity blueprints
- How they differ from standard application service principals
 
## Agent identity blueprint principal
Modified by shlipsey3 on Apr 3, 2026 4:40 PM
+19 / -17 lines changed
Commit: agent-id-decision-guide-040326
Changes:
Before
After
---
title: Fundamental concepts in Microsoft agent identity platform
titleSuffix: Microsoft Entra Agent ID
description: Discover the role of agent identities in AI authentication. Understand their unique identifiers, token usage, and how they enable secure access to systems.
author: omondiatieno
ms.author: jomondi
ms.reviewer: dastrock
ms.date: 11/04/2025
ms.custom: agent-id-ignite
ms.topic: concept-article
#customer intent: As a developer, I want to understand the core concepts of agent identities and blueprints in Microsoft Entra ID so that I can implement secure authentication patterns for AI agents in my applications.
---
# Agent identity and blueprint concepts in Microsoft Entra ID
 
The Microsoft agent identity platform provides specialized identity constructs designed specifically for AI agents operating in enterprise environments. These identity constructs enable secure authentication and authorization patterns that differ from traditional user and application identities, addressing the unique requirements of autonomous AI systems.
 
 
## Core identity concepts
 
The following concepts form the foundation of the agent identity system in Microsoft Entra ID.
---
title: Fundamental concepts in Microsoft Entra Agent ID
titleSuffix: Microsoft Entra Agent ID
description: Discover the role of agent identities in AI authentication. Understand their unique identifiers, token usage, and how they enable secure access to systems.
author: omondiatieno
ms.author: jomondi
ms.reviewer: dastrock
ms.date: 04/03/2026
ms.custom: agent-id-ignite
ms.topic: concept-article
#customer intent: As a developer, I want to understand the core concepts of agent identities and blueprints in Microsoft Entra ID so that I can implement secure authentication patterns for AI agents in my applications.
---
# Microsoft Entra Agent ID key concepts
 
The Microsoft agent identity platform provides specialized identity constructs designed specifically for AI agents operating in enterprise environments. These identity constructs enable secure authentication and authorization patterns that differ from traditional user and application identities, addressing the unique requirements of autonomous AI systems.
 
 
## Core identity concepts
 
The following concepts form the foundation of Microsoft Entra Agent ID and the Microsoft agent identity platform.
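Review bot: The renamed front matter and body disagree on the product name. The new `title` is "Fundamental concepts in Microsoft Entra Agent ID" with `titleSuffix: Microsoft Entra Agent ID`, the H1 is "Microsoft Entra Agent ID key concepts", and the unchanged intro paragraph still opens with "The Microsoft agent identity platform". Suggest aligning `title` with the H1 so the rendered page title does not repeat the product name next to the suffix, and either updating the intro sentence or stating how the two names relate, since the closing line of the hunk now uses both.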
Modified by shlipsey3 on Apr 3, 2026 4:52 PM
+10 / -10 lines changed
Commit: link-fix
Changes:
Before
After
 
This article describes common AI agent deployment patterns and how they map to Microsoft Entra Agent ID. The article starts with a review of key identity concepts, describes permisssions and trust boundaries, and then walks through common deployment patterns.
 
For step-by-step decision guidance on how many blueprints and agent identities to create, see [Plan your agent identity architecture](plan-agent-identity-architecture.md).
 
[!INCLUDE [entra-agent-id-preview-note](../../includes/entra-agent-id-preview-note.md)]
 
## Key concepts
 
The following components are the foundation of Microsoft Entra Agent ID. If you're new to them, start with [Microsoft Entra Agent ID key concepts](../identity-platform/key-concepts.md) before continuing with this article.
 
### Identity constructs
 
The following identity constructs are used throughout the patterns described in this article:
- **[Agent identity blueprint](../identity-platform/agent-blueprint.md)**: The template and authentication foundation for one or more agent identities. It holds credentials and policies that apply to all agent identities created from it.
- **[Agent identity blueprint principal](../identity-platform/agent-blueprint.md#agent-identity-blueprint-principals)**: The Microsoft Entra object created when a blueprint is added to a tenant. It's what actually acquires tokens, creates agent identities, and appears in audit logs on behalf of the blueprint.
- **[Agent identity](../identity-platform/agent-identities.md)**: The runtime identity for a specific AI agent, with its own permissions on downstream resources.
- **[Agent's user account](../identity-platform/agent-users.md)**: An optional 1:1 account paired with an agent identity, needed only when the agent must access systems that require a user object.
 
### Permissions models
 
This article describes common AI agent deployment patterns and how they map to Microsoft Entra Agent ID. The article starts with a review of key identity concepts, describes permisssions and trust boundaries, and then walks through common deployment patterns.
 
For step-by-step decision guidance on how many blueprints and agent identities to create, see [Plan your agent identity architecture](how-to-plan-agent-identity-architecture.md).
 
[!INCLUDE [entra-agent-id-preview-note](../includes/entra-agent-id-preview-note.md)]
 
## Key concepts
 
The following components are the foundation of Microsoft Entra Agent ID. If you're new to them, start with [Microsoft Entra Agent ID key concepts](identity-platform/key-concepts.md) before continuing with this article.
 
### Identity constructs
 
The following identity constructs are used throughout the patterns described in this article:
- **[Agent identity blueprint](identity-platform/agent-blueprint.md)**: The template and authentication foundation for one or more agent identities. It holds credentials and policies that apply to all agent identities created from it.
- **[Agent identity blueprint principal](identity-platform/agent-blueprint.md#agent-identity-blueprint-principals)**: The Microsoft Entra object created when a blueprint is added to a tenant. It's what actually acquires tokens, creates agent identities, and appears in audit logs on behalf of the blueprint.
- **[Agent identity](identity-platform/agent-identities.md)**: The runtime identity for a specific AI agent, with its own permissions on downstream resources.
- **[Agent's user account](identity-platform/agent-users.md)**: An optional 1:1 account paired with an agent identity, needed only when the agent must access systems that require a user object.
 
### Permissions models
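Review bot: The intro sentence on the After side still carries the misspelling "permisssions" ("describes permisssions and trust boundaries"); this commit already touches the surrounding links, so correct it to "permissions" here. Every relative path in the hunk also drops one `../` level (`../../includes/` to `../includes/`, `../identity-platform/` to `identity-platform/`), so confirm that the `agent-blueprint.md#agent-identity-blueprint-principals` anchor still resolves from the file's new location.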
+8 / -8 lines changed
Commit: link-fix
Changes:
Before
After
1. **How many blueprints** your system requires.
1. **How many agent identities** to create per blueprint.
 
Work through these decisions in order, because earlier choices shape later ones. Some single-agent deployments might only need the first two steps. For examples of how these decisions map to real-world agent architectures, see [Agent ID design patterns](agent-id-design-patterns.md).
 
[!INCLUDE [entra-agent-id-preview-note](../../includes/entra-agent-id-preview-note.md)]
 
## Step 1: Choose an identity type
 
- Blueprint-managed credentials and lifecycle: you create, rotate, and delete agent identities through their parent blueprint, not individually.
- Support for ephemeral agent identities that are created at runtime with inheritable permissions already granted through the blueprint, and deleted when the task completes.
 
For a detailed comparison, see [Agent identities, service principals, and applications](../identity-platform/agent-service-principals.md).
 
### Why not a regular user account?
 
 
Some agents need both. For example, an agent might run a nightly background sync using the autonomous pattern and also respond to user chat messages using the interactive pattern. In this case, implement both OAuth flows and select the appropriate token based on the operation.
 
- For autonomous agents, see [Request agent tokens for autonomous agents](../identity-platform/autonomous-agent-request-tokens.md).
1. **How many blueprints** your system requires.
1. **How many agent identities** to create per blueprint.
 
Work through these decisions in order, because earlier choices shape later ones. Some single-agent deployments might only need the first two steps. For examples of how these decisions map to real-world agent architectures, see [Agent ID design patterns](concept-agent-id-design-patterns.md).
 
[!INCLUDE [entra-agent-id-preview-note](../includes/entra-agent-id-preview-note.md)]
 
## Step 1: Choose an identity type
 
- Blueprint-managed credentials and lifecycle: you create, rotate, and delete agent identities through their parent blueprint, not individually.
- Support for ephemeral agent identities that are created at runtime with inheritable permissions already granted through the blueprint, and deleted when the task completes.
 
For a detailed comparison, see [Agent identities, service principals, and applications](identity-platform/agent-service-principals.md).
 
### Why not a regular user account?
 
 
Some agents need both. For example, an agent might run a nightly background sync using the autonomous pattern and also respond to user chat messages using the interactive pattern. In this case, implement both OAuth flows and select the appropriate token based on the operation.
 
- For autonomous agents, see [Request agent tokens for autonomous agents](identity-platform/autonomous-agent-request-tokens.md).
+4 / -4 lines changed
Commit: Fix MS Learn style issues: product naming, punctuation, formatting
Changes:
Before
After
ms.custom: it-pro
ai-usage: ai-assisted
 
#Customer intent: As a developer, devops, or it administrator, I want to learn how to add a Microsoft Entra ID tenant as an OpenID Connect identity provider in my external tenant.
---
# Add a Microsoft Entra ID tenant as an OpenID Connect identity provider
 
 
`https://<tenant-subdomain>.ciamlogin.com/<custom-domain>/federation/oauth2`
 
For step by step guidance, see [Register an application](/entra/identity-platform/quickstart-register-app).
 
After the app is registered, complete the following configuration:
 
 
## Configure the identity provider in the external tenant
 
After you register the external tenant in the Microsoft Entra ID tenant, add it as a custom OIDC identity provider in the external tenant. Follow the steps in [Configure a new OpenID Connect identity provider in the admin center](how-to-custom-oidc-federation-customers.md#configure-a-new-openid-connect-identity-provider-in-the-admin-center) and use the following Entra ID-specific values:
 
| Setting | Value |
ms.custom: it-pro
ai-usage: ai-assisted
 
#Customer intent: As a developer, DevOps, or IT administrator, I want to learn how to add a Microsoft Entra ID tenant as an OpenID Connect identity provider in my external tenant.
---
# Add a Microsoft Entra ID tenant as an OpenID Connect identity provider
 
 
`https://<tenant-subdomain>.ciamlogin.com/<custom-domain>/federation/oauth2`
 
For step-by-step guidance, see [Register an application](/entra/identity-platform/quickstart-register-app).
 
After the app is registered, complete the following configuration:
 
 
## Configure the identity provider in the external tenant
 
After you register the external tenant in the Microsoft Entra ID tenant, add it as a custom OIDC identity provider in the external tenant. Follow the steps in [Configure a new OpenID Connect identity provider in the admin center](how-to-custom-oidc-federation-customers.md#configure-a-new-openid-connect-identity-provider-in-the-admin-center) and use the following Microsoft Entra ID-specific values:
 
| Setting | Value |
Modified by Ken Withee on Apr 3, 2026 4:00 PM
+3 / -3 lines changed
Commit: Clarify placeholder values in local admin command examples (AB#481870)
Changes:
Before
After
title: How to manage local administrators on Microsoft Entra joined devices
description: Learn how to assign Azure roles to the local administrators group of a Windows device.
ms.topic: how-to
ms.date: 06/27/2025
ms.reviewer:
ms.custom: sfi-ga-nochange
#Customer intent: As an IT admin, I want to manage the local administrators group assignment during a Microsoft Entra join, so that I can control who can manage Microsoft Entra joined devices
 
Additionally, you can also add users using the command prompt:
 
- If your tenant users are synchronized from on-premises Active Directory, use `net localgroup administrators /add "Contoso\username"`.
- If your tenant users are created in Microsoft Entra ID, use `net localgroup administrators /add "AzureAD\UserUpn"`
 
## Considerations
 
title: How to manage local administrators on Microsoft Entra joined devices
description: Learn how to assign Azure roles to the local administrators group of a Windows device.
ms.topic: how-to
ms.date: 04/03/2026
ms.reviewer:
ms.custom: sfi-ga-nochange
#Customer intent: As an IT admin, I want to manage the local administrators group assignment during a Microsoft Entra join, so that I can control who can manage Microsoft Entra joined devices
 
Additionally, you can also add users using the command prompt:
 
- If your tenant users are synchronized from on-premises Active Directory, use `net localgroup administrators /add "<domain>\<username>"`, where `<domain>` is your on-premises Active Directory domain name and `<username>` is the user's SAM account name.
- If your tenant users are created in Microsoft Entra ID, use `net localgroup administrators /add "AzureAD\<UserUPN>"`, where `<UserUPN>` is the user's User Principal Name.
 
## Considerations
 
+2 / -3 lines changed
Commit: Update JIT migration doc to use built-in portal role
Changes:
Before
After
ai-usage: ai-assisted
author: garrodonnell
ms.topic: how-to
ms.date: 12/12/2025
ms.author: godonnell
 
## Customer intent: As a developer or administrator responsible for managing user identities, I want to implement Just-In-Time (JIT) password migration to migrate user credentials from a legacy identity provider to Microsoft Entra External ID, so that users can continue using their existing passwords without requiring an immediate password reset or bulk migration of password hashes.
- An account with the following roles assigned:
- [Application Administrator](../../identity/role-based-access-control/permissions-reference.md#application-administrator)
- [User Administrator](../../identity/role-based-access-control/permissions-reference.md#user-administrator)
- Authentication Extensibility Password Administrator. This role gives you the necessary permissions to create and manage custom authentication extensions for password migration. The role definition ID is `0b00bede-4072-4d22-b441-e7df02a1ef63`.
You can find more information about role assignments in the [Microsoft Entra ID roles documentation](/entra/identity/role-based-access-control/manage-roles-portal?tabs=ms-graph).
 
 
## Overview of the JIT migration process
ai-usage: ai-assisted
author: garrodonnell
ms.topic: how-to
ms.date: 04/03/2026
ms.author: godonnell
 
## Customer intent: As a developer or administrator responsible for managing user identities, I want to implement Just-In-Time (JIT) password migration to migrate user credentials from a legacy identity provider to Microsoft Entra External ID, so that users can continue using their existing passwords without requiring an immediate password reset or bulk migration of password hashes.
- An account with the following roles assigned:
- [Application Administrator](../../identity/role-based-access-control/permissions-reference.md#application-administrator)
- [User Administrator](../../identity/role-based-access-control/permissions-reference.md#user-administrator)
- [Authentication Extensibility Password Administrator](../../identity/role-based-access-control/permissions-reference.md#authentication-extensibility-password-administrator). This built-in role is available in the Azure portal and gives you the necessary permissions to create and manage custom authentication extensions for password migration. For more information about role assignments, see [Assign Microsoft Entra roles](/entra/identity/role-based-access-control/manage-roles-portal).
 
 
## Overview of the JIT migration process
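Review bot: The rewritten Authentication Extensibility Password Administrator bullet drops the role definition ID (`0b00bede-4072-4d22-b441-e7df02a1ef63`) and the `?tabs=ms-graph` selector on the role-assignment link, so readers who assign the role through Microsoft Graph or a script lose the only identifier the page gave them. Suggest keeping the ID in the bullet next to the new permissions-reference link. The phrase "available in the Azure portal" also sits beside a link titled "Assign Microsoft Entra roles"; confirm which portal the linked procedure uses and name that one.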
 
Modified by Ken Withee on Apr 3, 2026 9:17 PM
+3 / -1 lines changed
Commit: Improve prominence of Lifecycle Workflows custom extensibility docs
Changes:
Before
After
description: Conceptual article discussing workflow templates and categories with Lifecycle Workflows.
ms.subservice: lifecycle-workflows
ms.topic: concept-article
ms.date: 03/12/2026
ms.custom: template-concept
---
 
- [`workflowTemplate` resource type](/graph/api/resources/identitygovernance-workflowtemplate?view=graph-rest-beta&preserve-view=true)
- [Lifecycle Workflow tasks and definitions](lifecycle-workflow-tasks.md)
- [Create a Lifecycle workflow](create-lifecycle-workflow.md)
 
 
description: Conceptual article discussing workflow templates and categories with Lifecycle Workflows.
ms.subservice: lifecycle-workflows
ms.topic: concept-article
ms.date: 04/03/2026
ms.custom: template-concept
---
 
- [`workflowTemplate` resource type](/graph/api/resources/identitygovernance-workflowtemplate?view=graph-rest-beta&preserve-view=true)
- [Lifecycle Workflow tasks and definitions](lifecycle-workflow-tasks.md)
- [Create a Lifecycle workflow](create-lifecycle-workflow.md)
- [Custom task extensions for workflows beyond built-in templates](lifecycle-workflow-extensibility.md)
- [Trigger Logic Apps based on custom task extensions](trigger-custom-task.md)
+1 / -3 lines changed
Commit: Fix MS Learn style issues: product naming, punctuation, formatting
Changes:
Before
After
description: Compare features and capabilities of a workforce versus an external tenant configuration. Determine which tenant type applies to your external identities scenario.
ms.topic: concept-article
ms.date: 03/30/2026
 
 
ms.custom: it-pro, seo-july-2024, sfi-ropc-nochange
#Customer intent: As a dev, DevOps, or IT admin, I want to learn about features supported in a CIAM tenant so that I can configure tenants according to my organization's needs.
---
| Microsoft personal account ([OpenID Connect](./how-to-custom-oidc-federation-customers.md)) | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | | |
| [Microsoft Entra ID federation](./how-to-entra-id-federation-customers.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | | |
| [OpenID Connect federation](./how-to-custom-oidc-federation-customers.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | | |
| [SAML/WS-Fed federation](../direct-federation.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: ||
 
## Application registration
 
description: Compare features and capabilities of a workforce versus an external tenant configuration. Determine which tenant type applies to your external identities scenario.
ms.topic: concept-article
ms.date: 03/30/2026
ms.custom: it-pro, seo-july-2024, sfi-ropc-nochange
#Customer intent: As a dev, DevOps, or IT admin, I want to learn about features supported in a CIAM tenant so that I can configure tenants according to my organization's needs.
---
| Microsoft personal account ([OpenID Connect](./how-to-custom-oidc-federation-customers.md)) | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | | |
| [Microsoft Entra ID federation](./how-to-entra-id-federation-customers.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | | |
| [OpenID Connect federation](./how-to-custom-oidc-federation-customers.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | | |
| [SAML/WS-Fed federation](../direct-federation.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | :::image type="icon" source="../media/common/applies-to-yes.png" border="false"::: | | |
 
## Application registration
 
 
 
Modified by Ken Withee on Apr 3, 2026 9:17 PM
+2 / -1 lines changed
Commit: Improve prominence of Lifecycle Workflows custom extensibility docs
Changes:
Before
After
title: Microsoft Entra admin center
description: Overview of the Microsoft Entra admin center interface for configuring and managing Microsoft Entra products.
ms.topic: overview
ms.date: 06/04/2025
ms.custom: sfi-image-nochange
#Customer intent: As a user, I want an overview of the products and features available in the Microsoft Entra admin center and then be able to easily navigate to learn more about those products and features.
---
* [Access reviews](~/id-governance/access-reviews-overview.md)
* [Privileged Identity Management](~/id-governance/privileged-identity-management/pim-configure.md)
* [Lifecycle workflows](~/id-governance/what-are-lifecycle-workflows.md)
 
### Verified ID
 
 
title: Microsoft Entra admin center
description: Overview of the Microsoft Entra admin center interface for configuring and managing Microsoft Entra products.
ms.topic: overview
ms.date: 04/03/2026
ms.custom: sfi-image-nochange
#Customer intent: As a user, I want an overview of the products and features available in the Microsoft Entra admin center and then be able to easily navigate to learn more about those products and features.
---
* [Access reviews](~/id-governance/access-reviews-overview.md)
* [Privileged Identity Management](~/id-governance/privileged-identity-management/pim-configure.md)
* [Lifecycle workflows](~/id-governance/what-are-lifecycle-workflows.md)
* [Custom task extensions for Lifecycle workflows](~/id-governance/lifecycle-workflow-extensibility.md)
 
### Verified ID
 
+1 / -1 lines changed
Commit: Fix MS Learn style issues: product naming, punctuation, formatting
Changes:
Before
After
 
- **Requirements for token claims**. If your application requires specific user attributes, you can include them in the token sent to your application.
 
- **Identity providers**. You can set up social identity providers like [Google](how-to-google-federation-customers.md), [Facebook](how-to-facebook-federation-customers.md), [Apple](how-to-apple-federation-customers.md), a [Microsoft Entra ID tenant](how-to-entra-id-federation-customers.md), or a [custom-configured OpenID Connect (OIDC)](how-to-custom-oidc-federation-customers.md) identity provider. Then, you can add them to your user flow as sign-in options
 
### How to integrate a user flow with your app
 
 
- **Requirements for token claims**. If your application requires specific user attributes, you can include them in the token sent to your application.
 
- **Identity providers**. You can set up social identity providers like [Google](how-to-google-federation-customers.md), [Facebook](how-to-facebook-federation-customers.md), [Apple](how-to-apple-federation-customers.md), a [Microsoft Entra ID tenant](how-to-entra-id-federation-customers.md), or a [custom-configured OpenID Connect (OIDC)](how-to-custom-oidc-federation-customers.md) identity provider. Then, you can add them to your user flow as sign-in options.
 
### How to integrate a user flow with your app
 
Modified by garrodonnell on Apr 3, 2026 9:59 AM
+1 / -1 lines changed
Commit: Fix MS Learn style issues: product naming, punctuation, formatting
Changes:
Before
After
 
## Design user flows for self-service sign-up
 
You can create a simple sign-up and sign-in experience for your customers by adding a user flow to your application. The user flow defines the series of sign-up steps customers follow and the sign-in methods they can use (such as email and password, one-time passcodes, social accounts from [Google](how-to-google-federation-customers.md), [Facebook](how-to-facebook-federation-customers.md) or [Apple](how-to-apple-federation-customers.md), [Microsoft Entra ID](how-to-entra-id-federation-customers.md) federation, as well as [custom OIDC](how-to-custom-oidc-federation-customers.md) identity providers). You can also collect information from customers during sign-up by selecting from a series of user built-in attributes or adding your own custom attributes.
 
Several user flow settings let you control how the customer signs up for the application, including:
 
 
## Design user flows for self-service sign-up
 
You can create a simple sign-up and sign-in experience for your customers by adding a user flow to your application. The user flow defines the series of sign-up steps customers follow and the sign-in methods they can use (such as email and password, one-time passcodes, social accounts from [Google](how-to-google-federation-customers.md), [Facebook](how-to-facebook-federation-customers.md), or [Apple](how-to-apple-federation-customers.md), [Microsoft Entra ID](how-to-entra-id-federation-customers.md) federation, as well as [custom OIDC](how-to-custom-oidc-federation-customers.md) identity providers). You can also collect information from customers during sign-up by selecting from a series of user built-in attributes or adding your own custom attributes.
 
Several user flow settings let you control how the customer signs up for the application, including:
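Review bot: The serial comma added after the Facebook link makes the parenthetical in the first paragraph harder to parse: "social accounts from Google, Facebook, or Apple, Microsoft Entra ID federation, as well as custom OIDC identity providers" now reads as one flat list with an "or" in the middle. Suggest separating the social providers from the remaining sign-in methods, for example with semicolons between the top-level items.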