📋 Microsoft Entra Documentation Changes

Daily summary for changes since April 5th 2026, 9:40 PM PDT

Report generated on April 6th 2026, 9:40 PM PDT

📊 Summary

16
Total Commits
0
New Files
6
Modified Files
0
Deleted Files
8
Contributors

📝 Modified Documentation Files

MODIFIED docs/fundamentals/entra-admin-center.md
Modified by Ken Withee on Apr 6, 2026 3:57 PM
📖 View on learn.microsoft.com
+41 / -5 lines changed
Commit: Enhance admin center overview with task table and navigation detail AB#567035
Changes:
Before
After
title: Microsoft Entra admin center
description: Overview of the Microsoft Entra admin center interface for configuring and managing Microsoft Entra products.
ms.topic: overview
ms.date: 04/03/2026
ms.custom: sfi-image-nochange
#Customer intent: As a user, I want an overview of the products and features available in the Microsoft Entra admin center and then be able to easily navigate to learn more about those products and features.
---
 
## Overview
 
The [Microsoft Entra admin center](https://entra.microsoft.com/) is a web-based identity portal for Microsoft Entra products. It provides a unified administrative experience for organizations to configure and manage their Microsoft Entra solutions in a centralized location.
 
## Explore the Microsoft Entra admin center
 
The Microsoft Entra admin center is organized by product. Access the products through the search bar or left-hand menu.
 
**Home** includes at-a-glance information about your tenant, recent activities, and other helpful resources, including shortcuts and deployment guides.
:::image type="content" source="./media/entra-admin-center/entra-admin-center-home.png" alt-text="Screenshot of the Microsoft Entra admin center overview home page.":::
 
title: Microsoft Entra admin center
description: Overview of the Microsoft Entra admin center interface for configuring and managing Microsoft Entra products.
ms.topic: overview
ms.date: 04/06/2026
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
#Customer intent: As a user, I want an overview of the products and features available in the Microsoft Entra admin center and then be able to easily navigate to learn more about those products and features.
---
 
## Overview
 
The [Microsoft Entra admin center](https://entra.microsoft.com/) is a web-based portal that provides a unified administrative experience for configuring and managing Microsoft Entra products in a centralized location. From the admin center, administrators can manage users and groups, configure authentication methods, create Conditional Access policies, monitor identity security posture, and govern access across the organization.
 
The admin center brings together the following Microsoft Entra product areas, each accessible from the left-hand navigation menu:
 
- **[Entra ID](#entra-id)** — Manage users, groups, devices, applications, roles, and authentication methods.
- **[ID Protection](#id-protection)** — Monitor and respond to identity-based risks with risk policies and reports.
- **[Identity Governance](#identity-governance)** — Control access lifecycle with entitlement management, access reviews, and lifecycle workflows.
- **[Verified ID](#verified-id)** — Issue and manage verifiable credentials.
- **[Global Secure Access](#global-secure-access)** — Secure access to apps and resources with Private Access and Internet Access.
MODIFIED docs/identity/conditional-access/controls.md
Modified by Ken Withee on Apr 6, 2026 2:46 PM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: Address review feedback: fix retirement claim, update stale names, update ms.date AB#556043
Changes:
Before
After
title: Custom controls in Microsoft Entra Conditional Access
description: Learn how custom controls in Microsoft Entra Conditional Access work.
ms.topic: concept-article
ms.date: 04/01/2026
ms.reviewer: gkinasewitz
ms.custom: sfi-image-nochange
---
Custom controls are a preview capability of Microsoft Entra ID. When you use custom controls, users are redirected to a compatible service to meet authentication requirements outside of Microsoft Entra ID. To meet this control, a user's browser redirects to the external service, performs any required authentication, and then redirects back to Microsoft Entra ID. Microsoft Entra ID verifies the response and, if the user is successfully authenticated or validated, the user continues in the Conditional Access flow.
 
> [!IMPORTANT]
> Custom controls are deprecated and will be retired on September 30, 2026. External MFA (previously known as external authentication methods) is the replacement for custom controls and is now generally available. External MFA provides several benefits over the custom controls approach. Existing custom controls will continue to function until retirement, but new implementations should use external MFA. Start planning your migration now.
 
For more information, see [Manage external MFA in Microsoft Entra ID](../authentication/how-to-authentication-external-method-manage.md).
 
title: Custom controls in Microsoft Entra Conditional Access
description: Learn how custom controls in Microsoft Entra Conditional Access work.
ms.topic: concept-article
ms.date: 04/06/2026
ms.reviewer: gkinasewitz
ms.custom: sfi-image-nochange
---
Custom controls are a preview capability of Microsoft Entra ID. When you use custom controls, users are redirected to a compatible service to meet authentication requirements outside of Microsoft Entra ID. To meet this control, a user's browser redirects to the external service, performs any required authentication, and then redirects back to Microsoft Entra ID. Microsoft Entra ID verifies the response and, if the user is successfully authenticated or validated, the user continues in the Conditional Access flow.
 
> [!IMPORTANT]
> Custom controls will be deprecated on September 30, 2026. External MFA (previously known as external authentication methods) is the replacement for custom controls and is now generally available. External MFA provides several benefits over the custom controls approach. Existing custom controls will continue to function during the transition period, but new implementations should use external MFA. Start planning your migration now.
 
For more information, see [Manage external MFA in Microsoft Entra ID](../authentication/how-to-authentication-external-method-manage.md).
 
MODIFIED docs/identity/conditional-access/plan-conditional-access.md
Modified by John Flores on Apr 6, 2026 8:01 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Increase Conditional Access policy limit to 240
Changes:
Before
After
 
### Minimize the number of Conditional Access policies
 
Creating a policy for each app isn't efficient and makes managing policies difficult. Conditional Access has a limit of 195 policies per tenant. This 195-policy limit includes Conditional Access policies in any state, including report-only mode, on, or off.
 
Analyze your apps and group them by the same resource requirements for the same users. For example, if all Microsoft 365 apps or all HR apps have the same requirements for the same users, create a single policy and include all the apps it applies to.
 
 
### Minimize the number of Conditional Access policies
 
Creating a policy for each app isn't efficient and makes managing policies difficult. Conditional Access has a limit of 240 policies per tenant. This 240-policy limit includes Conditional Access policies in any state, including report-only mode, on, or off.
 
Analyze your apps and group them by the same resource requirements for the same users. For example, if all Microsoft 365 apps or all HR apps have the same requirements for the same users, create a single policy and include all the apps it applies to.
 
MODIFIED docs/identity/conditional-access/managed-policies.md
Modified by Jared Ross on Apr 6, 2026 3:12 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Update monitoring instructions for Microsoft policies
Changes:
Before
After
 
[Custom controls don't satisfy multifactor authentication claim requirements](controls.md#creating-custom-controls). If your organization uses custom controls you should [migrate to external authentication methods](/entra/identity/authentication/how-to-authentication-external-method-manage), the replacement of custom controls. Your external authentication provider must support external authentication methods and provide the necessary configuration guidance for integration.
 
### How do I monitor when Microsoft makes a change to these policies or adds a new one?
 
Administrators with **AuditLog.Read.All** and **Directory.Read** permissions can query the audit log for entries initiated by **Microsoft Managed Policy Manager** in the **Policy** category. For example, use [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) to find entries with this query string: `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=initiatedBy/app/displayName eq 'Microsoft Managed Policy Manager' and category eq 'Policy'`.
 
 
[Custom controls don't satisfy multifactor authentication claim requirements](controls.md#creating-custom-controls). If your organization uses custom controls you should [migrate to external authentication methods](/entra/identity/authentication/how-to-authentication-external-method-manage), the replacement of custom controls. Your external authentication provider must support external authentication methods and provide the necessary configuration guidance for integration.
 
### How do I monitor when Microsoft makes a change to these policies, adds a new one, or deletes one?
 
Administrators with **AuditLog.Read.All** and **Directory.Read** permissions can query the audit log for entries initiated by **Microsoft Managed Policy Manager** in the **Policy** category. For example, use [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) to find entries with this query string: `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=initiatedBy/app/displayName eq 'Microsoft Managed Policy Manager' and category eq 'Policy'`.
 
MODIFIED docs/architecture/resilience-in-credentials.md
Modified by Ken Withee on Apr 6, 2026 2:46 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Address review feedback: fix retirement claim, update stale names, update ms.date AB#556043
Changes:
Before
After
|Certificate Based Authentication (CBA)|In most cases (depending on configuration) CBA will require a revocation check. This adds an external dependency on the CRL distribution point (CDP) |[Understanding the certificate revocation process](~/identity/authentication/concept-certificate-based-authentication-certificate-revocation-list.md#enforce-crl-validation-for-cas)|
|Pass Through Authentication (PTA)|PTA uses on-premise agents to process the password authentication.|[How does Microsoft Entra pass-through authentication work?](~/identity/hybrid/connect/how-to-connect-pta-how-it-works.md#how-does-microsoft-entra-pass-through-authentication-work)|
|Federation| Federation server(s) must be online and available to process the authentication attempt|[High availability cross-geographic AD FS deployment in Azure with Azure Traffic Manager](/windows-server/identity/ad-fs/deployment/active-directory-adfs-in-azure-with-azure-traffic-manager)|
|External Authentication Methods (EAM)| EAM provides a path for customers to use external MFA providers.|[Manage external MFA in Microsoft Entra ID](~/identity/authentication/how-to-authentication-external-method-manage.md)|
 
## How do multiple credentials help resilience?
 
|Certificate Based Authentication (CBA)|In most cases (depending on configuration) CBA will require a revocation check. This adds an external dependency on the CRL distribution point (CDP) |[Understanding the certificate revocation process](~/identity/authentication/concept-certificate-based-authentication-certificate-revocation-list.md#enforce-crl-validation-for-cas)|
|Pass Through Authentication (PTA)|PTA uses on-premise agents to process the password authentication.|[How does Microsoft Entra pass-through authentication work?](~/identity/hybrid/connect/how-to-connect-pta-how-it-works.md#how-does-microsoft-entra-pass-through-authentication-work)|
|Federation| Federation server(s) must be online and available to process the authentication attempt|[High availability cross-geographic AD FS deployment in Azure with Azure Traffic Manager](/windows-server/identity/ad-fs/deployment/active-directory-adfs-in-azure-with-azure-traffic-manager)|
|External Multifactor Authentication (External MFA)| External MFA provides a path for customers to use external MFA providers.|[Manage external MFA in Microsoft Entra ID](~/identity/authentication/how-to-authentication-external-method-manage.md)|
 
## How do multiple credentials help resilience?
 
MODIFIED docs/identity/authentication/concept-mandatory-multifactor-authentication.md
Modified by Ken Withee on Apr 6, 2026 2:46 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Address review feedback: fix retirement claim, update stale names, update ms.date AB#556043
Changes:
Before
After
 
Some customers apply Conditional Access policies to user-based service accounts. You can reclaim the user-based license, and add a [workload identities](~/workload-id/workload-identities-overview.md) license to apply [Conditional Access for workload identities](~/identity/conditional-access/workload-identity.md).
 
## Migrate federated Identity Provider to external authentication methods
 
Support for external MFA solutions is available with [external MFA](https://aka.ms/EAMAdminDocs), and can be used to meet the MFA requirement. The legacy Conditional Access custom controls preview doesn't satisfy the MFA requirement. You should migrate to external MFA to use an external solution with Microsoft Entra ID.
 
 
Some customers apply Conditional Access policies to user-based service accounts. You can reclaim the user-based license, and add a [workload identities](~/workload-id/workload-identities-overview.md) license to apply [Conditional Access for workload identities](~/identity/conditional-access/workload-identity.md).
 
## Migrate federated Identity Provider to external MFA
 
Support for external MFA solutions is available with [external MFA](https://aka.ms/EAMAdminDocs), and can be used to meet the MFA requirement. The legacy Conditional Access custom controls preview doesn't satisfy the MFA requirement. You should migrate to external MFA to use an external solution with Microsoft Entra ID.
 

🤖 This report was automatically generated by the Entra Docs Monitor

📧 Delivered to merill@merill.net

🔗 Visit Repository