📋 Microsoft Entra Documentation Changes

ms.date: 11/12/2024

#Customer intent: As a dev, devops, or it admin, I want to prevent telephony fraud by choosing which countries and regions to accept telecom traffic from.

When a country code is blocked, customers trying to set up SMS verification for multifactor authentication (MFA) for your application might encounter the message "Try another verification method." To resolve this issue, you can activate telephony traffic for the specific country code for your application.

You can use the Microsoft Graph API `onPhoneMethodLoadStart` event policy to manage telephony traffic for apps in your external tenant. With this event policy, you can activate or deactivate country codes for specific countries and regions.

ms.date: 04/09/2025

#customer intent: As an IT admin, I want to configure SAML/WS-Fed based identity provider federation with AD FS, so that I can enable federation between Microsoft Entra B2B and IdPs that use the SAML or WS-Fed protocol.

|Attribute |Value |

|---------|---------|

|AssertionConsumerService |`https://login.microsoftonline.com/login.srf` |

|Audience |`urn:federation:MicrosoftOnline` |

|Issuer |The issuer URI of the partner IdP, for example `http://www.example.com/exk10l6w90DHM0yi...` |

ms.date: 09/16/2025

#Customer intent: As a dev, devops, or it admin, I want to

After you add the MSA (live.com) as one of your user flow's sign-in options, customers can sign up and sign in to your application with their Microsoft account.

- A Microsoft account (live.com). If you don't already have one, sign up at https://www.live.com/.

ms.date: 11/17/2025

#Customer intent: As an administrator, I want to add a guest user to my Microsoft Entra directory and send them an invitation via PowerShell, so that they can collaborate with my organization using their own work, school, or social account.

There are many ways you can invite external partners to your apps and services with Microsoft Entra B2B collaboration. In the previous quickstart, you saw how to add guest users directly in the Microsoft Entra admin center. You can also use PowerShell to add guest users, either one at a time or in bulk. In this quickstart, you’ll use the New-MgInvitation command to add one guest user to your Microsoft Entra tenant.

ms.date: 03/12/2025

#Customer intent: As a developer, devops, or it administrator, I want to learn how to configure the standard OpenID Connect claims with the claims my identity provider provides in my external tenant.

In OpenID Connect protocol, claims are used to communicate information about the end user and contains pieces of information about a user that an identity provider states inside the ID token they issue for that user. The ID Token is a security token that contains claims about the end-user. These ID token claims are used to uniquely identify and provide information about the user during sign-up. These information pieces are stored in the corresponding user attributes in the user's profile in your directory.

To set up claims mapping, you need to create an identity provider (IdP) in your Microsoft Entra External ID tenant. The IdP configuration includes the **Claims mapping** section where you can configure the standard OpenID Connect (OIDC) claims with the claims your identity provider provides in the ID Token.

:::image type="content" source="media/reference-oidc-claims-mapping-customers/oidc-claims-mapping.png" alt-text="Screenshot of adding claims mapping.":::

ms.date: 04/10/2025

#Customer intent: As a dev, devops, or it admin, I want to learn how to add Apple as an identity provider for my external tenant.

By setting up federation with Apple, you can allow customers to sign in to your applications with their own Apple accounts. After you've added Apple as one of your application's sign-in options, on the sign-in page, customers can sign-in to Microsoft Entra External ID with an Apple account. (Learn more about [authentication methods and identity providers for customers](concept-authentication-methods-customers.md).)

To enable sign-in for customers with an Apple ID, you need to create an application in [Apple Developer panel](https://developer.apple.com/). If you don't already have an Apple ID, you can create one at Certificates, Identifiers & Profiles section.

ms.date: 02/05/2025

To manage these scenarios previously, you had to manually delete the guest user’s account from your directory and reinvite the user. Now you can use the Microsoft Entra admin center, PowerShell, or the Microsoft Graph invitation API to reset the user's redemption status and reinvite the user while keeping the user's object ID, group memberships, and app assignments. When the user redeems the new invitation, the UserPrincipalName (UPN) of the user doesn't change, but the user's sign-in name changes to the new email. Then the user can sign in using the new email or an email you've added to the `otherMails` property of the user object.

:::image type="content" source="media/reset-redemption-status/user-profile-b2b-collaboration.png" alt-text="Screenshot showing the B2B collaboration reset link." lightbox="media/reset-redemption-status/user-profile-b2b-collaboration.png":::

ms.date: 07/07/2025

#customer intent: As a B2B collaboration administrator, I want to add Facebook as an identity provider for self-service sign-up user flows, so that users can sign in to applications using their Facebook accounts.

After you add Facebook as one of your application's sign-in options, on the **Sign in** page, a user can enter the email they use to sign in to Facebook, or they can select **Sign-in options** and choose **Sign in with Facebook**. In either case, they're redirected to the Facebook sign in page for authentication.


description: If you have internal user accounts for partners, distributors, suppliers, vendors, and other guests, you can change to Microsoft Entra B2B collaboration by inviting them to sign in with their own external credentials or sign-in. Use either PowerShell or the Microsoft Graph invitation API.

ms.date: 02/25/2025

Sending an invitation to an existing internal account lets you retain that user’s object ID, User Principal Name (UPN), group memberships, and app assignments. You don’t need to manually delete and reinvite the user or reassign resources. To invite the user, you use the invitation API to pass both the internal user object and the guest user’s email address along with the invitation. When the user accepts the invitation, the B2B service changes the existing internal user object to a B2B user. Going forward, the user must sign in to cloud resources services using their B2B credentials.

ms.date: 09/16/2025

Applications typically receive user role information as claims in a security token. Developers have the flexibility to provide their own implementation for how role claims are to be interpreted as application permissions. This interpretation of permissions can involve using middleware or other options provided by the platform of the applications or related libraries.

| App roles| Groups|

description: Learn how to configure and use GSA Cloud Firewall to protect against unauthorized internet access from branch offices using Remote Networks for Internet Access.

ms.date: 11/18/2025

#customer intent: As a Global Secure Access administrator, I want to learn how to configure and use GSA Cloud Firewall to protect against unauthorized internet access from branch offices using Remote Networks for Internet Access.

# Configure Global Secure Access cloud firewall (preview)

Global Secure Access (GSA) Cloud Firewall (CFW) protects customers from unauthorized egress access by applying policies on network traffic. Cloud firewall provides centralized management, visibility, and consistent policies for branches.

The current scope of this preview is using GSA Cloud Firewall to enforce policies on Internet traffic from branch offices using Remote Networks for Internet Access (also in preview).

ms.date: 04/14/2025

#customer intent: As a developer or IT administrator, I want to use API connectors to customize and extend the self-service sign-up user flows, so that I can integrate with web APIs, customize the sign-up experience, and integrate with external systems for tasks such as approval workflows, identity verification, data validation, attribute manipulation, and running custom business logic.

## Overview

ms.date: 10/06/2025

#customer intent: As a B2B collaboration user flow administrator, I want to define custom attributes for user flows in Microsoft Entra, so that I can collect specific information during sign-up and extend the set of attributes stored on a guest account.

1. Browse to **Entra ID** > **External Identities** > **Overview**.

:::image type="content" source="media/user-flow-add-custom-attributes/user-attributes.png" alt-text="Screenshot of selecting custom user attributes for sign-up." lightbox="media/user-flow-add-custom-attributes/user-attributes.png":::

ms.author: barclayn

author: barclayn

manager: pmwongera

ms.date: 04/27/2025

Enabling the Admin consent workflow in a Microsoft Entra tenant is a vital security measure that mitigates risks associated with unauthorized application access and privilege escalation. This check is important because it ensures that any application requesting elevated permission undergoes a review process by designated administrators before consent is granted. The admin consent workflow in Microsoft Entra ID notifies reviewers who evaluate and approve or deny consent requests based on the application's legitimacy and necessity. If this check doesn't pass, meaning the workflow is disabled, any application can request and potentially receive elevated permissions without administrative review. This poses a substantial security risk, as malicious actors could exploit this lack of oversight to gain unauthorized access to sensitive data, perform privilege escalation, or execute other malicious activities.

ms.date: 03/10/2025

2. Select a role, such as **User Administrator**. The **Assignments** page lists the users with that role.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Authentication Administrators](/entra/identity/role-based-access-control/permissions-reference#privileged-authentication-administrator).