📋 Microsoft Entra Documentation Changes

Daily summary for changes since April 20th 2026, 9:52 PM PDT

Report generated on April 21st 2026, 9:52 PM PDT

📊 Summary

- Total Commits: 31
- New Files: 0
- Modified Files: 15
- Deleted Files: 0
- Contributors: 14

πŸ“ Modified Documentation Files

Modified by Shreya Goyal (HCL Technologies Corporate Services) on Apr 21, 2026 2:08 PM
📖 View on learn.microsoft.com
+9 / -9 lines changed
Commit: Updated files
Changes:
Before
After
1. Navigate to the **User Management > User Provisioning** section of your settings.
1. Select **Enable User Provisioning (User Syncing)** to display more provisioning settings.
 
![Screenshot of User Provisioning (User Syncing)](media/knowbe4-security-awareness-training-provisioning-tutorial\user-sync.png)
 
1. By default, the toggle is set to **ADI**. Select the **SCIM** toggle to begin setting up.
1. Expand your SCIM settings by selecting **+ SCIM Settings**.
 
![Screenshot of Tenant Url](media/knowbe4-security-awareness-training-provisioning-tutorial\tenant-url.png)
 
1. Select **Generate SCIM Token**. This will open a new window with your token ID. Copy this ID and save it to a place that you can easily access later. It's important that you save this token because once you close this window, you can't view the token again. Once you’ve saved the information, select **OK** to close the window.
 
1. Copy the Tenant URL and save it to a place that you can easily access later.
1. Make sure that the Test Mode option is selected.
 
![Screenshot of Tenant Mode](media/knowbe4-security-awareness-training-provisioning-tutorial\test-mode.png)
 
>[!NOTE]
>We recommend keeping **Test Mode** enabled until you’ve configured the connection between KnowBe4 and your identity provider and have run a successful sync. Test Mode is used to generate a report of what will happen when SCIM is enabled. This means no changes are made to your console so you can configure your setup without worrying about changes to your console. When you're ready, you can disable **Test Mode** from your **Account Settings** to enable syncing.If you're switching from ADI to SCIM, **Test Mode** is enabled automatically after you save your **Account Settings**.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Navigate to the **User Management > User Provisioning** section of your settings.
1. Select **Enable User Provisioning (User Syncing)** to display more provisioning settings.
 
![Screenshot of User Provisioning (User Syncing).](media/knowbe4-security-awareness-training-provisioning-tutorial\user-sync.png)
 
1. By default, the toggle is set to **ADI**. Select the **SCIM** toggle to begin setting up.
1. Expand your SCIM settings by selecting **+ SCIM Settings**.
 
![Screenshot of the SCIM tenant URL configuration settings.](media/knowbe4-security-awareness-training-provisioning-tutorial\tenant-url.png)
 
1. Select **Generate SCIM Token**. This will open a new window with your token ID. Copy this ID and save it to a place that you can easily access later. It's important that you save this token because once you close this window, you can't view the token again. Once you’ve saved the information, select **OK** to close the window.
 
1. Copy the Tenant URL and save it to a place that you can easily access later.
1. Make sure that the Test Mode option is selected.
 
![Screenshot of the SCIM test mode configuration option.](media/knowbe4-security-awareness-training-provisioning-tutorial\test-mode.png)
 
>[!NOTE]
>We recommend keeping **Test Mode** enabled until you’ve configured the connection between KnowBe4 and your identity provider and have run a successful sync. Test Mode is used to generate a report of what will happen when SCIM is enabled. This means no changes are made to your console so you can configure your setup without worrying about changes to your console. When you're ready, you can disable **Test Mode** from your **Account Settings** to enable syncing.If you're switching from ADI to SCIM, **Test Mode** is enabled automatically after you save your **Account Settings**.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
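Review bot: In the [!NOTE] of the After text, "enable syncing.If you're switching from ADI to SCIM" is still missing the space after the period, so the last two sentences run together; fix it while this block is being touched. The three image paths also keep a backslash separator (`media/knowbe4-security-awareness-training-provisioning-tutorial\user-sync.png`) where the other tutorials in this batch use forward slashes. The **Generate SCIM Token** step tells the reader to save the token "to a place that you can easily access later"; because the token is shown only once and is the credential for the SCIM connection, the wording should point to a password manager or secrets store rather than any convenient location.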
Modified by Shreya Goyal (HCL Technologies Corporate Services) on Apr 21, 2026 2:08 PM
📖 View on learn.microsoft.com
+8 / -8 lines changed
Commit: Updated files
Changes:
Before
After
1. Log into LanSchool Air as Site Admin.
1. Select the menu at the top left then select **Settings**.
 
![Screenshot of Settings menu](media/lanschool-air-provisioning-tutorial/settings.png)
 
1. Select **SSO Configuration**.
 
![Screenshot of Configuration](media/lanschool-air-provisioning-tutorial/sso-configuration.png)
 
1. Select **Generate New**. The system generates a random secrete token. **Select Copy**.
 
![Screenshot of Token generation](media/lanschool-air-provisioning-tutorial/generate-token.png)
 
<a name='step-3-add-lanschool-air-from-the-azure-ad-application-gallery'></a>
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Entra ID** > **Enterprise apps**
 
![Screenshot of Enterprise applications blade](common/enterprise-applications.png)
 
1. Log into LanSchool Air as Site Admin.
1. Select the menu at the top left then select **Settings**.
 
![Screenshot of the Settings menu in the LanSchool Air admin.](media/lanschool-air-provisioning-tutorial/settings.png)
 
1. Select **SSO Configuration**.
 
![Screenshot of the the SSO Configuration settings page.](media/lanschool-air-provisioning-tutorial/sso-configuration.png)
 
1. Select **Generate New**. The system generates a random secrete token. **Select Copy**.
 
![Screenshot of the SCIM token generation dialog](media/lanschool-air-provisioning-tutorial/generate-token.png)
 
<a name='step-3-add-lanschool-air-from-the-azure-ad-application-gallery'></a>
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Entra ID** > **Enterprise apps**
 
![Screenshot of Enterprise applications blade.](common/enterprise-applications.png)
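Review bot: The new alt text for the SSO Configuration screenshot reads "Screenshot of the the SSO Configuration settings page." with a doubled "the", which this change introduces. The **Generate New** step still says "generates a random secrete token" (should be "secret") in both versions, and the new "Screenshot of the SCIM token generation dialog" alt text is the only one in the After text left without a closing period.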
 
Modified by Shreya Goyal (HCL Technologies Corporate Services) on Apr 21, 2026 2:08 PM
📖 View on learn.microsoft.com
+6 / -6 lines changed
Commit: Updated files
Changes:
Before
After
1. Sign in to https://app.kpifire.com with admin rights
1. Navigate to **Settings->API Settings->Add New Token** to generate the SCIM token.
 
[ ![Screenshot of kpifire token generation](media/kpifire-provisioning-tutorial/kpifire-token-generation.png) ](media/kpifire-provisioning-tutorial/kpifire-token-generation.png#lightbox)
 
1. Copy and save the SCIM token. This value is entered in the **Secret Token** field in the Provisioning tab of your kpifire application.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Entra ID** > **Enterprise apps**
 
![Screenshot of Enterprise applications blade](common/enterprise-applications.png)
 
1. In the applications list, select **kpifire**.
 
![Screenshot of The kpifire link in the Applications list](common/all-applications.png)
 
1. Select the **Provisioning** tab.
 
![Screenshot of Provisioning tab](common/provisioning.png)
 
1. Sign in to https://app.kpifire.com with admin rights
1. Navigate to **Settings->API Settings->Add New Token** to generate the SCIM token.
 
[ ![Screenshot of the kpifire token generation page.](media/kpifire-provisioning-tutorial/kpifire-token-generation.png) ](media/kpifire-provisioning-tutorial/kpifire-token-generation.png#lightbox)
 
1. Copy and save the SCIM token. This value is entered in the **Secret Token** field in the Provisioning tab of your kpifire application.
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Entra ID** > **Enterprise apps**
 
![Screenshot of Enterprise applications blade.](common/enterprise-applications.png)
 
1. In the applications list, select **kpifire**.
 
![Screenshot of the kpifire link in the Applications list](common/all-applications.png)
 
1. Select the **Provisioning** tab.
 
![Screenshot of the Provisioning tab in the application settings.](common/provisioning.png)
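Review bot: The alt text "Screenshot of the kpifire link in the Applications list" is the only one in the After text that did not get a closing period; the other three did. The steps "Sign in to https://app.kpifire.com with admin rights" and "Browse to **Entra ID** > **Enterprise apps**" also still end without punctuation, which is inconsistent with the other steps in the same list.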
 
+9 / -3 lines changed
Commit: Learn Editor: Update tshoot-clear-on-premises-attributes.md
Changes:
Before
After
- onPremisesDistinguishedName
- onPremisesDomainName
- onPremisesImmutableId
- onPremisesSamAccountName
- onPremisesSecurityIdentifier
- onPremisesUserPrincipalName
- onPremisesDistinguishedName
- onPremisesDomainName
- onPremisesImmutableId
- onPremisesSamAccountName
- onPremisesSecurityIdentifier
- onPremisesUserPrincipalName
- onPremisesDistinguishedName
- onPremisesDomainName
- onPremisesImmutableId
- onPremisesObjectIdentifier
- sonPremisesSamAccountName
- onPremisesSecurityIdentifier *
- onPremisesUserPrincipalName
 
- onPremisesDistinguishedName
- onPremisesDomainName
- onPremisesImmutableId
- onPremisesObjectIdentifier
 
- onPremisesSamAccountName
- onPremisesSecurityIdentifier
- onPremisesUserPrincipalName
- onPremisesDistinguishedName
- onPremisesDomainName
- onPremisesImmutableId
- onPremisesObjectIdentifier
 
- onPremisesSamAccountName
- onPremisesSecurityIdentifier
- onPremisesUserPrincipalName
- onPremisesDistinguishedName
- onPremisesDomainName
- onPremisesImmutableId
- onPremisesObjectIdentifier *
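Review bot: The entry "sonPremisesSamAccountName" in the updated attribute list has a stray leading "s"; every other copy of the list in this change spells it "onPremisesSamAccountName". The asterisk on "onPremisesSecurityIdentifier *" and "onPremisesObjectIdentifier *" appears on only some copies of the list and nothing in these lines says what it marks, so the footnote it refers to should sit directly under each list that carries it.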
+5 / -6 lines changed
Commit: edit pass: entra-internet-access-lab-tutorials
Changes:
Before
After
 
### What is shadow IT?
 
Shadow IT refers to applications and services that are used by employees without the IT department's knowledge or approval. This use creates risk such as the following examples.
 
| Risk category | Examples | Why it matters |
|---|---|---|
| Data loss | Uploading files to personal cloud storage | Sensitive data leaves corporate control. |
| Compliance | Using apps that don't meet regulatory requirements | Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act violations. |
| Security | Apps with poor security practices | Credential theft and malware delivery. |
| Licensing | Duplicate tools across teams | Wasted IT budget. |
 
#### Shadow AI: The new frontier
 
Generative AI tools (ChatGPT, Claude, Gemini, and others) present unique challenges:
 
- Employees might paste sensitive data into prompts.
- Confidential information might be used to train AI models.
 
## Step 3: Identify generative AI applications
 
### What is shadow IT?
 
*Shadow IT* refers to applications and services that are used by employees without the IT department's knowledge or approval. This use creates risk such as the following examples.
 
| Risk category | Examples | Why it matters |
|---|---|---|
| Data loss | Uploading files to personal cloud storage | Sensitive data leaves corporate control. |
| Compliance | Using apps that don't meet regulatory requirements | Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act violations. |
| Security | Using apps with poor security practices | Credential theft and malware delivery. |
| Licensing | Duplicating tools across teams | Wasted IT budget. |
 
#### Shadow AI: The new frontier
 
*Shadow AI* is the unauthorized use of AI tools by employees without approval or security clearance. Generative AI tools (ChatGPT, Claude, Gemini, and others) present unique challenges:
 
- Employees might paste sensitive data into prompts.
- Confidential information might be used to train AI models.
 
## Step 3: Identify generative AI applications
+5 / -5 lines changed
Commit: edit pass: entra-internet-access-lab-tutorials
Changes:
Before
After
 
| Aspect | FQDN filtering | URL filtering |
|--------|----------------|---------------|
| Requires TLS inspection | No | Yes. |
| Visibility | Domain only | Full path. |
| Example match | `www.youtube.com` | `www.youtube.com/shorts`. |
| Use case | Block or allow entire sites | Block or allow specific sites. |
| Granularity | Coarse | Fine-grained. |
 
## Objective
 
 
| Aspect | FQDN filtering | URL filtering |
|--------|----------------|---------------|
| Requires TLS inspection | No | Yes |
| Visibility | Domain only | Full path |
| Example match | `www.youtube.com` | `www.youtube.com/shorts` |
| Use case | Block or allow entire sites | Block or allow specific sites |
| Granularity | Coarse | Fine-grained |
 
## Objective
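Review bot: In the "Use case" row, the URL filtering cell says "Block or allow specific sites", which does not distinguish it from the FQDN cell's "Block or allow entire sites". The Visibility and Example match rows describe URL filtering as acting on the full path (`www.youtube.com/shorts`), so the cell should read something like "Block or allow specific paths within a site".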
 
Modified by Shreya Goyal (HCL Technologies Corporate Services) on Apr 21, 2026 2:08 PM
📖 View on learn.microsoft.com
+5 / -5 lines changed
Commit: Updated files
Changes:
Before
After
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Entra ID** > **Enterprise apps**
 
![Screenshot of Enterprise applications blade](common/enterprise-applications.png)
 
1. In the applications list, select **KPN Grip**.
 
![Screenshot of The KPN Grip link in the Applications list](common/all-applications.png)
 
1. Select the **Provisioning** tab.
 
![Screenshot of Provisioning tab](common/provisioning.png)
 
1. Select **+ New configuration**.
 
![Screenshot of Provisioning tab automatic](common/application-provisioning.png)
 
1. In the **Tenant URL** field, enter your KPN Grip Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to KPN Grip. If the connection fails, ensure your KPN Grip account has the required admin permissions and try again.
 
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
1. Browse to **Entra ID** > **Enterprise apps**
 
![Screenshot of Enterprise applications blade.](common/enterprise-applications.png)
 
1. In the applications list, select **KPN Grip**.
 
![Screenshot of the KPN Grip link in the Applications list.](common/all-applications.png)
 
1. Select the **Provisioning** tab.
 
![Screenshot of the Provisioning tab in the application settings.](common/provisioning.png)
 
1. Select **+ New configuration**.
 
![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. In the **Tenant URL** field, enter your KPN Grip Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to KPN Grip. If the connection fails, ensure your KPN Grip account has the required admin permissions and try again.
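Review bot: The last step names only the **Tenant URL** field but asks for two values ("enter your KPN Grip Tenant URL and Secret Token"). Reword it so the secret token goes in its own named field, the way the kpifire tutorial in this batch says the token "is entered in the **Secret Token** field", so the reader does not paste a credential into the URL box.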
 
 
+4 / -4 lines changed
Commit: edit pass: entra-internet-access-lab-tutorials
Changes:
Before
After
- **100 = highest priority**: Evaluated first.
- **65,000 = lowest priority**: Evaluated last.
- **Traditional firewall logic**: Lower numbers = higher precedence.
- **Best practice:** Add spacing of ~100 between priorities for future flexibility.
 
- **Multi-profile processing**: When multiple Conditional Access policies match a user's traffic, *all matching security profiles are processed* in priority order of the security profiles themselves.
 
↓
All policies in Custom Security Profile are evaluated
↓
Baseline Profile (priority 65000) ALSO executes ← Always runs as catch-all
```
 
You can create organization-wide protections in the baseline profile while still allowing higher-priority custom profiles to create exceptions for specific groups. Higher-priority security profiles still take precedence over the baseline security profile if there are conflicting rules between the two profiles.
In this exercise, you accomplished the following tasks:
 
- **Created a web content filtering policy:** You defined rules by using both FQDN-based blocking (specific domains) and category-based blocking (gambling as a web category).
- **Understood the baseline profile:** You learned that the baseline profile applies to all internet traffic tunneled through Global Secure Access (GSA), which makes it ideal for organization-wide protections.
- **Linked policies to security profiles:** You learned that policies must be linked to a security profile. Security profiles must be linked to Conditional Access policies to be assigned to users and take effect. The baseline security profile (used in this tutorial) doesn't require Conditional Access and applies to all internet traffic.
- **Observed the "connection reset" error:** You learned that without TLS inspection, GSA can only drop the connection, which results in a generic browser error rather than a helpful message.
- **100 = highest priority**: Evaluated first.
- **65,000 = lowest priority**: Evaluated last.
- **Traditional firewall logic**: Lower numbers = higher precedence.
- **Best practice:** Add spacing of about 100 between priorities for future flexibility.
 
- **Multi-profile processing**: When multiple Conditional Access policies match a user's traffic, *all matching security profiles are processed* in priority order of the security profiles themselves.
 
↓
All policies in Custom Security Profile are evaluated
↓
Baseline Profile (priority 65,000) ALSO executes ← Always runs as catch-all
```
 
You can create organization-wide protections in the baseline profile while still allowing higher-priority custom profiles to create exceptions for specific groups. Higher-priority security profiles still take precedence over the baseline security profile if there are conflicting rules between the two profiles.
In this exercise, you accomplished the following tasks:
 
- **Created a web content filtering policy:** You defined rules by using both FQDN-based blocking (specific domains) and category-based blocking (gambling as a web category).
- **Understood the baseline profile:** You learned that the baseline profile applies to all internet traffic tunneled through GSA, which makes it ideal for organization-wide protections.
- **Linked policies to security profiles:** You learned that policies must be linked to a security profile. Security profiles must be linked to Conditional Access policies to be assigned to users and take effect. The baseline security profile (used in this tutorial) doesn't require Conditional Access and applies to all internet traffic.
- **Observed the "connection reset" error:** You learned that without TLS inspection, GSA can only drop the connection, which results in a generic browser error rather than a helpful message.
+7 / -1 lines changed
Commit: idp-update-042126
Changes:
Before
After
title: Remediate risks and unblock users
description: Learn how to configure user self-remediation and manually remediate risky users in Microsoft Entra ID Protection.
ms.topic: how-to
ms.date: 01/05/2026
ms.reviewer: ebasseri
 
# Customer intent: As an IT admin, I want to learn how to remediate risks and unblock users in Microsoft Entra ID Protection.
- **Risk state**: "At risk" -> "Dismissed"
- **Risk detail**: "-" -> "Microsoft Entra ID Protection assessed sign-in safe"
 
## Administrator manual remediation
 
Some situations require an IT administrator to manually remediate sign-in or user risk. If you don't have risk-based policies configured, if the risk level doesn't meet the criteria for self-remediation, or if time is of the essence, you might need to take one of the following actions:
 
 
 
 
 
 
title: Remediate risks and unblock users
description: Learn how to configure user self-remediation and manually remediate risky users in Microsoft Entra ID Protection.
ms.topic: how-to
ms.date: 04/21/2026
ms.reviewer: ebasseri
 
# Customer intent: As an IT admin, I want to learn how to remediate risks and unblock users in Microsoft Entra ID Protection.
- **Risk state**: "At risk" -> "Dismissed"
- **Risk detail**: "-" -> "Microsoft Entra ID Protection assessed sign-in safe"
 
### Threat-informed remediation by Microsoft
 
In limited cases, Microsoft Threat Intelligence identifies accounts, sessions, or resources being actively used in attack campaigns targeting Microsoft Entra tenants. When Microsoft has high-confidence evidence of compromise that poses an active risk to your organization, Microsoft might take remediation action on your behalf to help contain the threat.
 
These actions are recorded in the Microsoft Entra audit logs with *Microsoft* listed as the initiator. Administrators retain full control of their tenant and can reverse any action taken through this process after completing their own investigation.
 
## Administrator manual remediation
 
Some situations require an IT administrator to manually remediate sign-in or user risk. If you don't have risk-based policies configured, if the risk level doesn't meet the criteria for self-remediation, or if time is of the essence, you might need to take one of the following actions:
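Review bot: The new "Threat-informed remediation by Microsoft" section says Microsoft "might take remediation action on your behalf" without naming which actions are in scope, so an administrator cannot tell what to look for or what reversing one involves. List the possible actions, give the audit log activity or category to filter on alongside the "*Microsoft* listed as the initiator" detail, and state whether the tenant is notified when such an action is taken.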
+2 / -2 lines changed
Commit: Update link text for risk remediation policy
Changes:
Before
After
 
### Require risk remediation
 
When user risk is detected, users can self-remediate by completing the appropriate remediation flow, regardless of their authentication method. The Microsoft-managed remediation policy in Conditional Access accommodates all authentication methods, including password-based and passwordless. For more information, see [Require risk remediation with Microsoft-managed remediation (preview)](../../id-protection/concept-identity-protection-policies.md#require-risk-remediation-control-preview).
 
When you select **Require risk remediation** as a grant control, the following settings are automatically applied to the policy:
- **Require authentication strength**
 
- [Conditional Access common policies](concept-conditional-access-policy-common.md)
 
- [Report-only mode](concept-conditional-access-report-only.md)
 
### Require risk remediation
 
When user risk is detected, users can self-remediate by completing the appropriate remediation flow, regardless of their authentication method. The Microsoft-managed remediation policy in Conditional Access accommodates all authentication methods, including password-based and passwordless. For more information, see [Require risk remediation control](../../id-protection/concept-identity-protection-policies.md#require-risk-remediation-control).
 
When you select **Require risk remediation** as a grant control, the following settings are automatically applied to the policy:
- **Require authentication strength**
 
- [Conditional Access common policies](concept-conditional-access-policy-common.md)
 
- [Report-only mode](concept-conditional-access-report-only.md)
Modified by Shreya Goyal (HCL Technologies Corporate Services) on Apr 21, 2026 2:08 PM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: Updated files
Changes:
Before
After
 
1. Select **+ New configuration**.
 
![Screenshot of Provisioning tab automatic](common/application-provisioning.png)
 
1. In the **Tenant URL** field, enter your Kno2fy Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to Kno2fy. If the connection fails, ensure your Kno2fy account has the required admin permissions and try again.
 
 
1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
![Screenshot of Provisioning properties.](common/provisioning-properties.png)
 
1. Select **Attribute Mapping** in the left panel and select **users**.
 
 
1. Select **+ New configuration**.
 
![Screenshot of Provisioning tab automatic.](common/application-provisioning.png)
 
1. In the **Tenant URL** field, enter your Kno2fy Tenant URL and Secret Token. Select **Test Connection** to ensure Microsoft Entra ID can connect to Kno2fy. If the connection fails, ensure your Kno2fy account has the required admin permissions and try again.
 
 
1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
![Screenshot of the Provisioning properties page.](common/provisioning-properties.png)
 
1. Select **Attribute Mapping** in the left panel and select **users**.
 
Modified by ebasseri on Apr 21, 2026 8:42 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Update whats-new.md
Changes:
Before
After
**Service category:** Identity Protection
**Product capability:** Identity Security & Protection
 
**Self-remediation for passwordless users:** Risk-based access policies in Microsoft Entra Conditional Access now support self-remediation of risks across all authentication methods, including passwordless ones. This new control revokes compromised sessions in real-time, enables frictionless self-service, and reduces help-desk load. For more information, see: [Require risk remediation with Microsoft-managed remediation (preview)](../id-protection/concept-identity-protection-policies.md#require-risk-remediation-control-preview).
 
---
 
**Service category:** Identity Protection
**Product capability:** Identity Security & Protection
 
**Self-remediation for passwordless users:** Risk-based access policies in Microsoft Entra Conditional Access now support self-remediation of risks across all authentication methods, including passwordless ones. This new control revokes compromised sessions in real-time, enables frictionless self-service, and reduces help-desk load. For more information, see: [Require risk remediation control](../id-protection/concept-identity-protection-policies.md#require-risk-remediation-control).
 
---
 
+1 / -1 lines changed
Commit: edit pass: entra-internet-access-lab-tutorials
Changes:
Before
After
 
# Tutorial: Configure content policies
 
Network content filtering in Microsoft Entra Internet Access allows administrators to use content policies to prevent the transport of specific file types over the network. This feature helps protect sensitive data by blocking uploads and downloads of certain file formats (such as .doc, .docx, .pdf, and .zip) to and from web applications like ChatGPT, Gmail, and file-sharing apps. It can also use Purview to scan files and apply network-level policies based on document sensitivity labels.
 
In this tutorial, you learn how to:
> [!div class="checklist"]
 
# Tutorial: Configure content policies
 
Network content filtering in Microsoft Entra Internet Access allows administrators to use content policies to prevent the transport of specific file types over the network. This feature helps protect sensitive data by blocking uploads and downloads of certain file formats (such as .doc, .docx, .pdf, and .zip) to and from web applications like ChatGPT, Gmail, and file-sharing apps. It can also use Microsoft Purview to scan files and apply network-level policies based on document sensitivity labels.
 
In this tutorial, you learn how to:
> [!div class="checklist"]
+1 / -1 lines changed
Commit: edit pass: entra-internet-access-lab-tutorials
Changes:
Before
After
 
1. Download the GSA client for Windows 11 from one of the following links. You can also use the [sample PowerShell script](scripts/powershell-windows-client-install-proof-of-concept.md).
- For standard Windows 11 machines, use `https://aka.ms/GlobalSecureAccess-Windows`.
- For ARM-based Windows 11 machines, use `https://aka.ms/GlobalSecureAccess-WindowsOnArm`.
1. Select the downloaded file and complete the wizard to install the GSA client.
1. After installation is complete, verify that the GSA client icon appears in the Windows system tray.
 
 
1. Download the GSA client for Windows 11 from one of the following links. You can also use the [sample PowerShell script](scripts/powershell-windows-client-install-proof-of-concept.md).
- For standard Windows 11 machines, use `https://aka.ms/GlobalSecureAccess-Windows`.
- For Arm-based Windows 11 machines, use `https://aka.ms/GlobalSecureAccess-WindowsOnArm`.
1. Select the downloaded file and complete the wizard to install the GSA client.
1. After installation is complete, verify that the GSA client icon appears in the Windows system tray.
 
+1 / -1 lines changed
Commit: Update docs/identity/hybrid/connect/how-to-connect-password-hash-synchronization.md
Changes:
Before
After
You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.
 
> [!NOTE]
> Even if a user’s password has expired, the user is not prompted to change their password as long as they have an active sign-in session with Entra ID using cookies or tokens. A password change prompt is shown only when the user explicitly completes authentication using a password. If the user has an existing single sign-on (SSO) cookie, refresh token, or primary refresh token (PRT), they will not be prompted to change their password. Additionally, when a user signs in using a passwordless authentication method, password expiration is not evaluated, and the user is not prompted to change their password. For more information, see [token revocation](~/identity-platform/refresh-tokens.md).
 
##### CloudPasswordPolicyForPasswordSyncedUsersEnabled
 
You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.
 
> [!NOTE]
> Even if a user’s password has expired, the user isn't prompted to change their password as long as they have an active sign-in session with Microsoft Entra ID using cookies or tokens. A password change prompt is shown only when the user explicitly completes authentication using a password. If the user has an existing single sign-on (SSO) cookie, refresh token, or primary refresh token (PRT), they won't be prompted to change their password. Additionally, when a user signs in using a passwordless authentication method, password expiration isn't evaluated, and the user isn't prompted to change their password. For more information, see [Token revocation](~/identity-platform/refresh-tokens.md).
 
##### CloudPasswordPolicyForPasswordSyncedUsersEnabled