📋 Microsoft Entra Documentation Changes

Daily summary for changes since April 21st 2026, 9:56 PM PDT

Report generated on April 22nd 2026, 9:56 PM PDT

📊 Summary

- Total Commits: 30
- New Files: 0
- Modified Files: 12
- Deleted Files: 0
- Contributors: 14

📝 Modified Documentation Files

+34 / -34 lines changed
Commit: Update entitlement-management-access-package-create-app.md
Changes:
Before
After
1. If your scenario requires the ability to override a separation of duties check, then you can also [set up additional access packages for those override scenarios](entitlement-management-access-package-incompatible.md#configuring-multiple-access-packages-for-override-scenarios).
 
## Add assignments of existing users who already have access to the application
 
Add assignments of existing users, who already have access to the application, to the access package and its direct assignment policy. You can [directly assign each user](entitlement-management-access-package-assignments.md#assign-a-user-to-an-access-package-with-powershell) to an access package.
 
1. Retrieve the existing application role assignments.
 
}
```
 
## Add assignments for users existing users who already have accounts in your application
When you use the Microsoft Entra provisioning service to [discover](~/identity/app-provisioning/how-to-account-discovery.md) users in your application, you can easily assign those users to an access package. [Download](https://aka.ms/AssignCorrelatedUsersPowerShell) the Assign-CorrelatedUsersWithRules.ps1 file. See the example approaches for adding assignments.
 
1. Assign all discovered users to a specific access package (dry run):
 
```powershell
.\Assign-CorrelatedUsersWithRules.ps1 -ServicePrincipalId "7A22..." ` -RulesFile ".\access-package-rules.csv" -DryRun
```
 
1. If your scenario requires the ability to override a separation of duties check, then you can also [set up additional access packages for those override scenarios](entitlement-management-access-package-incompatible.md#configuring-multiple-access-packages-for-override-scenarios).
 
## Add assignments of existing users who already have access to the application
**Option 1**
When you use the Microsoft Entra provisioning service to [discover](~/identity/app-provisioning/how-to-account-discovery.md) users in your application, you can easily assign those users to an access package. [Download](https://aka.ms/AssignCorrelatedUsersPowerShell) the Assign-CorrelatedUsersWithRules.ps1 file. See the example approaches for adding assignments.
 
1. Assign all discovered users to a specific access package (dry run):
 
```powershell
.\Assign-CorrelatedUsersWithRules.ps1 -ServicePrincipalId "7A22..." ` -RulesFile ".\access-package-rules.csv" -DryRun
```
 
1. Assign all discovered users to a specific access package:
 
```powershell
.\Assign-CorrelatedUsersWithRules.ps1 -ServicePrincipalId "7A22..." `-AccessPackageId "6e809820-1f6a-4ff8-adc9-991f9f3151bd" `-PolicyId "8de7482f-ff17-4310-a8f5-3f35bcf02cca"
```
 
1. Assign users to packages based on rules that you define (example rules file):
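
Review bot: The dry-run step in the After text is titled "Assign all discovered users to a specific access package (dry run)", but its command passes `-RulesFile ".\access-package-rules.csv" -DryRun`, while the real run under the same title passes `-AccessPackageId` and `-PolicyId`. The dry run should preview the same parameters as the step it precedes, or be retitled as a rules-based dry run. In both commands the backtick sits mid-line; a backtick only continues a PowerShell line when it is the last character on that line, so either break the lines there or drop the backticks. The **Option 1** label under the heading also has no second option in the visible lines.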
 
Modified by Shreya Goyal (HCL Technologies Corporate Services) on Apr 22, 2026 12:30 PM
+33 / -33 lines changed
Commit: Updated openforms provisioning
Changes:
Before
After
---
title: Configure OpenForms for automatic user provisioning with Microsoft Entra ID
description: Learn how to automatically provision and de-provision user accounts from Microsoft Entra ID to OpenForms.
author: jeevansd
manager: pmwongera
ms.topic: how-to
ms.date: 03/25/2025
ms.author: jeedes
 
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to OpenForms so that I can streamline the user management process and ensure that users have the appropriate access to OpenForms.
---
 
# Configure OpenForms for automatic user provisioning with Microsoft Entra ID
 
This article describes the steps you need to perform in both OpenForms and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and de-provisions users and groups to [OpenForms](https://granicus.com/solution/govservice/openforms) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](~/identity/app-provisioning/user-provisioning.md).
 
 
## Supported capabilities
> [!div class="checklist"]
> * Create users in OpenForms.
---
title: Configure Granicus Forms & Workflow for automatic user provisioning with Microsoft Entra ID
description: Learn how to automatically provision and de-provision user accounts from Microsoft Entra ID to Forms & Workflow.
author: jeevansd
manager: pmwongera
ms.topic: how-to
ms.date: 04/21/2026
ms.author: jeedes
 
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Forms & Workflow so that I can streamline the user management process and ensure that users have the appropriate access to Forms & Workflow.
---
 
# Configure Granicus Forms & Workflow for automatic user provisioning with Microsoft Entra ID
 
This article describes the steps you need to perform in both Forms & Workflow and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and de-provisions users and groups to [Forms & Workflow](https://granicus.com/product/forms-workflow-openforms) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](~/identity/app-provisioning/user-provisioning.md).
 
 
## Supported capabilities
> [!div class="checklist"]
> * Create users in Forms & Workflow.
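
Review bot: The After text removes every mention of OpenForms from the title, description, heading and intro, while the product link still ends in `forms-workflow-openforms`. Administrators who know the product by its old name have nothing left to match on. Suggest adding "(formerly OpenForms)" at the first mention in the intro paragraph.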
+36 / -28 lines changed
Commit: Preview: Rename system-preferred MFA to system-preferred authentication
Changes:
Before
After
---
title: System-preferred multifactor authentication (MFA)
description: Learn how system-preferred multifactor authentication evaluates methods to prompt users with the most secure sign-in option.
ms.topic: how-to
ms.date: 04/15/2026
ms.reviewer: msft-poulomi
ms.custom: msecd-doc-authoring-106
author: Justinha
# Customer intent: As an identity administrator, I want to encourage users to sign in with the most secure authentication method so that I can improve my organization's sign-in security.
---
 
# System-preferred multifactor authentication
 
System-preferred multifactor authentication (MFA) prompts users to sign in by using the most secure method they registered.
It's an important security enhancement for users who authenticate by using phone-based methods.
Administrators can enable system-preferred MFA to improve sign-in security and discourage less secure sign-in methods like Short Message Service (SMS).
 
For example, if a user registered both SMS and Microsoft Authenticator push notifications as methods for MFA, system-preferred MFA prompts the user to sign in by using the more secure push notification method. The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered.
 
System-preferred MFA is a Microsoft managed setting, which is a [tristate policy](#authentication-method-feature-configuration-properties). The **Microsoft managed** value of system-preferred MFA is **Enabled**. If you don't want to enable system-preferred MFA, change the state from **Microsoft managed** to **Disabled**, or exclude users and groups from the policy.
---
title: System-preferred authentication
description: Learn how system-preferred authentication evaluates methods to prompt users with the most secure sign-in option.
ms.topic: how-to
ms.date: 04/21/2026
ms.reviewer: msft-poulomi
ms.custom: msecd-doc-authoring-106
author: Justinha
# Customer intent: As an identity administrator, I want to encourage users to sign in with the most secure authentication method so that I can improve my organization's sign-in security.
---
 
# System-preferred authentication
 
System-preferred authentication prompts users to sign in by using the most secure method they registered.
It's an important security enhancement for users who authenticate by using phone-based methods.
Administrators can enable system-preferred authentication to improve sign-in security and discourage less secure sign-in methods like Short Message Service (SMS).
 
For example, if a user registered both SMS and Microsoft Authenticator push notifications as methods for MFA, system-preferred authentication prompts the user to sign in by using the more secure push notification method. The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered.
 
System-preferred authentication is a Microsoft managed setting, which is a [tristate policy](#authentication-method-feature-configuration-properties):
Modified by Hamsika45 on Apr 22, 2026 9:26 AM
+16 / -16 lines changed
Commit: Update stackit-cloud-tutorial.md
Changes:
Before
After
---
title: Configure STACKIT Cloud for Single sign-on with Microsoft Entra ID
description: Learn how to configure single sign-on between Microsoft Entra ID and STACKIT Cloud.
ms.reviewer: jomondi
ms.topic: how-to
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and STACKIT Cloud so that I can control who has access to STACKIT Cloud, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
 
# Configure STACKIT Cloud for Single sign-on with Microsoft Entra ID
 
In this article, you learn how to integrate STACKIT Cloud with Microsoft Entra ID. When you integrate STACKIT Cloud with Microsoft Entra ID, you can:
 
* Control in Microsoft Entra ID who has access to STACKIT Cloud.
* Enable your users to be automatically signed-in to STACKIT Cloud with their Microsoft Entra accounts.
 
## Scenario description
 
In this article, you configure and test Microsoft Entra SSO in a test environment.
 
STACKIT Cloud supports **SP** initiated SSO.
---
title: Configure STACKIT Cloud for single sign-on with Microsoft Entra ID
description: Learn how to configure single sign-on between Microsoft Entra ID and STACKIT Cloud.
ms.reviewer: jomondi
ms.topic: how-to
# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and STACKIT Cloud so that I can control who has access to STACKIT Cloud, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
---
 
# Configure STACKIT Cloud for single sign-on with Microsoft Entra ID
 
In this article, you learn how to integrate STACKIT Cloud with Microsoft Entra ID. When you integrate STACKIT Cloud with Microsoft Entra ID, you can:
 
* Control in Microsoft Entra ID who has access to STACKIT Cloud.
* Enable your users to be automatically signed-in to STACKIT Cloud with their Microsoft Entra accounts.
 
## Scenario description
 
In this article, you configure and test Microsoft Entra SSO in a test environment.
 
STACKIT Cloud supports **SP** initiated SSO.
+7 / -7 lines changed
Commit: Address PR feedback: tighten supported apps, sign-in log guidance, P1 troubleshooting
Changes:
Before
After
description: Learn how authentication transfer connects users to apps across desktop and mobile devices, including supported apps, end-user experience, limitations, and troubleshooting.
ai-usage: ai-assisted
ms.topic: concept-article
ms.date: 04/08/2026
ms.reviewer: anjusingh, ludwignick
---
# Conditional Access: Authentication transfer (preview)
 
When a user performs authentication transfer, the session is considered [protocol tracked](concept-authentication-flows.md#protocol-tracking). Protocol tracking means that the session state persists through subsequent token refreshes. Subsequent sign-in attempts within the same session might be subject to authentication flows policy enforcement, even if they don't use authentication transfer.
 
## Supported apps and platforms
 
Authentication transfer is available for Microsoft apps that support the cross-device QR code flow. The transfer flow works from desktop apps on Windows or macOS to mobile apps on iOS or Android.
 
> [!IMPORTANT]
> Authentication transfer is only supported for Microsoft apps. Non-Microsoft apps don't support this flow.
 
## End-user experience
 
 
description: Learn how authentication transfer connects users to apps across desktop and mobile devices, including supported apps, end-user experience, limitations, and troubleshooting.
ai-usage: ai-assisted
ms.topic: concept-article
ms.date: 04/22/2026
ms.reviewer: anjusingh, ludwignick
---
# Conditional Access: Authentication transfer (preview)
 
When a user performs authentication transfer, the session is considered [protocol tracked](concept-authentication-flows.md#protocol-tracking). Protocol tracking means that the session state persists through subsequent token refreshes. Subsequent sign-in attempts within the same session might be subject to authentication flows policy enforcement, even if they don't use authentication transfer.
 
## Supported apps
 
Authentication transfer is available for Microsoft apps that support the cross-device QR code flow. For example, users might see a QR code in the desktop version of Outlook that, when scanned on their mobile device, transfers their authenticated state to the mobile version of Outlook. Support varies by app and version. Check the relevant Microsoft app documentation to confirm whether it supports authentication transfer.
 
> [!IMPORTANT]
> Authentication transfer isn't supported for non-Microsoft apps.
 
## End-user experience
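
Review bot: The rewritten "Supported apps" section drops the statement that the flow works from desktop apps on Windows or macOS to mobile apps on iOS or Android, and replaces it with "Check the relevant Microsoft app documentation" without a link. If the platform pairing still holds, keep it as a sentence; if it no longer holds, say so. Either way, link at least one app's documentation so the reader has somewhere to check.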
 
 
Modified by Justinha on Apr 22, 2026 11:06 AM
+3 / -3 lines changed
Commit: Preview: Rename system-preferred MFA to system-preferred authentication
Changes:
Before
After
 
Microsoft Entra Backup and Recovery is a built-in solution to help restore your tenant after accidental changes or malicious updates. Always on by default, it automatically backs up critical directory objects — including users, groups, applications, service principals, managed identities, conditional Access policies, named locations, agent IDs, and authentication and authorization policy, so admins can quickly restore them to a previously known good state.
 
At public preview Entra Backup and Recovery automatically takes daily backup of a tenant’s supported directory objects. If a tenant has Microsoft Entra ID P1 or P2 licenses, one backup is taken each day and retained for five days. Admins can view available snapshots, generate difference reports to understand what has changed, and run recovery jobs to restore objects to a prior state.
 
This gives your organization a reliable, built in safety net helping you recover with confidence, minimize downtime, and protect your tenant from accidental changes, misconfigurations, or security compromises. For more information, see: [Microsoft Entra Backup and Recovery overview (Preview)](../backup/overview.md).
 
 
Starting in April 2026, the Authentication Methods Policy Update and Authentication Methods Policy Reset audit log activities has been updated to improve readability and clarity. Previously, audit logs included the full authentication methods policy payload in both the old and new values, even when only a small number of settings were changed. With this update, audit log entries now surface only the specific properties that were modified, along with their corresponding old and new values.
 
Policy-wide updates—such as Registration Campaigns and System‑preferred MFA—may continue to include the full policy payload. The activity name and triggering events remain unchanged. This update affects formatting only and does not change policy behavior. For more information, see: [Core Directory](../identity/monitoring-health/reference-audit-activities.md#core-directory)
 
---
 
 
**What’s changing**
 
Beginning **June 1, 2026**, Microsoft Entra ID will block any attempt by Entra Connect Sync or Cloud Sync from hard-matching a new user object from Active Directory to an existing cloud-managed Entra ID user object that hold [Microsoft Entra roles](../identity/role-based-access-control/permissions-reference.md).
 
**This means**:
 
Microsoft Entra Backup and Recovery is a built-in solution to help restore your tenant after accidental changes or malicious updates. Always on by default, it automatically backs up critical directory objects — including users, groups, applications, service principals, managed identities, conditional Access policies, named locations, agent IDs, and authentication and authorization policy, so admins can quickly restore them to a previously known good state.
 
At preview, Entra Backup and Recovery automatically takes daily backup of a tenant’s supported directory objects. If a tenant has Microsoft Entra ID P1 or P2 licenses, one backup is taken each day and retained for five days. Admins can view available snapshots, generate difference reports to understand what has changed, and run recovery jobs to restore objects to a prior state.
 
This gives your organization a reliable, built in safety net helping you recover with confidence, minimize downtime, and protect your tenant from accidental changes, misconfigurations, or security compromises. For more information, see: [Microsoft Entra Backup and Recovery overview (Preview)](../backup/overview.md).
 
 
Starting in April 2026, the Authentication Methods Policy Update and Authentication Methods Policy Reset audit log activities has been updated to improve readability and clarity. Previously, audit logs included the full authentication methods policy payload in both the old and new values, even when only a small number of settings were changed. With this update, audit log entries now surface only the specific properties that were modified, along with their corresponding old and new values.
 
Policy-wide updates—such as Registration Campaigns and System‑preferred authentication—may continue to include the full policy payload. The activity name and triggering events remain unchanged. This update affects formatting only and does not change policy behavior. For more information, see: [Core Directory](../identity/monitoring-health/reference-audit-activities.md#core-directory).
 
---
 
 
**What’s changing**
 
Beginning **June 1, 2026**, Microsoft Entra ID will block any attempt by Entra Connect Sync or Cloud Sync from hard-matching a new user object from Active Directory to an existing cloud-managed Entra ID user object that holds [Microsoft Entra roles](../identity/role-based-access-control/permissions-reference.md).
 
**This means**:
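
Review bot: In the After text the audit-log paragraph still reads "audit log activities has been updated" where it should be "have been updated", and the Backup and Recovery paragraph keeps "conditional Access policies" and "built in safety net". The commit already edits these paragraphs, so fix them in the same pass ("Conditional Access", "built-in").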
+3 / -3 lines changed
Commit: Preview: Rename system-preferred MFA to system-preferred authentication
Changes:
Before
After
 
Users who are enabled for external MFA can use it when they sign-in and multifactor authentication is required.
 
If the user has other ways to sign in and [system-preferred MFA](/entra/identity/authentication/concept-system-preferred-multifactor-authentication) is enabled, those other methods appear by default order. The user can choose to use a different method, and then select external MFA. For example, if the user has Authenticator enabled as another method, they get prompted for [number matching](/entra/identity/authentication/how-to-mfa-number-match).
 
:::image type="content" border="true" source="./media/how-to-authentication-external-method-manage/system-preferred.png" alt-text="Screenshot of how to choose an external MFA when system-preferred MFA is enabled.":::
 
If the user has no other methods enabled, they can just choose external MFA. They're redirected to the external authentication provider to complete authentication.
 
1. Select the user who needs to be registered for external MFA.
1. In the User menu, select **Authentication Methods**, and select **+ Add Authentication Method**.
1. Select **External authentication method**.
1. Select one or more external MFA method, and select **Save**.
1. A success message appears, and the methods that you previously selected are listed in **Usable authentication methods**.
 
## Best practices for using external MFA and Conditional Access
 
Users who are enabled for external MFA can use it when they sign-in and multifactor authentication is required.
 
If the user has other ways to sign in and [system-preferred authentication](/entra/identity/authentication/concept-system-preferred-multifactor-authentication) is enabled, those other methods appear by default order. The user can choose to use a different method, and then select external MFA. For example, if the user has Authenticator enabled as another method, they get prompted for [number matching](/entra/identity/authentication/how-to-mfa-number-match).
 
:::image type="content" border="true" source="./media/how-to-authentication-external-method-manage/system-preferred.png" alt-text="Screenshot of how to choose an external MFA when system-preferred authentication is enabled.":::
 
If the user has no other methods enabled, they can just choose external MFA. They're redirected to the external authentication provider to complete authentication.
 
1. Select the user who needs to be registered for external MFA.
1. In the User menu, select **Authentication Methods**, and select **+ Add Authentication Method**.
1. Select **External authentication method**.
1. Select one or more external MFA methods, and select **Save**.
1. A success message appears, and the methods that you previously selected are listed in **Usable authentication methods**.
 
## Best practices for using external MFA and Conditional Access
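
Review bot: The link text now says "system-preferred authentication" but still targets `concept-system-preferred-multifactor-authentication`; confirm the article keeps that path after the rename, or add a redirect when the file is renamed. In the same paragraph, "those other methods appear by default order" and "when they sign-in" read poorly; suggest "appear in the default order" and "when they sign in".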
+2 / -2 lines changed
Commit: Update identity-governance-applications-existing-users.md
Changes:
Before
After
 
## Collect existing users from the application and confirm which ones match with Microsoft Entra ID users
 
Now that you have provided the connectivity details and matching attribute as part of your provisioning configureation, Microsoft Entra can discover the existing users in your application. Click on the [discover identities](~/identity/app-provisioning/how-to-account-discovery.md) button in the provisioning overview page. Once the report is generatd, you will have a view of all the users in your application, which users in the application match with a Microsoft Entra ID user, which users are already assigned to the enterprise application in Microsoft Entra ID, and which users in the application are not matched with a Microsoft Entra ID user).
 
 
## Create app role assignments in Microsoft Entra ID
When an application role assignment is created in Microsoft Entra ID for a user to an application, and the application supports provisioning, then:
 
- Microsoft Entra ID will query the application via SCIM, or its directory or database, to determine if the user already exists.
- When subsequent updates are made to the user's attributes in Microsoft Entra ID, Microsoft Entra ID will sent those updates to the application.
- The user will remain in the application indefinitely unless they're updated outside Microsoft Entra ID, or until the assignment in Microsoft Entra ID is removed.
- On the next access review of that application's role assignments, the user will be included in the access review.
- If the user is denied in an access review, their application role assignment will be removed. Microsoft Entra ID will notify the application that the user is blocked from sign-in.
 
## Collect existing users from the application and confirm which ones match with Microsoft Entra ID users
 
Now that you have provided the connectivity details and matching attribute as part of your provisioning configuration, Microsoft Entra can discover the existing users in your application. Click on the [discover identities](~/identity/app-provisioning/how-to-account-discovery.md) button in the provisioning overview page. Once the report is generated, you will have a view of all the users in your application, which users in the application match with a Microsoft Entra ID user, which users are already assigned to the enterprise application in Microsoft Entra ID, and which users in the application are not matched with a Microsoft Entra ID user).
 
 
## Create app role assignments in Microsoft Entra ID
When an application role assignment is created in Microsoft Entra ID for a user to an application, and the application supports provisioning, then:
 
- Microsoft Entra ID will query the application via SCIM, or its directory or database, to determine if the user already exists.
- When subsequent updates are made to the user's attributes in Microsoft Entra ID, Microsoft Entra ID will send those updates to the application.
- The user will remain in the application indefinitely unless they're updated outside Microsoft Entra ID, or until the assignment in Microsoft Entra ID is removed.
- On the next access review of that application's role assignments, the user will be included in the access review.
- If the user is denied in an access review, their application role assignment will be removed. Microsoft Entra ID will notify the application that the user is blocked from sign-in.
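
Review bot: The sentence ending "not matched with a Microsoft Entra ID user)." in the After text still carries a closing parenthesis with no opening one. The commit corrects the two spelling errors in that sentence, so drop the stray parenthesis in the same change.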
+1 / -1 lines changed
Commit: Preview: Rename system-preferred MFA to system-preferred authentication
Changes:
Before
After
| [Registration campaign](how-to-mfa-registration-campaign.md) | Enabled for text message and voice call users |
| [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled |
| [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled |
| [System-preferred MFA](concept-system-preferred-multifactor-authentication.md) | Enabled |
| [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Enabled |
| [Report suspicious activity](howto-mfa-mfasettings.md#report-suspicious-activity) | Disabled |
 
| [Registration campaign](how-to-mfa-registration-campaign.md) | Enabled for text message and voice call users |
| [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled |
| [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled |
| [System-preferred authentication](concept-system-preferred-multifactor-authentication.md) | Enabled |
| [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Enabled |
| [Report suspicious activity](howto-mfa-mfasettings.md#report-suspicious-activity) | Disabled |
 
+1 / -1 lines changed
Commit: Preview: Rename system-preferred MFA to system-preferred authentication
Changes:
Before
After
- Your organization needs to enable Authenticator (second factor) push notifications for all users or select groups. We recommend that you enable Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API. Authenticator Lite isn't eligible for on-premises user accounts or organizations with an active MFA server.
 
> [!TIP]
> We recommend that you also enable [system-preferred MFA](concept-system-preferred-multifactor-authentication.md) when you enable Authenticator Lite. With system-preferred MFA enabled, users try to sign in with Authenticator Lite before they try less secure telephony methods like SMS or voice call.
 
- If your organization is using the Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, upgrade to the latest versions for a consistent experience.
- Users enabled for shared device mode on Outlook mobile aren't eligible for Authenticator Lite.
- Your organization needs to enable Authenticator (second factor) push notifications for all users or select groups. We recommend that you enable Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API. Authenticator Lite isn't eligible for on-premises user accounts or organizations with an active MFA server.
 
> [!TIP]
> We recommend that you also enable [system-preferred authentication](concept-system-preferred-multifactor-authentication.md) when you enable Authenticator Lite. With system-preferred authentication enabled, users try to sign in with Authenticator Lite before they try less secure telephony methods like SMS or voice call.
 
- If your organization is using the Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, upgrade to the latest versions for a consistent experience.
- Users enabled for shared device mode on Outlook mobile aren't eligible for Authenticator Lite.
+0 / -1 lines changed
Commit: Remove phone-based MFA limitation notices from migration articles
Changes:
Before
After
> [!NOTE]
> The following Azure AD B2C features aren't available in Microsoft Entra External ID and should be addressed before migration:
> - **Social identity providers configured through B2C custom policies.** Social federation must be reconfigured using External ID's built-in social identity provider support. Third-party identity providers configured through B2C custom policies aren't supported.
> - **Phone-based MFA (SMS and voice call).** Plan to transition affected users to a supported MFA method such as email one-time passcode.
 
See [Test user flows](how-to-test-user-flows.md), [Samples](samples-ciam-all.md), and [Custom extension attribute collection](~/identity-platform/custom-extension-attribute-collection.md) for guidance.
 
> [!NOTE]
> The following Azure AD B2C features aren't available in Microsoft Entra External ID and should be addressed before migration:
> - **Social identity providers configured through B2C custom policies.** Social federation must be reconfigured using External ID's built-in social identity provider support. Third-party identity providers configured through B2C custom policies aren't supported.
 
See [Test user flows](how-to-test-user-flows.md), [Samples](samples-ciam-all.md), and [Custom extension attribute collection](~/identity-platform/custom-extension-attribute-collection.md) for guidance.
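
Review bot: With the phone-based MFA bullet removed, the note still opens with "The following Azure AD B2C features aren't available" and then lists a single item; reword it as one sentence about social identity providers. The commit message says only that the notice is removed, so state in the article or the PR description whether SMS and voice call MFA are now available in External ID, since the removed bullet told readers to move users to another method before migrating.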
 
 
+0 / -1 lines changed
Commit: Remove phone-based MFA limitation notices from migration articles
Changes:
Before
After
- Authentication context or step-up authentication.
- Session-based controls.
- Application assignment via groups.
- Phone-based MFA (SMS and voice call). Plan to transition affected users to a supported MFA method such as email one-time passcode before migrating applications.
- Passkeys aren't currently available in Microsoft Entra External ID or HSC mode.
 
**Federation and ecosystem integrations**
- Authentication context or step-up authentication.
- Session-based controls.
- Application assignment via groups.
- Passkeys aren't currently available in Microsoft Entra External ID or HSC mode.
 
**Federation and ecosystem integrations**