📋 Microsoft Entra Documentation Changes

Daily summary for changes since April 27th 2026, 10:33 PM PDT

Report generated on April 28th 2026, 10:33 PM PDT

📊 Summary

- Total Commits: 22
- New Files: 0
- Modified Files: 12
- Deleted Files: 0
- Contributors: 9

📝 Modified Documentation Files

Modified by Justin Ploegert on Apr 28, 2026 4:14 PM
+19 / -8 lines changed
Commit: updates for ubuntu 26.04 release support
Changes:
Before
After
 
Microsoft single sign-on for Linux is supported on the following operating systems (physical or Hyper-V machines with x86/64 CPUs):
 
- Ubuntu Desktop 24.04 LTS (Long Term Support)
- Ubuntu Desktop 22.04 LTS (Long Term Support)
- Red Hat Enterprise Linux 8 (Long Term Support)
- Red Hat Enterprise Linux 9 (Long Term Support)
 
### System Requirements
 
- User accounts synchronized with or created in Microsoft Entra ID
- Appropriate licensing for conditional access policies (if applicable)
 
## SSO experience
 
The following animation shows the sign-in experience for brokered flows on Linux.
 
---
 
> [!NOTE]
 
Microsoft single sign-on for Linux is supported on the following operating systems (physical or Hyper-V machines with x86/64 CPUs):
 
- Ubuntu Desktop 26.04 LTS (Long Term Support)
- Ubuntu Desktop 24.04 LTS (Long Term Support)
- Red Hat Enterprise Linux 9 (Long Term Support)
- Red Hat Enterprise Linux 10 (Long Term Support)
 
### System Requirements
 
- User accounts synchronized with or created in Microsoft Entra ID
- Appropriate licensing for conditional access policies (if applicable)
 
## Single Sign-on (SSO) experience
 
The following animation shows the sign-in experience for brokered flows on Linux.
 
---
 
> [!NOTE]
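
Review bot: The After list of supported operating systems drops Ubuntu Desktop 22.04 LTS and Red Hat Enterprise Linux 8, which the commit message "updates for ubuntu 26.04 release support" does not mention, and the device join table edited in the same commit still lists "Ubuntu 22.04/24.04/26.04 LTS". Either keep 22.04 in this list or state explicitly that 22.04 and RHEL 8 are no longer supported for single sign-on, so admins whose Conditional Access policies depend on the broker know whether those hosts must be upgraded. The heading change to "Single Sign-on (SSO) experience" also alters the section anchor, so check for inbound links to the old "SSO experience" anchor.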
Modified by Justin Ploegert on Apr 28, 2026 3:43 PM
+18 / -3 lines changed
Commit: Learn Editor: Update whats-new-linux.md
Changes:
Before
After
 
## Changes
 
### 3.0.2 - April 27, 2026 - (Production)
 
###
3.0.1 - March 31, 2026 - (GA Major Release)
 
GA release of the Microsoft Identity Broker for Linux, now using a newly rewritten C++ broker instead of the previous Java-based broker.
 
#### Assets
 
- Ubuntu-24.04 - [microsoft-identity-broker_2.5.0-noble_amd64.deb ](https://packages.microsoft.com/ubuntu/24.04/prod/pool/main/m/microsoft-identity-broker/microsoft-identity-broker_2.5.0-noble_amd64.deb)
- Ubuntu-22.04 - [microsoft-identity-broker_2.5.0-jammy_amd64.deb](https://packages.microsoft.com/ubuntu/22.04/prod/pool/main/m/microsoft-identity-broker/microsoft-identity-broker_2.5.0-jammy_amd64.deb)
 
 
### 2.0.3 - Oct 21, 2025 - (Preview Release in fast Insiders channel)
 
 
 
 
## Changes
 
### 3.0.2 - April 27, 2026 - (Production)
 
- Ensure that all browser calls are done in the same thread
- Removed some PII from logs
- Fix the package file time missing issue on RHEL 10
- PKCE support
- Brings microsoft-identity-broker support to Ubuntu 26.04
 
#### Assets
- Ubuntu-26.04 - [microsoft-identity-broker_3.0.2-noble_amd64.deb ](https://packages.microsoft.com/ubuntu/26.04/prod/pool/main/m/microsoft-identity-broker/microsoft-identity-broker_3.0.2-noble_amd64.deb)
- Ubuntu-24.04 - [microsoft-identity-broker_3.0.2-noble_amd64.deb ](https://packages.microsoft.com/ubuntu/24.04/prod/pool/main/m/microsoft-identity-broker/microsoft-identity-broker_3.0.2-noble_amd64.deb)
- Ubuntu-22.04 - [microsoft-identity-broker_3.0.2-jammy_amd64.deb](https://packages.microsoft.com/ubuntu/22.04/prod/pool/main/m/microsoft-identity-broker/microsoft-identity-broker_3.0.2-jammy_amd64.deb)
- Red Hat Enterprise Linux 10 - [microsoft-identity-broker-3.0.2-1.el10.x86_64.rpm](https://packages.microsoft.com/rhel/10/insiders-fast/Packages/m/microsoft-identity-broker-3.0.2-1.el10.x86_64.rpm)
- Red Hat Enterprise Linux 9.0 - [microsoft-identity-broker-3.0.2-1.el9.x86_64.rpm](https://packages.microsoft.com/rhel/9.0/insiders-fast/Packages/m/microsoft-identity-broker-3.0.2-1.el9.x86_64.rpm)
- Red Hat Enterprise Linux 8.0 - [microsoft-identity-broker-3.0.2-1.el8.x86_64.rpm](https://packages.microsoft.com/rhel/8.0/insiders-fast/Packages/m/microsoft-identity-broker-3.0.2-1.el8.x86_64.rpm)
 
### 3.0.1 - March 31, 2026 - (GA Major Release)
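
Review bot: In the 3.0.2 Assets list, the Ubuntu-26.04 entry links to `microsoft-identity-broker_3.0.2-noble_amd64.deb` under `/ubuntu/26.04/`, the same filename as the Ubuntu-24.04 entry; "noble" is the 24.04 codename, so confirm the 26.04 pool path and filename before publishing. The release is labelled "(Production)" while all three RHEL packages link into `insiders-fast`; link the production repository or say that the RHEL builds are still insiders-only. "Removed some PII from logs" would help operators more if it named the fields affected, and the two Ubuntu link labels carry a trailing space inside the brackets.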
Modified by Justin Ploegert on Apr 28, 2026 4:14 PM
+5 / -5 lines changed
Commit: updates for ubuntu 26.04 release support
Changes:
Before
After
| **Definition** | <ul><li>Joined only to Microsoft Entra ID requiring organizational account to sign in to the device</li></ul> |
| **Primary audience** | <ul><li>Suitable for both cloud-only and hybrid organizations. </li><li>Applicable to all users in an organization</li></ul> |
| **Device ownership** | <ul><li>Organization</li></ul> |
| **Operating Systems** | <ul><li>All Windows 11 and Windows 10 devices except Home editions</li><li>[Windows Enterprise multi-session Virtual Machines running in Azure](/azure/virtual-desktop/windows-multisession-faq#can-windows-enterprise-multi-session-be-microsoft-entra-joined)</li><li>[Windows Server 2019 and newer Virtual Machines running in Azure](howto-vm-sign-in-azure-ad-windows.md) (Server core isn't supported)</li><li>Apple devices running macOS 13 or newer</li><li>Linux editions:<ul><li>Ubuntu 22.04/24.04 LTS</li><li>Red Hat Enterprise Linux 8/9 LTS</li></ul></li></ul> |
| **Provisioning** | <ul><li>Self-service: Windows Out of Box Experience (OOBE) or Settings</li><li>Bulk enrollment</li><li>Windows Autopilot</li><li>(Public preview) Apple Automated Device Enrollment (applies to Apple devices only)</li></ul> |
| **Device management** | <ul><li>Mobile Device Management (example: Microsoft Intune)</li><li>[Configuration Manager standalone or co-management with Microsoft Intune](/mem/configmgr/comanage/overview)</li></ul> |
| **Key capabilities** | <ul><li>single sign-on (SSO) to both cloud and on-premises resources</li><li>Conditional Access</li><li>[Self-service Password Reset and Windows Hello PIN reset on lock screen](../authentication/howto-sspr-windows.md)</li></ul> |
 
The following are the supported sign-in options for Microsoft Entra joined devices. The availability of these options depends on the device's operating system and configuration. For example, Windows Hello for Business requires additional setup and may not be available on all devices.
 
| Platform | Password | SmartCard | Microsoft Authenticator phone sign-in | [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-planning-guide) / [Platform Credentials](macos-psso.md) | Web Sign-In | FIDO2 |
| --------------------- | --- | --- | --- | --- | ---| --- |
|Windows 10/11 | βœ… | βœ… | βœ… | βœ… | βœ… | βœ… |
|macOS 13+ | βœ… | βœ… | | | | |
|Ubuntu 22.04/24.04 LTS | βœ… | βœ… | βœ… | | | |
|RHEL 8/9/10 | βœ… | ⚠️ | βœ… | | | |
 
 
You sign in to Microsoft Entra joined devices using a Microsoft Entra account. Access to resources can be controlled based on your account and [Conditional Access policies](../conditional-access/policy-alt-all-users-compliant-hybrid-or-mfa.md) applied to the device.
| **Definition** | <ul><li>Joined only to Microsoft Entra ID requiring organizational account to sign in to the device</li></ul> |
| **Primary audience** | <ul><li>Suitable for both cloud-only and hybrid organizations. </li><li>Applicable to all users in an organization</li></ul> |
| **Device ownership** | <ul><li>Organization</li></ul> |
| **Operating Systems** | <ul><li>All Windows 11 and Windows 10 devices except Home editions</li><li>[Windows Enterprise multi-session Virtual Machines running in Azure](/azure/virtual-desktop/windows-multisession-faq#can-windows-enterprise-multi-session-be-microsoft-entra-joined)</li><li>[Windows Server 2019 and newer Virtual Machines running in Azure](howto-vm-sign-in-azure-ad-windows.md) (Server core isn't supported)</li><li>Apple devices running macOS 13 or newer</li><li>Linux editions:<ul><li>Ubuntu 22.04/24.04/26.04 LTS</li><li>Red Hat Enterprise Linux 9/10 LTS</li></ul></li></ul> |
| **Provisioning** | <ul><li>Self-service: Windows Out of Box Experience (OOBE) or Settings</li><li>Bulk enrollment</li><li>Windows Autopilot</li><li>(Public preview) Apple Automated Device Enrollment (applies to Apple devices only)</li></ul> |
| **Device management** | <ul><li>Mobile Device Management (example: Microsoft Intune)</li><li>[Configuration Manager standalone or co-management with Microsoft Intune](/mem/configmgr/comanage/overview)</li></ul> |
| **Key capabilities** | <ul><li>single sign-on (SSO) to both cloud and on-premises resources</li><li>Conditional Access</li><li>[Self-service Password Reset and Windows Hello PIN reset on lock screen](../authentication/howto-sspr-windows.md)</li></ul> |
 
The following are the supported sign-in options for Microsoft Entra joined devices. The availability of these options depends on the device's operating system and configuration. For example, Windows Hello for Business requires additional setup and may not be available on all devices.
 
| Platform | Password | SmartCard | Microsoft Authenticator<br/> phone sign-in | [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-planning-guide) / <br/>[Platform Credentials](macos-psso.md) | Web Sign-In | FIDO2 |
| --------------------- | --- | --- | --- | --- | ---| --- |
|Windows 10/11 | βœ… | βœ… | βœ… | βœ… | βœ… | βœ… |
|macOS 13+ | βœ… | βœ… | | βœ… | | |
|Ubuntu 22.04/24.04/26.04 LTS | βœ… | βœ… | βœ… | | | |
|RHEL 9/10 | βœ… | ⚠️ Preview | βœ… | | | |
 
 
You sign in to Microsoft Entra joined devices using a Microsoft Entra account. Access to resources can be controlled based on your account and [Conditional Access policies](../conditional-access/policy-alt-all-users-compliant-hybrid-or-mfa.md) applied to the device.
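
Review bot: The sign-in options table changes two cells that the commit message "updates for ubuntu 26.04 release support" does not cover: the macOS 13+ row gains a check mark in the Windows Hello for Business / Platform Credentials column, and the RHEL SmartCard cell goes from a bare warning icon to a warning icon plus "Preview". Move these to their own commit or name them in the message, and add a footnote under the table saying what the warning icon means. The RHEL row also changes from "8/9/10" to "9/10" and the Operating Systems cell from "8/9" to "9/10", which removes RHEL 8 with no note for devices already joined on RHEL 8.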
+7 / -1 lines changed
Commit: Add Roles and licenses section to recommendations overview (AB#446904)
Changes:
Before
After
title: What are Microsoft Entra recommendations?
description: Provides a general overview of Microsoft Entra recommendations so you can keep your tenant secure and healthy.
ms.topic: overview
ms.date: 02/02/2026
ms.reviewer: jadedsouza
ms.custom: sfi-ga-nochange
# Customer intent: As a Microsoft Entra administrator, I want guidance to so that I can keep my Microsoft Entra tenant in a healthy state.
Each recommendation contains a description, a summary of the value of addressing the recommendation, and a step-by-step action plan. If applicable, impacted resources associated with the recommendation are listed, so you can resolve each affected area. If a recommendation doesn't have any associated resources, the impacted resource type is *Tenant level*, so your step-by-step action plan impacts the entire tenant and not just a specific resource. The system processes recommendation data daily, reflecting activity from the preceding 24-hour window. Occasionally, data synchronization may extend up to 72 hours.
 
 
## Recommendations overview table
 
The recommendations listed in the following table are currently available in public preview or general availability the types of resources addressed by the recommendation, and more. The license requirements for recommendations in public preview are subject to change. The table provides links to available documentation for those recommendations that required separate guidance.
 
 
 
 
 
 
title: What are Microsoft Entra recommendations?
description: Provides a general overview of Microsoft Entra recommendations so you can keep your tenant secure and healthy.
ms.topic: overview
ms.date: 04/28/2026
ms.reviewer: jadedsouza
ms.custom: sfi-ga-nochange
# Customer intent: As a Microsoft Entra administrator, I want guidance to so that I can keep my Microsoft Entra tenant in a healthy state.
Each recommendation contains a description, a summary of the value of addressing the recommendation, and a step-by-step action plan. If applicable, impacted resources associated with the recommendation are listed, so you can resolve each affected area. If a recommendation doesn't have any associated resources, the impacted resource type is *Tenant level*, so your step-by-step action plan impacts the entire tenant and not just a specific resource. The system processes recommendation data daily, reflecting activity from the preceding 24-hour window. Occasionally, data synchronization may extend up to 72 hours.
 
 
## Roles and licenses
 
The following roles and Microsoft Graph permissions provide access to Microsoft Entra recommendations. License requirements depend on the specific recommendation; see the [Recommendations overview table](#recommendations-overview-table) for per-recommendation details.
 
[!INCLUDE [Recommendations roles](~/includes/recommendations-roles.md)]
 
## Recommendations overview table
 
The recommendations listed in the following table are currently available in public preview or general availability the types of resources addressed by the recommendation, and more. The license requirements for recommendations in public preview are subject to change. The table provides links to available documentation for those recommendations that required separate guidance.
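
Review bot: The new section is headed "Roles and licenses" here, while the same include is added under "Prerequisites" in the individual recommendation articles, and the include path is written `~/includes/recommendations-roles.md` here versus `../../includes/recommendations-roles.md` there. Pick one heading and one path style. The intro sentence promises "roles and Microsoft Graph permissions", so check that the include actually lists the Graph permissions and names the least-privileged role for read-only access. The unchanged sentence under "Recommendations overview table" ("...public preview or general availability the types of resources...") is missing words and could be repaired while the file is open.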
+5 / -1 lines changed
Commit: Add Roles and licenses include to remaining recommendation articles (AB#446904)
Changes:
Before
After
title: Recommendation to minimize MFA prompts from known devices
description: Learn about the recommendation to minimize multifactor authentication prompts from known devices in Microsoft Entra ID.
ms.topic: how-to
ms.date: 06/12/2025
ms.reviewer: jadedsouza
ms.custom: sfi-image-nochange
# Customer intent: As an IT admin, I want to minimize the number of multifactor authentication prompts my users receive from known devices so that they can access resources more easily and securely.
 
This article covers the recommendation to minimize multifactor authentication prompts from known devices. This recommendation is called `tenantMFA` in the recommendations API in Microsoft Graph.
 
## Description
 
As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed. While enabling MFA is a good practice, you should try to keep the number of MFA prompts your users have to go through at a minimum. One option you have to accomplish this goal is to **allow users to remember multifactor authentication on trusted devices**.
 
 
 
 
title: Recommendation to minimize MFA prompts from known devices
description: Learn about the recommendation to minimize multifactor authentication prompts from known devices in Microsoft Entra ID.
ms.topic: how-to
ms.date: 04/28/2026
ms.reviewer: jadedsouza
ms.custom: sfi-image-nochange
# Customer intent: As an IT admin, I want to minimize the number of multifactor authentication prompts my users receive from known devices so that they can access resources more easily and securely.
 
This article covers the recommendation to minimize multifactor authentication prompts from known devices. This recommendation is called `tenantMFA` in the recommendations API in Microsoft Graph.
 
## Prerequisites
 
[!INCLUDE [Recommendations roles](../../includes/recommendations-roles.md)]
 
## Description
 
As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed. While enabling MFA is a good practice, you should try to keep the number of MFA prompts your users have to go through at a minimum. One option you have to accomplish this goal is to **allow users to remember multifactor authentication on trusted devices**.
+5 / -1 lines changed
Commit: Add Roles and licenses include to remaining recommendation articles (AB#446904)
Changes:
Before
After
description: Learn about the recommendation to migrate application authentication from AD FS to Microsoft Entra ID
 
ms.topic: how-to
ms.date: 06/12/2025
ms.reviewer: jadedsouza
 
# Customer intent: As an IT admin, I want to migrate my applications from Active Directory Federated Services (AD FS) to Microsoft Entra ID so that I can take advantage of the security features of Microsoft Entra ID and maximize the value of my applications.
 
This article covers the recommendation to migrate apps from Active Directory Federated Services (AD FS) to Microsoft Entra ID. This recommendation is called `adfsAppsMigration` in the recommendations API in Microsoft Graph.
 
## Description
 
As an admin responsible for managing applications, you want your applications to use the security features of Microsoft Entra ID and maximize their value. This recommendation shows up if your tenant has apps on ADFS that can 100% be migrated to Microsoft Entra ID. For more information, see [Understand the stages of migrating application authentication from AD FS to Microsoft Entra ID](../../identity/enterprise-apps/migrate-adfs-apps-stages.md).
 
 
 
 
description: Learn about the recommendation to migrate application authentication from AD FS to Microsoft Entra ID
 
ms.topic: how-to
ms.date: 04/28/2026
ms.reviewer: jadedsouza
 
# Customer intent: As an IT admin, I want to migrate my applications from Active Directory Federated Services (AD FS) to Microsoft Entra ID so that I can take advantage of the security features of Microsoft Entra ID and maximize the value of my applications.
 
This article covers the recommendation to migrate apps from Active Directory Federated Services (AD FS) to Microsoft Entra ID. This recommendation is called `adfsAppsMigration` in the recommendations API in Microsoft Graph.
 
## Prerequisites
 
[!INCLUDE [Recommendations roles](../../includes/recommendations-roles.md)]
 
## Description
 
As an admin responsible for managing applications, you want your applications to use the security features of Microsoft Entra ID and maximize their value. This recommendation shows up if your tenant has apps on ADFS that can 100% be migrated to Microsoft Entra ID. For more information, see [Understand the stages of migrating application authentication from AD FS to Microsoft Entra ID](../../identity/enterprise-apps/migrate-adfs-apps-stages.md).
+5 / -1 lines changed
Commit: Add Roles and licenses include to remaining recommendation articles (AB#446904)
Changes:
Before
After
description: Learn the importance of migrating your users to the Microsoft authenticator app in Microsoft Entra ID.
 
ms.topic: how-to
ms.date: 06/12/2025
ms.reviewer: jadedsouza
 
# Customer intent: As an IT admin, I want to make sure that my users are using the most secure multi-factor authentication method available in Microsoft Entra ID.
 
This article covers the recommendation to migrate users to the Microsoft Authenticator app, which is currently a preview recommendation. This recommendation is called `useAuthenticatorApp` in the recommendations API in Microsoft Graph.
 
## Description
 
Multifactor authentication (MFA) is a key component to improve the security posture of your Microsoft Entra tenant. While SMS text and voice calls were once commonly used for multifactor authentication, they're becoming increasingly less secure. You also don't want to overwhelm your users with lots of MFA methods and messages.
 
 
 
 
description: Learn the importance of migrating your users to the Microsoft authenticator app in Microsoft Entra ID.
 
ms.topic: how-to
ms.date: 04/28/2026
ms.reviewer: jadedsouza
 
# Customer intent: As an IT admin, I want to make sure that my users are using the most secure multi-factor authentication method available in Microsoft Entra ID.
 
This article covers the recommendation to migrate users to the Microsoft Authenticator app, which is currently a preview recommendation. This recommendation is called `useAuthenticatorApp` in the recommendations API in Microsoft Graph.
 
## Prerequisites
 
[!INCLUDE [Recommendations roles](../../includes/recommendations-roles.md)]
 
## Description
 
Multifactor authentication (MFA) is a key component to improve the security posture of your Microsoft Entra tenant. While SMS text and voice calls were once commonly used for multifactor authentication, they're becoming increasingly less secure. You also don't want to overwhelm your users with lots of MFA methods and messages.
+5 / -1 lines changed
Commit: Add Roles and licenses include to remaining recommendation articles (AB#446904)
Changes:
Before
After
title: Recommendation to migrate to Microsoft Entra MFA
description: Learn about the Microsoft Entra recommendation to migrate to Microsoft Entra multifactor authentication from MFA server
ms.topic: how-to
ms.date: 04/09/2025
ms.reviewer: jupetter
 
# Customer intent: As an IT admin, I need to migrate from MFA Server to Microsoft Entra MFA to align with Microsoft Entra recommendations.
 
This article covers the recommendation to migrate from MFA server to Microsoft Entra MFA. This recommendation is called `mfaServerDeprecation` in the recommendations API in Microsoft Graph.
 
## Description
 
Azure Multi-Factor Authentication Server (MFA Server) was scheduled for retirement on September 30th, 2024. To help organizations migrate to Microsoft Entra MFA, this Microsoft Entra recommendation identifies tenants with MFA server activity. This recommendation identifies tenants with active users and MFA attempts for MFA Server in the last seven days. MFA Server client integrations, including a list of affected clients are also surfaced as a part of this recommendation.
 
 
 
 
title: Recommendation to migrate to Microsoft Entra MFA
description: Learn about the Microsoft Entra recommendation to migrate to Microsoft Entra multifactor authentication from MFA server
ms.topic: how-to
ms.date: 04/28/2026
ms.reviewer: jupetter
 
# Customer intent: As an IT admin, I need to migrate from MFA Server to Microsoft Entra MFA to align with Microsoft Entra recommendations.
 
This article covers the recommendation to migrate from MFA server to Microsoft Entra MFA. This recommendation is called `mfaServerDeprecation` in the recommendations API in Microsoft Graph.
 
## Prerequisites
 
[!INCLUDE [Recommendations roles](../../includes/recommendations-roles.md)]
 
## Description
 
Azure Multi-Factor Authentication Server (MFA Server) was scheduled for retirement on September 30th, 2024. To help organizations migrate to Microsoft Entra MFA, this Microsoft Entra recommendation identifies tenants with MFA server activity. This recommendation identifies tenants with active users and MFA attempts for MFA Server in the last seven days. MFA Server client integrations, including a list of affected clients are also surfaced as a part of this recommendation.
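
Review bot: ms.date moves to 04/28/2026, but the Description still reads "was scheduled for retirement on September 30th, 2024", which leaves the reader unsure whether MFA Server has in fact been retired. A date bump marks the article as reviewed, so update that sentence to the current state, or leave ms.date alone if only the include was added.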
+5 / -1 lines changed
Commit: Add Roles and licenses include to remaining recommendation articles (AB#446904)
Changes:
Before
After
title: Recommendation to migrate to Microsoft Graph API
description: Learn about the Microsoft Entra recommendation to migrate from Azure Active Directory Graph APIs to Microsoft Graph APIs.
ms.topic: how-to
ms.date: 04/09/2025
ms.reviewer: krbash
ms.custom: sfi-image-nochange
# Customer intent: As an IT admin, I need to make sure that all apps and service principals are no longer using the Azure AD Graph APIs because they are being deprecated.
 
This article covers two recommendations to migrate applications and service principals from Azure AD Graph APIs to Microsoft Graph. These recommendations are called `aadGraphDeprecationApplication` and `aadGraphDeprecationServicePrincipal` in the recommendations API in Microsoft Graph.
 
## Description
 
The deprecation of Azure Active Directory (Azure AD) Graph APIs was announced in 2020 and are now in the retirement cycle. All applications and service principals need to migrate to the new Microsoft Graph APIs.
 
 
 
 
title: Recommendation to migrate to Microsoft Graph API
description: Learn about the Microsoft Entra recommendation to migrate from Azure Active Directory Graph APIs to Microsoft Graph APIs.
ms.topic: how-to
ms.date: 04/28/2026
ms.reviewer: krbash
ms.custom: sfi-image-nochange
# Customer intent: As an IT admin, I need to make sure that all apps and service principals are no longer using the Azure AD Graph APIs because they are being deprecated.
 
This article covers two recommendations to migrate applications and service principals from Azure AD Graph APIs to Microsoft Graph. These recommendations are called `aadGraphDeprecationApplication` and `aadGraphDeprecationServicePrincipal` in the recommendations API in Microsoft Graph.
 
## Prerequisites
 
[!INCLUDE [Recommendations roles](../../includes/recommendations-roles.md)]
 
## Description
 
The deprecation of Azure Active Directory (Azure AD) Graph APIs was announced in 2020 and are now in the retirement cycle. All applications and service principals need to migrate to the new Microsoft Graph APIs.
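
Review bot: In the Description, "The deprecation ... was announced in 2020 and are now in the retirement cycle" has a subject-verb mismatch (the APIs are in the retirement cycle, not the deprecation) and gives no retirement date. With ms.date now set to 04/28/2026, reword it and state where in the retirement cycle the Azure AD Graph APIs currently are.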
+5 / -1 lines changed
Commit: Add Roles and licenses include to remaining recommendation articles (AB#446904)
Changes:
Before
After
title: Turn off per user MFA in Microsoft Entra ID
description: Learn why you should turn off per user MFA in Microsoft Entra ID with Microsoft Entra recommendations
ms.topic: how-to
ms.date: 02/21/2025
ms.reviewer: deawari
 
# Customer intent: As an IT admin, I need to know how many users in my tenant are using per-user MFA so I can make a plan to switch to Conditional Access MFA.
 
This article covers the recommendation to switch per-user multifactor authentication (MFA) accounts to Conditional Access MFA accounts. This recommendation is called `switchFromPerUserMFA` in the recommendations API in Microsoft Graph.
 
## Description
 
As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed. MFA enables you to enhance the security posture of your tenant.
 
 
 
 
title: Turn off per user MFA in Microsoft Entra ID
description: Learn why you should turn off per user MFA in Microsoft Entra ID with Microsoft Entra recommendations
ms.topic: how-to
ms.date: 04/28/2026
ms.reviewer: deawari
 
# Customer intent: As an IT admin, I need to know how many users in my tenant are using per-user MFA so I can make a plan to switch to Conditional Access MFA.
 
This article covers the recommendation to switch per-user multifactor authentication (MFA) accounts to Conditional Access MFA accounts. This recommendation is called `switchFromPerUserMFA` in the recommendations API in Microsoft Graph.
 
## Prerequisites
 
[!INCLUDE [Recommendations roles](../../includes/recommendations-roles.md)]
 
## Description
 
As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed. MFA enables you to enhance the security posture of your tenant.
+2 / -2 lines changed
Commit: Update Connect Health download links on roadmap page
Changes:
Before
After
## Download and install Microsoft Entra Connect Health Agent
* Make sure that you [satisfy the requirements](how-to-connect-health-agent-install.md#requirements) for Microsoft Entra Connect Health.
* Get started using Microsoft Entra Connect Health for AD FS
* [Download Microsoft Entra Connect Health Agent for AD FS.](https://go.microsoft.com/fwlink/?LinkID=518973)
* [See the installation instructions](how-to-connect-health-agent-install.md#install-the-agent-for-ad-fs).
* Get started using Microsoft Entra Connect Health for sync
* [Download and install the latest version of Microsoft Entra Connect](https://entra.microsoft.com/#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted). The Health Agent for sync is installed as part of the Microsoft Entra Connect installation (version 1.0.9125.0 or higher).
* Get started using Microsoft Entra Connect Health for AD DS
* [Download Microsoft Entra Connect Health Agent for AD DS](https://go.microsoft.com/fwlink/?LinkID=820540).
* [See the installation instructions](how-to-connect-health-agent-install.md#install-the-agent-for-azure-ad-ds).
 
 
## Download and install Microsoft Entra Connect Health Agent
* Make sure that you [satisfy the requirements](how-to-connect-health-agent-install.md#requirements) for Microsoft Entra Connect Health.
* Get started using Microsoft Entra Connect Health for AD FS
* [Download Microsoft Entra Connect Health Agent for AD FS.](https://www.microsoft.com/en-us/download/details.aspx?id=108565)
* [See the installation instructions](how-to-connect-health-agent-install.md#install-the-agent-for-ad-fs).
* Get started using Microsoft Entra Connect Health for sync
* [Download and install the latest version of Microsoft Entra Connect](https://entra.microsoft.com/#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted). The Health Agent for sync is installed as part of the Microsoft Entra Connect installation (version 1.0.9125.0 or higher).
* Get started using Microsoft Entra Connect Health for AD DS
* [Download Microsoft Entra Connect Health Agent for AD DS](https://www.microsoft.com/en-us/download/details.aspx?id=108565).
* [See the installation instructions](how-to-connect-health-agent-install.md#install-the-agent-for-azure-ad-ds).
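
Review bot: Both the AD FS and the AD DS download links now point to the same Download Center page (id=108565), where the Before version used two separate fwlinks (518973 and 820540). If one installer now covers both roles, say so in the link text; if not, one of the two URLs is wrong. The new URLs also hard-code the `en-us` locale segment; drop it so readers land on their own locale.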
 
 
+1 / -1 lines changed
Commit: Update CRL download information link
Changes:
Before
After
 
### After a CRL endpoint is configured, end users can't sign in and they see "AADSTS500173: Unable to download CRL. Invalid status code Forbidden from CRL distribution point."
 
When a problem prevents Microsoft Entra from downloading the CRL, the cause is often firewall restrictions. In most cases, you can resolve the issue by updating firewall rules to allow the required IP addresses so Microsoft Entra can successfully download the CRL. For more information, see [List of Microsoft IPAddress](/microsoft-365/enterprise/urls-and-ip-address-ranges#microsoft-365-unified-domains).
 
### How do I find the CRL for a CA, or how do I troubleshoot the error "AADSTS2205015: The Certificate Revocation List (CRL) failed signature validation"?
 
 
### After a CRL endpoint is configured, end users can't sign in and they see "AADSTS500173: Unable to download CRL. Invalid status code Forbidden from CRL distribution point."
 
When a problem prevents Microsoft Entra from downloading the CRL, the cause is often firewall restrictions. In most cases, you can resolve the issue by updating firewall rules to allow the required IP addresses so Microsoft Entra can successfully download the CRL. For more information, see [Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56519).
 
### How do I find the CRL for a CA, or how do I troubleshoot the error "AADSTS2205015: The Certificate Revocation List (CRL) failed signature validation"?
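
Review bot: The replacement link sends readers to the full Azure IP Ranges and Service Tags download, but the answer still says only "allow the required IP addresses" without naming which service tag covers the addresses Microsoft Entra uses to download CRLs. Name the tag or tags in that sentence so admins open the CRL distribution point to that range only, not to every Azure address in the file. The link text is the raw page title; a shorter label such as "Azure IP Ranges and Service Tags" reads better.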