📋 Microsoft Entra Documentation Changes

Daily summary for changes since April 28th 2026, 10:37 PM PDT

Report generated on April 29th 2026, 10:37 PM PDT

📊 Summary

25
Total Commits
0
New Files
16
Modified Files
0
Deleted Files
10
Contributors

📝 Modified Documentation Files

MODIFIED docs/global-secure-access/how-to-configure-explicit-forward-proxy-intune-policy.md
Modified by Alexander Pavlovsky on Apr 29, 2026 3:39 PM
📖 View on learn.microsoft.com
+50 / -48 lines changed
Commit: yet another review update
Changes:
Before
After
author: idmdev
---
 
# Configure Microsoft Edge with Global Secure Access Explicit Forward Proxy (preview) using Intune Mobile Application Management Policy
 
## Prerequisites
 
 
1. Select **+ Create** > **Managed Apps**:
 
1. **Name** = `GSA Explicit Forward Proxy Settings for Edge` (feel free to choose your own name).
1. **Target policy to**: Selected Apps.
 
1. Select **+ Select public apps**:
 
1. Search for `Edge`.
1. Select **Microsoft Edge** / **Windows**.
1. Select **Select**.
 
![Screenshot showing the public apps selection with Microsoft Edge selected.](media/how-to-configure-microsoft-edge-mam-policy/select-target-apps.png)
author: idmdev
---
 
# Configure Microsoft Edge with Global Secure Access Explicit Forward Proxy (preview) using Intune Mobile Application Management policy
 
You can automatically deliver the proxy settings and the automatic Certificate Authority trust settings in Microsoft Edge using the Intune app management policies.
 
## Prerequisites
 
 
1. Select **+ Create** > **Managed Apps**:
 
1. **Name** = `GSA Explicit Forward Proxy Settings for Edge` (feel free to choose your own name).
1. **Target policy to**: Selected Apps.
 
1. Select **+ Select public apps**:
 
1. Search for `Edge`.
1. Select **Microsoft Edge** / **Windows**.
1. Select **Select**.
MODIFIED docs/identity/role-based-access-control/includes/ai-administrator.md
Modified by Faith Moraa Ombongi on Apr 29, 2026 11:50 AM
📖 View on learn.microsoft.com
+7 / -24 lines changed
Commit: Edits - Fetched new updates, picked up Agent Developer description changes - Excluded AI Administrator role to allow furtehr discussion with engineering team - Restored auditLogs permissions for Entra Backup roles - Removed AI Administrator role from what's new
Changes:
Before
After
title: AI Administrator
description: AI Administrator
ms.topic: include
ms.date: 04/22/2026
ms.custom: include file
---
 
Assign the AI Administrator role to users who need to do the following tasks:
 
- Manage all aspects of Microsoft 365 Copilot, AI-related enterprise services, extensibility, and Search content.
- Approve and publish line-of-business copilot agents.
- Manage the full lifecycle of agent users, their licenses, and sign-in sessions.
- Read and configure Azure and Microsoft 365 service health dashboards.
- View usage reports, adoption insights, organizational insight, and message center posts.
- Create and manage support tickets in Azure and the Microsoft 365 admin center.
 
<!-- autogenerated content starts here -->
 
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
title: AI Administrator
description: AI Administrator
ms.topic: include
ms.date: 04/29/2026
ms.custom: include file
---
 
Assign the AI Administrator role to users who need to do the following tasks:
 
- Manage all aspects of Microsoft 365 Copilot
- Manage AI-related enterprise services, extensibility, and copilot agents from the Integrated apps page in the Microsoft 365 admin center
- Approve and publish line-of-business copilot agents
- Read and configure Azure and Microsoft 365 service health dashboards
- View usage reports, adoption insights, and organizational insight
- Create and manage support tickets in Azure and the Microsoft 365 admin center
 
<!-- autogenerated content starts here -->
 
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
MODIFIED docs/identity/saas-apps/simple-in-out-provisioning-tutorial.md
Modified by Sudhakaran-S-micro on Apr 29, 2026 9:24 AM
📖 View on learn.microsoft.com
+3 / -3 lines changed
Commit: Worked on blocking issues
Changes:
Before
After
1. Select **Reveal** on your Recovery Key and store this entire key in a safe place. **IMPORTANT!** If you're ever locked out of your Microsoft accounts and need to disconnect SSO without access, you be required to relay the Recovery Key to Simple In/Out technical support.
1. Select **Reveal** on your Bearer Token and make note of it. You'll need this for Step 5.6.
 
* When a new user is provisioned from Microsoft Entra ID to Simple In/Out, Simple In/Out will set that user's role to the default role for your organization. This role will govern the user's permissions inside Simple In/Out. For existing users that may be converted to SSO, Simple In/Out will maintain their existing role.
 
* After users are provisioned to Simple In/Out, any administrator-level user can edit a user's role. This is done by selecting a user on the Simple In/Out board, then selecting the **Edit User** button that appears in the user's profile dialog.
 
* You can change the default role in Simple In/Out and customize the permissions in the role on Simple In/Out's website.
 
1. Within Simple In/Out's website, select **Settings** in the upper-right
1. Select **Roles** under the **USERS** menu on the left.
1. Select **Reveal** on your Recovery Key and store this entire key in a safe place. **IMPORTANT!** If you're ever locked out of your Microsoft accounts and need to disconnect SSO without access, you be required to relay the Recovery Key to Simple In/Out technical support.
1. Select **Reveal** on your Bearer Token and make note of it. You'll need this for Step 5.6.
 
* When a new user is provisioned from Microsoft Entra ID to Simple In/Out, Simple In/Out will set that user's role to the default role for your organization. This role will govern the user's permissions inside Simple In/Out. For existing users that may be converted to SSO, Simple In/Out will maintain their existing role.
 
* After users are provisioned to Simple In/Out, any administrator-level user can edit a user's role. This is done by selecting a user on the Simple In/Out board, then selecting the **Edit User** button that appears in the user's profile dialog.
 
* You can change the default role in Simple In/Out and customize the permissions in the role on Simple In/Out's website.
 
1. Within Simple In/Out's website, select **Settings** in the upper-right
1. Select **Roles** under the **USERS** menu on the left.
MODIFIED docs/identity/role-based-access-control/includes/entra-backup-administrator.md
Modified by Faith Moraa Ombongi on Apr 29, 2026 11:50 AM
📖 View on learn.microsoft.com
+3 / -1 lines changed
Commit: Edits - Fetched new updates, picked up Agent Developer description changes - Excluded AI Administrator role to allow furtehr discussion with engineering team - Restored auditLogs permissions for Entra Backup roles - Removed AI Administrator role from what's new
Changes:
Before
After
title: Entra Backup Administrator
description: Entra Backup Administrator
ms.topic: include
ms.date: 04/22/2026
ms.custom: include file
---
 
> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.directory/backup/preview/cancel | Cancel a Microsoft Entra backup operation to compare a backup snapshot with the current state. |
> | microsoft.directory/backup/preview/create | Create a Microsoft Entra backup operation that allows a user to compare a backup snapshot with the current state. |
> | microsoft.directory/backup/recovery/cancel | Cancel a Microsoft Entra recovery operation to recover the contents of a backup snapshot |
> | microsoft.directory/backup/recovery/create | Create a Microsoft Entra recovery operation that allows a user to recover the contents of a backup snapshot. |
> | microsoft.directory/backup/standard/read | List Microsoft Entra backups (for example, backup IDs and timestamps), view difference reports, and list recovery jobs and their associated properties. |
 
 
title: Entra Backup Administrator
description: Entra Backup Administrator
ms.topic: include
ms.date: 04/29/2026
ms.custom: include file
---
 
> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.directory/auditLogs/standard/read | Read standard properties on audit logs, excluding custom security attributes audit logs |
> | microsoft.directory/backup/preview/cancel | Cancel a Microsoft Entra backup operation to compare a backup snapshot with the current state. |
> | microsoft.directory/backup/preview/create | Create a Microsoft Entra backup operation that allows a user to compare a backup snapshot with the current state. |
> | microsoft.directory/backup/recovery/cancel | Cancel a Microsoft Entra recovery operation to recover the contents of a backup snapshot |
> | microsoft.directory/backup/recovery/create | Create a Microsoft Entra recovery operation that allows a user to recover the contents of a backup snapshot. |
> | microsoft.directory/backup/standard/read | List Microsoft Entra backups (for example, backup IDs and timestamps), view difference reports, and list recovery jobs and their associated properties. |
 
MODIFIED docs/identity/role-based-access-control/includes/entra-backup-reader.md
Modified by Faith Moraa Ombongi on Apr 29, 2026 11:50 AM
📖 View on learn.microsoft.com
+3 / -1 lines changed
Commit: Edits - Fetched new updates, picked up Agent Developer description changes - Excluded AI Administrator role to allow furtehr discussion with engineering team - Restored auditLogs permissions for Entra Backup roles - Removed AI Administrator role from what's new
Changes:
Before
After
title: Entra Backup Reader
description: Entra Backup Reader
ms.topic: include
ms.date: 04/22/2026
ms.custom: include file
---
 
> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.directory/backup/preview/cancel | Cancel a Microsoft Entra backup operation to compare a backup snapshot with the current state. |
> | microsoft.directory/backup/preview/create | Create a Microsoft Entra backup operation that allows a user to compare a backup snapshot with the current state. |
> | microsoft.directory/backup/standard/read | List Microsoft Entra backups (for example, backup IDs and timestamps), view difference reports, and list recovery jobs and their associated properties. |
 
 
title: Entra Backup Reader
description: Entra Backup Reader
ms.topic: include
ms.date: 04/29/2026
ms.custom: include file
---
 
> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.directory/auditLogs/standard/read | Read standard properties on audit logs, excluding custom security attributes audit logs |
> | microsoft.directory/backup/preview/cancel | Cancel a Microsoft Entra backup operation to compare a backup snapshot with the current state. |
> | microsoft.directory/backup/preview/create | Create a Microsoft Entra backup operation that allows a user to compare a backup snapshot with the current state. |
> | microsoft.directory/backup/standard/read | List Microsoft Entra backups (for example, backup IDs and timestamps), view difference reports, and list recovery jobs and their associated properties. |
 
MODIFIED docs/identity/role-based-access-control/permissions-reference.md
Modified by Faith Moraa Ombongi on Apr 29, 2026 11:50 AM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: Edits - Fetched new updates, picked up Agent Developer description changes - Excluded AI Administrator role to allow furtehr discussion with engineering team - Restored auditLogs permissions for Entra Backup roles - Removed AI Administrator role from what's new
Changes:
Before
After
title: Microsoft Entra built-in roles
description: Describes the Microsoft Entra built-in roles and permissions.
ms.topic: reference
ms.date: 04/22/2026
ms.reviewer: abhijeetsinha
ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
---
> | Role | Description | Template ID |
> | --- | --- | --- |
> | [Agent ID Administrator](#agent-id-administrator) | Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | db506228-d27e-4b7d-95e5-295956d6615f |
> | [Agent ID Developer](#agent-id-developer) | Create an agent blueprint and its service principal in a tenant. User will be added as an owner of the agent blueprint and its service principal. | adb2368d-a9be-41b5-8667-d96778e081b0 |
> | [Agent Registry Administrator](#agent-registry-administrator) | Manage all aspects of the Agent Registry service in Microsoft Entra ID | 6b942400-691f-4bf0-9d12-d8a254a2baf5 |
> | [AI Administrator](#ai-administrator) | Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | d2562ede-74db-457e-a7b6-544e236ebb61 |
> | [AI Reader](#ai-reader) | Read all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 1fe13547-53f6-408d-ac04-7f8eed167b38 |
title: Microsoft Entra built-in roles
description: Describes the Microsoft Entra built-in roles and permissions.
ms.topic: reference
ms.date: 04/29/2026
ms.reviewer: abhijeetsinha
ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
---
> | Role | Description | Template ID |
> | --- | --- | --- |
> | [Agent ID Administrator](#agent-id-administrator) | Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | db506228-d27e-4b7d-95e5-295956d6615f |
> | [Agent ID Developer](#agent-id-developer) | Create an agent identity blueprint and its agent identity blueprint principal in a tenant. User will be added as an owner of the created agent identity blueprint and its agent identity blueprint principal. | adb2368d-a9be-41b5-8667-d96778e081b0 |
> | [Agent Registry Administrator](#agent-registry-administrator) | Manage all aspects of the Agent Registry service in Microsoft Entra ID | 6b942400-691f-4bf0-9d12-d8a254a2baf5 |
> | [AI Administrator](#ai-administrator) | Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | d2562ede-74db-457e-a7b6-544e236ebb61 |
> | [AI Reader](#ai-reader) | Read all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 1fe13547-53f6-408d-ac04-7f8eed167b38 |
MODIFIED docs/identity/saas-apps/signagelive-provisioning-tutorial.md
Modified by Sudhakaran-S-micro on Apr 29, 2026 9:24 AM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: Worked on blocking issues
Changes:
Before
After
 
The scenario outlined in this article assumes that you already have the following prerequisites:
 
* [!INCLUDE [common-prerequisites.md](~/identity/saas-apps/includes/common-prerequisites.md)].
* [A Signagelive tenant](https://signagelive.com/pricing/)
* A user account in Signagelive with Admin permissions.
 
 
1. In the applications list, select **Signagelive**.
 
![Screenshot of the Signagelive link in the Applications list](common/all-applications.png)
 
1. Select the **Provisioning** tab.
 
 
The scenario outlined in this article assumes that you already have the following prerequisites:
 
[!INCLUDE [common-prerequisites.md](~/identity/saas-apps/includes/common-prerequisites.md)].
* [A Signagelive tenant](https://signagelive.com/pricing/)
* A user account in Signagelive with Admin permissions.
 
 
1. In the applications list, select **Signagelive**.
 
![Screenshot of the Signagelive link in the Applications list.](common/all-applications.png)
 
1. Select the **Provisioning** tab.
 
MODIFIED docs/identity/saas-apps/netskope-administrator-console-provisioning-tutorial.md
Modified by Sudhakaran-S-micro on Apr 29, 2026 8:59 AM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: Worked on blocking issues
Changes:
Before
After
 
1. Review the user attributes that are synchronized from Microsoft Entra ID to Netskope User Authentication in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Netskope User Authentication for update operations. If you choose to change the [matching target attribute](~/identity/app-provisioning/customize-application-attributes.md), you need to ensure that the Netskope User Authentication API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
 
![Netskope User Authentication User Attributes](media/netskope-administrator-console-provisioning-tutorial/userattributes.png)
 
1. Review the group attributes that are synchronized from Microsoft Entra ID to Netskope User Authentication in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Netskope User Authentication for update operations. Select the **Save** button to commit any changes.
 
![Netskope User Authentication Group Attributes](media/netskope-administrator-console-provisioning-tutorial/groupattributes.png)
 
1. To configure scoping filters, refer to the instructions provided in the [Scoping filter article](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
 
 
1. Review the user attributes that are synchronized from Microsoft Entra ID to Netskope User Authentication in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Netskope User Authentication for update operations. If you choose to change the [matching target attribute](~/identity/app-provisioning/customize-application-attributes.md), you need to ensure that the Netskope User Authentication API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
 
![Screenshot of the Netskope User Authentication User Attributes.](media/netskope-administrator-console-provisioning-tutorial/userattributes.png)
 
1. Review the group attributes that are synchronized from Microsoft Entra ID to Netskope User Authentication in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Netskope User Authentication for update operations. Select the **Save** button to commit any changes.
 
![Screenshot of the Netskope User Authentication Group Attributes.](media/netskope-administrator-console-provisioning-tutorial/groupattributes.png)
 
1. To configure scoping filters, refer to the instructions provided in the [Scoping filter article](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
 
MODIFIED docs/identity/saas-apps/palo-alto-networks-scim-connector-provisioning-tutorial.md
Modified by Sudhakaran-S-micro on Apr 29, 2026 8:59 AM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: Worked on blocking issues
Changes:
Before
After
|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String||
|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String||
 
> [!NOTE]
> **Schema Discovery** is enabled on this app. Hence you might see more attributes in the application than mentioned in the table above.
 
1. Review the group attributes that are synchronized from Microsoft Entra ID to Palo Alto Networks SCIM Connector in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Palo Alto Networks SCIM Connector for update operations. Select the **Save** button to commit any changes.
 
|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String||
|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String||
 
> [!NOTE]
> **Schema Discovery** is enabled on this app. Hence you might see more attributes in the application than mentioned in the table above.
 
1. Review the group attributes that are synchronized from Microsoft Entra ID to Palo Alto Networks SCIM Connector in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Palo Alto Networks SCIM Connector for update operations. Select the **Save** button to commit any changes.
 
MODIFIED docs/identity/role-based-access-control/includes/customer-delegated-admin-relationship-administrator.md
Modified by Faith Moraa Ombongi on Apr 29, 2026 11:50 AM
📖 View on learn.microsoft.com
+2 / -1 lines changed
Commit: Edits - Fetched new updates, picked up Agent Developer description changes - Excluded AI Administrator role to allow furtehr discussion with engineering team - Restored auditLogs permissions for Entra Backup roles - Removed AI Administrator role from what's new
Changes:
Before
After
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 04/22/2026
author: FaithOmbongi
ms.author: ombongifaith
---
> | --- | --- |
> | microsoft.commerce.tenantRelationships/customerDelegatedAdminPrivileges/allProperties/allTasks | Manage all aspects of granular delegated admin privileges (GDAP) relationships in a customer tenant. |
> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
 
ms.service: entra-id
ms.subservice: role-based-access-control
ms.topic: include
ms.date: 04/29/2026
author: FaithOmbongi
ms.author: ombongifaith
---
> | --- | --- |
> | microsoft.commerce.tenantRelationships/customerDelegatedAdminPrivileges/allProperties/allTasks | Manage all aspects of granular delegated admin privileges (GDAP) relationships in a customer tenant. |
> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
 
MODIFIED docs/identity/role-based-access-control/whats-new.md
Modified by Faith Moraa Ombongi on Apr 29, 2026 11:50 AM
📖 View on learn.microsoft.com
+1 / -2 lines changed
Commit: Edits - Fetched new updates, picked up Agent Developer description changes - Excluded AI Administrator role to allow furtehr discussion with engineering team - Restored auditLogs permissions for Entra Backup roles - Removed AI Administrator role from what's new
Changes:
Before
After
title: What's new in Microsoft Entra RBAC documentation
description: Learn about the new features and documentation improvements in Microsoft Entra role-based access control (RBAC).
ms.topic: whats-new
ms.date: 04/22/2026
 
---
 
 
| Date | Area | Description |
| --- | --- | --- |
| April 2026 | Roles | Updated permissions for the [AI Administrator](permissions-reference.md#ai-administrator) role to include capabilities to manage the lifecycle of agent users. |
| April 2026 | Roles | Added [AI Reader](permissions-reference.md#ai-reader) and [Customer Delegated Admin Relationship Administrator](permissions-reference.md#customer-delegated-admin-relationship-administrator) roles. |
| March 2026 | Roles | Added [Teams External Collaboration Administrator](permissions-reference.md#teams-external-collaboration-administrator) role. |
| March 2026 | Roles | Added [Entra Backup Administrator](permissions-reference.md#entra-backup-administrator) and [Entra Backup Reader](permissions-reference.md#entra-backup-reader) roles. |
title: What's new in Microsoft Entra RBAC documentation
description: Learn about the new features and documentation improvements in Microsoft Entra role-based access control (RBAC).
ms.topic: whats-new
ms.date: 04/29/2026
 
---
 
 
| Date | Area | Description |
| --- | --- | --- |
| April 2026 | Roles | Added [AI Reader](permissions-reference.md#ai-reader) and [Customer Delegated Admin Relationship Administrator](permissions-reference.md#customer-delegated-admin-relationship-administrator) roles. |
| March 2026 | Roles | Added [Teams External Collaboration Administrator](permissions-reference.md#teams-external-collaboration-administrator) role. |
| March 2026 | Roles | Added [Entra Backup Administrator](permissions-reference.md#entra-backup-administrator) and [Entra Backup Reader](permissions-reference.md#entra-backup-reader) roles. |
 
MODIFIED docs/global-secure-access/concept-explicit-forward-proxy.md
Modified by Alexander Pavlovsky on Apr 29, 2026 3:39 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: yet another review update
Changes:
Before
After
ms.reviewer:
---
 
# Explicit Forward Proxy (preview) Overview
 
Explicit Forward Proxy (EFP) is one of the traffic acquisition mechanisms that's useful in scenarios where installation of the Global Secure Access (GSA) client is difficult or not possible. EFP is an effective mechanism to protect internet traffic when users use browsers to access resources from:
* multi-session Virtual Desktop Infrastructure (VDI)
ms.reviewer:
---
 
# Explicit Forward Proxy (preview) overview
 
Explicit Forward Proxy (EFP) is one of the traffic acquisition mechanisms that's useful in scenarios where installation of the Global Secure Access (GSA) client is difficult or not possible. EFP is an effective mechanism to protect internet traffic when users use browsers to access resources from:
* multi-session Virtual Desktop Infrastructure (VDI)
MODIFIED docs/global-secure-access/concept-proxy-automatic-configuration-files.md
Modified by Alexander Pavlovsky on Apr 29, 2026 3:39 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: yet another review update
Changes:
Before
After
ms.reviewer:
---
 
# Introduction to Proxy Automatic Configuration (PAC) Files
 
A PAC file is a mechanism used to automatically determine which proxy server a web browser or application should use for a given request. PAC files are an integral part of Explicit Forward Proxy configuration, enabling flexible and dynamic traffic steering decisions. In the context of Global Secure Access, PAC files are similar to the traffic forwarding policies of the GSA client.
 
ms.reviewer:
---
 
# Introduction to Proxy Automatic Configuration (PAC) files
 
A PAC file is a mechanism used to automatically determine which proxy server a web browser or application should use for a given request. PAC files are an integral part of Explicit Forward Proxy configuration, enabling flexible and dynamic traffic steering decisions. In the context of Global Secure Access, PAC files are similar to the traffic forwarding policies of the GSA client.
 
MODIFIED docs/global-secure-access/how-to-configure-conditional-access-policy-for-explicit-forward-proxy.md
Modified by Alexander Pavlovsky on Apr 29, 2026 3:39 PM
📖 View on learn.microsoft.com
+0 / -2 lines changed
Commit: yet another review update
Changes:
Before
After
> The Explicit Forward Proxy feature is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Overview
 
Explicit Forward Proxy (EFP) for Microsoft Entra Internet Access relies on IP affinity, among other mechanisms, for session management. While not required, we recommend that you configure a Conditional Access policy that restricts the use of EFP on networks your organization trusts. Additionally, you use Conditional Access policies to assign the Microsoft Entra Internet Access security profiles to users.
 
## Prerequisites
> The Explicit Forward Proxy feature is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
Explicit Forward Proxy (EFP) for Microsoft Entra Internet Access relies on IP affinity, among other mechanisms, for session management. While not required, we recommend that you configure a Conditional Access policy that restricts the use of EFP on networks your organization trusts. Additionally, you use Conditional Access policies to assign the Microsoft Entra Internet Access security profiles to users.
 
## Prerequisites
 
 
MODIFIED docs/global-secure-access/how-to-configure-explicit-forward-proxy.md
Modified by Alexander Pavlovsky on Apr 29, 2026 3:39 PM
📖 View on learn.microsoft.com
+0 / -2 lines changed
Commit: yet another review update
Changes:
Before
After
 
# How to Configure Explicit Forward Proxy (preview)
 
## Overview
 
Explicit Forward Proxy (EFP) allows you to use Secure Web and AI Gateway capabilities of Microsoft Entra Internet Access without installing the Global Secure Access (GSA) client. EFP works with any browser that supports proxy automatic configuration (PAC).
 
> [!IMPORTANT]
 
# How to Configure Explicit Forward Proxy (preview)
 
Explicit Forward Proxy (EFP) allows you to use Secure Web and AI Gateway capabilities of Microsoft Entra Internet Access without installing the Global Secure Access (GSA) client. EFP works with any browser that supports proxy automatic configuration (PAC).
 
> [!IMPORTANT]
 
 

🤖 This report was automatically generated by the Entra Docs Monitor

📧 Delivered to merill@merill.net

🔗 Visit Repository