MODIFIED docs/fundamentals/whats-new-ignite-2025.md

Modified by Ken Withee on Apr 30, 2026 4:19 PM
📖 View on learn.microsoft.com

+11 / -11 lines changed

Commit: Fix broken cross-references in whats-new pages

Changes:

Before

After

- [Sign-in and audit logs for agents](../agent-id/sign-in-audit-logs-agents.md) (New)
- [Agent access packages](../agent-id/agent-access-packages.md) (New)
- [Configure inheritable permissions blueprints](../agent-id/configure-inheritable-permissions-blueprints.md) (New)
- [Manage agent in end user experience](../agent-id/manage-agent.md) (New)
- [Manage agents without identity](../agent-id/manage-agents-without-identity.md) (New)
- [Authorization for Agent ID](../agent-id/authorization-agent-id.md) (New)
- [Reference registry roles](../agent-id/reference-registry-roles.md) (New)
- [Create blueprint](../agent-id/create-blueprint.md) (New)
- [Create and delete agent identities](../agent-id/create-delete-agent-identities.md) (New)
- [Manage agent blueprint](../agent-id/manage-agent-blueprint.md) (New)
- [Autonomous agent request tokens](../agent-id/autonomous-agent-request-tokens.md) (New)
- [Autonomous agent request agent user tokens](../agent-id/autonomous-agent-request-agent-user-tokens.md) (New)
- [Autonomous agent request authorization from Entra admin](../agent-id/autonomous-agent-request-authorization-entra-admin.md) (New)
- [Authenticate users and acquire tokens for interactive agents](../agent-id/interactive-agent-authentication-authorization-flow.md) (New)
- [Call API: Azure services](../agent-id/call-api-azure-services.md) (New)
- [Call API: Custom](../agent-id/call-api-custom.md) (New)
### Microsoft Entra ID Governance
 
**Next-generation identity governance with AI integration.** Enhanced lifecycle workflows, intelligent risk-based approvals, and streamlined access package management deliver comprehensive identity governance at enterprise scale.
- [What are agent identities (Agent IDs)?](../agent-id/identity-platform/what-are-agent-identities.md) (New)

- [Sign-in and audit logs for agents](../agent-id/sign-in-audit-logs-agents.md) (New)
- [Agent access packages](../agent-id/agent-access-packages.md) (New)
- [Configure inheritable permissions blueprints](../agent-id/configure-inheritable-permissions-blueprints.md) (New)
- Manage agent in end user experience (New)
- [Manage agents without identity](../agent-id/manage-agents-without-identity.md) (New)
- [Authorization for Agent ID](../agent-id/authorization-agent-id.md) (New)
- [Reference registry roles](../agent-id/reference-registry-roles.md) (New)
- [Create blueprint](../agent-id/create-blueprint.md) (New)
- [Create and delete agent identities](../agent-id/create-delete-agent-identities.md) (New)
- [Manage agent blueprint](../agent-id/manage-agent-blueprint.md) (New)
- Autonomous agent request tokens (New)
- Autonomous agent request agent user tokens (New)
- Autonomous agent request authorization from Entra admin (New)
- [Authenticate users and acquire tokens for interactive agents](../agent-id/interactive-agent-authentication-authorization-flow.md) (New)
- [Call API: Azure services](../agent-id/call-api-azure-services.md) (New)
- [Call API: Custom](../agent-id/call-api-custom.md) (New)
### Microsoft Entra ID Governance
 
**Next-generation identity governance with AI integration.** Enhanced lifecycle workflows, intelligent risk-based approvals, and streamlined access package management deliver comprehensive identity governance at enterprise scale.
- [What are agent identities (Agent IDs)?](../agent-id/what-are-agent-identities.md) (New)

MODIFIED docs/global-secure-access/concept-bring-your-own-device.md

Modified by cagautham on Apr 30, 2026 3:51 PM
📖 View on learn.microsoft.com

+12 / -3 lines changed

Commit: Clarify BYOD support and device registration steps

Changes:

Before

After

    1. Install Microsoft Authenticator from the App Store and register the device to the tenant or install the Company Portal app (no device enrollment required).
    2. Install the Microsoft Defender app from Google Play and complete sign-in.
    3. A device-wide VPN profile is created. The Global Secure Access tile is off by default; the user must turn it on to send Private Access traffic.
- Enable required traffic profiles for these users.
 
## macOS
 
BYOD support without device enrollment is available through Microsoft Entra device registration.
- Install and register the device using the Company Portal (no device enrollment required).
- Enable required traffic profiles for these users.
 
## Tenant selection and switching (Preview)
 
| Windows Microsoft Entra Registered device | User selects a tenant at first sign-in; remains connected to that tenant. | ❌ | ❌ | ❌ | ✅ | Cannot switch to other registered tenants for now. Allows user to switch to a resource tenant using external user access(B2B). |
| MacOS Microsoft Entra Registered device with and without device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Uses Company Portal to Microsoft Entra register the device. |
| Android Microsoft Entra Registered with and without device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Applies to enrolled devices with Company Portal. For unmanaged devices, Microsoft Entra registration can be done with Company portal and Authenticator app. |
| iOS Microsoft Entra Registered with device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Applies to enrolled devices with Company Portal. Unmanaged devices are not supported as of now. |
 
### Summary
- ✅ Device join takes precedence on Windows.

    1. Install Microsoft Authenticator from the App Store and register the device to the tenant or install the Company Portal app (no device enrollment required).
    2. Install the Microsoft Defender app from Google Play and complete sign-in.
    3. A device-wide VPN profile is created. The Global Secure Access tile is off by default; the user must turn it on to send Private Access traffic.
- Enable private traffic profiles for these users.
 
## iOS
 
- BYOD support without device enrollment is available using Microsoft Authenticator through Microsoft Entra device registration.
- On the device:
    1. Install Microsoft Authenticator from the App Store and register the device to the tenant.
    2. Install the Microsoft Defender app from Google Play and complete sign-in.
    3. A device-wide VPN profile is created. The Global Secure Access tile is off by default; the user must turn it on to send Private Access traffic.
- Enable private traffic profiles for these users.
 
## macOS
 
BYOD support without device enrollment is available through Microsoft Entra device registration.
- Install and register the device using the Company Portal (no device enrollment required).
- Enable private traffic profiles for these users.
 

MODIFIED docs/identity/authentication/concept-registration-mfa-sspr-combined.md

Modified by Diana Richards on Apr 30, 2026 8:17 PM
📖 View on learn.microsoft.com

+7 / -3 lines changed

Commit: accepting all copilot suggestions per the author

Changes:

Before

After

 
### Session controls for Combined Registration
By default, Combined registration enforces all MFA capable users to strongly authenticate prior to registering or managing their security info.
 
- Adding or modifying a passkey (FIDO2) method requires users to have strongly authenticated within the past 5 minutes. If MFA hasn't been completed in the past 5 minutes, the user is asked to sign-in and complete fresh MFA.
- Starting August 25, 2025, as announced in MC1135479, users are required to complete multifactor authentication (MFA) when managing credentials or accessing My Sign-ins if they haven't done so within the last 10 minutes of their current session.
Enforcing Authentication Strengths to security info registration can conflict with both aforementioned requirements, with end-users potentially experiencing the error message *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*. Changes can be made at the tenant level, such as enforcing "Sign-in frequency: every time" to the "Register security info" user action or enabling Passkeys for Windows Hello for Business users, or at the user level, such as ensuring they authenticate with a session at most 10 minutes old or ensuring they authenticate with a combination of methods included in the enforced Authentication Strength.
 
Organizations can modify the authentication requirements by defining [Conditional Access policies for securing security info registration](~/identity/conditional-access/policy-all-users-security-info-registration.md).

 
### Session controls for Combined Registration
By default, Combined registration enforces all MFA-capable users to strongly authenticate prior to registering or managing their security info.
 
- Adding or modifying a passkey (FIDO2) method requires users to have strongly authenticated within the past 5 minutes. If MFA hasn't been completed in the past 5 minutes, the user is asked to sign in and complete fresh MFA.
- Starting August 25, 2025, as announced in MC1135479, users are required to complete multifactor authentication (MFA) when managing credentials or accessing My Sign-ins if they haven't done so within the last 10 minutes of their current session.
Enforcing authentication strengths for security info registration can conflict with both of these requirements. Users might experience the error message *"Let’s try something else. Another sign-in method is required to access this resource. Close your browser and try again, but choose another way to sign-in"*.
 
You can make changes at either the tenant level or the user level:
 
- At the tenant level, enforce **Sign-in frequency: Every time** for the **Register security info** user action, or enable passkeys for Windows Hello for Business users.
- At the user level, ensure that users authenticate with a session that's no more than 10 minutes old, or ensure that they authenticate with a combination of methods included in the enforced authentication strength.
Organizations can modify the authentication requirements by defining [Conditional Access policies for securing security info registration](~/identity/conditional-access/policy-all-users-security-info-registration.md).

MODIFIED docs/fundamentals/whats-new.md

Modified by Ken Withee on Apr 30, 2026 4:19 PM
📖 View on learn.microsoft.com

+4 / -4 lines changed

Commit: Fix broken cross-references in whats-new pages

Changes:

Before

After

**Service category:** User Experience and Management  
**Product capability:** User Authentication  
 
In Microsoft Entra tenants, customers can create a single, tenant-wide, customized branding experience that applies to all apps. We are introducing a concept of Branding "themes" to allow customers to create different branding experiences for specific applications. For more information, see [Customize the sign-in experience for your application with branding themes in external tenants (Preview)](../external-id/customers/how-to-customize-branding-themes-apps.md)
 
---
 
*   The existing [registry Graph API](/graph/api/resources/agentregistry) will be deprecated and replaced by a new API powered by Agent 365. Agents registered via the current API will need to be re-registered. We’ll follow up soon with details on the deprecation date and the availability of the new registry Graph API.  
*   All agent access and governance capabilities remain fully available through Agent ID and Agent 365.  
 
For more information, see: [Agent Registry convergence with Microsoft Agent 365](../agent-id/identity-platform/agent-registry-convergence.md).
 
---
 
**Service category:** Other  
**Product capability:** End User Experiences  
 
The Manage agents end user experiences lets you view, and control, agent identities you own or sponsor. With the manage agents feature, you can easily see which agents you’re responsible for, review their details, and take action to enable, disable, or request access for them. Learn more: [Manage Agents in end user experience (Preview)](../agent-id/manage-agent.md).
 
---

**Service category:** User Experience and Management  
**Product capability:** User Authentication  
 
In Microsoft Entra tenants, customers can create a single, tenant-wide, customized branding experience that applies to all apps. We are introducing a concept of Branding "themes" to allow customers to create different branding experiences for specific applications.
 
---
 
*   The existing [registry Graph API](/graph/api/resources/agentregistry) will be deprecated and replaced by a new API powered by Agent 365. Agents registered via the current API will need to be re-registered. We’ll follow up soon with details on the deprecation date and the availability of the new registry Graph API.  
*   All agent access and governance capabilities remain fully available through Agent ID and Agent 365.  
 
For more information, see: [Agent Registry convergence with Microsoft Agent 365](../agent-id/agent-registry-convergence.md).
 
---
 
**Service category:** Other  
**Product capability:** End User Experiences  
 
The Manage agents end user experiences lets you view, and control, agent identities you own or sponsor. With the manage agents feature, you can easily see which agents you’re responsible for, review their details, and take action to enable, disable, or request access for them.
 
---

MODIFIED docs/verified-id/using-facecheck.md

Modified by Ken Withee on Apr 30, 2026 9:17 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Replace 'yourdomain.com' placeholder with 'verifiedid.contoso.com'

Changes:

Before

After

  "requestedCredentials": [
    {
      "type": "VerifiedEmployee",
      "acceptedIssuers": [ "did:web:yourdomain.com" ],
      "configuration": {
        "validation": {
          "allowRevoked": false,
```json
  "verifiedCredentialsData": [ 
    { 
      "issuer": "did:web:yourdomain.com", 
      "type": [ "VerifiableCredential", "VerifiedEmployee" ], 
      "claims": { 
        ... 

  "requestedCredentials": [
    {
      "type": "VerifiedEmployee",
      "acceptedIssuers": [ "did:web:verifiedid.contoso.com" ],
      "configuration": {
        "validation": {
          "allowRevoked": false,
```json
  "verifiedCredentialsData": [ 
    { 
      "issuer": "did:web:verifiedid.contoso.com", 
      "type": [ "VerifiableCredential", "VerifiedEmployee" ], 
      "claims": { 
        ... 

MODIFIED docs/verified-id/how-to-register-didwebsite.md

Modified by Ken Withee on Apr 30, 2026 9:17 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Replace 'yourdomain.com' placeholder with 'verifiedid.contoso.com'

Changes:

Before

After

The portal verifies that `did.json` is reachable and correct when you select **Refresh registration status**. You should also consider verifying that you can request that URL in a browser to avoid errors like not using HTTPS, a bad TLS/SSL certificate, or the URL not being public. If the `did.json` file can't be requested anonymously in a browser or via tools such as `curl`, without warnings or errors, the portal won't be able to complete the **Refresh registration status** step.
 
> [!NOTE]
> If you're experiencing problems refreshing your registration status, you can troubleshoot it by running `curl -Iv https://yourdomain.com/.well-known/did.json` on a machine with Ubuntu OS. Windows Subsystem for Linux with Ubuntu also works. If curl fails, refreshing the registration status won't work.
 
## Next steps

The portal verifies that `did.json` is reachable and correct when you select **Refresh registration status**. You should also consider verifying that you can request that URL in a browser to avoid errors like not using HTTPS, a bad TLS/SSL certificate, or the URL not being public. If the `did.json` file can't be requested anonymously in a browser or via tools such as `curl`, without warnings or errors, the portal won't be able to complete the **Refresh registration status** step.
 
> [!NOTE]
> If you're experiencing problems refreshing your registration status, you can troubleshoot it by running `curl -Iv https://verifiedid.contoso.com/.well-known/did.json` on a machine with Ubuntu OS. Windows Subsystem for Linux with Ubuntu also works. If curl fails, refreshing the registration status won't work.
 
## Next steps

MODIFIED docs/id-governance/tenant-governance/automatic-governance-relationships.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Automatic formation of governance relationships (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how Microsoft Entra Tenant Governance automatically establishes governance relationships when you create add-on tenants using secure tenant creation.
author: barclayn
ms.author: owinfrey
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/26/2026

title: Automatic formation of governance relationships (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how Microsoft Entra Tenant Governance automatically establishes governance relationships when you create add-on tenants using secure tenant creation.
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/26/2026
 
 

MODIFIED docs/id-governance/tenant-governance/configuration-management.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Configuration management in Tenant Governance (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn about configuration management capabilities in Microsoft Entra Tenant Governance, including baselines and drift monitoring
author: barclayn
ms.author: barclayn
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/11/2026

title: Configuration management in Tenant Governance (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn about configuration management capabilities in Microsoft Entra Tenant Governance, including baselines and drift monitoring
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/11/2026
 
 

MODIFIED docs/id-governance/tenant-governance/cross-tenant-delegated-administration.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Cross-tenant delegated administration (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn about cross-tenant delegated administration and how it enables centralized management across tenants in Microsoft Entra
author: barclayn
ms.author: barclayn
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/10/2026

title: Cross-tenant delegated administration (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn about cross-tenant delegated administration and how it enables centralized management across tenants in Microsoft Entra
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/10/2026
 
 

MODIFIED docs/id-governance/tenant-governance/deployment-guide.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Deploy Microsoft Entra Tenant Governance end to end (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how to deploy Microsoft Entra Tenant Governance from setup through tenant discovery, governance, and configuration monitoring
author: barclayn
ms.author: barclayn
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 03/17/2026

title: Deploy Microsoft Entra Tenant Governance end to end (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how to deploy Microsoft Entra Tenant Governance from setup through tenant discovery, governance, and configuration monitoring
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 03/17/2026
 
 

MODIFIED docs/id-governance/tenant-governance/governance-policy-templates.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Governance policy templates (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn about governance policy templates and how to use them to enforce consistent governance across tenants in Microsoft Entra
author: barclayn
ms.author: barclayn
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/10/2026

title: Governance policy templates (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn about governance policy templates and how to use them to enforce consistent governance across tenants in Microsoft Entra
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/10/2026
 
 

MODIFIED docs/id-governance/tenant-governance/governance-relationships.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Governance relationships in Tenant Governance (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn about governance relationships and how they enable centralized management of tenants in Microsoft Entra Tenant Governance
author: barclayn
ms.author: barclayn
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/10/2026

title: Governance relationships in Tenant Governance (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn about governance relationships and how they enable centralized management of tenants in Microsoft Entra Tenant Governance
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/10/2026
 
 

MODIFIED docs/id-governance/tenant-governance/how-to-create-monitor.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Create a monitor (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how to create and configure a tenant configuration monitor in Microsoft Entra Tenant Governance to track configuration drift
author: barclayn
ms.author: barclayn
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 03/10/2026

title: Create a monitor (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how to create and configure a tenant configuration monitor in Microsoft Entra Tenant Governance to track configuration drift
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 03/10/2026
 
 

MODIFIED docs/id-governance/tenant-governance/how-to-create-tenant.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Create a governed workforce tenant (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how to create a new Microsoft Entra tenant using the secure add-on tenant creation workflow in Tenant Governance
author: barclayn
ms.author: barclayn
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 03/12/2026

title: Create a governed workforce tenant (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how to create a new Microsoft Entra tenant using the secure add-on tenant creation workflow in Tenant Governance
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 03/12/2026
 
 

MODIFIED docs/id-governance/tenant-governance/how-to-delegated-administration.md

Modified by Ken Withee on Apr 30, 2026 5:28 PM
📖 View on learn.microsoft.com

+0 / -2 lines changed

Commit: Remove file-level author/ms.author overrides so docfx.json folder defaults apply

Changes:

Before

After

title: Use cross-tenant delegated administration (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how to use cross-tenant delegated administration to sign in to and manage governed tenants using your governing tenant credentials
author: barclayn
ms.author: barclayn
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 03/10/2026

title: Use cross-tenant delegated administration (preview)
titleSuffix: Microsoft Entra ID Governance
description: Learn how to use cross-tenant delegated administration to sign in to and manage governed tenants using your governing tenant credentials
ms.service: entra-id-governance
ms.topic: how-to
ms.date: 03/10/2026
 
 

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files