MODIFIED docs/identity/managed-identities-azure-resources/how-to-assign-managed-identity-via-azure-policy.md

Modified by Ken Withee on May 5, 2026 5:01 PM
📖 View on learn.microsoft.com

+25 / -23 lines changed

Commit: Address Acrolinx findings in how-to-assign-managed-identity-via-azure-policy

Changes:

Before

After

title: Use Azure Policy to assign managed identities (preview)
description: Documentation for the Azure Policy that can be used to assign managed identities to Azure resources.
ms.topic: how-to
ms.date: 05/23/2022

---


Azure Monitoring Agents require a [managed identity](overview.md) on the monitored Azure Virtual Machines (VMs). This document describes the behavior of a built-in Azure Policy provided by Microsoft that helps ensure a managed identity, needed for these scenarios, is assigned to VMs at scale.

While using system-assigned managed identity is possible, when used at scale (for example, for all VMs in a subscription) it results in substantial number of identities created (and deleted) in Microsoft Entra ID. To avoid this churn of identities, it is recommended to use user-assigned managed identities, which can be created once and shared across multiple VMs.

## Policy definition and details


When executed, the policy takes the following actions:

1. Create, if not exist, a new built-in user-assigned managed identity in the subscription and each Azure region based on the VMs that are in scope of the policy.
2. Once created, put a lock on the user-assigned managed identity so that it will not be accidentally deleted.
3. Assign the built-in user-assigned managed identity to Virtual Machines from the subscription and region based on the VMs that are in scope of the policy.

title: Use Azure Policy to assign managed identities (preview)
description: Documentation for the Azure Policy that can be used to assign managed identities to Azure resources.
ms.topic: how-to
ms.date: 05/05/2026
ai-usage: ai-assisted

---


Azure Monitoring Agents require a [managed identity](overview.md) on the monitored Azure Virtual Machines (VMs). This document describes the behavior of a built-in Azure Policy provided by Microsoft that helps ensure a managed identity, needed for these scenarios, is assigned to VMs at scale.

While using a system-assigned managed identity is possible, when used at scale (for example, for all VMs in a subscription) it results in a substantial number of identities created (and deleted) in Microsoft Entra ID. To avoid this churn of identities, use user-assigned managed identities. They can be created once and shared across multiple VMs.

## Policy definition and details


When executed, the policy takes the following actions:

1. Create a new built-in user-assigned managed identity (if one doesn't exist) in the subscription. The identity is created in each Azure region based on the VMs that are in scope of the policy.
1. Lock the user-assigned managed identity to prevent accidental deletion.

MODIFIED docs/fundamentals/create-new-tenant.md

Modified by kenwith on May 5, 2026 6:38 PM
📖 View on learn.microsoft.com

+26 / -2 lines changed

Commit: Inline create-new-tenant include and remove duplicate

Changes:

Before

After

title: Quickstart - Access and create new tenant
description: Instructions about how to find Microsoft Entra ID and how to create a new tenant for your organization.
ms.topic: quickstart
ms.date: 03/12/2026
ms.custom: it-pro, fasttrack-edit, mode-other, sfi-image-nochange
ms.collection: M365-identity-device-management
#Customer Intent: As an IT admin, I want to create a new Microsoft Entra tenant so that I can set up a directory for my organization or development environment.
 
# [Workforce / B2C](#tab/workforce)
 
[!INCLUDE [Create](../includes/definitions/create-new-tenant.md)]
 
# [Secure add-on tenant creation (preview)](#tab/governed-workforce)

title: Quickstart - Access and create new tenant
description: Instructions about how to find Microsoft Entra ID and how to create a new tenant for your organization.
ms.topic: quickstart
ms.date: 05/05/2026
ms.custom: it-pro, fasttrack-edit, mode-other, sfi-image-nochange
ms.collection: M365-identity-device-management
#Customer Intent: As an IT admin, I want to create a new Microsoft Entra tenant so that I can set up a directory for my organization or development environment.
 
# [Workforce / B2C](#tab/workforce)
 
1. Sign in to the [Azure portal](https://portal.azure.com).
 
1. From the Azure portal menu, select **Microsoft Entra ID**.
 
1. Navigate to **Entra ID** > **Overview** > **Manage tenants**.
 
1. Select **Create**.
 
   :::image type="content" source="media/create-new-tenant/portal.png" alt-text="Screenshot of Microsoft Entra ID - Overview page - Create a tenant.":::
 

MODIFIED docs/includes/licensing-move-microsoft-365-admin-center.md

Modified by kenwith on May 5, 2026 7:21 PM
📖 View on learn.microsoft.com

+6 / -6 lines changed

Commit: Fix grammar, malformed HTML, typos in 4 licensing-* includes

Changes:

Before

After

---
author: kenwith
ms.author: kenwith
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include
ms.custom: sfi-ga-nochange
    Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/users/$userid/reprocessLicense 
    ```
 
### What if I don’t have a Microsoft 365 Admin account or license and I manage licenses from the Azure portal?
 
For non-Microsoft 365 users, transitioning to managing licenses through a Microsoft 365 Admin Center account is essential.
 
Microsoft Entra ID roles: Global Administrator, User Administrator, and License Administrator have access to the Microsoft 365 Admin Center to manage licenses using their existing Microsoft Entra ID account. You don't have to be a Microsoft 365 customer to use the Microsoft 365 admin center. You don't have to be a Microsoft 365 customer to use the Microsoft 365 admin center, and can manage licenses there regardless. You don't have to be a Microsoft 365 customer to use the Microsoft 365 admin center, and can manage licenses there regardless. All Microsoft Entra customers have access to the Microsoft 365 Admin Center for domain and license management.
 
### How can I view license consumption and utilization now?
 
 
## Known Issues:

---
author: kenwith
ms.author: kenwith
ms.date: 05/05/2026
ms.service: entra-id
ms.topic: include
ms.custom: sfi-ga-nochange
    Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/users/$userid/reprocessLicense 
    ```
 
### What if I don't have a Microsoft 365 Admin account or license and I manage licenses from the Azure portal?
 
For non-Microsoft 365 users, transitioning to managing licenses through a Microsoft 365 Admin Center account is essential.
 
Microsoft Entra ID roles: Global Administrator, User Administrator, and License Administrator have access to the Microsoft 365 Admin Center to manage licenses using their existing Microsoft Entra ID account. You don't have to be a Microsoft 365 customer to use the Microsoft 365 admin center, and can manage licenses there regardless. All Microsoft Entra customers have access to the Microsoft 365 Admin Center for domain and license management.
 
### How can I view license consumption and utilization now?
 
 
## Known Issues:

MODIFIED docs/includes/licensing-change.md

Modified by kenwith on May 5, 2026 7:21 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Fix grammar, malformed HTML, typos in 4 licensing-* includes

Changes:

Before

After

---
author: kenwith
ms.author: kenwith
ms.date: 03/12/2025
ms.service: entra-id
ms.topic: include
---
 
> [!NOTE]
> Starting September 1, 2024, the Microsoft Entra ID Admin Center and the Microsoft Azure portal no longer supports license assignment through their user interfaces. To manage license assignments for users and groups, administrators must use the Microsoft 365 Admin Center. This update is designed to streamline the license management process within the Microsoft ecosystem. This change is limited to the user interface. API and PowerShell access remain unaffected. For detailed guidance on assigning licenses using the Microsoft 365 Admin Center, refer to the following resources:
> - [Assign or Unassign Licenses for Users in the Microsoft 365 Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users?view=o365-worldwide&preserve-view=true)
> - [Add Users and Assign Licenses in Microsoft 365](/microsoft-365/admin/add-users/add-users?view=o365-worldwide&preserve-view=true)
> - [Assign Licenses to a Group Using the Microsoft 365 Admin Center](~/identity/users/licensing-admin-center.md)
 </br>We encourage all administrators to familiarize themselves with the new procedures to ensure a smooth transition. For any further assistance or inquiries, contact our [support team](https://support.microsoft.com/contactus).

---
author: kenwith
ms.author: kenwith
ms.date: 05/05/2026
ms.service: entra-id
ms.topic: include
---
 
> [!NOTE]
> Starting September 1, 2024, the Microsoft Entra ID Admin Center and the Microsoft Azure portal no longer support license assignment through their user interfaces. To manage license assignments for users and groups, administrators must use the Microsoft 365 Admin Center. This update is designed to streamline the license management process within the Microsoft ecosystem. This change is limited to the user interface. API and PowerShell access remain unaffected. For detailed guidance on assigning licenses using the Microsoft 365 Admin Center, refer to the following resources:
> - [Assign or Unassign Licenses for Users in the Microsoft 365 Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users?view=o365-worldwide&preserve-view=true)
> - [Add Users and Assign Licenses in Microsoft 365](/microsoft-365/admin/add-users/add-users?view=o365-worldwide&preserve-view=true)
> - [Assign Licenses to a Group Using the Microsoft 365 Admin Center](~/identity/users/licensing-admin-center.md)
 <br>We encourage all administrators to familiarize themselves with the new procedures to ensure a smooth transition. For any further assistance or inquiries, contact our [support team](https://support.microsoft.com/contactus).

MODIFIED docs/includes/licensing-pim.md

Modified by kenwith on May 5, 2026 7:21 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: Fix grammar, malformed HTML, typos in 4 licensing-* includes

Changes:

Before

After

---
author: kenwith
ms.author: kenwith
ms.date: 08/12/2025
manager: pmwongera
ms.service: entra-id
ms.topic: include
| --- | --- | --- |
| Woodgrove Bank has 10 administrators for different departments and 2 [Privileged Role Administrators](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator) that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users’ managers of which six aren't in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |
 
### When a license expires for PIM
 
 
- Permanent role assignments to Microsoft Entra roles are unaffected.
- The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
- Eligible role assignments of Microsoft Entra roles are removed, as users no longer be able to activate privileged roles.
- Any ongoing access reviews of Microsoft Entra roles ends, and Privileged Identity Management configuration settings are removed.
- Privileged Identity Management no longer sends emails on role assignment changes.

---
author: kenwith
ms.author: kenwith
ms.date: 05/05/2026
manager: pmwongera
ms.service: entra-id
ms.topic: include
| --- | --- | --- |
| Woodgrove Bank has 10 administrators for different departments and 2 [Privileged Role Administrators](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator) that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 |
| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 |
| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users' managers of which six aren't in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 |
 
### When a license expires for PIM
 
 
- Permanent role assignments to Microsoft Entra roles are unaffected.
- The Privileged Identity Management service in the Microsoft Entra admin center, and the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
- Eligible role assignments of Microsoft Entra roles are removed, as users will no longer be able to activate privileged roles.
- Any ongoing access reviews of Microsoft Entra roles ends, and Privileged Identity Management configuration settings are removed.
- Privileged Identity Management no longer sends emails on role assignment changes.

MODIFIED docs/includes/licensing-managed-identities.md

Modified by kenwith on May 5, 2026 7:21 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Fix grammar, malformed HTML, typos in 4 licensing-* includes

Changes:

Before

After

---
author: kenwith
ms.author: kenwith
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include
---
 
There are no licensing requirements for using Managed identities for Azure resources. Managed identities for Azure resources provide an automatically managed identity for applications to use when connecting to resources that support Microsoft Entra authentication. One of the benefits of using managed identities is that you don’t need to manage credentials, and they can be used at no extra cost. For more information, see [What is managed identities for Azure resources?](../identity/managed-identities-azure-resources/overview.md).

---
author: kenwith
ms.author: kenwith
ms.date: 05/05/2026
ms.service: entra-id
ms.topic: include
---
 
There are no licensing requirements for using Managed identities for Azure resources. Managed identities for Azure resources provide an automatically managed identity for applications to use when connecting to resources that support Microsoft Entra authentication. One of the benefits of using managed identities is that you don't need to manage credentials, and they can be used at no extra cost. For more information, see [What is managed identities for Azure resources?](../identity/managed-identities-azure-resources/overview.md).

MODIFIED docs/includes/entra-msi-tut-prereqs.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

title: include file
description: include file
 
author: Barclayn
ms.service: entra-id
ms.topic: include
ms.date: 01/09/2025
ms.author: barclayn
ms.custom: include file
---
 

title: include file
description: include file
 
author: kenwith
ms.service: entra-id
ms.topic: include
ms.date: 01/09/2025
ms.author: kenwith
ms.custom: include file
---
 

MODIFIED docs/includes/entra-service-limits-include.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

title: Include file
description: Include file
 
author: barclayn
ms.service: entra-id
ms.topic: include
ms.date: 03/26/2026
ms.author: barclayn
ms.custom: include file
---
Here are the usage constraints and other service limits for the Microsoft Entra service.

title: Include file
description: Include file
 
author: kenwith
ms.service: entra-id
ms.topic: include
ms.date: 03/26/2026
ms.author: kenwith
ms.custom: include file
---
Here are the usage constraints and other service limits for the Microsoft Entra service.

MODIFIED docs/includes/licensing-app-provisioning.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

---
author: barclayn
ms.author: barclayn
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include

---
author: kenwith
ms.author: kenwith
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include

MODIFIED docs/includes/licensing-multi-tenant-organizations.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

---
author: barclayn
ms.author: barclayn
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include

---
author: kenwith
ms.author: kenwith
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include

MODIFIED docs/includes/licensing-role-based-access-control.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

---
author: barclayn
ms.author: barclayn
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include

---
author: kenwith
ms.author: kenwith
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include

MODIFIED docs/includes/licensing-roles.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

---
author: barclayn
ms.author: barclayn
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include

---
author: kenwith
ms.author: kenwith
ms.date: 01/31/2025
ms.service: entra-id
ms.topic: include

MODIFIED docs/includes/licensing-verified-id.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

---
author: barclayn
ms.author: barclayn
ms.date: 03/24/2026
ms.service: entra-id
ms.topic: include

---
author: kenwith
ms.author: kenwith
ms.date: 03/24/2026
ms.service: entra-id
ms.topic: include

MODIFIED docs/includes/managed-identity-ua-character-limits.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

 title: include file
 description: include file
 
 author: barclayn
 ms.service: msi
 ms.topic: include
 ms.date: 03/11/2024
 ms.author: barclayn
 ms.custom: include file
---
 

 title: include file
 description: include file
 
 author: kenwith
 ms.service: msi
 ms.topic: include
 ms.date: 03/11/2024
 ms.author: kenwith
 ms.custom: include file
---
 

MODIFIED docs/includes/secure-recommendations/21770.md

Modified by Ken Withee on May 5, 2026 4:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Reassign barclayn to kenwith in docs/includes metadata

Changes:

Before

After

---
title: Inactive applications don’t have highly privileged Microsoft Graph API permissions 
ms.author: barclayn
author: barclayn
manager: pmwongera
ms.service: entra-id
ms.topic: include

---
title: Inactive applications don’t have highly privileged Microsoft Graph API permissions 
ms.author: kenwith
author: kenwith
manager: pmwongera
ms.service: entra-id
ms.topic: include

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files

🗑️ Deleted Documentation Files