📋 Microsoft Entra Documentation Changes

Daily summary for changes since May 5th 2026, 10:38 PM PDT

Report generated on May 6th 2026, 10:38 PM PDT

📊 Summary

- Total Commits: 17
- New Files: 0
- Modified Files: 4
- Deleted Files: 0
- Contributors: 10

📝 Modified Documentation Files

Modified by omondiatieno on May 6, 2026 2:15 PM
+132 / -341 lines changed
Commit: fix wrong copy paste
Changes:
Before
After
---
title: Configure inheritable permissions for agent identity blueprints
description: Learn how to configure inheritable permissions for agent identity blueprints to automatically grant OAuth 2.0 delegated permission scopes and application roles to agent identities.
author: omondiatieno
ms.topic: how-to
ms.date: 04/14/2026
ms.author: jomondi
ms.reviewer: ergreenl
 
#Customer intent: As an IT administrator managing agent identity blueprints, I want to configure inheritable permissions so that newly created agent identities can automatically inherit OAuth 2.0 delegated permission scopes and application roles without requiring interactive consent prompts.
---
 
# Configure inheritable permissions for agent identity blueprints
 
Inheritable permissions let agent identities automatically inherit delegated permission (scopes) and application permissions (app-roles) from their parent agent identity blueprint. Use inheritable permissions to preauthorize a base set of scopes and roles so that newly created agent identities can take action without interactive user or admin consent prompts.
 
## Prerequisites
 
- An existing agent identity blueprint already created and configured
- Either of the following permissions:
---
title: Inheritable Permissions and Required Resource Access in Microsoft Entra Agent ID
description: Understand the difference between required resource access declarations and inheritable permissions for agent identity blueprints in Microsoft Entra Agent ID.
author: shlipsey3
ms.author: sarahlipsey
ms.reviewer: sarahlipsey
ms.service: entra-agent-id
ms.topic: concept-article
ms.custom: msecd-doc-authoring-1012
ms.date: 04/30/2026
ai-usage: ai-assisted
 
#customer intent: As a developer or IT administrator, I want to understand the difference between required resource access and inheritable permissions so that I can configure agent identity blueprints to balance security with ease of deployment.
 
---
 
# Inheritable permissions and required resource access in Microsoft Entra Agent ID
 
When you build an agent identity blueprint, there are two key permission-related configurations: *required resource access* and *inheritable permissions*. These configurations work together to define what an agent needs, what administrators review during consent, and how permissions flow to agent identities.
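Review bot: the new front matter lists sarahlipsey as both ms.author and ms.reviewer. Name a separate reviewer (the how-to content this file held before used ergreenl) so the concept article on consent and permission inheritance gets an independent technical review.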
 
+232 / -63 lines changed
Commit: fix wrong copy paste
Changes:
Before
After
---
title: Configure inheritable permissions for agent identity blueprints
description: Learn how to configure inheritable permissions for agent identity blueprints to automatically grant OAuth 2.0 delegated permission scopes to agent identities.
author: omondiatieno
ms.topic: how-to
ms.custom: msecd-doc-authoring-1012
ms.date: 04/28/2026
ms.author: jomondi
ms.reviewer: ergreenl
 
#Customer intent: As an IT administrator managing agent identity blueprints, I want to configure inheritable permissions so that newly created agent identities can automatically inherit OAuth 2.0 delegated permission scopes without requiring interactive consent prompts.
---
 
# Request permissions for agent identity blueprints
 
Configure inheritable permissions on an agent identity blueprint to preauthorize a base set of delegated scopes and application roles. Agent identities created from the blueprint automatically inherit those permissions without interactive consent prompts.
 
For conceptual background on how inheritable permissions relate to required resource access and direct permission grants, see [Inheritable permissions and required resource access](concept-inheritable-permissions.md).
 
## Prerequisites
---
title: Configure inheritable permissions for agent identity blueprints
description: Learn how to configure inheritable permissions for agent identity blueprints to automatically grant OAuth 2.0 delegated permission scopes and application roles to agent identities.
author: omondiatieno
ms.topic: how-to
ms.date: 04/14/2026
ms.author: jomondi
ms.reviewer: ergreenl
 
#Customer intent: As an IT administrator managing agent identity blueprints, I want to configure inheritable permissions so that newly created agent identities can automatically inherit OAuth 2.0 delegated permission scopes and application roles without requiring interactive consent prompts.
---
 
# Configure inheritable permissions for agent identity blueprints
 
Inheritable permissions let agent identities automatically inherit delegated permission (scopes) and application permissions (app-roles) from their parent agent identity blueprint. Use inheritable permissions to preauthorize a base set of scopes and roles so that newly created agent identities can take action without interactive user or admin consent prompts.
 
## Prerequisites
 
- An existing agent identity blueprint already created and configured
- Either of the following permissions:
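Review bot: in the After front matter, ms.date goes back from 04/28/2026 to 04/14/2026 on a commit made May 6, 2026, and ms.custom: msecd-doc-authoring-1012 is dropped. If the how-to text was restored from an older copy, set ms.date to the commit date and carry ms.custom over. The intro paragraph linking to concept-inheritable-permissions.md is also gone from the After version; consider keeping it so readers of the how-to can still reach the conceptual article.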
Modified by James Ndung'u (from Dev Box) on May 6, 2026 9:55 AM
+19 / -6 lines changed
Commit: Update sample query for checking kerberos RC4 ticket issuance
Changes:
Before
After
View all Kerberos ticket-granting (event ID 4768) and service ticket (event ID 4769) events that used RC4 encryption in the last seven days, to identify workloads and service accounts that still rely on RC4:
 
```Kusto
AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where EventId in (4768, 4769)
| parse ResultDescription with * "Ticket Encryption Type:\t" EncryptionType "\r\n" *
| where EncryptionType has "0x17"
| parse ResultDescription with * "Account Name:\t" AccountName "\r\n" *
| parse ResultDescription with * "Service Name:\t" ServiceName "\r\n" *
| project TimeGenerated, EventId, AccountName, ServiceName, EncryptionType
| summarize Count = count() by AccountName, ServiceName, EncryptionType
| order by Count desc
```
 
 
 
 
 
 
View all Kerberos ticket-granting (event ID 4768) and service ticket (event ID 4769) events that used RC4 encryption in the last seven days, to identify workloads and service accounts that still rely on RC4:
 
```Kusto
let EncryptionTypeFromHex = (hex_value: int) {
case(
hex_value == 0x1, "DES-CRC",
hex_value == 0x3, "DES-MD5",
hex_value == 0x11, "AES128-SHA96",
hex_value == 0x12, "AES256-SHA96",
hex_value == 0x13, "AES128-SHA256",
hex_value == 0x14, "AES256-SHA384",
hex_value == 0x17, "RC4",
"Unknown"
)
};
AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where OperationName has "4768" or OperationName has "4769"
| parse ResultDescription with * "Ticket Encryption Type:\t" EncryptionType "\n" *
| where EncryptionType has "0x17"
```
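Review bot: the parse on "Ticket Encryption Type:\t" now ends the capture at "\n" where the previous query used "\r\n", so on CRLF-terminated ResultDescription text EncryptionType keeps a trailing "\r". The has "0x17" filter still matches, but EncryptionTypeFromHex takes an int, so the captured string has to be trimmed and converted before it is passed in; trim the capture or keep "\r\n", and use the same delimiter for the other fields parsed from ResultDescription. Separately, the event filter moved from the numeric EventId in (4768, 4769) to a string match on OperationName; a one-line comment in the query explaining why would help readers who adapt it.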
Modified by Ken Withee on May 6, 2026 6:52 PM
+3 / -3 lines changed
Commit: Remove (Preview) wording from Deleted policies and Deleted named locations
Changes:
Before
After
title: Recover from deletions in Microsoft Entra ID
description: Understand the difference between soft and hard deletions and how to recover or recreate objects in Microsoft Entra ID.
ms.topic: concept-article
ms.date: 11/03/2025
ms.reviewer: jricketts
ms.custom: sfi-image-nochange
ms.subservice: architecture
To restore a Conditional access policy:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Deleted Policies (Preview**).
1. Select the ellipsis (...) on the far right of the policy to restore.
1. Select **Restore**.
1. In the **Restore Conditional Access policy?** dialog box, you can choose to restore the policy in [Report-only mode](../identity/conditional-access/concept-conditional-access-report-only.md) or leave it in the state it was when deleted, which might be **On**. Make your selection and select **Restore**.
To restore a named location:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Named locations** > **Deleted Named Locations (Preview)**.
1. Select the ellipsis (...) on the far right of the location you want to restore.
1. Select **Restore**.
title: Recover from deletions in Microsoft Entra ID
description: Understand the difference between soft and hard deletions and how to recover or recreate objects in Microsoft Entra ID.
ms.topic: concept-article
ms.date: 05/06/2026
ms.reviewer: jricketts
ms.custom: sfi-image-nochange
ms.subservice: architecture
To restore a Conditional access policy:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Deleted policies**.
1. Select the ellipsis (...) on the far right of the policy to restore.
1. Select **Restore**.
1. In the **Restore Conditional Access policy?** dialog box, you can choose to restore the policy in [Report-only mode](../identity/conditional-access/concept-conditional-access-report-only.md) or leave it in the state it was when deleted, which might be **On**. Make your selection and select **Restore**.
To restore a named location:
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](~/identity/role-based-access-control/permissions-reference.md#conditional-access-administrator).
1. Browse to **Entra ID** > **Conditional Access** > **Named locations** > **Deleted named locations**.
1. Select the ellipsis (...) on the far right of the location you want to restore.
1. Select **Restore**.
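Review bot: the lead-in "To restore a Conditional access policy:" keeps the lowercase "access" while the steps and the dialog name use "Conditional Access"; since this change already touches the blade names, fix the casing in the same pass. Also confirm that the new sentence-case labels "Deleted policies" and "Deleted named locations" match the admin center exactly, because the steps present them in bold as UI text.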