MODIFIED docs/external-id/customers/reference-user-permissions.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+3 / -3 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

 
To better understand the typical use cases for users in an external tenant, we can categorize them as follows:
 
- **External users** are consumers and business customers who use the apps registered in your external tenant. They typically retain default user permissions, meaning you don't assign them administrative roles. These users are usually created through self-service sign-up, but you can create them with the [Create new external user](~/fundamentals/how-to-create-delete-users.yml#create-a-new-external-user) option in the Microsoft Entra admin center or with Microsoft Graph. 
 
- **Internal users** are usually admins to whom you assign [Microsoft Entra roles](~/identity/role-based-access-control/permissions-reference.md). You can create internal users and assign roles using the [Create new user](~/fundamentals/how-to-create-delete-users.yml#create-a-new-user) option in the admin center or with Microsoft Graph.
 
- **Invited users** are usually admins you invite to the external tenant and to whom you assign [Microsoft Entra roles](~/identity/role-based-access-control/permissions-reference.md). If they're not assigned a role, they have default user permissions. You can invite users and assign roles using the [Invite external user](~/fundamentals/how-to-create-delete-users.yml#invite-an-external-user) option in the admin center or with Microsoft Graph.
 
When users are created in an external tenant, they all start with default permissions. However, you can assign [Microsoft Entra roles](~/identity/role-based-access-control/permissions-reference.md) to those users who need to perform administrative tasks within the external tenant.

 
To better understand the typical use cases for users in an external tenant, we can categorize them as follows:
 
- **External users** are consumers and business customers who use the apps registered in your external tenant. They typically retain default user permissions, meaning you don't assign them administrative roles. These users are usually created through self-service sign-up, but you can create them with the [Create new external user](~/fundamentals/how-to-create-delete-users.md#create-a-new-external-user) option in the Microsoft Entra admin center or with Microsoft Graph. 
 
- **Internal users** are usually admins to whom you assign [Microsoft Entra roles](~/identity/role-based-access-control/permissions-reference.md). You can create internal users and assign roles using the [Create new user](~/fundamentals/how-to-create-delete-users.md#create-a-new-user) option in the admin center or with Microsoft Graph.
 
- **Invited users** are usually admins you invite to the external tenant and to whom you assign [Microsoft Entra roles](~/identity/role-based-access-control/permissions-reference.md). If they're not assigned a role, they have default user permissions. You can invite users and assign roles using the [Invite external user](~/fundamentals/how-to-create-delete-users.md#invite-an-external-user) option in the admin center or with Microsoft Graph.
 
When users are created in an external tenant, they all start with default permissions. However, you can assign [Microsoft Entra roles](~/identity/role-based-access-control/permissions-reference.md) to those users who need to perform administrative tasks within the external tenant.

MODIFIED docs/external-id/customers/how-to-entra-id-federation-customers.md

Modified by Vimala Ranganathan on May 8, 2026 7:49 PM
📖 View on learn.microsoft.com

+0 / -4 lines changed

Commit: Remove 'Invite an external user through the admin center' section

Changes:

Before

After

 
An external user can self-register in the External ID tenant by using the sign-up and sign-in user flow. When the user selects the federated Microsoft Entra ID identity provider on the sign-in page and authenticates with their organizational account, a user account is automatically created in the external tenant. For more information, see [Create a sign-up and sign-in user flow for customers](how-to-user-flow-sign-up-sign-in-customers.md).
 
### Invite an external user through the admin center
 
An admin can invite an external user from the Microsoft Entra admin center. The invited user receives an email invitation and can redeem it by selecting the invitation link, which creates the user account in the External ID tenant. For more information, see [Invite users to your external tenant](/entra/external-id/customers/how-to-manage-customer-accounts#invite-a-customer).
 
### Create the user with Microsoft Graph API
 
An admin can use the [Microsoft Graph API](/graph/api/user-post-users?tabs=http#example-3-create-a-customer-account-in-external-tenants) to create a user directly in the External ID tenant. This approach is useful for automated provisioning or migration scenarios.

 
An external user can self-register in the External ID tenant by using the sign-up and sign-in user flow. When the user selects the federated Microsoft Entra ID identity provider on the sign-in page and authenticates with their organizational account, a user account is automatically created in the external tenant. For more information, see [Create a sign-up and sign-in user flow for customers](how-to-user-flow-sign-up-sign-in-customers.md).
 
### Create the user with Microsoft Graph API
 
An admin can use the [Microsoft Graph API](/graph/api/user-post-users?tabs=http#example-3-create-a-customer-account-in-external-tenants) to create a user directly in the External ID tenant. This approach is useful for automated provisioning or migration scenarios.

MODIFIED docs/workload-id/workload-identities-overview.md

Modified by rolyon on May 8, 2026 4:03 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Incorporate feedback to remove blueprints from workload identities overview

Changes:

Before

After

title: Workload identities
description: Understand the concepts and supported scenarios for using workload identity in Microsoft Entra.
ms.topic: overview
ms.date: 03/13/2025
ms.reviewer: arluca, ilanas, hosamsh
ms.custom: aaddev
#Customer intent: As a developer, I want workload identities so I can authenticate with Microsoft Entra ID and access Microsoft Entra protected resources.
 
AI agents — autonomous software systems that reason, make decisions, and take actions on behalf of users or organizations — represent a distinct category of machine identity with unique security requirements. Unlike traditional workloads that execute predetermined logic, AI agents make dynamic decisions and adapt behavior, which requires purpose-built identity constructs with stronger governance controls.
 
[Microsoft Entra Agent ID](~/agent-id/what-is-microsoft-entra-agent-id.md) provides these constructs through agent identities and agent identity blueprints. Agent identities offer enforced human sponsorship, lifecycle governance from provisioning through deactivation, and at-scale management through blueprints that apply centralized security policies across all agent instances of a given type. For more information, see [Microsoft Entra security for AI overview](~/agent-id/security-for-ai-overview.md).
 
## Next steps
 

title: Workload identities
description: Understand the concepts and supported scenarios for using workload identity in Microsoft Entra.
ms.topic: overview
ms.date: 05/08/2026
ms.reviewer: arluca, ilanas, hosamsh
ms.custom: aaddev
#Customer intent: As a developer, I want workload identities so I can authenticate with Microsoft Entra ID and access Microsoft Entra protected resources.
 
AI agents — autonomous software systems that reason, make decisions, and take actions on behalf of users or organizations — represent a distinct category of machine identity with unique security requirements. Unlike traditional workloads that execute predetermined logic, AI agents make dynamic decisions and adapt behavior, which requires purpose-built identity constructs with stronger governance controls.
 
[Microsoft Entra Agent ID](~/agent-id/what-is-microsoft-entra-agent-id.md) provides these constructs through agent identities. Agent identities offer enforced human sponsorship, lifecycle governance from provisioning through deactivation, and at-scale management that apply centralized security policies across all agent instances of a given type. For more information, see [Microsoft Entra security for AI overview](~/agent-id/security-for-ai-overview.md).
 
## Next steps
 

MODIFIED docs/fundamentals/entra-admin-center.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

 
| Task | Description | Learn more |
|------|-------------|------------|
| Create or delete users | Add new members or guests to your organization, or remove existing users. | [Create or delete users](./how-to-create-delete-users.yml) |
| Manage groups | Create and manage groups to organize users for access management and licensing. | [Manage groups and group membership](./how-to-manage-groups.yml) |
| Assign roles | Delegate administrative responsibilities using built-in or custom roles. | [Overview of role-based access control](~/identity/role-based-access-control/custom-overview.md) |
| Manage applications | Register and configure applications for single sign-on and API access. | [What is application management?](~/identity/enterprise-apps/what-is-application-management.md) |
## Related content
 
* [What is Microsoft Entra?](./what-is-entra.md)
* [Create or delete users](./how-to-create-delete-users.yml)
* [Manage groups and group membership](./how-to-manage-groups.yml)
* [Overview of role-based access control](~/identity/role-based-access-control/custom-overview.md)
* [What is Conditional Access?](~/identity/conditional-access/overview.md)

 
| Task | Description | Learn more |
|------|-------------|------------|
| Create or delete users | Add new members or guests to your organization, or remove existing users. | [Create or delete users](./how-to-create-delete-users.md) |
| Manage groups | Create and manage groups to organize users for access management and licensing. | [Manage groups and group membership](./how-to-manage-groups.yml) |
| Assign roles | Delegate administrative responsibilities using built-in or custom roles. | [Overview of role-based access control](~/identity/role-based-access-control/custom-overview.md) |
| Manage applications | Register and configure applications for single sign-on and API access. | [What is application management?](~/identity/enterprise-apps/what-is-application-management.md) |
## Related content
 
* [What is Microsoft Entra?](./what-is-entra.md)
* [Create or delete users](./how-to-create-delete-users.md)
* [Manage groups and group membership](./how-to-manage-groups.yml)
* [Overview of role-based access control](~/identity/role-based-access-control/custom-overview.md)
* [What is Conditional Access?](~/identity/conditional-access/overview.md)

MODIFIED docs/fundamentals/users-restore.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

You can permanently delete a user from your organization without waiting the 30 days for automatic deletion. A permanently deleted user can't be restored by anyone, including Microsoft customer support.
 
> [!NOTE]
> If you permanently delete a user by mistake, you have to create a new user and manually enter all the previous information. For more information about creating a new user, see [Add or delete users](./how-to-create-delete-users.yml).
 
### To permanently delete a user
 
 
## Related content
 
- [Add or delete users](./how-to-create-delete-users.yml)
- [Assign roles to users](./how-subscriptions-associated-directory.md)
- [Add or change profile information](./how-to-manage-user-profile-info.md)

You can permanently delete a user from your organization without waiting the 30 days for automatic deletion. A permanently deleted user can't be restored by anyone, including Microsoft customer support.
 
> [!NOTE]
> If you permanently delete a user by mistake, you have to create a new user and manually enter all the previous information. For more information about creating a new user, see [Add or delete users](./how-to-create-delete-users.md).
 
### To permanently delete a user
 
 
## Related content
 
- [Add or delete users](./how-to-create-delete-users.md)
- [Assign roles to users](./how-subscriptions-associated-directory.md)
- [Add or change profile information](./how-to-manage-user-profile-info.md)

MODIFIED docs/identity/monitoring-health/quickstart-access-log-with-graph-api.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

To complete the scenario in this quickstart, you need:
 
- **Access to a Microsoft Entra tenant**: If you don't have access to a Microsoft Entra tenant, see [Create your Azure free account today](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn). 
- **A test account called Isabella Simonsen**: If you don't know how to create a test account, see [Add cloud-based users](../../fundamentals/how-to-create-delete-users.yml).
- **Access to the Microsoft Graph API**: If you don't have access yet, see [Microsoft Graph authentication and authorization basics](/graph/auth/auth-concepts).
 
## Perform a failed sign-in
 
## Clean up resources
 
When no longer needed, delete the test user. If you don't know how to delete a Microsoft Entra user, see [Delete users from Microsoft Entra ID](../../fundamentals/how-to-create-delete-users.yml).
 
## Next steps

To complete the scenario in this quickstart, you need:
 
- **Access to a Microsoft Entra tenant**: If you don't have access to a Microsoft Entra tenant, see [Create your Azure free account today](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn). 
- **A test account called Isabella Simonsen**: If you don't know how to create a test account, see [Add cloud-based users](../../fundamentals/how-to-create-delete-users.md).
- **Access to the Microsoft Graph API**: If you don't have access yet, see [Microsoft Graph authentication and authorization basics](/graph/auth/auth-concepts).
 
## Perform a failed sign-in
 
## Clean up resources
 
When no longer needed, delete the test user. If you don't know how to delete a Microsoft Entra user, see [Delete users from Microsoft Entra ID](../../fundamentals/how-to-create-delete-users.md).
 
## Next steps

MODIFIED docs/identity/monitoring-health/quickstart-analyze-sign-in.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

- An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
- A Microsoft Entra tenant with a [Premium P1 license](~/fundamentals/get-started-premium.md).
- A user with the **Reports Reader**, **Security Reader**, or **Security Administrator** role for the tenant.
- **A test account called Isabella Simonsen** - If you don't know how to create a test account, see [Add cloud-based users](~/fundamentals/how-to-create-delete-users.yml).
 
## Perform a failed sign-in
 
## Clean up resources
 
When no longer needed, delete the test user. If you don't know how to delete a Microsoft Entra user, see [Delete users from Microsoft Entra ID](~/fundamentals/how-to-create-delete-users.yml). 
 
## Related content

- An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
- A Microsoft Entra tenant with a [Premium P1 license](~/fundamentals/get-started-premium.md).
- A user with the **Reports Reader**, **Security Reader**, or **Security Administrator** role for the tenant.
- **A test account called Isabella Simonsen** - If you don't know how to create a test account, see [Add cloud-based users](~/fundamentals/how-to-create-delete-users.md).
 
## Perform a failed sign-in
 
## Clean up resources
 
When no longer needed, delete the test user. If you don't know how to delete a Microsoft Entra user, see [Delete users from Microsoft Entra ID](~/fundamentals/how-to-create-delete-users.md). 
 
## Related content

MODIFIED docs/identity/saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial.md

Modified by Hamsika45 on May 8, 2026 4:35 PM
📖 View on learn.microsoft.com

+3 / -0 lines changed

Commit: Update github-enterprise-managed-user-oidc-provisioning-tutorial.md

Changes:

Before

After

 
Add GitHub Enterprise Managed User (OIDC) from the Microsoft Entra application gallery to start managing provisioning to GitHub Enterprise Managed User (OIDC). If you have previously setup GitHub Enterprise Managed User (OIDC) for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](~/identity/enterprise-apps/add-application-portal.md).
 
## Step 4: Define who is in scope for provisioning
 
[!INCLUDE [create-assign-users-provisioning.md](~/identity/saas-apps/includes/create-assign-users-provisioning.md)]

 
Add GitHub Enterprise Managed User (OIDC) from the Microsoft Entra application gallery to start managing provisioning to GitHub Enterprise Managed User (OIDC). If you have previously setup GitHub Enterprise Managed User (OIDC) for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](~/identity/enterprise-apps/add-application-portal.md).
 
> [!NOTE]
> If you need another instance of the application then you can consent to  GitHub Enterprise Managed User (OIDC) - ghe.com and please work with GitHub account team to enable this feature for your instance.
 
## Step 4: Define who is in scope for provisioning
 
[!INCLUDE [create-assign-users-provisioning.md](~/identity/saas-apps/includes/create-assign-users-provisioning.md)]

MODIFIED docs/agent-id/security-for-ai-overview.md

Modified by rolyon on May 8, 2026 6:21 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Graph API link

Changes:

Before

After

- Ensure sponsors and owners are assigned and maintained for each agent identity, preventing orphaned agent identities.
- Enforce that agent access to resources is intentional, auditable, and time-bound through access packages.
- Apply Conditional Access rules, permissions, and governance controls at the [blueprint level](identity-platform/agent-blueprint.md) so all current and future agent instances inherit them automatically, with the ability to disable an entire class of agents in a single operation.
- Maintain a complete inventory of all agent identities through centralized discovery and management in the Microsoft Entra admin center and [Microsoft Graph](/graph/api/resources/agentidentity?view=graph-rest-beta&preserve-view=true), preventing shadow AI and enabling organizations to track agents across the full lifecycle — from registration and credential management through deactivation and decommissioning.
 
For more information, see [Identity governance for agents](/entra/id-governance/agent-id-governance-overview).
 

- Ensure sponsors and owners are assigned and maintained for each agent identity, preventing orphaned agent identities.
- Enforce that agent access to resources is intentional, auditable, and time-bound through access packages.
- Apply Conditional Access rules, permissions, and governance controls at the [blueprint level](identity-platform/agent-blueprint.md) so all current and future agent instances inherit them automatically, with the ability to disable an entire class of agents in a single operation.
- Maintain a complete inventory of all agent identities through centralized discovery and management in the Microsoft Entra admin center and [Microsoft Graph](/graph/api/resources/agentidentity), preventing shadow AI and enabling organizations to track agents across the full lifecycle — from registration and credential management through deactivation and decommissioning.
 
For more information, see [Identity governance for agents](/entra/id-governance/agent-id-governance-overview).
 

MODIFIED docs/id-governance/identity-governance-overview.md

Modified by rolyon on May 8, 2026 4:03 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Date update

Changes:

Before

After

description: Microsoft Entra ID Governance enables you to balance your organization's need for security and end user productivity with the right processes and visibility.
editor: markwahl-msft
ms.topic: overview
ms.date: 04/09/2025
ms.reviewer: markwahl-msft
#Customer Intent: As an IT admin, I want to understand Microsoft Entra ID Governance so that I can balance security and end user productivity with the right processes and visibility.
---

description: Microsoft Entra ID Governance enables you to balance your organization's need for security and end user productivity with the right processes and visibility.
editor: markwahl-msft
ms.topic: overview
ms.date: 05/08/2026
ms.reviewer: markwahl-msft
#Customer Intent: As an IT admin, I want to understand Microsoft Entra ID Governance so that I can balance security and end user productivity with the right processes and visibility.
---

MODIFIED docs/architecture/id-protection-guide-introduction.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

    - [Conditional Access Administrator](../identity/role-based-access-control/permissions-reference.md#conditional-access-administrator)
    - [Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator)
 
  - A test user who isn't an administrator to verify that policies work as expected before you deploy real users. To create a user, follow the steps in [How to create, invite, and delete users](../fundamentals/how-to-create-delete-users.yml).
 
- A group, and the user is a member. To create a group, see [Create a group and add members in Microsoft Entra ID](../fundamentals/how-to-manage-groups.yml).

    - [Conditional Access Administrator](../identity/role-based-access-control/permissions-reference.md#conditional-access-administrator)
    - [Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator)
 
  - A test user who isn't an administrator to verify that policies work as expected before you deploy real users. To create a user, follow the steps in [How to create, invite, and delete users](../fundamentals/how-to-create-delete-users.md).
 
- A group, and the user is a member. To create a group, see [Create a group and add members in Microsoft Entra ID](../fundamentals/how-to-manage-groups.yml).

MODIFIED docs/external-id/b2b-quickstart-add-guest-users-portal.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

 
In this quickstart, you'll learn how to add a new guest user to your Microsoft Entra directory in the Microsoft Entra admin center. You'll also send an invitation and see what the guest user's invitation redemption process looks like. 
 
This guide provides the basic steps to invite an external user. To learn about all of the properties and settings that you can include when you invite an external user, see [How to create and delete a user](~/fundamentals/how-to-create-delete-users.yml).
 
If you don’t have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin.

 
In this quickstart, you'll learn how to add a new guest user to your Microsoft Entra directory in the Microsoft Entra admin center. You'll also send an invitation and see what the guest user's invitation redemption process looks like. 
 
This guide provides the basic steps to invite an external user. To learn about all of the properties and settings that you can include when you invite an external user, see [How to create and delete a user](~/fundamentals/how-to-create-delete-users.md).
 
If you don’t have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin.

MODIFIED docs/external-id/customers/how-to-manage-admin-accounts.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

 
## Add an admin account
 
Use the following steps to create a new user account and to grant admin permissions to the account by adding a Microsoft Entra role. (Only required steps are described here. For a complete description of all properties, see the Microsoft Entra ID article [How to create users](~/fundamentals/how-to-create-delete-users.yml#create-a-new-user).)
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator).
1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to your external tenant from the **Directories + subscriptions** menu.

 
## Add an admin account
 
Use the following steps to create a new user account and to grant admin permissions to the account by adding a Microsoft Entra role. (Only required steps are described here. For a complete description of all properties, see the Microsoft Entra ID article [How to create users](~/fundamentals/how-to-create-delete-users.md#create-a-new-user).)
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator).
1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to your external tenant from the **Directories + subscriptions** menu.

MODIFIED docs/fundamentals/add-custom-domain.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

## Related content
 
- [How to assign roles and administrators](./how-subscriptions-associated-directory.md)
- [How to add or delete users](./how-to-create-delete-users.yml)
- [Managing custom domain names](~/identity/users/domains-manage.md)

## Related content
 
- [How to assign roles and administrators](./how-subscriptions-associated-directory.md)
- [How to add or delete users](./how-to-create-delete-users.md)
- [Managing custom domain names](~/identity/users/domains-manage.md)

MODIFIED docs/fundamentals/create-new-tenant.md

Modified by shlipsey3 on May 8, 2026 3:35 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: create-delete-users-050826

Changes:

Before

After

 
- To change or add other domain names, see [How to add a custom domain name to Microsoft Entra ID](add-custom-domain.md).
 
- To add users, see [Add or delete a new user](./how-to-create-delete-users.yml).
 
- To add groups and members, see [Create a basic group and add members](./how-to-manage-groups.yml).

 
- To change or add other domain names, see [How to add a custom domain name to Microsoft Entra ID](add-custom-domain.md).
 
- To add users, see [Add or delete a new user](./how-to-create-delete-users.md).
 
- To add groups and members, see [Create a basic group and add members](./how-to-manage-groups.yml).

📋 Microsoft Entra Documentation Changes

📊 Summary

🆕 New Documentation Files

📝 Modified Documentation Files