📋 Microsoft Entra Documentation Changes

Daily summary for changes since May 13th 2026, 11:01 PM PDT

Report generated on May 14th 2026, 11:01 PM PDT

📊 Summary

Total Commits: 30
New Files: 0
Modified Files: 13
Deleted Files: 0
Contributors: 9

📝 Modified Documentation Files

+54 / -44 lines changed
Commit: agent-id-copilot-migration-051426
Changes:
Before
After
---
title: Migrate Copilot Studio agents to Agent ID
titleSuffix: Microsoft Entra Agent ID
description: Learn how to migrate Microsoft Copilot Studio agents from legacy service principals to Microsoft Entra Agent ID for enhanced governance and security.
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 04/30/2026
ms.custom: agent-id, msecd-doc-authoring-1012
ai-usage: ai-assisted
#customer intent: As an IT admin or Copilot Studio maker, I want to migrate my Copilot Studio agents from legacy service principals to Microsoft Entra Agent ID so that I can take advantage of agent-specific governance, Conditional Access, and audit capabilities.
---
 
# Migrate Copilot Studio agents to Agent ID
 
Microsoft Copilot Studio agents created before March 18, 2026 (or before your tenant opted in to Agent ID integration) authenticate by using platform-managed service principals. These service principals let agents communicate with Azure Bot Service, Microsoft Teams, and Bot Framework skills, but Microsoft Entra treats them as standard applications, not as AI agents. Migrating to Agent ID gives you agent-specific governance, including Conditional Access policies, centralized audit logging, and lifecycle management.
 
This article shows you how to migrate these platform-managed service principals to Agent ID. Because Copilot Studio manages the agent code, credentials, and deployment lifecycle, the migration approach differs from custom-built agents. For agents where you own the code and identity configuration, see [Migrate custom app registrations to Agent ID](migrate-custom-app-registrations-to-agent-id.md).
 
## Prerequisites
---
title: Migrate Copilot Studio agents to Agent ID
titleSuffix: Microsoft Entra Agent ID
description: Learn how to recreate Microsoft Copilot Studio agents with Microsoft Entra Agent ID for enhanced governance and security. No in-place migration path exists today.
author: Dickson-Mwendia
ms.author: dmwendia
ms.topic: how-to
ms.date: 05/14/2026
ms.custom: agent-id, msecd-doc-authoring-1012
ai-usage: ai-assisted
#customer intent: As an IT admin or Copilot Studio maker, I want to understand how to recreate my Copilot Studio agents with Microsoft Entra Agent ID so that I can take advantage of agent-specific governance, Conditional Access, and audit capabilities.
---
 
# Migrate Copilot Studio agents to Agent ID
 
> [!IMPORTANT]
> There's no automated or in-place migration path to convert an existing Copilot Studio agent's service principal to an Agent ID. To use Agent ID with Copilot Studio, you must **create a new agent** with Agent ID integration enabled, manually reconfigure it, and then decommission the legacy agent. This article describes that recreate-and-deprecate process.
 
Microsoft Copilot Studio agents created before March 18, 2026 (or before your tenant opted in to Agent ID integration) authenticate by using platform-managed service principals. These service principals let agents communicate with Azure Bot Service, Microsoft Teams, and Bot Framework skills, but Microsoft Entra treats them as standard applications, not as AI agents. Adopting Agent ID gives you agent-specific governance, including Conditional Access policies, centralized audit logging, and lifecycle management.
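
Review bot: The title and H1 in the After text still read "Migrate Copilot Studio agents to Agent ID", while the new description and the [!IMPORTANT] note say that no in-place migration path exists and that the process is recreate-and-deprecate. Either retitle to match the new content or explain in the description why "migrate" is kept, so that admins don't plan for a conversion that preserves the existing service principal. The note tells readers to decommission the legacy agent; it would help to state when the legacy service principal should be removed relative to cutting over to the new agent.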
 
+9 / -9 lines changed
Commit: Clean up system-preferred MFA documentation
Changes:
Before
After
---
title: System-preferred authentication
description: Learn how system-preferred authentication evaluates methods to prompt users with the most secure sign-in option for both primary and multifactor authentication.
ms.topic: how-to
ms.date: 04/15/2026
ms.reviewer: msft-poulomi
ms.custom: msecd-doc-authoring-106
author: Justinha
ms.author: Justinha
ai-usage: ai-assisted
 
For example, if a user registered both a password and a passkey, system-preferred authentication prompts the user to sign in with the passkey instead of the password. The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered.
 
System-preferred authentication is a Microsoft managed setting, which is a [tristate policy](#authentication-method-feature-configuration-properties). The **Microsoft managed** value of system-preferred authentication is **Enabled**. If you don't want to enable system-preferred authentication, change the state from **Microsoft managed** to **Disabled**, or exclude users and groups from the policy.
 
After system-preferred authentication is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered.
 
 
## Enable system-preferred authentication by using Graph APIs
 
---
title: System-preferred authentication in Microsoft Entra ID
description: Learn how system-preferred authentication evaluates methods to prompt users with the most secure sign-in option for both primary and multifactor authentication.
ms.topic: concept
ms.date: 04/15/2026
ms.reviewer: msft-poulomi
ms.custom: msecd-doc-authoring-1012
author: Justinha
ms.author: Justinha
ai-usage: ai-assisted
 
For example, if a user registered both a password and a passkey, system-preferred authentication prompts the user to sign in with the passkey instead of the password. The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered.
 
System-preferred authentication is a Microsoft managed setting, which is a [three-state policy](#authentication-method-feature-configuration-properties) (enabled, disabled, or Microsoft managed). The **Microsoft managed** value of system-preferred authentication is **Enabled**. If you don't want to enable system-preferred authentication, change the state from **Microsoft managed** to **Disabled**, or exclude users and groups from the policy.
 
After system-preferred authentication is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered.
 
 
## Enable system-preferred authentication by using Graph APIs
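
Review bot: In the After front matter, `ms.topic` changes from `how-to` to `concept`, but the article keeps the procedural section "Enable system-preferred authentication by using Graph APIs", and another article in this report uses `ms.topic: concept-article`. Confirm that `concept` is an accepted value and that the topic type fits an article that still contains a how-to section.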
 
Modified by Philippe Signoret on May 14, 2026 10:00 PM
+16 / -1 lines changed
Commit: Add audit log details for cascade cleanup of agent identities
Changes:
Before
After
author: shlipsey3
ms.author: sarahlipsey
ms.topic: concept-article
ms.date: 04/28/2026
ms.custom: agent-id
ai-usage: ai-assisted
 
> [!IMPORTANT]
> If you restore the agent identity blueprint principal before the background cleanup runs, child agent identities aren't affected. After the cleanup runs, each child identity must be restored individually. Restoring the agent identity blueprint principal doesn't reverse cascade deletions that already occurred.
 
## Orphaned objects and quota considerations
 
When an agent identity blueprint principal is permanently deleted, any associated agent identities and agents' user accounts that weren't deleted become **orphaned objects** and become soft-deleted. Orphaned objects can't authenticate but continue to count toward directory quota until they're permanently deleted after the 30-day retention period expires.
 
 
 
 
 
 
 
author: shlipsey3
ms.author: sarahlipsey
ms.topic: concept-article
ms.date: 05/15/2026
ms.custom: agent-id
ai-usage: ai-assisted
 
> [!IMPORTANT]
> If you restore the agent identity blueprint principal before the background cleanup runs, child agent identities aren't affected. After the cleanup runs, each child identity must be restored individually. Restoring the agent identity blueprint principal doesn't reverse cascade deletions that already occurred.
 
### Cascade cleanup in audit logs
 
When the background cleanup task deletes agent identities, the deletions appear in your tenant's [Microsoft Entra audit logs](~/identity/monitoring-health/concept-audit-logs.md). These entries have the following characteristics:
 
| Audit log field | Value |
|---|---|
| **Activity** | Delete service principal |
| **Initiated by (actor)** | Application: *Delete Agent Identities Task* |
| **Actor App ID** | (blank) |
 
Modified by Derdus Kenga on May 14, 2026 12:28 PM
+7 / -10 lines changed
Commit: Fix UI drift in app registration and redirect URI articles
Changes:
Before
After
manager: pmwongera
ms.author: cwerner
ms.custom:
ms.date: 01/29/2025
ms.service: identity-platform
ms.topic: how-to
#Customer intent: As developer, I want to know how to register my application in Microsoft Entra tenant. I want to understand the additional configurations to help make my application secure.
---
 
1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="./media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
1. Browse to **Entra ID** > **App registrations** and select **New registration**.
1. Enter a meaningful **Name** for your app, for example *identity-client-app*. App users can see this name, and it can be changed at any time. You can have multiple app registrations with the same name.
1. Under **Supported account types**, specify who can use the application. We recommend you select **Accounts in this organizational directory only** for most applications. Refer to the table for more information on each option.
 
| Supported account types | Description |
| ----------------------- | ------------- |
| **Accounts in this organizational directory only** | For *single-tenant* apps for use only by users (or guests) in *your* tenant. |
| **Accounts in any organizational directory** | For *multitenant* apps and you want users in *any* Microsoft Entra tenant to be able to use your application. Ideal for software-as-a-service (SaaS) applications that you intend to provide to multiple organizations. |
| **Accounts in any organizational directory and personal Microsoft accounts** | For *multitenant* apps that support both organizational and personal Microsoft accounts (for example, Skype, Xbox, Live, Hotmail). |
| **Personal Microsoft accounts** | For apps used only by personal Microsoft accounts (for example, Skype, Xbox, Live, Hotmail). |
manager: pmwongera
ms.author: cwerner
ms.custom:
ms.date: 05/14/2026
ms.service: identity-platform
ms.topic: how-to
ai-usage: ai-assisted
#Customer intent: As developer, I want to know how to register my application in Microsoft Entra tenant. I want to understand the additional configurations to help make my application secure.
---
 
1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="./media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
1. Browse to **Entra ID** > **App registrations** and select **New registration**.
1. Enter a meaningful **Name** for your app, for example *identity-client-app*. App users can see this name, and it can be changed at any time. You can have multiple app registrations with the same name.
1. Under **Supported account types**, open the dropdown and select who can use the application. We recommend **Single tenant only - \<your tenant\>** for most applications. Refer to the table for more information on each option.
 
| Supported account types | Description |
| ----------------------- | ------------- |
| **Single tenant only - \<your tenant\>** | For *single-tenant* apps for use only by users (or guests) in *your* tenant. |
| **Multiple Entra ID tenants** | For *multitenant* apps when you want users in *any* Microsoft Entra tenant to be able to use your application. Ideal for software-as-a-service (SaaS) applications that you intend to provide to multiple organizations. |
| **Any Entra ID Tenant + Personal Microsoft accounts** | For *multitenant* apps that support both organizational and personal Microsoft accounts (for example, Skype, Xbox, Live, Hotmail). |
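
Review bot: The After table shows three rows where the Before table had four: the **Personal Microsoft accounts** option is gone and no replacement row is shown. If the dropdown still offers a personal-accounts-only choice, add its new label; if it doesn't, say so, because the step text still sends readers to the table "for more information on each option". Also check the casing of the new labels against the UI: "Multiple Entra ID tenants" versus "Any Entra ID Tenant + Personal Microsoft accounts".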
Modified by Derdus Kenga on May 14, 2026 12:28 PM
+7 / -8 lines changed
Commit: Fix UI drift in app registration and redirect URI articles
Changes:
Before
After
manager: pmwongera
ms.author: cwerner
ms.custom:
ms.date: 05/23/2025
ms.service: identity-platform
ms.topic: how-to
#Customer intent: As developer, I want to know how to register my application in Microsoft Entra tenant. I want to understand the additional configurations to help make my application secure.
---
 
 
## Add a redirect URI
 
A *redirect URI* is where the Microsoft identity platform sends security tokens after authentication. Redirect URIs are configured in **Platform configurations** in the Microsoft Entra admin center. For **Web** and **Single-page applications**, you need to specify a redirect URI manually. For **Mobile and desktop** platforms, you select from generated redirect URIs.
 
Follow these steps to configure settings based on your target platform or device:
 
1. In the Microsoft Entra admin center, in **App registrations**, select your application.
1. Under **Manage**, select **Authentication**.
1. Under **Platform configurations**, select **Add a platform**.
1. Under **Configure platforms**, select the tile for your application type (platform) to configure its settings.
manager: pmwongera
ms.author: cwerner
ms.custom:
ms.date: 05/14/2026
ms.service: identity-platform
ms.topic: how-to
ai-usage: ai-assisted
#Customer intent: As developer, I want to know how to register my application in Microsoft Entra tenant. I want to understand the additional configurations to help make my application secure.
---
 
 
## Add a redirect URI
 
A *redirect URI* is where the Microsoft identity platform sends security tokens after authentication. Redirect URIs are configured on the **Authentication** page in the Microsoft Entra admin center. For **Web** and **Single-page applications**, you specify a redirect URI manually. For **Mobile and desktop** platforms, you select from generated redirect URIs.
 
Follow these steps to configure settings based on your target platform or device:
 
1. In the Microsoft Entra admin center, in **App registrations**, select your application.
1. Under **Manage**, select **Authentication**.
1. On the **Redirect URI configuration** tab, select **Add Redirect URI**.
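
Review bot: The After steps stop at "select **Add Redirect URI**" and no longer mention choosing a platform, yet the paragraph above still distinguishes **Web**, **Single-page applications** and **Mobile and desktop**, and the lead-in still says "based on your target platform or device". Add the step where the platform type is chosen in the new flow, or reword the introduction so it matches the procedure.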
+9 / -0 lines changed
Commit: Remove DPC branding, rename to system-preferred authentication
Changes:
Before
After
 
If a user's UPN changes, you can no longer modify passkeys (FIDO2) to account for the change. If the user has a passkey (FIDO2), they need to sign in to [Security info](https://mysignins.microsoft.com/security-info), delete the old passkey (FIDO2), and add a new one.
 
## Related content
 
- [Passkeys (FIDO2) authentication method in Microsoft Entra ID](concept-authentication-passkeys-fido2.md)
 
 
 
 
 
 
 
 
 
 
If a user's UPN changes, you can no longer modify passkeys (FIDO2) to account for the change. If the user has a passkey (FIDO2), they need to sign in to [Security info](https://mysignins.microsoft.com/security-info), delete the old passkey (FIDO2), and add a new one.
 
## Next steps
 
After you enable passkey profiles, share end-user registration and sign-in guidance for each passkey type:
 
- **Synced passkeys** — [Register a passkey (FIDO2)](how-to-register-passkey.md) | [Sign in with a passkey (FIDO2)](how-to-sign-in-passkey.md)
- **Passkeys in Microsoft Authenticator** — [Enable passkeys in Authenticator](how-to-enable-authenticator-passkey.md) | [Register a passkey in Authenticator](how-to-register-passkey-authenticator.md) | [Sign in with passkeys in Authenticator](how-to-sign-in-passkey-authenticator.md)
- **Microsoft Entra passkeys on Windows (preview)** — [Enable passkeys on Windows](how-to-authentication-entra-passkeys-on-windows.md)
- **FIDO2 security keys** — [Register a passkey with a security key](how-to-register-passkey-with-security-key.md)
 
## Related content
 
- [Passkeys (FIDO2) authentication method in Microsoft Entra ID](concept-authentication-passkeys-fido2.md)
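
Review bot: This hunk adds a "Next steps" section of passkey registration and sign-in links, which the commit message ("Remove DPC branding, rename to system-preferred authentication") doesn't cover. Mention the added section in the commit message or move it to its own commit. The new section also sits directly above "Related content"; consider whether the two link lists should be one.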
+0 / -6 lines changed
Commit: Fix UI drift in app registration and redirect URI articles
Changes:
Before
After
1. Leave **Redirect URI (optional)** alone for now as you configure a redirect URI in the next section.
1. Select **Register** to complete the initial app registration.
 
:::image type="content" source="../../media/quickstart-register-app/portal-02-app-reg-01.png" alt-text="Screenshot of Microsoft Entra admin center in a web browser, showing the Register an application pane." lightbox="../../media/quickstart-register-app/portal-02-app-reg-01.png":::
 
When registration finishes, the Microsoft Entra admin center displays the app registration's **Overview** pane. You see the **Application (client) ID**. Also called the *client ID*, this value uniquely identifies your application in the Microsoft identity platform.
 
> [!IMPORTANT]
 
Your application's code, or more typically an authentication library used in your application, also uses the client ID. The ID is used as part of validating the security tokens it receives from the identity platform.
 
:::image type="content" source="../../media/quickstart-register-app/portal-03-app-reg-02.png" alt-text="Screenshot of the Microsoft Entra admin center in a web browser, showing an app registration's Overview pane." lightbox="../../media/quickstart-register-app/portal-03-app-reg-02.png":::
 
## Add a redirect URI
 
A *redirect URI* is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.
1. Under **Platform configurations**, select **Add a platform**.
1. Under **Configure platforms**, select the tile for your application type (platform) to configure its settings.
 
:::image type="content" source="/azure/active-directory/develop/media/quickstart-register-app/portal-04-app-reg-03-platform-config.png" alt-text="Screenshot of the platform configuration pane in the Azure portal." border="false":::
1. Leave **Redirect URI (optional)** alone for now as you configure a redirect URI in the next section.
1. Select **Register** to complete the initial app registration.
 
When registration finishes, the Microsoft Entra admin center displays the app registration's **Overview** pane. You see the **Application (client) ID**. Also called the *client ID*, this value uniquely identifies your application in the Microsoft identity platform.
 
> [!IMPORTANT]
 
Your application's code, or more typically an authentication library used in your application, also uses the client ID. The ID is used as part of validating the security tokens it receives from the identity platform.
 
## Add a redirect URI
 
A *redirect URI* is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.
1. Under **Platform configurations**, select **Add a platform**.
1. Under **Configure platforms**, select the tile for your application type (platform) to configure its settings.
 
| Platform | Configuration settings |
| --------- | ---------------------- |
| **Web** | Enter a **Redirect URI** for your app. This URI is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.<br/><br/>Front-channel logout URL and implicit and hybrid flow properties can also be configured.<br/><br/>Select this platform for standard web applications that run on a server. |
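
Review bot: The After steps here still read "Under **Platform configurations**, select **Add a platform**" and "Under **Configure platforms**, select the tile", which is the wording that a commit with the same message replaced in the redirect URI article with "On the **Redirect URI configuration** tab, select **Add Redirect URI**". If the UI changed for both articles, update these steps and the **Web** row of the platform table too; removing only the screenshots leaves text that describes the old layout.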
 
 
Modified by Justinha on Apr 15, 2026 5:42 PM
+1 / -1 lines changed
Commit: Remove DPC branding, rename to system-preferred authentication
Changes:
Before
After
**Service category:** MFA
**Product capability:** 3rd Party Integration
 
Support for external auth methods as a supported method begins rolling out at the beginning of March 2025. When this is live in a tenant where system preferred is enabled and users are in scope of an external auth methods policy, those users will be prompted for their external authentication method if their most secure registered method is Microsoft Authenticator notification. External Authentication Method will appear as third in the list of most secure methods. If the user has a Temporary Access Pass (TAP) or Passkey (FIDO2) device registered, they'll be prompted for those. In addition, users in the scope of an external auth methods policy will have the ability to delete all registered second factor methods from their account, even if the method being deleted is specified as the default sign in method or is system preferred. For more information, see: [System-preferred multifactor authentication - Authentication methods policy](../identity/authentication/concept-system-preferred-multifactor-authentication.md).
 
---
 
**Service category:** MFA
**Product capability:** 3rd Party Integration
 
Support for external auth methods as a supported method begins rolling out at the beginning of March 2025. When this is live in a tenant where system preferred is enabled and users are in scope of an external auth methods policy, those users will be prompted for their external authentication method if their most secure registered method is Microsoft Authenticator notification. External Authentication Method will appear as third in the list of most secure methods. If the user has a Temporary Access Pass (TAP) or Passkey (FIDO2) device registered, they'll be prompted for those. In addition, users in the scope of an external auth methods policy will have the ability to delete all registered second factor methods from their account, even if the method being deleted is specified as the default sign in method or is system preferred. For more information, see: [System-preferred authentication - Authentication methods policy](../identity/authentication/concept-system-preferred-authentication.md).
 
---
 
+1 / -1 lines changed
Commit: Remove DPC branding, rename to system-preferred authentication
Changes:
Before
After
 
Microsoft Entra determines the default MFA method for the user by priority as follows:
 
1. Use [a system-preferred MFA](../identity/authentication/concept-system-preferred-multifactor-authentication.md).
1. Use an MFA set as default on the user by the tenant administrator.
1. User has only one registered MFA method. -->
 
 
Microsoft Entra determines the default MFA method for the user by priority as follows:
 
1. Use [system-preferred authentication](../identity/authentication/concept-system-preferred-authentication.md).
1. Use an MFA set as default on the user by the tenant administrator.
1. User has only one registered MFA method. -->
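
Review bot: The edited list ends with `-->`, so it sits inside an HTML comment and isn't rendered. Confirm that the commented-out block is still needed. If it stays, item 1 now reads "Use system-preferred authentication" while items 2 and 3 still refer to an "MFA" method, so the list mixes the old and new terms.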
 
+1 / -1 lines changed
Commit: Remove DPC branding, rename to system-preferred authentication
Changes:
Before
After
| [Registration campaign](how-to-mfa-registration-campaign.md) | Enabled |
| [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled |
| [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled |
| [System-preferred authentication](concept-system-preferred-multifactor-authentication.md) | Enabled |
| [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Enabled |
| [Report suspicious activity](howto-mfa-mfasettings.md#report-suspicious-activity) | Disabled |
 
| [Registration campaign](how-to-mfa-registration-campaign.md) | Enabled |
| [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled |
| [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled |
| [System-preferred authentication](concept-system-preferred-authentication.md) | Enabled |
| [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Enabled |
| [Report suspicious activity](howto-mfa-mfasettings.md#report-suspicious-activity) | Disabled |
 
+1 / -1 lines changed
Commit: Remove DPC branding, rename to system-preferred authentication
Changes:
Before
After
 
Users who are enabled for external MFA can use it when they sign-in and multifactor authentication is required.
 
If the user has other ways to sign in and [system-preferred authentication](/entra/identity/authentication/concept-system-preferred-multifactor-authentication) is enabled, those other methods appear by default order. The user can choose to use a different method, and then select external MFA. For example, if the user has Authenticator enabled as another method, they get prompted for [number matching](/entra/identity/authentication/how-to-mfa-number-match).
 
:::image type="content" border="true" source="./media/how-to-authentication-external-method-manage/system-preferred.png" alt-text="Screenshot of how to choose an external MFA when system-preferred authentication is enabled.":::
 
 
Users who are enabled for external MFA can use it when they sign-in and multifactor authentication is required.
 
If the user has other ways to sign in and [system-preferred authentication](/entra/identity/authentication/concept-system-preferred-authentication) is enabled, those other methods appear by default order. The user can choose to use a different method, and then select external MFA. For example, if the user has Authenticator enabled as another method, they get prompted for [number matching](/entra/identity/authentication/how-to-mfa-number-match).
 
:::image type="content" border="true" source="./media/how-to-authentication-external-method-manage/system-preferred.png" alt-text="Screenshot of how to choose an external MFA when system-preferred authentication is enabled.":::
 
+1 / -1 lines changed
Commit: Remove DPC branding, rename to system-preferred authentication
Changes:
Before
After
- Your organization needs to enable Authenticator (second factor) push notifications for all users or select groups. We recommend that you enable Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API. Authenticator Lite isn't eligible for on-premises user accounts or organizations with an active MFA server.
 
> [!TIP]
> We recommend that you also enable [system-preferred authentication](concept-system-preferred-multifactor-authentication.md) when you enable Authenticator Lite. With system-preferred authentication enabled, users try to sign in with Authenticator Lite before they try less secure telephony methods like SMS or voice call.
 
- If your organization is using the Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, upgrade to the latest versions for a consistent experience.
- Users enabled for shared device mode on Outlook mobile aren't eligible for Authenticator Lite.
- Your organization needs to enable Authenticator (second factor) push notifications for all users or select groups. We recommend that you enable Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API. Authenticator Lite isn't eligible for on-premises user accounts or organizations with an active MFA server.
 
> [!TIP]
> We recommend that you also enable [system-preferred authentication](concept-system-preferred-authentication.md) when you enable Authenticator Lite. With system-preferred authentication enabled, users try to sign in with Authenticator Lite before they try less secure telephony methods like SMS or voice call.
 
- If your organization is using the Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, upgrade to the latest versions for a consistent experience.
- Users enabled for shared device mode on Outlook mobile aren't eligible for Authenticator Lite.
Modified by Derdus Kenga on May 14, 2026 1:00 PM
+1 / -1 lines changed
Commit: update for native auth
Changes:
Before
After
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
1. Browse to **App registrations** and select the app registration for which you want to enable public client and native authentication flows.
1. Under **Manage**, select **Authentication**.
1. Under **Advanced settings**, allow public client flows:
1. For **Enable the following mobile and desktop flows** select **Yes**.
1. For **Enable native authentication**, select **Yes**.
1. Select the **Save** button.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
1. Browse to **App registrations** and select the app registration for which you want to enable public client and native authentication flows.
1. Under **Manage**, select **Authentication**.
1. On the **Redirect URI configuration** tab, allow public client flows:
1. For **Enable the following mobile and desktop flows** select **Yes**.
1. For **Enable native authentication**, select **Yes**.
1. Select the **Save** button.
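
Review bot: Step 4 now places "allow public client flows" on the **Redirect URI configuration** tab, the same tab the redirect URI article uses for **Add Redirect URI**. Confirm that the **Enable the following mobile and desktop flows** and **Enable native authentication** toggles are on that tab rather than on a separate settings tab, since neither is a redirect URI setting. The commit message "update for native auth" should also say that this is a UI relabel.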