πŸ“‹ Microsoft Entra Documentation Changes

Daily summary for changes since May 18th 2026, 11:17 PM PDT

Report generated on May 19th 2026, 11:17 PM PDT

πŸ“Š Summary

13
Total Commits
0
New Files
5
Modified Files
0
Deleted Files
6
Contributors

πŸ“ Modified Documentation Files

MODIFIED docs/global-secure-access/overview-what-is-global-secure-access.md
Modified by Dr Bill Mcilhargey on May 19, 2026 1:44 PM
πŸ“– View on learn.microsoft.com
+34 / -24 lines changed
Commit: Update feature comparison table with links and licensing notes
Changes:
Before
After
 
### Feature comparison table
 
| Feature | Entra P1/P2 License - Microsoft traffic profile | Internet Access License* - Internet Access profile | Private Access License* - Private Access profile |
|----------------------------------|:----------------------------------------------:|:-------------------------------------------------:|:-----------------------------------------------:|
| Windows client | βœ… | βœ… | βœ… |
| macOS client | βœ… | βœ… | βœ… |
| Mobile client (iOS, Android) | βœ… | βœ… | βœ… |
| Traffic logs | βœ… | βœ… | βœ… |
| Remote network (branch connectivity) | βœ… | βœ… | |
| Universal Tenant Restrictions | βœ… | | |
| Compliant network check | βœ… | | |
| Source IP restoration | βœ… | | |
| Microsoft 365 Enriched logs | βœ… | | |
| Universal Conditional Access (CA)| βœ… | βœ… | |
| Context-aware network security | | βœ… | |
| Web category filtering | | βœ… | |
| Fully qualified domain name (FQDN) filtering | | βœ… | |
| Universal Continuous Access Evaluation (CAE) | βœ… | βœ… | βœ… |
| VPN replacement with an identity-centric ZTNA | | | βœ… |
 
### Feature comparison table
 
| Feature | Entra P1/P2 License - Microsoft traffic profile | Internet Access LicenseΒΉ - Internet Access profile | Private Access LicenseΒΉ - Private Access profile |
|----------------------------------|:----------------------------------------------:|:-------------------------------------------------:|:-----------------------------------------------:|
| [Windows client](how-to-install-windows-client.md) | βœ… | βœ… | βœ… |
| [macOS client](how-to-install-macos-client.md) | βœ… | βœ… | βœ… |
| Mobile client ([iOS](how-to-install-ios-client.md), [Android](how-to-install-android-client.md)) | βœ… | βœ… | βœ… |
| [Traffic logs (Preview)](how-to-view-traffic-logs.md) | βœ… | βœ… | βœ… |
| [Remote network (branch connectivity)](concept-remote-network-connectivity.md) | βœ… | βœ… | |
| [Direct Microsoft services connectivity](how-to-manage-microsoft-profile.md) | βœ… | | |
| [Universal Tenant Restrictions](how-to-universal-tenant-restrictions.md) | βœ… | | |
| [Compliant network check](how-to-compliant-network.md) | βœ… | | |
| [Source IP restoration](how-to-source-ip-restoration.md) | βœ… | | |
| [Microsoft 365 Enriched logs](how-to-view-enriched-logs.md) | βœ… | | |
| [Universal Conditional Access (CA)](concept-universal-conditional-access.md)| βœ… | βœ… | |
| [Context-aware network security](concept-internet-access.md) | | βœ… | |
| [Web category filtering](how-to-configure-web-content-filtering.md) | | βœ… | |
| [Fully qualified domain name (FQDN) filtering](how-to-configure-web-content-filtering.md) | | βœ… | |
| [TLS inspection](tutorial-internet-access-tls-inspection.md) | | βœ… | |
MODIFIED docs/identity/conditional-access/controls.md
Modified by shlipsey3 on May 19, 2026 6:15 PM
πŸ“– View on learn.microsoft.com
+2 / -4 lines changed
Commit: pm-revision
Changes:
Before
After
title: Custom controls in Microsoft Entra Conditional Access
description: Learn how custom controls in Microsoft Entra Conditional Access work.
ms.topic: concept-article
ms.date: 05/13/2026
ms.reviewer: gkinasewitz
ms.custom: sfi-image-nochange
---
Custom controls are a preview capability of Microsoft Entra ID. When you use custom controls, users are redirected to a compatible service to meet authentication requirements outside of Microsoft Entra ID. To meet this control, a user's browser redirects to the external service, performs any required authentication, and then redirects back to Microsoft Entra ID. Microsoft Entra ID verifies the response and, if the user is successfully authenticated or validated, the user continues in the Conditional Access flow.
 
> [!IMPORTANT]
> Custom controls are deprecated and scheduled for retirement in late 2026. External MFA (previously known as external authentication methods) is now generally available and replaces custom controls. Existing custom controls continue to function during the transition period, but new implementations should use external MFA. Start planning your migration now.
>
> For step-by-step migration instructions, see [Migrate from custom controls to external MFA](how-to-migrate-custom-controls-external-mfa.md).
 
For more information, see [Manage external MFA in Microsoft Entra ID](../authentication/how-to-authentication-external-method-manage.md).
 
title: Custom controls in Microsoft Entra Conditional Access
description: Learn how custom controls in Microsoft Entra Conditional Access work.
ms.topic: concept-article
ms.date: 05/19/2026
ms.reviewer: gkinasewitz
ms.custom: sfi-image-nochange
---
Custom controls are a preview capability of Microsoft Entra ID. When you use custom controls, users are redirected to a compatible service to meet authentication requirements outside of Microsoft Entra ID. To meet this control, a user's browser redirects to the external service, performs any required authentication, and then redirects back to Microsoft Entra ID. Microsoft Entra ID verifies the response and, if the user is successfully authenticated or validated, the user continues in the Conditional Access flow.
 
> [!IMPORTANT]
> Custom controls are deprecated. Adding new custom controls and editing existing custom controls will not be allowed starting September 2026. Full retirement is scheduled for early 2027. Start planning your migration now. For more information, see the [External MFA GA announcement](https://techcommunity.microsoft.com/blog/microsoft-entra-blog/external-mfa-in-microsoft-entra-id-is-now-generally-available/4488926).
 
For more information, see [Manage external MFA in Microsoft Entra ID](../authentication/how-to-authentication-external-method-manage.md).
 
 
 
MODIFIED docs/agent-id/agent-owners-sponsors-managers.md
Modified by Dr Bill Mcilhargey on May 19, 2026 12:41 PM
πŸ“– View on learn.microsoft.com
+3 / -3 lines changed
Commit: Update agent-owners-sponsors-managers.md to clarify owner and sponsor roles, including support for guest users
Changes:
Before
After
 
## Owners
 
Owners usually serve as technical administrators for agents, handling operational and configuration aspects. Individual users and service principals can be set as owners. Groups aren't supported as owners. Service principals as owners enable automated management of agent identities. Owners are optional for agent identity blueprints and agent identities.
 
### Owner responsibilities
 
 
Sponsors provide business accountability for agents, making lifecycle decisions without technical administrative access. They understand the business purpose of the agent, and they can determine whether an agent is still needed or requires access. Sponsors are required for agent identity blueprints and agent identities, ensuring every agent has a designated business owner.
 
Sponsorship should be maintained ensuring succession when an employee who's a sponsor moves or leaves. Both users and groups can be assigned as sponsors. When a group is assigned, all members of the group have sponsor rights over the Agent ID object. Not all group types are supported as sponsors. The following group types are allowed:
 
- Dynamic membership groups (security or Microsoft 365)
- Assigned membership groups (Microsoft 365)
 
| | Agent user account sponsors | Agent identity, blueprint, blueprint principal sponsors |
|--|--|--|
| **Allowed types** | Users, groups (any) | Users, select groups (dynamic membership, Microsoft 365). Role-assignable groups not supported. |
| **Limits** | Maximum 5 sponsors | Maximum 100 sponsors, with no more than 5 groups |
| **Authorization** | No direct authorization to modify sponsors users | Delete or disable the agent identity and modify its sponsors |
 
## Owners
 
Owners usually serve as technical administrators for agents, handling operational and configuration aspects. Individual users (including guest users) and service principals can be set as owners. Groups aren't supported as owners. Service principals as owners enable automated management of agent identities. Owners are optional for agent identity blueprints and agent identities.
 
### Owner responsibilities
 
 
Sponsors provide business accountability for agents, making lifecycle decisions without technical administrative access. They understand the business purpose of the agent, and they can determine whether an agent is still needed or requires access. Sponsors are required for agent identity blueprints and agent identities, ensuring every agent has a designated business owner.
 
Sponsorship should be maintained ensuring succession when an employee who's a sponsor moves or leaves. Both users (including guest users) and groups can be assigned as sponsors. When a group is assigned, all members of the group have sponsor rights over the Agent ID object. Not all group types are supported as sponsors. The following group types are allowed:
 
- Dynamic membership groups (security or Microsoft 365)
- Assigned membership groups (Microsoft 365)
 
| | Agent user account sponsors | Agent identity, blueprint, blueprint principal sponsors |
|--|--|--|
| **Allowed types** | Users (including guests), groups (any) | Users (including guests), select groups (dynamic membership, Microsoft 365). Role-assignable groups not supported. |
| **Limits** | Maximum 5 sponsors | Maximum 100 sponsors, with no more than 5 groups |
| **Authorization** | No direct authorization to modify sponsors users | Delete or disable the agent identity and modify its sponsors |
MODIFIED docs/identity/conditional-access/how-to-migrate-custom-controls-external-mfa.md
Modified by shlipsey3 on May 19, 2026 6:15 PM
πŸ“– View on learn.microsoft.com
+2 / -2 lines changed
Commit: pm-revision
Changes:
Before
After
title: Migrate from custom controls to external MFA in Conditional Access
description: Learn how to migrate from custom controls to external multifactor authentication in Microsoft Entra Conditional Access.
ms.topic: how-to
ms.date: 05/13/2026
ms.author: sarahlipsey
author: shlipsey3
manager: pmwongera
External multifactor authentication (MFA) lets users choose an external provider to meet MFA requirements when they sign in with a work or school account. Custom controls in Microsoft Entra Conditional Access previously provided similar functionality, but with the general availability of external MFA (previously known as external authentication methods), custom controls are deprecated and scheduled for retirement. This guide provides the steps to migrate existing custom control Conditional Access policies to external MFA.
 
> [!IMPORTANT]
> Custom controls are deprecated and will be retired in September 2026. Start planning your migration now. For more information, see the [External MFA GA announcement](https://techcommunity.microsoft.com/blog/microsoft-entra-blog/external-mfa-in-microsoft-entra-id-is-now-generally-available/4488926).
 
*This guide is relevant only if your organization currently uses custom controls. If you don't use custom controls, no action is needed.*
 
title: Migrate from custom controls to external MFA in Conditional Access
description: Learn how to migrate from custom controls to external multifactor authentication in Microsoft Entra Conditional Access.
ms.topic: how-to
ms.date: 05/19/2026
ms.author: sarahlipsey
author: shlipsey3
manager: pmwongera
External multifactor authentication (MFA) lets users choose an external provider to meet MFA requirements when they sign in with a work or school account. Custom controls in Microsoft Entra Conditional Access previously provided similar functionality, but with the general availability of external MFA (previously known as external authentication methods), custom controls are deprecated and scheduled for retirement. This guide provides the steps to migrate existing custom control Conditional Access policies to external MFA.
 
> [!IMPORTANT]
> Custom controls are deprecated. Adding new custom controls and editing existing custom controls will not be allowed starting September 2026. Full retirement is scheduled for early 2027. Start planning your migration now. For more information, see the [External MFA GA announcement](https://techcommunity.microsoft.com/blog/microsoft-entra-blog/external-mfa-in-microsoft-entra-id-is-now-generally-available/4488926).
 
*This guide is relevant only if your organization currently uses custom controls. If you don't use custom controls, no action is needed.*
 
MODIFIED docs/global-secure-access/scripts/powershell-windows-client-install-proof-of-concept.md
Modified by Jeffrey Bley on May 19, 2026 1:01 PM
πŸ“– View on learn.microsoft.com
+1 / -1 lines changed
Commit: Fix typo in Chrome DoH settings PowerShell script
Changes:
Before
After
@{ Key="HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name="BuiltInDnsClientEnabled"; Type="DWord"; Value=0 },
@{ Key="HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name="QuicAllowed"; Type="DWord"; Value=0 },
# Chrome DoH and QUIC settings
@{ Key="HKLM:\SOFTWARE\Policies\Google\Chrome"; Name="DnsOverHttpsMode"; ype="String"; Value="off" },
@{ Key="HKLM:\SOFTWARE\Policies\Google\Chrome"; Name="QuicAllowed"; Type="DWord"; Value=0 }
)
# --- Track whether the IPv4-preferred setting was already correct ---
@{ Key="HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name="BuiltInDnsClientEnabled"; Type="DWord"; Value=0 },
@{ Key="HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name="QuicAllowed"; Type="DWord"; Value=0 },
# Chrome DoH and QUIC settings
@{ Key="HKLM:\SOFTWARE\Policies\Google\Chrome"; Name="DnsOverHttpsMode"; Type="String"; Value="off" },
@{ Key="HKLM:\SOFTWARE\Policies\Google\Chrome"; Name="QuicAllowed"; Type="DWord"; Value=0 }
)
# --- Track whether the IPv4-preferred setting was already correct ---

πŸ€– This report was automatically generated by the Entra Docs Monitor

πŸ“§ Delivered to merill@merill.net

πŸ”— Visit Repository