📋 Microsoft Entra Documentation Changes

Daily summary for changes since June 17th 2026, 12:01 AM PDT

Report generated on June 18th 2026, 12:01 AM PDT

📊 Summary

Total commits: 33
New files: 1
Modified files: 52
Deleted files: 0
Contributors: 8

🆕 New Documentation Files

+53 lines added
Commit: Add Private Access Sensor release notes (#13524)

📝 Modified Documentation Files

Modified by Gearoid O'Donnell on Jun 17, 2026 3:25 PM
+63 / -86 lines changed
Commit: Add native authentication cross-links and approach context across External ID docs (P0/P1) (#13186)
Changes:
Before
After
description: Discover the steps for setting up a customer identity and access management (CIAM) solution in an external tenant, including creating a tenant, registering apps, and setting up user flows for sign-in.
ai-usage: ai-assisted
ms.topic: concept-article
ms.date: 04/24/2026
 
ms.custom: it-pro, seo-july-2024
 
 
[!INCLUDE [applies-to-external-only](../includes/applies-to-external-only.md)]
 
Microsoft Entra External ID is a customizable, extensible solution for adding customer identity and access management (CIAM) to your app. Because it's built on the Microsoft Entra platform, you benefit from consistency in app integration, tenant management, and operations across your workforce and customer scenarios. When designing your configuration, it's important to understand the components of an external tenant and the Microsoft Entra features that are available for your customer scenarios.
 
This article provides a general framework for integrating your app and configuring External ID. It describes the capabilities available in an external tenant and outlines the important planning considerations for each step in your integration.
 
Adding secure sign-in to your app and setting up a customer identity and access management involves five main steps:
 
:::image type="content" source="media/concept-planning-your-solution/overview-setup-steps-inline.png" lightbox="media/concept-planning-your-solution/overview-setup-steps-inline.png" alt-text="Diagram showing an overview of the five setup steps: create a tenant, choose an authentication approach, register your application, integrate a sign-in flow, and customize and secure your sign-in.":::
 
This article describes each of these steps and outlines important planning considerations. In the following table, select a **Step** for details and planning considerations, or go directly to the **How-to guides**.
 
description: Discover the steps for setting up a customer identity and access management (CIAM) solution in an external tenant, including creating a tenant, registering apps, and setting up user flows for sign-in.
ai-usage: ai-assisted
ms.topic: concept-article
ms.date: 05/21/2026
 
ms.custom: it-pro, seo-july-2024
 
 
[!INCLUDE [applies-to-external-only](../includes/applies-to-external-only.md)]
 
Microsoft Entra External ID adds customer identity and access management (CIAM) to your app on the Microsoft Entra platform, so you get consistent app integration, tenant management, and operations across workforce and customer scenarios.
 
This article is a decision-making guide for the six planning steps. Each section summarizes the key choices and links to the canonical how-tos and reference docs.
 
:::image type="content" source="media/concept-planning-your-solution/planning-flow-horizontal.png" alt-text="Diagram showing the six setup steps as a horizontal flow: create an external tenant, choose an authentication approach, register your application, integrate a sign-in flow, secure your sign-in, and customize your sign-in.":::
 
Jump to a step for details, or go straight to the **How-to guides**.
 
| Step | How-to guides |
|---------|---------|
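Review bot: the replacement `:::image` element drops the `lightbox` attribute that the previous one carried, so the new six-step diagram will no longer open at full size; if that is unintentional, add `lightbox="media/concept-planning-your-solution/planning-flow-horizontal.png"`. The intro also changes from "five main steps" to "six planning steps" while the diagram alt text now lists "secure your sign-in" and "customize your sign-in" as separate steps, so check that every page that links to this article by step name still matches.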
Modified by shlipsey3 on Jun 17, 2026 9:10 PM
+20 / -17 lines changed
Commit: agent-ga-detections-052926 (#13303)
Changes:
Before
After
title: ID Protection for Agents
description: Learn about how Microsoft Entra ID Protection identifies risky agents.
ms.topic: how-to
ms.date: 04/30/2026
ms.reviewer: etbasser
---
 
# ID Protection for agents (Preview)
 
As organizations adopt, build, and deploy autonomous AI agents, the need to monitor and protect those agents becomes critical. Microsoft Entra ID Protection helps protect your organization by automatically detecting and responding to identity-based risks on agents that have agent identities provided by [Microsoft Entra Agent ID](../agent-id/what-is-microsoft-entra-agent-id.md).
 
 
### Licensing
 
[!INCLUDE [entra-agent-id-license](../includes/licensing-agent-id.md)]
 
## How it works
 
Because agents can operate autonomously and on behalf of (OBO) a user, they can display unique sign-in behavior. Agents can take initiative, interact with sensitive data, and operate at scale. Microsoft Entra ID Protection for agents is designed to identify and mitigate risks associated with these capabilities. The system determines a baseline for an agent's normal activity and then continuously monitors it for anomalies in Microsoft Entra ID. Once an agent exhibits suspicious behavior, ID Protection flags the activity and marks it as risky.
 
title: ID Protection for Agents
description: Learn about how Microsoft Entra ID Protection identifies risky agents.
ms.topic: how-to
ms.date: 06/17/2026
ms.reviewer: etbasser, owinfrey
---
 
# ID Protection for agents
 
As organizations adopt, build, and deploy autonomous AI agents, the need to monitor and protect those agents becomes critical. Microsoft Entra ID Protection helps protect your organization by automatically detecting and responding to identity-based risks on agents that have agent identities provided by [Microsoft Entra Agent ID](../agent-id/what-is-microsoft-entra-agent-id.md).
 
 
### Licensing
 
Starting soon, ID Protection for agents will require a [Microsoft Agent 365 license](https://www.microsoft.com/microsoft-agent-365#plans-and-pricing) to extend protection to agents through [Microsoft Entra Agent ID](../agent-id/what-is-microsoft-entra-agent-id.md#how-to-get-started).
 
## How it works
 
Because agents can operate autonomously and on behalf of a user, they can display unique sign-in behavior. Agents can take initiative, interact with sensitive data, and operate at scale. Microsoft Entra ID Protection for agents identifies and mitigates risks associated with these capabilities. **Learning Mode** automatically suppresses behavioral alerts for agents that lack sufficient activity history, preventing false positives during onboarding and after periods of inactivity. A separate detection runs in parallel to ensure genuinely malicious early-life behavior is still caught. Once an agent exhibits suspicious behavior, ID Protection flags the activity as risky.
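Review bot: "Starting soon" in the Licensing section gives no date, so an admin cannot tell whether the Agent 365 requirement already applies to their tenant; state the effective date or link the announcement. In the How it works paragraph, "A separate detection runs in parallel" catches early-life malicious behavior but is never named; name it or link it to the detection list that the risk-detections page points to, so responders can map it to an event type. The `### Licensing` heading also sits directly under the H1 with no H2, which both versions inherit.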
 
Modified by shlipsey3 on Jun 17, 2026 9:10 PM
+5 / -3 lines changed
Commit: agent-ga-detections-052926 (#13303)
Changes:
Before
After
description: Learn about risk detections and risk levels, including the difference between real-time and offline detections.
ms.service: entra-id-protection
ms.topic: concept-article
ms.date: 07/16/2025
ms.reviewer: cokoopma
 
---
 
> [!NOTE]
> Looking for the **Risk detections mapped to riskEventType** table? It moved to the new [**Risk detection and event types**](concept-identity-protection-risks.md) article.
 
## Agent detections (Preview)
 
The **Risk detections** report includes a dedicated tab for **Agent detections** that displays risk detections specifically for autonomous AI agents using [Microsoft Entra Agent ID](../agent-id/identity-professional/what-is-microsoft-entra-agent-id.md). These detections help identify suspicious activities associated with agents, allowing administrators to monitor and respond to potential threats effectively. For a list of the risk detections associated with agents, see [ID Protection for agents](concept-risky-agents.md#activities-contributing-to-risk).
 
:::image type="content" source="media/concept-risk-detection-types/risk-detections-report.png" alt-text="Screenshot showing the Agent detections column on the risk detections report." lightbox="media/concept-risk-detection-types/risk-detections-report.png":::
 
## Related content
 
- [Learn about risk-based access policies](concept-identity-protection-policies.md)
description: Learn about risk detections and risk levels, including the difference between real-time and offline detections.
ms.service: entra-id-protection
ms.topic: concept-article
ms.date: 06/10/2026
ms.reviewer: etbasser, owinfrey
 
---
 
> [!NOTE]
> Looking for the **Risk detections mapped to riskEventType** table? It moved to the new [**Risk detection and event types**](concept-identity-protection-risks.md) article.
 
## Agent detections
 
The **Risk detections** report includes a dedicated tab for **Agent detections** that displays risk detections specifically for autonomous AI agents using [Microsoft Entra Agent ID](../agent-id/identity-professional/what-is-microsoft-entra-agent-id.md). These detections help identify suspicious activities associated with agents, allowing administrators to monitor and respond to potential threats effectively. For a list of the risk detections associated with agents, see [ID Protection for agents](concept-risky-agents.md#activities-contributing-to-risk).
 
:::image type="content" source="media/concept-risk-detection-types/risk-detections-report.png" alt-text="Screenshot showing the Agent detections column on the risk detections report." lightbox="media/concept-risk-detection-types/risk-detections-report.png":::
 
In agent on-behalf-of flows, where an agent acts using a user's delegated permissions, risky activity is attributed to the **user** rather than the agent. This approach targets remediation at the compromised user session without disrupting the agent for other users. Risk detections in this table apply specifically to autonomous agent activity.
 
## Related content
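Review bot: the new paragraph closes with "Risk detections in this table apply specifically to autonomous agent activity", but this section has no table, only the screenshot and the link to the list in concept-risky-agents.md; reword to refer to the Agent detections tab or to the linked list. The first half of the paragraph (on-behalf-of risk is attributed to the user, not the agent) is the point a responder most needs when triaging, so consider placing it before the screenshot rather than after it, where it reads like a caption.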
+4 / -3 lines changed
Commit: Clarify joiner local administrator behavior
Changes:
Before
After
title: Microsoft Entra Joined Device Local Administrator
description: Microsoft Entra Joined Device Local Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---
 
This role is available for assignment only as an additional local administrator in [Device settings](~/identity/devices/assign-local-admin.md). Users with this role become local machine administrators on all Windows 10 devices that are joined to Microsoft Entra ID. They do not have the ability to manage devices objects in Microsoft Entra ID.
 
<!-- autogenerated content starts here -->
 
> | --- | --- |
> | microsoft.directory/groupSettings/standard/read | Read basic properties on group settings |
> | microsoft.directory/groupSettingTemplates/standard/read | Read basic properties on group setting templates |
 
 
title: Microsoft Entra Joined Device Local Administrator
description: Microsoft Entra Joined Device Local Administrator
ms.topic: include
ms.date: 06/17/2026
ms.custom: include file
---
 
This role is available for assignment only as an additional local administrator in [Device settings](~/identity/devices/assign-local-admin.md). Users with this role become local machine administrators on all Windows 10 or newer devices that are joined to Microsoft Entra ID. They do not have the ability to manage device objects in Microsoft Entra ID.
 
This role is separate from the device registration policy setting that controls whether the user who performs Microsoft Entra join becomes a local administrator on the device they join.
 
<!-- autogenerated content starts here -->
 
> | --- | --- |
> | microsoft.directory/groupSettings/standard/read | Read basic properties on group settings |
> | microsoft.directory/groupSettingTemplates/standard/read | Read basic properties on group setting templates |
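Review bot: the added sentence contrasts this role with "the device registration policy setting" but does not link to where that setting lives; link the Device settings page that the first paragraph already references (`~/identity/devices/assign-local-admin.md`) or the device registration policy resource so the reader can find the toggle. The wording fixes in the first paragraph ("Windows 10 or newer", "device objects") look good.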
Modified by shlipsey3 on Jun 17, 2026 9:10 PM
+4 / -2 lines changed
Commit: agent-ga-detections-052926 (#13303)
Changes:
Before
After
author: kenwith
ms.service: entra-id
ms.topic: include
ms.date: 01/31/2025
ms.author: kenwith
ms.custom: include file,licensing
---
 
[!INCLUDE [Active Directory P1 license](~/includes/entra-p1-license.md)]
 
Customers with [Microsoft 365 Business Premium licenses](/office365/servicedescriptions/office-365-service-descriptions-technet-library) also have access to Conditional Access features.
 
Risk-based policies require access to [Microsoft Entra ID Protection](~/id-protection/overview-identity-protection.md), which is a Microsoft Entra ID P2 feature.
 
Microsoft Entra Suite includes all Microsoft Entra Conditional Access features.
 
Other products and features that could interact with Conditional Access policies require appropriate licensing for those products and features.
 
 
 
author: kenwith
ms.service: entra-id
ms.topic: include
ms.date: 06/10/2026
ms.author: kenwith
ms.custom: include file,licensing
---
 
[!INCLUDE [Active Directory P1 license](~/includes/entra-p1-license.md)]
 
Microsoft Entra Suite includes all Microsoft Entra Conditional Access features.
 
Customers with [Microsoft 365 Business Premium licenses](/office365/servicedescriptions/office-365-service-descriptions-technet-library) also have access to Conditional Access features.
 
Risk-based policies require access to [Microsoft Entra ID Protection](~/id-protection/overview-identity-protection.md), which is a Microsoft Entra ID P2 feature.
 
Starting soon, Conditional Access for agents will require a [Microsoft Agent 365 license](https://www.microsoft.com/microsoft-agent-365#plans-and-pricing) to apply policies to agents through [Microsoft Entra Agent ID](../agent-id/what-is-microsoft-entra-agent-id.md#how-to-get-started).
 
Other products and features that could interact with Conditional Access policies require appropriate licensing for those products and features.
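Review bot: the new Agent 365 sentence has the same undated "Starting soon" as the ID Protection include; give a date or an announcement link. The sentence also uses a folder-relative link (`../agent-id/what-is-microsoft-entra-agent-id.md#how-to-get-started`) while the rest of this include uses `~/`-rooted paths; verify the link resolves from every article that pulls this include in.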
 
Modified by Ken Withee on Jun 17, 2026 5:27 PM
+4 / -1 lines changed
Commit: Clarify joiner local administrator behavior
Changes:
Before
After
description: Explains the steps that are required to implement Microsoft Entra joined devices in your environment.
 
ms.topic: how-to
ms.date: 06/27/2025
ms.reviewer: sandeo
---
# How to: Plan your Microsoft Entra join implementation
| Require device OEM support | No | Yes | No |
| Supported versions | 1511+ | 1709+ | 1703+ |
 
Choose your deployment approach or approaches by reviewing the previous table and reviewing the following considerations for adopting either approach:
 
- Are your users tech savvy to go through the setup themselves?
 
 
 
description: Explains the steps that are required to implement Microsoft Entra joined devices in your environment.
 
ms.topic: how-to
ms.date: 06/17/2026
ms.reviewer: sandeo
---
# How to: Plan your Microsoft Entra join implementation
| Require device OEM support | No | Yes | No |
| Supported versions | 1511+ | 1709+ | 1703+ |
 
> [!NOTE]
> In self-service setup, the user who completes Microsoft Entra join becomes the device's primary user and is a local administrator on that device by default. This local administrator status applies to the device only. It doesn't grant a Microsoft Entra directory role. For Windows Autopilot, the user account type is configurable. Bulk enrollment doesn't add users who sign in after the device is joined to the local Administrators group.
 
Choose your deployment approach or approaches by reviewing the previous table and reviewing the following considerations for adopting either approach:
 
- Are your users tech savvy to go through the setup themselves?
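Review bot: the new note says "For Windows Autopilot, the user account type is configurable" without saying where; link the Autopilot profile guidance the sibling how-to in this change uses (`/autopilot/enrollment-autopilot#create-an-autopilot-deployment-profile`). The note also presents the joining user becoming a local administrator as a fixed default, while the device settings page in this same change documents a device registration policy setting that controls it; a pointer to that setting would stop readers concluding the only way out is Autopilot or bulk enrollment.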
Modified by Ken Withee on Jun 17, 2026 5:27 PM
+3 / -2 lines changed
Commit: Clarify joiner local administrator behavior
Changes:
Before
After
title: Manage devices in Microsoft Entra ID using the Microsoft Entra admin center
description: This article describes how to use the Microsoft Entra admin center to manage device identities and monitor related event information.
ms.topic: how-to
ms.date: 02/03/2026
ms.reviewer: myra-ramdenbourg
ms.custom: sfi-image-nochange
---
> [!NOTE]
> The **Maximum number of devices** setting applies to devices that are either Microsoft Entra joined or Microsoft Entra registered. This setting doesn't apply to Microsoft Entra hybrid joined devices.
 
- **Manage Additional local administrators on Microsoft Entra joined devices**: This setting allows you to select the users who are granted local administrator rights on a device. These users are added to the Device Administrators role in Microsoft Entra ID.
- **Enable Microsoft Entra Local Administrator Password Solution (LAPS) (preview)**: LAPS is the management of local account passwords on Windows devices. LAPS provides a solution to securely manage and retrieve the built-in local admin password. With cloud version of LAPS, customers can enable storing and rotation of local admin passwords for both Microsoft Entra ID and Microsoft Entra hybrid join devices. To learn how to manage LAPS in Microsoft Entra ID, see [the overview article](howto-manage-local-admin-passwords.md).
 
- **Restrict non-admin users from recovering the BitLocker key(s) for their owned devices**: Admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission are unable to view or copy their BitLocker key(s) for their owned devices. You must be at least a [Privileged Role Administrator](../role-based-access-control/permissions-reference.md#privileged-role-administrator) to update this setting.
 
title: Manage devices in Microsoft Entra ID using the Microsoft Entra admin center
description: This article describes how to use the Microsoft Entra admin center to manage device identities and monitor related event information.
ms.topic: how-to
ms.date: 06/17/2026
ms.reviewer: myra-ramdenbourg
ms.custom: sfi-image-nochange
---
> [!NOTE]
> The **Maximum number of devices** setting applies to devices that are either Microsoft Entra joined or Microsoft Entra registered. This setting doesn't apply to Microsoft Entra hybrid joined devices.
 
- **Manage Additional local administrators on Microsoft Entra joined devices**: This setting lets you select users who are granted local administrator rights on all Microsoft Entra joined devices in the tenant. These users are assigned to the Microsoft Entra Joined Device Local Administrator role, which applies tenant-wide.
- **Registering user is added as local administrator on the device during Microsoft Entra join**: This setting controls whether users who perform Microsoft Entra join are added to the local Administrators group on the device they join. This setting affects local device administrator membership only. It doesn't assign a Microsoft Entra directory role, such as Global Administrator, and it doesn't add the user to the Microsoft Entra Joined Device Local Administrator role. To verify the result, check the local Administrators group on the device or use a device management tool. In Microsoft Graph, this setting is represented by the `azureADJoin.localAdmins.registeringUsers` property of the [device registration policy](/graph/api/resources/deviceregistrationpolicy).
- **Enable Microsoft Entra Local Administrator Password Solution (LAPS) (preview)**: LAPS is the management of local account passwords on Windows devices. LAPS provides a solution to securely manage and retrieve the built-in local admin password. With cloud version of LAPS, customers can enable storing and rotation of local admin passwords for both Microsoft Entra ID and Microsoft Entra hybrid join devices. To learn how to manage LAPS in Microsoft Entra ID, see [the overview article](howto-manage-local-admin-passwords.md).
 
- **Restrict non-admin users from recovering the BitLocker key(s) for their owned devices**: Admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission are unable to view or copy their BitLocker key(s) for their owned devices. You must be at least a [Privileged Role Administrator](../role-based-access-control/permissions-reference.md#privileged-role-administrator) to update this setting.
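Review bot: the new "Registering user is added as local administrator" bullet never states the setting's default (the local-administrators how-to in this same change says the joining user is added by default), so an admin reading only this page cannot tell whether they need to change anything; state the default and the recommended hardening. The Graph reference (`azureADJoin.localAdmins.registeringUsers` on the device registration policy) is the useful part for auditing at scale; keep it and consider also noting which directory role can change the setting, as the BitLocker bullet does.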
Modified by Gearoid O'Donnell on Jun 17, 2026 3:25 PM
+3 / -2 lines changed
Commit: Add native authentication cross-links and approach context across External ID docs (P0/P1) (#13186)
Changes:
Before
After
title: Frequently asked questions
description: Find answers to frequently asked questions about Microsoft Entra External ID. Learn about pricing, features, and the future of Azure AD B2C and External Identities.
ms.topic: faq
ms.date: 01/06/2026
ms.custom: it-pro
---
 
 
### Can I build a fully custom authentication sign-in experience?
 
[Native authentication](concept-native-authentication.md) empowers you to take complete control over the design of the sign-in experience of your mobile applications. It allows you to craft stunning, pixel-perfect authentication screens that are seamlessly integrated into your apps, rather than relying on browser-based solutions. Read more in our [blog](https://devblogs.microsoft.com/identity/native-auth-for-external-id/).
 
### What integrations does External ID support for developers?
 
 
title: Frequently asked questions
description: Find answers to frequently asked questions about Microsoft Entra External ID. Learn about pricing, features, and the future of Azure AD B2C and External Identities.
ms.topic: faq
ms.date: 05/20/2026
ai-usage: ai-assisted
ms.custom: it-pro
---
 
 
### Can I build a fully custom authentication sign-in experience?
 
Yes. Microsoft Entra External ID supports two authentication approaches: **browser-delegated authentication**, which redirects users to a Microsoft-hosted sign-in page, and **native authentication**, which lets you build the sign-in UI directly into your app. Native authentication gives you full control over the sign-in experience for mobile and single-page applications but requires more development effort and shared security responsibility. To compare both approaches and decide which is right for your app, see [Choose an authentication approach](concept-choose-authentication-approach.md).
 
### What integrations does External ID support for developers?
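Review bot: "shared security responsibility" is left unexplained; since the paragraph already says native authentication puts the sign-in UI inside your app instead of a Microsoft-hosted page, one clause on what the app therefore becomes responsible for (presumably credential handling in its own UI) or an anchor into the linked comparison article would help a reader decide. The rewrite also drops the blog link the previous answer carried; if it is still current, keep it as further reading.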
 
Modified by shlipsey3 on Jun 17, 2026 9:12 PM
+1 / -2 lines changed
Commit: agent-id-metadata1 (#13532)
Changes:
Before
After
title: Secure an Amazon Bedrock agent with Microsoft Entra Agent ID
titleSuffix: Microsoft Entra Agent ID
description: Learn how to use the Microsoft Entra Auth SDK (sidecar) to secure an Amazon Bedrock AI agent with its own identity for calling downstream APIs.
ms.service: entra
ms.topic: how-to
ms.date: 04/30/2026
ms.reviewer: razi.rais
ms.custom: agent-id, msecd-doc-authoring-1012
 
#customer intent: As a developer building AI agents on Amazon Bedrock, I want to secure my agent with Microsoft Entra Agent ID so that it can call downstream APIs with its own identity.
---
title: Secure an Amazon Bedrock agent with Microsoft Entra Agent ID
titleSuffix: Microsoft Entra Agent ID
description: Learn how to use the Microsoft Entra Auth SDK (sidecar) to secure an Amazon Bedrock AI agent with its own identity for calling downstream APIs.
ms.topic: how-to
ms.date: 04/30/2026
ms.reviewer: razi.rais
ms.custom: msecd-doc-authoring-1012
 
#customer intent: As a developer building AI agents on Amazon Bedrock, I want to secure my agent with Microsoft Entra Agent ID so that it can call downstream APIs with its own identity.
---
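Review bot: `ms.service: entra` is removed with no replacement in the visible front matter; confirm the value is inherited from the folder's docfx metadata, otherwise the page loses its service classification. The `agent-id` tag is dropped from `ms.custom` at the same time; if that tag drove any reporting or feedback filters, say what replaces it, since the commit message ("agent-id-metadata1") gives no rationale.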
 
Modified by shlipsey3 on Jun 17, 2026 9:12 PM
+1 / -2 lines changed
Commit: agent-id-metadata1 (#13532)
Changes:
Before
After
title: Secure an n8n agent with Microsoft Entra Agent ID
titleSuffix: Microsoft Entra Agent ID
description: Deploy n8n on Azure Container Apps and secure AI agent workflows with Microsoft Entra Agent ID and Microsoft Graph MCP Server for Enterprise.
ms.service: entra
ms.topic: how-to
ms.date: 06/15/2026
author: Dickson-Mwendia
ms.author: dmwendia
ms.reviewer: astaykov
ms.custom: agent-id, msecd-doc-authoring-1013
ai-usage: ai-assisted
 
#customer intent: As a developer or IT admin, I want to secure n8n workflows with Microsoft Entra Agent ID so that my n8n agents can access Microsoft Graph and MCP Server for Enterprise using agent identities.
title: Secure an n8n agent with Microsoft Entra Agent ID
titleSuffix: Microsoft Entra Agent ID
description: Deploy n8n on Azure Container Apps and secure AI agent workflows with Microsoft Entra Agent ID and Microsoft Graph MCP Server for Enterprise.
ms.topic: how-to
ms.date: 06/15/2026
author: Dickson-Mwendia
ms.author: dmwendia
ms.reviewer: astaykov
ms.custom: msecd-doc-authoring-1013
ai-usage: ai-assisted
 
#customer intent: As a developer or IT admin, I want to secure n8n workflows with Microsoft Entra Agent ID so that my n8n agents can access Microsoft Graph and MCP Server for Enterprise using agent identities.
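Review bot: same metadata removal as the Bedrock article in this commit (`ms.service: entra` and the `agent-id` custom tag); whatever resolution is agreed there should be applied here too so the two Agent ID how-tos stay consistent.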
 
Modified by shlipsey3 on Jun 17, 2026 9:10 PM
+2 / -1 lines changed
Commit: agent-ga-detections-052926 (#13303)
Changes:
Before
After
ms.custom: include file,licensing
---
 
 
[!INCLUDE [Microsoft Entra ID P2 license](~/includes/entra-p2-license.md)]
 
| Capability | Details | Microsoft Entra ID Free / Microsoft 365 Apps | Microsoft Entra ID P1 | Microsoft Entra ID P2 / Microsoft Entra Suite |
| --- | --- | --- | --- | --- |
| Risk policies | Sign-in and user risk policies (via Conditional Access) | No | No | Yes |
 
ms.custom: include file,licensing
---
 
[!INCLUDE [Microsoft Entra ID P2 license](~/includes/entra-p2-license.md)]
 
Starting soon, ID Protection for agents will require a [Microsoft Agent 365 license](https://www.microsoft.com/microsoft-agent-365#plans-and-pricing) to extend protection to agents through [Microsoft Entra Agent ID](../agent-id/what-is-microsoft-entra-agent-id.md#how-to-get-started).
 
| Capability | Details | Microsoft Entra ID Free / Microsoft 365 Apps | Microsoft Entra ID P1 | Microsoft Entra ID P2 / Microsoft Entra Suite |
| --- | --- | --- | --- | --- |
| Risk policies | Sign-in and user risk policies (via Conditional Access) | No | No | Yes |
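Review bot: the new Agent 365 sentence sits directly above a capability table whose columns are Free / P1 / P2 and Suite, with no row or column for agents, so it reads as a caption to a table it contradicts; either add a row for agent protection that shows the Agent 365 requirement or move the sentence below the table as an explicit exception. "Starting soon" also needs a date, as in the other licensing includes in this change.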
Modified by Ken Withee on Jun 17, 2026 5:27 PM
+2 / -1 lines changed
Commit: Clarify joiner local administrator behavior
Changes:
Before
After
title: How to manage local administrators on Microsoft Entra joined devices
description: Learn how to assign Azure roles to the local administrators group of a Windows device.
ms.topic: how-to
ms.date: 04/03/2026
ms.reviewer:
ms.custom: sfi-ga-nochange
#Customer intent: As an IT admin, I want to manage the local administrators group assignment during a Microsoft Entra join, so that I can control who can manage Microsoft Entra joined devices
 
By default, Microsoft Entra ID adds the user performing the Microsoft Entra join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:
 
- [Windows Autopilot](/autopilot/windows-autopilot) - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by [creating an Autopilot profile](/autopilot/enrollment-autopilot#create-an-autopilot-deployment-profile).
- [Bulk enrollment](/mem/intune/enrollment/windows-bulk-enroll) - a Microsoft Entra join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device is joined aren't added to the administrators group.
 
 
title: How to manage local administrators on Microsoft Entra joined devices
description: Learn how to assign Azure roles to the local administrators group of a Windows device.
ms.topic: how-to
ms.date: 06/17/2026
ms.reviewer:
ms.custom: sfi-ga-nochange
#Customer intent: As an IT admin, I want to manage the local administrators group assignment during a Microsoft Entra join, so that I can control who can manage Microsoft Entra joined devices
 
By default, Microsoft Entra ID adds the user performing the Microsoft Entra join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:
 
- **Device registration policy** - The device registration policy controls whether users who perform Microsoft Entra join become local administrators on the devices they join. This setting affects membership in the local Administrators group on the joined device. It doesn't assign a Microsoft Entra directory role, such as Global Administrator, and it doesn't add the user to the Microsoft Entra Joined Device Local Administrator role. In Microsoft Graph, this setting is represented by the `azureADJoin.localAdmins.registeringUsers` property of the [device registration policy](/graph/api/resources/deviceregistrationpolicy).
- [Windows Autopilot](/autopilot/windows-autopilot) - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by [creating an Autopilot profile](/autopilot/enrollment-autopilot#create-an-autopilot-deployment-profile).
- [Bulk enrollment](/mem/intune/enrollment/windows-bulk-enroll) - a Microsoft Entra join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device is joined aren't added to the administrators group.
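Review bot: the new Device registration policy bullet is bold text while the two options below it are links, and it explains what the setting does but not where to change it; link it to the Device settings page (as the include file in this same change does) and keep the bullet format consistent. The intro sentence above it still states the local-administrator default unconditionally; a short "unless the device registration policy is changed" would align it with the new bullet.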
 
+3 / -0 lines changed
Commit: Clarify entitlement manager admin center access
Changes:
Before
After
 
In entitlement management, you can see who is assigned to access packages, their policy, status, and identity lifecycle (preview). If an access package has an appropriate policy, you can also directly assign identities to an access package. This article describes how to view, add, and remove assignments for access packages.
 
## View who has an assignment
 
 
 
 
 
 
In entitlement management, you can see who is assigned to access packages, their policy, status, and identity lifecycle (preview). If an access package has an appropriate policy, you can also directly assign identities to an access package. This article describes how to view, add, and remove assignments for access packages.
 
> [!NOTE]
> These Microsoft Entra admin center steps require the signed-in user to be able to access the Microsoft Entra admin center. Entitlement management roles, such as Access package assignment manager, authorize assignment-management actions within entitlement management, but they don't by themselves change tenant-wide access settings for the admin center. If the **Restrict access to Microsoft Entra administration portal** user setting is enabled, verify that the delegated user can access the admin center, or use an authorized programmatic method. For more information about this setting, see [Default user permissions](../fundamentals/users-default-permissions.md).
 
## View who has an assignment
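Review bot: "use an authorized programmatic method" is vague; name it (the entitlement management API in Microsoft Graph) so a delegated user who is blocked by the portal restriction has a concrete alternative. The same note text is being added to at least two other entitlement management pages in this commit; consider a shared include file, as the licensing sections elsewhere in these docs already use, so the copies do not drift.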
 
 
+3 / -0 lines changed
Commit: Clarify entitlement manager admin center access
Changes:
Before
After
 
Guest users that already existed in your tenant by being invited are ungoverned. After an ungoverned guest that requests access packages lose their last access package assignment, they'll remain in the tenant indefinitely. If there are guests that have an access package assignment, and only need access from that access package, and there's no other need for them to remain in the tenant, you can convert them to be governed during the time they have that access package assignment. You can directly convert those ungoverned users to be governed by using the **Mark Guests as Governed** functionality in the top menu bar of an access package.
 
## Manage guest user lifecycle in the Microsoft Entra admin center
 
 
 
 
 
 
Guest users that already existed in your tenant by being invited are ungoverned. After an ungoverned guest that requests access packages lose their last access package assignment, they'll remain in the tenant indefinitely. If there are guests that have an access package assignment, and only need access from that access package, and there's no other need for them to remain in the tenant, you can convert them to be governed during the time they have that access package assignment. You can directly convert those ungoverned users to be governed by using the **Mark Guests as Governed** functionality in the top menu bar of an access package.
 
> [!NOTE]
> Managing guest user lifecycle from access package assignments in the Microsoft Entra admin center requires the signed-in user to be able to access the admin center. Entitlement management roles, such as Access package assignment manager, authorize assignment-management actions within entitlement management, but they don't by themselves change tenant-wide access settings for the admin center. If the **Restrict access to Microsoft Entra administration portal** user setting is enabled, verify that the delegated user can access the admin center, or use an authorized programmatic method. For more information about this setting, see [Default user permissions](../fundamentals/users-default-permissions.md).
 
## Manage guest user lifecycle in the Microsoft Entra admin center
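Review bot: this note duplicates, almost word for word, the note added to the assignments article in the same commit; fold both into one include file rather than maintaining two hand-edited copies. "Use an authorized programmatic method" should also name the method, as noted on the sibling page.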
 
 
Modified by Ken Withee on Jun 17, 2026 5:08 PM
+3 / -0 lines changed
Commit: Clarify entitlement manager admin center access
Changes:
Before
After
 
To determine the least privileged role for a task, you can also reference [Least privileged roles by task in Microsoft Entra ID](../identity/role-based-access-control/delegate-by-task.md#entitlement-management-least-privileged-roles).
 
> [!NOTE]
> Identities that have been assigned the Access package assignment manager role will no longer be able to bypass approval settings when directly assigning an identity if the access package policy requires approval. If you have a scenario in which you need to bypass approval, we recommend creating a second policy on the access package that does not require approval and is scoped only to identities who need access.
 
 
 
 
 
To determine the least privileged role for a task, you can also reference [Least privileged roles by task in Microsoft Entra ID](../identity/role-based-access-control/delegate-by-task.md#entitlement-management-least-privileged-roles).
 
> [!NOTE]
> Entitlement management roles authorize actions within entitlement management, but they don't by themselves change tenant-wide access settings for the Microsoft Entra admin center. If the **Restrict access to Microsoft Entra administration portal** user setting is enabled, a delegated user might need to be allowed to access the Microsoft Entra admin center before they can complete admin center tasks such as viewing, adding, removing, or reprocessing access package assignments. For more information about this setting, see [Default user permissions](../fundamentals/users-default-permissions.md).
 
> [!NOTE]
> Identities that have been assigned the Access package assignment manager role will no longer be able to bypass approval settings when directly assigning an identity if the access package policy requires approval. If you have a scenario in which you need to bypass approval, we recommend creating a second policy on the access package that does not require approval and is scoped only to identities who need access.
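Review bot: two consecutive `[!NOTE]` callouts at the same position is noisy; merge the new admin-center access note into the existing approval-bypass note, or move it into the shared include suggested for the other two pages touched by this commit. The new note's list of affected tasks ("viewing, adding, removing, or reprocessing access package assignments") is the most concrete of the three copies, so if an include is created, use this wording.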