📋 Microsoft Entra Documentation Changes

Daily summary for changes since June 29th 2026, 11:41 PM PDT

Report generated on June 30th 2026, 11:41 PM PDT

📊 Summary

20
Total Commits
7
New Files
13
Modified Files
0
Deleted Files
8
Contributors

🆕 New Documentation Files

+161 lines added
Commit: idp-unified-risk-061726 (#13538)
+113 lines added
Commit: Add GSA Microsoft traffic tutorials (#13603)
+78 lines added
Commit: Add GSA Microsoft traffic tutorials (#13603)
+77 lines added
Commit: Add GSA Microsoft traffic tutorials (#13603)
+71 lines added
Commit: Add GSA Microsoft traffic tutorials (#13603)
+70 lines added
Commit: Add GSA Microsoft traffic tutorials (#13603)
+61 lines added
Commit: Add OIDC API reference and OIDC extensibility reference (#12865)

📝 Modified Documentation Files

Modified by learn-build-service-prod[bot] on Jun 30, 2026 4:34 PM
📖 View on learn.microsoft.com
+120 / -53 lines changed
Commit: Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/entra-docs (branch main) (#13711)
Changes:
Before
After
title: Configure Harness for automatic user provisioning with Microsoft Entra ID
description: Learn how to configure Microsoft Entra ID to automatically provision and deprovision user accounts to Harness.
ms.topic: how-to
ms.date: 03/11/2026
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Harness so that I can streamline the user management process and ensure that users have the appropriate access to Harness.
 
# Configure Harness for automatic user provisioning with Microsoft Entra ID
 
In this article, you learn how to configure Microsoft Entra ID to automatically provision and deprovision users or groups to Harness.
 
> [!NOTE]
> This article describes a connector that's built on top of the Microsoft Entra user provisioning service. For important information about this service and answers to frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](~/identity/app-provisioning/user-provisioning.md).
>
> This connector is currently in preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
 
## Prerequisites
 
The scenario outlined in this article assumes that you already have the following prerequisites:
 
title: Configure Harness for automatic user provisioning with Microsoft Entra ID
description: Learn how to configure Microsoft Entra ID to automatically provision and deprovision user accounts to Harness.
ms.topic: how-to
ms.date: 06/18/2026
ai-usage: ai-assisted
ms.custom: sfi-image-nochange
# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Harness so that I can streamline the user management process and ensure that users have the appropriate access to Harness.
 
 
---
 
# Configure Harness for automatic user provisioning with Microsoft Entra ID
 
 
This article explains how to configure Microsoft Entra ID to automatically provision and deprovision users or groups to Harness. Automatic provisioning eliminates manual user management by synchronizing user lifecycle changes from your identity provider to Harness.
 
> [!NOTE]
> This article describes a connector that is built on top of the Microsoft Entra user provisioning service. For information about this service, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](~/identity/app-provisioning/user-provisioning.md).
>
> This connector is currently in preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+85 / -44 lines changed
Commit: Update GSA Purview text content type docs (#13629)
Changes:
Before
After
---
title: Create content policies for network content filtering
description: "Discover how to configure network content filtering with Global Secure Access to enforce data protection policies and secure sensitive files in real time."
ms.topic: how-to
ms.date: 04/18/2026
ms.reviewer: buzaher,shkhalid
ms.custom: sfi-image-nochange
ai-usage: ai-assisted
 
---
 
# Create a content policy to filter network file content
 
Global Secure Access supports network content filtering through content policies. This feature helps you safeguard against unintended data exposure and prevents inline data leaks to generative AI applications and internet destinations. By extending data protection capabilities to the network layer through Global Secure Access, network content filtering enables your organization to enforce data policies on network traffic in real time. You can discover and protect files shared with unsanctioned destinations, such as generative AI and unmanaged cloud apps, from managed endpoints through browsers, applications, add-ins, APIs, and more.
 
The network content filtering solution brings together Microsoft Purview's data classification service and the identity-centric network security policies in Global Secure Access. This combination creates an advanced network-layer data security solution, Data Loss Prevention (DLP), that's identity-centric and policy-driven. By combining content inspection with real-time user risk evaluation, you can enforce granular controls over sensitive data movement across the network without compromising user productivity or security posture.
 
> [!NOTE]
> Basic content policy (block or allow by file MIME type) is generally available. The **Scan with Purview** action in content policies is currently in preview. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
---
title: Create content policies for network content filtering
description: "Discover how to configure network content filtering with Global Secure Access to enforce data protection policies for files and text content in real time."
ms.topic: how-to
ms.date: 06/30/2026
ms.reviewer: buzaher,shkhalid
ms.custom: sfi-image-nochange
ai-usage: ai-assisted
 
---
 
# Create content policies for network content filtering
 
Global Secure Access supports network content filtering through content policies. This feature helps you safeguard against unintended data exposure and prevents inline data leaks to generative AI applications and internet destinations. By extending data protection capabilities to the network layer through Global Secure Access, network content filtering enables your organization to enforce data policies on network traffic in real time. You can discover and protect files and text content shared with unsanctioned destinations, such as generative AI and unmanaged cloud apps, from managed endpoints through browsers, applications, add-ins, APIs, and more.
 
The network content filtering solution brings together Microsoft Purview's data classification service and the identity-centric network security policies in Global Secure Access. This combination creates an advanced network-layer data security solution, Data Loss Prevention (DLP), that's identity-centric and policy-driven. By combining content inspection with real-time user risk evaluation, you can enforce granular controls over sensitive data movement across the network without compromising user productivity or security posture.
 
> [!NOTE]
> Basic content policy (block or allow by file MIME type) is generally available. The **Scan with Purview** action in content policies is currently in preview and supports inspection for selected file and text content types. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
Modified by Jennifer Fields on Jun 30, 2026 9:01 PM
📖 View on learn.microsoft.com
+22 / -3 lines changed
Commit: Add OIDC API reference and OIDC extensibility reference (#12865)
Changes:
Before
After
title: OpenID Connect (OIDC) on the Microsoft identity platform
description: Sign in Microsoft Entra users by using the Microsoft identity platform's implementation of the OpenID Connect extension to OAuth 2.0.
manager: dougeby
ms.date: 01/9/2026
ms.service: identity-platform
ms.reviewer: jmprieur, ludwignick
ms.topic: reference
 
# OpenID Connect on the Microsoft identity platform
 
OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as another authentication protocol. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications by using a security token called an *ID token*.
 
The full specification for OIDC is available on the OpenID Foundation's website at [OpenID Connect Core 1.0 specification](https://openid.net/specs/openid-connect-core-1_0.html).
 
## Protocol flow: Sign-in
 
The following diagram shows the basic OpenID Connect sign-in flow. The steps in the flow are described in more detail in later sections of the article.
 
![Swim-lane diagram showing the OpenID Connect protocol's sign-in flow.](./media/v2-protocols-oidc/convergence-scenarios-webapp.svg)
 
title: OpenID Connect (OIDC) on the Microsoft identity platform
description: Sign in Microsoft Entra users by using the Microsoft identity platform's implementation of the OpenID Connect extension to OAuth 2.0.
manager: dougeby
ms.author: dmwendia
ms.date: 06/30/2026
ms.service: identity-platform
ms.reviewer: jmprieur, ludwignick
ms.topic: reference
 
# OpenID Connect on the Microsoft identity platform
 
OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as another authentication protocol. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications by using a security token called an *ID token*.
 
> [!TIP]
> For a map of every supported way to extend OIDC behavior, see [Microsoft identity platform OIDC extensibility reference](reference-oidc-extensibility.md).
 
The full specification for OIDC is available on the OpenID Foundation's website at [OpenID Connect Core 1.0 specification](https://openid.net/specs/openid-connect-core-1_0.html).
 
## OIDC endpoint overview
 
Modified by Jennifer Fields on Jun 30, 2026 9:01 PM
📖 View on learn.microsoft.com
+15 / -1 lines changed
Commit: Add OIDC API reference and OIDC extensibility reference (#12865)
Changes:
Before
After
title: Access activity logs in Microsoft Entra ID
description: How to choose the right method for accessing and integrating the activity logs in Microsoft Entra ID.
ms.topic: how-to
ms.date: 11/11/2024
ms.reviewer: egreenberg
 
# Customer intent: As an IT admin, I want to learn about the different ways to access activity logs in Microsoft Entra ID so that I can choose the right method for my scenario and organization.
 
 
---
 
## Next steps
 
- [Stream logs to an event hub](howto-stream-logs-to-event-hub.md)
 
 
 
 
 
 
title: Access activity logs in Microsoft Entra ID
description: How to choose the right method for accessing and integrating the activity logs in Microsoft Entra ID.
ms.topic: how-to
ms.date: 06/24/2026
ms.reviewer: egreenberg
ms.custom: msecd-doc-authoring-1016
ai-usage: ai-assisted
 
# Customer intent: As an IT admin, I want to learn about the different ways to access activity logs in Microsoft Entra ID so that I can choose the right method for my scenario and organization.
 
 
---
 
## Troubleshoot empty results or HTTP 429 errors when retrieving activity logs
 
You might not see any results when you query activity logs (sign-in, audit, or provisioning) in the Microsoft Entra admin center or through the Microsoft Graph API. If you capture a network trace, the underlying API calls return HTTP 429 (Too Many Requests) responses. Throttling depends on current system demand rather than on tenant size, so the same query that worked earlier might return no results later. Use the following workarounds if you see no results in the admin center or HTTP 429 responses in a trace.
 
### Reduce the query date range
 
Break the query into smaller date-range chunks and repeat the query for each chunk until you cover the time period you need. The date range that succeeds varies by tenant and by current system demand, so reduce the range incrementally until results return.
+4 / -4 lines changed
Commit: Update GSA Purview text content type docs (#13629)
Changes:
Before
After
- **HTTP method request filtering (preview)**: Block or allow specific HTTP methods, such as GET, POST, PUT, PATCH, and DELETE.
 
> [!TIP]
> For file type-based filtering (MIME types) and integration with Microsoft Purview for data loss prevention, see [Create a content policy to filter network file content](how-to-network-content-filtering.md).
 
## Prerequisites
 
1. In the **Enable policy** section, ensure **On** is selected.
1. Select **Create**.
 
> [!Note]
> Explicit Forward Proxy (EFP) preview is not currently included in the **All internet resources with Global Secure Access** group. If your users use Explicit Forward Proxy (preview), please follow [How to configure EFP Conditional Access Policies](how-to-configure-conditional-access-policy-for-explicit-forward-proxy.md)
 
## Enable web content filtering for remote network traffic
 
 
## Related content
 
- [Create a content policy to filter network file content](how-to-network-content-filtering.md)
- [Learn about the traffic dashboard](concept-traffic-dashboard.md)
- **HTTP method request filtering (preview)**: Block or allow specific HTTP methods, such as GET, POST, PUT, PATCH, and DELETE.
 
> [!TIP]
> For network content filtering based on file MIME types or Microsoft Purview inspection of file and text content, see [Create content policies for network content filtering](how-to-network-content-filtering.md).
 
## Prerequisites
 
1. In the **Enable policy** section, ensure **On** is selected.
1. Select **Create**.
 
> [!NOTE]
> Explicit Forward Proxy (EFP) preview is not currently included in the **All internet resources with Global Secure Access** group. If your users use Explicit Forward Proxy (preview), follow [How to configure EFP Conditional Access Policies](how-to-configure-conditional-access-policy-for-explicit-forward-proxy.md).
 
## Enable web content filtering for remote network traffic
 
 
## Related content
 
- [Create content policies for network content filtering](how-to-network-content-filtering.md)
- [Learn about the traffic dashboard](concept-traffic-dashboard.md)
Modified by shlipsey3 on Jun 30, 2026 5:12 PM
📖 View on learn.microsoft.com
+5 / -3 lines changed
Commit: idp-unified-risk-061726 (#13538)
Changes:
Before
After
 
To see risk sign-in events together with risky user events, select the **Aggregate risk signals by risky sign-ins** checkbox.
 
### Unified risk signals (Preview)
 
Microsoft Entra ID Protection now correlates signals from Microsoft Defender and other sources to provide unified risk signals for user risk detections. This preview feature enhances your risk detection capabilities by calculating a comprehensive Identity Risk Score based on multiple identity signals. This option must be enabled in [settings](id-protection-dashboard.md#unified-risk-signals-for-id-protection-user-risk-preview).
 
You can view unified risk signals in both the standard view and agent view of the Risky user report. Select a user from the list to see details for each linked account associated with a risky user, helping you understand the full scope of risk across a user's identity, including linked accounts. When the Identity Risk Score is raised, the Microsoft Entra score is also raised using the unified risk signals, which can automatically trigger your risk-based Conditional Access policies.
 
The Identity Risk Score appears within the context of a selected user from the risky user report. The score, risk summary, and links to investigate further are provided to help you understand the risk and take appropriate action. Select the **View full report in Microsoft Defender** link to see the correlated signals in Microsoft Defender for Identity and investigate the risky user further.
 
## Take action on a risky user
 
[!INCLUDE [id-protection-admin-action-user](../includes/id-protection-admin-action-user.md)]
 
 
 
To see risk sign-in events together with risky user events, select the **Aggregate risk signals by risky sign-ins** checkbox.
 
### Unified risk signals
 
Microsoft Entra ID Protection correlates signals from Microsoft Defender and other sources to provide unified risk signals for user risk detections. This capability calculates a comprehensive Identity Risk Score based on multiple identity signals from across your identity fabric, including linked accounts and account sets.
 
You can view unified risk signals in both the standard view and agent view of the Risky user report. Select a user from the list to see details for each linked account associated with a risky user, helping you understand the full scope of risk across a user's identity. When the Identity Risk Score is raised, the Microsoft Entra score is also raised, which can automatically trigger your risk-based Conditional Access policies.
 
The Identity Risk Score appears within the context of a selected user from the risky user report. The score, risk summary, and links to investigate further are provided to help you understand the risk and take appropriate action. Select the **View full report in Microsoft Defender** link to see the correlated signals in Microsoft Defender for Identity and investigate the risky user further.
 
For full details on how unified risk works, prerequisites, how to enable the feature, and troubleshooting, see [Unified risk signals in Microsoft Entra ID Protection](concept-identity-protection-unified-risk.md).
 
## Take action on a risky user
 
[!INCLUDE [id-protection-admin-action-user](../includes/id-protection-admin-action-user.md)]
Modified by shlipsey3 on Jun 30, 2026 5:12 PM
📖 View on learn.microsoft.com
+3 / -5 lines changed
Commit: idp-unified-risk-061726 (#13538)
Changes:
Before
After
 
[![Screenshot showing recent activities in the dashboard.](./media/id-protection-dashboard/microsoft-entra-id-protection-dashboard-recent-activities.png)](./media/id-protection-dashboard/microsoft-entra-id-protection-dashboard-recent-activities.png)
 
## Unified risk signals for ID Protection user risk (Preview)
 
Microsoft Entra ID Protection now provides unified risk signals for user risk detections. This feature, currently in preview, uses signals from Microsoft Defender and even non-Microsoft signals for an enhanced risk detection experience. This new identity fabric provides comprehensive signals to calculate the Identity Risk Score. When the Identity Risk Score is raised, the Microsoft Entra score is also raised using the unified risk signals, which can automatically trigger your risk-based Conditional Access policies.
 
To configure this new capability, browse to the **Identity Protection Dashboard** > **Settings**. Select the option to either enable unified risk for all users or select users and groups. Once enabled, the Identity Risk Score and the details associated with the unified risk appear in the [Risky user report](concept-risky-user-report.md).
 
:::image type="content" source="media/id-protection-dashboard/unified-risk-settings.png" alt-text="Screenshot of the unified risk settings options." lightbox="media/id-protection-dashboard/unified-risk-settings.png":::
 
## Known issues
 
 
[![Screenshot showing recent activities in the dashboard.](./media/id-protection-dashboard/microsoft-entra-id-protection-dashboard-recent-activities.png)](./media/id-protection-dashboard/microsoft-entra-id-protection-dashboard-recent-activities.png)
 
## Unified risk signals
 
Microsoft Entra ID Protection provides unified risk signals that aggregate correlated risk signals from Microsoft Entra ID Protection, Microsoft Defender, and other Microsoft security products. Instead of evaluating alerts in isolation, this capability correlates identity-related signals across products and evaluates them together within the same time window to calculate a compounded user risk score.
 
This requires Microsoft Defender for Identity to be configured. For full details on how unified risk works, how to enable it, and how to troubleshoot common issues, see [Unified risk signals in Microsoft Entra ID Protection](concept-identity-protection-unified-risk.md).
 
## Known issues
 
 
 
Modified by Jennifer Fields on Jun 30, 2026 9:01 PM
📖 View on learn.microsoft.com
+3 / -1 lines changed
Commit: Add OIDC API reference and OIDC extensibility reference (#12865)
Changes:
Before
After
title: OAuth 2.0 and OpenID Connect protocols
description: Learn about OAuth 2.0 and OpenID Connect in Microsoft identity platform. Explore authentication flows, endpoints, and secure user authentication.
manager: pmwongera
ms.date: 05/14/2025
ms.reviewer: nickludwig
ms.service: identity-platform
 
 
**Entra ID** > **App registrations** > \<YOUR-APPLICATION\> > **Endpoints**
 
## Next steps
 
Next, learn about the OAuth 2.0 authentication flows used by each application type and the libraries you can use in your apps to perform them:
 
 
title: OAuth 2.0 and OpenID Connect protocols
description: Learn about OAuth 2.0 and OpenID Connect in Microsoft identity platform. Explore authentication flows, endpoints, and secure user authentication.
manager: pmwongera
ms.date: 06/23/2026
ms.reviewer: nickludwig
ms.service: identity-platform
 
 
**Entra ID** > **App registrations** > \<YOUR-APPLICATION\> > **Endpoints**
 
For a consolidated reference of every OIDC endpoint (discovery, authorize, token, UserInfo, JWKS, logout), see [OpenID Connect on the Microsoft identity platform](v2-protocols-oidc.md).
 
## Next steps
 
Next, learn about the OAuth 2.0 authentication flows used by each application type and the libraries you can use in your apps to perform them:
+2 / -2 lines changed
Commit: Update date and fix link in optimization review suggestions
Changes:
Before
After
title: Review suggestions from the Conditional Access Optimization Agent
description: Learn how to review and apply suggestions provided by the Security Copilot for Microsoft Entra optimization agent.
ms.reviewer: jodah
ms.date: 06/23/2026
ms.update-cycle: 180-days
ms.service: entra-id
ms.subservice: conditional-access
 
When you open a Defender-linked suggestion in the Conditional Access Optimization Agent, the details include a **Defender insight** section that explains the Defender context that contributed to the suggestion. Administrators with the [Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator) role can navigate directly to the related alerts and incidents in Microsoft Defender. Without those permissions, you can still review and act on the Conditional Access suggestion.
 
For more information about how Microsoft Defender threat insights are used by the agent, see [Microsoft Defender integration](conditional-access-agent-optimization#microsoft-defender-integration).
 
## Microsoft Teams agent suggestion notifications
 
title: Review suggestions from the Conditional Access Optimization Agent
description: Learn how to review and apply suggestions provided by the Security Copilot for Microsoft Entra optimization agent.
ms.reviewer: jodah
ms.date: 06/30/2026
ms.update-cycle: 180-days
ms.service: entra-id
ms.subservice: conditional-access
 
When you open a Defender-linked suggestion in the Conditional Access Optimization Agent, the details include a **Defender insight** section that explains the Defender context that contributed to the suggestion. Administrators with the [Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator) role can navigate directly to the related alerts and incidents in Microsoft Defender. Without those permissions, you can still review and act on the Conditional Access suggestion.
 
For more information about how Microsoft Defender threat insights are used by the agent, see [Microsoft Defender integration](conditional-access-agent-optimization.md#microsoft-defender-integration).
 
## Microsoft Teams agent suggestion notifications
 
Modified by Chetan Desai on Jun 30, 2026 4:10 PM
📖 View on learn.microsoft.com
+3 / -0 lines changed
Commit: Added US Gov related changes
Changes:
Before
After
- **Cost:** See [API call pricing](https://aka.ms/EntraSCIMAPIPricing).
- **Billing:** Monthly, through a linked Azure subscription.
 
## Enable the SCIM Provisioning API
 
Use the following steps to turn on the SCIM Provisioning API from the Microsoft Entra admin center.
 
 
 
- **Cost:** See [API call pricing](https://aka.ms/EntraSCIMAPIPricing).
- **Billing:** Monthly, through a linked Azure subscription.
 
> [!NOTE]
> Billing for customers in the US Government cloud will be enforced starting August 2026.
 
## Enable the SCIM Provisioning API
 
Use the following steps to turn on the SCIM Provisioning API from the Microsoft Entra admin center.
+1 / -1 lines changed
Commit: Update GSA Purview text content type docs (#13629)
Changes:
Before
After
## Related content
 
- [Global Secure Access traffic forwarding profiles](concept-traffic-forwarding.md)
- [Create a content policy to filter network file content](how-to-network-content-filtering.md)
- [Apply Conditional Access policies to Global Secure Access traffic](how-to-target-resource-microsoft-profile.md)
- [Azure AI Content Safety](/azure/ai-services/content-safety/concepts/jailbreak-detection)
## Related content
 
- [Global Secure Access traffic forwarding profiles](concept-traffic-forwarding.md)
- [Create content policies for network content filtering](how-to-network-content-filtering.md)
- [Apply Conditional Access policies to Global Secure Access traffic](how-to-target-resource-microsoft-profile.md)
- [Azure AI Content Safety](/azure/ai-services/content-safety/concepts/jailbreak-detection)
Modified by Ken Withee on Jun 30, 2026 5:33 PM
📖 View on learn.microsoft.com
+1 / -1 lines changed
Commit: Update troubleshooting section for clarity
Changes:
Before
After
 
### Possible causes
 
- The object or property isn't supported in the current release.
- The object didn't change between the backup state and the current state.
- The difference report is processing a large number of objects or changes.
- Only one difference report or recovery job can run at a time.
 
### Possible causes
 
- The object or property isn't supported for preview in the current release.
- The object didn't change between the backup state and the current state.
- The difference report is processing a large number of objects or changes.
- Only one difference report or recovery job can run at a time.
+2 / -0 lines changed
Commit: Added US Gov related changes
Changes:
Before
After
 
Before you can call the SCIM API endpoints described in this article, you must enable the SCIM Provisioning API feature, configure billing, set up credentials, and obtain an access token. For step-by-step instructions, see [Enable the SCIM Provisioning API in Microsoft Entra ID](enable-scim-api.md).
 
> [!NOTE]
> SCIM APIs operate exclusively in application context (app-only token) and do not support delegated, user-on-behalf-of scenarios.
 
 
 
 
Before you can call the SCIM API endpoints described in this article, you must enable the SCIM Provisioning API feature, configure billing, set up credentials, and obtain an access token. For step-by-step instructions, see [Enable the SCIM Provisioning API in Microsoft Entra ID](enable-scim-api.md).
 
If you're using the Microsoft Graph endpoint in the US Government cloud, use `https://graph.microsoft.us/rp/scim` as the base URL for SCIM API requests. The examples in this article use `https://graph.microsoft.com` to illustrate the global cloud endpoint.
 
> [!NOTE]
> SCIM APIs operate exclusively in application context (app-only token) and do not support delegated, user-on-behalf-of scenarios.