📋 Microsoft Entra Documentation Changes

Daily summary for changes since July 1st 2026, 11:01 PM PDT

Report generated on July 2nd 2026, 11:01 PM PDT

📊 Summary

18
Total Commits
0
New Files
5
Modified Files
0
Deleted Files
7
Contributors

📝 Modified Documentation Files

+142 / -30 lines changed
Commit: [Entra Connect Sync] Hard match security hardening and InvalidHardMatch troubleshooting updates (#13724)
Changes:
Before
After
---
title: 'Microsoft Entra Connect: When you already have Microsoft Entra ID'
description: This topic describes how to use Connect when you have an existing Microsoft Entra tenant.
ms.custom: has-azure-ad-ps-ref
ms.topic: how-to
ms.date: 04/09/2025
ms.subservice: hybrid-connect
---
 
# Microsoft Entra Connect: When you have an existing tenant
Most of the topics for how to use Microsoft Entra Connect assumes you start with a new Microsoft Entra tenant and that there are no users or other objects there. But if you started with a Microsoft Entra tenant, populated it with users and other objects, and now want to use Connect, then this topic is for you.
 
## The basics
An object in Microsoft Entra ID is either managed in the cloud or on-premises. For one single object, you can't manage some attributes on-premises and some other attributes in Microsoft Entra ID. Each object has a flag indicating where the object is managed.
 
You can manage some users on-premises and others in the cloud. A common scenario for this configuration is an organization with a mix of accounting workers and sales workers. The accounting workers have an on-premises AD account, but the sales workers don't, but both have an account in Microsoft Entra ID. You would manage some users on-premises and some in Microsoft Entra ID.
 
There are some extra concerns you need to consider when you started to manage users in Microsoft Entra ID that are also present on-premises, and later want to use Microsoft Entra Connect.
 
<a name='sync-with-existing-users-in-azure-ad'></a>
---
title: Configure Microsoft Entra Connect for an existing tenant
description: Learn how Microsoft Entra Connect matches and synchronizes on-premises objects with an existing Microsoft Entra tenant, and how to resolve hard match conflicts.
ms.custom: has-azure-ad-ps-ref, msecd-doc-authoring-1015
ms.topic: how-to
ms.date: 07/01/2026
ms.subservice: hybrid-connect
ai-usage: ai-assisted
#customer intent: As an IT administrator, I want to understand how Microsoft Entra Connect matches and synchronizes with existing Microsoft Entra ID objects so that I can onboard an existing tenant without data loss or blocked hard matches.
---
 
# Configure Microsoft Entra Connect for an existing tenant
Most of the articles about how to use Microsoft Entra Connect assume you start with a new Microsoft Entra tenant that has no users or other objects. But if you started with a Microsoft Entra tenant, populated it with users and other objects, and now want to use Connect, this article is for you.
 
## The basics
An object in Microsoft Entra ID is either managed in the cloud or on-premises. For one single object, you can't manage some attributes on-premises and some other attributes in Microsoft Entra ID. Each object has a flag indicating where the object is managed.
 
You can manage some users on-premises and others in the cloud. A common scenario for this configuration is an organization with a mix of accounting workers and sales workers. The accounting workers have an on-premises Active Directory (AD) account and the sales workers don't, but both have an account in Microsoft Entra ID. You would manage some users on-premises and some in Microsoft Entra ID.
 
There are some extra concerns you need to consider when you started to manage users in Microsoft Entra ID that are also present on-premises, and later want to use Microsoft Entra Connect.
Modified by Jackline Omondi on Jul 2, 2026 9:42 AM
📖 View on learn.microsoft.com
+53 / -19 lines changed
Commit: [Entra Connect Sync] Hard match security hardening and InvalidHardMatch troubleshooting updates (#13724)
Changes:
Before
After
ms.assetid: 2209d5ce-0a64-447b-be3a-6f06d47995f8
ms.tgt_pltfrm: na
ms.topic: troubleshooting
ms.date: 02/25/2026
ms.subservice: hybrid-connect
ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done
---
# Understanding errors during Microsoft Entra synchronization
 
 
### InvalidHardMatch
 
#### Description
 
An InvalidHardMatch error occurs during synchronization when there's an attempt to [hard match](./how-to-connect-install-existing-tenant.md#hard-match-vs-soft-match) objects present in Microsoft Entra ID with a new incoming object that have the same sourceAnchor value, but one of the following conditions prevents the hard match:
 
* The *BlockCloudObjectTakeoverThroughHardMatchEnabled* feature is enabled on the tenant.
* The existing Microsoft Entra object has privileged roles assigned and contains an OnPremisesImmutableId value.
 
This security measure prevents risky hard matches between on-premises Active Directory users and privileged cloud users.
ms.assetid: 2209d5ce-0a64-447b-be3a-6f06d47995f8
ms.tgt_pltfrm: na
ms.topic: troubleshooting
ms.date: 07/01/2026
ms.subservice: hybrid-connect
ai-usage: ai-assisted
ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done, msecd-doc-authoring-1015
---
# Understanding errors during Microsoft Entra synchronization
 
 
### InvalidHardMatch
 
An `InvalidHardMatch` error occurs when Microsoft Entra ID blocks a [hard match](./how-to-connect-install-existing-tenant.md#hard-match-vs-soft-match) operation because the target cloud user is protected from takeover or reassociation. This protection helps prevent an on-premises Active Directory object from taking over a cloud account when the target account is privileged or already mapped to an on-premises object.
 
#### Symptoms
 
You might see one of the following errors during export or synchronization:
 
| Scenario | Error code or family | Error message |
Modified by Jackline Omondi on Jul 2, 2026 5:13 PM
📖 View on learn.microsoft.com
+15 / -7 lines changed
Commit: July whatsnew updates (#13748)
Changes:
Before
After
---
title: What's new in Microsoft Entra application management
description: This article shows the new and updated documentation for the Microsoft Entra application management.
ms.date: 06/16/2026
ms.topic: whats-new
 
#customer intent: As an IT admin responsible for managing applications in Microsoft Entra ID, I want to stay updated on new documentation and significant updates, so that I can effectively manage and troubleshoot application-related issues in the platform.
 
Welcome to what's new in Microsoft Entra application management documentation. This article lists new docs and those articles that had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Microsoft Entra ID](~/fundamentals/whats-new.md).
 
## May 2026
 
No updates for this month.
- [Submit a request to publish your application in Microsoft Entra application gallery](v2-howto-app-gallery-listing.md) - Added SSO checklist to the app publishing doc
 
## March 2026
 
### Updated articles
 
---
title: What's new in Microsoft Entra application management
description: This article shows the new and updated documentation for the Microsoft Entra application management.
ms.date: 07/02/2026
ms.topic: whats-new
 
#customer intent: As an IT admin responsible for managing applications in Microsoft Entra ID, I want to stay updated on new documentation and significant updates, so that I can effectively manage and troubleshoot application-related issues in the platform.
 
Welcome to what's new in Microsoft Entra application management documentation. This article lists new docs and those articles that had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Microsoft Entra ID](~/fundamentals/whats-new.md).
 
## June 2026
 
### New articles
 
- [Plan your SSO integration with Microsoft Entra ID (ISVs)](plan-sso-integration-isv.md)
- [SAML versus OpenID Connect: Choose the right SSO protocol](saml-vs-oidc-decision-guide.md)
- [Understand Microsoft's SSO model](understand-microsoft-sso-model.md)
 
### Updated articles
 
Modified by Abhijeet Kumar Sinha on Jul 2, 2026 4:34 PM
📖 View on learn.microsoft.com
+8 / -6 lines changed
Commit: Update deployment status for various regions
Changes:
Before
After
| South India | Chennai, India | ✅ | ✅ |
| Australia Southeast | Melbourne, Australia | ✅ | ✅ |
| Japan West | Osaka, Japan | ✅ | ✅ |
| Central India | Pune, India | ✅ | |
| Korea Central | Seoul, South Korea | ✅ | ✅ |
| Southeast Asia | Singapore, Singapore | ✅ | |
| Australia East | Sydney, Australia | ✅ | ✅ |
| Taiwan North | Taipei, Taiwan | ✅ | |
| Japan East | Tokyo, Japan | ✅ | ✅ |
 
 
| Sweden Central | Gavle, Sweden | ✅ | ✅ |
| South Africa North | Johannesburg, South Africa | ✅ | ✅ |
| UK South | London, UK | ✅ | ✅ |
| Spain Central | Madrid, Spain | ✅ | |
| Italy North | Milan, Italy | ✅ | ✅ |
| France South | Marseille, France | ✅ | ✅ |
| France Central | Paris, France | ✅ | ✅ |
 
|Azure Region | Physical Location | Global Secure Access service deployed | Remote network connectivity gateways |
| South India | Chennai, India | ✅ | ✅ |
| Australia Southeast | Melbourne, Australia | ✅ | ✅ |
| Japan West | Osaka, Japan | ✅ | ✅ |
| Australia West | Perth, Australia | ✅ | |
| Central India | Pune, India | ✅ | ✅ |
| Korea Central | Seoul, South Korea | ✅ | ✅ |
| Southeast Asia | Singapore, Singapore | ✅ | ✅ |
| Australia East | Sydney, Australia | ✅ | ✅ |
| Taiwan North | Taipei, Taiwan | ✅ | ✅ |
| Japan East | Tokyo, Japan | ✅ | ✅ |
 
 
| Sweden Central | Gavle, Sweden | ✅ | ✅ |
| South Africa North | Johannesburg, South Africa | ✅ | ✅ |
| UK South | London, UK | ✅ | ✅ |
| Spain Central | Madrid, Spain | ✅ | ✅ |
| Italy North | Milan, Italy | ✅ | ✅ |
| France South | Marseille, France | ✅ | ✅ |
| France Central | Paris, France | ✅ | ✅ |
 
+3 / -1 lines changed
Commit: Update cross-tenant synchronization overview (#13235)
Changes:
Before
After
For example, if a group is synchronized from tenant A to tenant B and an administrator makes a change to the group in tenant B, that change persists in tenant B. The synchronization engine doesn't detect the change made to the group in the target tenant, so it doesn't override the change.
 
- If a group is created outside cross-tenant synchronization, it isn't included in cross-tenant synchronization.
 
### Structure
 
 
 
For example, if a group is synchronized from tenant A to tenant B and an administrator makes a change to the group in tenant B, that change persists in tenant B. The synchronization engine doesn't detect the change made to the group in the target tenant, so it doesn't override the change.
 
- If a group is created outside cross-tenant synchronization, it isn't included in cross-tenant synchronization.
 
- Synchronization performance depends on the total number of objects (users, groups) and references (such as group memberships and manager relationships) being processed by a sync job. As the overall volume of objects and references increases, the time required to evaluate and synchronize changes can also increase. In environments with high scale, this can result in longer synchronization cycles and increased latency for updates to be reflected in the target tenant. To optimize performance, scope synchronization to only the users, groups, and relationships that are necessary.
 
### Structure