đź“‹ Microsoft Entra Documentation Changes

Daily summary for changes since July 9th 2026, 10:20 PM PDT

Report generated on July 10th 2026, 10:20 PM PDT

📊 Summary

17
Total Commits
0
New Files
4
Modified Files
0
Deleted Files
8
Contributors

📝 Modified Documentation Files

+59 / -7 lines changed
Commit: Update title and description for managed identities article (#13816)
Changes:
Before
After
---
title: Configure assignment restriction for user-assigned managed identities
description: Learn how to configure assignment restriction for a user-assigned managed identity in the Azure portal to scope it to specific resource providers.
author: kengaderdus
ms.author: kengaderdus
ms.service: entra-id
ms.subservice: managed-identities
ms.topic: how-to
ms.custom: msecd-doc-authoring-10012
ms.date: 04/24/2026
ai-usage: ai-assisted
 
#customer intent: As an Azure administrator, I want to configure assignment restriction for a user-assigned managed identity so that the identity can only be assigned to source resources within an allowed resource provider scope.
 
---
 
# Configure assignment restriction for user-assigned managed identities
 
This article describes how to configure assignment restrictions (also referred to as resource restrictions) for a user-assigned managed identity by using the Azure portal.
 
---
title: Configure assignment restriction for user-assigned managed identities (preview)
description: Learn how to configure assignment restriction for a user-assigned managed identity in the Azure portal to scope it to specific resource providers.
author: mmacy-msft
ms.author: marshmacy
ms.service: entra-id
ms.subservice: managed-identities
ms.topic: how-to
ms.custom: msecd-doc-authoring-10012
ms.date: 07/10/2026
ai-usage: ai-assisted
 
#customer intent: As an Azure administrator, I want to configure assignment restriction for a user-assigned managed identity so that the identity can only be assigned to source resources within an allowed resource provider scope.
 
---
 
# Configure assignment restriction for user-assigned managed identities (preview)
 
This article describes how to configure assignment restrictions (also referred to as resource restrictions) for a user-assigned managed identity by using the Azure portal. This is a feature in preview.
 
+13 / -50 lines changed
Commit: Fix assignment restriction concept article structure
Changes:
Before
After
---
title: Assignment restriction for managed identities (Preview)
description: Learn how assignment restrictions scope a user-assigned managed identity to one or more resource providers to improve security and resilience.
author: mmacy-msft
ms.author: marshmacy
ms.subservice: managed-identities
ms.topic: concept-article
ms.custom: msecd-doc-authoring-10012
ms.date: 04/24/2026
ai-usage: ai-assisted
 
#customer intent: As an Azure administrator, I want to understand assignment restriction for user-assigned managed identities so that I can scope identity usage to one or more resource providers and reduce security and operational risk.
 
---
## Note about supported Resource Providers and Resource Types in the Azure portal
 
> [!NOTE]
> Selecting **None** for resource assignment restrictions leaves the identity unrestricted, allowing it to be assigned to resources from any resource provider that supports managed identities.
>
> Configure resource assignment restrictions only when you want to limit identity assignment to specific resource providers. Be aware that the **Select Resource Types** list in the Azure portal may not include all supported resource providers and resource types.
---
title: Assignment restriction for managed identities (preview)
description: Learn how assignment restrictions scope a user-assigned managed identity to one or more resource providers to improve security and resilience.
author: mmacy-msft
ms.author: marshmacy
ms.subservice: managed-identities
ms.topic: concept-article
ms.custom: msecd-doc-authoring-10012
ms.date: 07/10/2026
ai-usage: ai-assisted
 
#customer intent: As an Azure administrator, I want to understand assignment restriction for user-assigned managed identities so that I can scope identity usage to one or more resource providers and reduce security and operational risk.
 
---
 
# Assignment restriction for user-assigned managed identities (preview)
 
Assignment restrictions, also known as resource restrictions, are a security feature for user-assigned managed identities that limit the resource providers an identity can be assigned to. Assignment restrictions are currently in preview. They let you isolate a managed identity to one or more resource providers so that it can't be reused across unrelated services.
 
When you configure assignment restriction, managed identity usage stays tightly scoped. This scoping reduces the blast radius of a compromised or misconfigured identity and helps improve both security and resilience.
+6 / -0 lines changed
Commit: Enhance documentation for verifying permission grants
Changes:
Before
After
After creating a new application proxy application, grant admin consent for the **User.Read** delegated permission in the Microsoft Entra admin center or using the Microsoft Graph PowerShell.
 
### [Microsoft Entra admin center](#tab/microsoft-entra-admin-center)
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator).
2. Browse to **Identity** > **Applications** > **Enterprise applications**.
3. Select the newly created application proxy application.
6. Review the permissions and select **Accept**.
 
### [Microsoft Graph PowerShell](#tab/microsoft-graph-powershell)
```powershell
# Connect with the required scope
Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"
-Scope "User.Read"
```
 
### Verify the permission was granted
 
1. In the Microsoft Entra admin center, navigate to your enterprise application.
 
 
After creating a new application proxy application, grant admin consent for the **User.Read** delegated permission in the Microsoft Entra admin center or using the Microsoft Graph PowerShell.
 
### [Microsoft Entra admin center](#tab/microsoft-entra-admin-center)
 
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator).
2. Browse to **Identity** > **Applications** > **Enterprise applications**.
3. Select the newly created application proxy application.
6. Review the permissions and select **Accept**.
 
### [Microsoft Graph PowerShell](#tab/microsoft-graph-powershell)
 
```powershell
# Connect with the required scope
Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"
-Scope "User.Read"
```
 
---
 
 
Modified by learn-build-service-prod[bot] on Jul 10, 2026 4:49 PM
đź“– View on learn.microsoft.com
+2 / -1 lines changed
Commit: Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/entra-docs (branch main) (#13814)
Changes:
Before
After
description: Learn how Microsoft Entra ID is licensed for guest users.
ms.subservice: entitlement-management
ms.topic: reference
ms.date: 04/27/2026
ms.reviewer: jercon
#Customer Intent: As an IT admin, I want to understand how Microsoft Entra ID Governance is licensed for guest users so that I can ensure proper licensing for external collaborators.
---
| Lifecycle Workflows  | [Workflow is run for guest](what-are-lifecycle-workflows.md) | Bill on workflow execution.<br>**API**<br> https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/workflows/{workflowId}/activate | Workflow execution started for user. |
| Access Reviews  | [Access Review – machine learning assisted access reviews](review-recommendations-access-reviews.md#user-to-group-affiliation) | Bill when guest user is included in review. <br><br>**API**<br> https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions where recommendation settings are enabled in a group review. | Decision item summary. |
| Access Reviews  | [Access Review – inactive users](../identity/users/clean-up-stale-guest-accounts.md#monitor-guest-accounts-at-scale-with-inactive-guest-insights) | Bill when guest user is included in review.<br><br>**API**<br> https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions where inactive guest reviews are included in the policy for a group resource. | Decision item summary. |
 
 
## Guest billing in multitenant organizations
 
description: Learn how Microsoft Entra ID is licensed for guest users.
ms.subservice: entitlement-management
ms.topic: reference
ms.date: 07/09/2026
ms.reviewer: jercon
#Customer Intent: As an IT admin, I want to understand how Microsoft Entra ID Governance is licensed for guest users so that I can ensure proper licensing for external collaborators.
---
| Lifecycle Workflows  | [Workflow is run for guest](what-are-lifecycle-workflows.md) | Bill on workflow execution.<br>**API**<br> https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/workflows/{workflowId}/activate | Workflow execution started for user. |
| Access Reviews  | [Access Review – machine learning assisted access reviews](review-recommendations-access-reviews.md#user-to-group-affiliation) | Bill when guest user is included in review. <br><br>**API**<br> https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions where recommendation settings are enabled in a group review. | Decision item summary. |
| Access Reviews  | [Access Review – inactive users](../identity/users/clean-up-stale-guest-accounts.md#monitor-guest-accounts-at-scale-with-inactive-guest-insights) | Bill when guest user is included in review.<br><br>**API**<br> https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions where inactive guest reviews are included in the policy for a group resource. | Decision item summary. |
| Access Reviews | [Access Review – Catalog Access Reviews](catalog-access-reviews.md) | Bill when guest user is included in review.<br><br>**API**<br> https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/unified/definitions/ | Decision item summary. |
 
 
## Guest billing in multitenant organizations