📋 Microsoft Entra Documentation Changes

Daily summary for changes since July 16th 2026, 8:10 PM PDT

Report generated on July 17th 2026, 8:10 PM PDT

📊 Summary

12
Total Commits
0
New Files
6
Modified Files
0
Deleted Files
7
Contributors

📝 Modified Documentation Files

+1 / -5 lines changed
Commit: Update title and header for Explicit Forward Proxy guide
Changes:
Before
After
ms.reviewer: alexpav
---
 
# Configure a Microsoft Entra Conditional Access policy for Explicit Forward Proxy (preview)
 
Explicit Forward Proxy for Microsoft Entra Internet Access relies on IP affinity, among other mechanisms, for session management. Although a Conditional Access policy isn't required, we recommend that you configure one that restricts the use of Explicit Forward Proxy to networks that your organization trusts. Additionally, you use Conditional Access policies to assign the Microsoft Entra Internet Access security profiles to users.
 
> [!IMPORTANT]
> The Explicit Forward Proxy feature is currently in preview. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Prerequisites
 
- Administrators who configure and manage the Conditional Access policy for Explicit Forward Proxy must have at least the Conditional Access Administrator role.
ms.reviewer: alexpav
---
 
# Configure a Microsoft Entra Conditional Access policy for Explicit Forward Proxy
Explicit Forward Proxy for Microsoft Entra Internet Access relies on IP affinity, among other mechanisms, for session management. Although a Conditional Access policy isn't required, we recommend that you configure one that restricts the use of Explicit Forward Proxy to networks that your organization trusts. Additionally, you use Conditional Access policies to assign the Microsoft Entra Internet Access security profiles to users.
 
## Prerequisites
 
- Administrators who configure and manage the Conditional Access policy for Explicit Forward Proxy must have at least the Conditional Access Administrator role.
 
 
 
 
Modified by Alexander Pavlovsky on Jul 17, 2026 5:05 PM
📖 View on learn.microsoft.com
+1 / -4 lines changed
Commit: Update Explicit Forward Proxy documentation
Changes:
Before
After
ms.reviewer: alexpav
---
 
# Configure Explicit Forward Proxy (preview)
 
With Explicit Forward Proxy, you can use the secure web and AI gateway capabilities of Microsoft Entra Internet Access without installing the Global Secure Access client. Explicit Forward Proxy works with any browser that supports proxy automatic configuration (PAC).
 
> [!IMPORTANT]
> The Explicit Forward Proxy feature is currently in preview. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Prerequisites
 
- Ensure that you have the following Microsoft Entra admin roles:
ms.reviewer: alexpav
---
 
# Configure Explicit Forward Proxy
 
With Explicit Forward Proxy, you can use the secure web and AI gateway capabilities of Microsoft Entra Internet Access without installing the Global Secure Access client. Explicit Forward Proxy works with any browser that supports proxy automatic configuration (PAC).
 
## Prerequisites
 
- Ensure that you have the following Microsoft Entra admin roles:
 
 
 
Modified by Celeste de Guzman on Jul 17, 2026 9:47 PM
📖 View on learn.microsoft.com
+2 / -2 lines changed
Commit: Fix formatting issues in access tokens documentation
Changes:
Before
After
 
# Access tokens in the Microsoft identity platform
 
Access tokens are a type of security token designed for authorization, granting access to specific resources on behalf on an authenticated user. Information in access tokens determines whether a user has the right to access a particular resource, similar to keys unlocking specific doors in a building. These individual pieces of information that make up tokens are called claims. Therefore, they are sensitive credentials and pose a security risk if not handled correctly. Access tokens differ from [ID tokens](./id-tokens.md) which serve as proof of authentication.
 
Access tokens enable clients to securely call protected web APIs. Although client applications can receive and use access tokens, they should be treated as opaque strings. The client application shouldn't attempt to validate access tokens. The resource server should validate the access token before accepting it as proof of authorization. The contents of the token are intended only for the API, which means that access tokens must be treated as opaque strings. For validation and debugging purposes *only*, developers can decode JWTs using a site like [jwt.ms](https://jwt.ms). Tokens that a Microsoft API receives might not always be a JWT that can be decoded.
 
Clients should use the token response data that's returned with the access token for details on what's inside it. When the client requests an access token, the Microsoft identity platform also returns some metadata about the access token for the consumption of the application. This information includes the expiry time of the access token and the scopes for which it's valid. This data allows the application to do intelligent caching of access tokens without having to parse the access token itself. This article explains essential information about access tokens, including formats, ownership, lifetimes and how APIs can validate and use the claims inside an access token.
 
 
# Access tokens in the Microsoft identity platform
 
Access tokens are a type of security token designed for authorization, granting access to specific resources on behalf of an authenticated user. Information in access tokens determines whether a user has the right to access a particular resource, similar to keys unlocking specific doors in a building. These individual pieces of information that make up tokens are called claims. Therefore, they are sensitive credentials and pose a security risk if not handled correctly. Access tokens differ from [ID tokens](./id-tokens.md) which serve as proof of authentication.
 
Access tokens enable clients to securely call protected web APIs. Although client applications can receive and use access tokens, they should treat them as opaque strings. The client application shouldn't attempt to validate access tokens. The resource server should validate the access token before accepting it as proof of authorization. The contents of the token are intended only for the API, which means that access tokens must be treated as opaque strings. For validation and debugging purposes *only*, developers can decode JWTs using a site like [jwt.ms](https://jwt.ms). Tokens that a Microsoft API receives might not always be a JWT that can be decoded.
 
Clients should use the token response data that's returned with the access token for details on what's inside it. When the client requests an access token, the Microsoft identity platform also returns some metadata about the access token for the consumption of the application. This information includes the expiry time of the access token and the scopes for which it's valid. This data allows the application to do intelligent caching of access tokens without having to parse the access token itself. This article explains essential information about access tokens, including formats, ownership, lifetimes and how APIs can validate and use the claims inside an access token.
 
+3 / -1 lines changed
Commit: Mark Tenant Governance Administrator as privileged
Changes:
Before
After
title: Tenant Governance Administrator
description: Tenant Governance Administrator
ms.topic: include
ms.date: 06/30/2026
ms.custom: include file
---
 
Assign the Tenant Governance Administrator role to users who need to do the following tasks:
 
- Manage all capabilities in the Microsoft Entra Tenant Governance service
 
 
title: Tenant Governance Administrator
description: Tenant Governance Administrator
ms.topic: include
ms.date: 07/17/2026
ms.custom: include file
---
 
[![Privileged label icon.](../media/permissions-reference/privileged-label.png)](../privileged-roles-permissions.md)
 
Assign the Tenant Governance Administrator role to users who need to do the following tasks:
 
- Manage all capabilities in the Microsoft Entra Tenant Governance service
+2 / -2 lines changed
Commit: Mark Tenant Governance Administrator as privileged
Changes:
Before
After
title: Microsoft Entra built-in roles
description: Describes the Microsoft Entra built-in roles and permissions.
ms.topic: reference
ms.date: 07/01/2026
ms.reviewer: abhijeetsinha
ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
---
> | [Teams Reader](#teams-reader) | Read everything in the Teams admin center, but not update anything. | 1076ac91-f3d9-41a7-a339-dcdf5f480acc |
> | [Teams Telephony Administrator](#teams-telephony-administrator) | Manage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service. | aa38014f-0993-46e9-9b45-30501a20909d |
> | [Tenant Creator](#tenant-creator) | Create new Microsoft Entra or Azure AD B2C tenants. | 112ca1a2-15ad-4102-995e-45b0bc479a6a |
> | [Tenant Governance Administrator](#tenant-governance-administrator) | Manage all capabilities in the Microsoft Entra Tenant Governance service. | 1981f584-96e9-4a6f-95b0-f522373f8fae |
> | [Tenant Governance Reader](#tenant-governance-reader) | Can read all tenant governance data. | e0a4caa6-fe82-443f-b92f-d87341d17b2e |
> | [Tenant Governance Relationship Administrator](#tenant-governance-relationship-administrator) | Can initiate governance relationships and terminate them. | b8e31d83-1534-480f-9b10-0338ded51b7e |
> | [Tenant Governance Relationship Reader](#tenant-governance-relationship-reader) | Can read tenant governance relationships and relevant objects. | 124577f8-48ed-456a-839f-13b419002e33 |
title: Microsoft Entra built-in roles
description: Describes the Microsoft Entra built-in roles and permissions.
ms.topic: reference
ms.date: 07/17/2026
ms.reviewer: abhijeetsinha
ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange
---
> | [Teams Reader](#teams-reader) | Read everything in the Teams admin center, but not update anything. | 1076ac91-f3d9-41a7-a339-dcdf5f480acc |
> | [Teams Telephony Administrator](#teams-telephony-administrator) | Manage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service. | aa38014f-0993-46e9-9b45-30501a20909d |
> | [Tenant Creator](#tenant-creator) | Create new Microsoft Entra or Azure AD B2C tenants. | 112ca1a2-15ad-4102-995e-45b0bc479a6a |
> | [Tenant Governance Administrator](#tenant-governance-administrator) | Manage all capabilities in the Microsoft Entra Tenant Governance service.<br/>[![Privileged label icon.](./media/permissions-reference/privileged-label.png)](privileged-roles-permissions.md) | 1981f584-96e9-4a6f-95b0-f522373f8fae |
> | [Tenant Governance Reader](#tenant-governance-reader) | Can read all tenant governance data. | e0a4caa6-fe82-443f-b92f-d87341d17b2e |
> | [Tenant Governance Relationship Administrator](#tenant-governance-relationship-administrator) | Can initiate governance relationships and terminate them. | b8e31d83-1534-480f-9b10-0338ded51b7e |
> | [Tenant Governance Relationship Reader](#tenant-governance-relationship-reader) | Can read tenant governance relationships and relevant objects. | 124577f8-48ed-456a-839f-13b419002e33 |
Modified by marshmacy on Jul 17, 2026 7:59 PM
📖 View on learn.microsoft.com
+2 / -1 lines changed
Commit: Mark Tenant Governance Administrator as privileged
Changes:
Before
After
title: What's new in Microsoft Entra RBAC documentation
description: Learn about the new features and documentation improvements in Microsoft Entra role-based access control (RBAC).
ms.topic: whats-new
ms.date: 06/24/2026
 
---
 
 
| Date | Area | Description |
| --- | --- | --- |
| June 2026 | Roles | Updated [AI Administrator](permissions-reference.md#ai-administrator) role and [AI Reader](permissions-reference.md#ai-reader) roles.|
| June 2026 | Roles | Updated [Agent ID Administrator](permissions-reference.md#agent-id-administrator) and [Agent ID Developer](permissions-reference.md#agent-id-developer) roles. |
| May 2026 | Roles | Updated [Identity Governance Administrator](permissions-reference.md#identity-governance-administrator) role to a privileged role. |
 
title: What's new in Microsoft Entra RBAC documentation
description: Learn about the new features and documentation improvements in Microsoft Entra role-based access control (RBAC).
ms.topic: whats-new
ms.date: 07/17/2026
 
---
 
 
| Date | Area | Description |
| --- | --- | --- |
| July 2026 | Roles | Updated [Tenant Governance Administrator](permissions-reference.md#tenant-governance-administrator) role to a privileged role. |
| June 2026 | Roles | Updated [AI Administrator](permissions-reference.md#ai-administrator) role and [AI Reader](permissions-reference.md#ai-reader) roles.|
| June 2026 | Roles | Updated [Agent ID Administrator](permissions-reference.md#agent-id-administrator) and [Agent ID Developer](permissions-reference.md#agent-id-developer) roles. |
| May 2026 | Roles | Updated [Identity Governance Administrator](permissions-reference.md#identity-governance-administrator) role to a privileged role. |