Commit a312234

Merge pull request #10646 from MicrosoftDocs/main
Auto Publish – main to live - 2025-12-01 23:06 UTC
2 parents f1bef42 + e7d24c7 commit a312234

11 files changed

+73
-29
lines changed

docs/fundamentals/licensing.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ author: barclayn
55
manager: pmwongera
66
ms.service: entra
77
ms.topic: article
8-
ms.date: 06/20/2025
8+
ms.date: 12/01/2025
99
ms.subservice: fundamentals
1010
ms.author: barclayn
1111
---
@@ -14,6 +14,8 @@ ms.author: barclayn
1414

1515
This article discusses licensing options for the Microsoft Entra product family. It's intended for security decision makers, identity and network access administrators, and IT professionals who are considering Microsoft Entra solutions for their organizations.
1616

17+
>[!NOTE]
18+
>If you are troubleshooting licensing assignment issues, review [Identify and resolve license assignment problems for a group in the Microsoft 365 Admin Portal](licensing-groups-resolve-problems.md).
1719
1820
## Microsoft Entra licensing options
1921
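Review bot: the callout on added lines 17 and 18 is written `>[!NOTE]` with no space after `>`; the rest of this docset writes `> [!NOTE]` and `> If you ...`, so both added lines should take that form. The sentence itself would also read more consistently with the surrounding page ("It's intended for ...") as "If you're troubleshooting license assignment issues".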

docs/global-secure-access/reference-current-known-limitations.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -278,3 +278,12 @@ Known limitations for Internet Access include:
278278
## B2B guest access (preview) limitations
279279
<a name="b2b-guest-access-limitations"></a>
280280
- The Global Secure Access client doesn't support multi-session Azure Virtual Desktop.
281+
282+
## Global Secure Access In Government Cloud limitations
283+
Global Secure Access is not available in the US Government community cloud High (GCC-H), Department of Defense cloud and other Govt/Sovereign cloud environments.
284+
285+
For usage in US Government community (GCC) cloud, known limitations/disclaimers include:
286+
287+
- Non Federal Information Processing Standard (FIPS) 140-2 certified: Note that while the GSA service is FedRAMP High accredited, it is not yet FIPS 140-2 certified. Microsoft is actively working toward achieving FIPS accreditation/certification, and this process is currently underway. Customers should consider this status when evaluating compliance requirements. FIPS 140-2 is a US government standard that defines FedRAMP minimum security requirements for cryptographic modules in products and systems. For more information, see [Federal Information Processisng Standard (FIPS) 140](https://learn.microsoft.com/azure/compliance/offerings/offering-fips-140-2).
288+
- Data Residency Requirements: Customers should carefully consider data residency requirements when evaluating the GSA solution for their needs. When using GSA, there is a possibility that your data (up to and including customer content) may be Transport Layer Security (TLS) terminated and processed outside the United States esp. in cases where the users access GSA while traveling outside of the USA and its territories. Additionally, data may also be TLS terminated and processed outside of the USA when GSA routes traffic through the nearest available edge location, which may be outside USA borders depending on several factors. Factors for TLS termination and processing outside the US may include but not limited to: user’s physical location, proximity to edge locations, network latency, service availability, performance considerations, customer configurations and so on. As an example, a user near a USA border with a non-USA region may connect to a non-USA edge, where data inspection and policy enforcement take place.
289+
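Review bot: typo in the link text on added line 287: "Processisng" should be "Processing". In the same bullet, "FIPS 140-2 is a US government standard that defines FedRAMP minimum security requirements for cryptographic modules" conflates the two programs; FIPS 140-2 defines the security requirements for cryptographic modules, and FedRAMP is the accreditation program that requires validated modules, so split that into two sentences. Smaller points in the same hunk: "Govt/Sovereign" on line 283 and "esp." on line 288 should be spelled out, "Note that while" is redundant at the start of a bullet, and "may include but not limited to" should read "may include, but are not limited to,".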

docs/id-governance/custom-data-resource-access-reviews.md

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -79,6 +79,8 @@ With a catalog created, you can add custom data provided resource to it by doing
7979
1. Select **Create**.
8080

8181

82+
You can also create an access review programmatically using Microsoft Graph. For more information, see [Create a single stage access review on a catalog](/graph/api/accessreviewset-post-definitions?view=graph-rest-beta&tabs=http#example-6-create-a-single-stage-access-review-on-a-catalog).
83+
8284
## Get Access Review Object and Instance ID
8385

8486
After creating the catalog access review, but before uploading your custom data, you must get both the Access Review object ID, and the Access Review instance object ID. To get this information, you'd do the following:
@@ -115,6 +117,7 @@ After copying both the Access review object, and access review instance object,
115117
> To confirm all CSVs were uploaded successfully, view the [audit logs](entitlement-management-logs-and-reporting.md).
116118
1. You have **up to two hours** from the time the review enters the *Initializing* state to complete the upload.
117119

120+
You can also upload custom data via Graph, by creating an upload session and then uploading a CSV file. For more information, see [customDataProvidedResourceUploadSession](/graph/api/resources/customdataprovidedresourceuploadsession?view=graph-rest-beta).
118121

119122
## Active review state
120123
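Review bot: style on added line 120: "via Graph" is inconsistent with "using Microsoft Graph" on new line 82 of the same file; suggest "by using Microsoft Graph" in both places so the product name is spelled out each time.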

@@ -126,33 +129,38 @@ At the **Active** stage:
126129
## Applying stage
127130

128131

129-
In the **Applying** stage, you manually get a list of denied users by making the following API call:
132+
In the **Applying** stage, you can get a list of denied users by making the [list decisions](/graph/api/accessreviewinstance-list-decisions?view=graph-rest-beta&tabs=http) API call:
130133

131134
``` http
132-
GET /identityGovernance/accessReviews/definitions/{access review object ID}/instances/{access review instance object ID}/decisions?$filter=(decision eq Deny and resourceId eq <custom data provided resource ID>)
135+
GET https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions/{access review object ID}/instances/{access review instance object ID}/decisions?$filter=(decision eq 'Deny' and resourceId eq '<custom data provided resource ID>')
133136
```
134137

135138
For each decision item:
136139

137-
Remove access from your own system and Patch each decision item to indicate success or failure for removal by making the following API call:
140+
Remove access from your own system and then patch each decision item to indicate success or failure for removal by making the [update accessReviewInstanceDecisionItem](/graph/api/accessreviewinstancedecisionitem-update?view=graph-rest-beta&tabs=http) API call:
138141

139142
``` http
140-
PATCH /identityGovernance/accessReviews/definitions/{access review object ID}/instances/{access review instance object ID}/decisions/{decision ID}
141-
{ “applyResult” : “Success/Failure/PartialSuccess/NotSupported”, “applyDescription”: “ServiceNow ticket created” }
143+
PATCH https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions/{access review object ID}/instances/{access review instance object ID}/decisions/{decision ID}
144+
Content-Type: application/json
145+
146+
{
147+
"applyResult": "AppliedSuccessfully",
148+
"applyDescription": "ServiceNow ticket created"
149+
}
142150
```
143151

144-
The review transition to the **Applied** state once all the custom data provided decisions have been applied. For example, if you have five decisions that must be made from the data, you must apply(PATCH) five decisions before the review transitions to **Applied**.
152+
The review transition to the **Applied** state once all the custom data provided decisions have been applied. For example, if you have five decisions that must be made from the data, you must apply using PATCH each of five decision items before the review transitions to **Applied**.
145153

146154

147155

148156

149-
## Complete and apply review decisions
157+
## Review status
150158

151159
As reviewers take actions, the review progresses through several states:
152160

153161
| Review Status | Description |
154162
|--------------------|-----------------|
155-
| Initializing | Review created; waiting for custom data upload. |
163+
| Initializing | Review instance created; waiting for custom data upload. |
156164
| Active | Reviewers can take decisions in the My Access portal. |
157165
| Applying | Review decisions are being remediated. |
158166
| Applied | All decisions are marked as applied. |
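Review bot: grammar on added line 152: "The review transition to" should be "The review transitions to", and "you must apply using PATCH each of five decision items" reads better as "you must PATCH each of the five decision items". The rewritten PATCH sample (lines 143 to 149) now shows only `"applyResult": "AppliedSuccessfully"` where removed line 141 enumerated the possible outcomes; a reader whose removal fails needs to know what to send in that case, so either list the valid `applyResult` values here or point explicitly at the property table in the linked update reference. The `$filter` on line 135 is correctly quoted now; it would help to say that `<custom data provided resource ID>` is replaced together with its angle brackets.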

docs/id-governance/identity-governance-applications-existing-users.md

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ ms.custom: sfi-ga-blocked, sfi-ropc-nochange
1414

1515
# Govern an application's existing users - Microsoft PowerShell
1616

17-
There are three common scenarios in which it's necessary to populate Microsoft Entra ID with existing users of an application before you use the application with a Microsoft Entra ID Governance feature such as [access reviews](access-reviews-application-preparation.md).
17+
There are four common scenarios in which it's necessary to populate Microsoft Entra ID with existing access rights and users of an application before you use the application with a Microsoft Entra ID Governance feature such as [access reviews](access-reviews-application-preparation.md).
1818

1919
## License requirements
2020
[!INCLUDE [active-directory-entra-governance-license.md](~/includes/entra-entra-governance-license.md)]
@@ -57,6 +57,15 @@ For some legacy applications, it might not be feasible to remove other identity
5757

5858
That scenario of an application which does not support provisioning protocols, is covered in a separate article, [Govern the existing users of an application that does not support provisioning](identity-governance-applications-not-provisioned-users.md).
5959

60+
### Application uses Microsoft Entra ID as its identity provider and has additional access rights for users
61+
62+
Using custom data provided resources, you can include access rights from applications in Microsoft Entra ID access reviews by uploading their access data directly into a catalog.
63+
64+
You can then run user Access Reviews (UARs) across both Microsoft Entra-connected resources and those access rights. Reviewers can easily review and certify users’ access in the My Access portal, helping ensure consistent governance, improved visibility, and compliance across all resources whether or not they’re connected to Microsoft Entra.
65+
66+
This scenario is covered in a separate article, [include custom data provided resource in the catalog for catalog user Access Reviews (Preview)](custom-data-resource-access-reviews.md).
67+
68+
6069
## Terminology
6170

6271
This article illustrates the process for managing application role assignments by using the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph). It uses the following Microsoft Graph terminology.
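Review bot: the link text on added line 66, "include custom data provided resource in the catalog ...", is lowercased while the same article is linked as "Include custom data provided resource ..." in identity-governance-applications-integrate.md in this same commit; align the casing. Also, "user Access Reviews (UARs)" on line 64 introduces capitalization and an abbreviation that the rest of the article does not use ("access reviews"); drop the abbreviation unless it is used again.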

docs/id-governance/identity-governance-applications-integrate.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -114,6 +114,8 @@ However, if the application was already in your environment, users may have gain
114114
1. If the application was using AD security groups, and those groups were created in AD, then once the review is complete, you need to manually update the AD groups to remove memberships of those users who were denied. Subsequently, to have denied access rights removed automatically, you can either update the application to use an AD group that was created in Microsoft Entra ID and [written back to Microsoft Entra ID](~/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory.md), or move the membership from the AD group to the Microsoft Entra group, and [nest the written back group as the only member of the AD group](~/identity/hybrid/cloud-sync/govern-on-premises-groups.md).
115115
1. Once the review has been completed and the application access updated, or if no users have access, then continue on to the next steps to deploy Conditional Access and entitlement management policies for the application.
116116

117+
Using custom data provided resources (preview), you can include access rights from applications in Microsoft Entra ID access reviews by uploading their access data directly prior to an access review. For more information, see [Include custom data provided resource in the catalog for catalog user Access Reviews (Preview)](custom-data-resource-access-reviews.md).
118+
117119
Now that you have a baseline that ensures existing access has been reviewed, then you can [deploy the organization's policies](identity-governance-applications-deploy.md) for ongoing access and any new access requests.
118120

119121
## Next steps
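Review bot: on added line 117, "by uploading their access data directly prior to an access review" is ambiguous about what "directly" modifies; the parallel sentence added to identity-governance-applications-existing-users.md in this commit says "directly into a catalog", which is clearer and should be reused here.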

docs/id-governance/identity-governance-applications-not-provisioned-users.md

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -14,15 +14,18 @@ ms.custom: sfi-ga-nochange
1414

1515
# Govern the users of an application that does not support provisioning - Microsoft PowerShell
1616

17-
There are three common scenarios in which it's necessary to populate Microsoft Entra ID with existing users of an application before you use the application with a Microsoft Entra ID Governance feature such as [access reviews](access-reviews-application-preparation.md).
17+
There are four common scenarios in which it's necessary to populate Microsoft Entra ID with existing users and their access rights of an application before you use the application with a Microsoft Entra ID Governance feature such as [access reviews](access-reviews-application-preparation.md).
1818

1919
- Application migrated to Microsoft Entra ID after using its own identity provider
2020
- Application that doesn't use Microsoft Entra ID as its only identity provider
2121
- Application does not use Microsoft Entra ID as its identity provider nor does it support provisioning
22+
- Application uses Microsoft Entra ID as its identity provider and has additional access rights for users
2223

2324
For more information on those first two scenarios, where the application supports provisioning, or uses an LDAP directory, SQL database, has a SOAP or REST API or relies upon Microsoft Entra ID as its identity provider, see the article [govern an application's existing users](identity-governance-applications-existing-users.md). That article covers how to use identity governance features for existing users of those categories of applications.
2425

25-
This article covers the third scenario. For some legacy applications it might not be feasible to remove other identity providers or local credential authentication from the application, or enable support for provisioning protocols for those applications. For those applications, if you want to use Microsoft Entra ID to review who has access to that application, or remove someone's access from that application, you'll need to create assignments in Microsoft Entra ID that represent application users. This article covers that scenario of an application that does not use Microsoft Entra ID as its identity provider and does not support provisioning.
26+
This article covers the third scenario. For some legacy applications, it might not be feasible to remove other identity providers or local credential authentication from the application, or enable support for provisioning protocols for those applications. For those applications, if you want to use Microsoft Entra ID to review who has access to that application, or remove someone's access from that application, you'll need to create assignments in Microsoft Entra ID that represent application users. This article covers that scenario of an application that does not use Microsoft Entra ID as its identity provider and does not support provisioning.
27+
28+
For more information on the fourth scenario, see [include custom data provided resource in the catalog for catalog user Access Reviews (Preview)](custom-data-resource-access-reviews.md).
2629

2730
## License requirements
2831
[!INCLUDE [active-directory-entra-governance-license.md](~/includes/entra-entra-governance-license.md)]
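Review bot: word order on added line 17: "existing users and their access rights of an application" should be "an application's existing users and their access rights". The new fourth bullet on line 22 matches the section heading added in identity-governance-applications-existing-users.md, which is good; the link text on line 28 is lowercase "include custom data ..." as in that file, so the casing should be aligned across both.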
@@ -59,7 +62,7 @@ In some environments, the application might be located on a network segment or s
5962

6063
If your application has an LDAP directory or SQL database, then see [Collect existing users from an application](identity-governance-applications-existing-users.md#collect-existing-users-from-an-application) for recommendations on how to extract the user collection.
6164

62-
Otherwise, if the application does not have a directory or database, you will need to contact the owner of the application and have them supply a list of users. This could be in a format such as a CSV file, with one line per user. Ensure that one field of each user in the file contains a unique identifier, such as an email address, that is also present on users in Microsoft Entra ID.
65+
Otherwise, if the application does not have a directory or database, you will need to contact the owner of the application and have them supply a list of users. This could be in a format such as a CSV file, with one line per user. Ensure that one field of each user in the file contains a unique identifier, such as an email address, that is also present on users in Microsoft Entra ID.
6366

6467
If this system doesn't have the Microsoft Graph PowerShell cmdlets installed or doesn't have connectivity to Microsoft Entra ID, transfer the CSV file that contains the list of users to a system that has the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) installed.
6568
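Review bot: removed line 62 and added line 65 read identically; if this is a trailing-whitespace or non-breaking-space fix it is fine as is, but if a wording change was intended here, it did not land.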

@@ -239,7 +242,7 @@ Follow the instructions in the [guide for creating an access review of groups or
239242

240243
## Configure entitlement management integration with ServiceNow for ticketing (optional)
241244

242-
If you have ServiceNow then you can optionally configure automated ServiceNow ticket creation, using the [entitlement management integration](entitlement-management-ticketed-provisioning.md) via Logic Apps. In that scenario, entitlement management can automatically create ServiceNow tickets for manual provisioning of users who have received access package assignments.
245+
If you have ServiceNow, then you can optionally configure automated ServiceNow ticket creation, using the [entitlement management integration](entitlement-management-ticketed-provisioning.md) via Logic Apps. In that scenario, entitlement management can automatically create ServiceNow tickets for manual provisioning of users who have received access package assignments.
243246

244247
## Next steps
245248

docs/id-protection/concept-risky-user-report.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ ms.reviewer: chuqiaoshi
1313

1414
Knowing which users are at risk and *why* they're at risk is a key responsibility of security and identity administrators. The Risky user report in Microsoft Entra ID Protection provides the full report, along with a risk data summary, and an activity timeline.
1515

16-
The Risky user report is also integrated with the Identity Risk Management Agent for enhanced agent suggestions and insights. If you have the Identity Risk Management Agent enabled, you can switch between the standard view and the agent view of the report.
16+
The Risky user report is also integrated with the Identity Risk Management Agent (Preview) for enhanced agent suggestions and insights. If you have the Identity Risk Management Agent enabled, you can switch between the standard view and the agent view of the report.
1717

1818
This article provides an overview of the information and actions available in the Risky user report.
1919

@@ -24,7 +24,7 @@ To access this report, you need:
2424
- Microsoft Entra ID Free, Microsoft Entra ID P1 for limited data on users.
2525
- Microsoft Entra ID P2 licenses for full access to the risky user data.
2626
- [Security Reader](../identity/role-based-access-control/permissions-reference.md#security-reader) and [Security Operator](../identity/role-based-access-control/permissions-reference.md#security-operator) are the least privileged roles required to use the *standard view* of the report.
27-
- [Security Administrator](../identity/role-based-access-control/permissions-reference.md#search-administrator) is required to use the *agent view* of the report and access the Risk Management Agent features.
27+
- [Security Administrator](../identity/role-based-access-control/permissions-reference.md#search-administrator) is required to use the *agent view* of the report and access the Identity Risk Management Agent features.
2828
- [User Administrator](../identity/role-based-access-control/permissions-reference.md#user-administrator) is required to reset passwords.
2929

3030
## Risky user report
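Review bot: the link on line 27 (both before and after the change) is labelled "Security Administrator" but its anchor is `#search-administrator`; the anchor should match the role, presumably `#security-administrator`, and since the line is already being touched this is the place to fix it.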
