Commit e09d71c

Merge pull request #12236 from MicrosoftDocs/main
Auto Publish – main to live - 2026-03-25 11:00 UTC
2 parents ba5b932 + 6145567 commit e09d71c

19 files changed: +321 -10 lines changed

docs/external-id/tenant-restrictions-v2.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -447,7 +447,7 @@ For more information, see [Creating your App Control AppId tagging policies](/wi
447447
After you create your policy in the wizard, or create your own by using PowerShell, convert the .xml output to an app ID tagging policy. The tagging policy marks the apps for which you want to allow access to Microsoft resources. The GUID output is your new policy ID.
448448

449449
```powershell
450-
Set-CIPolicyIdInfo -ResetPolicyID .\policy.xml -AppIdTaggingPolicy -AppIdTaggingKey "M365ResourceAccessEnforced" -AppIdTaggingValue "True"
450+
Set-CIPolicyIdInfo -ResetPolicyID .\policy.xml -AppIdTaggingPolicy -AppIdTaggingKey "M365ResourceAccessEnforcement" -AppIdTaggingValue "True"
451451
```
452452

453453
#### Step 3: Compile and deploy the policy for testing
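
Review bot: The renamed tagging key on line 450 (`M365ResourceAccessEnforcement`) is a string readers copy verbatim, and nothing around the code block says that the earlier value `M365ResourceAccessEnforced` was published here, so anyone who already built and deployed a tagging policy from the old command has no cue to regenerate it. Suggest adding a sentence after the code block that names the exact key expected and tells readers who used the previous key to re-run `Set-CIPolicyIdInfo` and redeploy, bearing in mind that `-ResetPolicyID` produces a new policy ID.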

docs/id-governance/licensing-fundamentals.md

Lines changed: 1 addition & 1 deletion
@@ -121,7 +121,7 @@ If a Microsoft Entra ID P2 or Microsoft Entra ID Governance license expires or t
121121

122122
### Will any IGA features and capabilities be added under the Microsoft Entra ID P2 License?
123123

124-
All currently Generally Available features in Microsoft Entra ID P2 will remain, but no new IGA features or capabilities will be added to the Microsoft Entra ID P2 SKU.
124+
All currently Generally Available features in Microsoft Entra ID P2 will remain, but no new Identity Governance & Administration (IGA) features or capabilities will be added to the Microsoft Entra ID P2 SKU.
125125

126126
## Next steps
127127
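
Review bot: The acronym is now expanded in the answer on line 124, but the heading on line 122 still uses bare "IGA" first, so the reader meets the abbreviation before its definition. Consider expanding it in the heading instead (or as well), and writing "and" rather than "&" in the expansion to match the rest of the sentence.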

docs/id-governance/tenant-governance/overview.md

Lines changed: 0 additions & 2 deletions
@@ -13,8 +13,6 @@ ms.date: 03/05/2026
1313

1414
[!INCLUDE [entra-tenant-governance-preview-note](~/includes/entra-tenant-governance-preview-note.md)]
1515

16-
[!INCLUDE [entra-entra-governance-license.md](~/includes/entra-entra-governance-license.md)]
17-
1816
Most large organizations operate Microsoft services in multiple tenants because of mergers and acquisitions, requirements for partitioning security or privacy-sensitive workloads, test environments, and other reasons. Most organizations also have user-created "shadow IT" tenants that central IT doesn't administer and often doesn't know about. In many environments, it's not easy to verify that each of these tenants is configured properly, especially if you don't know that some tenants even exist. This creates risk for your organization's security and compliance objectives.
1917

2018
Microsoft Entra Tenant Governance enables you to get visibility across all your tenants and ensure they are configured to meet your security and compliance requirements. This includes the tenants you administer today, "shadow IT" tenants that you don't administer but that create risks for your organization, and new tenants that your users create.
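
Review bot: Dropping the `entra-entra-governance-license` include at line 16 leaves only the preview note on line 14 ahead of the body text, so the overview no longer states any license requirement. If licensing is now covered by the preview include or by another article, link to it here; otherwise keep a one-line license statement.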

docs/identity-platform/custom-extension-attribute-collection.md

Lines changed: 1 addition & 1 deletion
@@ -48,7 +48,7 @@ In this step, you create an HTTP trigger function API using Azure Functions. The
4848
| **Function App name** | Globally unique name | A name that identifies the new function app. Valid characters are `a-z` (case insensitive), `0-9`, and `-`. |
4949
|**Publish**| Code | Option to publish code files or a Docker container. For this tutorial, select **Code**. |
5050
| **Runtime stack** | .NET | Your preferred programming language. For this tutorial, select **.NET**. |
51-
| **Version** | 6 (LTS) In-process | Version of the .NET runtime. In-process signifies that you can create and modify functions in the portal, which is recommended for this guide |
51+
| **Version** | 6 (LTS) isolated (out-of-process) | Version of the .NET runtime. Isolated (out-of-process) signifies that you can create and run functions using the supported hosting model. |
5252
| **Region** | Preferred region | Select a [region](https://azure.microsoft.com/regions/) that's near you or near other services that your functions can access. |
5353
| **Operating System** | Windows | The operating system is preselected for you based on your runtime stack selection. |
5454
| **Plan type** | Consumption (Serverless) | Hosting plan that defines how resources are allocated to your function app. |
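
Review bot: The new **Version** description on line 51 drops the old row's statement that functions can be created and modified in the portal and replaces it with "using the supported hosting model", which tells the reader nothing about how the code is authored in this tutorial. State explicitly how the function is created and edited under the isolated model for this guide, and make the casing consistent between the value ("isolated") and the description ("Isolated").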

docs/identity/enterprise-apps/configure-authentication-for-federated-users-portal.md

Lines changed: 3 additions & 0 deletions
@@ -67,6 +67,9 @@ In this example, you create a policy such that when you assign it to an applicat
6767
- Auto-accelerates users to a federated identity provider sign-in screen if there's more than one federated domain in your tenant.
6868
- Enables non-interactive username/password sign-in directly to Microsoft Entra ID for federated users for the applications the policy is assigned to.
6969
70+
[!Note]
71+
Enabling `"AccelerateToFederatedDomain": true` in the policy may prevent guest users from signing in, even if the policy isn’t explicitly applied to any service principals. Review this setting carefully before applying the policy to avoid unintended access issues.
72+
7073
The following policy auto-accelerates users to a federated identity provider sign-in screen when they're signing in to an application when there's a single domain in your tenant.
7174
7275
1. Run the Connect command to sign in to Microsoft Entra ID with at least the [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) role:
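
Review bot: The note added at lines 70-71 is a bare `[!Note]` line followed by plain text, without the leading `>` on each line, so it will not render as a callout and the warning about guest sign-in is easy to miss. Use `> [!NOTE]` and prefix the body with `> `, and replace the typographic apostrophe in "isn’t" with a plain one. Because the note says guest sign-in can break even when the policy isn't applied to any service principal, it should also say under which condition that happens so an admin knows what to check before creating the policy.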

docs/identity/enterprise-apps/restore-application.md

Lines changed: 1 addition & 1 deletion
@@ -99,7 +99,7 @@ Alternatively, if you want to get the specific enterprise application that was d
9999
$deletedServicePrincipal = Get-EntraDeletedServicePrincipal -Filter "DisplayName eq 'test-App1-Deleted'"
100100
101101
#assign the value returned to a variable and restore the deleted service principal
102-
Id = $deletedServicePrincipal.Id
102+
$Id = $deletedServicePrincipal.Id
103103
Restore-EntraDeletedDirectoryObject -Id $deletedServicePrincipal.Id
104104
```
105105
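
Review bot: Line 102 now assigns `$Id` correctly, but line 103 still passes `$deletedServicePrincipal.Id`, so the new variable is never used and the comment on line 101 describes a step with no effect. Either call `Restore-EntraDeletedDirectoryObject -Id $Id` or drop the assignment. Also note that the `-Filter` on line 99 matches by display name, so if more than one deleted object shares that name, `.Id` is a collection rather than a single value.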

docs/identity/hybrid/cloud-sync/how-to-install-pshell.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ The Windows server must have TLS 1.2 enabled before you install the Microsoft En
3636
6. For the purposes of these instructions, the agent was downloaded to the C:\temp folder.
3737
7. Install ProvisioningAgent in quiet mode.
3838
```
39-
$installerProcess = Start-Process 'c:\temp\AADConnectProvisioningAgentSetup.exe' /quiet -NoNewWindow -PassThru
39+
$installerProcess = Start-Process 'c:\temp\ProvisioningAgentSetup.exe' /quiet -NoNewWindow -PassThru
4040
$installerProcess.WaitForExit()
4141

4242
```
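
Review bot: The quiet install on lines 39-40 waits for the process to exit but never inspects `$installerProcess.ExitCode`, so with `/quiet` suppressing the UI a failed install passes silently. Suggest checking the exit code after `WaitForExit()`. The renamed file on line 39 also has to match what step 6 actually places in C:\temp, so name the file in step 6, and tag the fence on line 38 as `powershell`.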

docs/identity/hybrid/connect/how-to-bypassdirsyncoverrides.md

Lines changed: 2 additions & 1 deletion
@@ -55,6 +55,7 @@ By default, *BypassDirSyncOverridesEnabled* feature is turned off. Enabling *Byp
5555
To enable BypassDirSyncOverridesEnabled feature, use the [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) module.
5656

5757
```powershell
58+
Connect-MgGraph -Scopes "Directory.ReadWrite.All"
5859
$directorySynchronization = Get-MgDirectoryOnPremiseSynchronization
5960
$directorySynchronization.Features.BypassDirSyncOverridesEnabled = $true
6061
Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $directorySynchronization.Id -Features $directorySynchronization.Features
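
Review bot: The `Connect-MgGraph` call added on line 58 requests `Directory.ReadWrite.All`, a tenant-wide directory write scope, for a snippet that only sets one feature flag on the on-premises synchronization object. Check whether a narrower scope covers `Get-MgDirectoryOnPremiseSynchronization` and `Update-MgDirectoryOnPremiseSynchronization`, document the least-privileged one, and state the admin role needed to consent to it.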
@@ -109,4 +110,4 @@ Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com'
109110

110111
## Next Steps
111112

112-
Learn more about [Microsoft Entra Connect: `ADSyncTools` PowerShell module](reference-connect-adsynctools.md)
113+
Learn more about [Microsoft Entra Connect: `ADSyncTools` PowerShell module](reference-connect-adsynctools.md)

docs/identity/hybrid/connect/how-to-connect-password-hash-synchronization.md

Lines changed: 1 addition & 1 deletion
@@ -211,7 +211,7 @@ With password hash synchronization enabled, this AD password hash is synced with
211211
>
212212
> Previously, when SCRIL was re-enabled and a new randomized AD password was generated, the user was still able to use their old password to authenticate to Microsoft Entra ID. Now, Connect Sync has been updated so that new randomized AD password is synced to Microsoft Entra ID and the old password cannot be used once smart card login is enabled.
213213
>
214-
> We recommend that admins person any of the below actions if they have users with a SCRIL bit in their AD Domain
214+
> We recommend that admins perform any of the below actions if they have users with a SCRIL bit in their AD Domain
215215
> 1. Perform a full password hash sync as per [this guide](tshoot-connect-password-hash-synchronization.md) to ensure the passwords of all SCRIL users are scrambled
216216
> 2. Scramble the password of an individual user by toggling SCRIL settings off then back on or directly changing the user's password
217217
> 3. Periodically rotate the passwords for SCRIL users. Eventually all such users will have their passwords scrambled
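
Review bot: The typo fix on line 214 is right, but the sentence still tells admins to perform "any of" the three actions, while line 217 describes option 3 as only "eventually" scrambling the passwords. Given that line 212 says the old password previously stayed usable, the options do not close that gap equally fast; consider recommending option 1 or 2 and presenting periodic rotation as a fallback. Line 214 should also end with a colon before the list.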

docs/identity/monitoring-health/reference-reports-data-retention.md

Lines changed: 3 additions & 0 deletions
@@ -51,6 +51,9 @@ Log storage within Microsoft Entra varies by report type and license type. You c
5151
| Risky users | No limit | No limit | No limit |
5252
| Risky sign-ins | 7 days | 30 days | 90 days |
5353

54+
> [!NOTE]
55+
> Organizations with Microsoft 365 E5, Office 365 E5, Microsoft Purview Suite, or E5 eDiscovery and Audit add-on licenses can also use Microsoft Purview Audit (Premium) to retain Microsoft Entra ID audit logs beyond the default period, providing an alternative to exporting logs to Azure Storage. For more information, see [Manage audit log retention policies with Microsoft Purview](/purview/audit-log-retention-policies).
56+
5457
> [!NOTE]
5558
> Risky users and workload identities are not deleted until the risk has been remediated.
5659
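
Review bot: The new note at lines 54-55 is inserted between the table and the existing note on line 57 about risky users and workload identities, which reads as a footnote to the rows directly above it (lines 51-52). Move the Purview note below the existing one, or next to the audit log rows it concerns, and say what "beyond the default period" means in practice or point explicitly to the linked article for the retention lengths.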
