
Commit dff632d

Merge pull request #10663 from MicrosoftDocs/main
Auto Publish – main to live - 2025-12-02 23:07 UTC
2 parents 5d05395 + 23d99f6 commit dff632d


5 files changed

+31
-16
lines changed


docs/id-governance/create-access-review-pim-for-groups.md

Lines changed: 3 additions & 0 deletions
@@ -33,6 +33,9 @@ This article describes how to create one or more access reviews for PIM for Grou
3333

3434
![Screenshot that shows the Access reviews pane in Identity Governance.](./media/create-access-review/access-reviews.png)
3535

36+
1. On the Access reviews template screen, select **Review access to a resource type**.
37+
:::image type="content" source="media/catalog-access-reviews/access-review-templates.png" alt-text="Screenshot of the access review templates page.":::
38+
3639
1. In the **Select what to review** box, select **Teams + Groups**.
3740

3841
![Screenshot that shows creating an access review.](./media/create-access-review/select-what-review.png)
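Review bot: the `:::image` directive added under the new step must be indented to the list-item level, otherwise it closes the ordered list and the following `1. In the **Select what to review** box` renders as a fresh list instead of the next step; give the image and the blank lines around it the same indent as the step text. The step also introduces the `:::image` form into a procedure whose other screenshots use `![...]` markdown images; either form renders, but the article should use one consistently.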

docs/id-governance/create-access-review.md

Lines changed: 7 additions & 3 deletions
@@ -28,6 +28,7 @@ This article describes how to create one or more access reviews for group member
2828
- To review access package assignments, see [configure an access review in entitlement management](entitlement-management-access-reviews-create.md).
2929
- To review Azure resource or Microsoft Entra roles, see [Create an access review of Azure resource and Microsoft Entra roles in Privileged Identity Management](privileged-identity-management/pim-create-roles-and-resource-roles-review.md).
3030
- For reviews of PIM for Groups, see [create an access review of PIM for Groups](create-access-review-pim-for-groups.md).
31+
- For reviews across multiple groups, applications and custom data providers, see [catalog access reviews (preview)](catalog-access-reviews.md).
3132

3233

3334

@@ -55,6 +56,9 @@ If you're reviewing access to an application, then before you create the review,
5556

5657
![Screenshot that shows the Access reviews pane in Identity Governance.](./media/create-access-review/access-reviews.png)
5758

59+
1. On the Access reviews template screen, select **Review access to a resource type**.
60+
:::image type="content" source="media/catalog-access-reviews/access-review-templates.png" alt-text="Screenshot of the access review templates page.":::
61+
5862
4. In the **Select what to review** box, select which resource you want to review.
5963

6064
![Screenshot that shows creating an access review.](./media/create-access-review/select-what-review.png)
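Review bot: the inserted step is numbered `1.` while the step immediately after it keeps its explicit `4.`, so the rendered procedure will either restart at 1 or show 1, 4, 5, ...; number the new step to match its position and shift steps 4 through 6 by one (the later hunk already shifts 7 through 9), or convert the whole procedure to all-`1.` auto-numbering. Same indentation point for the `:::image` block as in the PIM-for-Groups file: it needs to sit inside the list item.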
@@ -73,19 +77,19 @@ If you're reviewing access to an application, then before you create the review,
7377
> [!NOTE]
7478
> Selecting multiple groups or applications results in the creation of multiple access reviews. For example, if you select five groups to review, the result is five separate access reviews.
7579
76-
7. Now you can select a scope for the review. Your options are:
80+
8. Now you can select a scope for the review. Your options are:
7781
- **Guest users only**: This option limits the access review to only the Microsoft Entra B2B guest users in your directory.
7882
- **Everyone**: This option scopes the access review to all user objects associated with the resource.
7983

8084
> [!NOTE]
8185
> If you selected **All Microsoft 365 groups with guest users**, your only option is to review **Guest users only**.
8286
83-
8. Or if you're conducting group membership review, you can create access reviews for only the inactive users in the group. In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review focuses on inactive users only, those who haven't signed in either interactively or non-interactively to the tenant. Then, specify **Days inactive** with many days inactive up to 730 days (two years). Users in the group inactive for the specified number of days are the only users in the review.
87+
9. Or if you're conducting group membership review, you can create access reviews for only the inactive users in the group. In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review focuses on inactive users only, those who haven't signed in either interactively or non-interactively to the tenant. Then, specify **Days inactive** with many days inactive up to 730 days (two years). Users in the group inactive for the specified number of days are the only users in the review.
8488

8589
> [!NOTE]
8690
> Recently created users aren't affected when configuring the inactivity time. The Access Review checks if a user has been created in the time frame configured and disregard users who haven’t existed for at least that amount of time. For example, if you set the inactivity time as 90 days and a guest user was created or invited less than 90 days ago, the guest user won't be in scope of the Access Review. This ensures that a user can sign in at least once before being removed.
8791
88-
9. Select **Next: Reviews**.
92+
10. Select **Next: Reviews**.
8993

9094
### Next: Reviews
9195

docs/id-governance/delegate-approvals-my-access.md

Lines changed: 4 additions & 3 deletions
@@ -15,7 +15,7 @@ ms.date: 08/26/2025
1515
Approval delegation in My Access allows approvers to assign another individual to respond to access package approval requests on their behalf. This feature helps maintain productivity when approvers are unavailable due to leave, travel, or other commitments.
1616

1717
> [!NOTE]
18-
> This feature currently applies only to access package approvals and will be expanded to support access reviews in November 2025.
18+
> This feature currently applies only to access package approvals and will be expanded to support access reviews.
1919
2020
## License requirements
2121

@@ -25,9 +25,9 @@ Approval delegation in My Access allows approvers to assign another individual t
2525

2626
When an approver sets a delegate, the following happens:
2727

28-
- All approvals assigned after the delegation are routed to the delegate.
28+
- All approvals explicitly assigned to an approver (not through a group) after delegation are routed to the specified delegate.
2929
- The original approver can still respond to approvals during the delegation period.
30-
- Delegations, prior to November 1 2025, are time-bound. After November 1, 2025, they can be time-bound or indefinite.
30+
- Delegations can be time-bound or indefinite.
3131
- Delegates are notified when they're assigned.
3232
- Requestors are notified when their request is approved by a delegate.
3333
- Delegation is always bulk; approvers can't delegate specific types of approvals.
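Review bot: the reworded first bullet and the existing "Delegation isn't restricted. Any user can be selected as a delegate." now read together as a security-relevant pair: approvals assigned directly to an approver can be routed to any user in the directory, and with the new indefinite option that routing has no built-in end. Suggest stating next to the time-bound/indefinite bullet that approvers should remove delegations they no longer need, and saying whether administrators can see active delegations. The parenthetical "(not through a group)" also leaves the reader guessing where group-assigned approvals go during delegation; say it explicitly.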
@@ -50,6 +50,7 @@ When an approver sets a delegate, the following happens:
5050

5151
- Delegation is limited to one level. If User A delegates to User B, and User B delegates to User C, User C won't receive approvals from User A.
5252
- Delegation isn't restricted. Any user can be selected as a delegate.
53+
- Delegation only applies to approvals explicitly assigned to an approver, not those assigned through a group.
5354
- Delegation applies only to approvals assigned after the delegation is configured.
5455

5556

docs/identity/multi-tenant-organizations/multi-tenant-organization-known-issues.md

Lines changed: 5 additions & 4 deletions
@@ -6,7 +6,7 @@ manager: dougeby
66
ms.service: entra-id
77
ms.subservice: multitenant-organizations
88
ms.topic: troubleshooting
9-
ms.date: 07/05/2024
9+
ms.date: 11/21/2025
1010
ms.author: kenwith
1111
ms.custom: it-pro
1212
#Customer intent: As a dev, devops, or it admin, I want to
@@ -25,7 +25,7 @@ The limitations described in this article have the following scope.
2525
| In scope | - Microsoft Entra administrator limitations related to multitenant organizations to support seamless collaboration experiences in new Microsoft Teams, with reciprocally provisioned B2B members<br/>- Microsoft Entra administrator limitations related to multitenant organizations to support seamless collaboration experiences in Microsoft Viva Engage, with centrally provisioned B2B members |
2626
| Related scope | - Microsoft 365 admin center limitations related to multitenant organizations<br/>- Microsoft 365 multitenant organization people search experiences<br/>- Cross-tenant synchronization limitations related to Microsoft 365 |
2727
| Out of scope | - Cross-tenant synchronization unrelated to Microsoft 365<br/>- End user experiences in Viva Engage<br/>- Tenant migration or consolidation |
28-
| Unsupported scenarios | - Multitenant organizations across education tenants involving student scenarios<br/>- Multitenant organizations in Microsoft 365 Government<br/>- Seamless collaboration experience across multitenant organizations in classic Teams<br/>- Self-service for multitenant organizations larger than 100 tenants<br/>- Multitenant organizations in Azure Government or Microsoft Azure operated by 21Vianet<br/>- Cross-cloud multitenant organizations |
28+
| Unsupported scenarios | - Multitenant organizations across education tenants involving student scenarios<br/>- Multitenant organizations in Microsoft 365 Government<br/>- Seamless collaboration experience across multitenant organizations in classic Teams<br/>- Self-service for multitenant organizations larger than 100 tenants<br/>- Multitenant organizations in Azure Government or Microsoft Azure operated by 21Vianet<br/>- Multitenant organizations is available within GCC, GCC-H, and DOD clouds. However, the multitenant organizations tenants can ONLY have tenants which are within the same cloud. Cross-cloud multitenant organizations isn't supported. |
2929

3030
## Create or join a multitenant organization using the Microsoft 365 admin center
3131

@@ -113,7 +113,7 @@ The limitations described in this article have the following scope.
113113

114114
- In Microsoft 365 admin center, [Microsoft Forms](/office365/servicedescriptions/microsoft-forms-service-description), Microsoft OneNote, and Microsoft Planner, B2B member users might not be supported.
115115

116-
- In [Microsoft Power BI](/power-bi/enterprise/service-admin-azure-ad-b2b#who-can-you-invite), B2B member support is currently in preview. B2B guest users can continue to access Power BI dashboards.
116+
- In [Microsoft Power BI](/fabric/enterprise/powerbi/service-admin-entra-b2b#who-can-you-invite), B2B member support is currently in preview. B2B guest users can continue to access Power BI dashboards.
117117

118118
- In [Microsoft Power Apps](/power-platform/), [Microsoft Dynamics 365](/dynamics365/), and related workloads, B2B member users might have restricted functionality. For more information, see [Invite users with Microsoft Entra B2B collaboration](/power-platform/admin/invite-users-azure-active-directory-b2b-collaboration).
119119

@@ -137,6 +137,7 @@ The limitations described in this article have the following scope.
137137

138138
- Currently, [SkipOutOfScopeDeletions](../app-provisioning/skip-out-of-scope-deletions.md?toc=/entra/identity/multi-tenant-organizations/toc.json&pivots=cross-tenant-synchronization) works for application provisioning jobs, but not for cross-tenant synchronization. To avoid soft deletion of users taken out of scope of cross-tenant synchronization, set [Target Object Actions for Delete](cross-tenant-synchronization-configure.md#step-8-optional-define-who-is-in-scope-for-provisioning-with-scoping-filters) to disabled.
139139

140-
## Next steps
140+
## Related content
141141

142142
- [Known issues for provisioning in Microsoft Entra ID](../app-provisioning/known-issues.md?toc=/entra/identity/multi-tenant-organizations/toc.json&pivots=cross-tenant-synchronization)
143+
- [Multitenant org FAQ](/microsoft-365/enterprise/multitenant-org-faq)

docs/security-copilot/entra-agents.md

Lines changed: 12 additions & 6 deletions
@@ -34,6 +34,12 @@ Each agent works a little differently, but at their core, they first analyze you
3434

3535
Administrators can configure the agent to run automatically or trigger the agent to run manually.
3636

37+
Because each of the agents perform a specific set of tasks, they need a specific set of configurations to operate within the boundaries of that task. The administrator also needs certain Microsoft Entra roles to set up and manage the agent.
38+
39+
- **Agent identity**: A unique agent identity is created when the agent is turned on. Learn more about [agent identities](/entra/agent-id/identity-platform/what-is-agent-id).
40+
- **Permissions**: The agent identity is granted specific read and write permissions needed to perform its tasks.
41+
- **Role-based access**: The administrator needs specific roles to set up, manage, and use the agent.
42+
3743
## Available Microsoft Entra agents
3844

3945
The following agents are currently available for Microsoft Entra. Due to the fast pace at which these agents are released and updated, each agent might have features at various stages of availability. Preview features are added frequently.
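Review bot: grammar in the new paragraph: "Because each of the agents performs a specific set of tasks". "A specific set of configurations" is vague when the three bullets below name them; say "they need a dedicated identity, a bounded set of permissions, and administrator roles" and let the bullets expand. The bold labels here (Identity, Permissions, Role-based access) should match the row names in the per-agent tables; this change renames the Application Lifecycle table row from "Role requirements" to "Role-based access", so check the other agent tables use the same label.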
@@ -44,7 +50,7 @@ Empower your reviewers to make fast and accurate access decisions. The [Access R
4450

4551
| Attribute | Description |
4652
|---------------------|------------ |
47-
| Identity | Uses [Microsoft Entra Agent ID](../agent-id/identity-professional/authorization-agent-id.md) for authorization. A unique agent identity is created when the agent is turned on. Learn more about [agent identities]().<br><br>The agent uses this identity to scan your tenant for active access reviews, gather additional insights, and save its recommendations and justifications for the reviewer. For more information, see: [How it works](access-review-agent.md#how-it-works).<br><br>Final decisions, submitted through the Microsoft Teams conversation, use the reviewer's identity. |
53+
| Identity | A unique [agent identity](../agent-id/identity-professional/authorization-agent-id.md) for authorization is created when the agent is turned on.<br><br>The agent uses this identity to scan your tenant for active access reviews, gather additional insights, and save its recommendations and justifications for the reviewer. For more information, see: [How it works](access-review-agent.md#how-it-works).<br><br>Final decisions, submitted through the Microsoft Teams conversation, use the reviewer's identity. |
4854
| Licenses | [Microsoft Entra ID Governance or Microsoft Entra Suite](../id-governance/licensing-fundamentals.md) |
4955
| Permissions | Get details for access reviews<br>Read details and lifecycle workflow history for users, groups, apps, and access packages. Save access review recommendations and justifications |
5056
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
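Review bot: good catch removing the empty `[agent identities]()` link, which rendered as dead text. The replacement phrase "A unique agent identity for authorization is created" is awkward; suggest "A unique [agent identity](...) is created when the agent is turned on and is used for authorization." Since the cell states the agent saves recommendations with this identity, the Permissions row's "Save access review recommendations and justifications" is a write permission; label reads and writes separately so readers can see the agent's write surface at a glance.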
@@ -54,24 +60,24 @@ Empower your reviewers to make fast and accurate access decisions. The [Access R
5460

5561
### Application Lifecycle Management Agent (Preview)
5662

57-
Identify, onboard, and monitor applications in your environment with the Application Lifecycle Management Agent. This agent uses application discovery capabilities of Microsoft Entra Internet Access and Microsoft Entra Private Access to find unmanaged applications, recommend onboarding actions, and monitor application security posture over time. This agent is currently being deployed and might not be available in all tenants.
63+
The App Lifecycle Management Agent (Preview) helps you manage the full lifecycle of apps in Microsoft Entra, from discovery and onboarding to risk remediation and decommissioning. It correlates identity and network signals from Global Secure Access telemetry data to surface unmanaged private apps and Microsoft Entra application data. It provides clear, AI-driven recommendations to reduce app sprawl and enforce governance at scale. This agent is currently being deployed and might not be available in all tenants.
5864

5965
| Attribute | Description |
6066
|---------------------|------------ |
61-
| Identity | Uses [Microsoft Entra Agent ID](../agent-id/identity-professional/authorization-agent-id.md) for authorization. A unique agent identity is created when the agent is turned on that provides read-only permissions. Agent authentication will expire according to your policies and need to be renewed. |
62-
| Licenses | [Microsoft Entra ID P2 or Workload Identity Premium P2](/entra/fundamentals/licensing) for **App Risk Remediation** suggestions and/or Microsoft Entra Suite or [Microsoft Entra Private Access](../global-secure-access/overview-what-is-global-secure-access.md#licensing-overview) licenses for **Application Discovery & Onboarding** suggestions |
67+
| Identity | A unique [agent identity](../agent-id/identity-professional/authorization-agent-id.md) for authorization is created when the agent is turned on.<br><br>The agent uses this identity to scan your tenant with specific **permissions** to review network logs and application data to provide insights and suggestions for application management. The agent identity includes **role-based access** used for any write actions, such as creating and disabling applications, dismissing suggestions, and sending emails or Teams notifications. |
68+
| Licenses | [Microsoft Entra ID P2 or Workload Identity Premium P2](/entra/fundamentals/licensing) for **App Risk Remediation** suggestions and/or Microsoft Entra Suite or [Microsoft Entra Private Access](../global-secure-access/overview-what-is-global-secure-access.md#licensing-overview) licenses for **Application Discovery & Onboarding** suggestions |
6369
| Permissions | Read access for Global Secure Access network logs.<br>Read access for users, applications, and service principals.<br>Read access for Microsoft Entra recommendations. |
6470
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
6571
| Products | [Global Secure Access](../global-secure-access/overview-what-is-global-secure-access.md)<br>[Microsoft Entra recommendations](../identity/monitoring-health/overview-recommendations.md)<br>[Enterprise Applications](/entra/identity/enterprise-apps/)<br>[App Management](/entra/identity/enterprise-apps/) |
66-
| Role requirements | Use any of the following:<br>[Cloud Application Administrator](../identity/role-based-access-control/permissions-reference.md#cloud-application-administrator)<br>[Application Administrator](../identity/role-based-access-control/permissions-reference.md#application-administrator)<br>[Global Secure Access Administrator](../identity/role-based-access-control/permissions-reference.md#global-secure-access-administrator)<br>[Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator) |
72+
| Role-based access | Set up the agent and manage the agent:<br>[Cloud Application Administrator](../identity/role-based-access-control/permissions-reference.md#cloud-application-administrator)<br>[Application Administrator](../identity/role-based-access-control/permissions-reference.md#application-administrator)<br>[Global Secure Access Administrator](../identity/role-based-access-control/permissions-reference.md#global-secure-access-administrator)<br>[Security Administrator](../identity/role-based-access-control/permissions-reference.md#security-administrator)<br> View the output suggestions from the agent:<br>[Reports Reader](../identity/role-based-access-control/permissions-reference.md#reports-reader)<br>[Security Reader](../identity/role-based-access-control/permissions-reference.md#security-reader)<br>[Globl Reader](../identity/role-based-access-control/permissions-reference.md#global-reader) |
6773

6874
### Conditional Access Optimization Agent
6975

7076
The [Conditional Access Optimization Agent](./conditional-access-agent-optimization.md) ensures comprehensive user protection by analyzing your Conditional Access policies and recommending improvements. The agent evaluates your current policy configuration against Microsoft best practices and Zero Trust principles.
7177

7278
| Attribute | Description |
7379
|---------------------|------------ |
74-
| Identity | Uses [Microsoft Entra Agent ID](../agent-id/identity-professional/authorization-agent-id.md) for authorization |
80+
| Identity | A unique [agent identity](../agent-id/identity-professional/authorization-agent-id.md) for authorization is created when the agent is turned on.<br><br>The agent uses this identity to scan your tenant's Conditional Access policies and configurations for gaps, overlap, and misconfigurations. |
7581
| Licenses | [Microsoft Entra ID P1](../fundamentals/licensing.md) |
7682
| Permissions | Review policy configuration<br>Create new policies in report-only mode<br>Suggest policy changes requiring approval |
7783
| Plugins | [Microsoft Entra](/entra/fundamentals/copilot-security-entra) |
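Review bot: typo in the Role-based access row, "Globl Reader" should be "Global Reader", and there is a stray space in "<br> View the output suggestions". More substantively, the new Identity cell says the agent identity "includes **role-based access** used for any write actions, such as creating and disabling applications, dismissing suggestions, and sending emails or Teams notifications", while the unchanged Permissions row lists only read access (network logs; users, applications, and service principals; recommendations). Administrators sizing the agent's blast radius need the write capabilities in the Permissions row as well, or an explicit statement that writes run only under the administrator's own role. The removed sentence "Agent authentication will expire according to your policies and need to be renewed" was operationally useful (it tells admins the agent stops until re-consented); if it is still true, keep it.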
