Merge pull request #54327 from R-C-Stewart/refresh-ai-content-in-existing-modules

ai-content-updates-freshness-review

Author: JamesJBarnett

learn-pr/wwl-sci/introduction-entra-agent-id/includes/1-introduction.md

@@ -15,6 +15,11 @@ Each of these agents needs an identity to authenticate and access resources secu
 
 Microsoft Entra Agent ID addresses these challenges by providing specialized identity types designed for AI agents.
 
+## Availability
+
+> [!NOTE]
+> Microsoft Entra Agent ID is part of **Microsoft Agent 365**.
+
 ## Content description
 
 In this module, you learn about Microsoft Entra Agent ID and how it differs from other identity types like service principals and managed identities. You explore which Microsoft products automatically create agent identities and how to view and manage them through the Microsoft Entra admin center. You also learn about the roles required to manage agent identities and how to query them programmatically using Microsoft Graph.

learn-pr/wwl-sci/introduction-entra-agent-id/includes/4-navigate-admin-center-view-agents.md

@@ -1,5 +1,8 @@
 The Microsoft Entra admin center provides a centralized interface to view and manage your agent identities. This experience allows you to search, filter, sort, and take actions on agent identities across your organization.
 
+> [!IMPORTANT]
+> The **Agent ID** menu in the Microsoft Entra admin center is only visible if your tenant has Microsoft Entra Agent ID enabled through **Microsoft Agent 365**. This requires a Microsoft 365 Copilot license with the Frontier program enabled. If you don't see the Agent ID section, contact your administrator to verify licensing and Frontier access.
+
 ## Prerequisites for viewing agent identities
 
 To view agent identities in your Microsoft Entra tenant, you need:

learn-pr/wwl-sci/introduction-entra-agent-id/includes/5-understand-access-permissions.md

@@ -21,9 +21,11 @@ To manage agent identities (create, update, disable, delete), you need one of th
 
 ### Roles for creating agent identity blueprints
 
-To create agent identity blueprints, you need:
-- **Agent ID Developer** role or **Agent ID Administrator** role
-- **Privileged Role Administrator** role (required to grant certain permissions to blueprints)
+Creating agent identity blueprints requires different roles depending on the type of permissions being configured:
+
+- **Agent ID Developer** or **Agent ID Administrator** — to create blueprints and blueprint principals
+- **Privileged Role Administrator** — required to grant Microsoft Graph **application** permissions to the blueprint (used for autonomous, app-only agent scenarios)
+- **Cloud Application Administrator** or **Application Administrator** — required to grant Microsoft Graph **delegated** permissions to the blueprint (used for interactive agents acting on behalf of a user)
 
 ### Roles blocked from agent identities
 

learn-pr/wwl-sci/introduction-entra-agent-id/includes/6-understand-microsoft-graph-operations.md

@@ -15,13 +15,16 @@ The Microsoft Entra Agent ID APIs in Microsoft Graph help you create, secure, an
 
 The Agent ID platform introduces several Microsoft Graph resource types:
 
-| Component | Microsoft Graph Resource | Purpose |
-|-----------|-------------------------|---------|
-| **Blueprint** | `agentIdentityBlueprint` | Template defining the agent identity type and permissions |
-| **Blueprint principal** | `agentIdentityBlueprintPrincipal` | Record of blueprint's addition to a tenant |
-| **Agent identity** | `agentIdentity` | Primary identity for authentication |
-| **Agent user** | `agentUser` | Optional account for scenarios requiring a user object |
-| **Agent registry** | `agentRegistry` | Centralized repository for agent management |
+| Component | Microsoft Graph Resource | API Version | Purpose |
+|-----------|-------------------------|-------------|--------|
+| **Blueprint** | `agentIdentityBlueprint` | v1.0 (GA) | Template defining the agent identity type and permissions |
+| **Blueprint principal** | `agentIdentityBlueprintPrincipal` | v1.0 (GA) | Record of blueprint's addition to a tenant |
+| **Agent identity** | `agentIdentity` | v1.0 (GA) | Primary identity for authentication |
+| **Agent user** | `agentUser` | Beta only | Optional account for scenarios requiring a user object |
+| **Agent registry** | `agentRegistry` | Beta only | Centralized repository for agent management |
+
+> [!WARNING]
+> The `agentUser` and `agentRegistry` resources are only available under the Microsoft Graph `/beta` endpoint. Beta APIs are subject to change and are not supported for use in production applications.
 
 ## Common Microsoft Graph operations
 

learn-pr/wwl-sci/introduction-entra-agent-id/index.yml

@@ -4,7 +4,7 @@ metadata:
   title: Introduction to Microsoft Entra Agent ID
   description: "Learn about Microsoft Entra Agent ID, a specialized identity type designed for AI agents. Understand how agent identities differ from other identity types, which Microsoft products use them, and how to view and manage them in the Microsoft Entra admin center."
   ms.date: 02/09/2026
-  author: wwlpublish
+  author: r-c-stewart
   ms.author: roberts
   ms.topic: module
   ms.service: entra-id

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/1-introduction.md

@@ -1,4 +1,4 @@
-Conditional Access gives a fine granularity of control over which users can perform specific activities, access resources, and ensure data and systems are safe.
+Conditional Access gives a fine granularity of control over which users and identities can perform specific activities, access resources, and ensure data and systems are safe. With the introduction of Microsoft Entra Agent ID control, now extends to AI agents—you apply the same Zero Trust principles to agent identities that you apply to users and workload identities.
 
 ## Learning objectives
 
@@ -11,3 +11,4 @@ In this module, you will:
  -  Implement application controls.
  -  Implement session management.
  -  Configure continuous access evaluation.
+ -  Identify how agent identities are protected using Conditional Access.

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/13-summary-resources.md

@@ -23,3 +23,4 @@ To learn more about the technology in this module, check out the following links
  - [Introducing security defaults](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414)
  - [Plan a Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access)
  - [Continuous Access Evaluation (CAE](/entra/identity/conditional-access/concept-continuous-access-evaluation))
+ - [Conditional Access for agent identities (Microsoft Entra Agent ID)](/entra/identity/conditional-access/concept-conditional-access-policy-common)

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/2-plan-security-defaults.md

@@ -1,4 +1,4 @@
-Managing security can be difficult with common identity-related attacks like password spray, replay, and phishing becoming more and more popular. Security defaults provide secure default settings that Microsoft manages on behalf of organizations to keep customers safe until organizations are ready to manage their own identity security story. Security defaults provide preconfigured security settings, such as:
+Managing security can be difficult with common identity-related attacks like password spray, replay, and phishing becoming more popular. Security defaults provide secure default settings that Microsoft manages on behalf of organizations to keep customers safe until organizations are ready to manage their own identity security story. Security defaults provide preconfigured security settings, such as:
 
  - Requiring all users to register for multifactor authentication.
  - Requiring administrators to perform multifactor authentication.
@@ -10,53 +10,62 @@ Managing security can be difficult with common identity-related attacks like pas
 
 ## Availability
 
-Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. If your tenant was created on or after October 22, 2019, it is possible security defaults are already enabled in your tenant. To protect all of our users, the security defaults feature is being rolled out to all new tenants created.
+Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. If your tenant was created on or after October 22, 2019, security defaults might already be enabled. To protect all users, security defaults are enabled on all new tenants at creation.
+
+To enable or disable security defaults, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a Conditional Access Administrator, then browse to **Entra ID** > **Overview** > **Properties**, and select **Manage security defaults**.
 
 ### Who's it for?
 
 | **Who should use security defaults?**                                                           | **Who shouldn't use security defaults?**                                                                                                 |
 | ----------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
 | Organizations that want to increase their security posture but don't know how or where to start | Organizations currently using Conditional Access policies to bring signals together, make decisions, and enforce organizational policies |
-| Organizations utilizing the free tier of Microsoft Entra ID Licensing                           | Organizations with Microsoft Entra ID Premium licenses                                                                                   |
+| Organizations utilizing the free tier of Microsoft Entra ID Licensing                           | Organization with Microsoft Entra ID Premium licenses                                                                                   |
 |                                                                                                 | Organizations with complex security requirements that warrant using Conditional Access                                                   |
 
 ## Policies enforced
 
 ### Unified multifactor authentication registration
 
-All users in your tenant must register for multifactor authentication (MFA) in the form of the Multifactor Authentication. Users have 14 days to register for multifactor authentication within Microsoft Entra ID by using the Microsoft Authenticator app. After the 14 days have passed, the user won't be able to sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.
+All users in your tenant must register for multifactor authentication (MFA) using the Microsoft Authenticator app. Registration is required immediately—there's no grace period. When users sign in after security defaults are enabled, they're prompted to register before they can access any resources. The MFA prompt uses number matching, where users enter a number displayed on screen into the Microsoft Authenticator app, which helps prevent MFA fatigue attacks.
 
 ### Protecting administrators
 
-Users with privileged access have increased access to your environment. Due to the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in. In Microsoft Entra ID, you can get a stronger account verification by requiring multifactor authentication.
+Users with privileged access often increase access to your environment. Due to the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in. In Microsoft Entra ID, you can get a stronger account verification by requiring multifactor authentication.
 
-After registration with Multifactor Authentication is finished, the following nine Microsoft Entra administrator roles will be required to perform additional authentication every time they sign in:
+After registration with multifactor authentication is finished, the following Microsoft Entra administrator roles are required to perform other authentication every time they sign in:
 
  - Global Administrator
- - SharePoint Administrator
- - Exchange Administrator
+ - Application Administrator
+ - Authentication Administrator
+ - Authentication Policy Administrator
+ - Billing Administrator
+ - Cloud Application Administrator
  - Conditional Access Administrator
- - Security Administrator
+ - Exchange Administrator
  - Helpdesk Administrator
- - Billing Administrator
+ - Identity Governance Administrator
+ - Password Administrator
+ - Privileged Authentication Administrator
+ - Privileged Role Administrator
+ - Security Administrator
+ - SharePoint Administrator
  - User Administrator
- - Authentication Administrator
 
 ### Protecting all users
 
 We tend to think that administrator accounts are the only accounts that need extra layers of authentication. Administrators have broad access to sensitive information and can make changes to subscription-wide settings. But attackers frequently target end users.
 
 After these attackers gain access, they can request access to privileged information on behalf of the original account holder. They can even download the entire directory to perform a phishing attack on your whole organization.
 
-One common method to improve protection for all users is to require a stronger form of account verification, such as multifactor authentication, for everyone. After users complete Multifactor Authentication registration, they'll be prompted for additional authentication whenever necessary. This functionality protects all applications registered with Microsoft Entra ID, including SaaS applications.
+One common method to improve protection for all users is to require a stronger form of account verification, such as multifactor authentication, for everyone. After users complete Multifactor Authentication registration, they'll be prompted for extra authentication whenever necessary. This functionality protects all applications registered with Microsoft Entra ID, including SaaS applications.
 
 ### Blocking legacy authentication
 
-To give your users easy access to your cloud apps, Microsoft Entra ID supports a variety of authentication protocols, including legacy authentication. *Legacy authentication* is an authentication request made by:
+To give your users easy access to your cloud apps, Microsoft Entra ID supports various authentication protocols, including legacy authentication. *Legacy authentication* is an authentication request made by:
 
  - Clients that don't use modern authentication (for example, an Office 2010 client). Modern authentication encompasses clients that implement protocols, such as OAuth 2.0, to support features like multifactor authentication and smart cards. Legacy authentication typically only supports less secure mechanisms like passwords.
  - Client that uses mail protocols such as IMAP, SMTP, or POP3.
 
-Today, the majority of compromising sign-in attempts come from legacy authentication. Legacy authentication does not support multifactor authentication. Even if you have a multifactor authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass multifactor authentication.
+Today, most compromising sign-in attempts come from legacy authentication. Legacy authentication doesn't support multifactor authentication. Even if you have a multifactor authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass multifactor authentication.
 
 After security defaults are enabled in your tenant, all authentication requests made by an older protocol will be blocked. Security defaults blocks Exchange Active Sync basic authentication.

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/4-plan-conditional-access-policies.md

@@ -34,6 +34,8 @@ Some common questions about assignments, access controls, and session controls:
  - Access controls: Do you want to grant access to resources by implementing requirements such as MFA, devices marked as compliant, or Microsoft Entra hybrid joined devices?
  - Session controls: Do you want to control access to cloud apps by implementing requirements such as app enforced permissions or Conditional Access App Control?
 
+With the introduction of Microsoft Entra Agent ID, agent identities are now first-class principals in Microsoft Entra ID. Like users or service principals, agents can be targeted by Conditional Access policies — allowing you to apply the same Zero Trust controls to AI agents that you apply to human identities. You treat agent identities similarly to how you treat workload identities: scope policies by identity type, enforce appropriate access controls, and exclude emergency or trusted agents where necessary.
+
 ### Access token issuance
 
 Access tokens enable clients to securely call protected web APIs, and they're used by web APIs to perform authentication and authorization. Per the OAuth specification, access tokens are opaque strings without a set format. Some identity providers (IDPs) use GUIDs; others use encrypted blobs. The Microsoft identity platform uses a variety of access token formats depending on the configuration of the API that accepts the token.