ai-content-updates-freshness-review

Author: R-C-Stewart

learn-pr/wwl-sci/introduction-entra-agent-id/includes/1-introduction.md

@@ -15,6 +15,11 @@ Each of these agents needs an identity to authenticate and access resources secu
 
 Microsoft Entra Agent ID addresses these challenges by providing specialized identity types designed for AI agents.
 
+## Availability
+
+> [!NOTE]
+> Microsoft Entra Agent ID is part of **Microsoft Agent 365**, which reaches general availability on May 1, 2026.
+
 ## Content description
 
 In this module, you learn about Microsoft Entra Agent ID and how it differs from other identity types like service principals and managed identities. You explore which Microsoft products automatically create agent identities and how to view and manage them through the Microsoft Entra admin center. You also learn about the roles required to manage agent identities and how to query them programmatically using Microsoft Graph.

learn-pr/wwl-sci/introduction-entra-agent-id/includes/4-navigate-admin-center-view-agents.md

@@ -1,5 +1,8 @@
 The Microsoft Entra admin center provides a centralized interface to view and manage your agent identities. This experience allows you to search, filter, sort, and take actions on agent identities across your organization.
 
+> [!IMPORTANT]
+> The **Agent ID** menu in the Microsoft Entra admin center is only visible if your tenant has Microsoft Entra Agent ID enabled through **Microsoft Agent 365**. This requires a Microsoft 365 Copilot license with the Frontier program enabled. If you don't see the Agent ID section, contact your administrator to verify licensing and Frontier access.
+
 ## Prerequisites for viewing agent identities
 
 To view agent identities in your Microsoft Entra tenant, you need:

learn-pr/wwl-sci/introduction-entra-agent-id/includes/5-understand-access-permissions.md

@@ -21,9 +21,11 @@ To manage agent identities (create, update, disable, delete), you need one of th
 
 ### Roles for creating agent identity blueprints
 
-To create agent identity blueprints, you need:
-- **Agent ID Developer** role or **Agent ID Administrator** role
-- **Privileged Role Administrator** role (required to grant certain permissions to blueprints)
+Creating agent identity blueprints requires different roles depending on the type of permissions being configured:
+
+- **Agent ID Developer** or **Agent ID Administrator** — to create blueprints and blueprint principals
+- **Privileged Role Administrator** — required to grant Microsoft Graph **application** permissions to the blueprint (used for autonomous, app-only agent scenarios)
+- **Cloud Application Administrator** or **Application Administrator** — required to grant Microsoft Graph **delegated** permissions to the blueprint (used for interactive agents acting on behalf of a user)
 
 ### Roles blocked from agent identities
 

learn-pr/wwl-sci/introduction-entra-agent-id/includes/6-understand-microsoft-graph-operations.md

@@ -15,13 +15,16 @@ The Microsoft Entra Agent ID APIs in Microsoft Graph help you create, secure, an
 
 The Agent ID platform introduces several Microsoft Graph resource types:
 
-| Component | Microsoft Graph Resource | Purpose |
-|-----------|-------------------------|---------|
-| **Blueprint** | `agentIdentityBlueprint` | Template defining the agent identity type and permissions |
-| **Blueprint principal** | `agentIdentityBlueprintPrincipal` | Record of blueprint's addition to a tenant |
-| **Agent identity** | `agentIdentity` | Primary identity for authentication |
-| **Agent user** | `agentUser` | Optional account for scenarios requiring a user object |
-| **Agent registry** | `agentRegistry` | Centralized repository for agent management |
+| Component | Microsoft Graph Resource | API Version | Purpose |
+|-----------|-------------------------|-------------|--------|
+| **Blueprint** | `agentIdentityBlueprint` | v1.0 (GA) | Template defining the agent identity type and permissions |
+| **Blueprint principal** | `agentIdentityBlueprintPrincipal` | v1.0 (GA) | Record of blueprint's addition to a tenant |
+| **Agent identity** | `agentIdentity` | v1.0 (GA) | Primary identity for authentication |
+| **Agent user** | `agentUser` | Beta only | Optional account for scenarios requiring a user object |
+| **Agent registry** | `agentRegistry` | Beta only | Centralized repository for agent management |
+
+> [!WARNING]
+> The `agentUser` and `agentRegistry` resources are only available under the Microsoft Graph `/beta` endpoint. Beta APIs are subject to change and are not supported for use in production applications.
 
 ## Common Microsoft Graph operations
 

learn-pr/wwl-sci/introduction-entra-agent-id/index.yml

@@ -4,7 +4,7 @@ metadata:
   title: Introduction to Microsoft Entra Agent ID
   description: "Learn about Microsoft Entra Agent ID, a specialized identity type designed for AI agents. Understand how agent identities differ from other identity types, which Microsoft products use them, and how to view and manage them in the Microsoft Entra admin center."
   ms.date: 02/09/2026
-  author: wwlpublish
+  author: r-c-stewart
   ms.author: roberts
   ms.topic: module
   ms.service: entra-id

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/1-introduction.md

@@ -1,4 +1,4 @@
-Conditional Access gives a fine granularity of control over which users can perform specific activities, access resources, and ensure data and systems are safe.
+Conditional Access gives a fine granularity of control over which users and identities can perform specific activities, access resources, and ensure data and systems are safe. With the introduction of Microsoft Entra Agent ID, that control now extends to AI agents — you apply the same Zero Trust principles to agent identities that you apply to users and workload identities.
 
 ## Learning objectives
 
@@ -11,3 +11,4 @@ In this module, you will:
  -  Implement application controls.
  -  Implement session management.
  -  Configure continuous access evaluation.
+ -  Identify how agent identities are protected using Conditional Access.

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/13-summary-resources.md

@@ -23,3 +23,4 @@ To learn more about the technology in this module, check out the following links
  - [Introducing security defaults](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414)
  - [Plan a Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access)
  - [Continuous Access Evaluation (CAE](/entra/identity/conditional-access/concept-continuous-access-evaluation))
+ - [Conditional Access for agent identities (Microsoft Entra Agent ID)](/entra/identity/conditional-access/concept-conditional-access-policy-common)

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/2-plan-security-defaults.md

@@ -10,7 +10,9 @@ Managing security can be difficult with common identity-related attacks like pas
 
 ## Availability
 
-Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. If your tenant was created on or after October 22, 2019, it is possible security defaults are already enabled in your tenant. To protect all of our users, the security defaults feature is being rolled out to all new tenants created.
+Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. If your tenant was created on or after October 22, 2019, security defaults might already be enabled. To protect all users, security defaults are enabled on all new tenants at creation.
+
+To enable or disable security defaults, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a Conditional Access Administrator, then browse to **Entra ID** > **Overview** > **Properties**, and select **Manage security defaults**.
 
 ### Who's it for?
 
@@ -24,23 +26,30 @@ Microsoft security defaults are available to everyone. The goal is to ensure tha
 
 ### Unified multifactor authentication registration
 
-All users in your tenant must register for multifactor authentication (MFA) in the form of the Multifactor Authentication. Users have 14 days to register for multifactor authentication within Microsoft Entra ID by using the Microsoft Authenticator app. After the 14 days have passed, the user won't be able to sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.
+All users in your tenant must register for multifactor authentication (MFA) using the Microsoft Authenticator app. Registration is required immediately — there is no grace period. When users sign in after security defaults are enabled, they're prompted to register before they can access any resources. The MFA prompt uses number matching, where users enter a number displayed on screen into the Microsoft Authenticator app, which helps prevent MFA fatigue attacks.
 
 ### Protecting administrators
 
 Users with privileged access have increased access to your environment. Due to the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in. In Microsoft Entra ID, you can get a stronger account verification by requiring multifactor authentication.
 
-After registration with Multifactor Authentication is finished, the following nine Microsoft Entra administrator roles will be required to perform additional authentication every time they sign in:
+After registration with multifactor authentication is finished, the following Microsoft Entra administrator roles are required to perform additional authentication every time they sign in:
 
  - Global Administrator
- - SharePoint Administrator
- - Exchange Administrator
+ - Application Administrator
+ - Authentication Administrator
+ - Authentication Policy Administrator
+ - Billing Administrator
+ - Cloud Application Administrator
  - Conditional Access Administrator
- - Security Administrator
+ - Exchange Administrator
  - Helpdesk Administrator
- - Billing Administrator
+ - Identity Governance Administrator
+ - Password Administrator
+ - Privileged Authentication Administrator
+ - Privileged Role Administrator
+ - Security Administrator
+ - SharePoint Administrator
  - User Administrator
- - Authentication Administrator
 
 ### Protecting all users
 

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/4-plan-conditional-access-policies.md

@@ -34,6 +34,8 @@ Some common questions about assignments, access controls, and session controls:
  - Access controls: Do you want to grant access to resources by implementing requirements such as MFA, devices marked as compliant, or Microsoft Entra hybrid joined devices?
  - Session controls: Do you want to control access to cloud apps by implementing requirements such as app enforced permissions or Conditional Access App Control?
 
+With the introduction of Microsoft Entra Agent ID, agent identities are now first-class principals in Microsoft Entra ID. Like users or service principals, agents can be targeted by Conditional Access policies — allowing you to apply the same Zero Trust controls to AI agents that you apply to human identities. You treat agent identities similarly to how you treat workload identities: scope policies by identity type, enforce appropriate access controls, and exclude emergency or trusted agents where necessary.
+
 ### Access token issuance
 
 Access tokens enable clients to securely call protected web APIs, and they're used by web APIs to perform authentication and authorization. Per the OAuth specification, access tokens are opaque strings without a set format. Some identity providers (IDPs) use GUIDs; others use encrypted blobs. The Microsoft identity platform uses a variety of access token formats depending on the configuration of the API that accepts the token.

learn-pr/wwl-sci/plan-implement-administer-conditional-access/includes/5-implement-conditional-access-policies-controls-assignments.md

@@ -1,18 +1,22 @@
-Visual Studio App Center supports Microsoft Entra Conditional Access, an advanced feature of Microsoft Entra ID that enables you to specify detailed policies that control who can access your resources. Using Conditional Access, you can protect your applications by limiting users' access based on things like group, device type, location, and role.
+Conditional Access is an advanced capability of Microsoft Entra ID that enables you to specify detailed policies that control who can access your resources. Using Conditional Access, you can protect your applications by limiting users' access based on signals like group membership, device compliance, network location, and sign-in risk.
 
-## Setting up Conditional Access
+## Create a Conditional Access policy
 
-This is an abbreviated guide to setting up Conditional Access. Full documentation is available at [What is Conditional Access?](/entra/identity/conditional-access/overview).
+This is an abbreviated guide to creating a Conditional Access policy. Full documentation is available at [What is Conditional Access?](/entra/identity/conditional-access/overview).
 
-In the Azure portal, open your Active Directory tenant, then open the **Security** settings, and select **Conditional Access**.
+To create a new policy:
 
-In **Conditional Access** settings, select **New policy** to create a policy.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a Conditional Access Administrator.
+2. Browse to **Protection** > **Conditional Access**.
+3. Select **+ New policy**.
+4. Give the policy a meaningful name.
+5. Configure **Assignments** — select the users, groups, or roles the policy applies to.
+6. Configure **Target resources** — select the cloud apps or user actions the policy covers.
+7. Configure any additional **Conditions** such as sign-in risk, device platform, or location.
+8. Under **Access controls**, configure the **Grant** or **Session** controls to apply.
+9. Set **Enable policy** to **Report-only** to test impact before enabling, then select **Create**.
 
-:::image type="content" source="../media/conditional-access-2.png" alt-text="Screenshot of the Microsoft Entra Conditional Access screen, listing policies that currently exist.":::
-
-In **New policy** settings, select **Cloud apps or actions** and select **Visual Studio App Center** as the target of the policy. Then select the other conditions that you want to apply, enable the policy, and select **Create** to save it.
-
-:::image type="content" source="../media/conditional-access-1.png" alt-text="Screenshot of the Microsoft Entra Conditional Access: Cloud apps or actions page for configuration.":::
+Microsoft recommends starting all new policies in report-only mode. Monitor sign-in logs to verify expected behavior before switching the policy to **On**.
 
 ## Sign-in risk-based Conditional Access
 
@@ -36,14 +40,17 @@ Securing when and how users register for multifactor authentication and self-ser
 
 The following policy applies to all selected users who attempt to register using the combined registration experience, and it blocks access unless they are connecting from a location marked as a trusted network.
 
-1. In the **Microsoft Entra admin center**, browse to **Identity**, then **Protection**, and then **Conditional Access**.
+1. In the **Microsoft Entra admin center**, browse to **Protection**, then **Conditional Access**.
 2. Select **+ Create new policy**.
 3. In **Name**, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**.
 4. Under **Assignments**, select **Users and groups**, and select the users and groups you want this policy to apply to.
 
    1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
    2. Select **Done**.
 
+   > [!NOTE]
+   > If you were targeting AI agents instead of users, you would select **Workload identities** in the Assignments area and choose your agent identity from Microsoft Entra Agent ID at this step. The rest of the policy structure remains the same.
+
 5.  Under **Cloud apps or actions**, select **User actions**, check **Register security information**.
 6.  Under **Conditions**, select **Locations**.
 
@@ -80,7 +87,7 @@ With the location condition in Conditional Access, you can control access to you
 ### Define locations
 
 1. Sign in to the **Microsoft Entra admin portal** as a Security Administrator, or Conditional Access Administrator.
-2. Browse to **Identity**, then **Protection**, then **Conditional Access**, and then **Named locations**.
+2. Browse to **Protection**, then **Conditional Access**, then **Named locations**.
 3. Choose **New location**.
 4. Give your location a name.
 5. Choose **IP ranges** if you know the specific externally accessible IPv4 address ranges that make up that location or **Countries/Regions**.
@@ -94,7 +101,7 @@ With the location condition in Conditional Access, you can control access to you
 ### Create a Conditional Access policy
 
 1. Sign in to the **Microsoft Entra admin center** as a Security Administrator, or Conditional Access Administrator.
-2. Browse to **Identity**, then **Protection**, and then **Conditional Access**.
+2. Browse to **Protection**, then **Conditional Access**.
 3. Select **+ Create new policy**.
 4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
 5. Under **Assignments**, select **Users and groups.**
@@ -131,7 +138,7 @@ This policy compliance information is forwarded to Microsoft Entra ID where Cond
 The following steps will help create a Conditional Access policy to require devices accessing resources be marked as compliant with your organization's Intune compliance policies.
 
 1. Sign in to the **Microsoft Entra admin center** as a Security Administrator, or Conditional Access Administrator.
-2. Browse to **Identity**, then **Protection**, and then **Conditional Access**.
+2. Browse to **Protection**, then **Conditional Access**.
 3. Select **+ Create new policy**.
 4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
 5. Under **Assignments**, select **Users and groups.**
@@ -178,6 +185,8 @@ Conditional Access policies are powerful tools. We recommend excluding the follo
 
    - If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.
 
+ - **Agent identities**: AI agents registered in Microsoft Entra Agent ID can be targeted by or excluded from Conditional Access policies just like service principals. Ensure any trusted agents that require uninterrupted access are explicitly excluded, and review agent-targeted policies alongside your workload identity policies.
+
 ## Conditional Access Terms of Use (TOU)
 
 :::image type="content" source="../media/create-terms-identity-governance.png" alt-text="Screenshot of the Identity Governance dialog to create new Terms of Use for your cloud solutions.":::