From c5e14c0dff01255e167341a699a029c666417157 Mon Sep 17 00:00:00 2001
From: Luisina Santos <70584186+luisina-santos@users.noreply.github.com>
Date: Mon, 26 Jan 2026 10:14:39 -0300
Subject: [PATCH] CX-876 Clarify provisioning capabilities for Exchange groups

Updated limitations and instructions for Exchange groups provisioning.

@mindymo please update if you think it needs more clarification.

main change:
- Exchange groups provisioning and sync owners is ONLY available using *Client secret* auth method. Using OAuth you are not able to manage exchange groups
---
 baton/microsoft-entra.mdx | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/baton/microsoft-entra.mdx b/baton/microsoft-entra.mdx
index 7dc7271..58d0990 100644
--- a/baton/microsoft-entra.mdx
+++ b/baton/microsoft-entra.mdx
@@ -21,7 +21,7 @@ The Entra ID connector supports [automatic account provisioning and deprovisioni
 
 When a new account is created by ConductorOne, the account's password will be sent to a [vault](/product/admin/vaults).
 
-*Due to limitations of the Microsoft Graph API, the connector cannot provision Mail Enabled Security groups or Distribution groups. 
+*Due to limitations of the Microsoft Graph API and Office 365 Exchange Online API, the connector cannot provision Mail Enabled Security groups or Distribution groups using OAuth. 
 
 ## Gather Entra ID credentials 
 
@@ -144,13 +144,10 @@ Locate your new **ConductorOne** app.
 </Steps>
 **That's it!** Next, move on to the connector configuration instructions. 
 
-## Optional: Configure Exchange groups provisioning 
+## Optional: Configure Exchange groups provisioning with **Client secret** based auth
 
-To set up the connector to support provisioning members to Exchange groups, which are distribution lists and mailed security groups, follow these steps:
+To set up the connector to support provisioning owners and members to Exchange groups, which are distribution lists and mailed security groups, follow these steps:
 
-<Tip>
-Note: Provisioning users as owners of Exchange groups is not supported; users can only be added as members.
-</Tip>
 <Steps>
 <Step>
 In the Microsoft Entra Admin Center, navigate to **App registrations** and click the name of the app you created for this connector. 
@@ -194,7 +191,7 @@ Check **Permanently assigned** and add a justification, such as:
 Click **Assign**. 
 </Step>
 </Steps>
-**That's it!** Your connector is now ready to allow the provisioning of users as members in Exchange groups.
+**That's it!** Your connector is now ready to allow the provisioning of users as owners and members in Exchange groups.
    
 ## Configure the Entra ID connector