[ad_1]
Get notified about when to revisit this page for updates by copying and pasting this URL:
https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us
into your feed reader.
Microsoft Entra ID (previously known as Azure AD) receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:
- The latest releases
- Known issues
- Bug fixes
- Deprecated functionality
- Plans for changes
Note
If you’re currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you.
This page updates monthly, so revisit it regularly. If you’re looking for items older than six months, you can find them in Archive for What’s new in Azure Active Directory.
October 2023
Public Preview – Managing and Changing Passwords in My Security Info
Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences
My Sign Ins (My Sign-Ins (microsoft.com)) now supports end users managing and changing their passwords. Administrators are able to use Conditional Access registration policies with authentication strengths targeting My Security Info to control the end user experience for changing passwords. Based on the Conditional Access policy, users are able to change their password by entering their existing password, or if they authenticate with MFA and satisfy the Conditional Access policy, can change the password without entering the existing password.
For more information, see: Combined security information registration for Microsoft Entra overview.
Public Preview – Govern AD on-premises applications (Kerberos based) using Microsoft Entra Governance
Type: New feature
Service category: Provisioning
Product capability: AAD Connect Cloud Sync
Security groups provisioning to AD (also known as Group Writeback) is now publicly available through Microsoft Entra Cloud Sync. With this new capability, you can easily govern AD based on-premises applications (Kerberos based apps) using Microsoft Entra Governance.
For more information, see: Govern on-premises Active Directory based apps (Kerberos) using Microsoft Entra ID Governance
Public Preview – Microsoft Entra Permissions Management: Permissions Analytics Report PDF for multiple authorization systems
Type: Changed feature
Service category:
Product capability: Permissions Management
The Permissions Analytics Report (PAR) lists findings relating to permissions risks across identities and resources in Permissions Management. The PAR is an integral part of the risk assessment process where customers discover areas of highest risk in their cloud infrastructure. This report can be directly viewed in the Permissions Management UI, downloaded in Excel (XSLX) format, and exported as a PDF. The report is available for all supported cloud environments: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
The PAR PDF has been redesigned to enhance usability, align with the product UX redesign effort, and address various customer feature requests. You can download the PAR PDF for up to 10 authorization systems.
General Availability – Enhanced Devices List Management Experience
Type: Changed feature
Service category: Device Access Management
Product capability: End User Experiences
Several changes have been made to the All Devices list since announcing public preview, including:
- Prioritized consistency and accessibility across the different components
- Modernized the list and addressed top customer feedback
- Added infinite scrolling, column reordering, and the ability to select all devices
- Added filters for OS Version and Autopilot devices
- Created more connections between Microsoft Entra and Intune
- Added links to Intune in Compliant and MDM columns
- Added Security Settings Management column
For more information, see: View and filter your devices.
General Availability – Windows MAM
Type: New feature
Service category: Conditional Access
Product capability: Access Control
Windows MAM is the first step toward Microsoft management capabilities for unmanaged Windows devices. This functionality comes at a critical time when we need to ensure the Windows platform is on par with the simplicity and privacy promise we offer end users today on the mobile platforms. End users can access company resources without needing the whole device to be MDM managed.
For more information, see: Require an app protection policy on Windows devices.
General Availability – Microsoft Security email update and Resources for Azure AD rename to Microsoft Entra ID
Type: Plan for change
Service category: Other
Product capability: End User Experiences
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD). The rename and new product icon are now being deployed across experiences from Microsoft. Most updates will be complete by mid-November of this year. As previously announced, this is just a new name, with no impact on deployments or daily work. There are no changes to capabilities, licensing, terms of service, or support.
From October 15 to November 15, Azure AD emails previously sent from azure-noreply@microsoft.com will start being sent from MSSecurity-noreply@microsoft.com. You may need to update your Outlook rules to match this.
Additionally, we’ll update email content to remove all references of Azure AD where relevant, and include an informational banner that announces this change.
Here are some resources to guide you rename your own product experiences or content where necessary:
General Availability – End users will no longer be able to add password SSO apps in My Apps.
Type: Deprecated
Service category: My Apps
Product capability: End User Experiences
Effective November 15, 2023, end users will no longer be able to add password SSO Apps to their gallery in My Apps. However, admins can still add password SSO apps following these instructions. Password SSO apps previously added by end users remain available in My Apps.
For more information, see: Discover applications.
General Availability – Restrict Microsoft Entra ID Tenant Creation To Only Paid Subscription
Type: Changed feature
Service category: Managed identities for Azure resources
Product capability: End User Experiences
The ability to create new tenants from the Microsoft Entra admin center allows users in your organization to create test and demo tenants from your Microsoft Entra ID tenant, Learn more about creating tenants. When used incorrectly this feature can allow the creation of tenants that aren’t managed or viewable by your organization. We recommend that you restrict this capability so that only trusted admins can use this feature, Learn more about restricting member users’ default permissions. We also recommend you use the Microsoft Entra audit log to monitor for the Directory Management: Create Company event that signals a new tenant has been created by a user in your organization.
To further protect your organization, Microsoft is now limiting this functionality to only paid customers. Customers on trial subscriptions won’t be able to create additional tenants from the Microsoft Entra admin center. Customers in this situation who need a new trial tenant can sign up for a Free Azure Account.
General Availability – Users can’t modify GPS location when using location based access control
Type: Plan for change
Service category: Conditional Access
Product capability: User Authentication
In an ever-evolving security landscape, the Microsoft Authenticator is updating its security baseline for Location Based Access Control (LBAC) conditional access policies to disallow authentications where the user may be using a different location than the actual GPS location of the mobile device. Today, it’s possible for users to modify the location reported by the device on iOS and Android devices. The Authenticator app will start to deny LBAC authentications where we detect that the user isn’t using the actual location of the mobile device where the Authenticator is installed.
In the November 2023 release of the Authenticator app, users who are modifying the location of their device will see a denial message in the app when doing an LBAC authentication. To ensure that users aren’t using older app versions to continue authenticating with a modified location, beginning January 2024, any users that are on Android Authenticator 6.2309.6329 version or prior and iOS Authenticator version 6.7.16 or prior will be blocked from using LBAC. To determine which users are using older versions of the Authenticator app, you may use our MSGraph APIs.
Public Preview – Overview page in My Access portal
Type: New feature
Service category: Entitlement Management
Product capability: Identity Governance
Today, when users navigate to myaccess.microsoft.com, they land on a list of available access packages in their organization. The new Overview page provides a more relevant place for users to land. The Overview page points them to the tasks they need to complete and helps familiarize users with how to complete tasks in My Access.
Admins can enable/disable the Overview page preview by signing into the Entra portal and navigating to Entitlement management > Settings > Opt-in Preview Features and locating My Access overview page in the table.
For more information, see: My Access Overview page (preview).
Public Preview – New provisioning connectors in the Azure AD Application Gallery – October 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
We’ve added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:
For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.
Public Preview – Microsoft Graph Activity Logs
Type: New feature
Service category: Microsoft Graph
Product capability: Monitoring & Reporting
The MicrosoftGraphActivityLogs provides administrators full visibility into all HTTP requests accessing your tenant’s resources through the Microsoft Graph API. These logs can be used to find activity from compromised accounts, identify anomalous behavior, or investigate application activity. For more information, see: Access Microsoft Graph activity logs (preview).
Public Preview – Microsoft Entra Verified ID quick setup
Type: New feature
Service category: Other
Product capability: Identity Governance
Quick Microsoft Entra Verified ID setup, available in preview, removes several configuration steps an admin needs to complete with a single click on a Get started button. The quick setup takes care of signing keys, registering your decentralized ID, and verifying your domain ownership. It also creates a Verified Workplace Credential for you. For more information, see: Quick Microsoft Entra Verified ID setup.
September 2023
Public Preview – Device-bound passkeys as an authentication method
Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication
Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We’ll expand the existing FIDO2 authentication methods policy, and end user experiences, to support this preview release. For your organization to opt in to this preview, you’ll need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Learn more about FIDO2 key restrictions here.
In addition, the existing end user sign-in option for Windows Hello and FIDO2 security keys will be renamed to “Face, fingerprint, PIN, or security key”. The term “passkey” will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.
General Availability – Recovery of deleted application and service principals is now available
Type: New feature
Service category: Enterprise Apps
Product capability: Identity Lifecycle Management
With this release, you can now recover applications along with their original service principals, eliminating the need for extensive reconfiguration and code changes (Learn more). It significantly improves the application recovery story and addresses a long-standing customer need. This change is beneficial to you on:
- Faster Recovery: You can now recover their systems in a fraction of the time it used to take, reducing downtime and minimizing disruptions.
- Cost Savings: With quicker recovery, you can save on operational costs associated with extended outages and labor-intensive recovery efforts.
- Preserved Data: Previously lost data, such as SMAL configurations, is now retained, ensuring a smoother transition back to normal operations.
- Improved User Experience: Faster recovery times translate to improved user experience and customer satisfaction, as applications are back up and running swiftly.
Public Preview – New provisioning connectors in the Azure AD Application Gallery – September 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
We’ve added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:
For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.
General Availability – Web Sign-In for Windows
Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication
We’re thrilled to announce that as part of the Windows 11 September moment, we’re releasing a new Web Sign-In experience that will expand the number of supported scenarios and greatly improve security, reliability, performance, and overall end-to-end experience for our users.
Web Sign-In (WSI) is a credential provider on the Windows lock/sign-in screen for AADJ joined devices that provide a web experience used for authentication and returns an auth token back to the operating system to allow the user to unlock/sign-in to the machine.
Web Sign-In was initially intended to be used for a wide range of auth credential scenarios; however, it was only previously released for limited scenarios such as: Simplified EDU Web Sign-In and recovery flows via Temporary Access Password (TAP).
The underlying provider for Web Sign-In has been re-written from the ground up with security and improved performance in mind. This release moves the Web Sign-in infrastructure from the Cloud Host Experience (CHX) WebApp to a newly written Login Web Host (LWH) for the September moment. This release provides better security and reliability to support previous EDU & TAP experiences and new workflows enabling using various Auth Methods to unlock/login to the desktop.
General Availability – Support for Microsoft admin portals in Conditional Access
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:
- Azure portal
- Exchange admin center
- Microsoft 365 admin center
- Microsoft 365 Defender portal
- Microsoft Entra admin center
- Microsoft Intune admin center
- Microsoft Purview compliance portal
For more information, see: Microsoft Admin Portals.
August 2023
General Availability – Tenant Restrictions V2
Type: New feature
Service category: Authentications (Logins)
Product capability: Identity Security & Protection
Tenant Restrictions V2 (TRv2) is now generally available for authentication plane via proxy.
TRv2 allows organizations to enable safe and productive cross-company collaboration while containing data exfiltration risk. With TRv2, you can control what external tenants your users can access from your devices or network using externally issued identities and provide granular access control on a per org, user, group, and application basis.
TRv2 uses the cross-tenant access policy, and offers both authentication and data plane protection. It enforces policies during user authentication, and on data plane access with Exchange Online, SharePoint Online, Teams, and MSGraph. While the data plane support with Windows GPO and Global Secure Access is still in public preview, authentication plane support with proxy is now generally available.
Visit https://aka.ms/tenant-restrictions-enforcement for more information on tenant restriction V2 and Global Secure Access client-side tagging for TRv2 at Universal tenant restrictions.
Public Preview – Cross-tenant access settings supports custom RBAC roles and protected actions
Type: New feature
Service category: B2B
Product capability: B2B/B2C
Cross-tenant access settings can be managed with custom roles defined by your organization. This enables you to define your own finely-scoped roles to manage cross-tenant access settings instead of using one of the built-in roles for management. Learn more about creating your own custom roles.
You can also now protect privileged actions inside of cross-tenant access settings using Conditional Access. For example, you can require MFA before allowing changes to default settings for B2B collaboration. Learn more about Protected actions.
General Availability – Additional settings in Entitlement Management auto-assignment policy
Type: Changed feature
Service category: Entitlement Management
Product capability: Entitlement Management
In the Entra ID Governance entitlement management auto-assignment policy, there are three new settings. This allows a customer to select to not have the policy create assignments, not remove assignments, and to delay assignment removal.
Public Preview – Setting for guest losing access
Type: Changed feature
Service category: Entitlement Management
Product capability: Entitlement Management
An administrator can configure that when a guest brought in through entitlement management has lost their last access package assignment, they’re deleted after a specified number of days. For more information, see: Govern access for external users in entitlement management.
Public Preview – Real-Time Strict Location Enforcement
Type: New feature
Service category: Continuous Access Evaluation
Product capability: Access Control
Strictly enforce Conditional Access policies in real-time using Continuous Access Evaluation. Enable services like Microsoft Graph, Exchange Online, and SharePoint Online to block access requests from disallowed locations as part of a layered defense against token replay and other unauthorized access. For more information, see blog: Public Preview: Strictly Enforce Location Policies with Continuous Access Evaluation and documentation:
Strictly enforce location policies using continuous access evaluation (preview).
Public Preview – New provisioning connectors in the Azure AD Application Gallery – August 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
We’ve added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:
For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.
General Availability – Continuous Access Evaluation for Workload Identities available in Public and Gov clouds
Type: New feature
Service category: Continuous Access Evaluation
Product capability: Identity Security & Protection
Real-time enforcement of risk events, revocation events, and Conditional Access location policies is now generally available for workload identities.
Service principals on line of business (LOB) applications are now protected on access requests to Microsoft Graph. For more information, see: Continuous access evaluation for workload identities (preview).
July 2023
General Availability: Azure Active Directory (Azure AD) is being renamed.
Type: Changed feature
Service category: N/A
Product capability: End User Experiences
No action is required from you, but you may need to update some of your own documentation.
Azure AD is being renamed to Microsoft Entra ID. The name change rolls out across all Microsoft products and experiences throughout the second half of 2023.
Capabilities, licensing, and usage of the product isn’t changing. To make the transition seamless for you, the pricing, terms, service level agreements, URLs, APIs, PowerShell cmdlets, Microsoft Authentication Library (MSAL) and developer tooling remain the same.
Learn more and get renaming details: New name for Azure Active Directory.
General Availability – Include/exclude My Apps in Conditional Access policies
Type: Fixed
Service category: Conditional Access
Product capability: End User Experiences
My Apps can now be targeted in Conditional Access policies. This solves a top customer blocker. The functionality is available in all clouds. GA also brings a new app launcher, which improves app launch performance for both SAML and other app types.
Learn More about setting up Conditional Access policies here: Azure AD Conditional Access documentation.
General Availability – Conditional Access for Protected Actions
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
Protected actions are high-risk operations, such as altering access policies or changing trust settings, that can significantly impact an organization’s security. To add an extra layer of protection, Conditional Access for Protected Actions lets organizations define specific conditions for users to perform these sensitive tasks. For more information, see: What are protected actions in Azure AD?.
General Availability – Access Reviews for Inactive Users
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance
This new feature, part of the Microsoft Entra ID Governance SKU, allows admins to review and address stale accounts that haven’t been active for a specified period. Admins can set a specific duration to determine inactive accounts that weren’t used for either interactive or non-interactive sign-in activities. As part of the review process, stale accounts can automatically be removed. For more information, see: Microsoft Entra ID Governance Introduces Two New Features in Access Reviews.
General Availability – Automatic assignments to access packages in Microsoft Entra ID Governance
Type: Changed feature
Service category: Entitlement Management
Product capability: Entitlement Management
Microsoft Entra ID Governance includes the ability for a customer to configure an assignment policy in an entitlement management access package that includes an attribute-based rule, similar to dynamic groups, of the users who should be assigned access. For more information, see: Configure an automatic assignment policy for an access package in entitlement management.
General Availability – Custom Extensions in Entitlement Management
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
Custom extensions in Entitlement Management are now generally available, and allow you to extend the access lifecycle with your organization-specific processes and business logic when access is requested or about to expire. With custom extensions you can create tickets for manual access provisioning in disconnected systems, send custom notifications to additional stakeholders, or automate additional access-related configuration in your business applications such as assigning the correct sales region in Salesforce. You can also leverage custom extensions to embed external governance, risk, and compliance (GRC) checks in the access request.
For more information, see:
General Availability – Conditional Access templates
Type: Plan for change
Service category: Conditional Access
Product capability: Identity Security & Protection
Conditional Access templates are predefined set of conditions and controls that provide a convenient method to deploy new policies aligned with Microsoft recommendations. Customers are assured that their policies reflect modern best practices for securing corporate assets, promoting secure, optimal access for their hybrid workforce. For more information, see: Conditional Access templates.
General Availability – Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance
User identity lifecycle is a critical part of an organization’s security posture, and when managed correctly, can have a positive impact on their users’ productivity for Joiners, Movers, and Leavers. The ongoing digital transformation is accelerating the need for good identity lifecycle management. However, IT and security teams face enormous challenges managing the complex, time-consuming, and error-prone manual processes necessary to execute the required onboarding and offboarding tasks for hundreds of employees at once. This is an ever present and complex issue IT admins continue to face with digital transformation across security, governance, and compliance.
Lifecycle Workflows, one of our newest Microsoft Entra ID Governance capabilities is now generally available to help organizations further optimize their user identity lifecycle. For more information, see: Lifecycle Workflows is now generally available!
General Availability – Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities.
Type: New feature
Service category: User Experience and Management
Product capability: User Authentication
Update the Microsoft Entra ID and Microsoft 365 sign in experience with new Company Branding capabilities. You can apply your company’s brand guidance to authentication experiences with predefined templates. For more information, see: Company Branding
General Availability – Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding.
Type: Changed feature
Service category: User Experience and Management
Product capability: End User Experiences
Update the Company Branding functionality on the Microsoft Entra ID/Microsoft 365 sign in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks, and a browser icon. For more information, see: Company Branding
General Availability – User-to-Group Affiliation recommendation for group Access Reviews
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance
This feature provides Machine Learning based recommendations to the reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation leverages machine learning based scoring mechanism and compares users’ relative affiliation with other users in the group, based on the organization’s reporting structure. For more information, see: Review recommendations for Access reviews and Introducing Machine Learning based recommendations in Azure AD Access reviews
Public Preview – Inactive guest insights
Type: New feature
Service category: Reporting
Product capability: Identity Governance
Monitor guest accounts at scale with intelligent insights into inactive guest users in your organization. Customize the inactivity threshold depending on your organization’s needs, narrow down the scope of guest users you want to monitor and identify the guest users that may be inactive. For more information, see: Monitor and clean up stale guest accounts using access reviews.
Public Preview – Just-in-time application access with PIM for Groups
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
You can minimize the number of persistent administrators in applications such as AWS/GCP and get JIT access to groups in AWS and GCP. While PIM for Groups is publicly available, we’ve released a public preview that integrates PIM with provisioning and reduces the activation delay from 40+ minutes to 1 – 2 minutes.
Public Preview – Graph beta API for PIM security alerts on Azure AD roles
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
Announcing API support (beta) for managing PIM security alerts for Azure AD roles. Azure Privileged Identity Management (PIM) generates alerts when there’s suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. You can now manage these alerts using REST APIs. These alerts can also be managed through the Azure portal. For more information, see: unifiedRoleManagementAlert resource type.
General Availability – Reset Password on Azure Mobile App
Type: New feature
Service category: Other
Product capability: End User Experiences
The Azure mobile app has been enhanced to empower admins with specific permissions to conveniently reset their users’ passwords. Self Service Password Reset will not be supported at this time. However, users can still more efficiently control and streamline their own sign-in and auth methods. The mobile app can be downloaded for each platform here:
Public Preview – API-driven inbound user provisioning
Type: New feature
Service category: Provisioning
Product capability: Inbound to Azure AD
With API-driven inbound provisioning, Microsoft Entra ID provisioning service now supports integration with any system of record. Customers and partners can use any automation tool of their choice to retrieve workforce data from any system of record for provisioning into Entra ID and connected on-premises Active Directory domains. The IT admin has full control on how the data is processed and transformed with attribute mappings. Once the workforce data is available in Entra ID, the IT admin can configure appropriate joiner-mover-leaver business processes using Entra ID Governance Lifecycle Workflows. For more information, see: API-driven inbound provisioning concepts (Public preview).
Public Preview – Dynamic Groups based on EmployeeHireDate User attribute
Type: New feature
Service category: Group Management
Product capability: Directory
This feature enables admins to create dynamic group rules based on the user objects’ employeeHireDate attribute. For more information, see: Properties of type string.
General Availability – Enhanced Create User and Invite User Experiences
Type: Changed feature
Service category: User Management
Product capability: User Management
We have increased the number of properties admins are able to define when creating and inviting a user in the Entra admin portal, bringing our UX to parity with our Create User APIs. Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: Add or delete users using Azure Active Directory.
General Availability – All Users and User Profile
Type: Changed feature
Service category: User Management
Product capability: User Management
The All Users list now features an infinite scroll, and admins can now modify more properties in the User Profile. For more information, see: How to create, invite, and delete users.
Public Preview – Windows MAM
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
“When will you have MAM for Windows?” is one of our most frequently asked customer questions. We’re happy to report that the answer is: “Now!” We’re excited to offer this new and long-awaited MAM Conditional Access capability in Public Preview for Microsoft Edge for Business on Windows.
Using MAM Conditional Access, Microsoft Edge for Business provides users with secure access to organizational data on personal Windows devices with a customizable user experience. We’ve combined the familiar security features of app protection policies (APP), Windows Defender client threat defense, and Conditional Access, all anchored to Azure AD identity to ensure un-managed devices are healthy and protected before granting data access. This can help businesses to improve their security posture and protect sensitive data from unauthorized access, without requiring full mobile device enrollment.
The new capability extends the benefits of app layer management to the Windows platform via Microsoft Edge for Business. Admins are empowered to configure the user experience and protect organizational data within Microsoft Edge for Business on un-managed Windows devices.
For more information, see: Require an app protection policy on Windows devices (preview).
General Availability – New Federated Apps available in Azure AD Application gallery – July 2023
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In July 2023 we’ve added the following 10 new applications in our App gallery with Federation support:
Gainsight SAML, Dataddo, Puzzel, Worthix App, iOps360 IdConnect, Airbase, Couchbase Capella – SSO, SSO for Jama Connect®, mediment (メディメント), Netskope Cloud Exchange Administration Console, Uber, Plenda, Deem Mobile, 40SEAS, Vivantio, AppTweak, Vbrick Rev Cloud, OptiTurn, Application Experience with Mist, クラウド勤怠管理システムKING OF TIME, Connect1, DB Education Portal for Schools, SURFconext, Chengliye Smart SMS Platform, CivicEye SSO, Colloquial, BigPanda, Foreman
You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.
For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
Public Preview – New provisioning connectors in the Azure AD Application Gallery – July 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
We’ve added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:
For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.
General Availability – Microsoft Authentication Library for .NET 4.55.0
Type: New feature
Service category: Other
Product capability: User Authentication
Earlier this month we announced the release of MSAL.NET 4.55.0, the latest version of the Microsoft Authentication Library for the .NET platform. The new version introduces support for user-assigned managed identity being specified through object IDs, CIAM authorities in the WithTenantId
API, better error messages when dealing with cache serialization, and improved logging when using the Windows authentication broker.
General Availability – Microsoft Authentication Library for Python 1.23.0
Type: New feature
Service category: Other
Product capability: User Authentication
Earlier this month, the Microsoft Authentication Library team announced the release of MSAL for Python version 1.23.0. The new version of the library adds support for better caching when using client credentials, eliminating the need to request new tokens repeatedly when cached tokens exist.
To learn more about MSAL for Python, see: Microsoft Authentication Library (MSAL) for Python.
June 2023
Public Preview – New provisioning connectors in the Azure AD Application Gallery – June 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
We’ve added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:
For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.
General Availability – Include/exclude Entitlement Management in Conditional Access policies
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
The Entitlement Management service can now be targeted in the Conditional Access policy for inclusion or exclusion of applications. To target the Entitlement Management service, select “Azure AD Identity Governance – Entitlement Management” in the cloud apps picker. The Entitlement Management app includes the entitlement management part of My Access, the Entitlement Management part of the Entra and Azure portals, and the Entitlement Management part of MS Graph. For more information, see: Review your Conditional Access policies.
General Availability – Azure Active Directory User and Group capabilities on Azure Mobile are now available
Type: New feature
Service category: Azure Mobile App
Product capability: End User Experiences
The Azure Mobile app now includes a section for Azure Active Directory. Within Azure Active Directory on mobile, user can search for and view more details about user and groups. Additionally, permitted users can invite guest users to their active tenant, assign group memberships and ownerships for users, and view user sign-in logs. For more information, see: Get the Azure mobile app.
Plan for change – Modernizing Terms of Use Experiences
Type: Plan for change
Service category: Terms of Use
Product capability: AuthZ/Access Delegation
Recently we announced the modernization of terms of use end-user experiences as part of ongoing service improvements. As previously communicated the end user experiences will be updated with a new PDF viewer and are moving from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com.
Starting today the modernized experience for viewing previously accepted terms of use is available via https://myaccount.microsoft.com/termsofuse/myacceptances. We encourage you to check out the modernized experience, which follows the same updated design pattern as the upcoming modernization of accepting or declining terms of use as part of the sign-in flow. We would appreciate your feedback before we begin to modernize the sign-in flow.
General Availability – Privileged Identity Management for Groups
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
Privileged Identity Management for Groups is now generally available. With this feature, you have the ability to grant users just-in-time membership in a group, which in turn provides access to Azure Active Directory roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications. Through one activation, you can conveniently assign a combination of permissions across different applications and RBAC systems.
PIM for Groups offers can also be used for just-in-time ownership. As the owner of the group, you can manage group properties, including membership. For more information, see: Privileged Identity Management (PIM) for Groups.
General Availability – Privileged Identity Management and Conditional Access integration
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
The Privileged Identity Management (PIM) integration with Conditional Access authentication context is generally available. You can require users to meet various requirements during role activation such as:
- Have specific authentication method through Authentication Strengths
- Activate from a compliant device
- Validate location based on GPS
- Not have certain level of sign-in risk identified with Identity Protection
- Meet other requirements defined in Conditional Access policies
The integration is available for all providers: PIM for Azure AD roles, PIM for Azure resources, PIM for groups. For more information, see:
General Availability – Updated look and feel for Per-user MFA
Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection
As part of ongoing service improvements, we’re making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change doesn’t include any changes to the core functionality and will only include visual improvements. For more information, see: Enable per-user Azure AD Multi-Factor Authentication to secure sign-in events.
General Availability – Converged Authentication Methods in US Gov cloud
Type: New feature
Service category: MFA
Product capability: User Authentication
The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant. Customers should migrate management of authentication methods off the legacy MFA and SSPR policies before September 30, 2024. For more information, see: Manage authentication methods for Azure AD.
General Availability – Support for Directory Extensions using Azure AD cloud sync
Type: New feature
Service category: Provisioning
Product capability: Azure AD Connect cloud sync
Hybrid IT Admins can now sync both Active Directory and Azure AD Directory Extensions using Azure AD Connect cloud sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure Active Directory, thereby, allowing customers to map the needed attributes using the attribute mapping experience of cloud sync. For more information, see Directory extensions and custom attribute mapping in cloud sync.
Public Preview – Restricted Management Administrative Units
Type: New feature
Service category: Directory Management
Product capability: Access Control
Restricted Management Administrative Units allow you to restrict modification of users, security groups, and device in Azure AD so that only designated administrators can make changes. Global Administrators and other tenant-level administrators can’t modify the users, security groups, or devices that are added to a restricted management admin unit. For more information, see: Restricted management administrative units in Azure Active Directory (Preview).
General Availability – Report suspicious activity integrated with Identity Protection
Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection
Report suspicious activity is an updated implementation of the MFA fraud alert, where users can report a voice or phone app MFA prompt as suspicious. If enabled, users reporting prompts have their user risk set to high, enabling admins to use Identity Protection risk based policies or risk detection APIs to take remediation actions. Report suspicious activity operates in parallel with the legacy MFA fraud alert at this time. For more information, see: Configure Azure AD Multi-Factor Authentication settings.
May 2023
General Availability – Conditional Access authentication strength for members, external users and FIDO2 restrictions
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. Likewise, to access a nonsensitive resource, they can allow less secure multifactor authentication (MFA) combinations such as password + SMS.
Authentication strength is now in General Availability for members and external users from any Microsoft cloud and FIDO2 restrictions. For more information, see: Conditional Access authentication strength.
General Availability – SAML/Ws-Fed based identity provider authentication for Azure Active Directory B2B users in US Sec and US Nat clouds
Type: New feature
Service category: B2B
Product capability: B2B/B2C
SAML/Ws-Fed based identity providers for authentication in Azure AD B2B are generally available in US Sec, US Nat and China clouds. For more information, see: Federation with SAML/WS-Fed identity providers for guest users.
Generally Availability – Cross-tenant synchronization
Type: New feature
Service category: Provisioning
Product capability: Identity Lifecycle Management
Cross-tenant synchronization allows you to set up a scalable and automated solution for users to access applications across tenants in your organization. It builds upon the Azure Active Directory B2B functionality and automates creating, updating, and deleting B2B users within tenants in your organization. For more information, see: What is cross-tenant synchronization?.
Public Preview(Refresh) – Custom Extensions in Entitlement Management
Type: New feature
Service category: Entitlement management
Product capability: Identity Governance
Last year we announced the public preview of custom extensions in Entitlement Management allowing you to automate complex processes when access is requested or about to expire. We have recently expanded the public preview to allow for the access package assignment request to be paused while your external process is running. In addition, the external process can now provide feedback to Entitlement Management to either surface additional information to end users in MyAccess or even stop the access request. This expands the scenarios of custom extension from notifications to additional stakeholders or the generation of tickets to advanced scenarios such as external governance, risk and compliance checks. In the course of this update, we have also improved the audit logs, token security and the payload sent to the Logic App. To learn more about the preview refresh, see:
General Availability – Managed Identity in Microsoft Authentication Library for .NET
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
The latest version of MSAL.NET graduates the Managed Identity APIs into the General Availability mode of support, which means that developers can integrate them safely in production workloads.
Managed identities are a part of the Azure infrastructure, simplifying how developers handle credentials and secrets to access cloud resources. With Managed Identities, developers don’t need to manually handle credential retrieval and security. Instead, they can rely on an automatically managed set of identities to connect to resources that support Azure Active Directory authentication. You can learn more in What are managed identities for Azure resources?
With MSAL.NET 4.54.0, the Managed Identity APIs are now stable. There are a few changes that we added that make them easier to use and integrate that might require tweaking your code if you’ve used our experimental implementation:
- When using Managed Identity APIs, developers need to specify the identity type when creating an ManagedIdentityApplication.
- When acquiring tokens with Managed Identity APIs and using the default HTTP client, MSAL retries the request for certain exception codes.
- We added a new MsalManagedIdentityException class that represents any Managed Identity-related exceptions. It includes general exception information, including the Azure source from which the exception originates.
- MSAL will now proactively refresh tokens acquired with Managed Identity.
To get started with Managed Identity in MSAL.NET, you can use the Microsoft.Identity.Client package together with the ManagedIdentityApplicationBuilder class.
Public Preview – New My Groups Experience
Type: Changed feature
Service category: Group Management
Product capability: End User Experiences
A new and improved My Groups experience is now available at myaccount.microsoft.com/groups. This experience replaces the existing My Groups experience at mygroups.microsoft.com in May. For more information, see: Update your Groups info in the My Apps portal.
General Availability – Admins can restrict their users from creating tenants
Type: New feature
Service category: User Access Management
Product capability: User Management
The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings pane allows admins to restrict their users from being able to create new tenants. There’s also a new Tenant Creator role to allow specific users to create tenants. For more information, see Default user permissions.
General Availability – Devices Self-Help Capability for Pending Devices
Type: New feature
Service category: Device Access Management
Product capability: End User Experiences
In the All Devices view under the Registered column, you can now select any pending devices you have, and it opens a context pane to help troubleshoot why a device may be pending. You can also offer feedback on if the summarized information is helpful or not. For more information, see: Pending devices in Azure Active Directory.
General Availability – Admins can now restrict users from self-service accessing their BitLocker keys
Type: New feature
Service category: Device Access Management
Product capability: User Management
Admins can now restrict their users from self-service accessing their BitLocker keys through the Devices Settings page. Turning on this capability hides the BitLocker key(s) of all non-admin users. This helps to control BitLocker access management at the admin level. For more information, see: Restrict member users’ default permissions.
Public Preview – New provisioning connectors in the Azure AD Application Gallery – May 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
We’ve added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:
For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.
General Availability – Microsoft Entra Permissions Management Azure Active Directory Insights
Type: New feature
Service category: Other
Product capability: Permissions Management
The Azure Active Directory Insights tab in Microsoft Entra Permissions Management provides a view of all permanent role assignments assigned to Global Administrators, and a curated list of highly privileged roles. Administrators can then use the report to take further action within the Azure Active Directory console. For more information, see View privileged role assignments in your organization (Preview).
Public Preview – In portal guide to configure multi-factor authentication
Type: New feature
Service category: MFA
Product capability: Identity Security & Protection
The in portal guide to configure multi-factor authentication helps you get started with Azure Active Directory’s MFA capabilities. You can find this guide under the Tutorials tab in the Azure AD Overview. For more information, see: Configure multi-factor authentication using the portal guide.
General Availability – Authenticator Lite (In Outlook)
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication
Authenticator Lite (in Outlook) is an authentication solution for users that haven’t yet downloaded the Microsoft Authenticator app. Users are prompted in Outlook on their mobile device to register for multi-factor authentication. After they enter their password at sign-in, they’ll have the option to send a push notification to their Android or iOS device.
Due to the security enhancement this feature provides users, the Microsoft managed value of this feature will be changed from ‘disabled’ to ‘enabled’ on June 9. We’ve made some changes to the feature configuration, so if you made an update before GA, May 17, please validate that the feature is in the correct state for your tenant prior to June 9. If you don’t wish for this feature to be enabled on June 9, move the state to ‘disabled’, or set users to include and exclude groups.
For more information, see: How to enable Microsoft Authenticator Lite for Outlook mobile (preview).
General Availability – PowerShell and Web Services connector support through the Azure AD provisioning agent
Type: New feature
Service category: Provisioning
Product capability: Outbound to On-premises Applications
The Azure AD on-premises application provisioning feature now supports both the PowerShell and web services connectors. you can now provision users into a flat file using the PowerShell connector or an app such as SAP ECC using the web services connector. For more information, see: Provisioning users into applications using PowerShell.
General Availability – Verified threat actor IP sign-in detection
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection
Identity Protection has added a new detection, using the Microsoft Threat Intelligence database, to detect sign-ins performed from IP addresses of known nation state and cyber-crime actors and allow customers to block these sign-ins by using risk-based Conditional Access policies. For more information, see: Sign-in risk.
General Availability – Conditional Access Granular control for external user types
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
When configuring a Conditional Access policy, customers now have granular control over the types of external users they want to apply the policy to. External users are categorized based on how they authenticate (internally or externally) and their relationship to your organization (guest or member). For more information, see: Assigning Conditional Access policies to external user types.
General Availability – New Federated Apps available in Azure AD Application gallery – May 2023
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In May 2023 we added the following 51 new applications in our App gallery with Federation support
INEXTRACK, Valotalive Digital Signage Microsoft 365 integration, Tailscale, MANTL, ServusConnect, Jigx MS Graph Demonstrator, Delivery Solutions, Radiant IOT Portal, Cosgrid Networks, voya SSO, Redocly, Glaass Pro, TalentLyftOIDC, Cisco Expressway, IBM TRIRIGA on Cloud, Avionte Bold SAML Federated SSO, InspectNTrack, CAREERSHIP, Cisco Unity Connection, HSC-Buddy, teamecho, AskFora, Enterprise Bot,CMD+CTRL Base Camp, Debitia Collections, EnergyManager, Visual Workforce, Uplifter, AI2, TES Cloud,VEDA Cloud, SOC SST, Alchemer, Cleanmail Swiss, WOX, WATS, Data Quality Assistant, Softdrive, Fluence Portal, Humbol, Document360, Engage by Local Measure,Gate Property Management Software, Locus, Banyan Infrastructure, Proactis Rego Invoice Capture, SecureTransport, Recnice
You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,
For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
General Availability – My Security-info now shows Microsoft Authenticator type
Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection
We have improved My Sign-ins and My Security-Info to give you more clarity on the types of Microsoft Authenticator or other Authenticator apps a user has registered. Users will now see Microsoft Authenticator registrations with additional information showing the app as being registered as Push-based MFA or Password-less phone sign-in (PSI) and for other Authenticator apps (Software OATH) we now indicate they’re registered as a Time-based One-time password method. For more information, see: Set up the Microsoft Authenticator app as your verification method.
Source link