What’s New in Azure Active Directory for July 2018


Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for July 2018:


What’s New

Azure AD Activity Logs are now available through Azure Monitor

Service category: Reporting
Product capability: Monitoring & Reporting

The Azure AD Activity Logs are now available in public preview in Azure Monitor (Azure's platform-wide monitoring service). Azure Monitor offers organizations long-term retention and seamless integration, in particular:

  • Long-term retention by routing your log files to your own Azure storage account.
  • Seamless integration with Security Incident and Event Management (SIEM) solutions, without requiring you to write or maintain custom scripts.
  • Seamless integration with your own custom solutions, analytics tools, and/or incident management solutions.


Conditional access information added to the Azure AD sign-ins report

Service category: Reporting
Product capability: Identity Security & Protection

This update to the Azure AD Sign-ins Report lets admins see which policies are evaluated when a user signs in along with the policy outcome. In addition, the report now includes the type of client app used by the user, so admins can identify legacy protocol traffic. Report entries can also now be searched for a correlation ID, which can be found in the user-facing error message and can be used to identify and troubleshoot the matching sign-in request.


View legacy authentications through Sign-ins activity logs

Service category: Reporting
Product capability: Monitoring & Reporting

With the introduction of the Client App field in the Sign-in activity logs, organizations can now see users that are using legacy authentications. Admins will be able to access this information using the Sign-ins MS Graph API or through the Sign-in activity logs in the Azure AD portal, where admins can now use the Client App control to filter on legacy authentications.
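The two reporting changes above (Conditional Access outcome and the Client App field in the sign-in logs) are easiest to appreciate on actual records. The following is an added example, not code from the original post or from Microsoft: it takes constructed sign-in log entries (field names follow the Microsoft Graph signIn resource as I recall them: clientAppUsed, conditionalAccessStatus, appliedConditionalAccessPolicies, correlationId) and reports which sign-ins used a legacy client, whether a Conditional Access policy stopped them, and which record matches a correlation ID from a user's error message. The set of "modern" client app values is an assumption; anything outside it is treated as legacy.

```python
import json
from collections import Counter

# Constructed sample records in the shape of Azure AD sign-in log lines
# (one JSON object per line, as you would get from a storage-account export).
# Field names are assumed from the Graph signIn resource; values are fictitious.
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@contoso.example","appDisplayName":"Exchange Online","clientAppUsed":"Browser","conditionalAccessStatus":"success","appliedConditionalAccessPolicies":[{"displayName":"Require MFA","result":"success"}],"correlationId":"11111111-1111-1111-1111-111111111111"}
{"userPrincipalName":"bob@contoso.example","appDisplayName":"Exchange Online","clientAppUsed":"Exchange ActiveSync","conditionalAccessStatus":"notApplied","appliedConditionalAccessPolicies":[{"displayName":"Require MFA","result":"notApplied"}],"correlationId":"22222222-2222-2222-2222-222222222222"}
{"userPrincipalName":"carol@contoso.example","appDisplayName":"Exchange Online","clientAppUsed":"Other clients","conditionalAccessStatus":"failure","appliedConditionalAccessPolicies":[{"displayName":"Block legacy auth","result":"failure"}],"correlationId":"33333333-3333-3333-3333-333333333333"}
{"userPrincipalName":"dave@contoso.example","appDisplayName":"Azure Portal","clientAppUsed":"Mobile Apps and Desktop clients","conditionalAccessStatus":"success","appliedConditionalAccessPolicies":[],"correlationId":"44444444-4444-4444-4444-444444444444"}
"""

# Assumption: these two Client App values are the modern-auth clients;
# everything else (ActiveSync, "Other clients", IMAP/POP/SMTP variants) is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(record):
    return record.get("clientAppUsed") not in MODERN_CLIENT_APPS


def legacy_signins(records):
    """Legacy-protocol sign-ins, with whether Conditional Access stopped them."""
    findings = []
    for r in records:
        if not is_legacy(r):
            continue
        blocking = [p["displayName"]
                    for p in r.get("appliedConditionalAccessPolicies", [])
                    if p.get("result") == "failure"]
        findings.append({
            "user": r["userPrincipalName"],
            "clientApp": r["clientAppUsed"],
            "blocked": r.get("conditionalAccessStatus") == "failure",
            "blockingPolicies": blocking,
            "correlationId": r["correlationId"],
        })
    return findings


def client_app_summary(records):
    """Count sign-ins per Client App value, the same split the portal filter offers."""
    return Counter(r.get("clientAppUsed", "unknown") for r in records)


def find_by_correlation_id(records, correlation_id):
    """Look up the sign-in matching the correlation ID shown in a user's error."""
    return next((r for r in records if r.get("correlationId") == correlation_id), None)
```

Bob's ActiveSync sign-in is the case to watch: it is legacy and no policy applied, so MFA was never enforced, whereas Carol's attempt shows the "Block legacy auth" policy doing its job.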


New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2018, the Azure AD team added these 16 new apps with federation support to the app gallery:


New user provisioning SaaS app integrations

Service category: App Provisioning
Product capability: 3rd Party Integration

Azure AD allows organizations to automate the creation, maintenance, and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow, and more. For July 2018, Microsoft has added user provisioning support for the following applications in the Azure AD app gallery:


Converged security info management for self-service password reset and Multi-Factor Authentication

Service category: Self-Service Password Reset
Product capability: User Authentication

This new feature lets users manage their security info (for example, phone number, email address, mobile app, and so on) for self-service password reset (SSPR) and Multi-Factor Authentication (MFA) in a single experience. Users will no longer have to register the same security info for SSPR and MFA in two different experiences. This new experience also applies to users who have either SSPR or MFA.

This is an opt-in public preview. Admins can turn on the new experience (if desired) for a selected group of users or all users in a tenant.


What’s Changed

Improvements to Azure AD email notifications

Service category: Other
Product capability: Identity lifecycle management

Azure Active Directory (Azure AD) emails now feature an updated design, as well as changes to the sender email address and sender display name, when sent from the following services:

  • Azure AD Access Reviews
  • Azure AD Connect Health
  • Azure AD Identity Protection
  • Azure AD Privileged Identity Management
  • Enterprise App Expiring Certificate Notifications
  • Enterprise App Provisioning Service Notifications

The email notifications will be sent from azure-noreply@microsoft.com. Be sure to check the Junk Email folder of your (admin) mailbox, and to update any mail flow rules you might have.


Visual updates to the Azure AD and MSA sign-in experience

Service category: Azure AD
Product capability: User Authentication

Microsoft has updated the user interface for Microsoft's online services sign-in experience, such as for Office 365 and Azure. This change makes the screens less cluttered and more straightforward. For more information about this change, see the Upcoming improvements to the Azure AD sign-in experience blogpost, dated April 4th, 2018.


Updates to the Terms of Use (ToU) end-user interface

Service category: Terms of Use
Product capability: Governance

Microsoft has updated the acceptance string in the TOU end-user interface.

Current: In order to access [tenant] resources, you must accept the terms of use.
New: In order to access [tenant] resource, you must read the terms of use.

Current: Choosing to accept means that you agree to all of the above terms of use.
New: Please click Accept to confirm that you have read and understood the terms of use.


Pass-through Authentication supports legacy protocols and applications

Service category: Authentications (Logins)
Product capability: User Authentication

Pass-through Authentication (PTA) now supports legacy protocols and apps. The following scenarios, which were previously unsupported, are now fully supported:

  • User sign-ins to legacy Office client applications, Office 2010 and Office 2013, without requiring modern authentication.
  • Access to calendar sharing and free/busy information in Exchange hybrid environments on Office 2010 only.
  • User sign-ins to Skype for Business client applications without requiring modern authentication.
  • User sign-ins to PowerShell version 1.0.
  • The Apple Device Enrollment Program (Apple DEP), using the iOS Setup Assistant.


Use the Microsoft Authenticator app to verify your identity when you reset your password

Service category: Self-Service Password Reset
Product capability: User Authentication

This feature lets non-admins verify their identity while resetting a password using a notification or code from Microsoft Authenticator (or any other authenticator app). After admins turn this self-service password reset method on, colleagues who have registered a mobile app through aka.ms/mfasetup or aka.ms/setupsecurityinfo can use their mobile app as a verification method while resetting their password.

Mobile app notification can only be turned on as part of a policy that requires two methods to reset your password.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He has been awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander the Veeam Vanguard award.