What’s New in Azure Active Directory for August 2018


Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for August 2018:


What’s New

Converged security info management for SSPR and MFA (Preview)

Service category: Self-service Password Reset
Product capability: User Authentication

This new feature lets people manage their security info (phone number, mobile app, and so on) for self-service password reset (SSPR) and Multi-Factor Authentication (MFA) in a single location and experience, instead of in the two separate locations used previously.

The converged experience also works for people who use only SSPR or only MFA. Additionally, if your organization doesn't enforce MFA or SSPR registration, people can still register any MFA or SSPR security info methods your organization allows from the My Apps portal.

This is an opt-in public preview. Administrators can turn on the new experience (if desired) for a selected group or for all users in a tenant. For more information about the converged experience, see the Converged experience blog.


New HTTP-Only cookies setting in Azure AD Application proxy apps

Service category: App Proxy
Product capability: Access Control

There's a new setting called HTTP-Only Cookies in your Application Proxy apps. This setting helps provide extra security by:

  • Including the HttpOnly flag in the HTTP response header for both Application Proxy access and session cookies
  • Stopping access to the cookie from a client-side script
  • Further preventing actions like copying or modifying the cookie

For more information about the HTTP-Only Cookies setting, see Publish applications using Azure AD Application Proxy.
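To see what the setting changes on the wire, the following added example (not part of the original post, and not Microsoft's code) parses Set-Cookie header values and reports which cookies a client-side script could still read. The header values and cookie names are constructed placeholders, not Application Proxy's real cookie names; the "before" set mimics cookies issued with the setting off and the "after" set mimics the setting on.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example: a small RFC 6265-style parser plus two checks a defender can
run over captured response headers. Sample headers below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased

    @property
    def http_only(self) -> bool:
        # Bare flag attribute; presence is what matters, not a value
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie.

    The first ';'-separated segment is name=value; every later segment is an
    attribute, either a bare flag (HttpOnly, Secure) or key=value (Path=/).
    Attribute names are case-insensitive, so they are compared lower-cased.
    partition() on the first '=' keeps values that themselves contain '='.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def find_script_accessible(headers: list[str]) -> list[str]:
    """Names of cookies that lack HttpOnly, i.e. readable by document.cookie."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.http_only]


def find_insecure(headers: list[str]) -> list[str]:
    """Names of cookies that lack Secure, i.e. may be sent over plain HTTP."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


# Constructed sample headers (placeholder names, not Application Proxy's).
BEFORE = [  # HTTP-Only Cookies setting off
    "accesscookie=abc123; Path=/; Secure",
    "sessioncookie=def456; Path=/; Secure",
]
AFTER = [  # HTTP-Only Cookies setting on
    "accesscookie=abc123; Path=/; Secure; HttpOnly",
    "sessioncookie=def456; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("script-readable before:", find_script_accessible(BEFORE))
    print("script-readable after: ", find_script_accessible(AFTER))
```

Run it against headers captured from your own published app (for example from the browser's network tab) to confirm both the access and session cookies carry HttpOnly after you enable the setting.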


PIM for Azure resources supports Management Group resource types

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Just-In-Time (JIT) activation and assignment settings can now be applied to Management Group resource types, just like you already do for Subscriptions, Resource Groups, and Resources (such as VMs, App Services, and more). In addition, anyone with a role that provides administrator access for a Management Group can discover and manage that resource in Azure AD Privileged Identity Management (PIM).

For more information about PIM and Azure resources, see Discover and manage Azure resources by using Privileged Identity Management.


Application access (preview) provides faster access to the Azure AD portal

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Today, when activating a role using PIM, it can take over 10 minutes for the permissions to take effect. If you choose to use Application access, which is currently in public preview, administrators can access the Azure AD portal as soon as the activation request completes.

Currently, Application access only supports the Azure AD portal experience and Azure resources. For more information about PIM and Application access, see What is Azure AD Privileged Identity Management?


New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2018, Microsoft added these 16 new apps with Federation support to the app gallery:


New support to add Google as an identity provider for B2B guest users in Azure Active Directory (preview)

Service category: B2B
Product capability: B2B/B2C

By setting up federation with Google in your organization, you can let invited Gmail users sign in to your shared apps and resources using their existing Google account, without having to create a personal Microsoft Account (MSA) or an Azure AD account.

This is an opt-in public preview. For more information about Google federation, see Add Google as an identity provider for B2B guest users.


What’s Planned

Changes to Azure Active Directory IP address ranges

Service category: Other
Product capability: Platform

Microsoft is introducing larger IP ranges to Azure AD, which means if you've configured Azure AD IP address ranges for your firewalls, routers, or Network Security Groups, you'll need to update them. Microsoft is making this update so you won't have to change your firewall, router, or Network Security Groups IP range configurations again when Azure AD adds new endpoints.

Network traffic is moving to these new ranges over the next two months. To continue with uninterrupted service, you must add these updated ranges to your IP address configurations before September 10, 2018:


Admins are strongly advised not to remove the old IP address ranges until all network traffic has moved to the new ranges.


Authorization codes will no longer be available for reuse

Service category: Authentications (Logins)
Product capability: User Authentication

Starting on October 10, 2018, Azure AD will stop accepting previously used authorization codes for new apps. Any app created before October 10, 2018 will still be able to reuse authorization codes. This security change helps bring Azure AD in line with the OAuth specification, which requires an authorization code to be single-use, and will be enforced on both the v1 and v2 endpoints.
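The rule being enforced here is RFC 6749 section 4.1.2: an authorization code is redeemed at most once, and if a code is presented a second time the server must deny the request and should revoke every token previously issued from that code. The following added example (not part of the original post, and not Azure AD's implementation) is a constructed, in-memory model of the token-endpoint side that shows that behaviour, along with the client_id, redirect_uri and lifetime checks that belong with it. The injectable `clock` and the 600-second lifetime are assumptions for the example.

```python
"""Single-use authorization codes, as RFC 6749 section 4.1.2 requires.

Added example: a minimal in-memory authorization server. A code can be
exchanged once; a replay is rejected with invalid_grant and revokes the
token that the first exchange produced.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 600  # RFC 6749 recommends at most 10 minutes (assumed value)


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    issued_at: float
    redeemed: bool = False
    tokens: list = field(default_factory=list)  # tokens minted from this code


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._codes: dict[str, CodeRecord] = {}
        self._active_tokens: set[str] = set()

    def issue_code(self, client_id: str, redirect_uri: str) -> str:
        """Mint a fresh, unguessable code bound to the client and redirect URI."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri, self._clock())
        return code

    def redeem_code(self, code: str, client_id: str, redirect_uri: str):
        """Exchange a code for an access token.

        Returns (token, None) on success or (None, "invalid_grant") on any
        failure; RFC 6749 uses the single error code so a caller cannot tell
        an unknown code from an expired or replayed one.
        """
        rec = self._codes.get(code)
        if rec is None:
            return None, "invalid_grant"
        # The code must be presented by the client it was issued to, with the
        # same redirect_uri used in the authorization request.
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return None, "invalid_grant"
        if self._clock() - rec.issued_at > CODE_LIFETIME_SECONDS:
            return None, "invalid_grant"
        if rec.redeemed:
            # Replay: deny, and revoke everything the first redemption produced,
            # since either the legitimate client or an attacker has the token.
            for token in rec.tokens:
                self._active_tokens.discard(token)
            return None, "invalid_grant"
        rec.redeemed = True
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        self._active_tokens.add(token)
        return token, None

    def is_token_active(self, token: str) -> bool:
        """Resource-server side check: has this token been revoked?"""
        return token in self._active_tokens


if __name__ == "__main__":
    srv = AuthorizationServer()
    code = srv.issue_code("app1", "https://app.example/callback")
    print(srv.redeem_code(code, "app1", "https://app.example/callback"))
    print(srv.redeem_code(code, "app1", "https://app.example/callback"))
```

An app that still relies on exchanging the same code twice (for example, two components each redeeming the code they received) will start seeing the second exchange fail once the change applies, which is the behaviour to look for in sign-in logs when testing new registrations against the cutover.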


What’s Changed

Native Tableau support is now available in Azure AD App Proxy

Service category: App Proxy
Product capability: Access Control

With the update of the pre-authentication protocol from OpenID Connect to the OAuth 2.0 code grant, you no longer have to do any additional configuration to use Tableau with Application Proxy. This protocol change also helps Application Proxy better support more modern apps by using only HTTP redirects, which are commonly supported in JavaScript and HTML tags.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He holds the Microsoft MVP, Veeam Vanguard and VMware vExpert awards. Since 2009, Microsoft has awarded Sander the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander the Veeam Vanguard award.