What's New in Azure Active Directory for March 2023


Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for March 2023:


What's Planned

Number Matching for Microsoft Authenticator notifications General Availability

Service category: Microsoft Authenticator App
Product capability: User Authentication

Microsoft Authenticator app’s number matching feature has been generally available since November 2022! If admins haven't already used the rollout controls (via Azure portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, Microsoft highly encourages admins to do so. Microsoft previously announced that the admin controls will be removed and the number match experience will be enforced tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to organizations, Microsoft has extended the availability of the rollout controls for a few more weeks. Admins can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8, 2023. Microsoft will also remove the rollout controls for number matching after that date.

If organizations don’t enable number match for all Microsoft Authenticator push notifications prior to May 8, 2023, Authenticator users may experience inconsistent sign-ins while the services are rolling out this change. To ensure consistent behavior for all users, Microsoft highly recommends admins enable number match for Microsoft Authenticator push notifications in advance.
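Before 8 May 2023, the question every admin wants answered is simply "is number matching already enforced for everyone in my tenant?". The script below is an added example (not code from the original post or from Microsoft) that answers it from the Microsoft Authenticator configuration the Graph API returns under the authentication methods policy. It assumes the shape of that Graph resource (`featureSettings.numberMatchingRequiredState` with an `includeTarget` whose id is `all_users` when the whole tenant is covered), and it runs against a constructed sample document instead of calling Graph, so the `SAMPLE_CONFIG` values and the pilot group id are placeholders.

```python
"""Readiness check for the Microsoft Authenticator number-matching setting.

Added example, not code from the original post. It assumes the JSON shape of the
Graph resource
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
(featureSettings.numberMatchingRequiredState with an includeTarget of
targetType "group" and id "all_users") and works on a constructed sample
document so it runs offline.
"""
import json

ALL_USERS = "all_users"
EMPTY_GROUP = "00000000-0000-0000-0000-000000000000"  # the "no exclusions" sentinel

# Constructed sample: number matching is still scoped to one pilot group.
SAMPLE_CONFIG = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": {
            "state": "enabled",
            # placeholder pilot group id, not a real tenant value
            "includeTarget": {"targetType": "group", "id": "11111111-2222-3333-4444-555555555555"},
            "excludeTarget": {"targetType": "group", "id": EMPTY_GROUP},
        }
    },
}


def number_matching_status(config: dict) -> dict:
    """Summarise whether number matching is enforced tenant-wide in this config."""
    nm = config.get("featureSettings", {}).get("numberMatchingRequiredState", {})
    include = nm.get("includeTarget", {})
    exclude = nm.get("excludeTarget", {})
    enabled = nm.get("state") == "enabled"
    covers_all = include.get("targetType") == "group" and include.get("id") == ALL_USERS
    no_exclusions = exclude.get("id", EMPTY_GROUP) == EMPTY_GROUP
    return {
        "enabled": enabled,
        "include_id": include.get("id"),
        "enforced_for_all": enabled and covers_all and no_exclusions,
    }


def enable_number_matching_for_all() -> dict:
    """Body for a PATCH of the same Graph resource that enforces number matching for all users."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {
            "numberMatchingRequiredState": {
                "state": "enabled",
                "includeTarget": {"targetType": "group", "id": ALL_USERS},
                "excludeTarget": {"targetType": "group", "id": EMPTY_GROUP},
            }
        },
    }


if __name__ == "__main__":
    status = number_matching_status(SAMPLE_CONFIG)
    print(json.dumps(status, indent=2))
    if not status["enforced_for_all"]:
        print("PATCH body to apply before 8 May 2023:")
        print(json.dumps(enable_number_matching_for_all(), indent=2))
```

Run it against the real JSON from the Graph call (with Policy.ReadWrite.AuthenticationMethod consent) to get the readiness verdict; the PATCH body it prints is what closes the gap while the rollout controls are still available.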


IPv6 coming to Azure AD Public Preview

Service category: Identity Protection
Product capability: Platform

Earlier, Microsoft announced its plan to bring IPv6 support to Azure AD, enabling organizations to reach the services over IPv4, IPv6 or dual-stack endpoints. This is a reminder that Microsoft started introducing IPv6 support into Azure AD services in a phased approach in late March 2023.

If admins use Conditional Access or Identity Protection, and have IPv6 enabled on any of the organization's devices, they will likely need to take action to avoid impacting users: named locations that list only IPv4 ranges will no longer match clients that sign in over IPv6. For most organizations, IPv4 won't completely disappear from their digital landscape, so Microsoft isn't planning to require IPv6 or to deprioritize IPv4 in any Azure AD features or services.
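The practical impact sits in named locations: a trusted location defined by IPv4 ranges alone will not match a sign-in that arrives over IPv6, so policies keyed on "trusted location" behave differently for the same office. The added example below (not code from the original post) finds those locations and shows which constructed sign-in addresses still match. It assumes the Graph shape of `ipNamedLocation` objects (`ipRanges` entries typed `#microsoft.graph.iPv4CidrRange` or `#microsoft.graph.iPv6CidrRange` with a `cidrAddress`); the location names, ranges and sign-in addresses are constructed from documentation prefixes.

```python
"""Which Conditional Access named locations still cover clients on IPv6?

Added example, not code from the original post. It assumes the Graph shape of
ipNamedLocation objects (ipRanges typed #microsoft.graph.iPv4CidrRange or
#microsoft.graph.iPv6CidrRange, each with a cidrAddress) and uses constructed
named locations and constructed sign-in source addresses.
"""
import ipaddress

# Constructed named locations: the first "trusted" one lists IPv4 ranges only,
# which is exactly the gap that appears once clients start arriving over IPv6.
NAMED_LOCATIONS = [
    {
        "displayName": "HQ egress (trusted)",
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"},
        ],
    },
    {
        "displayName": "Branch egress (trusted, dual stack)",
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "198.51.100.0/24"},
            {"@odata.type": "#microsoft.graph.iPv6CidrRange", "cidrAddress": "2001:db8:1::/48"},
        ],
    },
]

# Constructed source addresses as they would appear in the sign-in log.
SIGN_IN_IPS = ["203.0.113.40", "2001:db8:1::5", "2001:db8:ffff::7"]


def networks(location: dict) -> list:
    """Parse every CIDR of a named location into ip_network objects (v4 and v6)."""
    return [ipaddress.ip_network(r["cidrAddress"], strict=False) for r in location["ipRanges"]]


def matching_locations(ip: str, locations: list) -> list:
    """Names of the locations whose ranges contain ip; address family must match."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for loc in locations:
        if any(net.version == addr.version and addr in net for net in networks(loc)):
            hits.append(loc["displayName"])
    return hits


def ipv4_only_trusted_locations(locations: list) -> list:
    """Trusted locations that will silently stop matching for IPv6 clients."""
    return [
        loc["displayName"]
        for loc in locations
        if loc.get("isTrusted") and all(net.version == 4 for net in networks(loc))
    ]


if __name__ == "__main__":
    for ip in SIGN_IN_IPS:
        hits = matching_locations(ip, NAMED_LOCATIONS)
        print(f"{ip:>18} -> {hits if hits else 'no named location'}")
    print("Trusted locations with no IPv6 range:", ipv4_only_trusted_locations(NAMED_LOCATIONS))
```

Feed it the output of the Graph named-locations listing for the real tenant; every name it reports under "no IPv6 range" needs the office's IPv6 egress prefix added before IPv6 sign-ins start showing up as "untrusted" in the sign-in log.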


Modernizing Terms of Use Experiences

Service category: Terms of use
Product capability: Authorization and Access Delegation

Starting July 2023, Microsoft is modernizing the following Terms of Use end user experiences with an updated PDF viewer, and moving the experiences from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com:

  • View previously accepted terms of use
  • Accept or decline terms of use as part of the sign-in flow

No functionalities will be removed. The new PDF viewer adds functionality and the limited visual changes in the end-user experiences will be communicated in a future update. If your organization has allow-listed only certain domains, you must ensure your allowlist includes the domains ‘myaccount.microsoft.com’ and ‘*.myaccount.microsoft.com’ for Terms of Use to continue working as expected.


What's New

Workload identity Federation for Managed Identities General Availability

Service category: Managed identities for Azure resources
Product capability: Developer Experience

Workload Identity Federation enables developers to use managed identities for their software workloads running anywhere and access Azure resources without needing secrets. Key scenarios include:

  • Accessing Azure resources from Kubernetes pods running in any cloud or on-premises
  • GitHub workflows to deploy to Azure, no secrets necessary
  • Accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud Platform.
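What makes this secret-less is the trust rule behind each federated identity credential: Azure AD only exchanges an external OIDC token for a managed-identity token when that token's `iss`, `sub` and `aud` claims match the issuer, subject and audience configured on the credential, and the subject match is exact. The added example below (not code from the original post or from Microsoft) models that check for the Kubernetes and GitHub scenarios listed above. The GitHub and Kubernetes subject formats and the `api://AzureADTokenExchange` audience are the documented ones; the organisation, repository, cluster issuer URL and namespace names are placeholders.

```python
"""Does an inbound OIDC token satisfy a federated identity credential?

Added example, not code from the original post. Azure AD's trust for workload
identity federation is configured per credential as issuer, subject and
audiences; the exchange succeeds only when the external token's iss, sub and
aud match. Credentials and token claims below are constructed; org/repo,
cluster issuer URL and namespace are placeholders.
"""

# Constructed federated identity credentials on one user-assigned managed identity.
FEDERATED_CREDENTIALS = [
    {
        "name": "github-main-deploy",
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:contoso/webshop:ref:refs/heads/main",  # placeholder org/repo
        "audiences": ["api://AzureADTokenExchange"],
    },
    {
        "name": "aks-billing-sa",
        "issuer": "https://oidc.example-cluster.invalid/",  # placeholder cluster issuer
        "subject": "system:serviceaccount:billing:billing-worker",
        "audiences": ["api://AzureADTokenExchange"],
    },
]


def matching_credential(token_claims: dict, credentials: list):
    """Return the credential name the token would be accepted under, or None."""
    aud = token_claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    for cred in credentials:
        if (
            token_claims.get("iss") == cred["issuer"]        # exact issuer match
            and token_claims.get("sub") == cred["subject"]   # exact subject match, no wildcards
            and any(a in cred["audiences"] for a in auds)    # audience must be one we issued for
        ):
            return cred["name"]
    return None


def explain(token_claims: dict, credentials: list) -> str:
    """Human-readable verdict for a token, for the deploy log."""
    name = matching_credential(token_claims, credentials)
    return f"accepted via {name}" if name else "rejected: no federated credential matches"


if __name__ == "__main__":
    # Constructed claims: a workflow run on main, one on a feature branch,
    # and a pod in a namespace the credential was not created for.
    samples = [
        {"iss": "https://token.actions.githubusercontent.com",
         "sub": "repo:contoso/webshop:ref:refs/heads/main", "aud": "api://AzureADTokenExchange"},
        {"iss": "https://token.actions.githubusercontent.com",
         "sub": "repo:contoso/webshop:ref:refs/heads/feature-x", "aud": "api://AzureADTokenExchange"},
        {"iss": "https://oidc.example-cluster.invalid/",
         "sub": "system:serviceaccount:default:billing-worker", "aud": "api://AzureADTokenExchange"},
    ]
    for claims in samples:
        print(claims["sub"], "->", explain(claims, FEDERATED_CREDENTIALS))
```

The design point worth keeping in mind when creating credentials: because the subject is matched exactly, scoping it to a branch or environment (GitHub) or to a namespace and service account (Kubernetes) is what keeps a compromised feature branch or a pod in another namespace from borrowing the managed identity.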


Converged Authentication Methods General Availability

Service category: Multi-factor Authentication (MFA)
Product capability: User Authentication

The Converged Authentication Methods Policy enables admins to manage all authentication methods used for multi-factor authentication (MFA) and Self-service Password Reset (SSPR) in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in your tenant.


Provisioning Insights Workbook General Availability

Service category: Provisioning
Product capability: Monitoring & Reporting

The new Provisioning Insights workbook makes it easier to investigate and gain insights into provisioning workflows in a given Azure AD tenant. This includes HR-driven provisioning, cloud sync, app provisioning, and cross-tenant sync.

Some key questions this workbook can help answer are:

  • How many identities have been synced in a given time range?
  • How many create, delete, update, or other operations were performed?
  • How many operations were successful, skipped, or failed?
  • What specific identities failed? And what step did they fail on?
  • For any given user, what tenants / applications were they provisioned or deprovisioned to?


Microsoft cloud settings for Azure AD B2B General Availability

Service category: Business to Business (B2B)
Product capability: Business to Business (B2B) / Business to Consumer (B2C)

Microsoft cloud settings let organizations collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, admins can establish mutual business to business (B2B) collaboration between the following clouds:

  • Microsoft Azure commercial and Microsoft Azure Government
  • Microsoft Azure commercial and Microsoft Azure China 21Vianet


Customize tokens with Custom Claims Providers Public Preview

Service category: Authentications (Logins)
Product capability: Extensibility

A custom claims provider lets admins call an application programming interface (API) and map custom claims into the token during the authentication flow. The API call is made after the end user has completed all their authentication challenges, and a token is about to be issued to the app.
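To make the flow concrete, the added example below (not code from the original post or from Microsoft's samples) is the core of such an API: it takes the token issuance start event Azure AD posts after the user has passed all challenges, looks the user up in a constructed HR table, and returns the claims to add. It assumes the event and response shape of the custom authentication extension as documented for the `onTokenIssuanceStart` event (the user under `data.authenticationContext`, the answer as a `microsoft.graph.tokenIssuanceStart.provideClaimsForToken` action); the user principal names and attribute values are placeholders. Validating the bearer token Azure AD sends with the callout is assumed to happen in the web layer before this function is reached.

```python
"""Core of a custom claims provider API for the token issuance start event.

Added example, not code from the original post or Microsoft's samples. It assumes
the request/response shape of the onTokenIssuanceStart custom authentication
extension (user under data.authenticationContext in the request; a
microsoft.graph.tokenIssuanceStart.provideClaimsForToken action in the response)
and a constructed HR lookup table. Bearer-token validation of the callout itself
is assumed to happen before build_response() is called.
"""
import json

EXPECTED_EVENT = "microsoft.graph.authenticationEvent.tokenIssuanceStart"

# Constructed directory of the extra attributes this API may emit.
HR_RECORDS = {
    "alice@contoso.invalid": {"costCenter": "CC-1001", "customRoles": ["Writer", "Editor"]},
}

# This handler adds attributes; it must never try to rewrite the identity claims
# Azure AD issues itself, so anything with these names is dropped before answering.
RESERVED = {"sub", "oid", "tid", "aud", "iss", "iat", "exp", "nbf"}


def build_response(event: dict) -> dict:
    """Map the signed-in user to extra claims; unknown users get no extra claims."""
    if event.get("type") != EXPECTED_EVENT:
        raise ValueError(f"unexpected event type: {event.get('type')!r}")
    user = event.get("data", {}).get("authenticationContext", {}).get("user", {})
    upn = user.get("userPrincipalName", "").lower()
    extra = HR_RECORDS.get(upn, {})
    claims = {k: v for k, v in extra.items() if k not in RESERVED}
    return {
        "data": {
            "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
            "actions": [
                {
                    "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
                    "claims": claims,
                }
            ],
        }
    }


def issued_claims(response: dict) -> dict:
    """Pull the claims back out of a response, for logging and tests."""
    return response["data"]["actions"][0]["claims"]


# Constructed callout as Azure AD would post it after the user's last challenge.
SAMPLE_EVENT = {
    "type": EXPECTED_EVENT,
    "source": "/tenants/00000000-0000-0000-0000-000000000000/applications/placeholder-app-id",
    "data": {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartCalloutData",
        "authenticationContext": {
            "protocol": "OAUTH2.0",
            "user": {"userPrincipalName": "Alice@contoso.invalid", "displayName": "Alice"},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(build_response(SAMPLE_EVENT), indent=2))
```

Two design choices carry the security weight: the API answers only the event type it was registered for, and it never returns identity claims of its own, so a bug in the HR data cannot turn into a changed `oid` or `tid` in the issued token.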


Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Admins can now automate creating, updating, and deleting of user accounts for these newly integrated apps:


What's Changed

New My Groups Experience Public Preview

Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at https://www.myaccount.microsoft.com/groups. My Groups enables end users to easily manage groups, such as finding groups to join, managing groups they own, and managing existing group memberships. Based on feedback, the new My Groups supports sorting and filtering on lists of groups and group members, a full list of group members in large groups, and an actionable overview page for membership requests. This experience replaces the existing My Groups experience at https://www.mygroups.microsoft.com in May 2023.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, speaker and blogger at DirTeam.com and ServerCore.net. He is awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander with the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander with the Veeam Vanguard award.