What's New in Azure Active Directory for April 2023


Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for April 2023:


What's Planned

Updated look and feel for Per-user MFA General Availability

Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection

As part of ongoing service improvements, Microsoft is making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change does not include any changes to the core functionality and will only include visual improvements.


New limits on number and size of group secrets General Availability

Service category: Group Management
Product capability: Directory

Group secrets are typically created when a group is assigned credentials to an app using Password-based single sign-on (SSO).

Starting in June 2023, the secrets stored on a single group can't exceed 48 individual secrets, or have a total size greater than 10KB across all secrets on a single group.

  • Groups with more than 10KB of secrets will immediately stop working in June 2023.
  • Groups exceeding 48 secrets are unable to increase the number of secrets they have, though they may still update or delete those secrets.

Microsoft highly recommends reducing each group to fewer than 48 secrets by January 2024. To reduce the number of secrets assigned to a group, Microsoft recommends creating additional groups and splitting the group assignments to Password-based SSO applications across those new groups.
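To find which groups the new limits will affect, the following Python is an added example (not code from the original post or from Microsoft) that applies both thresholds to a per-group inventory of Password-based SSO secrets. It assumes you have already exported, for each group, the number of secrets and their combined size in bytes; the export step is not shown, and the sample groups below are constructed for illustration. The split estimate is a lower bound that assumes secrets can be spread evenly across new groups.

```python
"""Audit Azure AD groups against the June 2023 limits on group secrets.

Added example for the post above; assumes an inventory of (group, secret
count, total secret bytes) has already been gathered out of band.
"""
import math
from dataclasses import dataclass

MAX_SECRETS_PER_GROUP = 48               # hard cap on individual secrets
MAX_SECRET_BYTES_PER_GROUP = 10 * 1024   # 10KB total across all secrets on a group


@dataclass(frozen=True)
class GroupSecretUsage:
    group_id: str            # placeholder object id, not a real tenant value
    display_name: str
    secret_count: int
    total_secret_bytes: int


def classify(usage: GroupSecretUsage) -> str:
    """Map a group's usage to its fate under the new limits.

    'breaks' : more than 10KB of secrets -> stops working in June 2023
    'frozen' : more than 48 secrets      -> can update/delete but not add
    'ok'     : within both limits
    """
    if usage.total_secret_bytes > MAX_SECRET_BYTES_PER_GROUP:
        return "breaks"
    if usage.secret_count > MAX_SECRETS_PER_GROUP:
        return "frozen"
    return "ok"


def groups_needed(usage: GroupSecretUsage) -> int:
    """Minimum number of groups so that each stays within both limits.

    Lower bound only: it assumes the secrets can be distributed evenly.
    """
    by_count = math.ceil(usage.secret_count / MAX_SECRETS_PER_GROUP)
    by_size = math.ceil(usage.total_secret_bytes / MAX_SECRET_BYTES_PER_GROUP)
    return max(1, by_count, by_size)


def audit(usages) -> dict:
    """Return {display_name: (status, groups_needed)} for every group."""
    return {u.display_name: (classify(u), groups_needed(u)) for u in usages}


# Constructed sample inventory (not real tenant data).
SAMPLE_INVENTORY = [
    GroupSecretUsage("00000000-0000-0000-0000-000000000001", "sales-apps", 12, 3_000),
    GroupSecretUsage("00000000-0000-0000-0000-000000000002", "contractor-apps", 60, 9_500),
    GroupSecretUsage("00000000-0000-0000-0000-000000000003", "legacy-apps", 40, 14_000),
]

if __name__ == "__main__":
    for name, (status, needed) in audit(SAMPLE_INVENTORY).items():
        print(f"{name:16} {status:7} split into {needed} group(s)")
```

Run it against your own inventory and prioritise the `breaks` rows first, since those groups stop working outright; `frozen` groups keep working but cannot take new assignments until they are split.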


What's New

Enablement of combined security information registration for MFA and SSPR General Availability

Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection

Last year Microsoft announced the combined registration user experience for multi-factor authentication (MFA) and self-service password reset (SSPR) was rolling out as the default experience for all organizations. Microsoft is happy to announce that the combined security information registration experience is now fully rolled out. This change doesn't affect tenants located in the China region.


Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2023, Microsoft added the following new applications to the Azure AD App gallery with Federation support:

  1. iTel Alert
  2. goFLUENT
  3. StructureFlow
  4. StructureFlow AU
  5. StructureFlow CA
  6. StructureFlow EU
  7. StructureFlow USA
  8. Predict360 SSO
  9. Cegid Cloud
  10. HashiCorp Cloud Platform (HCP)
  11. O'Reilly learning platform
  12. LeftClick Web Services – RoomGuide
  13. LeftClick Web Services – Sharepoint
  14. LeftClick Web Services – Presence
  15. LeftClick Web Services – Single Sign-On
  16. InterPrice Technologies
  17. WiggleDesk SSO
  18. Application Experience with Mist
  19. Connect Plans 360
  20. Proactis Rego Source-to-Contract
  21. Danomics
  22. Fountain
  23. Theom
  24. DDC Web
  25. Dozuki


Authenticator Lite in Outlook Public Preview

Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator Lite is an additional surface for Azure AD users to complete multi-factor authentication (MFA) using push notifications on their Android or iOS device. With Authenticator Lite, users can satisfy an MFA requirement from the convenience of a familiar app.

Authenticator Lite is currently enabled in the Outlook mobile app. Users may receive a notification in their Outlook mobile app to approve or deny, or use the Outlook app to generate an OATH verification code that can be entered during sign-in.

The Microsoft managed setting for this feature will be set to enabled on May 26th, 2023. This will enable the feature for all users in tenants where the feature is set to Microsoft managed. If admins wish to change the state of this feature, they need to do so before May 26th, 2023.


Token Protection for Sign-in Sessions Public Preview

Service category: Conditional Access
Product capability: User Authentication

Token Protection for sign-in sessions is Microsoft's first release on a roadmap to combat attacks involving token theft and replay. It adds Conditional Access enforcement of token proof-of-possession for supported clients and services, ensuring that access to the specified resources is only possible from the device on which the user signed in.
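The following Python is an added example, not code from the original post or from Microsoft, of how an admin might roll this out safely: it builds a Conditional Access policy in report-only mode scoped to a pilot group, and includes a check that can be run over policies read back from Microsoft Graph to confirm the control is set. It assumes the Microsoft Graph beta representation of the control is the `secureSignInSession` session control with an `isEnabled` flag (verify that against the current Graph reference before relying on it); the group and application ids are placeholders, and `create_policy` needs a bearer token with Policy.ReadWrite.ConditionalAccess.

```python
"""Build and validate a report-only token-protection Conditional Access policy.

Added example for the post above. Assumptions (not confirmed by the post):
 - Graph beta expresses token protection as
   sessionControls.secureSignInSession.isEnabled
 - the ids below are placeholders for a real pilot group and app ids
"""
import json
from urllib import request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def build_token_protection_policy(display_name, pilot_group_ids, app_ids, enforce=False):
    """Return the JSON body for a Conditional Access policy requiring token protection.

    Defaults to report-only so sign-ins from unsupported clients show up in the
    sign-in logs before anyone is blocked.
    """
    if not pilot_group_ids:
        raise ValueError("scope the policy to a pilot group before creating it")
    if not app_ids:
        raise ValueError("target at least one supported application")
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else REPORT_ONLY,
        "conditions": {
            "users": {"includeGroups": list(pilot_group_ids)},
            "applications": {"includeApplications": list(app_ids)},
        },
        "sessionControls": {
            # Assumed Graph beta property for token protection.
            "secureSignInSession": {"isEnabled": True},
        },
    }


def requires_token_protection(policy) -> bool:
    """True if a policy object (e.g. read back from Graph) enforces token protection."""
    session = policy.get("sessionControls") or {}
    control = session.get("secureSignInSession") or {}
    return bool(control.get("isEnabled")) and policy.get("state") == "enabled"


def create_policy(bearer_token, policy):
    """POST the policy to Graph; returns the created object. Not run offline."""
    req = request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder ids; replace with your pilot group and target application ids.
    policy = build_token_protection_policy(
        "CA - Token protection (pilot, report-only)",
        ["00000000-0000-0000-0000-00000000aaaa"],
        ["00000000-0000-0000-0000-00000000bbbb"],
    )
    print(json.dumps(policy, indent=2))
```

Keep the policy in report-only mode until the sign-in logs show that every client in the pilot group is one that supports token binding; only then flip `enforce=True`.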


Custom attributes for Azure Active Directory Domain Services Public Preview

Service category: Azure Active Directory Domain Services
Product capability: Azure Active Directory Domain Services

Azure Active Directory Domain Services will now support synchronizing custom attributes from Azure AD for on-premises accounts.


New provisioning connectors in the Azure AD Application Gallery Public Preview

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

  1. Alvao
  2. Better Stack
  3. BIS
  4. Connecter
  5. Howspace
  6. Kno2fy
  7. Netsparker Enterprise
  8. uniFLOW Online


What's Changed

System-preferred MFA method General Availability

Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Currently, organizations and users rely on a range of authentication methods, each offering varying degrees of security. While multi-factor authentication (MFA) is crucial, some MFA methods are more secure than others. Despite having access to more secure MFA options, users frequently choose less secure methods for various reasons.

To address this challenge, Microsoft introduces a new system-preferred authentication method for MFA. When users sign in, the system will determine and display the most secure MFA method that the user has registered. This prompts users to switch from the default method to the most secure option. While users may still choose a different MFA method, they'll always be prompted to use the most secure method first for every session that requires MFA.


SSPR now supports PIM eligible users and indirect group role assignment General Availability

Service category: Self Service Password Reset
Product capability: Identity Security & Protection

Self Service Password Reset (SSPR) can now evaluate PIM-eligible users and group-based memberships, along with direct memberships, when checking whether a user is in a particular administrator role. This capability provides more accurate SSPR policy enforcement by validating whether users are in scope for the default SSPR admin policy or your organization's SSPR user policy.


Enhanced Create User and Invite User Experiences Public Preview

Service category: User Management
Product capability: User Management

Admins can now define more properties when creating and inviting a user in the Entra admin portal. These improvements bring Microsoft's user experience to parity with its Create User APIs. Additionally, admins can now add users to a group or Administrative Unit (AU), and assign roles.


Azure AD Conditional Access Protected actions Public Preview

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

The 'Protected actions' feature introduces the ability to apply Conditional Access to select Graph API permissions. When a user performs a protected action, they must satisfy Conditional Access policy requirements.


New PIM Azure resource picker Public Preview

Service category: Privileged Identity Management
Product capability: End User Experiences

With this new experience, Azure AD Privileged Identity Management (PIM) now automatically manages any type of resource in a tenant, so discovery and activation are no longer required. With the new resource picker, admins can directly choose the scope they want to manage, from the Management Group down to the resources themselves, making it faster and easier to locate the resources they need to manage.


What's Fixed

Additional terms of use audit logs will be turned off General Availability

Service category: Terms of Use
Product capability: Authorization/Access Delegation

Due to a technical issue, Microsoft has recently started to emit additional audit logs for Terms of Use. The additional audit logs will be turned off by the first of May and are tagged with the core directory service and the agreement category. If the organization has built a dependency on the additional audit logs, admins must switch to the regular audit logs tagged with the Terms of Use service.


Alert on active-permanent role assignments in Azure or assignments made outside of PIM General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

The 'Alert on Azure subscription role assignments made outside of Privileged Identity Management (PIM)' feature provides an alert in PIM for Azure subscription assignments made outside of PIM. An Owner or User Access Administrator for the Azure subscription can take a quick remediation action to remove those assignments.


Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He has been awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander the Veeam Vanguard award.