What's New in Azure Active Directory for May 2023

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2023:

What's New

Cross-tenant synchronization General Availability

Service category: Provisioning
Product capability: Identity Lifecycle Management

Cross-tenant synchronization allows admins to set up a scalable and automated solution for users to access applications across tenants in the organization. It builds upon the External ID functionality and automates creating, updating, and deleting External IDs within tenants in the organization.

Conditional Access authentication strength for members, external users and FIDO2 restrictions General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Authentication strength is a Conditional Access control that allows admins to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. Likewise, to access a non-sensitive resource, they can allow less secure multifactor authentication (MFA) combinations such as password + SMS.

Conditional Access Granular control for external user types General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

When configuring a Conditional Access policy, organizations now have granular control over the types of external users they want to apply the policy to. External users are categorized based on how they authenticate (internally or externally) and their relationship to the organization (guest or member).

Authenticator Lite (In Outlook) General Availability

Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator Lite (in Outlook) is an authentication solution for users who haven't yet downloaded the Microsoft Authenticator app. Users are prompted in Outlook on their mobile device to register for multi-factor authentication. After they enter their password at sign-in, they have the option to send a push notification to their Android or iOS device.

Because of the security enhancement this feature provides, the Microsoft-managed value of this feature will change from ‘disabled’ to ‘enabled’ on June 9. Microsoft has made some changes to the feature configuration, so admins who made an update before GA (May 17) should validate that the feature is in the correct state for their tenant before June 9. Admins who do not want this feature enabled on June 9 should set its state to ‘disabled’, or scope it to specific users through include and exclude groups.

Admins can restrict their users from creating tenants General Availability

Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings pane allows admins to restrict their users from being able to create new tenants.

Admins can now restrict users from self-service accessing their BitLocker keys General Availability

Service category: Device Access Management
Product capability: User Management

Admins can now restrict their users from self-service accessing their BitLocker keys through the Devices Settings page. Turning on this capability hides the BitLocker key(s) of all non-admin users. This helps to control BitLocker access management at the admin level.

Devices Self-Help Capability for Pending Devices General Availability

Service category: Device Access Management
Product capability: End User Experiences

In the All Devices view, under the Registered column, users can now select any of their pending devices to open a context pane that helps troubleshoot why the device is still pending.

SAML/WS-Fed based identity provider authentication for External IDs in US Sec and US Nat clouds General Availability

Service category: B2B collaboration
Product capability: External ID

SAML/WS-Fed based identity providers for authentication in Azure AD B2B are generally available in:

  • US Sec cloud
  • US Nat cloud
  • China cloud

Verified threat actor IP sign-in detection General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection has added a new detection that uses the Microsoft Threat Intelligence database to flag sign-ins performed from IP addresses of known nation-state and cybercrime actors. Organizations can block these sign-ins by using risk-based Conditional Access policies.

PowerShell and Web Services connector support through the Azure AD provisioning agent General Availability

Service category: Provisioning
Product capability: Outbound to On-premises Applications

The Azure AD on-premises application provisioning feature now supports both the PowerShell and web services connectors. Admins can now provision user objects into a flat file using the PowerShell connector or an app such as SAP ECC using the web services connector.

Managed Identity in Microsoft Authentication Library for .NET General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

The latest version of MSAL.NET graduates the Managed Identity APIs into the General Availability mode of support, which means that developers can integrate them safely in production workloads.

Managed identities are a part of the Azure infrastructure, simplifying how developers handle credentials and secrets to access cloud resources. With Managed Identities, developers don't need to manually handle credential retrieval and security. Instead, they can rely on an automatically managed set of identities to connect to resources that support Azure Active Directory authentication.
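As an added illustration (not code from the release notes or from Microsoft's own samples), the snippet below acquires an Azure Resource Manager token with the now-GA Managed Identity API in MSAL.NET. It assumes the code runs on an Azure resource that has a system-assigned managed identity and that the Microsoft.Identity.Client NuGet package is referenced; the class and method names are this example's own.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: token acquisition through the MSAL.NET Managed Identity API.
// Assumes an Azure-hosted workload (VM, App Service, Function, ...) with a
// system-assigned managed identity. The application never handles a client
// secret or certificate; the platform vouches for the identity.
public static class ManagedIdentityTokenDemo
{
    // Resource the token is requested for (Azure Resource Manager here).
    private const string Resource = "https://management.azure.com";

    public static async Task<string> GetArmTokenAsync()
    {
        IManagedIdentityApplication app = ManagedIdentityApplicationBuilder
            .Create(ManagedIdentityId.SystemAssigned)
            // For a user-assigned identity use instead:
            // .Create(ManagedIdentityId.WithUserAssignedClientId("<client-id-placeholder>"))
            .Build();

        // MSAL calls the local managed identity endpoint of the hosting service
        // and caches the result, so repeated calls do not hit the endpoint again.
        AuthenticationResult result = await app
            .AcquireTokenForManagedIdentity(Resource)
            .ExecuteAsync();

        Console.WriteLine($"Token source: {result.AuthenticationResultMetadata.TokenSource}, " +
                          $"expires: {result.ExpiresOn:u}");
        return result.AccessToken;
    }

    public static async Task Main()
    {
        try
        {
            string token = await GetArmTokenAsync();
            Console.WriteLine($"Acquired token of length {token.Length}");
        }
        catch (MsalServiceException ex)
        {
            // Expected when running outside Azure or when no identity is assigned
            // to the resource: there is no local endpoint to issue the token.
            Console.Error.WriteLine($"Managed identity request failed: {ex.ErrorCode} {ex.Message}");
        }
    }
}
```

The second call to GetArmTokenAsync within the token lifetime reports a token source of Cache rather than IdentityProvider, which is the behaviour to expect when auditing how often a workload contacts the identity endpoint.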

Microsoft Entra Permissions Management Azure Active Directory Insights General Availability

Service category: Other
Product capability: Permissions Management

The Azure Active Directory Insights tab in Microsoft Entra Permissions Management provides a view of all permanent role assignments assigned to Global Administrators, and a curated list of highly privileged roles. Administrators can then use the report to take further action within the Azure Active Directory console.

Custom Extensions in Entitlement Management Public Preview

Service category: Entitlement management
Product capability: Identity Governance

Last year Microsoft announced the public preview of custom extensions in Entitlement Management, allowing admins to automate complex processes when access is requested or about to expire. Microsoft has recently expanded the public preview so that an access package assignment request can be paused while an external process is running. In addition, the external process can now provide feedback to Entitlement Management, either to surface additional information to end users in MyAccess or to stop the access request altogether. This broadens the scenarios for custom extensions from notifying additional stakeholders or generating tickets to advanced scenarios such as external governance, risk and compliance checks. As part of this update, Microsoft has also improved the audit logs, the token security and the payload sent to the Logic App.

In-portal guide to configure multi-factor authentication Public Preview

Service category: MFA
Product capability: Identity Security & Protection

The in-portal guide to configure multi-factor authentication helps admins get started with Azure Active Directory's MFA capabilities. Admins can find this guide under the Tutorials tab in the Azure AD Overview.

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2023, Microsoft added the following new applications to the Azure AD App gallery with Federation support:

  1. INEXTRACK
  2. Valotalive Digital Signage Microsoft 365 integration
  3. Tailscale
  4. MANTL
  5. ServusConnect
  6. Jigx MS Graph Demonstrator
  7. Delivery Solutions
  8. Radiant IOT Portal
  9. Cosgrid Networks
  10. voya SSO
  11. Redocly
  12. Glaass Pro
  13. TalentLyftOIDC
  14. Cisco Expressway
  15. IBM TRIRIGA on Cloud
  16. Avionte Bold SAML Federated SSO
  17. InspectNTrack
  18. CAREERSHIP
  19. Cisco Unity Connection
  20. HSC-Buddy
  21. teamecho
  22. Uni-tel A/S
  23. AskFora
  24. Enterprise Bot
  25. CMD+CTRL Base Camp
  26. Debitia Collections
  27. EnergyManager
  28. Visual Workforce
  29. Uplifter
  30. AI2
  31. TES Cloud
  32. VEDA Cloud
  33. SOC SST
  34. Alchemer
  35. Cleanmail Swiss
  36. WOX
  37. WATS
  38. Data Quality Assistant
  39. Softdrive
  40. Fluence Portal
  41. Humbol
  42. Document360
  43. Engage by Local Measure
  44. Gate Property Management Software
  45. Locus
  46. Banyan Infrastructure
  47. Proactis Rego Invoice Capture
  48. SecureTransport
  49. Recnice

What's Changed

My Security-info now shows Microsoft Authenticator type General Availability

Service category: MFA
Product capability: Identity Security & Protection

Microsoft has improved My Sign-ins and My Security-Info to give admins more clarity on the types of Microsoft Authenticator or other authenticator apps a user has registered. Users now see Microsoft Authenticator registrations with additional information showing whether the app is registered for push-based MFA or for passwordless phone sign-in (PSI). For other authenticator apps (software OATH), Microsoft now indicates that they are registered as a time-based one-time password method.

New My Groups Experience Public Preview

Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at myaccount.microsoft.com/groups. This experience replaces the existing My Groups experience at mygroups.microsoft.com in May.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He has been awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander the Veeam Vanguard award.