What's New in Azure Active Directory for June 2023

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for June 2023:


What's Planned

Modernizing Terms of Use Experiences

Service category: Terms of Use
Product capability: Authorization/Access Delegation

Recently, Microsoft announced the modernization of the terms of use end-user experiences as part of ongoing service improvements. As previously communicated, the end-user experiences will be updated with a new PDF viewer and are moving from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com.


What's New

Support for Directory Extensions using Azure AD Cloud Sync General Availability

Service category: Provisioning
Product capability: Azure Active Directory Connect Cloud Sync

Hybrid IT admins can now synchronize both Active Directory and Azure AD directory extensions using Azure AD Cloud Sync. This new capability dynamically discovers the schema of both Active Directory and Azure Active Directory, allowing organizations to map the needed attributes using Cloud Sync's attribute mapping experience.


Privileged Identity Management for Groups General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

With Privileged Identity Management for Groups now generally available, admins can grant users just-in-time membership in a group, which in turn provides access to Azure Active Directory roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, as well as third-party applications.


Privileged Identity Management and Conditional Access integration General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

The Privileged Identity Management (PIM) integration with Conditional Access authentication context is generally available. Admins can require users to meet a variety of requirements during role activation such as:

  • Use a specific authentication method, enforced through Authentication Strengths
  • Activate from a compliant device
  • Validate location, based on GPS
  • Not have a certain level of sign-in risk identified by Identity Protection
  • Meet other requirements defined in Conditional Access policies

The integration is available for all providers:

  • PIM for Azure AD roles
  • PIM for Azure resources
  • PIM for groups


Updated look and feel for Per-user MFA General Availability

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

As part of ongoing service improvements, Microsoft is updating the per-user MFA admin configuration experience to align with the look and feel of Azure. The change is visual only and doesn't alter core functionality.


Converged Authentication Methods in US Gov cloud General Availability

Service category: MFA
Product capability: User Authentication

The Converged Authentication Methods Policy enables admins to manage all authentication methods used for Multi-factor Authentication (MFA) and Self-service Password Reset (SSPR) in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant.

Organizations should migrate management of authentication methods off the legacy MFA and SSPR policies before September 30, 2024.


Include/exclude Entitlement Management in Conditional Access policies General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

The Entitlement Management service can now be targeted in Conditional Access policies for inclusion or exclusion of applications. To target the Entitlement Management service, select Azure AD Identity Governance – Entitlement Management in the cloud apps picker. The Entitlement Management app covers the entitlement management part of My Access, the Entitlement Management part of the Entra and Azure portals, and the Entitlement Management part of Microsoft Graph.


Azure Active Directory User and Group capabilities on Azure Mobile General Availability

Service category: Azure Mobile App
Product capability: End User Experiences

The Azure Mobile app now includes a section for Azure Active Directory. Within Azure Active Directory on mobile, users can search for and view details about users and groups. Additionally, permitted users can invite guest users to their active tenant, assign group memberships and ownerships for users, and view user sign-in logs.


Restricted Management Administrative Units Public Preview

Service category: Directory Management
Product capability: Access Control

Restricted Management Administrative Units (AUs) allow you to restrict modification of users, security groups, and devices in Azure AD so that only designated administrators can make changes. Global Administrators and other tenant-level administrators can't modify the users, security groups, or devices that are added to a restricted management AU.


Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Admins can now automate creating, updating, and deleting of user accounts for these newly integrated apps:


What's Changed

Report suspicious activity integrated with Identity Protection General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Report suspicious activity is an updated implementation of the MFA fraud alert, where users can report a voice or phone app MFA prompt as suspicious. If enabled, users who report a prompt have their user risk set to high, enabling admins to use Identity Protection risk-based policies or the risk detection APIs to take remediation actions. Report suspicious activity operates in parallel with the legacy MFA fraud alert at this time.
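The following is an added example, not code from the original post or from Microsoft. It shows what "using the risk detection APIs to take remediation actions" can look like in practice: it triages a constructed sample shaped like Microsoft Graph riskDetection objects (what `GET /identityProtection/riskDetections` returns), isolates the detections raised by a user's report that are still active and recent, groups them per account, and builds (without sending) the Graph remediation calls an admin's automation would issue. The `riskEventType` value used to identify a user report is an assumption; verify it against the riskDetection documentation for your tenant before relying on it. Sample data, user IDs and IP addresses are constructed.

```python
"""Triage Identity Protection risk detections raised by 'Report suspicious activity'.

Added example (not the page's or Microsoft's code). Runs offline on a constructed
sample in the shape of Graph riskDetection objects and builds, but does not send,
the Graph remediation requests.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed riskEventType that Identity Protection assigns to a user report;
# confirm against the riskDetection resource documentation for your tenant.
USER_REPORTED = "userReportedSuspiciousActivity"
# riskState values that still need attention (remediated/dismissed do not).
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}

# Constructed sample (trimmed riskDetection fields); not data from a real tenant.
SAMPLE_RISK_DETECTIONS = [
    {"id": "det-1", "riskEventType": USER_REPORTED, "riskLevel": "high",
     "riskState": "atRisk", "userId": "00000000-0000-0000-0000-000000000001",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "activityDateTime": "2023-06-12T08:15:00Z"},
    {"id": "det-2", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
     "riskState": "atRisk", "userId": "00000000-0000-0000-0000-000000000002",
     "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "activityDateTime": "2023-06-12T09:00:00Z"},
    {"id": "det-3", "riskEventType": USER_REPORTED, "riskLevel": "high",
     "riskState": "remediated", "userId": "00000000-0000-0000-0000-000000000003",
     "userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.22",
     "activityDateTime": "2023-06-11T17:40:00Z"},
    {"id": "det-4", "riskEventType": USER_REPORTED, "riskLevel": "high",
     "riskState": "atRisk", "userId": "00000000-0000-0000-0000-000000000001",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.11",
     "activityDateTime": "2023-06-12T08:20:00Z"},
]


def parse_graph_time(value: str) -> datetime:
    """Graph emits ISO 8601 with a trailing 'Z'; older Pythons reject 'Z' in fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed "current time" for the sample, so the lookback window is deterministic.
SAMPLE_NOW = parse_graph_time("2023-06-12T10:00:00Z")


def open_user_reports(detections, now, lookback_hours=24):
    """Detections from the report-suspicious-activity flow that are still active and recent."""
    cutoff = now - timedelta(hours=lookback_hours)
    return [d for d in detections
            if d["riskEventType"] == USER_REPORTED
            and d["riskState"] in ACTIVE_STATES
            and parse_graph_time(d["activityDateTime"]) >= cutoff]


def triage(detections, now, lookback_hours=24):
    """Group open user reports per account: report count, IPs seen, latest report time."""
    by_user = defaultdict(lambda: {"userId": None, "reports": 0,
                                   "ip_addresses": set(), "latest": None})
    for d in open_user_reports(detections, now, lookback_hours):
        entry = by_user[d["userPrincipalName"]]
        entry["userId"] = d["userId"]
        entry["reports"] += 1
        entry["ip_addresses"].add(d["ipAddress"])
        seen = parse_graph_time(d["activityDateTime"])
        if entry["latest"] is None or seen > entry["latest"]:
            entry["latest"] = seen
    return dict(by_user)


def build_remediation_requests(triaged):
    """Graph calls (method, path, JSON body) to confirm each reported account as
    compromised and revoke its refresh tokens; send them with your own Graph client."""
    requests = []
    user_ids = [entry["userId"] for entry in triaged.values()]
    if user_ids:
        requests.append(("POST", "/identityProtection/riskyUsers/confirmCompromised",
                         {"userIds": user_ids}))
    for uid in user_ids:
        requests.append(("POST", f"/users/{uid}/revokeSignInSessions", None))
    return requests


if __name__ == "__main__":
    result = triage(SAMPLE_RISK_DETECTIONS, SAMPLE_NOW)
    for upn, entry in result.items():
        print(f"{upn}: {entry['reports']} report(s) from {sorted(entry['ip_addresses'])}, "
              f"latest {entry['latest'].isoformat()}")
    for method, path, body in build_remediation_requests(result):
        print(method, path, body)
```

On the sample, only alice's two active reports survive the filter: bob's detection is a different risk event type and carol's report is already remediated, so the plan confirms one user as compromised and revokes that user's sessions. A risk-based Conditional Access user-risk policy reaches the same outcome without custom code; this script is the equivalent for teams that pull detections into their own SOAR or ticketing flow.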

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He is a Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander the Veeam Vanguard award.