What's New in Entra ID (Azure Active Directory) for August 2023


Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes, and improved security and compliance. In its Release Notes for Entra ID and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for August 2023:


What's New

Tenant Restrictions v2 General Availability

Service category: Authentications (Sign-ins)
Product capability: Identity Security & Protection

v2 of the Tenant Restrictions functionality is now generally available for the authentication plane via proxy. It allows organizations to enable safe and productive cross-company collaboration while containing data exfiltration risk. Admins can control which external tenants people in the organization can access from the organization's devices or network using externally issued identities, and can apply granular access control on a per-organization, user, group, and application basis.

v2 of the Tenant Restrictions functionality uses the cross-tenant access policy, and offers both authentication and data plane protection. It enforces policies during user authentication, and on data plane access with:

  • Exchange Online
  • SharePoint Online
  • Teams
  • MSGraph

Note:
While data plane support with Windows Group Policy and Global Secure Access is still in public preview, authentication plane support with proxy is now generally available.
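Because authentication-plane enforcement depends on the corporate proxy injecting the Tenant Restrictions v2 header on outbound sign-in traffic, a defender will want to verify that the injection actually happens. The following is an added example, not code from the original post or from Microsoft: it audits constructed proxy log lines for sign-in requests that leave the network without a correct header. The header name `sec-Restrict-Tenant-Access-Policy` and its `<home tenant id>:<policy id>` value format come from Microsoft's tenant restrictions v2 documentation, not from this page; the log layout, IP addresses and GUIDs are constructed placeholders.

```python
import re

# Header the proxy must inject on Entra sign-in traffic to enforce TRv2 on the
# authentication plane. Value format: "<home tenant id>:<tenant restrictions policy id>".
TRV2_HEADER = "sec-restrict-tenant-access-policy"
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
VALUE_RE = re.compile(rf"^({GUID}):({GUID})$", re.IGNORECASE)

# Entra sign-in endpoints that must carry the header when they leave the network.
AUTH_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Constructed proxy log (assumed layout): "<time> <client ip> <host> <header=value>...".
SAMPLE_LOG = """\
2023-08-15T09:01:02Z 10.0.0.11 login.microsoftonline.com sec-Restrict-Tenant-Access-Policy=11111111-1111-1111-1111-111111111111:22222222-2222-2222-2222-222222222222
2023-08-15T09:01:05Z 10.0.0.12 login.microsoftonline.com user-agent=Mozilla/5.0
2023-08-15T09:01:09Z 10.0.0.13 login.windows.net sec-Restrict-Tenant-Access-Policy=not-a-guid
2023-08-15T09:01:12Z 10.0.0.14 login.microsoft.com sec-Restrict-Tenant-Access-Policy=99999999-9999-9999-9999-999999999999:22222222-2222-2222-2222-222222222222
2023-08-15T09:01:15Z 10.0.0.15 graph.microsoft.com authorization=Bearer-redacted
"""


def classify(host: str, headers: dict, expected_tenant: str) -> str:
    """Return 'ok', 'not_auth', 'missing', 'malformed' or 'wrong_tenant' for one request."""
    if host.lower() not in AUTH_HOSTS:
        return "not_auth"       # data-plane traffic is not covered by the proxy header
    value = next((v for k, v in headers.items() if k.lower() == TRV2_HEADER), None)
    if value is None:
        return "missing"        # proxy did not inject the header: policy is not enforced
    m = VALUE_RE.match(value.strip())
    if not m:
        return "malformed"      # badly formed value cannot name a tenant and policy
    if m.group(1).lower() != expected_tenant.lower():
        return "wrong_tenant"   # header names a home tenant other than ours
    return "ok"


def audit(log_text: str, expected_tenant: str) -> list:
    """Return (client ip, host, verdict) for each sign-in request that is not enforced."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        _, client, host, *kv = fields
        headers = dict(p.split("=", 1) for p in kv if "=" in p)
        verdict = classify(host, headers, expected_tenant)
        if verdict not in ("ok", "not_auth"):
            findings.append((client, host, verdict))
    return findings
```

Running `audit(SAMPLE_LOG, "11111111-1111-1111-1111-111111111111")` reports the three sign-in requests that left the network without a valid header for the expected home tenant.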


Continuous Access Evaluation for Workload Identities available in Public and Gov clouds General Availability

Service category: Continuous Access Evaluation
Product capability: Identity Security & Protection

Real-time enforcement of risk events, revocation events, and Conditional Access location policies is now generally available for workload identities. Service principals of line-of-business (LoB) applications are now protected on access requests to Microsoft Graph.


Real-Time Strict Location Enforcement Public Preview

Service category: Continuous Access Evaluation
Product capability: Access Control

With real-time strict location enforcement, admins can strictly enforce Conditional Access policies in real time, using Continuous Access Evaluation, towards services like Microsoft Graph, Exchange Online, and SharePoint Online. This blocks access requests from disallowed locations as part of a layered defense against token replay and other unauthorized access.


Cross-tenant access settings supports custom RBAC roles and protected actions Public Preview

Service category: Business to Business (B2B)
Product capability: External Collaboration

Cross-tenant access settings can now be managed with custom roles defined by your organization. This enables admins to define finely scoped roles for managing cross-tenant access settings instead of using one of the built-in roles. Admins can also now protect privileged actions inside cross-tenant access settings using Conditional Access. For example, admins can require multi-factor authentication (MFA) before allowing changes to the default settings for Business to Business (B2B) collaboration.


Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Entra ID Application Gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:


What's Changed

Additional settings in Entitlement Management auto-assignment policy General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

The Entra ID Governance entitlement management auto-assignment policy gains three new settings. These allow an organization to choose to:

  • not have the policy create assignments
  • not remove assignments
  • delay assignment removal


Setting for guest losing access Public Preview

Service category: Entitlement Management
Product capability: Entitlement Management

An admin can configure that a guest brought in through entitlement management is deleted a specified number of days after losing their last access package assignment.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He is a Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander the Veeam Vanguard award.