What's New in Entra ID for March 2024


Microsoft Entra ID

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes, and improved security and compliance. In its Release Notes for Entra ID and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for March 2024:


What's Planned

Conditional Access location condition is moving up

Starting mid-April 2024, the Conditional Access Locations condition is moving up. Locations will become the Network assignment, with the new Global Secure Access assignment All compliant network locations.

This change will occur automatically, and admins won’t need to take any action.

  • The familiar Locations condition is unchanged. Updating the policy in the Locations condition will be reflected in the Network assignment, and vice versa.
  • There are no functionality changes, so existing policies will continue to work without modification.


What's New

TLS 1.3 support for Microsoft Entra Generally Available

Service category: Other
Product capability: Platform

Microsoft is excited to announce that Microsoft Entra is rolling out support for Transport Layer Security (TLS) 1.3 for its endpoints, to align with security best practices (NIST SP 800-52 Rev. 2). With this change, the Microsoft Entra ID related endpoints will support both the TLS 1.2 and TLS 1.3 protocols.
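The practical question for an administrator is how to verify what an endpoint actually negotiates. The following check is an added example, not code from the post or from Microsoft: it pins a handshake to one protocol version at a time and then compares the outcome with the policy the announcement describes (TLS 1.2 and 1.3 offered, nothing older). `login.microsoftonline.com` is used only as a familiar target in the usage block; the `evaluate` policy function is an assumption of this example and runs offline.

```python
"""Probe which TLS versions a host accepts and compare with a 1.2/1.3-only policy."""
import socket
import ssl

# Candidate versions, oldest to newest (ssl.TLSVersion exists on Python 3.7+).
VERSIONS = {
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_with_version(host, name, port=443, timeout=5.0):
    """Return True if `host` completes a handshake pinned to exactly `name`,
    False if it refuses, the connection fails, or the local OpenSSL build
    cannot offer that version at all."""
    version = VERSIONS[name]
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # version not available in the local OpenSSL
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    """Map every candidate version name to whether the host accepted it."""
    return {name: handshake_with_version(host, name, port) for name in VERSIONS}


def evaluate(results, required=("TLSv1.2", "TLSv1.3"), forbidden=("TLSv1", "TLSv1.1")):
    """Compare a probe result with the policy: required versions must be
    accepted, deprecated ones must be refused. Returns a list of findings;
    an empty list means the endpoint matches the policy."""
    findings = []
    for name in required:
        if not results.get(name):
            findings.append(f"missing required {name}")
    for name in forbidden:
        if results.get(name):
            findings.append(f"accepts deprecated {name}")
    return findings


if __name__ == "__main__":
    host = "login.microsoftonline.com"
    results = probe(host)
    for name, ok in results.items():
        print(f"{host}: {name:8s} {'accepted' if ok else 'refused'}")
    print("findings:", evaluate(results) or "none")
```

Because `evaluate` is separated from the network probe, the same policy check can be run over results gathered by another tool, and the refused/accepted matrix is what you would record as evidence of the endpoint's state before and after the rollout.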


Changing Passwords in My Security Info Generally Available

Service category: My Security Info
Product capability: End User Experiences

The My Sign-Ins portal now supports end users changing their passwords inline. When a person authenticates with a password and a multi-factor authentication (MFA) credential, they're able to change their password without entering their existing password. Starting April 1st 2024, through a phased rollout, traffic from the Change password (windowsazure.com) portal will redirect to the new My Sign-Ins change experience. The Change password (windowsazure.com) portal will no longer be available after June 2024, but will continue to redirect to the new experience.


Service category: App Provisioning
Product capability: 3rd Party Integration

We added the following new applications to our App gallery with provisioning support. You can now automate creating, updating, and deleting user accounts for these newly integrated apps:


API driven inbound provisioning Generally Available

Service category: Provisioning
Product capability: Inbound to Microsoft Entra ID

With API-driven inbound provisioning, the Microsoft Entra ID provisioning service now supports integration with any system of record. Organizations can use any automation tool of their choice to retrieve workforce data from any system of record for provisioning into Microsoft Entra ID and connected on-premises Active Directory environments. The admin has full control over how the data is processed and transformed with attribute mappings. Once the workforce data is available in Microsoft Entra ID, the admin can configure appropriate joiner-mover-leaver (JML) business processes using Microsoft Entra ID Governance Lifecycle Workflows.
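What the "automation tool of your choice" actually has to produce is a SCIM 2.0 bulk request. The block below is an added example written for this post, not Microsoft's code: it turns rows from a system of record into a SCIM `BulkRequest`, rejects rows that lack the `employeeId` that becomes the SCIM `externalId` (the join key the provisioning service matches on), and validates the payload before upload. The HR rows are constructed sample data; the `bulkUpload` endpoint path, the `application/scim+json` content type and the 50-operation limit are taken from Microsoft's documentation for this feature as this example understands it, and should be verified against the current docs before use.

```python
"""Build and validate a SCIM BulkRequest for Entra ID API-driven inbound provisioning."""
import json
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
MAX_OPERATIONS = 50  # assumed per-request limit from Microsoft's documentation

# Constructed sample rows standing in for an HR export; not real people.
HR_ROWS = [
    {"employeeId": "10001", "givenName": "Ada", "surname": "Example",
     "email": "ada@contoso.example", "department": "Engineering", "active": True},
    {"employeeId": "10002", "givenName": "Bo", "surname": "Example",
     "email": "bo@contoso.example", "department": "Finance", "active": False},
    {"employeeId": "", "givenName": "Nameless", "surname": "Row",
     "email": "nobody@contoso.example", "department": "Unknown", "active": True},
]


def row_to_scim_user(row):
    """Map one HR row to a SCIM User resource with the enterprise extension.
    Raises ValueError when the row has no usable externalId."""
    if not row.get("employeeId"):
        raise ValueError("missing employeeId (externalId)")
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": row["employeeId"],
        "userName": row["email"],
        "active": bool(row["active"]),
        "name": {"givenName": row["givenName"], "familyName": row["surname"]},
        "emails": [{"primary": True, "type": "work", "value": row["email"]}],
        SCIM_ENTERPRISE: {"employeeNumber": row["employeeId"],
                          "department": row["department"]},
    }


def build_bulk_request(rows):
    """Return (bulk_request, rejected_rows). Each accepted row becomes one
    POST /Users operation with a unique bulkId so failures can be correlated."""
    operations, rejected = [], []
    for row in rows:
        try:
            user = row_to_scim_user(row)
        except ValueError as err:
            rejected.append((row.get("employeeId", ""), str(err)))
            continue
        operations.append({"method": "POST", "bulkId": str(uuid.uuid4()),
                           "path": "/Users", "data": user})
    return {"schemas": [SCIM_BULK], "Operations": operations, "failOnErrors": None}, rejected


def validate_bulk_request(req, max_ops=MAX_OPERATIONS):
    """Return a list of problems; empty means the payload is safe to send."""
    problems = []
    ops = req.get("Operations", [])
    if req.get("schemas") != [SCIM_BULK]:
        problems.append("wrong top-level schema")
    if len(ops) > max_ops:
        problems.append(f"{len(ops)} operations exceeds limit of {max_ops}")
    seen = set()
    for op in ops:
        if op["bulkId"] in seen:
            problems.append(f"duplicate bulkId {op['bulkId']}")
        seen.add(op["bulkId"])
        if not op["data"].get("externalId"):
            problems.append("operation without externalId")
    return problems


def prepare_upload(service_principal_id, job_id, token, req):
    """Assemble the HTTP call for the provisioning job's bulkUpload endpoint
    (assumed path; nothing is sent here). Returns (url, headers, body)."""
    url = (f"https://graph.microsoft.com/v1.0/servicePrincipals/{service_principal_id}"
           f"/synchronization/jobs/{job_id}/bulkUpload")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"}
    return url, headers, json.dumps(req)


if __name__ == "__main__":
    request, rejected = build_bulk_request(HR_ROWS)
    print(f"{len(request['Operations'])} operations, {len(rejected)} rejected: {rejected}")
    print("problems:", validate_bulk_request(request) or "none")
    url, headers, body = prepare_upload("<sp-id>", "<job-id>", "<token>", request)
    print(url, len(body), "bytes")
```

Keeping the rejected rows as a separate return value matters operationally: a row that is silently dropped at this stage is a joiner who never gets an account, and a row whose `externalId` is wrong can match (and overwrite) someone else's object, so both lists belong in the automation's log.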


Just-in-time application access with PIM for Groups Generally Available

Service category: Privileged Identity Management (PIM)
Product capability: Privileged Identity Management (PIM)

Organizations can provide just-in-time access to non-Microsoft applications such as Amazon Web Services (AWS) and Google Cloud Platform (GCP). This capability integrates Privileged Identity Management (PIM) for groups with application provisioning, reducing the activation time from 40+ minutes to roughly 2 minutes when requesting just-in-time access to a role in a non-Microsoft app.


Convert external users to internal Public Preview

Service category: User Management
Product capability: User Management

External user conversion enables customers to convert external users to internal members without needing to delete and create new user objects. Maintaining the same underlying object ensures the user’s account, and access to resources, isn’t disrupted and that their history of activities remains intact as their relationship with the host organization changes.

The external to internal user conversion feature includes the ability to convert on-premises synchronized users as well.


Azure Lockbox Approver Role for Subscription Scoped Requests Public Preview

Service category: Other
Product capability: Identity Governance

Customer Lockbox for Microsoft Azure is launching a new built-in Azure role-based access control (RBAC) role that enables organizations to use a lesser-privileged role for the people responsible for approving or rejecting Customer Lockbox requests. This feature targets the admin workflow in which a Lockbox approver acts on a request from a Microsoft Support engineer to access Azure resources in the Azure subscription.

In this first phase, Microsoft is launching a new built-in Azure RBAC role that scopes down the access available to an individual with Azure Customer Lockbox approver rights on a subscription and its resources. A similar role for tenant-scoped requests will follow in subsequent releases.


Alternate Email Notifications for Lockbox Requests Public Preview

Service category: Other
Product capability: Access Control

Customer Lockbox for Microsoft Azure is launching a new feature that enables organizations to use alternate email addresses for receiving Lockbox notifications. This lets organizations with Lockbox receive notifications in scenarios where their Azure account isn't email-enabled, or where a service principal is defined as the tenant admin or subscription owner.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He has been awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander the Veeam Vanguard award.