Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for November 2017:

What’s Planned

Retiring ACS

Service Category: ACS
Product Capability: Access Control Service

Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) will be retired in late 2018. Further information, including a detailed schedule & high-level migration guidance, will be provided in the next few weeks. In the meantime, leave comments on this page with any questions regarding ACS, and a member of our team will help to answer.

Restrict browser access to the Intune managed browser

Service Category: Conditional Access
Product Capability: Identity Security & Protection

With this behavior, you will be able to restrict browser access to Office 365 and other Azure AD-connected cloud apps using the Intune Managed Browser as an approved app. Today, access is blocked when using this condition. When the preview of this behavior is available, all access will require the use of the managed browser application.

New approved client apps for Azure AD app-based conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The following apps are planned to be added to the list of approved client apps:

• Microsoft Kaizala
• Microsoft StaffHub

What’s New

Terms of Use support for multiple languages

Service Category: Terms of Use (ToU)
Product Capability: Governance/Compliance

Administrators can now create new terms of use (ToU) that contains multiple Portable Document Format (PDF) documents. You can tag these documents with a corresponding language. Users that fall in scope are shown the PDF with the matching language based on their preferences. If there is no match, the default language is shown.

Real-time password write-back client status

Service Category: Self-service Password Reset (SSPR)
Product Capability: User Authentication

You can now review the status of your on-premises password write-back client. This option is available in the On-premises integration section of the Password reset blade in the Azure Portal.

Azure AD app-based conditional access

Service Category: Azure AD
Product Capability: Identity Security & Protection

You can now restrict access to Office 365 and other Azure AD-connected cloud apps to approved client apps that support Intune App Protection policies using Azure AD app-based conditional access. Intune app protection policies are used to configure and protect company data on these client applications.

By combining app-based with device-based conditional access policies, you have the flexibility to protect data for personal and company devices.

Managing Azure AD devices in the Azure portal

Service Category: Device Registration and Management
Product Capability: Identity Security & Protection

You can now find all your devices connected to Azure AD and the device-related activities in one place. There is a new administration experience to manage all your device identities and settings in the Azure portal.

Support for macOS as device platform for Azure AD conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

You can now include (or exclude) macOS as device platform condition in your Azure AD conditional access policy. With the addition of macOS to the supported device platforms, you can:

• Enroll and manage MacOS devices using Intune
• Ensure MacOS devices adhere to your organization’s compliance policies defined in Intune
• Restrict access to applications in Azure AD to only compliance MacOS devices

NPS Extension for Azure MFA

Service Category: MFA
Product Capability: User Authentication

The Network Policy Server (NPS) extension for Azure MFA adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers. With the NPS extension, you can add phone call, text message, or phone app verification to your existing authentication flow without having to install, configure, and maintain new servers.

Restore or permanently remove deleted users

Service Category: User Management
Product Capability: Directory

In the Azure AD admin center, you can now:

• Restore a deleted user
• Permanently delete a user

You are no longer required to use PowerShell to this purpose.

What’s Changed

New approved client apps for Azure AD app-based conditional access

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The following apps have been added to the list of approved client apps:

• Microsoft Planner
• Microsoft Azure Information Protection

Ability to 'OR' between controls in a conditional access policy

Service Category: Conditional Access
Product Capability: Identity Security & Protection

The ability to 'OR' (Require one of the selected controls) conditional access controls has been released. This feature enables you to create policies with an OR between access controls. For example, you can use this feature to create a policy that requires a user to sign in using multi-factor authentication OR to be on a compliant device.

Aggregation of real-time risk events

Service Category: Identity Protection
Product Capability: Identity Security & Protection

To improve your administration experience, in Azure AD Identity Protection, all real-time risk events that were originated from the same IP address on a given day are now aggregated for each risk event type. This change limits the volume of risk events shown without any change in the user security.

The underlying real-time detection works each time the user logs in. If you have a sign-in risk security policy setup to MFA or block access, it is still triggered during each risky sign-in.