What’s New in Azure Active Directory for March 2018


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for March 2018:

 

What’s New

Twitter and GitHub identity providers in Azure AD B2C

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

You can now add Twitter or GitHub as an identity provider in Azure AD B2C. Twitter is moving from public preview to General Availability (GA). GitHub is being released in public preview.

 

Restrict browser access using Intune Managed Browser with Azure AD application-based conditional access for iOS and Android

Service category: Conditional Access
Product capability: Identity Security & Protection

The Intune Managed Browser SSO is now in preview. Employees can use single sign-on across native clients (like Microsoft Outlook) and the Intune Managed Browser for all Azure AD-connected apps.

Intune Managed Browser Conditional Access Support is now in preview. Admins can now require employees to use the Intune Managed Browser using application-based conditional access policies.

 

App Proxy Cmdlets in PowerShell GA Module

Service category: App Proxy
Product capability: Access Control

The Application Proxy PowerShell Cmdlets are now part of the generally available (GA) Azure Active Directory PowerShell Module.

  

Office 365 native clients are supported by Seamless SSO using a non-interactive protocol

Service category: Authentications (Logins)
Product capability: User Authentication

People using Office 365 native clients get a silent sign-on experience using Seamless SSO. This support is provided by the addition of WS-Trust (a non-interactive protocol) to Azure Active Directory.

This applies to Office installation versions 16.0.8730.xxxx and above, that is, to organizations using the targeted Semi-Annual Channel since January 17, 2018, or Monthly Channel releases of Office since March 13, 2018.

   

Users get a silent sign-on experience, with Seamless SSO, if an application sends sign-in requests to Azure AD's tenanted endpoints

Service category: Authentications (Logins)
Product capability: User Authentication

People get a silent sign-on experience, with Seamless SSO, if an application (for example, https://contoso.sharepoint.com) sends sign-in requests to Azure AD's tenanted endpoints – that is, https://login.microsoftonline.com/contoso.com/ or https://login.microsoftonline.com/<tenant_ID>/ – instead of Azure AD's common endpoint (https://login.microsoftonline.com/common/).

 

Adding Optional Claims to your apps tokens (public preview)

Service category: Authentications (Logins)
Product capability: User Authentication

Your Azure AD app can now request custom or optional claims in JWTs or SAML tokens. These are claims about the user or tenant that are not included by default in the token, due to size or applicability constraints. This is currently in public preview for Azure AD apps on the v1.0 and v2.0 endpoints. See the documentation for information on what claims can be added and how to edit your application manifest to request them.

 

Azure AD supports PKCE for more secure OAuth flow

Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD docs have been updated to note support for Proof Key for Code Exchange (PKCE) as described in RFC 7636, which allows for more secure communication during the OAuth 2.0 Authorization Code grant flow. Both S256 and plaintext code_challenges are supported on the v1.0 and v2.0 endpoints.
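The PKCE exchange from RFC 7636, shown from both sides, as an added example that is not code from Microsoft or from the release notes: the client derives the `code_challenge` it sends with the authorization request, and the token endpoint checks the `code_verifier` presented with the code. The function names are illustrative; `plain` is the RFC's method name for the plaintext challenge, and the sample pair is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: value sent as code_challenge in the authorization request."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # challenge equals verifier: no protection if the request leaks
    raise ValueError("unsupported code_challenge_method")


def verify(verifier: str, stored_challenge: str, method: str) -> bool:
    """Server side: run at the token endpoint before redeeming the code."""
    try:
        expected = code_challenge(verifier, method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())


# Test vector from RFC 7636 Appendix B (not a value from this page).
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    v = new_code_verifier()
    print("code_verifier: ", v)
    print("code_challenge:", code_challenge(v))
    print("RFC vector ok: ", verify(RFC_VERIFIER, RFC_CHALLENGE, "S256"))
```

With S256 the authorization request carries only the hash, so an intercepted authorization code cannot be redeemed without the verifier held by the client that started the flow.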

 

New Federated Apps available in Azure AD App gallery

In March 2018, the Active Directory team added the following 15 new apps with Federation support to the Azure Active Directory App gallery:

 

PIM for Azure Resources is generally available (GA)

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

If you are using Azure AD Privileged Identity Management (PIM) for directory roles, you can now use PIM's time-bound access and assignment capabilities for Azure Resource roles such as Subscriptions, Resource Groups, Virtual Machines, and any other resource supported by Azure Resource Manager. Enforce Multi-Factor Authentication when activating roles Just-In-Time, and schedule activations in coordination with approved change windows.

In addition, this release adds enhancements not available during public preview including an updated UI, approval workflows, and the ability to extend roles expiring soon and renew expired roles.

 

Support for provisioning all user attribute values available in the Workday Get_Workers API

Service category: App Provisioning
Product capability: 3rd Party Integration

The public preview of inbound provisioning from Workday to Active Directory and Azure AD now supports extracting and provisioning all attribute values available in the Workday Get_Workers API. This adds support for hundreds of additional standard and custom attributes beyond the ones shipped with the initial version of the Workday inbound provisioning connector.

  

Changing group membership from dynamic to static, and vice versa

Service category: Group Management
Product capability: Collaboration

It is now possible to change how membership is managed in a group. This is useful when you want to keep the same group name and ID in the system, so any existing references to the group are still valid; creating a new group would require updating those references. We've updated the Azure AD Admin center to add support for this functionality. Now, customers can convert existing groups from dynamic membership to assigned membership and vice-versa. The existing PowerShell Cmdlets are also still available.

What’s Changed

Improved sign-out behavior with Seamless SSO

Service category: Authentications (Logins)
Product capability: User Authentication

Previously, even if users explicitly signed out of an application secured by Azure AD, they would be automatically signed back in using Seamless SSO if they were trying to access an Azure AD application again within their corpnet from their domain-joined devices. With this change, sign-out is supported. This allows users to choose the same or a different Azure AD account to sign back in with, instead of being automatically signed in using Seamless SSO.

   

Application Proxy Connector Version 1.5.402.0

Service category: App Proxy
Product capability: Identity Security & Protection

Application Proxy Connector Version 1.5.402.0 is gradually being rolled out. This new connector version includes the following changes:

  • The connector now sets domain level cookies instead of cookies on the sub-domain level. This ensures a smoother SSO experience and avoids redundant authentication prompts.
  • Support for chunked encoding requests
  • Improved connector health monitoring
  • Several bug fixes and stability improvements

   

What’s Fixed

Certificate expire notification

Service category: Enterprise Apps
Product capability: SSO

Azure Active Directory sends a notification when a certificate for a gallery or non-gallery application is about to expire.

Some organizations did not receive notifications for enterprise applications configured for SAML-based single sign-on. This issue was resolved. Azure Active Directory sends notifications for certificates expiring in 7, 30 and 60 days. You are able to see this event in the audit logs.

One Response to What’s New in Azure Active Directory for March 2018

  1. With ‘Seamless SSO’ I presume you/MS mean the Seamless SSO option we can select in the AD Connect wizard? Do you perhaps know if PTA with Seamless SSO now supports SSO activation of Office 365 ProPlus when shared activation is used? This only worked as real SSO with ADFS.
