Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, more efficient IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for June 2018:
Security fix to the delegated authorization flow for apps using Azure AD Activity Logs API
Service category: Monitoring & Reporting
Product capability: Reporting
Due to our stronger security enforcement, we’ve had to make a change to the permissions for apps that use a delegated authorization flow to access Azure AD Activity Logs APIs. This change will occur by June 26, 2018.
If any of your apps use Azure AD Activity Log APIs, update your app permissions to ensure the app doesn’t break after the change happens.
Configure TLS settings to connect to Azure AD services for PCI DSS compliance
Service category: New feature
Product capability: Platform
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications and is the most widely deployed security protocol used today.
The PCI Security Standards Council has determined that early versions of TLS and Secure Sockets Layer (SSL) must be disabled in favor of newer, more secure protocol versions, with compliance required from June 30, 2018. This means that if you connect to Azure AD services and require PCI DSS compliance, you must disable TLS 1.0. Multiple versions of TLS are available, but TLS 1.2 is the latest version supported by Azure AD services. Microsoft highly recommends moving directly to TLS 1.2 for both client/server and browser/server combinations.
Out-of-date browsers might not support newer TLS versions, such as TLS 1.2. To see which versions of TLS are supported by your browser, go to the Qualys SSL Labs site and click Test your browser. Microsoft recommends you upgrade to the latest version of your web browser and preferably enable only TLS 1.2.
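The recommendation above is easy to state and easy to get wrong on a Windows client: PowerShell modules and other .NET Framework applications do not automatically pick TLS 1.2 on older builds, so they keep negotiating TLS 1.0 with Azure AD until the process or the OS is told otherwise. The script below is an added example (it is not from Microsoft's release notes) that pins the current session to TLS 1.2, makes .NET Framework 4.x follow the OS protocol defaults, disables TLS 1.0 and 1.1 for the SCHANNEL client role, and then reports what the host actually negotiates with Azure AD's sign-in endpoint. The host name `login.microsoftonline.com` is the Azure AD sign-in endpoint; the registry paths and value names are Microsoft's documented SCHANNEL and .NET settings.

```powershell
# Added example, not from the Azure AD release notes. Run in an elevated PowerShell
# session; the .NET values apply to new processes, the SCHANNEL values after a reboot.

# 1. Current session only: force the .NET stack used by the AzureAD/MSOnline modules
#    and by Invoke-RestMethod to offer TLS 1.2 instead of the legacy default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 2. Persistent: make every .NET Framework 4.x application use the OS default
#    (strong) protocol set rather than its own hard-coded TLS 1.0 preference.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $netKeys) {
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name 'SchUseStrongCrypto'       -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
    }
}

# 3. Persistent: disable TLS 1.0 and 1.1 for the SCHANNEL client role, which is what
#    outbound connections to Azure AD use. (The Server subkey follows the same pattern
#    but is left alone here so services hosted on this machine are not affected.)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $schannel "$proto\Client"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
}

# 4. Verify: open a TLS session to the Azure AD sign-in endpoint with the protocols the
#    OS now allows and report the negotiated version. Anything below Tls12 means the
#    host is still a PCI DSS problem.
function Get-NegotiatedTlsVersion {
    param(
        [string]$HostName = 'login.microsoftonline.com',
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # validates the server certificate too
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            CipherSuite = "$($ssl.CipherAlgorithm)/$($ssl.HashAlgorithm)"
        }
    }
    finally {
        $tcp.Close()
    }
}

Get-NegotiatedTlsVersion
```

Run the verification function on its own (without steps 2 and 3) first to see what a host negotiates today; a result of `Tls` or `Tls11` is the condition this release note is warning about. Group Policy or a configuration-management tool is the right vehicle for steps 2 and 3 across a fleet; the script is the per-host form of the same settings.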
New Federated Apps available in Azure AD app gallery
Service category: Enterprise Apps
Product capability: Third-party Integration
In June 2018, Microsoft added 15 new apps with Federation support to the Azure Active Directory app gallery, including:
- Settling music
- SAML 1.1 Token enabled LOB App
- Endpoint Backup
- Skyhigh Networks
- Zoho One
- SharePoint on-premises
- ForeSee CX Suite
Azure AD Password Protection is available in public preview
Service category: Identity Protection
Product capability: User Authentication
Use Azure AD Password Protection to help eliminate easily guessed passwords from your environment. Eliminating these passwords lowers the risk of compromise from a password spray attack, in which an attacker tries a short list of common passwords against many accounts.
Specifically, Azure AD Password Protection helps you:
- Protect your organization's accounts in both Azure AD and Windows Server Active Directory (AD).
- Stop your users from choosing passwords on a list of more than 500 of the most commonly used passwords, and over 1 million character-substitution variations of those passwords.
- Administer Azure AD Password Protection from a single location in the Azure AD portal, for both Azure AD and on-premises Windows Server AD.
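The "character-substitution variations" claim is the interesting part: a banned list of 500 words only helps if `P@$$w0rd!` is treated as `password`. The script below is an added illustration of that idea and is not Microsoft's code; its five-entry list, its substitution map and its scoring threshold are assumptions chosen for the demo, and Azure AD's real global list and exact matching rules are not reproduced here. It normalizes a candidate password, checks it against the global list plus tenant-specific terms (the custom banned list the service lets you add), and rejects candidates that are little more than a banned word.

```powershell
# Added illustration, not Microsoft's implementation. The list, substitution map and
# scoring rule below are assumptions for the demo.

# Constructed sample of a "global" banned list (the real one has 500+ entries).
$BannedPasswords = @('password', 'summer', 'welcome', 'letmein', 'qwerty')

# Substitutions users make and attackers expect; "P@$$w0rd" normalizes to "password".
$Substitutions = @{ '@' = 'a'; '$' = 's'; '0' = 'o'; '1' = 'l'; '3' = 'e'; '!' = 'i' }

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    $chars = $Password.ToLowerInvariant().ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($Substitutions.ContainsKey($c)) { $Substitutions[$c] } else { $c }
    }
    -join $chars
}

function Test-BannedPassword {
    # Returns the normalized form, the banned terms found in it, a score and a verdict.
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$CustomBanned = @()      # tenant-specific terms, e.g. company name
    )
    $normalized = ConvertTo-NormalizedPassword -Password $Password
    $hits = @()
    foreach ($term in ($BannedPasswords + $CustomBanned)) {
        if ($normalized.Contains($term.ToLowerInvariant())) { $hits += $term }
    }
    # Assumed scoring rule: each banned term found counts as one character, every other
    # character counts as one; a total under 5 means the password is essentially just a
    # banned word with decoration, so it is rejected.
    $remaining = $normalized
    foreach ($term in $hits) { $remaining = $remaining.Replace($term.ToLowerInvariant(), '') }
    $score = $hits.Count + $remaining.Length
    [pscustomobject]@{
        Password   = $Password
        Normalized = $normalized
        BannedHits = ($hits -join ',')
        Score      = $score
        Rejected   = ($score -lt 5)
    }
}

# Constructed candidates: the first three are substitution variants of banned terms,
# the last is an unrelated passphrase that should pass.
$candidates = 'P@$$w0rd!', 'F@brik@m1', 'Summer2018', 'Tr0ub4dor&3-orchestra'
$candidates | ForEach-Object { Test-BannedPassword -Password $_ -CustomBanned 'fabrikam' } |
    Format-Table Password, Normalized, BannedHits, Score, Rejected -AutoSize
```

Walking through the output by hand is the point of the example: `P@$$w0rd!` and `F@brik@m1` normalize to a banned term plus one character and are rejected, `Summer2018` normalizes to `summer2ol8` and sits exactly on the assumed threshold, and the passphrase contains no banned term at all. Where that threshold sits, and which substitutions count, is exactly what a tenant cannot tune for the cloud service, which is why the custom list of organization-specific terms matters.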
Product capability: Governance
- A new conditional access policy template is also created for "all guests" and "all apps". This new policy template applies the newly created terms of use (ToU), streamlining the creation and enforcement process for guests.
- A new "custom" conditional access policy template is also created. This new policy template lets you create the ToU and then go straight to the conditional access policy creation blade, without manually navigating through the portal.
Azure AD delegated app management roles are in public preview
Type: New feature
Service category: Enterprise Apps
Admins can now delegate app management tasks without assigning the Global Administrator role, which reduces the number of accounts that hold tenant-wide privileges. The new roles and capabilities are:
- New standard Azure AD admin roles:
  - Application Administrator. Grants the ability to manage all aspects of all apps, including registration, SSO settings, app assignments and licensing, Application Proxy settings, and consent (except to Azure AD resources).
  - Cloud Application Administrator. Grants all of the Application Administrator abilities, except for Application Proxy, because the role does not provide on-premises access.
  - Application Developer. Grants the ability to create app registrations, even if the "Users can register applications" option is turned off.
- Ownership (set up per app registration and per enterprise app, similar to the group ownership process):
  - App Registration Owner. Grants the ability to manage all aspects of an owned app registration, including the app manifest and adding additional owners.
  - Enterprise App Owner. Grants the ability to manage many aspects of an owned enterprise app, including SSO settings, app assignments, and consent (except to Azure AD resources).
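Two practical consequences of these roles are worth showing in code: a directory role such as Cloud Application Administrator is inert in a tenant until it has been activated once from its template, and per-app ownership has two halves (the app registration and its enterprise app / service principal) that must both be granted. The script below is an added example using the AzureAD PowerShell module, not Microsoft's own sample; the user principal names and the app display name are placeholders, and it must be run by an account that can manage directory roles, such as a Global Administrator or Privileged Role Administrator.

```powershell
# Added example, not from the release notes. Requires the AzureAD module and a signed-in
# account that can assign directory roles. UPNs and the app name are placeholders.
Import-Module AzureAD
Connect-AzureAD

function Grant-AppAdminRole {
    # Assigns one of the new app-management roles instead of Global Administrator.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Application Administrator', 'Cloud Application Administrator', 'Application Developer')]
        [string]$RoleName = 'Cloud Application Administrator'
    )
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Get-AzureADDirectoryRole lists only roles already activated in this tenant;
    # activate from the template the first time a role is used.
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }

    $already = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object ObjectId -eq $user.ObjectId
    if (-not $already) {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    }
    $role.DisplayName
}

function Grant-AppOwnership {
    # Scopes a user to a single app: owner of the registration AND of the enterprise app.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AppDisplayName
    )
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $app  = Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'"
    if (@($app).Count -ne 1) { throw "Expected exactly one app named '$AppDisplayName'" }
    $sp   = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"

    Add-AzureADApplicationOwner      -ObjectId $app.ObjectId -RefObjectId $user.ObjectId
    Add-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId  -RefObjectId $user.ObjectId
}

# Cloud-only app admin: everything except Application Proxy (no on-premises reach).
Grant-AppAdminRole -UserPrincipalName 'app.admin@contoso.example' -RoleName 'Cloud Application Administrator'

# Developer limited to one app rather than holding any tenant-wide role.
Grant-AppOwnership -UserPrincipalName 'dev@contoso.example' -AppDisplayName 'Contoso Expense App'

# Review: who holds app-management roles now? This list should stay short.
Get-AzureADDirectoryRole | Where-Object DisplayName -like '*Application*' | ForEach-Object {
    $r = $_
    Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId |
        Select-Object @{ n = 'Role'; e = { $r.DisplayName } }, UserPrincipalName
}
```

The review query at the end is the part to keep running: the value of these roles is that Global Administrator membership can shrink, and that only holds if the new roles are themselves reviewed rather than handed out as freely as the old one was.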