What’s New in Azure Active Directory for September 2018

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for September 2018:


What’s New

Simplified SSO configuration settings for some third-party apps

Service category: Enterprise Apps
Product capability: Single Sign-On

Setting up Single Sign-On (SSO) for Software as a Service (SaaS) apps can be challenging because each app's configuration is unique. The Azure Active Directory team has built a simplified configuration experience that auto-populates the SSO configuration settings for the following third-party SaaS apps:

  • Zendesk
  • ArcGIS Online
  • Jamf Pro


Support for additional claims transformations methods

Service category: Enterprise Apps
Product capability: Single Sign-On

We’ve introduced new claim transformation methods, ToLower() and ToUpper(), which can be applied to the claims issued in SAML tokens from the SAML-based Single Sign-On Configuration page.


New deployment plan available for the My Apps Access panel

Service category: My Apps
Product capability: Single Sign-On

Deployment plans walk through the business value, planning considerations, design, and operational procedures needed to successfully roll out a few of the more common Azure AD capabilities.

Check out the new deployment plan that’s available for the My Apps Access panel. The My Apps Access panel provides users with a single place to find and access their apps. This portal also provides users with self-service opportunities, such as requesting access to apps and groups, or managing access to these resources on behalf of others.


Troubleshooting and Support tab on the Sign-ins Logs page

Service category: Reporting
Product capability: Monitoring & Reporting

The new Troubleshooting and Support tab on the Sign-ins page of the Azure portal is intended to help admins and support engineers troubleshoot issues related to Azure AD sign-ins. The tab shows the error code, the error message, and remediation recommendations (if any) for the selected sign-in. If you can’t resolve the problem, the portal also gives you a new way to create a support ticket: a Copy to clipboard experience that populates the Request ID and Date (UTC) fields for the log entry in your support ticket.
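To go with the fields the tab surfaces, an added example (not code from the release notes or from Microsoft): a script that triages an exported set of sign-in records, groups failures by AADSTS error code, emits the Request ID and Date (UTC) pair a support ticket needs, and flags a source IP that fails credentials against several accounts. The records are constructed here and follow the field names of Microsoft Graph `signIn` objects (`id`, `createdDateTime`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `status.errorCode`); treating the record `id` as the portal's Request ID, and the remediation wording, are this example's own assumptions.

```python
from collections import defaultdict


def _rec(n, ts, upn, app, ip, code, reason):
    """Build one constructed sign-in record in the shape of a Graph signIn object."""
    return {
        "id": f"11111111-2222-3333-4444-{n:012d}",   # assumed to be the portal's Request ID
        "createdDateTime": ts,                        # ISO 8601, UTC
        "userPrincipalName": upn,
        "appDisplayName": app,
        "ipAddress": ip,
        "status": {"errorCode": code, "failureReason": reason},
    }


# Constructed sample: one success, a burst of bad passwords from one source
# against three accounts, an MFA challenge, and a locked account.
SAMPLE_SIGNINS = [
    _rec(1, "2018-09-12T08:15:02Z", "alice@contoso.example", "Office 365 Exchange Online", "198.51.100.10", 0, "Other."),
    _rec(2, "2018-09-12T08:16:40Z", "alice@contoso.example", "Office 365 Exchange Online", "203.0.113.7", 50126, "Invalid username or password."),
    _rec(3, "2018-09-12T08:16:41Z", "bob@contoso.example", "Office 365 Exchange Online", "203.0.113.7", 50126, "Invalid username or password."),
    _rec(4, "2018-09-12T08:16:43Z", "carol@contoso.example", "Office 365 Exchange Online", "203.0.113.7", 50126, "Invalid username or password."),
    _rec(5, "2018-09-12T09:02:11Z", "dave@contoso.example", "Azure Portal", "198.51.100.22", 50076, "Strong authentication required."),
    _rec(6, "2018-09-12T09:10:00Z", "erin@contoso.example", "Azure Portal", "198.51.100.23", 50053, "Account is locked."),
]

# Meaning of a few documented AADSTS codes; the remediation text is this example's own wording.
REMEDIATION = {
    50126: "Wrong credentials: confirm the password, and check password sync if hybrid.",
    50076: "MFA required: the user must complete the challenge (policy or new location).",
    50053: "Smart lockout: wait or unlock, and look for a spray against other accounts.",
    50057: "The account is disabled in the directory.",
}


def failed_signins(records):
    """Records whose status.errorCode is non-zero (0 means the sign-in succeeded)."""
    return [r for r in records if r.get("status", {}).get("errorCode", 0) != 0]


def group_by_error(records):
    """{errorCode: [records]} for the failed sign-ins only."""
    groups = defaultdict(list)
    for r in failed_signins(records):
        groups[r["status"]["errorCode"]].append(r)
    return dict(groups)


def ticket_fields(record):
    """The two values the portal's Copy to clipboard puts into a support ticket."""
    return {"Request ID": record["id"], "Date (UTC)": record["createdDateTime"]}


def triage(records):
    """One summary per error code, sorted by code, with ticket fields for every event."""
    report = []
    for code, recs in sorted(group_by_error(records).items()):
        report.append({
            "errorCode": f"AADSTS{code}",
            "count": len(recs),
            "users": sorted({r["userPrincipalName"] for r in recs}),
            "remediation": REMEDIATION.get(code, "Not on file: open a ticket with the Request ID and Date (UTC)."),
            "tickets": [ticket_fields(r) for r in recs],
        })
    return report


def spray_suspects(records, min_accounts=3):
    """Source IPs with bad-password failures (50126) against at least min_accounts
    distinct accounts: a simple password-spray indicator worth checking before
    treating each 50126 as an isolated user problem."""
    by_ip = defaultdict(set)
    for r in failed_signins(records):
        if r["status"]["errorCode"] == 50126:
            by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    for entry in triage(SAMPLE_SIGNINS):
        print(entry["errorCode"], entry["count"], entry["remediation"])
        for t in entry["tickets"]:
            print("   ", t)
    print("spray suspects:", spray_suspects(SAMPLE_SIGNINS))
```

The point of `spray_suspects` is that the tab explains one sign-in at a time; a run of AADSTS50126 from one address across many accounts is not a user problem to remediate but an attack to investigate, which only shows up when the events are looked at together.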


Support for SSPR from the Windows 7/8/8.1 Lock screen

Service category: Self-Service Password Reset
Product capability: User Authentication

After you enable password reset from Windows 7, 8, and 8.1, your users will see a link to reset their password from the Lock screen of a device running Windows 7, Windows 8, or Windows 8.1. By clicking that link, the user is guided through the same password reset flow as through the web browser.


New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2018, the Azure AD team added these new apps with Federation support to the app gallery:


Azure Active Directory – Where is your data located? page

Service category: Other
Product capability: GoLocal

Select your company’s region from the Azure Active Directory – Where is your data located page to view which Azure datacenter houses your Azure AD data at rest for all Azure AD services. You can filter the information by specific Azure AD services for your company’s region. Based on Microsoft Power BI, this new experience provides the information you need per geography and per Azure AD service.


What’s Planned

Authorization codes will no longer be available for reuse

Service category: Authentications (Logins)
Product capability: User Authentication

Starting on October 10, 2018, Azure AD will stop accepting previously used authorization codes from apps. This security change brings Azure AD in line with the OAuth 2.0 specification (RFC 6749 requires that an authorization code be used at most once) and will be enforced on both the v1 and v2 endpoints. It also means that a code captured from a log or a redirect URL cannot be redeemed once the legitimate client has used it.

If your app reuses an authorization code to get tokens for multiple resources, use the code once to get a refresh token, then use that refresh token to acquire access tokens for the other resources. Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple resources. Any app that presents an already-redeemed authorization code during the OAuth code flow will get an invalid_grant error.
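The flow described above, as an added example that is not Azure AD's code or code from the release notes: a small in-memory stand-in for an OAuth 2.0 token endpoint that redeems each authorization code exactly once and hands back a refresh token, next to the client-side pattern the text recommends and the per-resource code-replay pattern it breaks. The endpoint class, the token formats, and the resource and client names are constructed for illustration; the grant names and the invalid_grant error follow RFC 6749, and the `resource` parameter follows the Azure AD v1 endpoint.

```python
import secrets


class InvalidGrant(Exception):
    """Raised where a real token endpoint would return error=invalid_grant."""


class MockTokenEndpoint:
    """Constructed stand-in for an OAuth 2.0 token endpoint (not Azure AD).

    A code is stored once and removed on its first presentation, which is the
    single-use rule RFC 6749 section 4.1.2 requires and Azure AD enforces from
    October 10, 2018. Refresh tokens stay valid and can be exchanged for access
    tokens to further resources.
    """

    def __init__(self):
        self._codes = {}        # code -> {client_id, redirect_uri, user}
        self._refresh = {}      # refresh_token -> {client_id, user}
        self.redemptions = 0    # successful code exchanges, for inspection

    def issue_code(self, client_id, redirect_uri, user):
        """Authorization-endpoint step: mint a code bound to the client and redirect URI."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user}
        return code

    def exchange_code(self, code, client_id, redirect_uri, resource):
        """grant_type=authorization_code. pop() consumes the code even when the
        binding check fails, so a mismatched client cannot retry it either."""
        entry = self._codes.pop(code, None)
        if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise InvalidGrant("invalid_grant: code unknown, already redeemed, or bound to another client")
        self.redemptions += 1
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = {"client_id": client_id, "user": entry["user"]}
        return {"access_token": self._mint(entry["user"], resource),
                "refresh_token": refresh_token, "resource": resource}

    def refresh(self, refresh_token, client_id, resource):
        """grant_type=refresh_token: reusable, and may name a different resource."""
        entry = self._refresh.get(refresh_token)
        if entry is None or entry["client_id"] != client_id:
            raise InvalidGrant("invalid_grant: refresh token unknown or bound to another client")
        return {"access_token": self._mint(entry["user"], resource),
                "refresh_token": refresh_token, "resource": resource}

    @staticmethod
    def _mint(user, resource):
        # Opaque placeholder; a real endpoint issues a signed JWT with aud=resource.
        return f"at.{user}.{resource}.{secrets.token_hex(8)}"


def acquire_tokens(endpoint, code, client_id, redirect_uri, resources):
    """Recommended pattern: redeem the code once, then use the refresh token for
    every further resource. Returns {resource: access_token}."""
    first = endpoint.exchange_code(code, client_id, redirect_uri, resources[0])
    tokens = {resources[0]: first["access_token"]}
    for resource in resources[1:]:
        tokens[resource] = endpoint.refresh(first["refresh_token"], client_id, resource)["access_token"]
    return tokens


def acquire_tokens_by_code_reuse(endpoint, code, client_id, redirect_uri, resources):
    """The pattern the change breaks: replaying the same code once per resource.
    The second exchange raises InvalidGrant."""
    return {r: endpoint.exchange_code(code, client_id, redirect_uri, r)["access_token"] for r in resources}


def rejected(call, *args):
    """True if the endpoint answers the call with invalid_grant."""
    try:
        call(*args)
    except InvalidGrant:
        return True
    return False


if __name__ == "__main__":
    ep = MockTokenEndpoint()
    client, cb = "contoso-webapp", "https://app.contoso.example/callback"   # constructed
    resources = ["https://graph.microsoft.com", "https://contoso.sharepoint.example"]
    tokens = acquire_tokens(ep, ep.issue_code(client, cb, "alice"), client, cb, resources)
    print("refresh-token pattern:", sorted(tokens), "code redemptions:", ep.redemptions)
    print("code-reuse pattern rejected:",
          rejected(acquire_tokens_by_code_reuse, ep, ep.issue_code(client, cb, "alice"), client, cb, resources))
```

The two things to check in your own client are visible here: the code is presented to the token endpoint exactly once, and every later token request for another resource carries the refresh token, never the code.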


New approved client apps for Azure AD app-based conditional access

Service category: Conditional access
Product capability: Identity security and protection

The following apps are on the list of approved client apps:

  • Microsoft To-Do
  • Microsoft Stream


What’s Changed

Updated administrator role permissions for dynamic groups

Service category: Group Management
Product capability: Collaboration

The Azure Active Directory team fixed an issue so that specific administrator roles can now create and update dynamic group membership rules without needing to be an owner of the group.

The roles in scope for this change are:

  • Global administrator or Company administrator
  • Intune Service Administrator
  • User Account Administrator


Enhanced support for custom extension properties used to create dynamic membership rules

Service category: Group Management
Product capability: Collaboration

With this update, you can click the Get custom extension properties link in the dynamic user group rule builder, enter the application ID of the app that registered the extensions, and get the full list of custom extension properties available for use in a dynamic membership rule for users. The list can be refreshed to pick up any new custom extension properties for that app. In a rule, such a property is referenced as user.extension_<appId>_<propertyName>, where <appId> is the application ID with the hyphens removed.


Updated SAML-based app configuration UI (preview)

Service category: Enterprise Apps
Product capability: Single Sign-On

The Azure AD team created an updated SAML-based app configuration user interface (UI). As part of this UI, you’ll get:

  • An updated walkthrough experience for configuring your SAML-based apps.
  • More visibility about what’s missing or incorrect in your configuration.
  • The ability to add multiple email addresses for certificate expiration notifications.
  • New claim transformation methods, ToLower() and ToUpper(), and more.
  • A way to upload your own token signing certificate for your enterprise apps.
  • A way to set the NameID format for SAML apps, and a way to source the NameID value from directory extension attributes.

To turn on this updated view, click the Try out our new experience link from the top of the Single Sign-On page.
