Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for December 2018:

What’s New

Administrators can require users to accept a Terms of use on each device

Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Require users to consent on every device option to require their users to accept the Terms of use on every device they're using on the Azure AD tenant.

Administrators can configure a Terms of use to expire based on a recurring schedule

Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Expire consents option to make a Terms of use expire for all users, based on the specified recurring schedule. The schedule can be annually, bi-annually, quarterly, or monthly. After the Terms of use expires, users must reaccept.

Administrators can configure a Terms of use to expire based on each user’s schedule

Service category: Terms of Use
Product capability: Governance

Administrators can now specify a duration that user must reaccept a Terms of use. For example, administrators can specify that users must reaccept a Terms of use every 90 days.

What’s Fixed

Users removed from synchronization scope no longer switch to cloud-only accounts

Service category: User Management
Product capability: Directory

The team has fixed a bug in which the DirSyncEnabled flag of a user would be erroneously switched to False when the Active Directory Domain Services (AD DS) object was excluded from synchronization scope and then moved to the Recycle Bin in Azure AD on the following sync cycle. As a result of this fix, if the user is excluded from sync scope and afterwards restored from Azure AD Recycle Bin, the user account remains as synchronized from on-premises AD, as expected, and cannot be managed in the cloud since its source of authority (SoA) remains on-premises AD.

Prior to this fix, there was an issue when the DirSyncEnabled flag was switched to False. It gave the wrong impression that these accounts were converted to cloud-only objects and that the accounts could be managed in the cloud. However, the accounts still retained their source of authority (SoA) as on-premises and all synchronized properties (shadow attributes) coming from on-premises AD. This condition caused multiple issues in Azure AD and other cloud workloads (like Exchange Online) that expected to treat these accounts as synchronized from AD but were now behaving like cloud-only accounts.

At this time, the only way to truly convert a synchronized-from-AD account to cloud-only account is by disabling DirSync at the tenant level, which triggers a backend operation to transfer the source of authority (SoA). This type of SoA change requires (but is not limited to) cleaning all the on-premises related attributes (such as LastDirSyncTime and shadow attributes) and sending a signal to other cloud workloads to have its respective object converted to a cloud-only account too.

What’s Changed

Updates to the audit and sign-in logs schema through Azure Monitor Breaking Change

Service category: Reporting
Product capability: Monitoring & Reporting

The team is currently publishing both the Audit and Sign-in log streams through Azure Monitor, so admins can seamlessly integrate the log files with Security Incident and Event Monitoring (SIEM) tools or with Log Analytics.

Based on feedback, and in preparation for this feature's general availability (GA)announcement, the team is making changes to the schema. These schema changes and its related documentation updates will happen by the first week of January.

Identity Protection improvements to the supervised machine learning model and the risk score engine

Service category: Identity Protection
Product capability: Risk Scores

Improvements to the Identity Protection-related user and sign-in risk assessment engine can help to improve user risk accuracy and coverage. Administrators may notice that user risk level is no longer directly linked to the risk level of specific detections, and that there's an increase in the number and level of risky sign-in events.

Risk detections are now evaluated by the supervised machine learning model, which calculates user risk by using additional features of the user’s sign-ins and a pattern of detections. Based on this model, administrators might find users with high risk scores, even if detections associated with that user are of low or medium risk. 

Administrators can reset their own password using the Microsoft Authenticator app (Public preview)

Service category: Self Service Password Reset
Product capability: User Authentication

Azure AD administrators can now reset their own password using the Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. To reset their own password, administrators will now be able to use two of the following methods:

• Microsoft Authenticator app notification
• Other mobile authenticator app / Hardware token code
• Email
• Phone call
• Text message