What’s New in Azure Active Directory for January 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for January 2019:


What’s New

Active Directory B2B collaboration using one-time passcode authentication Public preview

Service category: B2B
Product capability: B2B/B2C

Microsoft has introduced one-time passcode authentication (OTP) for B2B guest users who can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. This new authentication method means that guest users don't have to create a new Microsoft account. Instead, while redeeming an invitation or accessing a shared resource, a guest user can request a temporary code to be sent to an email address. Using this temporary code, the guest user can continue to sign in.


New Azure AD Application Proxy cookie settings

Service category: App Proxy
Product capability: Access Control

The identity team at Microsoft introduced three new cookie settings, available for apps that are published through Application Proxy:

  • Use HTTP-Only cookie.
    Sets the HTTPOnly flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, such as helping to prevent copying or modifying of cookies through client-side scripting. Microsoft recommends you turn on this flag (choose Yes) for the added benefits.
  • Use secure cookie.
    Sets the Secure flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, by making sure cookies are only transmitted over TLS secure channels, such as HTTPS. Microsoft recommends you turn on this flag (choose Yes) for the added benefits.
  • Use persistent cookie.
    Prevents access cookies from expiring when the web browser is closed. These cookies last for the lifetime of the access token. However, the cookies are reset if the expiration time is reached or if the user manually deletes the cookie. Microsoft recommends you keep the default setting No, only turning on the setting for older apps that don't share cookies between processes.

For more information about the new cookies, see Cookie settings for accessing on-premises applications in Azure Active Directory.
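As an added example, not taken from the release notes or from Microsoft's own tooling, the check below parses Set-Cookie headers of the kind a browser receives from an Application Proxy-published app and reports which of the three properties above each cookie lacks; the cookie name and header values are constructed for the example.

```python
# Added example: audit Set-Cookie headers for the HttpOnly, Secure and
# persistence properties that the Application Proxy settings control.
# Cookie names and values below are constructed, not real App Proxy cookies.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    persistent: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags map to ""
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str, allow_persistent: bool = False) -> CookieAudit:
    """Report which of the recommended cookie properties a header is missing."""
    name, _value, attrs = parse_set_cookie(header)
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    # Expires or a non-zero Max-Age makes the cookie outlive the browser
    # session, which is what the "Use persistent cookie" setting turns on.
    persistent = "expires" in attrs or attrs.get("max-age", "0") not in ("", "0")
    findings: List[str] = []
    if not httponly:
        findings.append("missing HttpOnly: cookie readable by client-side script")
    if not secure:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if persistent and not allow_persistent:
        findings.append("persistent: cookie survives browser close (default should be No)")
    return CookieAudit(name, httponly, secure, persistent, findings)


# Constructed sample headers: a weak configuration and the recommended one.
WEAK = "AppProxyAccess=abc123; Path=/; Expires=Wed, 30 Jan 2019 10:00:00 GMT"
HARDENED = "AppProxyAccess=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hdr in (WEAK, HARDENED):
        result = audit_cookie(hdr)
        print(result.name, result.findings or ["OK"])
```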


New Federated Apps available in Azure AD app gallery

In January 2019, Microsoft added these new apps with Federation support to the app gallery:


App Lock feature for the Microsoft Authenticator app on iOS and Android devices

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

To keep your one-time passcodes, app information, and app settings more secure, you can turn on the App Lock feature in the Microsoft Authenticator app. Turning on App Lock means you’ll be asked to authenticate using your PIN or biometric every time you open the Microsoft Authenticator app.

For more information, see the Microsoft Authenticator app FAQ.


Enhanced Azure AD Privileged Identity Management (PIM) export capabilities

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management (PIM) administrators can now export all active and eligible role assignments for a specific resource, which includes role assignments for all child resources. Previously, it was difficult for administrators to get a complete list of role assignments for a subscription and they had to export role assignments for each specific resource.

For more information, see View activity and audit history for Azure resource roles in PIM.


What’s Changed

New Azure AD Identity Protection enhancements Public preview

Service category: Identity Protection
Product capability: Identity Security & Protection

Microsoft is excited to announce that it has added the following enhancements to the Azure AD Identity Protection public preview offering:

  • An updated and more integrated user interface
  • Additional APIs
  • Improved risk assessment through machine learning
  • Product-wide alignment across risky users and risky sign-ins

For more information about the enhancements, see What is Azure Active Directory Identity Protection (refreshed)?, and share your thoughts through the in-product prompts.


Users removed from synchronization scope no longer switch to cloud-only accounts

Service category: User Management
Product capability: Directory

Microsoft has heard and understood our frustration with this fix. Therefore, Microsoft has reverted the change until it can make the fix easier for admins to implement in their organizations.
