What’s New in Azure Active Directory for July 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for July 2019:


What’s Planned

Application Proxy service update to support only TLS 1.2

Service category: App Proxy
Product capability: Access Control

To help organizations use the strongest encryption available, Microsoft is going to begin limiting Application Proxy service access to the TLS 1.2 protocol only. This limitation will initially be rolled out to organizations that are already using TLS 1.2, so those admins won’t see any impact. Deprecation of the TLS 1.0 and TLS 1.1 protocols will be complete on August 31, 2019. Organizations still using TLS 1.0 and TLS 1.1 will receive advance notice to prepare for this change.

To maintain the connection to the Application Proxy service throughout this change, Microsoft recommends that admins make sure their client-server and browser-server combinations are updated to use TLS 1.2. Microsoft also recommends that admins make sure to include any client systems used by employees to access apps published through the Application Proxy service.

Design updates are coming for the Application Gallery

Service category: Enterprise Apps
Product capability: SSO

New user interface changes are coming to the design of the Add from the gallery area of the Add an application blade. These changes will help admins more easily find apps that support automatic provisioning, OpenID Connect, Security Assertion Markup Language (SAML), and Password single sign-on (SSO).

Removal of the MFA server IP address from the Office 365 IP address

Service category: MFA
Product capability: Identity Security & Protection

Microsoft is removing the MFA server IP address from the Office 365 IP Address and URL Web service. If organizations currently rely on these pages to update their firewall settings, they must make sure they’re also including the list of IP addresses documented in the Azure Multi-Factor Authentication Server firewall requirements section of the Getting started with the Azure Multi-Factor Authentication Server article.


What’s New

New passwordless sign-in to Azure AD using FIDO2 security keys

Service category: Authentications (Logins)
Product capability: User Authentication

Organizations using Azure AD can now set policies to manage FIDO2 security keys for their organization’s users and groups. End-users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on web sites while on FIDO-capable devices, as well as sign in to their Azure AD-joined Windows 10 devices.

New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2019, Microsoft added these 18 new apps with Federation support to the app gallery:

  1. Ungerboeck Software
  2. Bright Pattern Omnichannel Contact Center
  3. Clever Nelly
  4. AcquireIO
  5. Looop
  6. productboard
  7. MS Azure SSO Access for Ethidex Compliance Office™
  8. Hype
  9. Abstract
  10. Ascentis
  11. Flipsnack
  12. Wandera
  13. TwineSocial
  14. Kallidus
  15. HyperAnna
  16. PharmID WasteWitness
  17. i2B Connect
  18. JFrog Artifactory

Automate user account provisioning for these newly supported SaaS apps

Service category: Enterprise Apps
Product capability: Monitoring & Reporting

Admins can now automate creating, updating, and deleting user accounts for these newly integrated apps:

New Azure AD Domain Services service tag for Network Security Group

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

If admins are tired of managing long lists of IP addresses and ranges, they can use the new AzureActiveDirectoryDomainServices network service tag in their Azure network security group to help secure inbound traffic to their Azure AD Domain Services virtual network subnet.

New Security Audits for Azure AD Domain Services Public Preview

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Microsoft is pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide admins with critical insight into authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hub, using the Azure AD Domain Service portal.

New Authentication methods usage & insights Public Preview

Service category: Self Service Password Reset
Product capability: Monitoring & Reporting

The new Authentication methods usage & insights reports can help admins understand how features like Azure Multi-Factor Authentication and self-service password reset are being registered and used in their organization, including the number of registered users for each feature, how often self-service password reset is used to reset passwords, and by which method the reset happens.

New security reports are available for all Azure AD administrators Public Preview

Service category: Identity Protection
Product capability: Identity Security & Protection

All Azure AD administrators can now select the banner at the top of existing security reports, such as the Users flagged for risk report, to start using the new security experience as shown in the Risky users and the Risky sign-ins reports. Over time, all of the security reports will move from the older versions to the new versions, with the new reports providing admins the following additional capabilities:

  • Advanced filtering and sorting
  • Bulk actions, such as dismissing user risk
  • Confirmation of compromised or safe entities
  • Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised

New B2B direct federation using SAML/WS-Fed Public Preview

Service category: B2B
Product capability: B2B/B2C

Direct federation helps to make it easier for organizations to work with partners whose IT-managed identity solution is not Azure AD, by working with identity systems that support the SAML or WS-Fed standards. After admins set up a direct federation relationship with a partner, any new guest user invited from that domain can collaborate with users in their organization using their existing organizational account, making the user experience for guests more seamless.

New check for duplicate group names in the Azure AD portal

Service category: Group Management
Product capability: Collaboration

Now, when admins create or update a group name from the Azure AD portal, Microsoft will perform a check to see if they are duplicating an existing group name in their resource. If Microsoft determines that the name is already in use by another group, admins will be asked to modify the name.

Azure AD now supports static query parameters in reply (redirect) URIs

Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD apps can now register and use reply (redirect) URIs with static query parameters (for example, https://contoso.com/oauth2?idp=microsoft) for OAuth 2.0 requests. The static query parameter is subject to string matching for reply URIs, just like any other part of the reply URI. If there’s no registered string that matches the URL-decoded redirect-uri, the request is rejected. If the reply URI is found, the entire string is used to redirect the user, including the static query parameter.

Dynamic reply URIs are still forbidden because they represent a security risk and can’t be used to retain state information across an authentication request. For this purpose, use the state parameter.

Currently, the app registration screens of the Azure portal still block query parameters. However, admins can manually edit the app manifest to add and test query parameters in their app.
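To make the matching rule concrete, here is an added example (not Azure AD’s own code) of the validation described above: the redirect_uri from the request is URL-decoded, compared as a whole string against the registered reply URIs, and, when it matches, the entire registered string (static query parameter included) is used for the redirect, with per-request state carried in the state parameter. The registered URIs, the code value and the helper names are constructed for the illustration.

```python
"""Reply (redirect) URI matching with static query parameters.

Added example of the rule described in the release notes, not Azure AD's
implementation. The registered reply URIs below are constructed.
"""
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Constructed app registration: one plain reply URI and one with a static
# query parameter, as the manifest now allows.
REGISTERED_REPLY_URIS = (
    "https://contoso.com/oauth2",
    "https://contoso.com/oauth2?idp=microsoft",
)


def match_reply_uri(requested, registered=REGISTERED_REPLY_URIS):
    """Return the registered reply URI that exactly equals the URL-decoded
    redirect_uri, or None when nothing matches (the request is rejected).

    The query string takes part in the comparison like any other part of
    the URI, so a changed or added parameter value does not match.
    """
    decoded = unquote(requested)
    for uri in registered:
        if decoded == uri:  # whole-string comparison, no prefix or wildcard
            return uri
    return None


def build_redirect(requested, code, state, registered=REGISTERED_REPLY_URIS):
    """Build the redirect back to the client after a successful match.

    The *registered* string is used in full (static query parameter kept),
    and the authorization code plus the caller's opaque ``state`` are
    appended. Raises ValueError when the redirect_uri is not registered.
    """
    reply = match_reply_uri(requested, registered)
    if reply is None:
        raise ValueError("redirect_uri does not match any registered reply URI")
    parts = urlsplit(reply)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("code", code), ("state", state)]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment)
    )
```

Per-request data such as a session identifier belongs in the state parameter, which round-trips unchanged, rather than in a reply URI that would have to be registered for every value.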

Activity logs (MS Graph APIs) for Azure AD are now available through PowerShell Cmdlets

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft is excited to announce that Azure AD activity logs (Audit and Sign-ins reports) are now available through the Azure AD PowerShell module. Previously, admins could create their own scripts using MS Graph API endpoints, and now Microsoft has extended that capability to PowerShell cmdlets.

Updated filter controls for Audit and Sign-in logs in Azure AD

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft has updated the Audit and Sign-in log reports so admins can now apply various filters without having to add them as columns on the report screens. Additionally, admins can now decide how many filters they want to show on the screen. These updates all work together to make reports easier to read and more scoped to needs.


What’s Fixed

App-only tokens now require the resource application (Web API) to exist in the resource tenant

Service category: Authentications (Logins)
Product capability: User Authentication

On July 26, 2019, Microsoft changed how it provides app-only tokens through the client credentials grant. Previously, apps could get tokens to call other apps regardless of whether the client app was in the tenant. Microsoft has updated this behavior so that single-tenant resources, sometimes called Web APIs, can only be called by client apps that exist in the resource tenant.

If an app isn’t located in the resource tenant, you’ll get an error message:

The service principal named <app_name> was not found in the tenant named <tenant_name>. This can happen if the application has not been installed by the administrator of the tenant.

To fix this problem, admins must create the client app service principal in the tenant, using either the admin consent endpoint or through PowerShell, which ensures the tenant has given the app permission to operate within the tenant.
