What’s New in Azure Active Directory for August 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for August 2019:

 

What’s Planned

Deprecation of the Power BI content packs

Service category: Reporting
Product capability: Monitoring & Reporting

Starting on October 1st, 2019, Power BI will begin to deprecate all content packs, including the Azure AD Power BI content pack. As an alternative to this content pack, admins can use Azure AD Workbooks to gain insights into their Azure AD-related services. Additional workbooks are coming, including workbooks about Conditional Access policies in report-only mode, app consent-based insights, and more.

For more information about the workbooks, see How to use Azure Monitor workbooks for Azure Active Directory reports.

 

What’s New

New custom roles are available for app registration management Public Preview

Service category: Role-based Access Control
Product capability: Access Control

Custom roles (available with Azure AD P1 and P2 subscriptions) can now give admins fine-grained access by letting them create role definitions with specific permissions and then assign those roles to specific resources. Currently, custom roles can only be built from the permissions for managing app registrations, and the role is then assigned at the scope of a specific app. For more information about custom roles, see Custom administrator roles in Azure Active Directory (preview).

New provisioning logs can help admins monitor and troubleshoot app provisioning deployment Public Preview

Service category: App Provisioning
Product capability: Identity Lifecycle Management

New provisioning logs are available to help admins monitor and troubleshoot the user and group provisioning deployment. These new log files include information about:

New security reports for all Azure AD administrators General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, they will be able to use the banner at the top of the modern security reports to return to the old reports.

The modern security reports will provide additional capabilities beyond the older versions, including:

  • Advanced filtering and sorting
  • Bulk actions, such as dismissing user risk
  • Confirmation of compromised or safe entities
  • Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised
  • New risk-related detections (available to Azure AD Premium subscribers)

User-assigned managed identity is available for Virtual Machines and Virtual Machine Scale Sets General Availability

Service category: Managed identities for Azure resources
Product capability: Developer Experience

User-assigned managed identities are now generally available for Virtual Machines and Virtual Machine Scale Sets. As part of this, Azure can create an identity in the Azure AD tenant that’s trusted by the subscription in use, and can be assigned to one or more Azure service instances.
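As an added illustration of what a user-assigned identity looks like in practice (example code written for this post, not from Microsoft's release notes): the identity is created as its own resource, attached to an existing VM, granted a narrowly scoped role, and then used from inside the VM to obtain a token without any credential stored on the machine. It assumes the Az PowerShell modules (Az.ManagedServiceIdentity, Az.Compute, Az.Resources), an existing Connect-AzAccount session, and placeholder resource group, VM and identity names.

```powershell
# Added example, not part of the original release notes.
# Assumes Az.ManagedServiceIdentity, Az.Compute and Az.Resources are installed
# and Connect-AzAccount has already been run. All names below are placeholders.

$rg       = "rg-example"
$location = "westeurope"
$vmName   = "vm-example"

# 1. A user-assigned identity is a standalone ARM resource: its lifecycle is
#    independent of the VM and it can be attached to several VMs or scale sets.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg `
    -Name "id-example-reader" -Location $location

# 2. Attach the identity to the VM. (For a scale set use Update-AzVmss with the
#    same -IdentityType UserAssigned -IdentityId parameters.)
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm `
    -IdentityType UserAssigned -IdentityId $identity.Id

# 3. Least privilege: grant the identity's service principal only the role the
#    workload needs, at the narrowest scope that works (Reader on one resource group).
New-AzRoleAssignment -ObjectId $identity.PrincipalId `
    -RoleDefinitionName "Reader" -ResourceGroupName $rg

# 4. Periodic review: what can this identity actually do?
Get-AzRoleAssignment -ObjectId $identity.PrincipalId |
    Select-Object RoleDefinitionName, Scope

# 5. Inside the VM, the workload asks the instance metadata endpoint for a token.
#    A VM may carry several user-assigned identities, so the request names the
#    one it wants via client_id; no secret is ever written to disk.
$token = Invoke-RestMethod -Method GET -Headers @{ Metadata = "true" } -Uri (
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01" +
    "&resource=https://management.azure.com/" +
    "&client_id=$($identity.ClientId)")
$token.access_token
```

Steps 1 to 4 run from an administrator's workstation; step 5 only works when executed on the VM itself, because the metadata endpoint is link-local and reachable only from inside the instance.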

New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2019, Microsoft added these 26 new apps with federation support to the app gallery:

  1. Civic Platform
  2. Amazon Business
  3. ProNovos Ops Manager
  4. Cognidox
  5. Viareport’s Inativ Portal (Europe)
  6. Azure Databricks
  7. Robin
  8. Academy Attendance
  9. Priority Matrix
  10. Cousto MySpace
  11. Uploadcare
  12. Carbonite Endpoint Backup
  13. CPQSync by Cincom
  14. Chargebee
  15. deliver.media™ Portal
  16. Frontline Education
  17. F5
  18. stashcat AD connect
  19. Blink
  20. Vocoli
  21. ProNovos Analytics
  22. Sigstr
  23. Darwinbox
  24. Watch by Colors
  25. Harness
  26. EAB Navigate Strategic Care

 

What’s Changed

Users can reset their passwords using a mobile app or hardware token General Availability

Service category: Self Service Password Reset
Product capability: User Authentication

Users who have registered a mobile app with an organization can now reset their own password by approving a notification from the Microsoft Authenticator app or by entering a code from their mobile app or hardware token.

New versions of the AzureAD PowerShell and AzureADPreview PowerShell modules are available

Service category: Other
Product capability: Directory

New updates to the AzureAD and AzureADPreview PowerShell modules are available:

  • A new -Filter parameter was added to the Get-AzureADDirectoryRole cmdlet in the AzureAD module. This parameter lets you filter the directory roles returned by the cmdlet.
  • New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:
    • Get-AzureADMSRoleAssignment
    • Get-AzureADMSRoleDefinition
    • New-AzureADMSRoleAssignment
    • New-AzureADMSRoleDefinition
    • Remove-AzureADMSRoleAssignment
    • Remove-AzureADMSRoleDefinition
    • Set-AzureADMSRoleDefinition
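To show how the new cmdlets fit together, here is an added example (written for this post, not taken from Microsoft's documentation or release notes) that defines a custom role limited to editing basic properties and owners of app registrations, assigns it to one user for one app only, and then audits all custom role assignments. It assumes the AzureADPreview module is installed and Connect-AzureAD has been run with a sufficiently privileged account; the display names, user principal name and app name are placeholders.

```powershell
# Added example, not part of the original release notes.
# Assumes the AzureADPreview module and an existing Connect-AzureAD session.
# Role name, user and app name are placeholders.

Import-Module AzureADPreview

# 1. Permission set. Only the listed resource actions are granted. Deliberately
#    NOT included: microsoft.directory/applications/credentials/update, which
#    would let the holder add a secret or certificate to the app.
$allowedResourceActions = @(
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/owners/update"
)
$rolePermissions = @{ 'allowedResourceActions' = $allowedResourceActions }

# 2. Create the role definition. A disabled role cannot be assigned.
$role = New-AzureADMSRoleDefinition `
    -DisplayName     "App Registration Basic Editor (example)" `
    -Description     "Edit name, logo, URLs and owners of app registrations only" `
    -TemplateId      (New-Guid).Guid `
    -RolePermissions $rolePermissions `
    -IsEnabled       $true

# 3. Scope the assignment to a single app registration object ("/<objectId>")
#    instead of the whole directory ("/").
$user = Get-AzureADUser -Filter "userPrincipalName eq 'appadmin@contoso.example'"
$app  = Get-AzureADApplication -Filter "displayName eq 'Contoso Expense App'"
$scope = '/' + $app.ObjectId

New-AzureADMSRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId      $user.ObjectId `
    -DirectoryScopeId $scope

# 4. Periodic audit: list every custom (non-built-in) role and who holds it where.
Get-AzureADMSRoleDefinition | Where-Object { -not $_.IsBuiltIn } | ForEach-Object {
    $r = $_
    Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($r.Id)'" |
        Select-Object @{ n = 'Role'; e = { $r.DisplayName } }, PrincipalId, DirectoryScopeId
}

# 5. The new -Filter parameter on Get-AzureADDirectoryRole uses the same OData
#    syntax for the activated built-in roles.
Get-AzureADDirectoryRole -Filter "displayName eq 'Global Administrator'"
```

Two points worth checking before running something like this in a tenant: the resource actions you list define the whole attack surface of the role, so review them against the documented app registration permissions rather than copying a broad set, and prefer the per-app DirectoryScopeId shown here over "/" unless the holder genuinely needs to edit every app registration.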

Improvements to the UI of the dynamic group rule builder in the Azure Portal

Service category: Group Management
Product capability: Collaboration

Microsoft has made some User Interface (UI) improvements to the dynamic group rule builder, available in the Azure portal, to help admins more easily set up a new rule, or change existing rules. This design improvement allows them to create rules with up to five expressions, instead of just one. Microsoft has also updated the device property list to remove deprecated device properties.

New Microsoft Graph app permission available for use with access reviews

Service category: Access Reviews
Product capability: Identity Governance

Microsoft has introduced a new Microsoft Graph app permission, AccessReview.ReadWrite.Membership, which allows apps to automatically create and retrieve access reviews for group memberships and app assignments. This permission can be used by scheduled jobs or as part of automation, without requiring a logged-in user context.

Azure AD activity logs are now available for government cloud instances in Azure Monitor

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft is excited to announce that Azure AD activity logs are now available for government cloud instances in Azure Monitor. Organizations can now send Azure AD logs to storage accounts or to an event hub to integrate with SIEM tools, like Sumologic, Splunk, and ArcSight.

Update users to the new, enhanced security info experience

Service category: Authentications (Logins)
Product capability: User Authentication

On September 25, 2019, Microsoft will be turning off the old, non-enhanced security info experience for registering and managing user security info and only turning on the new, enhanced version. This means that users in your organization will no longer be able to use the old experience.

Authentication requests using POST logins will be more strictly validated

Service category: Authentications (Logins)
Product capability: Standards

Starting on September 2, 2019, authentication requests using the POST method will be more strictly validated against the HTTP standards. Specifically, spaces and double quotes (") will no longer be removed from request form values. These changes aren't expected to break any existing clients, and will help to make sure that requests sent to Azure AD are handled reliably every time.

 

What’s Fixed

ADAL.NET ignores the MSAL.NET shared cache for on-behalf-of scenarios

Service category: Authentications (Logins)
Product capability: User Authentication

Starting with Azure AD Authentication Library (ADAL.NET) version 5.0.0-preview, app developers must serialize one cache per account for web apps and web APIs. Otherwise, some scenarios using the on-behalf-of flow, along with some specific uses of UserAssertion, may result in an elevation of privilege. To avoid this vulnerability, ADAL.NET now ignores the Microsoft Authentication Library for .NET (MSAL.NET) shared cache for on-behalf-of scenarios.

One Response to What’s New in Azure Active Directory for August 2019

  1. Thanks for the info regarding the Azure AD Content Pack. Do you know the plan for the “Microsoft 365 Usage Analytics” content pack? Replaced or also simply deprecated? https://docs.microsoft.com/en-us/office365/admin/usage-analytics/usage-analytics
