Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for August 2019:
What’s Planned
Deprecation of the Power BI content packs
Service category: Reporting
Product capability: Monitoring & Reporting
Starting on October 1st, 2019, Power BI will begin to deprecate all content packs, including the Azure AD Power BI content pack. As an alternative to this content pack, admins can use Azure AD Workbooks to gain insights into their Azure AD-related services. Additional workbooks are coming, including workbooks about Conditional Access policies in report-only mode, app consent-based insights, and more.
For more information about the workbooks, see How to use Azure Monitor workbooks for Azure Active Directory reports.
What’s New
New custom roles are available for app registration management (Public Preview)
Service category: Role-based Access Control
Product capability: Access Control
Custom roles (available with Azure AD P1 and P2 subscriptions) can now help provide admins with fine-grained access, by letting them create role definitions with specific permissions and then assign those roles to specific resources. Currently, admins create custom roles by using permissions for managing app registrations and then assigning the role to a specific app. For more information about custom roles, see Custom administrator roles in Azure Active Directory (preview).
New provisioning logs can help admins monitor and troubleshoot app provisioning deployment (Public Preview)
Service category: App Provisioning
Product capability: Identity Lifecycle Management
New provisioning logs are available to help admins monitor and troubleshoot the user and group provisioning deployment. These new log files include information about:
- What groups were successfully created in ServiceNow
- What roles were imported from Amazon Web Services (AWS)
- What employees weren't imported from Workday
New security reports for all Azure AD administrators (General Availability)
Service category: Identity Protection
Product capability: Identity Security & Protection
By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, they will be able to use the banner at the top of the modern security reports to return to the old reports.
The modern security reports will provide capabilities beyond those of the older versions, including:
- Advanced filtering and sorting
- Bulk actions, such as dismissing user risk
- Confirmation of compromised or safe entities
- Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised
- New risk-related detections (available to Azure AD Premium subscribers)
User-assigned managed identity is available for Virtual Machines and Virtual Machine Scale Sets (General Availability)
Service category: Managed identities for Azure resources
Product capability: Developer Experience
User-assigned managed identities are now generally available for Virtual Machines and Virtual Machine Scale Sets. As part of this, Azure can create an identity in the Azure AD tenant that's trusted by the subscription in use, and can be assigned to one or more Azure service instances.
New Federated Apps available in Azure AD App gallery
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In August 2019, Microsoft added these 26 new apps with Federation support to the app gallery:
- Civic Platform
- Amazon Business
- ProNovos Ops Manager
- Cognidox
- Viareport's Inativ Portal (Europe)
- Azure Databricks
- Robin
- Academy Attendance
- Priority Matrix
- Cousto MySpace
- Uploadcare
- Carbonite Endpoint Backup
- CPQSync by Cincom
- Chargebee
- deliver.media™ Portal
- Frontline Education
- F5
- stashcat AD connect
- Blink
- Vocoli
- ProNovos Analytics
- Sigstr
- Darwinbox
- Watch by Colors
- Harness
- EAB Navigate Strategic Care
What’s Changed
Users can reset their passwords using a mobile app or hardware token (General Availability)
Service category: Self Service Password Reset
Product capability: User Authentication
Users who have registered a mobile app with an organization can now reset their own password by approving a notification from the Microsoft Authenticator app or by entering a code from their mobile app or hardware token.
New versions of the AzureAD PowerShell and AzureADPreview PowerShell modules are available
Service category: Other
Product capability: Directory
New updates to the AzureAD and AzureADPreview PowerShell modules are available:
- A new -Filter parameter was added to the Get-AzureADDirectoryRole cmdlet in the AzureAD module. This parameter helps you filter on the directory roles returned by the cmdlet.
- New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:
  - Get-AzureADMSRoleAssignment
  - Get-AzureADMSRoleDefinition
  - New-AzureADMSRoleAssignment
  - New-AzureADMSRoleDefinition
  - Remove-AzureADMSRoleAssignment
  - Remove-AzureADMSRoleDefinition
  - Set-AzureADMSRoleDefinition
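An added example (not taken from the release notes or from Microsoft) of the custom-role cmdlets listed above: it defines a role limited to two app-registration permissions and assigns it on a single app registration rather than directory-wide. The display names, the user principal name and the choice of permissions are placeholders, and the parameter names follow the AzureADPreview module of this period, so check Get-Help against the installed version, where they may differ.

```powershell
# Added example: requires the AzureADPreview module and an Azure AD P1/P2 tenant.
Connect-AzureAD

# Least-privilege permission set: only the basic properties and the
# credentials of app registrations, nothing else in the directory.
$rolePermissions = @{
    allowedResourceActions = @(
        'microsoft.directory/applications/basic/update',
        'microsoft.directory/applications/credentials/update'
    )
}

# Create the custom role definition (name and description are placeholders).
$role = New-AzureADMSRoleDefinition `
    -DisplayName 'Example App Credential Operator' `
    -Description 'Can update basic properties and credentials of assigned app registrations.' `
    -RolePermissions $rolePermissions `
    -TemplateId (New-Guid).Guid `
    -IsEnabled $true

# Look up the principal and the one app registration the role should apply to.
$user = Get-AzureADUser -ObjectId 'operator@example.com'                # placeholder UPN
$app  = Get-AzureADApplication -Filter "displayName eq 'Example App'"   # placeholder app

# Guard against an empty or ambiguous lookup before building the scope.
if (@($app).Count -ne 1) {
    throw "Expected exactly one app registration, found $(@($app).Count)."
}
$scope = '/' + $app.ObjectId

# Assign the role on that single app registration instead of the whole directory.
New-AzureADMSRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $user.ObjectId `
    -ResourceScope $scope

# Review step: list every assignment of this role and confirm each one
# carries an app-level scope.
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Format-List
```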
Improvements to the UI of the dynamic group rule builder in the Azure Portal
Service category: Group Management
Product capability: Collaboration
Microsoft has made some User Interface (UI) improvements to the dynamic group rule builder, available in the Azure portal, to help admins more easily set up a new rule, or change existing rules. This design improvement allows them to create rules with up to five expressions, instead of just one. Microsoft has also updated the device property list to remove deprecated device properties.
New Microsoft Graph app permission available for use with access reviews
Service category: Access Reviews
Product capability: Identity Governance
Microsoft has introduced a new Microsoft Graph app permission, AccessReview.ReadWrite.Membership, which allows apps to automatically create and retrieve access reviews for group memberships and app assignments. This permission can be used by scheduled jobs or as part of automation, without requiring a logged-in user context.
Azure AD activity logs are now available for government cloud instances in Azure Monitor
Service category: Reporting
Product capability: Monitoring & Reporting
Microsoft is excited to announce that Azure AD activity logs are now available for government cloud instances in Azure Monitor. Organizations can now send Azure AD logs to storage accounts or to an event hub to integrate with SIEM tools, like Sumologic, Splunk, and ArcSight.
Update users to the new, enhanced security info experience
Service category: Authentications (Logins)
Product capability: User Authentication
On September 25, 2019, Microsoft will be turning off the old, non-enhanced security info experience for registering and managing user security info and only turning on the new, enhanced version. This means that users in your organization will no longer be able to use the old experience.
Authentication requests using POST logins will be more strictly validated
Service category: Authentications (Logins)
Product capability: Standards
Starting on September 2, 2019, authentication requests using the POST method will be more strictly validated against the HTTP standards. Specifically, spaces and double-quotes (") will no longer be removed from request form values. These changes aren't expected to break any existing clients, and will help to make sure that requests sent to Azure AD are reliably handled every time.
What’s Fixed
ADAL.NET ignores the MSAL.NET shared cache for on-behalf-of scenarios
Service category: Authentications (Logins)
Product capability: User Authentication
Starting with Azure AD authentication library (ADAL.NET) version 5.0.0-preview, app developers must serialize one cache per account for web apps and web APIs. Otherwise, some scenarios using the on-behalf-of flow, along with some specific use cases of UserAssertion, may result in an elevation of privilege. To avoid this vulnerability, ADAL.NET now ignores the Microsoft authentication library for dotnet (MSAL.NET) shared cache for on-behalf-of scenarios.
Thanks for the info regarding the Azure AD Content Pack. Do you know the plan for the "Microsoft 365 Usage Analytics" content pack? Replaced or also simply deprecated? https://docs.microsoft.com/en-us/office365/admin/usage-analytics/usage-analytics