What’s New in Azure Active Directory in March 2020

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for March 2020:


What’s New

Disaster recovery: Download and store provisioning configuration

Service category: App provisioning
Product capability: Identity lifecycle management

The Azure AD provisioning service provides a rich set of configuration capabilities. Organizations need to be able to save their configuration so that they can refer to it later or roll back to a known good version. Microsoft has added the ability for Azure AD administrators to download their provisioning configuration as a JSON file and upload it when they need it.


Azure AD B2B Collaboration available in Azure Government

Service category: Business to Business (B2B)
Product capability: B2B/B2C

The Azure AD Business to Business (B2B) collaboration features are now available between some Azure Government tenants. To find out if your tenant is able to use these capabilities, follow the instructions in "How can I tell if B2B collaboration is available in my Azure US Government tenant?".

Azure AD B2B is planned for Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants.


Azure Monitor integration for Azure Logs available in Azure Government

Service category: Reporting
Product capability: Monitoring and reporting

Azure Monitor integration with Azure AD logs is now available in Azure Government. You can route Azure AD Logs (Audit and Sign-in Logs) to a storage account, Event Hub and Log Analytics.


Identity Protection Refresh in Azure Government

Service category: Identity protection
Product capability: Identity security and protection

Microsoft is excited to share that they have now rolled out the refreshed Azure AD Identity Protection experience in the Microsoft Azure Government portal.


What’s Changed

Azure AD sign-in logs are now available for all free tenants through the Azure portal

Service category: Reporting
Product capability: Monitoring and reporting

Starting now, organizations with free tenants can access the Azure AD sign-in logs from the Azure portal for up to 7 days. Previously, sign-in logs were available only for customers with Azure Active Directory Premium licenses. With this change, all tenants can access these logs through the portal.

Organizations still need a premium license (Azure Active Directory Premium P1 or P2) to access the sign-in logs through Microsoft Graph API and Azure Monitor.


Password length is limited to 256 characters

Service category: Authentications (Logins)
Product capability: User authentication

To ensure the reliability of the Azure AD service, user passwords are now limited in length to 256 characters. Users with passwords longer than this will be asked to change their password on subsequent sign in, either by contacting their admin or by using the self-service password reset feature.

This change was enabled on March 13th, 2020, at 10AM PST (18:00 UTC), and the error is AADSTS 50052, InvalidPasswordExceedsMaxLength.
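
One way to find the accounts this limit affects, as an added example that is not from Microsoft's release notes or the original post: it scans exported sign-in records for error 50052 and treats an account as resolved once a successful sign-in follows its last rejection. The record layout (Microsoft Graph signIn field names) and the sample users are assumptions constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

PASSWORD_TOO_LONG = 50052  # AADSTS 50052, InvalidPasswordExceedsMaxLength
SUCCESS = 0                # errorCode recorded for a successful sign-in

# Constructed sample export; field names assume the Microsoft Graph signIn shape.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "Alice@contoso.example", "createdDateTime": "2020-03-13T18:05:00Z", "status": {"errorCode": 50052}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2020-03-14T08:00:00Z", "status": {"errorCode": 50052}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2020-03-14T09:30:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2020-03-12T10:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2020-03-13T19:00:00Z", "status": {"errorCode": 50052}},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2020-03-13T19:10:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": None, "createdDateTime": "2020-03-13T19:20:00Z", "status": {"errorCode": 50052}},
])

def parse_ts(value):
    # Sign-in timestamps are ISO 8601 with a trailing "Z" for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def length_limit_report(export_json):
    """Per user: number of 50052 rejections, the last one, and whether a later sign-in succeeded."""
    last_fail, last_ok, rejections = {}, {}, defaultdict(int)
    for rec in json.loads(export_json):
        upn = (rec.get("userPrincipalName") or "").lower()  # UPNs are case-insensitive
        raw_ts = rec.get("createdDateTime")
        if not upn or not raw_ts:
            continue  # skip records that cannot be attributed to a user
        ts = parse_ts(raw_ts)
        code = (rec.get("status") or {}).get("errorCode")
        if code == PASSWORD_TOO_LONG:
            rejections[upn] += 1
            last_fail[upn] = max(ts, last_fail.get(upn, ts))
        elif code == SUCCESS:
            last_ok[upn] = max(ts, last_ok.get(upn, ts))
    report = {}
    for upn, failed_at in last_fail.items():
        ok_at = last_ok.get(upn)
        report[upn] = {
            "rejections": rejections[upn],
            "last_rejection": failed_at.isoformat(),
            # Heuristic: a success after the last rejection implies the password was changed.
            "resolved": ok_at is not None and ok_at > failed_at,
        }
    return report

if __name__ == "__main__":
    print(json.dumps(length_limit_report(SAMPLE_EXPORT), indent=2))
```

Accounts reported with `resolved` set to false are the ones to follow up with an admin reset or a pointer to self-service password reset.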


HomeRealmDiscovery policy changes appear in the audit logs

Service category: Audit
Product capability: Monitoring and reporting

Microsoft fixed a bug where changes to the HomeRealmDiscovery policy were not included in the audit logs. Admins can now see when and how the policy was changed, and by whom.


SSPR now requires two gates for admins in Azure China 21Vianet

Service category: Self-Service Password Reset
Product capability: Identity security and protection

Previously in Microsoft Azure operated by 21Vianet (Azure China 21Vianet), admins using self-service password reset (SSPR) to reset their own passwords needed only one "gate" (challenge) to prove their identity. In public and other national clouds, admins generally must use two gates to prove their identity when using SSPR. But because Microsoft didn't support SMS or phone calls in Azure China 21Vianet, Microsoft allowed one-gate password reset by admins.

Microsoft has created SSPR feature parity between Azure China 21Vianet and the public cloud. Going forward, admins must use two gates when using SSPR. SMS, phone calls, and Authenticator app notifications and codes are supported.


What’s Deprecated

Deprecation of Directory-wide groups option from Groups General Settings on Azure portal

Service category: Group management
Product capability: Collaboration

To provide a more flexible way for organizations to create directory-wide groups that best meet their needs, Microsoft has replaced the Directory-wide Groups option under Groups > General settings in the Azure portal with a link to the dynamic group documentation. Microsoft has improved its documentation to include more instructions so administrators can create all-user groups that include or exclude guest users.
