What’s New in Azure Active Directory in April 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for April 2020:

What’s New

Combined security info registration experience generally available

Service category: Authentications (Logins)
Product capability: Identity Security & Protection

The combined registration experience for Azure Multi-Factor Authentication (MFA) and Azure AD Self-Service Password Reset (SSPR) is now generally available. This new registration experience enables users to register for MFA and SSPR in a single, step-by-step process. When admins deploy the new experience for their organizations, their colleagues can register in less time and with fewer hassles.

Continuous Access Evaluation

Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). Microsoft is rolling this feature out first for Teams and Outlook clients.

SMS Sign-in: First-line Workers can sign in to Azure AD-backed applications with their phone number and no password

Service category: Authentications (Logins)
Product capability: User Authentication

Office is launching a series of mobile-first business apps that cater to non-traditional organizations, and to employees in large organizations that don’t use email as their primary communication method. These apps target front-line employees, deskless workers, field agents, and retail employees who may not get an email address from their employer, or have access to a computer or to IT. This project lets these employees sign in to business applications by entering a phone number and round-tripping a code.

Invite internal users to use B2B collaboration

Service category: Azure AD Business to Business Collaboration (B2B)
Product capability: User management

Microsoft is expanding its Azure AD Business to Business Collaboration (B2B) invitation capability to allow existing internal accounts to be invited to use B2B collaboration credentials going forward.

This is done by passing the user object to the Invite API in addition to typical parameters like the invited email address. The user's object ID, UPN, group membership, app assignment, etc. remain intact, but going forward they'll use B2B to authenticate with their home tenant credentials rather than the internal credentials they used before the invitation.

Report-only mode for Conditional Access generally available

Service category: Conditional Access
Product capability: Identity Security & Protection

Report-only mode for Azure AD Conditional Access lets admins evaluate the result of a Conditional Access policy without enforcing access controls. Admins can test report-only policies across their organization(s) and understand the impact before enabling them, making deployment safer and easier.

Over the past few months, Microsoft has seen strong adoption of report-only mode, with over 26 million user objects already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode, by default.

Conditional Access insights and reporting workbook generally available

Service category: Conditional Access
Product capability: Identity Security & Protection

The Conditional Access insights and reporting workbook gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time.

Policy details blade for Conditional Access public preview

Service category: Conditional Access
Product capability: Identity Security & Protection

The new policy details blade displays which assignments, conditions, and controls were satisfied during conditional access policy evaluation. Admins can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.

New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2020, Microsoft added these 31 new apps with federation support to the app gallery:

Microsoft Graph delta query support for oAuth2PermissionGrant Public Preview

Service category: MS Graph
Product capability: Developer Experience

Delta query for oAuth2PermissionGrant is available for public preview! Admins can now track changes without having to continuously poll Microsoft Graph.

Microsoft Graph delta query support for organizational contact generally available

Service category: MS Graph
Product capability: Developer Experience

Delta query for organizational contacts is generally available! Admins can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls orgContact data with delta query to significantly improve performance.

Microsoft Graph delta query support for application generally available

Service category: MS Graph
Product capability: Developer Experience

Delta query for applications is generally available! Admins can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls application data with delta query to significantly improve performance.

Microsoft Graph delta query support for administrative units Public Preview

Service category: MS Graph
Product capability: Developer Experience

Delta query for administrative units is available for public preview! Admins can now track changes without having to continuously poll Microsoft Graph.
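
The four delta-query announcements above (oAuth2PermissionGrant, organizational contacts, applications and administrative units) all use the same protocol, so one client serves them all. The following is an added example, not code from the original post or from Microsoft: it walks one delta round, follows every `@odata.nextLink`, applies changed and `@removed` objects to a local mirror, and stores the `@odata.deltaLink` for the next round. It assumes a `fetch(url) -> dict` callable that performs an authenticated GET and returns the JSON body; the responses embedded here are constructed so the script runs offline.

```python
"""Delta-query client for Microsoft Graph directory resources.

Added example, not code from the original post or from Microsoft. Assumptions:
a `fetch(url) -> dict` callable that performs an authenticated GET and returns
the decoded JSON body (a constructed fake is embedded so this runs offline),
and the standard delta envelope: `value`, `@odata.nextLink`, `@odata.deltaLink`,
and an `@removed` annotation on deleted objects.
"""
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str], dict]


def run_delta(fetch: Fetch, start_url: str) -> Tuple[List[dict], List[str], str]:
    """Walk one delta round: follow every @odata.nextLink, split the items into
    changed objects and removed ids, and return the @odata.deltaLink to persist."""
    changed: List[dict] = []
    removed: List[str] = []
    delta_link: Optional[str] = None
    url: Optional[str] = start_url
    while url:
        page = fetch(url)
        for item in page.get("value", []):
            if "@removed" in item:          # object deleted since the last round
                removed.append(item["id"])
            else:                           # new object, or only its changed properties
                changed.append(item)
        url = page.get("@odata.nextLink")   # more pages in this round
        delta_link = page.get("@odata.deltaLink", delta_link)
    if delta_link is None:
        raise RuntimeError("delta round ended without an @odata.deltaLink")
    return changed, removed, delta_link


class DeltaMirror:
    """Local mirror of one resource collection, updated by delta rounds instead
    of full polls. Persist `next_url` between runs in real use; in memory here."""

    def __init__(self, fetch: Fetch, resource: str) -> None:
        self.fetch = fetch
        self.mirror: Dict[str, dict] = {}
        self.next_url = f"{GRAPH}/{resource}/delta"   # first round: full enumeration

    def sync(self) -> Tuple[int, int]:
        """Apply one delta round; returns (changed, removed) counts."""
        changed, removed, link = run_delta(self.fetch, self.next_url)
        for item in changed:
            # Delta returns only the properties that changed, so merge, don't replace.
            self.mirror.setdefault(item["id"], {}).update(item)
        for rid in removed:
            self.mirror.pop(rid, None)
        self.next_url = link
        return len(changed), len(removed)


# Constructed responses standing in for Graph: two pages for the initial
# enumeration, then one change round with an update and a deletion.
_FAKE_GRAPH = {
    f"{GRAPH}/applications/delta": {
        "value": [{"id": "app-1", "displayName": "Payroll"}],
        "@odata.nextLink": f"{GRAPH}/applications/delta?$skiptoken=p2",
    },
    f"{GRAPH}/applications/delta?$skiptoken=p2": {
        "value": [{"id": "app-2", "displayName": "HR Portal"}],
        "@odata.deltaLink": f"{GRAPH}/applications/delta?$deltatoken=d1",
    },
    f"{GRAPH}/applications/delta?$deltatoken=d1": {
        "value": [
            {"id": "app-2", "displayName": "HR Portal v2"},
            {"id": "app-1", "@removed": {"reason": "deleted"}},
        ],
        "@odata.deltaLink": f"{GRAPH}/applications/delta?$deltatoken=d2",
    },
}


def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; raises KeyError on an unknown URL."""
    return _FAKE_GRAPH[url]


if __name__ == "__main__":
    apps = DeltaMirror(fake_fetch, "applications")
    print("initial:", apps.sync(), sorted(apps.mirror))
    print("changes:", apps.sync(), apps.mirror)
```

The point of persisting the `deltaLink` is that the second and later rounds only return objects that changed, which is both cheaper than polling and a natural feed for detection: a mirror of oAuth2PermissionGrant kept this way surfaces every new consent grant as a changed object.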

Manage authentication phone numbers and more in new Microsoft Graph beta APIs

Service category: MS Graph
Product capability: Developer Experience

These APIs are a key tool for managing your users’ authentication methods. Now you can programmatically pre-register and manage the authenticators used for Azure Multi-Factor Authentication (MFA) and Azure AD Self-Service Password Reset (SSPR). The new APIs that Microsoft released in this wave give admins the ability to:

  • Read, add, update, and remove a user’s authentication phones
  • Reset a user’s password
  • Turn SMS sign-in on and off

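What pre-registering an authenticator looks like in practice, as an added example that is not code from the original post or from Microsoft: the script below registers a user's mobile phone as an authentication method and then turns on SMS sign-in, skipping the registration when a mobile phone is already present. The beta paths under `/users/{id}/authentication/phoneMethods`, the `enableSmsSignIn` and `disableSmsSignIn` actions, the fixed id Graph uses for the `mobile` method, the `smsSignInState` values and the `+<country code> <number>` phone format are assumptions from the beta API as I know it, so verify them against the current Graph reference before use. The HTTP client is injected as a `send(method, url, body)` callable and a constructed fake stands in for it, so the script runs offline.

```python
"""Pre-register a user's mobile authentication phone and turn on SMS sign-in
through the Microsoft Graph beta authentication-methods API.

Added example, not code from the original post or from Microsoft. Assumptions:
the beta paths /users/{id}/authentication/phoneMethods and the
enableSmsSignIn / disableSmsSignIn actions, the fixed id Graph uses for the
`mobile` phone method, the `smsSignInState` values and the
"+<country code> <number>" phone format. A `send(method, url, body) -> dict`
callable is injected so that a constructed fake stands in for the real,
authenticated HTTP client.
"""
import re
from typing import Callable, List, Optional

GRAPH_BETA = "https://graph.microsoft.com/beta"
MOBILE_METHOD_ID = "3179e48a-750b-4051-897c-87b9720928f7"   # assumed fixed id of the mobile method
PHONE_FORMAT = re.compile(r"^\+\d{1,3} \d{4,14}$")             # assumed format, e.g. "+31 612345678"
Send = Callable[[str, str, Optional[dict]], dict]


def phone_methods_url(user_id: str, method_id: str = "") -> str:
    base = f"{GRAPH_BETA}/users/{user_id}/authentication/phoneMethods"
    return f"{base}/{method_id}" if method_id else base


def list_phones(send: Send, user_id: str) -> List[dict]:
    return send("GET", phone_methods_url(user_id), None).get("value", [])


def add_mobile_phone(send: Send, user_id: str, phone: str) -> dict:
    """Register `phone` as the user's mobile authenticator (used for MFA and SSPR)."""
    if not PHONE_FORMAT.match(phone):
        raise ValueError(f"phone must look like '+<cc> <number>', got {phone!r}")
    return send("POST", phone_methods_url(user_id),
                {"phoneNumber": phone, "phoneType": "mobile"})


def set_sms_sign_in(send: Send, user_id: str, enabled: bool) -> dict:
    action = "enableSmsSignIn" if enabled else "disableSmsSignIn"
    return send("POST", phone_methods_url(user_id, MOBILE_METHOD_ID) + "/" + action, None)


def provision_sms_sign_in(send: Send, user_id: str, phone: str) -> dict:
    """Idempotent: add the mobile phone only if none is registered, enable SMS
    sign-in only if it is not already 'ready', and return the final mobile method."""
    phones = list_phones(send, user_id)
    mobile = next((m for m in phones if m.get("phoneType") == "mobile"), None)
    if mobile is None:
        mobile = add_mobile_phone(send, user_id, phone)
    if mobile.get("smsSignInState") != "ready":
        set_sms_sign_in(send, user_id, True)
    return next(m for m in list_phones(send, user_id) if m.get("phoneType") == "mobile")


class FakeGraph:
    """Constructed in-memory stand-in for Graph: records calls and keeps one
    mobile phone method per user so the idempotency path can be exercised."""

    def __init__(self) -> None:
        self.calls: List[str] = []
        self.mobile: Optional[dict] = None

    def send(self, method: str, url: str, body: Optional[dict]) -> dict:
        self.calls.append(f"{method} {url.replace(GRAPH_BETA, '')}")
        if method == "GET":
            return {"value": [self.mobile] if self.mobile else []}
        if url.endswith("/phoneMethods"):                  # add the mobile method
            self.mobile = {"id": MOBILE_METHOD_ID, "phoneType": "mobile",
                           "phoneNumber": body["phoneNumber"], "smsSignInState": "notEnabled"}
            return dict(self.mobile)
        if url.endswith("/enableSmsSignIn"):
            self.mobile["smsSignInState"] = "ready"
        elif url.endswith("/disableSmsSignIn"):
            self.mobile["smsSignInState"] = "notEnabled"
        return {}


if __name__ == "__main__":
    graph = FakeGraph()
    print(provision_sms_sign_in(graph.send, "user-1", "+31 612345678"))
    print("\n".join(graph.calls))
```

Once SMS sign-in is on, the registered number is a credential in its own right, so the write permission behind `add_mobile_phone` deserves the same scrutiny as a password reset: keep it to the roles that need it and watch the audit log for phone-method changes on accounts you did not expect.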
Administrative Units Public Preview

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Azure AD Administrative Units (AUs) allow organizations to grant admin permissions that are restricted to a department, region, or other segment of the organization. Organizations can use administrative units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their administrative unit.

Using administrative units, a central administrator could:

  • Create an administrative unit for decentralized management of resources
  • Assign a role with administrative permissions over only Azure AD users in an administrative unit
  • Populate the administrative units with users and groups as needed

Printer Administrator and Printer Technician built-in roles

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Microsoft introduced two new delegated printer administrator roles:

  1. Printer Administrator: Users with this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.
  2. Printer Technician: Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician cannot do are setting user permissions on printers and sharing printers.

Hybrid Identity Admin built-in role

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Microsoft introduced a new delegated Hybrid Identity administrator role. Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to:

  • Configure Azure AD to one of the three supported authentication methods — Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider) — and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents
  • Enable Seamless Single Sign-On (S-SSO)
  • Enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers
  • See sign-in logs and access health and analytics for monitoring and troubleshooting purposes

Network Administrator built-in role

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Microsoft introduced a new delegated network administrator role. Users with this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Office 365 relies on careful enterprise customer network perimeter architecture, which is generally user location-specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations.

Bulk activity and downloads in the Azure AD admin portal experience

Service category: User Management
Product capability: Directory

Now admins can perform bulk activities on users and groups in Azure AD by uploading a CSV file in the Azure AD admin portal experience. They can create users, delete users, and invite guest users. And they can add and remove members from a group.

Admins can also download lists of Azure AD resources from the Azure AD admin portal experience. They can download the list of users in the directory, the list of groups in the directory, and the members of a particular group.

My Staff delegated user management

Service category: User Management
Product capability: Directory

My Staff enables first-line managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a first-line manager. With My Staff, a colleague who can’t access their account can regain access in just a couple of clicks, with no helpdesk or IT staff required.

What’s Changed

Users with default access role are now in scope for provisioning

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Historically, users with the default access role have been out of scope for provisioning. Microsoft heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually, Microsoft will change the behavior for existing provisioning configurations to support provisioning users with this role.

Updated provisioning User Interface

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Microsoft has refreshed the provisioning experience to create a more focused management view. When admins navigate to the provisioning blade for an enterprise application that has already been configured, they'll be able to easily monitor the progress of provisioning and manage actions such as starting, stopping, and restarting provisioning.

Dynamic Group rule validation is now available for Public Preview

Service category: Group Management
Product capability: Collaboration

Azure Active Directory (Azure AD) now provides the means to validate dynamic group rules. On the Validate rules tab, admins can validate their dynamic rule against sample group members to confirm the rule is working as expected. When creating or updating dynamic group rules, administrators want to know whether a user or a device will be a member of the group. This helps evaluate whether a user or device meets the rule criteria and aids in troubleshooting when membership is not expected.
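
The Validate rules tab answers one question: given this rule, would these sample users be members? The following is an added example, not code from the original post or from Microsoft, that answers the same question offline for a subset of the dynamic membership rule syntax as I know it (`user.` and `device.` properties, string, boolean, `null` and `["a","b"]` literals, the `-eq`, `-ne`, `-contains`, `-notContains`, `-startsWith`, `-in`, `-notIn` and `-match` operators, `-and`, `-or`, `-not` and parentheses). String comparison is case-insensitive here as a simplifying assumption; check the service's own per-operator behaviour before relying on that. The sample members are constructed.

```python
"""Validate an Azure AD dynamic membership rule against sample members offline.

Added example, not code from the original post or from Microsoft. Implements a
subset of the rule syntax as I know it; case-insensitive string comparison is a
simplifying assumption, and the sample members below are constructed.
"""
import re
from typing import Any, Dict, List, Tuple

_TOKEN = re.compile(r"""\s*(?:
      (?P<paren>[()])
    | (?P<str>"[^"]*")
    | (?P<list>\[[^\]]*\])
    | (?P<op>-[A-Za-z]+)
    | (?P<prop>(?:user|device)\.[A-Za-z_]+)
    | (?P<kw>null|true|false)
    )""", re.VERBOSE)
_KW = {"null": None, "true": True, "false": False}


def tokenize(rule: str) -> List[Tuple[str, str]]:
    pos, toks = 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if m is None:
            if rule[pos:].strip():
                raise ValueError(f"unexpected input at {pos}: {rule[pos:pos + 12]!r}")
            break                                   # only trailing whitespace left
        toks.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return toks


def _literal(kind: str, text: str) -> Any:
    if kind == "str":
        return text[1:-1]
    if kind == "list":
        return re.findall(r'"([^"]*)"', text)
    if kind == "kw":
        return _KW[text]
    raise ValueError(f"expected a value, got {text!r}")


class RuleParser:
    """Recursive descent: -or binds loosest, then -and, then -not and parentheses."""

    def __init__(self, rule: str) -> None:
        self.toks, self.i = tokenize(rule), 0

    def _peek(self) -> Tuple[str, str]:
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", "")

    def _take(self, kind: str = "") -> Tuple[str, str]:
        tok = self._peek()
        if kind and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok[1]!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek()[0] != "eof":
            raise ValueError(f"unexpected {self._peek()[1]!r}")
        return node

    def _or(self):
        node = self._and()
        while self._peek() == ("op", "-or"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._unary()
        while self._peek() == ("op", "-and"):
            self._take()
            node = ("and", node, self._unary())
        return node

    def _unary(self):
        if self._peek() == ("op", "-not"):
            self._take()
            return ("not", self._unary())
        if self._peek() == ("paren", "("):
            self._take()
            node = self._or()
            if self._take("paren")[1] != ")":
                raise ValueError("expected ')'")
            return node
        prop = self._take("prop")[1]                 # e.g. user.department
        op = self._take("op")[1]
        return ("cmp", prop.split(".", 1)[1], op, _literal(*self._take()))


def _fold(v: Any) -> Any:
    return v.lower() if isinstance(v, str) else v


def compare(actual: Any, op: str, lit: Any) -> bool:
    a, l = _fold(actual), _fold(lit)
    if op == "-eq":
        return a == l
    if op == "-ne":
        return a != l
    if op == "-in":
        return isinstance(lit, list) and a in [_fold(v) for v in lit]
    if op == "-notIn":
        return not compare(actual, "-in", lit)
    if not (isinstance(a, str) and isinstance(l, str)):
        return False                                 # string operator on a missing value
    if op == "-contains":
        return l in a
    if op == "-notContains":
        return l not in a
    if op == "-startsWith":
        return a.startswith(l)
    if op == "-match":
        return re.search(lit, actual) is not None    # regex, original case
    raise ValueError(f"unsupported operator {op}")


def evaluate(node, member: Dict[str, Any]) -> bool:
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], member) or evaluate(node[2], member)
    if kind == "and":
        return evaluate(node[1], member) and evaluate(node[2], member)
    if kind == "not":
        return not evaluate(node[1], member)
    _, attr, op, lit = node
    return compare(member.get(attr), op, lit)        # missing attribute reads as null


def validate_rule(rule: str, members: List[Dict[str, Any]]) -> Dict[str, bool]:
    """Like the Validate rules tab: which sample members would the rule include?"""
    tree = RuleParser(rule).parse()
    return {m["displayName"]: evaluate(tree, m) for m in members}


SAMPLE_MEMBERS = [  # constructed
    {"displayName": "Alice", "department": "Sales", "country": "NL", "accountEnabled": True},
    {"displayName": "Bob", "department": "Sales", "country": "US", "accountEnabled": False},
    {"displayName": "Carol", "department": "Engineering", "country": "NL", "accountEnabled": True},
    {"displayName": "Dan", "department": None, "country": "NL", "accountEnabled": True},
]
SAMPLE_RULE = ('(user.department -eq "sales" -or user.country -in ["NL", "BE"]) '
               '-and user.accountEnabled -eq true -and -not (user.department -eq null)')

if __name__ == "__main__":
    print(validate_rule(SAMPLE_RULE, SAMPLE_MEMBERS))
```

Running the sample rule against the sample members includes Alice and Carol and excludes Bob (disabled) and Dan (no department), which is exactly the kind of unexpected inclusion or exclusion the tab is meant to catch before a group that drives licensing or Conditional Access targeting goes live.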

Identity Secure Score – Security Defaults and MFA improvement action updates

Service category: N/A
Product capability: Identity Security & Protection

Supporting security defaults for Azure AD improvement actions

Microsoft Secure Score will be updating improvement actions to support security defaults in Azure AD, which make it easier to help protect organizations with pre-configured security settings for common attacks. This will affect the following improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access
  • Require MFA for administrative roles
  • Enable policy to block legacy authentication

MFA improvement action updates

To reflect the need for businesses to ensure the utmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multi-factor authentication and added two.

Removed improvement actions:

  • Register all users for multi-factor authentication
  • Require MFA for all users
  • Require MFA for Azure AD privileged roles

Added improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access
  • Require MFA for administrative roles

These new improvement actions require registering users or admins for multi-factor authentication (MFA) across the directory and establishing the right set of policies that fit the organizational needs. The main goal is to have flexibility while ensuring all users and admins can authenticate with multiple factors or risk-based identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for MFA.
