What’s New in Azure Active Directory in May 2020

Reading Time: 6 minutes

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2020, on top of the announcements made at Build 2020:

                   

What’s Planned

New email address for MFA admin notifications

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

Microsoft is planning changes to the multi-factor authentication (MFA) email notifications for both cloud MFA and MFA server. E-mail notifications will be sent from  azure-noreply@microsoft.com.

Additionally, Microsoft is updating the content of fraud alert emails to better indicate the required steps to unblock uses.

                  

New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't synced to Azure AD

Service category: Authentications (Logins)
Product capability: User Authentication

Currently, users who are in domains federated in Azure AD, but who are not synced into the tenant, can't access Microsoft Teams.

Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Microsoft Teams. Their user object will be marked as "self-service sign up."

                

The OIDC discovery document for the Azure Government cloud is being updated to reference the correct Graph endpoints

Service category: Sovereign Clouds
Product capability: User Authentication

Starting in June, the OIDC discovery document Microsoft identity platform and OpenID Connect protocol on the Azure Government cloud endpoint, will begin to return the correct National cloud graph endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently provides the incorrect Graph endpoint msgraph_host field.

This bug fix will be rolled out gradually over approximately 2 months.

        

Azure Government users will no longer be able to sign in on login.microsoftonline.com

Service category: Sovereign Clouds
Product capability: User Authentication

On 1 June 2018, the official Azure Active Directory Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the .us endpoint.

Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint. Impacted apps will begin seeing the following error:

AADSTS900439 USGClientNotSupportedOnPublicEndpoint

There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020.

               

What’s New

Report-only mode for Conditional Access generally available

Service category: Conditional Access
Product capability: Identity Security & Protection

Report-only mode lets admins evaluate the result of a Conditional Access policy without enforcing access controls. Admins can test report-only policies across their organization and understand the impact of policies before enabling them, making deployment safer and easier.

Over the past few months, Microsoft has seen strong adoption of report-only mode—over 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode, by default. This means admins can monitor the impact of policies from the moment they’re created.

        

Conditional Access Insights and Reporting workbook  generally available

Service category: Conditional Access
Product capability: Identity Security & Protection

The insights and reporting workbook gives admins a summary view of Azure AD Conditional Access in their organization’s tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real-time. The workbook streams data stored in Azure Monitor. To make the dashboard more discoverable, Microsoft has moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.

                    

Policy details blade for Conditional Access public preview

Service category: Conditional Access
Product capability: Identity Security & Protection

The new policy details blade displays the assignments, conditions, and controls satisfied during conditional access policy evaluation. Admins can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.

                   

SAML Token Encryption Generally Available

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

SAML token encryption allows applications to be configured to receive encrypted SAML assertions. The feature is now generally available in all clouds.

                      

Group name claims in application tokens Generally Available

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

The group claims issued in a token can now be limited to just those groups assigned to the application. This is especially important when users are members of large numbers of groups and there was a risk of exceeding token size limits. With this new capability in place, the ability to add group names to tokens is generally available.

             

Self-service sign up for guest users public preview

Service category: Business to Business (B2B)
Product capability: Azure AD B2B/B2C

With External Identities in Azure AD, you can allow people outside the organization to access your organization’s apps and resources while letting them sign in using whatever identity they prefer.

When sharing an application with external users, admins might not always know in advance who will need access to the application. With self-service sign-up, admins can enable guest users to sign up and gain a guest account for line of business (LOB) apps. The sign-up flow can be created and customized to support Azure AD and social identities. Your organization can also collect additional information about the user during sign-up.

                          

The Hybrid Identity Administrator role is now available with Cloud Provisioning

Service category: Azure AD Cloud Provisioning
Product capability: Identity Lifecycle Management

Azure AD admins can start using the new Hybrid Administrator role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, admins no longer have to use the Global Admin role to setup and configure Cloud Provisioning.

          

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2020, Microsoft has added the following 36 new applications in the Azure AD App gallery with Federation support:

       

New provisioning connectors in the Azure AD Application Gallery – May 2020

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can now automate creating, updating, and deleting user accounts for these five newly integrated apps:

               

Workday Writeback now supports setting work phone number attributes

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Microsoft has enhanced the Workday Writeback provisioning app to now support writeback of work phone number and mobile number attributes. In addition to email and username, admins can now configure the Workday Writeback provisioning app to flow phone number values from Azure AD to Workday.

                   

Publisher Verification Public preview

Service category: Other
Product capability: Developer Experience

Publisher verification (preview) helps admins and end-users understand the authenticity of application developers integrating with the Microsoft identity platform.

        

New query capabilities for Directory Objects in Microsoft Graph Public Preview

Service category: Microsoft Graph
Product capability: Developer Experience

New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter, and Sort operations. This will give developers the ability to quickly query Microsoft’s Directory Objects without workarounds such as in-memory filtering and sorting.

              

Configure SAML-based single sign-on using Microsoft Graph API Beta

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Support for creating and configuring an application from the Azure AD Gallery using Microsoft Graph APIs in Beta is now available. If an admin or developer needs to set up SAML-based single sign-on for multiple instances of an application, time can be saved by using the Microsoft Graph APIs to automate the configuration of SAML-based single sign-on.

                  

What’s Changed

Authorization Code Flow for Single-page apps

Service category: Authentication
Product capability: Developer Experience

Because of modern browser 3rd party cookie restrictions such as Safari ITP, single-page apps (SPAs) will have to use the authorization code flow rather than the implicit flow to maintain single sign-on (SSO). MSAL.js version 2.x will now support the authorization code flow.

                  

Improved Filtering for Devices Public Preview

Service category: Device Management
Product capability: Device Lifecycle Management

Previously, the only filters admins could use were Enabled and Activity date. In this public preview, admins can filter the list of devices on more properties, including OS type, Join type, Compliance, and more. These additions should simplify locating a particular device.

         

The new App registrations experience for Azure AD B2C generally available

Service category: Consumer Identity Management (B2C)
Product capability: Identity Lifecycle Management

The new App registrations experience for Azure AD B2C is now generally available.

Previously, admins had to manage their B2C consumer-facing applications separately from the rest of their apps using the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure. The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. Whether admins need to manage a customer-facing app or an app that has access to Microsoft Graph to programmatically manage Azure AD B2C resources, they only need to learn one way to do things.

                 

What’s Fixed

SAML Single Logout request now sends NameID in the correct format

Service category: Authentications (Logins)
Product capability: User Authentication

When a user clicks on sign-out (e.g., in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.

If the original SAML sign-in token used a different format for NameID (e.g. email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.