Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2020, on top of the announcements made at Build 2020:
What’s Planned
New email address for MFA admin notifications
Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection
Microsoft is planning changes to the multi-factor authentication (MFA) email notifications for both cloud MFA and MFA server. E-mail notifications will be sent from azure-noreply@microsoft.com.
Additionally, Microsoft is updating the content of fraud alert emails to better indicate the required steps to unblock users.
New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't synced to Azure AD
Service category: Authentications (Logins)
Product capability: User Authentication
Currently, users who are in domains federated in Azure AD, but who are not synced into the tenant, can't access Microsoft Teams.
Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure AD, to have a user object created automatically and be authenticated for Microsoft Teams. Their user object will be marked as "self-service sign up."
The OIDC discovery document for the Azure Government cloud is being updated to reference the correct Graph endpoints
Service category: Sovereign Clouds
Product capability: User Authentication
Starting in June, the OIDC discovery document for the Microsoft identity platform and OpenID Connect protocol on the Azure Government cloud endpoint will begin to return the correct national cloud Graph endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently provides the incorrect Graph endpoint in the msgraph_host field.
This bug fix will be rolled out gradually over approximately 2 months.
Azure Government users will no longer be able to sign in on login.microsoftonline.com
Service category: Sovereign Clouds
Product capability: User Authentication
On 1 June 2018, the official Azure Active Directory Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the .us endpoint.
Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint. Impacted apps will begin seeing the following error:
AADSTS900439 USGClientNotSupportedOnPublicEndpoint
There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020.
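The two Azure Government items above both come down to one check an app owner can automate: every endpoint the app derives from the discovery document must point at the .us authority, and the msgraph_host field must name a national cloud Graph host until Microsoft's fix lands. The following script is an added example written for this post, not Microsoft's code; the discovery document it parses is a constructed sample carrying only the fields the check reads, with the wrong public-cloud msgraph_host value the post describes.

```python
import json
from urllib.parse import urlparse

# Hosts taken from the post: the Azure Government authority and the two
# national cloud Graph endpoints the discovery document should return.
GOV_AUTHORITY_HOST = "login.microsoftonline.us"
PUBLIC_AUTHORITY_HOST = "login.microsoftonline.com"
GOV_GRAPH_HOSTS = {"graph.microsoft.us", "dod-graph.microsoft.us"}

# Constructed sample discovery document (only the fields this check reads).
# msgraph_host reproduces the wrong, public-cloud value the post says the
# Azure Government endpoint currently returns.
SAMPLE_GOV_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.us/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.us/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.us/common/oauth2/v2.0/token",
    "msgraph_host": "graph.microsoft.com",
})


def check_gov_discovery(doc_text):
    """Return a list of findings for an Azure Government OIDC discovery document.

    An empty list means every endpoint an app would derive from the document
    points at the .us authority and at a national cloud Graph host.
    """
    doc = json.loads(doc_text)
    findings = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        host = urlparse(doc.get(key, "")).hostname
        if host != GOV_AUTHORITY_HOST:
            findings.append(f"{key}: expected {GOV_AUTHORITY_HOST}, got {host}")
    graph_host = doc.get("msgraph_host")
    if graph_host not in GOV_GRAPH_HOSTS:
        findings.append(
            f"msgraph_host: expected one of {sorted(GOV_GRAPH_HOSTS)}, got {graph_host}; "
            "pin the Graph base URL in app configuration instead of trusting this field")
    return findings


def uses_public_endpoint(authority_url):
    """True when an app's configured authority still points at the public .com
    endpoint, which is what produces AADSTS900439 for Azure Government users."""
    return urlparse(authority_url).hostname == PUBLIC_AUTHORITY_HOST


if __name__ == "__main__":
    for finding in check_gov_discovery(SAMPLE_GOV_DISCOVERY):
        print("finding:", finding)
    for authority in ("https://login.microsoftonline.com/common",
                      "https://login.microsoftonline.us/common"):
        print(authority, "-> public endpoint" if uses_public_endpoint(authority) else "-> ok")
```

Against a live tenant you would feed check_gov_discovery the body of the .us discovery endpoint instead of the sample; while the msgraph_host bug is still being rolled out, the safe configuration is to hard-code the Graph base URL rather than derive it from the document.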
What’s New
Report-only mode for Conditional Access generally available
Service category: Conditional Access
Product capability: Identity Security & Protection
Report-only mode lets admins evaluate the result of a Conditional Access policy without enforcing access controls. Admins can test report-only policies across their organization and understand the impact of policies before enabling them, making deployment safer and easier.
Over the past few months, Microsoft has seen strong adoption of report-only mode—over 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode, by default. This means admins can monitor the impact of policies from the moment they’re created.
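Report-only mode only pays off if someone reads the outcomes before flipping the policy to enforced. The Azure AD sign-in logs record a result per applied policy, and for report-only policies that result tells you what would have happened. The tally below is an added example, not part of the post or of Microsoft's tooling; the sign-in records are constructed in the shape of Microsoft Graph signIn objects (only the fields the tally reads), and the result strings are the values Graph reports for report-only policies.

```python
from collections import defaultdict

# Constructed sign-in records shaped like Microsoft Graph signIn objects.
# reportOnlyFailure: the sign-in would have been blocked.
# reportOnlyInterrupted: the user would have been prompted (MFA, compliant device...).
# reportOnlySuccess / reportOnlyNotApplied: no visible change for the user.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy auth", "result": "reportOnlyNotApplied"},
         {"displayName": "Require MFA for all users", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Exchange (IMAP)",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy auth", "result": "reportOnlyFailure"},
         {"displayName": "Require MFA for all users", "result": "reportOnlyInterrupted"}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "success"},
         {"displayName": "Block legacy auth", "result": "reportOnlyNotApplied"}]},
]


def report_only_impact(sign_ins):
    """Tally report-only outcomes per policy and list the users whose sign-ins
    would have been blocked or interrupted had the policy been enforced.

    Returns (counts, affected): counts maps policy name -> {result: n};
    affected maps policy name -> sorted list of UPNs.
    """
    counts = defaultdict(lambda: defaultdict(int))
    affected = defaultdict(set)
    for sign_in in sign_ins:
        upn = sign_in.get("userPrincipalName", "<unknown>")
        for policy in sign_in.get("appliedConditionalAccessPolicies", []):
            result = policy.get("result", "unknown")
            if not result.startswith("reportOnly"):
                continue  # enforced policies are out of scope for this tally
            counts[policy["displayName"]][result] += 1
            if result in ("reportOnlyFailure", "reportOnlyInterrupted"):
                affected[policy["displayName"]].add(upn)
    return ({name: dict(c) for name, c in counts.items()},
            {name: sorted(users) for name, users in affected.items()})


if __name__ == "__main__":
    counts, affected = report_only_impact(SAMPLE_SIGN_INS)
    for name, by_result in counts.items():
        print(name, by_result, "affected:", affected.get(name, []))
```

On real data the input would be the page of signIn records returned by the Graph auditLogs endpoint; the policies with a non-empty affected list are the ones to review with the owners of those accounts before switching them from report-only to enforced.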
Conditional Access Insights and Reporting workbook generally available
Service category: Conditional Access
Product capability: Identity Security & Protection
The insights and reporting workbook gives admins a summary view of Azure AD Conditional Access in their organization’s tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real-time. The workbook streams data stored in Azure Monitor. To make the dashboard more discoverable, Microsoft has moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.
Policy details blade for Conditional Access public preview
Service category: Conditional Access
Product capability: Identity Security & Protection
The new policy details blade displays the assignments, conditions, and controls satisfied during conditional access policy evaluation. Admins can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.
SAML Token Encryption Generally Available
Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)
SAML token encryption allows applications to be configured to receive encrypted SAML assertions. The feature is now generally available in all clouds.
Group name claims in application tokens Generally Available
Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)
The group claims issued in a token can now be limited to just those groups assigned to the application. This is especially important when users are members of large numbers of groups and there was a risk of exceeding token size limits. With this new capability in place, the ability to add group names to tokens is generally available.
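To see why scoping the claim matters, it helps to simulate what lands in the token under the two manifest settings. The simulation below is an added example, not Microsoft's token issuance logic: it uses the documented groupMembershipClaims values ("All", "SecurityGroup", "ApplicationGroup", "None") and the documented limits of 150 groups for SAML and 200 for JWT, but it simplifies the overage behaviour to a marker and treats "SecurityGroup" like "All" (both assumptions are noted in the code); the manifests and group lists are constructed.

```python
# Limits Microsoft documents for the groups claim: above these, Azure AD drops
# the groups from the token and emits an overage claim pointing at Graph instead.
GROUP_CLAIM_LIMIT = {"jwt": 200, "saml": 150}

# Constructed app manifest fragments: the setting that emits every group the
# user belongs to, and the scoped setting the post describes.
MANIFEST_ALL_GROUPS = {"groupMembershipClaims": "All"}
MANIFEST_APP_GROUPS = {"groupMembershipClaims": "ApplicationGroup"}


def build_groups_claim(manifest, user_groups, app_assigned_groups, token_format="jwt"):
    """Simplified simulation of the groups claim an app would receive.

    Returns {"groups": [...]} or, when the limit is exceeded, an overage marker.
    Real tokens carry _claim_names/_claim_sources (JWT) or a groups.link claim
    (SAML) in the overage case; this simulation only records that the groups
    were dropped from the token.
    """
    mode = manifest.get("groupMembershipClaims") or "None"
    if mode == "None":
        return {}
    if mode == "ApplicationGroup":
        # only groups that are assigned to the app end up in the token
        groups = [g for g in user_groups if g in app_assigned_groups]
    elif mode in ("All", "SecurityGroup"):
        # simplification: both treated as "every group the user is in"
        groups = list(user_groups)
    else:
        raise ValueError(f"unknown groupMembershipClaims value: {mode}")
    if len(groups) > GROUP_CLAIM_LIMIT[token_format]:
        return {"groups_overage": True, "group_count": len(groups)}
    return {"groups": groups}


if __name__ == "__main__":
    # constructed: a user in 220 groups, of which three are assigned to the app
    user_groups = [f"group-{i}" for i in range(220)]
    assigned = {"group-1", "group-7", "group-9"}
    for fmt in ("jwt", "saml"):
        print(fmt, "All:", build_groups_claim(MANIFEST_ALL_GROUPS, user_groups, assigned, fmt))
        print(fmt, "ApplicationGroup:", build_groups_claim(MANIFEST_APP_GROUPS, user_groups, assigned, fmt))
```

An app that authorizes on the groups claim should also treat the overage case as "groups unknown, go and ask Graph" rather than as "no groups"; with "ApplicationGroup" that case becomes far less likely because only the assigned groups are counted.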
Self-service sign up for guest users public preview
Service category: Business to Business (B2B)
Product capability: Azure AD B2B/B2C
With External Identities in Azure AD, you can allow people outside the organization to access your organization’s apps and resources while letting them sign in using whatever identity they prefer.
When sharing an application with external users, admins might not always know in advance who will need access to the application. With self-service sign-up, admins can enable guest users to sign up and gain a guest account for line of business (LOB) apps. The sign-up flow can be created and customized to support Azure AD and social identities. Your organization can also collect additional information about the user during sign-up.
The Hybrid Identity Administrator role is now available with Cloud Provisioning
Service category: Azure AD Cloud Provisioning
Product capability: Identity Lifecycle Management
Azure AD admins can start using the new Hybrid Administrator role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, admins no longer have to use the Global Admin role to set up and configure Cloud Provisioning.
New Federated Apps available in Azure AD Application gallery
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In May 2020, Microsoft added the following 36 new applications to the Azure AD App gallery with Federation support:
- Moula
- Surveypal
- Kbot365
- TackleBox
- Powell Teams
- Talentsoft Assistant
- ASC Recording Insights
- GO1
- B-Engaged
- Competella Contact Center Workgroup
- Asite
- ImageSoft Identity
- My IBISWorld
- insuite
- Change Process Management
- Cyara CX Assurance Platform
- Smart Global Governance
- Prezi
- Mapbox
- Datava Enterprise Service Platform
- Whimsical
- Trelica
- EasySSO for Confluence
- EasySSO for BitBucket
- EasySSO for Bamboo
- Torii
- Axiad Cloud
- Humanage
- ColorTokens ZTNA
- CCH Tagetik
- ShareVault
- Vyond
- TextExpander
- Anyone Home CRM
- askSpoke
- ice Contact Center
New provisioning connectors in the Azure AD Application Gallery – May 2020
Service category: App Provisioning
Product capability: 3rd Party Integration
Admins can now automate creating, updating, and deleting user accounts for these five newly integrated apps:
Workday Writeback now supports setting work phone number attributes
Service category: App Provisioning
Product capability: Identity Lifecycle Management
Microsoft has enhanced the Workday Writeback provisioning app to now support writeback of work phone number and mobile number attributes. In addition to email and username, admins can now configure the Workday Writeback provisioning app to flow phone number values from Azure AD to Workday.
Publisher Verification Public preview
Service category: Other
Product capability: Developer Experience
Publisher verification (preview) helps admins and end-users understand the authenticity of application developers integrating with the Microsoft identity platform.
New query capabilities for Directory Objects in Microsoft Graph Public Preview
Service category: Microsoft Graph
Product capability: Developer Experience
New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter, and Sort operations. This will give developers the ability to quickly query Microsoft’s Directory Objects without workarounds such as in-memory filtering and sorting.
Configure SAML-based single sign-on using Microsoft Graph API Beta
Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)
Support for creating and configuring an application from the Azure AD Gallery using Microsoft Graph APIs in Beta is now available. If an admin or developer needs to set up SAML-based single sign-on for multiple instances of an application, time can be saved by using the Microsoft Graph APIs to automate the configuration of SAML-based single sign-on.
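The Graph sequence for one SAML instance is short enough to show end to end: instantiate the gallery template, mark the service principal as SAML, set the identifier and reply URL on the application, add a token signing certificate and make it the preferred key. The script below is an added example, not Microsoft's sample and not part of this post. It uses the beta Graph endpoints named in the code; the HTTP transport is injected as a function, so the FakeGraph class lets it run offline, and the template id, object ids and thumbprint are obvious placeholders. A real run needs an access token with the corresponding application permissions.

```python
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"


def configure_saml_sso(send, template_id, display_name, identifier_uri, reply_url,
                       cert_end="2023-01-01T00:00:00Z"):
    """Instantiate a gallery app and configure SAML SSO on it through Graph.

    `send(method, url, body)` performs one Graph call and returns the parsed
    JSON response; injecting it keeps the example runnable offline.
    """
    # 1. Instantiate the gallery template: the response carries both objects
    inst = send("POST", f"{GRAPH_BETA}/applicationTemplates/{template_id}/instantiate",
                {"displayName": display_name})
    app_id = inst["application"]["id"]
    sp_id = inst["servicePrincipal"]["id"]
    # 2. Tell Azure AD this service principal uses SAML
    send("PATCH", f"{GRAPH_BETA}/servicePrincipals/{sp_id}",
         {"preferredSingleSignOnMode": "saml"})
    # 3. Basic SAML settings: entity id (identifier) and reply URL (ACS)
    send("PATCH", f"{GRAPH_BETA}/applications/{app_id}",
         {"identifierUris": [identifier_uri], "web": {"redirectUris": [reply_url]}})
    # 4. Create a signing certificate (displayName must start with CN=) and activate it
    cert = send("POST", f"{GRAPH_BETA}/servicePrincipals/{sp_id}/addTokenSigningCertificate",
                {"displayName": f"CN={display_name}", "endDateTime": cert_end})
    send("PATCH", f"{GRAPH_BETA}/servicePrincipals/{sp_id}",
         {"preferredTokenSigningKeyThumbprint": cert["thumbprint"]})
    return {"application_id": app_id, "service_principal_id": sp_id,
            "signing_thumbprint": cert["thumbprint"]}


def graph_sender(access_token):
    """Real transport: returns a send() that calls Graph with a bearer token."""
    def send(method, url, body):
        req = urllib.request.Request(
            url, method=method, data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


class FakeGraph:
    """Offline stand-in that records calls and returns constructed responses."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url.replace(GRAPH_BETA, ""), body))
        if url.endswith("/instantiate"):
            return {"application": {"id": "APP-OBJECT-ID-PLACEHOLDER"},
                    "servicePrincipal": {"id": "SP-OBJECT-ID-PLACEHOLDER"}}
        if url.endswith("/addTokenSigningCertificate"):
            return {"thumbprint": "THUMBPRINT-PLACEHOLDER", "keyId": "KEY-ID-PLACEHOLDER"}
        return {}


if __name__ == "__main__":
    fake = FakeGraph()
    # several instances of the same app are just a loop over the same function
    for name, entity_id in (("Contoso HR prod", "https://hr.contoso.example/prod"),
                            ("Contoso HR test", "https://hr.contoso.example/test")):
        print(configure_saml_sso(fake, "TEMPLATE-ID-PLACEHOLDER", name, entity_id,
                                 entity_id + "/saml/acs"))
    for method, path, _ in fake.calls:
        print(method, path)
```

Swapping FakeGraph for graph_sender(token) runs the same sequence against a tenant; keeping the transport separate also makes it easy to log every call, which is worth having when an automation account holds Application.ReadWrite permissions.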
What’s Changed
Authorization Code Flow for Single-page apps
Service category: Authentication
Product capability: Developer Experience
Because of modern browser 3rd party cookie restrictions such as Safari ITP, single-page apps (SPAs) will have to use the authorization code flow rather than the implicit flow to maintain single sign-on (SSO). MSAL.js version 2.x will now support the authorization code flow.
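The security difference between the two flows is easy to see in the authorization request itself: the implicit flow asks for tokens to be returned straight into the browser's URL fragment, while the authorization code flow returns only a short-lived code and binds its redemption to the caller with PKCE (RFC 7636), which is what MSAL.js 2.x does for SPAs. The following is an added example written for this post, not MSAL.js code: it builds both kinds of request and implements the PKCE verifier/challenge pair and the check the token endpoint performs. The client id and redirect URI are placeholders; the authorize URL is the public v2.0 endpoint.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier():
    """High-entropy verifier (RFC 7636 section 4.1): 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier):
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id, redirect_uri, scope, state, verifier=None, flow="code"):
    """Authorization request for a SPA.

    flow="implicit": legacy request, tokens come back in the URL fragment and
    nothing ties them to the page that asked for them.
    flow="code": the request MSAL.js 2.x now sends, a code comes back and the
    PKCE challenge means only the holder of the verifier can redeem it.
    """
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state}
    if flow == "implicit":
        params.update({"response_type": "token id_token",
                       "response_mode": "fragment",
                       "nonce": secrets.token_urlsafe(16)})
    elif flow == "code":
        if verifier is None:
            raise ValueError("the code flow needs a PKCE verifier")
        params.update({"response_type": "code",
                       "code_challenge": code_challenge(verifier),
                       "code_challenge_method": "S256"})
    else:
        raise ValueError(f"unknown flow: {flow}")
    return f"{AUTHORIZE}?{urlencode(params)}"


def verify_pkce(stored_challenge, presented_verifier):
    """What the token endpoint does when the code is redeemed: recompute the
    challenge from the presented verifier and compare in constant time."""
    return hmac.compare_digest(code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(build_authorize_url("CLIENT-ID-PLACEHOLDER", "https://spa.contoso.example/",
                              "openid profile User.Read", "state-1", verifier))
    print("redeem with right verifier:", verify_pkce(code_challenge(verifier), verifier))
    print("redeem with wrong verifier:", verify_pkce(code_challenge(verifier), make_code_verifier()))
```

The verifier never leaves the SPA until redemption, and the code is useless without it, so a code leaked through a referrer or browser history cannot be turned into a token by anyone else; that is the property the implicit flow could not offer once third-party cookies stopped being available for silent renewal.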
Improved Filtering for Devices Public Preview
Service category: Device Management
Product capability: Device Lifecycle Management
Previously, the only filters admins could use were Enabled and Activity date. In this public preview, admins can filter the list of devices on more properties, including OS type, Join type, Compliance, and more. These additions should simplify locating a particular device.
The new App registrations experience for Azure AD B2C generally available
Service category: Consumer Identity Management (B2C)
Product capability: Identity Lifecycle Management
The new App registrations experience for Azure AD B2C is now generally available.
Previously, admins had to manage their B2C consumer-facing applications separately from the rest of their apps using the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure. The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. Whether admins need to manage a customer-facing app or an app that has access to Microsoft Graph to programmatically manage Azure AD B2C resources, they only need to learn one way to do things.
What’s Fixed
SAML Single Logout request now sends NameID in the correct format
Service category: Authentications (Logins)
Product capability: User Authentication
When a user clicks on sign-out (e.g., in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.
If the original SAML sign-in token used a different format for NameID (e.g. email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.
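The failure mode above is visible from the service provider side: the SP stores the NameID (value and Format) it received in the sign-in assertion, and a LogoutRequest whose NameID does not match that record cannot be tied to a session, so the correct behaviour is to drop it and the user stays signed in. The code below is an added example of that SP-side correlation, not Azure AD's logic or code from this post; the LogoutRequest XML and the session table are constructed, the tenant id in the Issuer is a placeholder, and the example deliberately leaves out XML signature validation, which a real SP performs before acting on any logout message.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP session table keyed by what the sign-in assertion carried:
# alice signed in with an emailAddress-format NameID.
SESSIONS = {(FORMAT_EMAIL, "alice@contoso.example"): "sp-session-42"}

# Constructed LogoutRequest; the Issuer follows the Azure AD pattern with a placeholder tenant id.
LOGOUT_TEMPLATE = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2020-05-31T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:NameID Format="{fmt}">{value}</saml:NameID>
</samlp:LogoutRequest>"""


def build_logout_request(fmt, value):
    """Constructed LogoutRequest with the given NameID format and value."""
    return LOGOUT_TEMPLATE.format(fmt=fmt, value=value)


def parse_logout_request(xml_text):
    """Return (format, value) of the NameID in a LogoutRequest.

    A missing Format attribute means 'unspecified' per the SAML core spec.
    Signature validation is out of scope here and must happen before this step.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    name_id = root.find("saml:NameID", NS)
    if name_id is None:
        raise ValueError("LogoutRequest without NameID")
    return name_id.get("Format", FORMAT_UNSPECIFIED), (name_id.text or "").strip()


def correlate_logout(xml_text, sessions):
    """Return the SP session the LogoutRequest refers to, or None when the
    NameID (format and value) matches nothing recorded at sign-in; None is
    the 'discarded, user stays logged in' case the post describes."""
    return sessions.get(parse_logout_request(xml_text))


if __name__ == "__main__":
    # before the fix: persistent-format NameID that the SP never saw at sign-in
    broken = build_logout_request(FORMAT_PERSISTENT, "OPAQUE-PERSISTENT-ID-PLACEHOLDER")
    print("persistent NameID ->", correlate_logout(broken, SESSIONS))
    # after the fix: the NameID matches the format configured for the app
    fixed = build_logout_request(FORMAT_EMAIL, "alice@contoso.example")
    print("emailAddress NameID ->", correlate_logout(fixed, SESSIONS))
```

If you operate an SP and want to be robust against an IdP that sends a different NameID than it did at sign-in, correlating on the SessionIndex element (when the IdP includes one) is a useful second key; either way, a LogoutRequest that matches no session should be logged, since a stream of them is a sign that single logout is silently failing for your users.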