Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and on its blog, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for June 2020:
What’s Planned
User risk condition in Conditional Access policy
Service category: Conditional Access
Product capability: Identity Security & Protection
User risk support in Azure AD Conditional Access policy allows admins to create multiple user risk-based policies. Different minimum user risk levels can be required for different users and apps. Based on user risk, admins can create policies to block access, require multi-factor authentication, secure password change, or redirect to Microsoft Cloud App Security to enforce session policy, such as additional auditing.
The user risk condition requires Azure AD Premium P2 subscription licenses, because it uses Azure Identity Protection.
My Apps and My Account user portals default experience
Service category: Authentications (Logins)
Product capability: User Authentication
Earlier this year, Microsoft refreshed the My Apps and My Account portals, which provide a single point of discovery for end users to launch all of their applications and access self-service tools for their identity profile. Currently, these refreshed experiences have been optional, separated from their predecessors with unique URLs. Starting July 20, 2020, Microsoft will be making these refreshed portals the default experience to streamline touchpoints for organizations and their customers.
Access reviews user default experience
Service category: Access Reviews
Product capability: Entitlement Management
With the transition to the new My Apps experience, Access Reviews will soon transition to the refreshed My Access experience. The updated experience offers the same functionality as the legacy experience with an improved user interface and new capabilities to keep users productive. Access reviewers can already see a banner in My Access to try the new experience, which will become the default on July 27, 2020.
What’s New
Unified search on the Azure AD Overview blade General availability
Service category: Azure AD Portal
Product capability: Azure AD Management
Microsoft has redesigned the Azure AD overview blade. Previously, the search experience required admins and users to specify filters. In June, Microsoft launched a unified search experience that enables a quicker way to search within tenants, across all categories. This is supported within Azure AD as well as Azure AD B2C tenants.
Tenant switching on the Azure AD Overview blade General availability
Service category: Azure AD Portal
Product capability: Azure AD Management
Microsoft has redesigned the Azure AD overview blade. Tenant switching enables customers to view all their Azure AD and Azure AD B2C directories in one place, switch between tenants, and view tenant details without leaving the Azure AD portal.
Azure AD B2B Collaboration supports inviting MSA and Google users in Azure Government tenants
Service category: Azure AD Business to Business (B2B)
Product capability: Azure AD B2B/B2C
Azure Government tenants using the Azure AD Business to Business collaboration features can now invite people that have a Microsoft or Google account.
User object in MS Graph v1 now includes externalUserState and externalUserStateChangedDateTime properties
Service category: Azure AD Business to Business (B2B)
Product capability: Azure AD B2B/B2C
The externalUserState and externalUserStateChangedDateTime properties can be used by admins to find invited B2B guests who have not accepted their invitations yet, as well as to build automation such as deleting users who haven't accepted their invitations after some number of days. These properties are now available in Microsoft Graph v1.0.
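As an added illustration of the cleanup automation described above (example code, not Microsoft's), the following Python filters a constructed Graph v1.0 response for guests whose invitation has been pending longer than a threshold; the query URL shape is assumed from the property names on this page and the sample records are constructed, not real tenant data.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed shape of the Graph v1.0 query an admin would issue (the $filter and
# $select use the property names announced above).
GRAPH_QUERY = (
    "https://graph.microsoft.com/v1.0/users"
    "?$filter=externalUserState eq 'PendingAcceptance'"
    "&$select=id,userPrincipalName,externalUserState,externalUserStateChangedDateTime"
)

# Constructed sample response; ids and names are placeholders.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "guest-1", "userPrincipalName": "alice_example.com#EXT#@contoso.example",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": "2020-05-01T08:00:00Z"},
    {"id": "guest-2", "userPrincipalName": "bob_example.com#EXT#@contoso.example",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": "2020-06-20T08:00:00.1234567Z"},
    {"id": "guest-3", "userPrincipalName": "carol_example.com#EXT#@contoso.example",
     "externalUserState": "Accepted",
     "externalUserStateChangedDateTime": "2020-03-15T08:00:00Z"},
    {"id": "guest-4", "userPrincipalName": "dave_example.com#EXT#@contoso.example",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": None},
]})


def parse_graph_datetime(value):
    """Graph returns ISO 8601 UTC timestamps ending in 'Z', sometimes with fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def stale_pending_guests(response_json, now, max_age_days):
    """Return ids of invited guests whose invitation has been pending longer than max_age_days.

    The server-side $filter already restricts to PendingAcceptance; the state is
    re-checked here so the function is safe to run on an unfiltered user list too.
    Records without a state-change timestamp are skipped rather than acted on.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for user in json.loads(response_json).get("value", []):
        if user.get("externalUserState") != "PendingAcceptance":
            continue
        changed = user.get("externalUserStateChangedDateTime")
        if not changed:
            continue
        if parse_graph_datetime(changed) < cutoff:
            stale.append(user["id"])
    return stale
```

The returned ids are the candidates for a follow-up review or deletion step; keeping the timestamp check separate from the delete call makes the threshold easy to audit.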
Application proxy management API for Microsoft Graph (beta)
Service category: Enterprise Apps
Product capability: Application Proxy
With the API set in beta for Microsoft Graph, as well as for the EDU endpoint, you now have full coverage for all the App Proxy management actions available in the Azure AD portal or via PowerShell. The API set provides the ability to automate the following scenarios:
- Configure App Proxy properties for an app
- Configure single sign-on (SSO) for legacy authentication modes
- Manage connectors in connector groups
- Manage connector groups and apps assigned to connector groups
Manage authentication sessions in Azure AD Conditional Access General availability
Service category: Conditional Access
Product capability: Identity Security & Protection
Authentication session management capabilities allow organizations to configure how often people in the Azure AD tenant need to provide sign-in credentials, and whether they need to provide credentials again after closing and reopening their browsers, offering more security and flexibility in the environment.
Additionally, authentication session management used to only apply to the First Factor Authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Now authentication session management will apply to Multi-Factor Authentication (MFA) as well.
New Federated Apps available in Azure AD Application gallery
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In June 2020, Microsoft added the following 29 new applications in the App gallery with Federation support:
- Shopify Plus
- Ekarda
- MailGates
- BullseyeTDP
- Raketa
- Segment
- Ai Auditor
- Pobuca Connect
- Proto.io
- Gatekeeper
- Hub Planner
- Ansira-Partner Go-to-Market Toolbox
- IBM Digital Business Automation on Cloud
- Kisi Physical Security
- ViewpointOne
- IntelligenceBank
- pymetrics
- Zero
- InStation
- edX for Business SAML 2.0 Integration
- MOOC Office 365
- SmartKargo
- PKIsigning platform
- SiteIntel
- Field iD
- Curricula SAML
- Perforce Helix Core – Helix Authentication Service
- MyCompliance Cloud
- Smallstep SSH
API connectors for External Identities self-service sign-up Public Preview
Type: New feature
Service category: B2B
Product capability: B2B/B2C
External Identities API connectors enable organizations to leverage web APIs to integrate self-service sign-up with external cloud systems. This means admins can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows. For example, you can use API connectors to:
- Integrate with custom approval workflows
- Perform identity proofing
- Validate user input data
- Overwrite user attributes
- Run custom business logic
Provision on-demand and get users into apps in seconds
Service category: App Provisioning
Product capability: Identity Lifecycle Management
The Azure AD provisioning service currently operates on a cyclic basis: the service runs every 40 minutes. The on-demand provisioning capability allows admins to pick a user and provision them in seconds. This allows admins to quickly troubleshoot provisioning issues without having to restart the job to force a new provisioning cycle.
New permission for using Azure AD entitlement management in Graph
Service category: Other
Product capability: Entitlement Management
A new delegated permission EntitlementManagement.Read.All is now available for use with the Entitlement Management API in Microsoft Graph beta.
Identity Protection APIs available in v1.0 General Availability
Service category: Identity Protection
Product capability: Identity Security & Protection
The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they are available at the v1.0 endpoint, Microsoft invites everyone to use them in production.
Sensitivity labels to apply policies to Microsoft 365 groups General Availability
Service category: Group Management
Product capability: Collaboration
Admins can now create sensitivity labels and use the label settings to apply policies to Microsoft 365 groups, including privacy (Public or Private) and external user access policy. For example, admins can create a label whose privacy policy is Private and whose external user access policy disallows adding guest users. When a user applies this label to a group, the group will be private, and no guest users can be added to the group.
Sensitivity labels are important to protect business-critical data and enable organizations to manage groups at scale, in a compliant and secure fashion.
What’s Changed
SAML SSO now supports apps that require SPNameQualifier to be set when requested
Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)
Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now Azure AD responds correctly when an SPNameQualifier is requested in the request's NameID policy. This currently works for SP-initiated sign-in; IdP-initiated sign-in will follow.
The limit on group membership conditions in SSO claims configuration is increased
Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)
Previously, the number of groups admins could use when they conditionally change claims based on group membership within any single application configuration was limited to 10. The use of group membership conditions in SSO claims configuration has now increased to a maximum of 50 groups.
Updates to support for Microsoft Identity Manager for Azure AD Premium customers
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management
Azure Support is now available for Azure AD integration components of Microsoft Identity Manager 2016, through the end of Extended Support for Microsoft Identity Manager 2016.
Refreshed Azure AD and Microsoft 365 sign-in background design
Service category: Authentications (Logins)
Product capability: User Authentication
In March, Microsoft announced plans to roll out a new default background image on Azure AD and Microsoft 365 sign-in screens. The new image (rolled out to all customers in early May) helps reduce bandwidth requirements and improve perceived page load times, especially on slower networks.
Enabling basic formatting on the Sign In Page Text component in Company Branding
Service category: Authentications (Logins)
Product capability: User Authentication
The Company Branding functionality on the Azure AD/Microsoft 365 sign-in experience has been updated to allow admins to add hyperlinks and simple formatting, including bold font, underline, and italics.
Provisioning performance improvements
Service category: App Provisioning
Product capability: Identity Lifecycle Management
The provisioning service has been updated to reduce the time for an incremental cycle to complete. This means that users and groups will be provisioned into their applications faster than they were previously. All new provisioning jobs created after June 10th, 2020, will automatically benefit from the performance improvements. Any applications configured for provisioning before June 10th, 2020, will need to restart once after June 10th, 2020, to take advantage of the performance improvements.
What’s Deprecated
Announcing the deprecation of ADAL
Service category: N/A
Product capability: Device Lifecycle Management
Microsoft will no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. Starting June 30th, 2020, new functionality will be added only to the Microsoft Authentication Library (MSAL).
Announcing the deprecation of Azure AD Graph
Service category: N/A
Product capability: Device Lifecycle Management
Azure AD Graph APIs will receive only bug fixes and security fixes through June 30th, 2022. Starting June 30th, 2020, new functionality will be added only to the Microsoft Graph API.