What’s New in Azure Active Directory in June 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and on its blog, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for June 2020:

 

What’s Planned

User risk condition in Conditional Access policy

Service category: Conditional Access
Product capability: Identity Security & Protection

User risk support in Azure AD Conditional Access policy allows admins to create multiple user risk-based policies. Different minimum user risk levels can be required for different users and apps. Based on user risk, admins can create policies to block access, require multi-factor authentication, secure password change, or redirect to Microsoft Cloud App Security to enforce session policy, such as additional auditing.

The user risk condition requires Azure AD Premium P2 licenses, because it is driven by Azure AD Identity Protection's user risk score.

My Apps and My Account user portals default experience

Service category: Authentications (Logins)
Product capability: User Authentication

Earlier this year, Microsoft refreshed the My Apps and My Account portals, which provide a single point of discovery for end users to launch all of their applications and access self-service tools for their identity profile. Currently, these refreshed experiences have been optional, separated from their predecessors with unique URLs. Starting July 20, 2020, Microsoft will be making these refreshed portals the default experience to streamline touchpoints for organizations and their customers.

Access reviews user default experience

Service category: Access Reviews
Product capability: Entitlement Management

With the transition to the new My Apps experience, Access Reviews will soon transition to the refreshed My Access experience. The updated experience offers the same functionality as the legacy experience with an improved user interface and new capabilities to keep users productive. Access reviewers can already see a banner in My Access to try the new experience, which will become the default on July 27, 2020.


What’s New

Unified search on the Azure AD Overview blade General availability

Service category: Azure AD Portal
Product capability: Azure AD Management

Microsoft has redesigned the Azure AD overview blade. Previously, the search experience required admins and users to specify filters. In June, Microsoft launched a unified search experience that offers a quicker way to search within a tenant, across all categories. This is supported in Azure AD as well as Azure AD B2C tenants.

Tenant switching on the Azure AD Overview blade General availability

Service category: Azure AD Portal
Product capability: Azure AD Management

Microsoft has redesigned the Azure AD overview blade. Tenant switching enables customers to view all their Azure AD and Azure AD B2C directories in one place, switch between tenants, and view tenant details without leaving the Azure AD portal.

Azure AD B2B Collaboration supports inviting MSA and Google users in Azure Government tenants

Service category: Azure AD Business to Business (B2B)
Product capability: Azure AD B2B/B2C

Azure Government tenants using the Azure AD Business to Business collaboration features can now invite people that have a Microsoft or Google account.

User object in Microsoft Graph v1.0 now includes externalUserState and externalUserStateChangedDateTime properties

Service category: Azure AD Business to Business (B2B)
Product capability: Azure AD B2B/B2C

The externalUserState and externalUserStateChangedDateTime properties can be used by admins to find invited B2B guests who have not accepted their invitations yet, and to build automation such as deleting guests who have not accepted their invitations after some number of days. These properties are now available at the Microsoft Graph v1.0 endpoint.
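The stale-invitation clean-up described above, as an added example that is not part of the original post or of Microsoft's tooling. It runs offline against a constructed Graph response (the GUIDs and UPNs are made up); in production the same `$filter` goes to an authenticated GET on the v1.0 users endpoint, and the DELETE calls are only issued after the dry run looks right. Note that `externalUserStateChangedDateTime` can be null, so the code refuses to date (and therefore to delete) such records.

```python
"""Find and (dry-run) delete B2B guests whose invitation is still pending.

Added example, not Microsoft's code. Works offline on a constructed Graph
response; in production the query below is sent with a bearer token holding
User.Read.All (and User.ReadWrite.All for the DELETE calls).
"""
from datetime import datetime, timedelta, timezone
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Only guests whose invitation has not been redeemed yet; the age cut-off is
# applied client-side so the request stays a simple (non-advanced) $filter.
PENDING_GUESTS_QUERY = (
    f"{GRAPH}/users?$filter=externalUserState eq 'PendingAcceptance'"
    "&$select=id,userPrincipalName,externalUserState,externalUserStateChangedDateTime"
)

# Constructed sample of what the query above returns (not real tenant data).
SAMPLE_RESPONSE = json.loads("""{
  "value": [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001",
     "userPrincipalName": "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": "2020-04-20T08:15:30Z"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002",
     "userPrincipalName": "bob_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": "2020-06-25T17:02:11.1234567Z"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000003",
     "userPrincipalName": "carol_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": null}
  ]
}""")


def parse_graph_datetime(value):
    """Parse Graph's ISO-8601 UTC timestamps, which may carry 7 fractional digits."""
    if value is None:
        return None
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def stale_pending_guests(users, now, max_age_days=30):
    """Return pending guests whose invitation is older than max_age_days.

    Guests with no state-change timestamp are skipped rather than deleted:
    never act destructively on a record you cannot date.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for u in users:
        if u.get("externalUserState") != "PendingAcceptance":
            continue  # defensive: the server-side filter should already ensure this
        changed = parse_graph_datetime(u.get("externalUserStateChangedDateTime"))
        if changed is not None and changed < cutoff:
            stale.append(u)
    return stale


def delete_requests(users):
    """Build the DELETE calls; deleted users stay restorable for 30 days."""
    return [("DELETE", f"{GRAPH}/users/{u['id']}") for u in users]


if __name__ == "__main__":
    now = datetime(2020, 6, 30, tzinfo=timezone.utc)
    stale = stale_pending_guests(SAMPLE_RESPONSE["value"], now)
    for method, url in delete_requests(stale):
        print(method, url)  # dry run: only alice is older than 30 days
```

Run the dry run in a scheduled job first and review the list; only then add the authenticated DELETE. Keep the age threshold longer than your invitation reminder cadence so a guest is not removed while a reminder is still in flight.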

Application proxy management API for Microsoft Graph (beta)

Service category: Enterprise Apps
Product capability: Application Proxy

With the API set in beta for Microsoft Graph, as well as for the EDU endpoint, you now have full coverage for all the App Proxy management actions available in the Azure AD portal or via PowerShell. The API set provides the ability to automate the following scenarios:

  1. Configure App Proxy properties for an app
  2. Configure single sign-on (SSO) for legacy authentication modes
  3. Manage connectors in connector groups
  4. Manage connector groups and apps assigned to connector groups

Manage authentication sessions in Azure AD Conditional Access General availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Authentication session management capabilities allow organizations to configure how often people in the Azure AD tenant need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers to offer more security and flexibility in your environment.

Additionally, authentication session management previously applied only to the first-factor authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Now authentication session management applies to Multi-Factor Authentication (MFA) as well.
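The two Conditional Access capabilities discussed on this page, the user risk condition (under What's Planned) and authentication session management (above), both end up as policy bodies sent to the Microsoft Graph conditional access API. The following is an added example, not Microsoft's code or the post's: it builds both policies as Python dicts in the conditionalAccessPolicy shape and lints them for the mistakes that cause tenant lock-outs (no emergency-access exclusion, enforcing without a report-only trial, a password-change grant without MFA). The break-glass object ID is a made-up placeholder.

```python
"""Build Conditional Access policy bodies and lint them before POSTing.

Added example, not Microsoft's code. The dict shape follows the Microsoft
Graph conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies);
the break-glass object ID below is a made-up placeholder.
"""
from typing import Any, Dict, List

# Hypothetical object ID of the tenant's emergency-access account.
BREAK_GLASS_ACCOUNT_ID = "9f8e7d6c-5b4a-4321-8765-4321fedcba00"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def base_policy(name: str) -> Dict[str, Any]:
    """Common skeleton: all users and apps, break-glass excluded, report-only."""
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ACCOUNT_ID]},
            "applications": {"includeApplications": ["All"]},
        },
    }


def user_risk_policy(levels=("high",)) -> Dict[str, Any]:
    """User-risk condition: force a secure password change (MFA plus new password)."""
    p = base_policy("CA-UserRisk-PasswordChange")
    p["conditions"]["userRiskLevels"] = list(levels)
    # passwordChange is only valid together with mfa and the AND operator.
    p["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return p


def session_policy(hours: int = 12) -> Dict[str, Any]:
    """Authentication session management: re-prompt every N hours, no persistent browser."""
    p = base_policy("CA-Session-ReauthAndNoPersistence")
    p["sessionControls"] = {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": hours},
        "persistentBrowser": {"isEnabled": True, "mode": "never"},
    }
    return p


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings a reviewer would block on; an empty list means it passes."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    if BREAK_GLASS_ACCOUNT_ID not in users.get("excludeUsers", []):
        findings.append("emergency-access account is not excluded")
    if policy.get("state") == "enabled":
        findings.append("policy is enforced without a report-only trial")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "passwordChange" in controls and (
        "mfa" not in controls or grant.get("operator") != "AND"
    ):
        findings.append("passwordChange must be combined with mfa using operator AND")
    freq = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if freq.get("isEnabled") and freq.get("type") == "hours" and freq.get("value", 0) < 1:
        findings.append("signInFrequency in hours must be at least 1")
    if not grant and not policy.get("sessionControls"):
        findings.append("policy has neither grant nor session controls and does nothing")
    return findings


if __name__ == "__main__":
    for policy in (user_risk_policy(), session_policy()):
        print(policy["displayName"], lint_policy(policy) or "OK")
```

Flip `state` to `enabled` only after the report-only sign-in logs show the expected population is affected, and keep the break-glass exclusion in every policy, including the session one: a persistent-browser or sign-in-frequency rule applied to the emergency account is exactly what you do not want during an outage.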

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2020, Microsoft added the following 29 applications to the app gallery with federation support:

  1. Shopify Plus
  2. Ekarda
  3. MailGates
  4. BullseyeTDP
  5. Raketa
  6. Segment
  7. Ai Auditor
  8. Pobuca Connect
  9. Proto.io
  10. Gatekeeper
  11. Hub Planner
  12. Ansira-Partner Go-to-Market Toolbox
  13. IBM Digital Business Automation on Cloud
  14. Kisi Physical Security
  15. ViewpointOne
  16. IntelligenceBank
  17. pymetrics
  18. Zero
  19. InStation
  20. edX for Business SAML 2.0 Integration
  21. MOOC Office 365
  22. SmartKargo
  23. PKIsigning platform
  24. SiteIntel
  25. Field iD
  26. Curricula SAML
  27. Perforce Helix Core – Helix Authentication Service
  28. MyCompliance Cloud
  29. Smallstep SSH

API connectors for External Identities self-service sign-up Public Preview

Type: New feature
Service category: B2B
Product capability: B2B/B2C

External Identities API connectors enable organizations to use web APIs to integrate self-service sign-up with external cloud systems. This means admins can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows. For example, you can use API connectors to:

  1. Integrate with custom approval workflows
  2. Perform identity proofing
  3. Validate user input data
  4. Overwrite user attributes
  5. Run custom business logic
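What the web API on the other end of such a connector looks like, as an added example that is not part of the original post or of Microsoft's code. The request and response shape follows the External Identities API connector contract as documented at the time (version "1.0.0"; actions Continue, ShowBlockPage and ValidationError), which you should re-check against the current docs; the connector credentials, blocked-domain list and display-name rule are made-up placeholders. It is written as a pure function so it can be tested offline and dropped into any HTTPS framework. The security-relevant parts are the constant-time check of the basic-auth credentials Azure AD presents, done before any business logic runs, and validating (rather than trusting) the user-supplied attributes.

```python
"""A self-service sign-up API connector endpoint, modelled as a pure function.

Added example, not Microsoft's code. Response shape per the External
Identities API connector contract (version "1.0.0"; actions Continue,
ShowBlockPage, ValidationError). Credentials and policy values are
hypothetical placeholders.
"""
import base64
import hmac
import re

# Hypothetical credentials configured on the connector in the Azure AD portal.
CONNECTOR_USER = "aad-signup-connector"
CONNECTOR_PASSWORD = "replace-with-a-long-random-secret"

# Hypothetical policy: block disposable-mail domains, require a sane display name.
BLOCKED_DOMAINS = {"mailinator.com", "tempmail.example"}
DISPLAY_NAME_RE = re.compile(r"^[\w .'\-]{2,64}$")


def basic_auth_header(user, password):
    """Build the Authorization header value Azure AD sends for the connector."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def _response(action, **extra):
    body = {"version": "1.0.0", "action": action}
    body.update(extra)
    return body


def check_basic_auth(headers):
    """Constant-time check of the HTTP Basic credentials the caller presents."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    user_ok = hmac.compare_digest(user.encode(), CONNECTOR_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), CONNECTOR_PASSWORD.encode())
    return user_ok and pass_ok


def handle_signup(headers, body):
    """Return (http_status, json_body) for one 'before creating the user' call."""
    if not check_basic_auth(headers):
        return 401, {}  # never run business logic for an unauthenticated caller

    email = str(body.get("email", "")).strip().lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    if not domain:
        return 400, _response("ValidationError", status=400,
                              userMessage="A valid e-mail address is required.")
    if domain in BLOCKED_DOMAINS:
        return 200, _response("ShowBlockPage",
                              userMessage="Sign-up from this e-mail provider is not allowed.")

    display_name = str(body.get("displayName", ""))
    if not DISPLAY_NAME_RE.match(display_name):
        return 400, _response("ValidationError", status=400,
                              userMessage="Display name must be 2-64 letters, digits, spaces or .'-")

    # Continue, and overwrite the attribute with the normalised value.
    return 200, _response("Continue", displayName=display_name.strip())


if __name__ == "__main__":
    hdrs = {"Authorization": basic_auth_header(CONNECTOR_USER, CONNECTOR_PASSWORD)}
    print(handle_signup(hdrs, {"email": "dana@contoso.example", "displayName": "Dana R."}))
    print(handle_signup(hdrs, {"email": "x@mailinator.com", "displayName": "Throwaway"}))
```

Serve this only over HTTPS with a certificate Azure AD will accept, treat the connector password like any other service secret (rotate it, keep it out of source), and log the decision plus the calling IP so blocked sign-ups can be audited.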

Provision on-demand and get users into apps in seconds

Service category: App Provisioning
Product capability: Identity Lifecycle Management

The Azure AD provisioning service currently operates on a cyclic basis, running every 40 minutes. The new on-demand provisioning capability allows admins to pick a single user and provision them in seconds. This lets admins troubleshoot provisioning issues quickly, without restarting the provisioning job to force a new cycle.

New permission for using Azure AD entitlement management in Graph

Service category: Other
Product capability: Entitlement Management

A new delegated permission EntitlementManagement.Read.All is now available for use with the Entitlement Management API in Microsoft Graph beta.

Identity Protection APIs available in v1.0 General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they are available at the v1.0 endpoint, Microsoft invites everyone to use them in production.
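A triage routine over the now-GA riskDetections data, as an added example that is not part of the original post or of Microsoft's tooling. It works offline on a constructed page of detections (made-up users and documentation IP ranges); in production the same logic runs on the response from the v1.0 identityProtection endpoints, and the users it escalates are confirmed compromised through the riskyUsers confirmCompromised action. The weights and the "hard indicator" list are this example's own choices, not a Microsoft recommendation.

```python
"""Triage Identity Protection risk detections from the v1.0 Graph API.

Added example, not Microsoft's code. Works offline over a constructed
riskDetections page; in production the input is the response to
GET https://graph.microsoft.com/v1.0/identityProtection/riskDetections
(IdentityRiskEvent.Read.All), and escalated users go to
POST /identityProtection/riskyUsers/confirmCompromised.
"""
from collections import defaultdict
import json

GRAPH = "https://graph.microsoft.com/v1.0/identityProtection"
RISKY_USERS_QUERY = f"{GRAPH}/riskyUsers?$filter=riskLevel eq 'high' and riskState eq 'atRisk'"

# Example weighting (this block's own choice, not a Microsoft recommendation).
LEVEL_WEIGHT = {"low": 1, "medium": 3, "high": 6}
# Detection types that are strong on their own; one of these is enough to escalate.
HARD_INDICATORS = {"leakedCredentials", "maliciousIPAddress", "adminConfirmedUserCompromised"}

# Constructed sample page (not real data); only the fields used here are kept.
SAMPLE_DETECTIONS = json.loads("""{
 "value": [
  {"id":"d1","userId":"u-alice","userPrincipalName":"alice@fabrikam.example",
   "riskEventType":"unfamiliarFeatures","riskLevel":"medium","riskState":"atRisk",
   "detectedDateTime":"2020-06-28T09:12:00Z","ipAddress":"203.0.113.10"},
  {"id":"d2","userId":"u-alice","userPrincipalName":"alice@fabrikam.example",
   "riskEventType":"anonymizedIPAddress","riskLevel":"medium","riskState":"atRisk",
   "detectedDateTime":"2020-06-28T09:14:00Z","ipAddress":"198.51.100.7"},
  {"id":"d3","userId":"u-bob","userPrincipalName":"bob@fabrikam.example",
   "riskEventType":"leakedCredentials","riskLevel":"high","riskState":"atRisk",
   "detectedDateTime":"2020-06-29T22:00:00Z","ipAddress":null},
  {"id":"d4","userId":"u-carol","userPrincipalName":"carol@fabrikam.example",
   "riskEventType":"unlikelyTravel","riskLevel":"low","riskState":"remediated",
   "detectedDateTime":"2020-06-20T01:00:00Z","ipAddress":"192.0.2.44"}
 ]}""")


def triage(detections):
    """Score each still-at-risk user; return (userId, score, types) sorted high to low."""
    per_user = defaultdict(lambda: {"score": 0, "types": set()})
    for d in detections:
        if d.get("riskState") != "atRisk":
            continue  # remediated / dismissed detections no longer count
        entry = per_user[d["userId"]]
        entry["types"].add(d["riskEventType"])
        entry["score"] += LEVEL_WEIGHT.get(d.get("riskLevel"), 0)
    ranked = []
    for uid, e in per_user.items():
        score = e["score"]
        if e["types"] & HARD_INDICATORS:
            score += 10  # a hard indicator outranks any pile of medium signals
        if len(e["types"]) > 1:
            score += 2   # independent detection types corroborate each other
        ranked.append((uid, score, sorted(e["types"])))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def confirm_compromised_body(ranked, threshold=10):
    """Body for POST .../riskyUsers/confirmCompromised for users at or above threshold."""
    return {"userIds": [uid for uid, score, _ in ranked if score >= threshold]}


if __name__ == "__main__":
    ranked = triage(SAMPLE_DETECTIONS["value"])
    for uid, score, types in ranked:
        print(f"{uid:10} {score:3} {', '.join(types)}")
    print(confirm_compromised_body(ranked))
```

Confirming a user compromised raises their user risk to high, which is what the user-risk Conditional Access condition acts on, so this closes the loop between detection and enforcement. Page through `@odata.nextLink` on real tenants; a single page of detections is rarely the whole picture.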

Sensitivity labels to apply policies to Microsoft 365 groups General Availability

Service category: Group Management
Product capability: Collaboration

Admins can now create sensitivity labels and use the label settings to apply policies to Microsoft 365 groups, including privacy (Public or Private) and the external user access policy. For example, an admin can create a label whose privacy policy is Private and whose external user access policy disallows adding guest users. When a user applies this label to a group, the group becomes private and no guest users can be added to it.

Sensitivity labels are important to protect business-critical data and enable organizations to manage groups at scale, in a compliant and secure fashion.

 

What’s Changed

SAML SSO now supports apps that require SPNameQualifier to be set when requested

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Some SAML applications require SPNameQualifier to be returned on the assertion's Subject NameID when they ask for it. Azure AD now responds correctly when an SPNameQualifier is requested in the NameIDPolicy of the authentication request. This currently works for SP-initiated sign-in; IdP-initiated sign-in will follow.
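The exchange this fix concerns, shown from the service provider's side as an added example that is not part of the original post or of Microsoft's code: the SP puts `SPNameQualifier` on the `NameIDPolicy` of its AuthnRequest, records what it asked for, and after the response comes back checks that the `NameID` carries the same qualifier. The entity IDs, URLs and NameID value are made-up placeholders, and the sample assertion is constructed with the Subject shape the fix describes. `xml.etree` is used only to keep the example dependency-free; in production parse untrusted SAML with `defusedxml` and validate the XML signature and `Conditions` before trusting anything in the Subject.

```python
"""Request an SPNameQualifier in a SAML AuthnRequest and verify it in the assertion.

Added example, not Microsoft's code. Uses xml.etree only to show the SP-side
check; production code must parse untrusted SAML with defusedxml and verify
the signature first. Entity IDs and the NameID value are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def build_authn_request(request_id, issuer, acs_url, sp_name_qualifier):
    """SP-initiated AuthnRequest asking the IdP to qualify the NameID for this SP."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": "2020-06-30T12:00:00Z",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS['samlp']}}}NameIDPolicy", {
        "Format": PERSISTENT, "SPNameQualifier": sp_name_qualifier, "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def requested_sp_name_qualifier(authn_request_xml):
    """Recover what we asked for (persist it keyed by request ID, never trust the response for it)."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("SPNameQualifier")


def check_subject_name_id(assertion_xml, expected_sp_name_qualifier):
    """Return (ok, detail): the NameID must carry the SPNameQualifier we requested."""
    name_id = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False, "assertion has no Subject/NameID"
    if expected_sp_name_qualifier is None:
        return True, "no SPNameQualifier was requested"
    got = name_id.get("SPNameQualifier")
    if got != expected_sp_name_qualifier:
        return False, f"SPNameQualifier mismatch: requested {expected_sp_name_qualifier!r}, got {got!r}"
    return True, "ok"


# Constructed assertion fragment with the Subject shape the fix describes (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2020-06-30T12:00:01Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        SPNameQualifier="https://sp.example.com/saml">8f1d2c3b-example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    req = build_authn_request("_r1", "https://sp.example.com/saml",
                              "https://sp.example.com/acs", "https://sp.example.com/saml")
    wanted = requested_sp_name_qualifier(req)
    print(check_subject_name_id(SAMPLE_ASSERTION, wanted))
```

Store the requested qualifier alongside the request ID you already keep for `InResponseTo` matching; the comparison belongs with the rest of the response validation, after signature and audience checks, not before.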

The use of group membership conditions in SSO claims configuration is increased

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Previously, the number of groups admins could use when they conditionally change claims based on group membership within any single application configuration was limited to 10. The use of group membership conditions in SSO claims configuration has now increased to a maximum of 50 groups.

Updates to support for Microsoft Identity Manager for Azure AD Premium customers

Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

Azure Support is now available for Azure AD integration components of Microsoft Identity Manager 2016, through the end of Extended Support for Microsoft Identity Manager 2016.

Refreshed Azure AD and Microsoft 365 sign-in background design

Service category: Authentications (Logins)
Product capability: User Authentication

In March, Microsoft announced plans to roll out a new default background image on Azure AD and Microsoft 365 sign-in screens. The new image (rolled out to all customers in early May) helps reduce bandwidth requirements and improve perceived page load times, especially on slower networks.

Enabling basic formatting on the Sign In Page Text component in Company Branding

Service category: Authentications (Logins)
Product capability: User Authentication

The Company Branding functionality on the Azure AD/Microsoft 365 sign-in experience has been updated to allow admins to add hyperlinks and simple formatting, including bold, underline and italics, to the sign-in page text.

Provisioning performance improvements

Service category: App Provisioning
Product capability: Identity Lifecycle Management

The provisioning service has been updated to reduce the time for an incremental cycle to complete. This means that users and groups will be provisioned into their applications faster than they were previously. All new provisioning jobs created after June 10th, 2020, will automatically benefit from the performance improvements. Any applications configured for provisioning before June 10th, 2020, will need to restart once after June 10th, 2020, to take advantage of the performance improvements.

 

What’s Deprecated

Announcing the deprecation of ADAL

Service category: N/A
Product capability: Device Lifecycle Management

Microsoft will no longer add new features to the Azure Active Directory Authentication Library (ADAL) and will end security patches for it on June 30th, 2022. From June 30th, 2020, new functionality will be added only to the Microsoft Authentication Library (MSAL).

Announcing the deprecation of Azure AD Graph

Service category: N/A
Product capability: Device Lifecycle Management

The Azure AD Graph API will receive only bug fixes and security fixes through June 30th, 2022. From June 30th, 2020, new functionality will be added only to the Microsoft Graph API.
