What’s New in Azure Active Directory in July 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and on its blog, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for July 2020:

What’s Planned

Targeting client apps using Conditional Access

Service category: Conditional Access
Product capability: Identity Security & Protection

With the General Availability of the client apps condition in Conditional Access, new policies will apply by default to all client applications, including legacy authentication clients. Existing policies will remain unchanged, but the Configure Yes/No toggle will be removed from existing policies so that it is easier to see which client apps a policy applies to.

When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they will be blocked.

Upcoming SCIM compliance fixes

Service category: App Provisioning
Product capability: Identity Lifecycle Management

The Azure AD provisioning service leverages the SCIM standard for integrating with applications. Microsoft’s implementation of the SCIM standard is evolving. Microsoft expects to make changes to the behavior around how PATCH operations are performed as well as setting the property "active" on a resource.

Group owner setting on Azure Admin portal will be changed

Service category: Group Management
Product capability: Collaboration

Owner settings on the Groups general settings page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. Microsoft will soon offer the ability to scope the group owner privilege not only in these two portals but also to enforce the policy on the backend, providing consistent behavior across endpoints such as PowerShell and Microsoft Graph.

Microsoft will start to disable the current setting for organizations that are not using it, and will offer an option to scope users for the group owner privilege in the next few months.

Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1

Service category: Device Registration and Management
Product capability: Platform

Servers and clients will soon be required to support Transport Layer Security (TLS) 1.2 to communicate with the Azure Active Directory Device Registration Service. Support for TLS 1.0 and 1.1 for communication with the Azure AD Device Registration service will retire:

  • On August 31, 2020, in all sovereign clouds (GCC High, DoD, etc.)
  • On October 30, 2020, in all commercial clouds

What’s New

Admins can now add custom content in the email to reviewers when creating an access review Public Preview

Service category: Access Reviews
Product capability: Identity Governance

When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many organizations asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer.

Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the Advanced section of the Azure AD Access Reviews blade.

Authorization Code Flow for Single-page apps Generally available

Service category: Authentications (Logins)
Product capability: Developer Experience

Because of third-party cookie restrictions in modern browsers, such as Safari's Intelligent Tracking Prevention (ITP), single-page applications (SPAs) will have to use the authorization code flow rather than the implicit flow to maintain single sign-on (SSO). MSAL.js v2.x therefore now supports the authorization code flow (with PKCE, since a SPA cannot hold a client secret).

There are corresponding updates to the Azure portal so developers can update their single page app (SPA) to be type spa and use the auth code flow.

Azure AD Application Proxy now supports the Remote Desktop Services Web Client Generally Available

Service category: App Proxy
Product capability: Access Control

Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTML5-capable browser, such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc.

People can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy organizations can increase the security of their Remote Desktop Services (RDS) deployments by enforcing pre-authentication and Conditional Access policies for all types of rich client apps.

Next generation Azure AD B2C user flows public preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows. Try it now by creating a user flow.

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2020 Microsoft added the following 55 new applications to the Azure AD App gallery with federation support:

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can now automate creating, updating, and deleting user accounts for the newly integrated app LinkedIn Learning.

What’s Fixed

Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs

Service category: Reporting
Product capability: Monitoring & Reporting

Windows Hello for Business (WHfB) allows people to sign into Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.

Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD Sign-Ins blade in the Azure Portal. Windows Hello for Business authentications will include WindowsHelloForBusiness in the Authentication Method field.

Fixes to group deletion behavior and performance improvements

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object was not being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or did not pass the scoping filter).

What’s Changed

View role assignments across all scopes and ability to download them to a csv file

Service category: RBAC
Product capability: Access Control

Admins can now view role assignments across all scopes for a role in the Roles and administrators tab in the Azure AD portal. You can also download those role assignments for each role into a CSV file.

What’s Deprecated

Azure Multi-Factor Authentication Software Development Kit (Azure MFA SDK)

Service category: MFA
Product capability: Identity Security & Protection

The Azure Multi-Factor Authentication Software Development Kit (Azure MFA SDK) reached end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective September 30th, 2020. Any calls made to the SDK will fail after that date.
