What’s New in Azure Active Directory in September 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2020, on top of the announcements from Microsoft Ignite 2020:


What’s New

New provisioning connectors in the Azure AD Application Gallery Generally Available

Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:


Audited BitLocker Recovery in Azure AD Public Preview

Service category: Device Access Management
Product capability: Device Lifecycle Management

When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.

End users can access their recovery keys via My Account. IT admins can access recovery keys via the BitLocker recovery key API in beta or via the Azure AD Portal.


Teams Devices Administrator built-in role

Service category: RBAC
Product capability: Access Control

Users with the Teams Devices Administrator role can manage Teams-certified devices from the Teams Admin Center.

This role allows the user to view all devices at a single glance, with the ability to search and filter devices. The user can also check the details of each device, including the logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device.


Advanced query capabilities for Directory Objects Generally Available

Service category: MS Graph
Product capability: Developer Experience

All the new query capabilities introduced for Directory Objects in Azure AD APIs are now available in the v1.0 endpoint and production-ready. Developers can Count, Search, Filter, and Sort Directory Objects and related links using the standard OData operators.
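As an added illustration of the capability described above (this is not code from the release notes or from a Microsoft SDK), the block below builds an advanced query against `users` with `$filter`, `$orderby` and `$count`, and pages through the results. It assumes you supply an authenticated `fetch(url, headers)` callable; the two result pages in `constructed_fetch` are constructed sample data so the logic runs offline.

```python
"""Advanced query on Azure AD directory objects via Microsoft Graph v1.0.

$count, $search, endsWith/not/ne in $filter, and $orderby combined with $filter
need BOTH `ConsistencyLevel: eventual` and `$count=true` on every request,
including each @odata.nextLink continuation. Transport is injected (offline demo).
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote, urlencode

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
ADVANCED_HEADERS = {"ConsistencyLevel": "eventual"}
Fetch = Callable[[str, Dict[str, str]], dict]  # fetch(url, headers) -> parsed JSON body

def build_advanced_query(resource: str, **odata: str) -> str:
    """URL for e.g. build_advanced_query("users", filter="userType eq 'Guest'",
    orderby="displayName"); $count=true is always appended."""
    params = {"$count": "true"}
    params.update({f"${k}": v for k, v in odata.items() if v})
    return f"{GRAPH_V1}/{resource}?{urlencode(params, safe='$', quote_via=quote)}"

def collect_values(url: str, fetch: Fetch) -> Tuple[List[dict], Optional[int]]:
    """Follow @odata.nextLink until exhausted; return (all items, @odata.count)."""
    items: List[dict] = []
    total: Optional[int] = None
    next_url: Optional[str] = url
    while next_url:
        # Re-send the header on every page: Graph rejects a continuation without it.
        page = fetch(next_url, dict(ADVANCED_HEADERS))
        if total is None:
            total = page.get("@odata.count")
        items.extend(page.get("value", []))
        next_url = page.get("@odata.nextLink")
    return items, total

def constructed_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Offline stand-in for the authenticated GET: two constructed result pages."""
    if headers.get("ConsistencyLevel") != "eventual":
        raise ValueError("advanced query sent without ConsistencyLevel header")
    if "$skiptoken" in url:
        return {"value": [{"displayName": "Guest C", "userType": "Guest"}]}
    return {"@odata.count": 3, "@odata.nextLink": url + "&$skiptoken=CONSTRUCTED",
            "value": [{"displayName": "Guest A", "userType": "Guest"},
                      {"displayName": "Guest B", "userType": "Guest"}]}

def list_guests(fetch: Fetch = constructed_fetch) -> Tuple[List[dict], Optional[int]]:
    """Count and list guest users by name: a $filter + $orderby advanced query."""
    url = build_advanced_query("users", filter="userType eq 'Guest'",
                               orderby="displayName", select="displayName,userType", top="2")
    return collect_values(url, fetch)
```

Against a live tenant, replace `constructed_fetch` with a function that performs the GET with a bearer token and returns the parsed JSON body.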


Continuous access evaluation for tenants who configured Conditional Access policies Public Preview

Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Continuous access evaluation (CAE) is now available in public preview for Azure AD tenants with Conditional Access policies. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change.


Ask users requesting an access package additional questions to improve approval decisions

Service category: User Access Management
Product capability: Entitlement Management

Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision.


Enhanced user management Public Preview

Service category: User Management
Product capability: User Management

The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:

  • More visible user properties including object ID, directory sync status, creation type, and identity issuer.
  • Search now allows combined search of names, emails, and object IDs.
  • Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.
  • New sorting capabilities on properties like name, user principal name and deletion date.
  • A new total users count that updates with any searches or filters.


Notes field for Enterprise applications

Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)

Admins can add free text notes to Enterprise applications. They can add any relevant information that will help them manage applications under Enterprise applications.


Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2020, Microsoft added the following new applications to the Azure AD App gallery with federation support:

  1. VMware Horizon – Unified Access Gateway
  2. Pulse Secure PCS
  3. Inventory360
  4. Frontitude
  5. BookWidgets
  6. ZVD_Server
  7. HashData for Business
  8. SecureLogin
  9. CyberSolutions MAILBASEΣ/CMSS
  10. CyberSolutions CYBERMAILΣ
  11. LimbleCMMS
  12. Glint Inc
  13. zeroheight
  14. Gender Fitness
  15. Coeo Portal
  16. Grammarly
  17. Fivetran
  18. Kumolus
  19. RSA Archer Suite
  20. TeamzSkill
  21. raumfürraum
  22. Saviynt
  23. BizMerlinHR
  24. Mobile Locker
  25. Zengine
  26. CloudCADI
  27. Simfoni Analytics
  28. Priva Identity & Access Management
  29. Nitro Pro
  30. Eventfinity
  31. Fexa
  32. Secured Signing Enterprise Portal
  33. Secured Signing Enterprise Portal AAD Setup
  34. Wistec Online
  35. Oracle PeopleSoft – Protected by F5 BIG-IP APM


New delegation role in Azure AD entitlement management: Access package assignment manager

Service category: User Access Management
Product capability: Entitlement Management

A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. Admins can now delegate tasks to a user in this role, who can delegate assignment management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators.

With this new role, organizations benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations.


What’s Changed

Changes to Privileged Identity Management's onboarding flow

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Previously, onboarding to Azure AD Privileged Identity Management (PIM) required user consent and an onboarding flow in PIM's blade that included enrollment in Azure MFA. With the recent integration of the PIM experience into the Azure AD roles and administrators blade, Microsoft is removing this experience. Any tenant with a valid Azure AD Premium P2 license will be auto-onboarded to PIM.

Onboarding to PIM does not have any direct adverse effect on a tenant. Organizations can expect the following changes:

  1. Additional assignment options, such as active vs. eligible with start and end time, when admins make an assignment in either the PIM blade or the Azure AD roles and administrators blade.
  2. Additional scoping mechanisms, like Administrative Units (AUs) and custom roles, introduced directly into the assignment experience.
  3. If you are a global administrator or privileged role administrator, you may start getting a few additional emails like the PIM weekly digest.
  4. Admins might also see an ms-pim service principal in the audit log related to role assignment. This expected change shouldn't affect your regular workflow.


Azure AD Entitlement Management: The Select pane of access package resources now shows the resources currently in the selected catalog by default

Service category: User Access Management
Product capability: Entitlement Management

In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog.

This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog. The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog.
