What's New in Azure Active Directory for October 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for October 2020:

What’s Planned

Azure AD On-Premises Hybrid Agents Impacted by Azure TLS Certificate Changes

Product capability: Platform

Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). There will be an update because of the current CA certificates not following one of the CA/Browser Forum Baseline requirements. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates. These agents will need to be updated to trust the new certificate issuers.

This change will result in disruption of service in hardened environments if you don't take action immediately. These agents include:

If your organization runs an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download locations, you'll need to allow the following CRL and OCSP URLs:

Provisioning events will be removed from audit logs and published solely to provisioning logs

Service category: Reporting
Product capability: Monitoring & Reporting

Activity by the SCIM provisioning service is logged in both the audit logs and provisioning logs. This includes activity such as the creation of a user in ServiceNow, group in GSuite, or import of a role from AWS. In the future, these events will only be published in the provisioning logs. This change is being implemented to avoid duplicate events across logs, and additional costs incurred by customers consuming the logs in log analytics.

This does not impact any events in the audit logs outside of the synchronization events emitted by the provisioning service. Events such as the creation of an application, conditional access policy, a user in the directory, etc. will continue to be emitted in the audit logs.

TLS 1.0, TLS 1.1, and 3DES Deprecation in US Gov Cloud

Product capability: Standards

Azure Active Directory will deprecate the following protocols by March 31, 2021:

  • TLS 1.0
  • TLS 1.1
  • 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

All client-server and browser-server combinations should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services.

Affected environments are:

What’s New

Assign applications to roles on AU and object scope Generally Available

Service category: RBAC
Product capability: Access Control

This feature enables the ability to assign an application (SPN) to an administrator role on the Administrative Unit (AU) scope. As shared as part of the Ten things you should know about Azure AD Administrative Units blogpost, previously, only users and groups could be assigned to roles on an Administrative Unit (AU), now applications in the form of Service Principal Names (SPNs) can be added, too.

disable and delete guest users when they're denied access to a resource Generally Available

Service category: Access Reviews
Product capability: Identity Governance

Disable and delete is an advanced control in Azure AD Access Reviews to help organizations better manage external guests in Groups and Apps. If guests are denied in an access review, disable and delete will automatically block them from signing in for 30 days. After 30 days, then they'll be removed from the tenant altogether.

Access Review creators can add custom messages in emails to reviewers Generally Available

Service category: Access Reviews
Product capability: Identity Governance

In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers. Reviewers will see the message in the email they receive that prompts them to complete the review.

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps and services:

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2020, Microsoft has added following new applications in our App gallery with Federation support:

Integration assistant for Azure AD B2C Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

The Integration Assistant (preview) experience is now available for Azure AD B2C App registrations. This experience helps guide you in configuring your application for common scenarios.

API connectors for Azure AD B2C sign-up user flows public preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

API connectors are now available for use with Azure Active Directory B2C. API connectors enable organizations to use web APIs to customize sign-up user flows and integrate with external cloud systems. Admins can you can use API connectors to:

  • Integrate with custom approval workflows
  • Validate user input data
  • Overwrite user attributes
  • Run custom business logic

Azure Active Directory External Identities now has premium advanced security settings for B2C Generally Available

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Risk-based Conditional Access and risk detection features of Identity Protection are now available in Azure AD B2C. With these advanced security features, organizations can now:

  • Leverage intelligent insights to assess risk with B2C apps and end user accounts.
    Detections include atypical travel, anonymous IP addresses, malware-linked IP addresses, and Azure AD threat intelligence. Portal and API-based reports are also available.
  • Automatically address risks by configuring adaptive authentication policies for B2C users.
    App developers and administrators can mitigate real-time risk by requiring multi-factor authentication (MFA) or blocking access depending on the user risk level detected, with additional controls available based on location, group, and app.
  • Integrate with Azure AD B2C user flows and custom policies.
    Conditions can be triggered from built-in user flows in Azure AD B2C or can be incorporated into B2C custom policies. As with other aspects of the B2C user flow, end user experience messaging can be customized. Customization is according to the organization’s voice, brand, and mitigation alternatives.

State property for connected organizations in entitlement management Generally Available

Service category: Directory Management
Product capability: Entitlement Management

All connected organizations will now have an additional property called State. The state will control how the connected organization will be used in policies that refer to "all configured connected organizations". The value will be either:

  1. configured
    The organization is in the scope of policies that use the all clause
  2. proposed
    The organization is not in scope.

Manually created connected organizations will have a default setting of configured. Meanwhile, automatically created ones (created via policies that allow any user from the internet to request access) will default to proposed. Any connected organizations created before September 9 2020 will be set to configured. Admins can update this property as needed.

View role template ID in Azure portal UI Generally Available

Service category: Azure roles
Product capability: Access Control

You can now view the template ID of each Azure AD role in the Azure portal. In Azure AD, select description of the selected role.

It's recommended that customers use role template IDs in their PowerShell script and code, instead of the display name. Role template ID is supported for use to directoryRoles and roleDefinition objects.

Provisioning logs can now be streamed to log analytics

Service category: Reporting
Product capability: Monitoring & Reporting

Provisioning logs are now available to be streamed to a Log Analytics workspace. This way organizations can:

  • Store provisioning logs for more than 30 days
  • Define custom alerts and notifications
  • Build dashboards to visualize the logs
  • Execute complex queries to analyze the logs

What’s Changed

Provisioning logs can now be viewed by application owners

Service category: Reporting
Product capability: Monitoring & Reporting

Organizations can now allow application owners to monitor activity by the provisioning service and troubleshoot issues without providing them a privileged role or making IT a bottleneck.

Renaming 10 Azure Active Directory roles

Service category: Azure roles
Product capability: Access Control

Some Azure Active Directory (AD) built-in roles have names that differ from those that appear in the Microsoft 365 admin center, the Azure AD portal, and Microsoft Graph. This inconsistency can cause problems in automated processes. Microsoft has renamed 10 role names to make them consistent:

Changes to built-in roles (click for larger table)

Updates to Remember Multi-Factor Authentication (MFA) on a trusted device setting

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

Microsoft has recently updated the remember Multi-Factor Authentication (MFA) on a trusted device feature to extend authentication for up to 365 days from 60 days.

Azure Active Directory (Azure AD) Premium licenses, can also use the Conditional Access – Sign-in Frequency policy that provides more flexibility for reauthentication settings. For the optimal user experience, Microsoft recommends using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to the remember MFA on a trusted device setting.

Azure AD B2C support for auth code flow for SPAs using MSAL JS 2.x

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

MSAL.js version 2.x now includes support for the authorization code flow for single-page web apps (SPAs). Azure AD B2C will now support the use of the SPA app type on the Azure portal and the use of MSAL.js authorization code flow with PKCE for single-page apps. This will allow SPAs using Azure AD B2C to maintain SSO with newer browsers and abide by newer authentication protocol recommendations.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.