What's New in Azure Active Directory for November 2020

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for November 2020:

What’s Planned

Azure Active Directory TLS 1.0, TLS 1.1 and 3DES Deprecation

Service category: All Azure AD applications
Product capability: Standards

Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions by June 30, 2021:

  • TLS 1.0
  • TLS 1.1
  • 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

Affected environments are:

  • Azure Commercial Cloud
  • Office 365 GCC and WW

Related announcement: All client-server and browser-server combinations should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services.
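To find out before the June 2021 cut-off whether a Windows host will still negotiate TLS 1.0/1.1 or the 3DES suite with Azure AD, an added read-only audit script (not from the release notes or Microsoft) is below. It reads the documented Schannel and .NET Framework registry locations and compares them with a desired state of this example's own (TLS 1.0/1.1 disabled, TLS 1.2 enabled, .NET 4.x following the OS defaults); a missing value is reported as "OS default" rather than guessed.

```powershell
# Added example: audit client-side TLS configuration relevant to the Azure AD
# TLS 1.0 / TLS 1.1 / 3DES deprecation. Run in an elevated PowerShell session.
# Registry paths are the standard Schannel and .NET Framework locations; the
# $Expected table is an assumption of this example (hardened client state).

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'OS default (value not set)' }
    return $item.$Name
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$dotnet32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

$Expected = @(
    @{ Path = "$schannel\TLS 1.0\Client"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\TLS 1.0\Client"; Name = 'DisabledByDefault'; Value = 1 },
    @{ Path = "$schannel\TLS 1.1\Client"; Name = 'Enabled';           Value = 0 },
    @{ Path = "$schannel\TLS 1.1\Client"; Name = 'DisabledByDefault'; Value = 1 },
    @{ Path = "$schannel\TLS 1.2\Client"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$schannel\TLS 1.2\Client"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = $dotnet;   Name = 'SchUseStrongCrypto';       Value = 1 },
    @{ Path = $dotnet;   Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = $dotnet32; Name = 'SchUseStrongCrypto';       Value = 1 },
    @{ Path = $dotnet32; Name = 'SystemDefaultTlsVersions'; Value = 1 }
)

# One row per setting; anything not matching the desired state is flagged REVIEW.
$report = foreach ($e in $Expected) {
    $actual = Get-RegValueOrDefault -Path $e.Path -Name $e.Name
    [pscustomobject]@{
        Setting  = "$($e.Path)\$($e.Name)"
        Expected = $e.Value
        Actual   = $actual
        Status   = if ("$actual" -eq "$($e.Value)") { 'OK' } else { 'REVIEW' }
    }
}
$report | Format-Table -AutoSize -Wrap

# Is the deprecated 3DES suite still offered? (TLS module, Windows 10 / Server 2016+)
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $has3des = $null -ne (Get-TlsCipherSuite | Where-Object Name -eq 'TLS_RSA_WITH_3DES_EDE_CBC_SHA')
    "3DES suite TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled: $has3des"
}

# Protocols this PowerShell session itself currently offers to servers.
"Session TLS protocols: $([Net.ServicePointManager]::SecurityProtocol)"
```

A REVIEW row does not by itself mean a broken client (Windows 10 enables TLS 1.2 by default), but hosts where legacy versions are still enabled are the ones whose Azure AD sign-ins should be checked for TLS 1.0/1.1 use before the deadline.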

What’s New

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2020 Microsoft added the following 52 new applications to its App gallery with Federation support:

Azure AD B2C Phone Sign-up and Sign-in using Custom Policy General Availability

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

With phone number sign-up and sign-in, developers and enterprises can allow their organizations to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the person change their phone number if they lose access to their phone. Custom policies let developers and enterprises communicate their brand through page customization.

Azure AD Application Proxy natively supports single sign-on access to applications that use headers for authentication

Service category: App Proxy
Product capability: Access Control

Azure Active Directory (Azure AD) Application Proxy natively supports single sign-on (SSO) access to applications that use headers for authentication. Admins can configure header values required by their applications in Azure AD. The header values will be sent down to the application via Application Proxy.

Application Proxy support for Remote Desktop Services HTML5 Web Client General Availability

Service category: App Proxy
Product capability: Access Control

Azure AD Application Proxy support for Remote Desktop Services (RDS) Web Client is now in General Availability. The RDS web client allows users to access Remote Desktop infrastructure through any HTML5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, and so on. Users can interact with remote apps or desktops like they would with a local device from anywhere.

By using Azure AD Application Proxy, admins can increase the security of their RDS deployments by enforcing pre-authentication and Conditional Access policies for all types of rich client apps.

Custom roles for enterprise apps Public Preview

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Custom RBAC roles for delegated enterprise application management are now in Public Preview. These new permissions build on the custom roles for app registration management, which allow fine-grained control over what access admins have. Over time, additional permissions to delegate management of Azure AD will be released.

Some common delegation scenarios:

  • assignment of users and groups that can access SAML-based single sign-on applications
  • creation of Azure AD Gallery applications
  • update and read of basic SAML configurations for SAML-based single sign-on applications
  • management of signing certificates for SAML-based single sign-on applications
  • update of the notification email addresses for expiring sign-in certificates of SAML-based single sign-on applications
  • update of the SAML token signature and sign-in algorithm for SAML-based single sign-on applications
  • create, delete, and update of user attributes and claims for SAML-based single sign-on applications
  • ability to turn on, turn off, and restart provisioning jobs
  • updates to attribute mappings
  • ability to read provisioning settings associated with the object
  • ability to read provisioning settings associated with service principals
  • ability to authorize application access for provisioning

Email Sign-In with ProxyAddresses now deployable via Staged Rollout Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Tenant administrators can now use Staged Rollout to deploy Email Sign-In with proxyAddresses to specific Azure AD groups. This can help while trying out the feature before deploying it to the entire tenant via the Home Realm Discovery policy.

Sign-in Diagnostic Limited Preview

Service category: Reporting
Product capability: Monitoring & Reporting

With the initial preview release of the Sign-in Diagnostic, admins can now review user sign-ins. Admins can receive contextual, specific, and relevant details and guidance on what happened during a sign-in and how to fix problems. The diagnostic is available in both the Azure AD level, and Conditional Access Diagnose and Solve blades. The diagnostic scenarios covered in this release are Conditional Access, Multi-Factor Authentication, and successful sign-in.

What’s Changed

Improved Unfamiliar Sign-in Properties

Service category: Identity Protection
Product capability: Identity Security & Protection

Unfamiliar sign-in properties detections have been updated. Organizations may notice more high-risk unfamiliar sign-in properties detections.

Refresh of Cloud Provisioning agent now available (V1.1.281.0) Public Preview

Service category: Azure AD Cloud Provisioning
Product capability: Identity Lifecycle Management

The Cloud provisioning agent has been released in Public Preview and is now available through the portal. This release contains several improvements, including support for gMSA (group Managed Service Accounts) for domains, which provides better security, improved initial sync cycles, and support for large groups.

BitLocker recovery key API endpoint now under /informationProtection

Service category: Device Access Management
Product capability: Device Lifecycle Management

Previously, admins could recover BitLocker keys via the /bitlocker endpoint. Microsoft will eventually be deprecating this endpoint, and organizations should begin consuming the API that now falls under /informationProtection.

New enhanced Dynamic Group service Public Preview

Service category: Group Management
Product capability: Collaboration

Enhanced dynamic group service is now in Public Preview. New organizations that create dynamic groups in their tenants will be using the new service. The time required to create a dynamic group will be proportional to the size of the group that is being created instead of the size of the tenant. This update will improve performance for large tenants significantly when organizations create smaller groups.

The new service also aims to complete member additions and removals caused by attribute changes within a few minutes. Also, single processing failures won't block tenant processing.
