What's New in Azure Active Directory for January 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for January 2021:


What’s planned

Secret token will be a mandatory field when configuring provisioning

Service category: App Provisioning
Product capability: Identity Lifecycle Management

In the past, the secret token field could be left empty when setting up provisioning for a custom / bring-your-own-app (BYOA) application. This option was intended solely for testing. Microsoft will update the user interface (UI) to make the field required. Organizations can still work around the requirement for testing purposes by using a feature flag in the browser URL.


What’s New

Customize and configure Android shared devices for First-line Workers at scale Public Preview

Service category: Device Registration and Management
Product capability: Identity Security & Protection

Azure AD and Microsoft Endpoint Manager teams have worked together to bring the capability to customize, scale, and secure first-line workers’ devices.

The following preview capabilities will allow organizations to:

  • Provision Android shared devices at scale with Microsoft Endpoint Manager
  • Secure access for shift workers using device-based Conditional Access
  • Customize sign-in experiences for shift workers with Managed Home Screen


Provisioning logs can now be downloaded as CSV or JSON Public Preview

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Organizations can download the provisioning logs as a *.csv or *.json file through the user interface (UI) and via the Graph API.


Assign cloud groups to Azure AD custom roles and admin unit scoped roles Public Preview

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Organizations can assign a cloud group to Azure AD custom roles and to roles that are scoped to Administrative Units (AUs).


Azure AD Connect cloud sync Generally Available

Service category: Azure AD Connect cloud sync
Product capability: Identity Lifecycle Management

Azure AD Connect cloud sync, previously known as Azure AD Connect cloud provisioning, is now generally available.

Azure AD Connect cloud sync moves the heavy lifting of the transform logic to the cloud, reducing the on-premises footprint of Hybrid Identity implementations. Additionally, multiple lightweight agents can be deployed for higher sync availability.

Attack Simulation Administrator and Attack Payload Author built-in roles Generally Available

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Two new built-in roles in Role-Based Access Control are available to assign to users:

  1. Attack Simulation Administrator
  2. Attack Payload Author

Users in the Attack Simulation Administrator role have access to all simulations in the tenant and can:

  • create and manage all aspects of attack simulation creation
  • launch or schedule a simulation
  • review simulation results

Users in the Attack Payload Author role can create attack payloads but cannot launch or schedule them. Attack payloads are then available to all administrators in the tenant, who can use them to create a simulation.

Usage Summary Reports Reader built-in role Generally Available

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Users with the Usage Summary Reports Reader role can access tenant-level aggregated data and the associated insights in the Microsoft 365 Admin Center for Usage and Productivity Score. However, they cannot access any user-level details or insights.

For these two reports, the Microsoft 365 Admin Center now differentiates between tenant-level aggregated data and user-level details. This role adds an extra layer of protection for individually identifiable user data.

Require App protection policy grant in Azure AD Conditional Access Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

The Azure AD Conditional Access grant for "Require App Protection policy" is now generally available. The policy provides the following capabilities:

  • Allows access only when using a mobile application that supports Intune App protection
  • Allows access only when a user has an Intune app protection policy delivered to the mobile application
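As an added illustration that is not part of Microsoft's release notes, the following Microsoft Graph PowerShell snippet creates a Conditional Access policy using this grant (the built-in control value "compliantApplication") for Office 365 access from iOS and Android clients. It assumes the Microsoft.Graph PowerShell SDK is installed and Connect-MgGraph has already been run with the Policy.ReadWrite.ConditionalAccess scope; the pilot group id is a placeholder.

```powershell
# Added example, not Microsoft's own code: Conditional Access policy with the
# "Require app protection policy" grant for mobile clients.
# Assumptions: Microsoft.Graph SDK installed; Connect-MgGraph already run with
# Policy.ReadWrite.ConditionalAccess; <PILOT-GROUP-OBJECT-ID> is a placeholder.
$policy = @{
    displayName = "Mobile: require Intune app protection policy"
    # Start in report-only mode so the sign-in logs show the impact before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Scope to a pilot group first; widen to all users once the report-only results are clean.
        users          = @{ includeGroups = @("<PILOT-GROUP-OBJECT-ID>") }
        applications   = @{ includeApplications = @("Office365") }
        # The grant only makes sense for mobile platforms; desktop and browser sessions are not targeted here.
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        # compliantApplication = "Require app protection policy" in the portal UI.
        builtInControls = @("compliantApplication")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Mobile apps that do not support Intune app protection, or that have no policy delivered to them, are denied by this grant, so review the report-only results in the sign-in logs before changing the state to "enabled".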


Email One-Time Passcode Generally Available

Service category: Business to Business Collaboration (B2B)
Product capability: B2B/B2C

Email OTP enables organizations to collaborate with anyone by sending a link or invitation via email. Invited people can verify their identities with the one-time passcode sent to their email to access resources in the inviting organization’s tenant.


New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:


New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2021, Microsoft added the following new applications to the App gallery with Federation support:


What’s Changed

Second level manager can be set as alternate approver Public Preview

Service category: User Access Management
Product capability: Entitlement Management

An extra option is now available when you select approvers in Entitlement Management. If you select Manager as approver for the First Approver field, a second option, labeled Second level manager as alternate approver, is now available in the alternate approver field. If you select this option, you need to add a fallback approver to whom the request is forwarded in case the system can't find the second level manager.


Navigate to Teams directly from My Access portal Generally Available

Service category: User Access Management
Product capability: Entitlement Management

You can now launch Teams directly from the My Access portal.

To do so, sign in to My Access, navigate to Access packages, then go to the Active tab to see all of the access packages you already have access to. When you expand the selected access package and hover over Teams, you can launch it by clicking the Open button.


Improved Logging & End-User Prompts for Risky Guest Users

Service category: Identity Protection
Product capability: Identity Security & Protection

The Logging and End-User Prompts for Risky Guest Users have been updated.
