What's New in Azure Active Directory for February 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for February 2021:

What’s Planned

Email one-time passcode authentication on by default

Service category: B2B
Product capability: B2B/B2C

Starting October 31, 2021, Azure AD email one-time passcode authentication will become the default method for inviting accounts and tenants in B2B collaboration scenarios. From that date, Microsoft will no longer allow the redemption of invitations using unmanaged Azure Active Directory accounts.

Unrequested but consented permissions will no longer be added to tokens if they would trigger Conditional Access

Service category: Authentications (Logins)
Product capability: Platform

Currently, applications using dynamic permissions are given all of the permissions they have been consented to access. This includes permissions the app did not request, even when those permissions trigger Conditional Access. For example, an app requesting only user.read that also has consent for files.read can be forced to pass the Conditional Access policy assigned for the files.read permission.

To reduce the number of unnecessary Conditional Access prompts, Azure AD is changing the way unrequested scopes are provided to applications: apps will only trigger Conditional Access for permissions they explicitly request.
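A practical way to see the effect of this change is to compare the scopes an app asked for with the scp claim of the access token it actually received. The following is an added example, not code from the release notes; it decodes an unsigned, constructed sample token (not one issued by Azure AD) and reports any scopes that were consented but never requested, which is exactly the kind of scope that could pull in a Conditional Access prompt under the old behaviour.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_scopes(jwt: str) -> set:
    """Return the delegated scopes listed in a token's space-separated scp claim.

    The signature is deliberately NOT verified: this inspects what the client
    received and is not a substitute for resource-side token validation.
    Scope names are compared case-insensitively.
    """
    _header, payload, _signature = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {scope.lower() for scope in claims.get("scp", "").split()}


def unrequested_scopes(jwt: str, requested: set) -> set:
    """Scopes present in the token that the app did not explicitly request."""
    return token_scopes(jwt) - {scope.lower() for scope in requested}


def make_sample_token(scp: str) -> str:
    # Constructed sample for this example only: unsigned ("alg": "none") and
    # carrying just an scp claim, so it runs offline without any tenant.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"scp": scp}).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    requested = {"user.read"}
    # Old behaviour from the page: consented-but-unrequested files.read lands in the token.
    before = make_sample_token("User.Read Files.Read")
    print("extra scopes before the change:", unrequested_scopes(before, requested))
    # New behaviour: only the explicitly requested scope is issued when the
    # unrequested one would have triggered Conditional Access.
    after = make_sample_token("User.Read")
    print("extra scopes after the change:", unrequested_scopes(after, requested))
```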

What’s New

Authentication Policy Administrator built-in role General availability

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

People with this privileged Azure AD role can configure the authentication methods policy, tenant-wide MFA settings, and password protection policy. This role grants permission to manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list.

Domain Name Administrator built-in role General availability

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

People with this privileged Azure AD role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects have domain dependencies.

For on-premises environments, people with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Federation settings need to be synchronized via Azure AD Connect, so users also have permissions to manage Azure AD Connect.

User collections on My Apps General availability

Service category: My Apps
Product capability: End User Experiences

People can now create their own groupings of apps on the My Apps app launcher. They can also reorder and hide collections shared with them by their administrator.

Autofill in Authenticator General availability

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

Microsoft Authenticator provides multi-factor authentication (MFA) and account management capabilities, and will now also autofill passwords on sites and apps people visit on their mobile devices running iOS or Android.

To use autofill on Authenticator, people need to add their personal Microsoft account to Authenticator and use it to synchronize their passwords. Work or school accounts cannot be used to synchronize passwords at this time.

Invite internal users to B2B collaboration General availability

Service category: B2B
Product capability: B2B/B2C

Organizations can now invite internal users to use B2B collaboration instead of sending an invitation to an existing internal account. This allows organizations to keep that user's object ID, userPrincipalName, group memberships, and app assignments.

Use a Temporary Access Pass to register Passwordless credentials Public Preview

Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection

Temporary Access Pass is a time-limited passcode that serves as strong credentials and allows onboarding of passwordless credentials and recovery when a person has lost or forgotten their strong authentication factor (for example, FIDO2 security key or Microsoft Authenticator app) and needs to sign in to register new strong authentication methods.

Keep me signed in (KMSI) in next generation of user flows Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

The next generation of B2C user flows now supports the keep me signed in (KMSI) functionality, which allows customers to extend the session lifetime for users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the person closes and reopens the browser, and the session is revoked when the person signs out.

External Identities Self-Service Sign-up in AAD using Microsoft accounts Public Preview

Service category: B2B
Product capability: B2B/B2C

External people will now be able to use Microsoft Accounts (MSAs) to sign in to Azure AD first party and line of business (LOB) apps.

Reset redemption status for a guest user Public Preview

Service category: B2B
Product capability: B2B/B2C

Organizations can now reinvite existing external guests to reset their redemption status, which lets the guest user account remain in place without losing any access.

/synchronization (provisioning) APIs now support application permissions Public Preview

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. This is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Databricks, etc.). It is currently not supported for HR provisioning (Workday / SuccessFactors) or Azure AD Connect Cloud Sync.

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2021, Microsoft added the following new applications with federation support to the Azure AD App gallery:

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

What’s Changed

10 Azure Active Directory roles now renamed

Ten Azure AD built-in roles have been renamed so that they're aligned across the Microsoft 365 admin center, Azure AD portal, and Microsoft Graph.

New Company Branding in MFA/SSPR Combined Registration

Service category: User Experience and Management
Product capability: End User Experiences

In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now located at the top left of MFA/SSPR Combined Registration. Company branding is also included on My Sign-Ins and the Security Info page.

Second level manager can be set as alternate approver

Service category: User Access Management
Product capability: Entitlement Management

An extra option when admins select approvers is now available in Entitlement Management. If admins select Manager as approver for the First Approver field, they have another option, Second level manager as alternate approver, available to choose in the alternate approver field. If admins select this option, they need to add a fallback approver to forward the request to in case the system can't find the second level manager.

Authentication Methods Activity Dashboard

Service category: Reporting
Product capability: Monitoring & Reporting

The refreshed Authentication Methods Activity dashboard gives admins an overview of authentication method registration and usage activity in their tenant(s). The report summarizes the number of users registered for each method, and also which methods are used during sign-in and password reset.

What’s Deprecated

Refresh and session token lifetimes configurability in Configurable Token Lifetime (CTL) are retired

Service category: Other
Product capability: User Authentication

Refresh and session token lifetimes configurability in CTL are retired. Azure AD no longer honors refresh and session token configuration in existing policies.
