What's New in Azure Active Directory for March 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for March 2021:

What’s Planned

Guidance on how to enable support for TLS 1.2 in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation

Service category: N/A
Product capability: Standards

Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021:

  • TLS 1.0
  • TLS 1.1
  • 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
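The practical side of this announcement is that every host that talks to Azure AD (Azure AD Connect, AD FS and Web Application Proxy servers, MFA Server, admin workstations running the Azure AD PowerShell modules) must be able to negotiate TLS 1.2 before the cut-off. The following is an added example, not part of Microsoft's release notes, showing the Schannel and .NET Framework registry settings that turn TLS 1.2 on for both the operating system and .NET 4.x applications on Windows Server, followed by a quick handshake check. It assumes an elevated PowerShell 5.1 session; the `Set-RegistryDword` helper is local to the example, and a reboot (or at least a new process) is needed before the .NET settings take effect.

```powershell
# Added example, not from the Azure AD release notes. Enables TLS 1.2 in
# Schannel and makes .NET Framework 4.x applications (Azure AD Connect,
# AD FS, the Azure AD PowerShell modules) follow the OS protocol list.
#Requires -RunAsAdministrator

# Small local helper (not a built-in cmdlet): create the key if needed and
# write a DWORD value.
function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
}

# 1. Enable TLS 1.2 in Schannel for both the client and the server role.
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($role in 'Client', 'Server') {
    Set-RegistryDword -Path "$tls12\$role" -Name 'Enabled'           -Value 1
    Set-RegistryDword -Path "$tls12\$role" -Name 'DisabledByDefault' -Value 0
}

# 2. Make .NET Framework 4.x use the system default protocols (which now
#    include TLS 1.2) and strong crypto instead of its legacy SSL3/TLS1.0 list.
#    Both the 64-bit and the WOW6432Node (32-bit) hives are needed.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    Set-RegistryDword -Path $net -Name 'SystemDefaultTlsVersions' -Value 1
    Set-RegistryDword -Path $net -Name 'SchUseStrongCrypto'       -Value 1
}

# 3. Verify from a NEW PowerShell session after a reboot: open a TLS session
#    to the Azure AD sign-in endpoint and report the negotiated protocol.
$tcp = New-Object System.Net.Sockets.TcpClient('login.microsoftonline.com', 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient('login.microsoftonline.com')
"Negotiated protocol: $($ssl.SslProtocol)"   # expect Tls12 once the settings are active
$ssl.Dispose(); $tcp.Close()
```

To find out ahead of June 30 which components would break, a useful rehearsal is to disable TLS 1.0 and 1.1 on a test server (same Schannel keys with `Enabled` set to 0) and watch the Azure AD Connect synchronization and AD FS federation flows for failures, rather than waiting for the service-side deprecation to do it for you.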

What’s New

Staged rollout to cloud authentication General Availability

Service category: AD Connect
Product capability: User Authentication

Staged rollout to cloud authentication is now generally available. The staged rollout feature allows organizations to selectively test groups of users with cloud authentication methods, such as Pass-through Authentication (PTA) or Password Hash Sync (PHS), while all other user objects in the federated domains continue to authenticate through federation, whether AD FS or another federation service.

User Type attribute can now be updated in the Azure admin portal General Availability

Service category: User Experience and Management
Product capability: User Management

Organizations can now update the user type of Azure AD user objects when admins edit user profile information in the Azure admin portal. The user type can also be updated through Microsoft Graph.
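The Graph route is the one to script against. The following is an added example, not code from the release notes, that reads the current user type, changes a guest to a member and reads it back, using the Microsoft.Graph PowerShell SDK. The object ID in `$userId` is a placeholder. Note that converting a guest to a member is effectively a privilege change: members get the default member permissions in the directory (such as reading other users and groups) that guests are restricted from by default, so treat the change like any other permission grant.

```powershell
# Added example, not from the Azure AD release notes. Assumes the
# Microsoft.Graph PowerShell module; $userId is a placeholder object ID.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$userId = '11111111-2222-3333-4444-555555555555'   # placeholder: object ID of the guest

# Read the current value first. userType is not in the default property set
# returned by /users on v1.0, so it has to be requested with $select.
$before = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/${userId}?`$select=id,userPrincipalName,userType"
"Before: $($before.userPrincipalName) is a $($before.userType)"

# Change the user type. Valid values are 'Member' and 'Guest'. Going from
# Guest to Member grants default member permissions, so do this deliberately.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/users/$userId" `
    -Body @{ userType = 'Member' }

# Read it back to confirm the change took effect.
$after = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/${userId}?`$select=userType"
"After: $($after.userType)"
```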

Replica Sets for Azure Active Directory Domain Services General Availability

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

The capability of replica sets in Azure AD DS is now generally available.

Collaborate with partners using Email One-Time Passcode in the Azure Government cloud General Availability

Service category: B2B
Product capability: B2B/B2C

Organizations in the Microsoft Azure Government cloud can now enable their guests to redeem invitations with Email One-Time Passcode (OTP). This ensures that any guest users with no Azure AD, Microsoft, or Gmail accounts in the Azure Government cloud can still collaborate with their partners by requesting and entering a temporary code to sign in to shared resources.

Header-based authentication SSO with Application Proxy General Availability

Service category: App Proxy
Product capability: Access Control

Azure AD Application Proxy native support for header-based authentication is now generally available. With this feature, admins can configure the user attributes an application expects as HTTP headers without deploying additional components such as a separate header-injection proxy.

Azure AD Entitlement management now supports multi-geo SharePoint Online Public Preview

Service category: Other
Product capability: Entitlement Management

For organizations using multi-geo SharePoint Online, admins can now include sites from specific multi-geo environments in Entitlement Management access packages.

Restore deleted apps from App registrations Public Preview

Service category: Other
Product capability: Developer Experience

Admins can now view, restore, and permanently remove deleted app registrations from the Azure portal. This applies only to applications associated to a directory, not applications from a personal Microsoft account.
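The same three operations (list, restore, permanently delete) are available through the Microsoft Graph `directory/deletedItems` endpoints, which is how you would audit them at scale. The following is an added example, not code from the release notes, using the Microsoft.Graph PowerShell SDK; the two object IDs are placeholders taken from the listing step. The security point worth remembering is that a restored app registration comes back with its original appId, so anything that still authorizes that appId (an API's pre-authorized client list, an admin consent grant) is live again. If the deletion was intentional, purge the object rather than leaving it restorable for the remainder of the 30-day window.

```powershell
# Added example, not from the Azure AD release notes. Assumes the
# Microsoft.Graph PowerShell module; the object IDs below are placeholders.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# 1. List soft-deleted app registrations in this directory.
$deleted = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.application?$select=id,appId,displayName,deletedDateTime'

$deleted.value | ForEach-Object {
    '{0,-40} appId={1}  deleted={2}  objectId={3}' -f $_.displayName, $_.appId, $_.deletedDateTime, $_.id
}

# 2. Restore one that was deleted by mistake. The object keeps its original
#    appId, so existing authorizations for that appId apply again.
$toRestore = '11111111-2222-3333-4444-555555555555'   # placeholder objectId from the list
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/directory/deletedItems/$toRestore/restore"

# 3. Permanently remove one whose deletion was intentional, so it cannot be
#    restored later by anyone with Application.ReadWrite.All.
$toPurge = '22222222-3333-4444-5555-666666666666'     # placeholder objectId from the list
Invoke-MgGraphRequest -Method DELETE `
    -Uri "https://graph.microsoft.com/v1.0/directory/deletedItems/$toPurge"
```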

New "User action" in Conditional Access for registering or joining devices Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

A "Register or join devices" user action is now available in Conditional Access. This user action allows organizations to control multi-factor authentication (MFA) policies for Azure AD device registration.

Currently, this user action only allows organizations to enable MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration are disabled with this user action.
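Because the user action is a Conditional Access target like any cloud app, the policy can be created through the Microsoft Graph Conditional Access API instead of the portal. The following is an added example, not code from the release notes, using the Microsoft.Graph PowerShell SDK. It creates the policy in report-only mode, which is the right way to introduce any policy that gates device registration: an enforced policy with a mistake in it locks users out of Autopilot and Intune enrollment. The break-glass group ID is a placeholder; the user action identifier `urn:user:registerdevice` is the one Graph uses for this action.

```powershell
# Added example, not from the Azure AD release notes. Assumes the
# Microsoft.Graph PowerShell module; $breakGlassGroupId is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$breakGlassGroupId = '11111111-2222-3333-4444-555555555555'   # placeholder: emergency-access accounts

$policy = @{
    displayName = 'Require MFA to register or join devices'
    # Report-only first: evaluate in the sign-in log, then switch to 'enabled'.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # A user action replaces the cloud-app target, so
            # includeApplications stays empty when includeUserActions is set.
            includeApplications = @()
            includeUserActions  = @('urn:user:registerdevice')
        }
    }
    grantControls = @{
        # MFA is the only grant control that applies to device registration.
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $policy
"Created policy $($created.id) in state $($created.state)"
```

After a week of report-only results, filter the Azure AD sign-in log on the "Report-only" tab of this policy to confirm that only genuine device registrations would have been prompted, then PATCH the policy's `state` to `enabled`.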

Optimize connector groups to use the closest Application Proxy cloud service Public Preview

Service category: App Proxy
Product capability: Access Control

With this new capability, connector groups can be assigned to the regional Azure AD Application Proxy service closest to where an application is hosted. This can improve app performance in scenarios where apps are hosted in regions other than the home tenant's region.

External Identities Self-Service Sign-up in AAD using Email One-Time Passcode accounts Public Preview

Service category: B2B
Product capability: B2B/B2C

External users can now use Email One-Time Passcode (OTP) accounts to sign up for Azure AD first-party and line-of-business (LoB) apps.

Availability of AD FS Sign-Ins in Azure AD Public Preview

Service category: Authentications (Logins)
Product capability: Monitoring & Reporting

AD FS sign-in activity can now be integrated with Azure AD activity reporting, providing a unified view of hybrid identity infrastructure. Using the Azure AD Sign-Ins report, Log Analytics, and Azure Monitor Workbooks, it's possible to perform in-depth analysis for both Azure AD and AD FS sign-in scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2021, Microsoft added the following new applications to the Azure AD App gallery with federation support:

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

What’s Changed

Introducing MS Graph API for Company Branding

Service category: MS Graph
Product capability: B2B/B2C

Company branding for the Azure AD and Microsoft 365 sign-in experience can now be managed through the Microsoft Graph API, so the branding parameters can be set and read programmatically instead of only through the portal.

What’s Deprecated

Two-way SMS for MFA Server is no longer supported

Service category: MFA Server
Product capability: Identity Security & Protection

Two-way SMS for MFA Server was originally deprecated in 2018, and will not be supported after February 24, 2021. Administrators should enable another method for users who still use two-way SMS.

One Response to What's New in Azure Active Directory for March 2021


    I wonder if Adding "Register or join devices user action in Conditional access" is because they will remove the choice to require MFA for joining a device in the Devices > Device Settings some time in the future.
