What's New in Azure Active Directory for May 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2021:

What’s New

Azure AD verifiable credentials Public Preview

Service category: Other
Product capability: User Authentication

Organizations using Azure AD can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim while respecting privacy.

build and test expressions for user provisioning Public Preview

Service category: App Provisioning
Product capability: Identity Lifecycle Management

When an admin configures provisioning to a SaaS application, one of the types of attribute mappings that can be specified is an expression mapping. For these, a script-like expression must be written that allows transformation of users' data into formats that are more acceptable for the SaaS application.

The expression builder allows admins to create and test expressions, without having to wait for the full sync cycle.

Enhanced audit logs for Conditional Access policy changes Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

An important aspect of managing Conditional Access is understanding changes to policies over time. Policy changes may cause disruptions for end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical.

In addition to showing who made a policy change and when, the audit logs will now also contain a modified properties value so that admins have greater visibility into what assignments, conditions, or controls changed. To revert to a previous version of a policy, admins can copy the JSON representation of the old version and use the Conditional Access APIs to quickly change the policy back to its previous state.

Sign-in logs include authentication methods used during sign-in Public Preview

Service category: Multi-factor Authentication (MFA)
Product capability: Monitoring & Reporting

Admins can now see the sequential steps users took to sign-in, including which authentication methods were used during sign-in.

To access these details, admins can select a sign-in from the Azure AD sign-in logs and then navigate to the Authentication Method Details tab. Here, information in included such as which method was used, details about the method (e.g. phone number, phone name), authentication requirement satisfied, and result details.

PIM adds support for ABAC conditions in Azure Storage roles Public Preview

Service category: Privileged Identity Management (PIM)
Product capability: Privileged Identity Management (PIM)

Along with the public preview of attributed-based access control (ABAC) for specific Azure role-based access control (RBAC) roles, admins can also add ABAC conditions inside Privileged Identity Management (PIM) for eligible assignments.

Conditional Access and Identity Protection Reports in B2C Generally Available

Service category: Consumer Identity Management
Product capability: Azure AD B2B/B2C

Azure AD now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables organizations to protect their users’ sign-ins with granular risk- and location-based access controls. With these features, organizations can now look at the signals and create a policy to provide more security and access to their customers.

Next generation Azure AD B2C user flows Generally Available

Service category: Consumer Identity Management
Product capability: Azure AD B2B/B2C

The new simplified user flow experience in Azure AD B2C offers feature parity with preview features and is the home for all new features. Organizations will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows.

KMSI and Password reset now in next generation of user flows Generally Available

Service category: Consumer Identity Management
Product capability: Azure AD B2B/B2C

The next generation of B2C user flows now supports keep me signed in (KMSI) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser, and is revoked when the user signs out. Password reset allows users to reset their password from the Forgot your password link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory.

New Log Analytics workbook: Application role assignment activity Generally Available

Service category: User Access Management
Product capability: Entitlement Management

A new workbook has been added for surfacing audit events for application role assignment changes.

Azure Active Directory threat intelligence for sign-in risk Generally Available

Service category: Identity Protection
Product capability: Identity Security & Protection

This new detection serves as an ad-hoc method to allow Microsoft’s security teams to notify organizations and protect their users by raising their session risk to a High risk when Microsoft observes an attack happening, as well as marking the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams.

Conditional Access named locations improvements Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

Updates to Conditional Access named locations include:

  • Added the capability to define IPv6 address ranges
  • Increased the limit of named locations from 90 to 195
  • Increased the limit of IP ranges per named location from 1200 to 2000
  • Added capabilities to search and sort named locations and filter by location type and trust type
  • Added named locations a sign-in belonged to in the sign-in logs

Additionally, to prevent admins from defining problematic named locations, additional checks have been added to reduce the chance of misconfiguration.

Restricted guest access permissions in Azure AD Generally Available

Service category: User Management
Product capability: Directory

Directory level permissions for guest users have been updated. These permissions allow admins to require additional restrictions and controls on external guest user access.

Admins can now add additional restrictions for external guests' access to user and groups' profile and membership information. Also, organizations can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in.

NEW PROVISIONING CONNECTORS IN THE AZURE AD APPLICATION GALLERY

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

New Federated Apps available in the Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2021 Microsoft has added the following 29 new applications in the Azure AD App gallery with Federation support:

  1. InviteDesk
  2. Webrecruit ATS
  3. Workshop
  4. Gravity Sketch
  5. JustLogin
  6. Custellence
  7. WEVO
  8. AppTec360 MDM
  9. Filemail 
  10. Ardoq
  11. Leadfamly
  12. Documo
  13. Autodesk SSO
  14. Check Point Harmony Connect
  15. BrightHire
  16. Rescana
  17. Bluewhale
  18. AlacrityLaw
  19. Equisolve
  20. Zip
  21. Cognician
  22. Acra
  23. VaultMe
  24. TAP App Security
  25. Cavelo Office365 Cloud Connector
  26. Clebex
  27. Banyan Command Center
  28. Check Point Remote Access VPN
  29. LogMeIn

What’s Changed

Improved Conditional Access Messaging for Android, iOS and iPadOS

Service category: Device Registration and Management
Product capability: End User Experiences

Microsoft has updated the wording on the Conditional Access screen shown to users when they are blocked from accessing corporate resources until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed:

  • Help us keep your device secure has changed to Set up your device to get access.
  • Your sign-in was successful but your admin requires your device to be managed by Microsoft to access this resource. has changed to [Organization’s name] requires you to secure this device before you can access [organization’s name] email, files, and data..
  • Enroll Now has changed to Continue.

Azure Information Protection service will begin asking for consent

Service category: Authentications (Logins)
Product capability: User Authentication

The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting June 2021, Azure AD will begin prompting the user for consent when this access is performed across organizations. This ensures that the person understands that the organization which owns the document will collect some information about the person as part of the document access.

Provisioning logs schema change impacting Graph API and Azure Monitor integration

The attributes Action and statusInfo will be changed to provisioningAction and provisoiningStatusInfo. Please update any scripts that you have created using the provisioning logs Graph API or Azure Monitor integrations.

New ARM API to manage PIM for Azure Resources and Azure AD roles

Service category: Privileged Identity Management (PIM)
Product capability: Privileged Identity Management (PIM)

An updated version of Privileged Identity Management (PIM)'s application programming interface (API) for Azure Resource roles and Azure AD roles has been released. The PIM API for Azure Resource roles is now released under the ARM API standard, which aligns with the role management API for regular Azure role assignment. On the other hand, the PIM API for Azure AD roles is also released under the Graph API, aligned with the unifiedRoleManagement APIs.

Some of the benefit of this change include:

  • Alignment of the PIM API with objects in ARM and Graph for role management.
  • Reducing the need to call PIM to onboard new Azure resources.
  • All Azure resources automatically work with new PIM API.
  • Reducing the need to call PIM for role definition or keeping a PIM resource ID
  • Supporting app-only API permissions in PIM for both Azure AD and Azure Resource roles

Previous version of PIM's API under /privilegedaccess will continue to function but we recommend you to move to this new API going forward.

Revision of roles in Azure AD entitlement management

Service category: Roles
Product capability: Entitlement Management

A new role Identity Governance Administrator has recently been introduced.

This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. User with the User Administrator role assigned or are eligible to activate this role to manage access packages in Azure AD entitlement management, the Identity Governance Administrator role now provides this functionality with the least administrative privilege. The User Administrator role will no longer be providing administrative rights to catalogs or access packages.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.