What's New in Azure Active Directory for July 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for July 2021:

What's Planned

New Google sign-in integration for Azure AD B2C and B2B self-service sign-up and invited external users will stop working

Service category: Azure AD B2B
Product capability: Azure AD B2B/B2C

Previously, Microsoft announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021. Some of these restrictions will apply starting July 12, 2021.

Organizations using Azure AD B2B and/or Azure AD B2C that set up a new Google ID sign-in in their custom or line-of-business applications to invite external users or enable self-service sign-up will have the restrictions applied immediately. As a result, end users will be met with an error screen that blocks their Gmail sign-in if the authentication is not moved to a system web view.

Note:
Most apps use the system web view by default and will not be impacted by this change.

What's Fixed

Bug fixes in My Apps

Service category: My Apps
Product capability: End User Experiences

Previously, the presence of the banner recommending the use of collections caused content to scroll behind the header. This issue has been resolved.

Previously, there was another issue where adding apps to a collection would randomly reorder the apps in the All Apps collection. This issue has also been resolved.

What's New

Application authentication method policies Public Preview

Service category: MS Graph
Product capability: Developer Experience

Application authentication method policies in MS Graph allow IT admins to enforce lifetimes on application password secret credentials or to block the use of secrets altogether. Policies can be enforced for an entire tenant as a default configuration, and they can also be scoped to specific applications or service principals.
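To make the policy concrete, here is an added example (not code from the page or from Microsoft) that audits application password credentials against a maximum lifetime or a "no secrets" rule, and builds the tenant-wide default policy body. The application objects are constructed to resemble Microsoft Graph `application` resources with their `passwordCredentials` collection, and the shape of the `defaultAppManagementPolicy` body (`restrictionType`, `maxLifetime`) is an assumption about the Graph schema; no tenant is contacted.

```python
"""Audit app password secrets against a lifetime limit or a secret ban.

Added example, not from the page or Microsoft. SAMPLE_APPS is constructed
to look like GET /applications?$select=displayName,passwordCredentials.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_APPS = [  # constructed sample data
    {"displayName": "billing-api", "passwordCredentials": [
        {"keyId": "a1", "displayName": "prod",
         "startDateTime": "2021-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"}]},
    {"displayName": "hr-sync", "passwordCredentials": [
        {"keyId": "b2", "displayName": "sync",
         "startDateTime": "2021-06-01T00:00:00Z", "endDateTime": "2021-08-15T00:00:00Z"}]},
    {"displayName": "cert-only-app", "passwordCredentials": []},
]

def _parse(ts):
    # Graph returns UTC timestamps with a trailing Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_policy_violations(apps, max_lifetime_days=90, block_secrets=False):
    """Return (app, keyId, reason) tuples for secrets the policy would reject."""
    violations = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            if block_secrets:  # passwordAddition: any secret at all is a finding
                violations.append((app["displayName"], cred["keyId"], "secrets are blocked"))
                continue
            lifetime = _parse(cred["endDateTime"]) - _parse(cred["startDateTime"])
            if lifetime > timedelta(days=max_lifetime_days):  # passwordLifetime rule
                violations.append((app["displayName"], cred["keyId"],
                                   f"lifetime {lifetime.days}d exceeds {max_lifetime_days}d"))
    return violations

def default_policy_body(max_lifetime_days=90, block_secrets=False):
    """Body for PATCH /policies/defaultAppManagementPolicy (assumed schema)."""
    if block_secrets:
        restriction = {"restrictionType": "passwordAddition"}
    else:
        restriction = {"restrictionType": "passwordLifetime",
                       "maxLifetime": f"P{max_lifetime_days}D"}  # ISO 8601 duration
    return {"isEnabled": True,
            "applicationRestrictions": {"passwordCredentials": [restriction]}}

if __name__ == "__main__":
    for app, key_id, reason in find_policy_violations(SAMPLE_APPS):
        print(f"{app} secret {key_id}: {reason}")
```

Running the audit before enabling the policy shows which existing secrets would fall outside it, so owners can rotate them first.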

Authentication Methods nudge to download Microsoft Authenticator Public Preview

Service category: Microsoft Authenticator App
Product capability: User Authentication

The Authenticator nudge policy helps admins to move people in their organization to a more secure posture by prompting them to adopt the Microsoft Authenticator app. Prior to this feature, there was no way for an admin to push people to set up the Authenticator app.

The Nudge comes with the ability for an admin to scope users and groups by including and excluding them from the Nudge to ensure a smooth adoption across the organization.

Separation of duties check Public Preview

Service category: User Access Management
Product capability: Entitlement Management

In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will then be unable to request additional access.

Identity Protection logs in Log Analytics, Storage Accounts, and Event Hubs Public Preview

Service category: Identity Protection
Product capability: Identity Security & Protection

Admins can now send the risky users and risk detections logs to Azure Monitor, Storage Accounts, and/or Log Analytics using Diagnostic Settings in Azure AD.

Application Proxy API addition for backend SSL certificate validation Public Preview

Service category: App Proxy
Product capability: Access Control

The onPremisesPublishing resource type now includes the isBackendCertificateValidationEnabled property, which indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property will be set to true by default. For all existing apps, the property will be set to false.

Improved Authenticator setup experience for adding an Azure AD account in the Microsoft Authenticator app by directly signing into the app Generally Available

Service category: Microsoft Authenticator App
Product capability: User Authentication

People can now use their existing authentication methods to directly sign into the Microsoft Authenticator app to set up their credentials. People don't need to scan a QR code anymore and can use a Temporary Access Pass (TAP), Password with text message or other authentication method to configure their account in the Authenticator app.

This improves the user credential provisioning process for the Microsoft Authenticator app and gives the end user a self-service method to provision the app.

Set manager as reviewer in Azure AD entitlement management access packages Generally Available

Service category: User Access Management
Product capability: Entitlement Management

Access packages in Azure AD entitlement management now support setting the user's manager as the reviewer for regularly occurring access reviews.

Enable external users to self-service sign-up in Azure AD using MSA accounts Generally Available

Service category: Azure AD B2B
Product capability: Azure AD B2B/B2C

Organizations can now enable external users to self-service sign-up in Azure Active Directory using Microsoft accounts (MSAs).

External Identities Self-Service Sign-Up with Email One-time Passcode Generally Available

Service category: Azure AD B2B
Product capability: Azure AD B2B/B2C

Organizations can now enable external users to self-service sign-up in Azure Active Directory using their email and one-time passcode.

Anomalous token detection Generally Available

Service category: Identity Protection
Product capability: Identity Security & Protection

Anomalous token detection is now available in Azure AD Identity Protection. This feature can detect abnormal characteristics in a token, such as its time active and authentication from an unfamiliar IP address.
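Once the risk detection logs are exported through Diagnostic Settings (see the Identity Protection logs item above), they can be triaged offline. This added example (not code from the page or Microsoft) parses newline-delimited JSON records shaped like Graph `riskDetection` objects, keeps only open detections, and flags users whose highest risk level meets a threshold or who have an `anomalousToken` detection; the records, user names and IP addresses are constructed.

```python
"""Triage exported Identity Protection risk detections.

Added example, not from the page or Microsoft. Field names follow the
Graph riskDetection resource; the records themselves are constructed.
"""
import json
from collections import defaultdict

RISK_RANK = {"none": 0, "hidden": 0, "low": 1, "medium": 2, "high": 3}

# Constructed export: one JSON record per line, as a log sink would store them
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "anomalousToken",
     "riskLevel": "medium", "riskState": "atRisk", "ipAddress": "203.0.113.7",
     "detectedDateTime": "2021-07-20T08:15:00Z"},
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "high", "riskState": "atRisk", "ipAddress": "203.0.113.7",
     "detectedDateTime": "2021-07-20T08:16:00Z"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "anomalousToken",
     "riskLevel": "low", "riskState": "remediated", "ipAddress": "198.51.100.4",
     "detectedDateTime": "2021-07-19T22:40:00Z"},
])

def parse_export(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole batch
    return records

def users_to_investigate(records, min_level="medium", event_types=("anomalousToken",)):
    """Group open (atRisk) detections per user and flag users whose top risk
    level reaches min_level or who have any of the listed event types."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("riskState") == "atRisk":  # ignore remediated/dismissed detections
            per_user[r["userPrincipalName"]].append(r)
    flagged = {}
    for upn, dets in per_user.items():
        top = max(RISK_RANK.get(d.get("riskLevel", "none"), 0) for d in dets)
        types = sorted({d["riskEventType"] for d in dets})
        if top >= RISK_RANK[min_level] or any(t in event_types for t in types):
            flagged[upn] = {"maxRiskLevel": top, "eventTypes": types,
                            "sourceIps": sorted({d.get("ipAddress") for d in dets})}
    return flagged
```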

Register or join devices user action in Conditional Access Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

The Register or join devices user action in Conditional Access is now generally available. This user action allows admins to control multi-factor authentication (MFA) policies for Azure AD device registration.

Currently, this user action only allows admins to enable MFA as a control when people register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action.

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can now automate creating, updating, and deleting user objects for these newly integrated apps:

What's Changed

Changes to security and Microsoft 365 group settings in Azure portal

Service category: Group Management
Product capability: Directory

In the past, users could create security groups and Microsoft 365 groups in the Azure portal. Now users will have the ability to create groups across Azure portals, PowerShell, and API.

Organizations are required to verify that the new settings have been configured for their organization and to update them where needed.

"All Apps" collection has been renamed to "Apps"

Service category: My Apps
Product capability: End User Experiences

In the My Apps portal, the collection that was called All Apps has been renamed to be called Apps. As the product evolves, Apps is a more fitting name for this default collection.
