What's New in Azure Active Directory for September 2021


Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2021:

What's Planned

Limits on the number of configured API permissions for an application registration enforced starting in October 2021

Service category: Other
Product capability: Developer Experience

Occasionally, application developers configure their apps to require more permissions than it is possible to grant. To prevent this from happening, Microsoft is enforcing a limit on the total number of required permissions that can be configured for an app registration: 400 permissions, across all APIs.

The change to enforce this limit starts mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and can't exceed 50 APIs.
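A pre-check for the two limits described above, written here as an added example and not part of Microsoft's release notes. It parses the requiredResourceAccess section of an app registration manifest (the same shape the Graph application resource uses); the sample manifest, its permission ids and the 90 % warning threshold are constructed assumptions.

```python
import json

# Limits announced for October 2021: at most 400 configured permissions across
# all APIs, and (unchanged) at most 50 distinct resource APIs per app registration.
MAX_PERMISSIONS = 400
MAX_RESOURCE_APIS = 50
WARN_RATIO = 0.9  # assumption: warn once 90 % of a limit is consumed

# Constructed sample: the requiredResourceAccess section of an app manifest.
# The first resourceAppId is the well-known Microsoft Graph app id; the second
# resource and all permission ids are made up for this example.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-00000000abcd",
    "requiredResourceAccess": [
        {"resourceAppId": "00000003-0000-0000-c000-000000000000",
         "resourceAccess": [{"id": "graph-%03d" % i, "type": "Scope"} for i in range(395)]},
        {"resourceAppId": "11111111-1111-1111-1111-111111111111",
         "resourceAccess": [{"id": "api2-%03d" % i, "type": "Role"} for i in range(8)]},
    ],
})


def summarize_required_permissions(manifest_json):
    """Return distinct-API count, total permission count and a per-API breakdown."""
    manifest = json.loads(manifest_json)
    per_api = {}
    for entry in manifest.get("requiredResourceAccess", []):
        # A resource may be listed more than once; count each permission id once.
        ids = {access["id"] for access in entry.get("resourceAccess", [])}
        per_api.setdefault(entry["resourceAppId"], set()).update(ids)
    return {
        "apis": len(per_api),
        "permissions": sum(len(ids) for ids in per_api.values()),
        "per_api": {app_id: len(ids) for app_id, ids in per_api.items()},
    }


def check_limits(summary):
    """Return (severity, message) findings for values over or close to a limit."""
    findings = []
    for label, value, limit in (("permissions", summary["permissions"], MAX_PERMISSIONS),
                                ("resource APIs", summary["apis"], MAX_RESOURCE_APIS)):
        if value > limit:
            findings.append(("error", "%d %s configured, limit is %d" % (value, label, limit)))
        elif value >= WARN_RATIO * limit:
            findings.append(("warning", "%d %s configured, near limit of %d" % (value, label, limit)))
    return findings


if __name__ == "__main__":
    summary = summarize_required_permissions(SAMPLE_MANIFEST)
    for severity, message in check_limits(summary):
        print(severity.upper(), message)
    print("per API:", summary["per_api"])
```

Run it against a manifest exported from the portal (or the requiredResourceAccess property from Graph) to find registrations that will be frozen once enforcement starts.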

Single Page Apps using the spa redirect URI type must use a CORS enabled browser for authentication

Service category: Authentications (Logins)
Product capability: Developer Experience

The modern Edge browser is now included in the requirement to provide an Origin header when redeeming a single page app authorization code. A compatibility fix accidentally exempted the modern Edge browser from Cross-Origin Resource Sharing (CORS) controls. That bug is being fixed during October.

A subset of applications depend on CORS being disabled in the browser, which has the side effect of removing the Origin header from traffic. This is an unsupported configuration for using Azure AD, and these specific apps can no longer use modern Edge as a workaround. All modern browsers must now include the Origin header per the HTTP specification, to ensure CORS is enforced.

What's New

Access packages can expire after a number of hours General Availability

Service category: User Access Management
Product capability: Entitlement Management

There is now an additional option for advanced expiration settings in entitlement management. It's possible to configure an access package that'll expire in hours, in addition to prior settings.

On the My Apps portal, users can choose to view their apps in a list General Availability

Service category: My Apps
Product capability: End User Experiences

By default, My Apps displays apps in a grid view. Users can now toggle their My Apps view to display apps in a list.

New and enhanced device-related audit logs General Availability

Service category: Audit
Product capability: Device Lifecycle Management

Admins can now see various new and improved device-related audit logs. The new audit logs include:

  • create and delete passwordless credentials (Phone sign-in, FIDO2 key and Windows Hello for Business)
  • register/unregister device
  • pre-create/delete pre-create device

Additionally, there have been minor improvements to existing device-related audit logs that include adding more device details.

Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator General Availability

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. They can report any suspicious or unfamiliar activity based on the sign-in history and activity if necessary. Users will also be able to change their Azure AD account passwords and update the account's security information.

New MS Graph APIs for role management General Availability

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

The new APIs for role management on the MS Graph v1.0 endpoint are generally available. Instead of the old directoryRoles resources, use unifiedRoleDefinition and unifiedRoleAssignment.
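An added example (not Microsoft's code) of consuming the new resources for a privileged-role inventory: it joins unifiedRoleAssignment records to their unifiedRoleDefinition by roleDefinitionId and separates tenant-wide assignments (directoryScopeId "/") from scoped ones. The two sample responses, their ids and principal names are constructed; real ids are GUIDs.

```python
# Constructed sample data shaped like the "value" arrays returned by
# GET /roleManagement/directory/roleDefinitions and
# GET /roleManagement/directory/roleAssignments on Microsoft Graph v1.0.
ROLE_DEFINITIONS = [
    {"id": "def-global-admin", "displayName": "Global Administrator", "isBuiltIn": True},
    {"id": "def-helpdesk", "displayName": "Helpdesk Administrator", "isBuiltIn": True},
    {"id": "def-custom-app", "displayName": "App Onboarding", "isBuiltIn": False},
]
ROLE_ASSIGNMENTS = [
    {"id": "ra-1", "principalId": "user-alice", "roleDefinitionId": "def-global-admin",
     "directoryScopeId": "/"},
    {"id": "ra-2", "principalId": "user-bob", "roleDefinitionId": "def-helpdesk",
     "directoryScopeId": "/administrativeUnits/au-sales"},
    {"id": "ra-3", "principalId": "sp-automation", "roleDefinitionId": "def-global-admin",
     "directoryScopeId": "/"},
    {"id": "ra-4", "principalId": "user-carol", "roleDefinitionId": "def-custom-app",
     "directoryScopeId": "/"},
]


def inventory_role_assignments(definitions, assignments):
    """Map each role's displayName to the (principalId, scope) pairs holding it.

    directoryScopeId "/" means the whole tenant; anything else (for example an
    administrative unit path) is a scoped assignment. Assignments whose role
    definition is missing are kept under a placeholder name so nothing is lost.
    """
    by_id = {d["id"]: d for d in definitions}
    report = {}
    for a in assignments:
        definition = by_id.get(a["roleDefinitionId"])
        name = definition["displayName"] if definition else "<unknown role %s>" % a["roleDefinitionId"]
        scope = "tenant" if a["directoryScopeId"] == "/" else a["directoryScopeId"]
        report.setdefault(name, []).append((a["principalId"], scope))
    return report


def tenant_wide_holders(report, role_name):
    """Principals holding role_name across the whole tenant, sorted for stable output."""
    return sorted(p for p, scope in report.get(role_name, []) if scope == "tenant")


if __name__ == "__main__":
    report = inventory_role_assignments(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS)
    for role, holders in sorted(report.items()):
        print(role)
        for principal, scope in holders:
            print("   ", principal, "@", scope)
```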

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

New Federated Apps available in Azure AD Application gallery

In September 2021, Microsoft added the following 44 new applications to the Azure AD App gallery with Federation support:

What's Changed

Gmail users signing in on Microsoft Teams mobile and desktop clients sign in with device login flow

Service category: Azure AD B2B
Product capability: B2B/B2C

Since September 30, 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed-up or redeemed Gmail accounts have an extra login step. Users are now prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients.

Improved Conditional Access Messaging for Non-compliant Device

Service category: Conditional Access
Product capability: End User Experiences

The text and design on the Conditional Access blocking screen shown to users when their device is marked as non-compliant has been updated. Users will be blocked until they take the necessary actions to meet their company's device compliance policies. Additionally, Microsoft has streamlined the flow for a user to open their device management portal. These improvements apply to all Conditional Access-supported Operating System (OS) platforms.

What's Fixed

My Apps performance improvements

Service category: My Apps
Product capability: End User Experiences

The load time of My Apps has been improved. Users going to myapps.microsoft.com load My Apps directly, rather than being redirected through another service.
