Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for October 2021:
What’s Planned
Limits on the number of configured API permissions for an application registration will be enforced
Service category: Other
Product capability: Developer Experience
Sometimes, application developers configure their apps to require more permissions than is possible to grant. To prevent this from happening, a limit on the total number of required permissions that can be configured for an app registration will be enforced.
The total number of required permissions for any single application registration mustn't exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out mid-October 2021. Applications exceeding the limit can't increase the number of permissions they are configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.
In the Azure portal, the required permissions are listed under API permissions for the application you wish to configure. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity.
Email one-time passcode on by default change
Service category: Azure AD Business to Business (B2B)
Product capability: B2B/B2C
Previously, Microsoft announced that starting October 31, 2021, Microsoft Azure Active Directory email one-time passcode (Email OTP) authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. However, because of deployment schedules, Microsoft will begin rolling out on November 1, 2021. Most of the tenants will see the change rolled out in January 2022 to minimize disruptions during the holidays and deployment lock downs. After this change, Microsoft will no longer allow redemption of invitations using Azure Active Directory accounts that are unmanaged.
What’s New
New claims transformation capabilities Public preview
Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)
The following new capabilities have been added to the claims transformations available for manipulating claims in tokens issued from Azure AD:
- Join() on NameID
This capability used to be restricted to joining an email format address with a verified domain. Now Join() can be used on the NameID claim in the same way as any other claim, so NameID transforms can be used to create Windows account style NameIDs or any other string. For now if the result is an email address, the Azure AD will still validate that the domain is one that is verified in the tenant. - Substring()
A new transformation in the claims configuration UI allows extraction of defined position substrings such as five characters starting at character three – substring(3,5) - Claims transformations
These transformations can now be performed on multi-valued attributes, and can emit multi-valued claims. Microsoft Graph can now be used to read/write multi-valued directory schema extension attributes.
Flagged Sign-ins Public preview
Service category: Reporting
Product capability: Monitoring & Reporting
Flagged sign-ins is a feature that will increase the signal to noise ratio for user sign-ins where users need help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. It also helps admins and service desk personnel find the right sign-in events quickly and efficiently.
Device overview Public preview
Service category: Device Registration and Management
Product capability: Device Lifecycle Management
The new Device Overview feature provides actionable insights about devices in the tenant.
Azure Active Directory workload identity federation Public preview
Service category: Enterprise Apps
Product capability: Developer Experience
Azure AD workload identity federation frees developers from handling application secrets or certificates. This includes secrets in scenarios such as using GitHub Actions and building applications on Kubernetes. Rather than creating an application secret and using that to get tokens for that application, developers can instead use tokens provided by the respective platforms such as GitHub and Kubernetes without having to manage any secrets manually.
New app indicator in My Apps General Availability
Service category: My Apps
Product capability: End User Experiences
Apps that have been recently assigned to the user show up with a new indicator. When the app is launched or the page is refreshed, this indicator disappears.
Custom domain support in Azure AD B2C General Availability
Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C
Organizations using Azure AD B2C can now enable custom domains so their end-users are redirected to a custom URL domain for authentication. This is done via integration with Azure Front Door's custom domains capability.
Edge Administrator built-in role General Availability
Service category: Role-based Access Control (RBAC)
Product capability: Access Control
Users in the Edge Administrator role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list and additionally allows access to manage support tickets.
Windows 365 Administrator built-in role General Availability
Service category: Role-based Access Control (RBAC)
Product capability: Access Control
Users with the Windows 365 Administrator role have global permissions on Windows 365 resources, when the service is present. Additionally, this role contains the ability to manage users and devices to associate a policy, and create and manage groups.
New Federated Apps available in Azure AD Application gallery
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In October 2021 Microsoft has added the following 10 new applications in the Azure AD App gallery with Federation support:
- Adaptive Shield
- SocialChorus Search
- Hiretual-SSO
- TeamSticker by Communitio
- embed signage
- JoinedUp
- VECOS Releezme Locker management system
- Altoura
- Dagster Cloud
- Qualaroo
What’s Changed
Updates to Sign-in Diagnostic Public preview
Service category: Reporting
Product capability: Monitoring & Reporting
With this update, the diagnostic covers more scenarios and is made more easily available to admins.
New scenarios covered when using the Sign-in Diagnostic:
- Pass Through Authentication sign-in failures
- Seamless Single-Sign On sign-in failures
Other changes include:
- Flagged Sign-ins will automatically appear for investigation when using the Sign-in Diagnostic from Diagnose and Solve.
- Sign-in Diagnostic is now available from the Diagnose and Solve blade in Enterprise Apps.
- The Sign-in Diagnostic is now available in the Basic Info tab of the Sign-in Log event view for all sign-in events.
Continuous Access Evaluation migration with Conditional Access
Service category: Conditional Access
Product capability: User Authentication
A new user experience is available for tenants using Continuous Access Evaluation. Tenants will now access Continuous Access Evaluation as part of Conditional Access.
Any tenants that were previously using Continuous Access Evaluation for some (but not all) user accounts under the old user experience (UX) or had previously disabled the old UX will now be required to undergo a one-time migration experience.
Improved group list blade
Service category: Group Management
Product capability: Directory
The new group list blade offers more sort and filtering capabilities, infinite scrolling, and better performance.
Google deprecation of Gmail sign-in support on embedded webviews on September 30, 2021 General Availability
Service category: Business to Business collaboration (B2B)
Product capability: B2B/B2C
Google has deprecated Gmail sign-ins on Microsoft Teams mobile and custom apps that run Gmail authentications on embedded webviews on September 30th, 2021.
If an admin or developer would like to request an extension, impacted organizations with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by January 31st, 2022.
To continue allowing Gmail users to sign in and redeem, Microsoft strongly recommends that you refer to the Embedded vs System Web UI in the MSAL.NET documentation and modify your apps to use the system browser for sign-ins. All MSAL software development kits (SDKs) use the system web-view, by default.
As a workaround, Microsoft is deploying the device login flow by October 8th, 2021. Between today and until then, it is likely that it may not be rolled out to all regions yet (in which case, end-users will be met with an error screen until it gets deployed to the end-users’ region.)
Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications
Service category: Access Reviews
Product capability: Identity Governance
Users with the Identity Governance Administrator role can create and manage Azure AD access reviews of groups and applications.
What’s Fixed
Conditional Access Guest Access Blocking Screen
Service category: Conditional Access
Product capability: End User Experiences
If there's no trust relation between a home and resource tenant, a guest user would have previously been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, Microsoft has created a new conditional access blocking page. The page tells the end user that they can't get access to conditional access protected resources as a guest user.
50105 Errors will now result in a UX error message instead of an error response to the application
Service category: Authentications (Logins)
Product capability: Developer Experience
Azure AD has fixed a bug in an error response that occurs when a user isn't assigned to an app that requires a user assignment. Previously, Azure AD would return error 50105 with the OIDC error code interaction_required even during interactive authentication. This would cause well-coded applications to loop indefinitely, as they do interactive authentication and receive an error telling them to do interactive authentication, which they would then do.
The bug has been fixed, so that during non-interactive authentication an interaction_required error will still be returned. Also, during interactive authentication an error page will be directly displayed to the user.
Privileged Role Administrators can now create Azure AD access reviews on role-assignable groups General Availability
Service category: Access Reviews
Product capability: Identity Governance
Privileged Role Administrators can now create Azure AD access reviews on Azure AD role-assignable groups, in addition to Azure AD roles.
Could you clarify the news regarding "email one-time passcode" that I'm trying to understand. Does it men that inviting other Azure AD/Outlook/hotmail will continue as today but if you invite someone random email without Azure AD, Microsoft will no longer create State4 Guest accounts with a password but rather just let them login using email OTP?
Let me clarify.
When you invite someone who is a member of an existing Azure AD tenant or Outlook.com/Hotmail.com, etc. the Email OTP feature does not play a role.
When you invite someone who is not a member of an existing tenant, and the Email OTP feature is disabled, a guest account in your tenant and a user account in a Microsoft-managed tenant are created.
When When you invite someone who is not a member of an existing tenant, and the Email OTP feature is enabled, a guest account in your tenant is created.