Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for April 2022:
What’s New
Microsoft Defender for Endpoint Signal in Identity Protection General Availability
Service category: Identity Protection
Product capability: Identity Security & Protection
Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that detects Primary Refresh Token (PRT) theft.
A PRT is a JSON Web Token (JWT) that's specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. Attackers can attempt to access this resource to move laterally into an organization or perform credential theft. This detection will move users to high risk and will only fire in organizations that have deployed MDE. This detection is low-volume and will be seen infrequently by most organizations. However, when it does occur it's high risk and users should be remediated.
Customer data storage for Japan customers in Japanese datacenters General Availability
Service category: App Provisioning
Product capability: GoLocal
Clouds impacted: Public (Microsoft 365, GCC)
From April 15, 2022, Microsoft began storing Azure AD’s Customer Data for new tenants with a Japan billing address within the Japanese datacenters.
Enabling customization capabilities for SSPR hyperlinks, footer hyperlinks and browser icons in Company Branding Public Preview
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft updated the Company Branding functionality on the Azure AD and Microsoft 365 sign-in experience to allow customizing Self-service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon.
Integration of Microsoft 365 App Certification details into Azure AD UX and Consent Experiences Public Preview
Service category: User Access Management
Product capability: Authorization/Access Delegation
Clouds impacted: Public (Microsoft 365, GCC)
Microsoft 365 Certification status for an app is now available in Azure AD consent user experience (UX), and custom app consent policies. The status will later be displayed in several other Identity-owned interfaces such as enterprise apps.
Organizations can replace all references to Microsoft on the Azure AD authentication experience Public Preview
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft updated the Company Branding functionality on the Azure AD and Microsoft 365 sign-in experience to allow customizing Self-service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon.
Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels Public Preview
Service category: Access Reviews
Product capability: Identity Governance
Use Azure AD Access Reviews to review access of B2B direct connect users in Teams shared channels.
New MS Graph APIs to configure federated settings when federated with Azure AD Public Preview
Service category: MS Graph
Product capability: Identity Security & Protection
Clouds impacted: Public (Microsoft 365, GCC)
Microsoft announced the public preview of the following MS Graph APIs and PowerShell cmdlets for configuring federated settings when federated with Azure AD:
- Get settings for a federated domain: Get-MgDomainFederationConfiguration
- Create settings for a federated domain: New-MgDomainFederationConfiguration
- Remove settings for such a domain: Remove-MgDomainFederationConfiguration
- Update settings for such a domain: Update-MgDomainFederationConfiguration
Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users Public Preview
Service category: Role-based Access Control (RBAC)
Product capability: Authorization/Access Delegation
Clouds impacted: Public (Microsoft 365, GCC)
Microsoft added functionality to session controls allowing admins to reauthenticate a user on every sign-in if a user or particular sign-in event is deemed risky, or when enrolling a device in Intune.
Protect against bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD Public Preview
Service category: MS Graph
Product capability: Identity Security & Protection
Clouds impacted: Public (Microsoft 365, GCC)
Microsoft announced a new security protection that prevents bypassing of cloud Azure AD multi-factor authentication (MFA) when federated with Azure AD. When enabled for a federated domain in an Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD MFA by asserting that MFA has already been performed by the identity provider. The protection can be enabled via the new federatedIdpMfaBehavior security setting.
Microsoft highly recommends enabling this new protection when using Azure AD MFA for federated users.
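The following is an added example, not code from Microsoft's release notes, that ties together the two items above: it reads a federated domain's settings with Get-MgDomainFederationConfiguration and then enables the MFA-bypass protection by setting federatedIdpMfaBehavior with Update-MgDomainFederationConfiguration. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller holds the Domain.ReadWrite.All permission; the domain name is a placeholder. The value rejectMfaByFederatedIdp is one of the documented settings for federatedIdpMfaBehavior (the others being the default acceptIfMfaDoneByFederatedIdp and enforceMfaByFederatedIdp); choosing it here is the author's own decision, not something the release note prescribes.

```powershell
# Added example: read a federated domain's settings and turn on the
# MFA-bypass protection via federatedIdpMfaBehavior.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

# Placeholder: replace with a verified domain that is federated in the tenant.
$domainId = "federated.example.com"

# Get settings for the federated domain. A federated domain carries one
# internalDomainFederation object; its Id is needed for the update below.
$federation = Get-MgDomainFederationConfiguration -DomainId $domainId
$federation | Select-Object Id, IssuerUri, PassiveSignInUri, FederatedIdpMfaBehavior

# rejectMfaByFederatedIdp: Azure AD disregards an MFA claim asserted by the
# federated IdP and performs its own MFA, so an attacker holding a compromised
# federated account (or its signing key) cannot claim MFA was already done.
$params = @{
    federatedIdpMfaBehavior = "rejectMfaByFederatedIdp"
}
Update-MgDomainFederationConfiguration -DomainId $domainId `
    -InternalDomainFederationId $federation.Id -BodyParameter $params

# Verify the change took effect.
(Get-MgDomainFederationConfiguration -DomainId $domainId).FederatedIdpMfaBehavior
```

Before switching to rejectMfaByFederatedIdp, confirm that Azure AD MFA is actually configured for the federated users (for example through Conditional Access), since federated users will be prompted by Azure AD instead of the identity provider once the setting is in place; the default acceptIfMfaDoneByFederatedIdp is the behaviour the protection replaces.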
New Federated Apps available in Azure AD Application gallery
Service category: Enterprise Apps
Product capability: Third Party Integration
In April 2022, Microsoft added the following new applications in the Azure AD App gallery with Federation support:
- X-1FBO
- select Armor
- Smint.io Portals for SharePoint
- Pluto
- ADEM
- Smart360
- MessageWatcher SSO
- Beatrust
- AeyeScan
- ABa Customer
- Twilio Sendgrid
- Vault Platform
- Speexx
- Clicksign
- Per Angusta
- EruditAI
- MetaMoJi ClassRoom
- Numici
- MCB.CLOUD
- DepositLink
- Last9
- ParkHere Corporate
- Keepabl
- Swit
New provisioning connectors in the Azure AD Application Gallery
Service category: App Provisioning
Product capability: Third Party Integration
Clouds impacted: Public (Microsoft 365, GCC)
Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:
What’s Changed
3 stages of approval in Entitlement management General Availability
Service category: Other
Product capability: Entitlement Management
Clouds impacted: Public (Microsoft 365, GCC)
This update extends the Azure AD entitlement management access package policy to allow a third approval stage. This can be configured via the Azure portal or Microsoft Graph.
Improvements to Azure AD Smart Lockout General Availability
Service category: Identity Protection
Product capability: User Management
Clouds impacted: Public (Microsoft 365, GCC), China, US Gov (GCC-H, DOD), US Nat, US Sec
With a recent improvement, Azure AD Smart Lockout now synchronizes the lockout state across Azure AD datacenters, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold.