What's New in Azure Active Directory for April 2022

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for April 2022:

What’s New

Microsoft Defender for Endpoint Signal in Identity Protection General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that detects theft of a Primary Refresh Token (PRT).

A PRT is a JSON Web Token (JWT) that's specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. Attackers can attempt to access this resource to move laterally into an organization or perform credential theft. This detection will move users to high risk and will only fire in organizations that have deployed MDE. This detection is low-volume and will be seen infrequently by most organizations. However, when it does occur it's high risk and users should be remediated.

Customer data storage for Japan customers in Japanese datacenters General Availability

Service category: App Provisioning
Product capability: GoLocal
Clouds impacted: Public (Microsoft 365, GCC)

From April 15, 2022, Microsoft began storing Azure AD’s Customer Data for new tenants with a Japan billing address within the Japanese datacenters.

Enabling customization capabilities for SSPR hyperlinks, footer hyperlinks and browser icons in Company Branding Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft updated the Company Branding functionality on the Azure AD and Microsoft 365 sign-in experience to allow customizing Self-service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon.

Integration of Microsoft 365 App Certification details into Azure AD UX and Consent Experiences Public Preview

Service category: User Access Management
Product capability: Authorization/Access Delegation
Clouds impacted: Public (Microsoft 365, GCC)

Microsoft 365 Certification status for an app is now available in Azure AD consent user experience (UX), and custom app consent policies. The status will later be displayed in several other Identity-owned interfaces such as enterprise apps.

Organizations can replace all references to Microsoft on the Azure AD authentication experience Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft updated the Company Branding functionality on the Azure AD and Microsoft 365 sign-in experience to allow organizations to replace all references to Microsoft on the Azure AD authentication experience.

Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels Public Preview

Service category: Access Reviews
Product capability: Identity Governance

Use Azure AD Access Reviews to review access of B2B direct connect users in Teams shared channels.

New MS Graph APIs to configure federated settings when federated with Azure AD Public Preview

Service category: MS Graph
Product capability: Identity Security & Protection
Clouds impacted: Public (Microsoft 365, GCC)

Microsoft announced the public preview of the following MS Graph APIs and PowerShell cmdlets for configuring federated settings when federated with Azure AD:

  1. Get settings for a federated domain: Get-MgDomainFederationConfiguration
  2. Create settings for a federated domain: New-MgDomainFederationConfiguration
  3. Remove settings for such a domain: Remove-MgDomainFederationConfiguration
  4. Update settings for such a domain: Update-MgDomainFederationConfiguration

Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users Public Preview

Service category: Role-based Access Control (RBAC)
Product capability: Authorization/Access Delegation
Clouds impacted: Public (Microsoft 365, GCC)

Microsoft added functionality to session controls allowing admins to reauthenticate a user on every sign-in if a user or particular sign-in event is deemed risky, or when enrolling a device in Intune.

Protect against bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD Public Preview

Service category: MS Graph
Product capability: Identity Security & Protection
Clouds impacted: Public (Microsoft 365, GCC)

Microsoft announced a new security protection that prevents bypassing of cloud Azure AD multi-factor authentication (MFA) when federated with Azure AD. When enabled for a federated domain in an Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD MFA by claiming that MFA has already been performed by the identity provider. The protection can be enabled via the new federatedIdpMfaBehavior security setting.

Microsoft highly recommends enabling this new protection when using Azure AD MFA for federated users.
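The following PowerShell script is an added example, not part of the release notes and not Microsoft's own sample code. It ties the two federation items above together: it uses the Get-MgDomainFederationConfiguration and Update-MgDomainFederationConfiguration cmdlets listed earlier to read a federated domain's current federatedIdpMfaBehavior value and, if needed, switch it to rejectMfaByFederatedIdp, so that Azure AD performs its own MFA instead of trusting an MFA claim asserted by the federated identity provider. Assumptions: the Microsoft.Graph PowerShell SDK is installed, the signed-in administrator can consent to the Domain.ReadWrite.All permission, "contoso.example" is a placeholder for a federated verified domain in the tenant, and the cmdlet parameter names (-DomainId, -InternalDomainFederationId, -FederatedIdpMfaBehavior) match the current SDK.

```powershell
# Added example (not from the release notes or Microsoft documentation).
# Assumptions: Microsoft.Graph SDK installed; Domain.ReadWrite.All can be consented;
# "contoso.example" is a placeholder for one of the tenant's federated domains.

Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domainId = "contoso.example"   # placeholder, replace with your federated domain

# Read the current federation settings for the domain
$config = Get-MgDomainFederationConfiguration -DomainId $domainId

if (-not $config) {
    Write-Warning "No federation configuration found for $domainId (is it a federated domain?)"
    return
}

Write-Host "Issuer URI:              $($config.IssuerUri)"
Write-Host "federatedIdpMfaBehavior: $($config.FederatedIdpMfaBehavior)"

# rejectMfaByFederatedIdp: Azure AD ignores an MFA claim asserted by the federated IdP
# and runs its own MFA, so a compromised federated account cannot satisfy an Azure AD
# MFA requirement merely by asserting that MFA was already done upstream.
if ($config.FederatedIdpMfaBehavior -ne "rejectMfaByFederatedIdp") {
    Update-MgDomainFederationConfiguration `
        -DomainId $domainId `
        -InternalDomainFederationId $config.Id `
        -FederatedIdpMfaBehavior "rejectMfaByFederatedIdp"

    # Re-read to confirm the change was applied rather than trusting the call succeeded
    $config = Get-MgDomainFederationConfiguration -DomainId $domainId
    Write-Host "Updated federatedIdpMfaBehavior: $($config.FederatedIdpMfaBehavior)"
}
else {
    Write-Host "Domain already rejects MFA claims from the federated IdP; nothing to do."
}
```

The same change can be made directly against Microsoft Graph with a PATCH to /domains/{domain-id}/federationConfiguration/{id} carrying a federatedIdpMfaBehavior value. Before switching a domain to rejectMfaByFederatedIdp, confirm that the federated users in that domain are registered for Azure AD MFA; otherwise users whose policies require MFA will be prompted to register at next sign-in. Run the read-only part of the script first across all federated domains to inventory which ones still accept upstream MFA claims.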

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: Third Party Integration

In April 2022, Microsoft added the following new applications in the Azure AD App gallery with Federation support:

  1. X-1FBO
  2. select Armor
  3. Smint.io Portals for SharePoint
  4. Pluto
  5. ADEM
  6. Smart360
  7. MessageWatcher SSO
  8. Beatrust
  9. AeyeScan
  10. ABa Customer
  11. Twilio Sendgrid
  12. Vault Platform
  13. Speexx
  14. Clicksign
  15. Per Angusta
  16. EruditAI
  17. MetaMoJi ClassRoom
  18. Numici
  19. MCB.CLOUD
  20. DepositLink
  21. Last9
  22. ParkHere Corporate
  23. Keepabl
  24. Swit

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: Third Party Integration
Clouds impacted: Public (Microsoft 365, GCC)

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

What’s Changed

3 stages of approval in Entitlement management General Availability

Service category: Other
Product capability: Entitlement Management
Clouds impacted: Public (Microsoft 365, GCC)

This update extends the Azure AD entitlement management access package policy to allow a third approval stage. It can be configured via the Azure portal or Microsoft Graph.

Improvements to Azure AD Smart Lockout General Availability

Service category: Identity Protection
Product capability: User Management
Clouds impacted: Public (Microsoft 365, GCC), China, US Gov(GCC-H, DOD), US Nat, US Sec

With a recent improvement, Azure AD Smart Lockout now synchronizes the lockout state across Azure AD datacenters, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold.
