Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for October 2022:
What’s Planned
Deprecation of older Azure AD Provisioning agent versions
Service category: Provisioning
Product capability: Azure AD Connect Cloud Sync
Microsoft will stop supporting Azure AD provisioning agent installations with versions 1.1.818.0 and below starting February 1, 2023. If you are using Azure AD Connect Cloud Sync, please make sure you use the latest version of the agent.
To find out which version of the agent you are using follow these steps:
- Go to the domain server on which the agent is installed
- Right-click on the Microsoft Azure AD Connect Provisioning Agent app
- Click on the Details tab
What’s New
Windows Hello for Business, Cloud Kerberos Trust deployment General availability
Service category: Authentications (Logins)
Product capability: User Authentication
Microsoft is excited to announce the general availability of hybrid cloud Kerberos trust, a Windows Hello for Business deployment model that enables a passwordless sign-in experience. With this new model, Microsoft has made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need to maintain complicated public key infrastructure (PKI) and by eliminating Azure Active Directory (AD) Connect synchronization wait times.
Number Matching for Microsoft Authenticator notifications General availability
Service category: Microsoft Authenticator App
Product capability: User Authentication
To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving a multi-factor authentication (MFA) notification in the Microsoft Authenticator app.
Microsoft has also refreshed the Azure portal admin experience and Microsoft Graph APIs to make it easier for organizations to manage Authenticator app feature roll-outs. As part of this update Microsoft has also added the highly requested ability for admins to exclude user groups from each feature.
The number matching feature greatly improves the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. Microsoft highly encourages organizations to adopt this feature using the rollout controls. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting February 27th, 2023.
Additional context in Microsoft Authenticator notifications General availability
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication
Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Organizations can enhance notifications with the following:
- Application Context: this feature shows users which application they're signing into.
- Geographic Location Context: this feature shows users their sign-in location, based on the IP address of the device they're signing in from.
The feature is available for both multi-factor authentication (MFA) and Passwordless Phone Sign-in notifications and greatly increases the security posture of the Microsoft Authenticator app.
Microsoft has also refreshed the Azure portal admin experience and Microsoft Graph APIs to make it easier for organizations to manage Authenticator app feature roll-outs. As part of this update Microsoft has also added the highly requested ability for admins to exclude user groups from each feature.
Microsoft highly encourages organizations to adopt these critical security features to reduce accidental approvals of Authenticator notifications by end users.
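One way to turn on number matching together with the application and location context described in the two sections above through the refreshed Microsoft Graph API, with a single group excluded from each feature. This is an added example, not code from the post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest), the beta endpoint's microsoftAuthenticatorAuthenticationMethodConfiguration schema as it stood in late 2022, and a placeholder group id that you replace with your own exclusion group.

```powershell
# Added example (not from the post or from Microsoft). Assumes the Microsoft Graph
# PowerShell SDK and the beta schema for the Microsoft Authenticator method configuration.
# $ExcludedGroupId is a placeholder, not a real group; replace it with your group's object id.
$ExcludedGroupId = '00000000-0000-0000-0000-000000000000'
$PolicyUri = 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'

function New-FeatureState {
    # One feature block: enabled for all users, with one excluded group (the new exclude control).
    param([string]$ExcludeGroupId)
    return @{
        state         = 'enabled'
        includeTarget = @{ targetType = 'group'; id = 'all_users' }
        excludeTarget = @{ targetType = 'group'; id = $ExcludeGroupId }
    }
}

function Set-AuthenticatorFeatureSettings {
    # Enforce number matching, application context and location context in one PATCH.
    param([string]$ExcludeGroupId)
    $body = @{
        '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        featureSettings = @{
            numberMatchingRequiredState             = New-FeatureState $ExcludeGroupId
            displayAppInformationRequiredState      = New-FeatureState $ExcludeGroupId
            displayLocationInformationRequiredState = New-FeatureState $ExcludeGroupId
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri `
        -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'
}

function Test-AuthenticatorFeatureSettings {
    # Posture check: read the policy back and warn about any feature that is not enforced.
    $cfg = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    $fs  = $cfg.featureSettings
    $result = [ordered]@{
        NumberMatching     = $fs.numberMatchingRequiredState.state
        ApplicationContext = $fs.displayAppInformationRequiredState.state
        LocationContext    = $fs.displayLocationInformationRequiredState.state
    }
    $notEnabled = $result.GetEnumerator() | Where-Object { $_.Value -ne 'enabled' } | ForEach-Object { $_.Key }
    if ($notEnabled) { Write-Warning "Not enforced: $($notEnabled -join ', ')" }
    return [pscustomobject]$result
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'
Set-AuthenticatorFeatureSettings -ExcludeGroupId $ExcludedGroupId
Test-AuthenticatorFeatureSettings
```

Run the check function on its own in a read-only session (scope Policy.Read.All) to audit tenants before the February 2023 enforcement date.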
Device-based conditional access on Linux Desktops General availability
Service category: Conditional Access
Product capability: Single Sign-on (SSO)
This feature empowers people on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.
- People can register their Linux devices with Azure AD
- People can enroll in Mobile Device Management (Intune), which can be used to provide compliance decisions based upon policy definitions to allow device-based Conditional Access on Linux Desktops
- If compliant, people can use the Edge browser to get single sign-on to Microsoft 365 and Azure resources and satisfy device-based Conditional Access policies.
Add multiple domains to the same SAML/WS-Fed based identity provider configuration for your external users General availability
Service category: Business to Business (B2B) collaboration
Product capability: Business to Business (B2B) / Business to Consumer (B2C)
Admins can now add multiple domains to a single SAML/WS-Fed identity provider configuration to invite people from multiple domains to authenticate from the same identity provider endpoint.
Limits on the number of configured API permissions for an application registration will be enforced General availability
Service category: Other
Product capability: Developer Experience
The total number of required permissions for any single application registration must not exceed 400 permissions across all APIs. Applications exceeding the limit won't be able to increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.
Change of Default User Consent Settings General availability
Service category: Enterprise Apps
Product capability: Developer Experience
From September 30th, 2022 onward, Microsoft requires all new Azure AD tenants to follow a new user consent configuration. While this won't impact any existing tenants that were created before September 30, 2022, all new tenants created after September 30, 2022, will have the default setting of Enable automatic updates (Recommendation) set on the User consent settings blade. This change reduces the risk of malicious applications attempting to trick users into granting them access to your organization's data.
Group assignment for SuccessFactors Writeback General availability
Service category: Provisioning
Product capability: Outbound to SaaS Applications
When configuring writeback of attributes from Azure AD to SAP SuccessFactors Employee Central, admins can now specify the scope of user accounts using Azure AD group assignment.
Lifecycle Workflows Public Preview
Service category: Lifecycle Workflows
Product capability: Identity Governance
Lifecycle Workflows is a new Identity Governance capability that allows organizations to extend the user provisioning process and adds enterprise-grade user lifecycle management capabilities to Azure AD to modernize your identity lifecycle management process. With Lifecycle Workflows, admins can:
- Confidently configure and deploy custom workflows to onboard and offboard cloud employees at scale replacing manual processes.
- Automate out-of-the-box actions critical to required Joiner and Leaver scenarios and get rich reporting insights.
- Extend workflows via Logic Apps integrations with custom tasks extensions for more complex scenarios.
User-to-Group Affiliation recommendation for group Access Reviews Public Preview
Service category: Access Reviews
Product capability: Identity Governance
This feature provides Machine Learning-based recommendations to reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation detects each user's affiliation with the other users in the group and scores the user by computing their average distance to the other group members.
Conditional access Authentication strengths Public Preview
Service category: Conditional Access
Product capability: User Authentication
Authentication strengths is a Conditional Access control that allows admins to specify which authentication methods can be used to access a resource.
Admins can use custom authentication strengths to restrict access by requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and apply this through Conditional Access policies.
Conditional access authentication strengths for external identities Public Preview
Service category: Business to Business (B2B) collaboration
Product capability: Business to Business (B2B) / Business to Consumer (B2C)
Admins can now require business partner (B2B) guests across all Microsoft clouds to use specific authentication methods to access resources with Conditional Access Authentication Strength policies.
New Federated Apps available in Azure AD Application gallery
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In October 2022, Microsoft added the following new applications in the Azure AD App gallery with Federation support:
- Unifii
- WaitWell Staff App
- AuthParency
- Oncospark Code Interceptor
- Thread Legal Case Management
- e2open CM-Global
- OpenText XM Fax and XM SendSecure
- Contentkalender
- Evovia
- Parmonic
- mailto.wiki
- JobDiva Azure SSO
- Mapiq
- IVM Smarthub
- Span.zone – SSO and Read-only
- UISolutions
- RecruiterPal
- Broker groupe Achat Solutions
- Philips SpeechLive
- Crayon
- Cytric
- Notate
- ControlDocumentario
- Intuiflow
- Valence Security Platform
- Skybreathe® Analytics
New provisioning connectors in Azure AD Application Gallery
Service category: App Provisioning
Product capability: 3rd Party Integration
Admins can now automate creating, updating, and deleting user accounts for these newly integrated apps:
What’s Deprecated
Deprecation of Azure Multi-Factor Authentication Server
Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection
Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail.
To ensure uninterrupted authentication services, and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure AD Multi-Factor Authentication service using the Migration Utility included in the most recent Azure AD Multi-Factor Authentication Server update.