What's New in Azure Active Directory for October 2022


Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for October 2022:

What’s Planned

Deprecation of older Azure AD Provisioning agent versions

Service category: Provisioning
Product capability: Azure AD Connect Cloud Sync

Microsoft will stop supporting Azure AD provisioning agent installations with versions 1.1.818.0 and below starting February 1, 2023. If you are using Azure AD Connect Cloud Sync, please make sure you use the latest version of the agent.

To find out which version of the agent you are using follow these steps:

  1. Go to the domain server on which you have the agent installed
  2. Right-click on the Microsoft Azure AD Connect Provisioning Agent app
  3. Click on the Details tab

What’s New

Windows Hello for Business, Cloud Kerberos Trust deployment General availability

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft is excited to announce the general availability of hybrid cloud Kerberos trust, a Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, Microsoft has made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times.

Number Matching for Microsoft Authenticator notifications General availability

Service category: Microsoft Authenticator App
Product capability: User Authentication

To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving a multi-factor authentication (MFA) notification in the Microsoft Authenticator app.

Microsoft has also refreshed the Azure portal admin experience and Microsoft Graph APIs to make it easier for organizations to manage Authenticator app feature roll-outs. As part of this update Microsoft has also added the highly requested ability for admins to exclude user groups from each feature.

The number matching feature greatly up-levels the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. Microsoft highly encourages organizations to adopt this feature leveraging the rollout controls. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting February 27th, 2023.

Additional context in Microsoft Authenticator notifications General availability

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Organizations can enhance notifications with the following:

  • Application Context
    This feature will show users which application they're signing into.
  • Geographic Location Context
    This feature will show users their sign-in location based on the IP address of the device they're signing into.

The feature is available for both multi-factor authentication (MFA) and Passwordless Phone Sign-in notifications and greatly increases the security posture of the Microsoft Authenticator app.

Microsoft has also refreshed the Azure portal admin experience and Microsoft Graph APIs to make it easier for organizations to manage Authenticator app feature roll-outs. As part of this update Microsoft has also added the highly requested ability for admins to exclude user groups from each feature.

Microsoft highly encourages organizations to adopt these critical security features to reduce accidental approvals of Authenticator notifications by end users.
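Both the number matching and the additional context features are driven by the same Microsoft Authenticator policy object in Microsoft Graph, and the "exclude a group" roll-out control mentioned above is expressed there as an excludeTarget. The following is an added example, not code from the original post or from Microsoft: it audits a (constructed) copy of that policy object for gaps, and builds the PATCH body that enforces all three features tenant-wide with an optional pilot-exclusion group. The object shape follows the beta microsoftAuthenticatorAuthenticationMethodConfiguration resource; every GUID in the sample is a placeholder.

```python
"""Audit and build Microsoft Authenticator feature settings (number matching,
application context, location context) from the Graph policy object:

  GET /beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator

Added example, not Microsoft's or the blog's code.  SAMPLE_CONFIG is constructed.
"""
import copy
from typing import Dict, Optional

ALL_USERS = "all_users"                                # Graph pseudo-id: include every user
NO_GROUP = "00000000-0000-0000-0000-000000000000"      # Graph pseudo-id: no group excluded

FEATURES = {
    "numberMatchingRequiredState": "number matching",
    "displayAppInformationRequiredState": "application context",
    "displayLocationInformationRequiredState": "geographic location context",
}

# Constructed sample: number matching on but with a pilot group excluded,
# app context on for everyone, location context left at Microsoft's default.
SAMPLE_CONFIG = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": {
            "state": "enabled",
            "includeTarget": {"targetType": "group", "id": ALL_USERS},
            "excludeTarget": {"targetType": "group", "id": "11111111-2222-3333-4444-555555555555"},
        },
        "displayAppInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {"targetType": "group", "id": ALL_USERS},
            "excludeTarget": {"targetType": "group", "id": NO_GROUP},
        },
        "displayLocationInformationRequiredState": {
            "state": "default",
            "includeTarget": {"targetType": "group", "id": ALL_USERS},
            "excludeTarget": {"targetType": "group", "id": NO_GROUP},
        },
    },
}


def audit_feature_settings(config: Dict) -> Dict[str, Dict]:
    """Per feature: explicit state, the excluded group (if any), and whether the
    feature is enforced for the whole tenant.  A state of "default" is reported
    as not enforced: it means the tenant relies on Microsoft's rollout default
    rather than on an explicit admin decision."""
    report = {}
    settings = config.get("featureSettings") or {}
    for key, label in FEATURES.items():
        fs = settings.get(key) or {}
        state = fs.get("state", "default")
        include_id = (fs.get("includeTarget") or {}).get("id")
        exclude_id = (fs.get("excludeTarget") or {}).get("id")
        excluded = exclude_id not in (None, NO_GROUP)
        report[key] = {
            "feature": label,
            "state": state,
            "excluded_group": exclude_id if excluded else None,
            "tenant_wide": state == "enabled" and include_id == ALL_USERS and not excluded,
        }
    return report


def build_patch_body(exclude_group: Optional[str] = None) -> Dict:
    """Body for PATCH .../authenticationMethodConfigurations/microsoftAuthenticator
    that enables all three features for all users, optionally excluding one group
    (e.g. a pilot or break-glass group) from each of them."""
    target = {
        "state": "enabled",
        "includeTarget": {"targetType": "group", "id": ALL_USERS},
        "excludeTarget": {"targetType": "group", "id": exclude_group or NO_GROUP},
    }
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {key: copy.deepcopy(target) for key in FEATURES},
    }


if __name__ == "__main__":
    for row in audit_feature_settings(SAMPLE_CONFIG).values():
        flag = "OK " if row["tenant_wide"] else "GAP"
        print(f"{flag} {row['feature']}: state={row['state']} excluded_group={row['excluded_group']}")
```

Run the audit against the live object after pulling it with any Graph client; anything reported as GAP is a population that still gets plain approve/deny prompts and therefore remains exposed to MFA fatigue.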

Device-based conditional access on Linux Desktops General availability

Service category: Conditional Access
Product capability: Single Sign-on (SSO)

This feature empowers people on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

  • People can register their Linux devices with Azure AD
  • People can enroll in Mobile Device Management (Intune), which can be used to provide compliance decisions based upon policy definitions to allow device-based Conditional Access on Linux Desktops
  • If compliant, people can use the Edge browser to enable single sign-on to Microsoft 365 and Azure resources and satisfy device-based Conditional Access policies.

Add multiple domains to the same SAML/WS-Fed based identity provider configuration for your external users General availability

Service category: Business to Business (B2B) collaboration
Product capability: Business to Business (B2B) / Business to Consumer (B2C)

Admins can now add multiple domains to a single SAML/WS-Fed identity provider configuration to invite people from multiple domains to authenticate from the same identity provider endpoint.

Limits on the number of configured API permissions for an application registration will be enforced General availability

Service category: Other
Product capability: Developer Experience

The total number of required permissions for any single application registration must not exceed 400 permissions across all APIs. Applications exceeding the limit won't be able to increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.
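The two limits above can be checked offline from an app registration's manifest, which lists configured permissions under requiredResourceAccess (one entry per resource API, each with its resourceAccess items of type "Scope" or "Role"). The following is an added example, not Microsoft's code: it counts distinct APIs and total permissions for a registration and flags the ones that cannot grow any further. The registrations are constructed; apart from Microsoft Graph's well-known resource app id and its User.Read scope id, every GUID is a generated placeholder.

```python
"""Check app registrations against the API permission limits announced for
Azure AD: at most 400 permissions in total and at most 50 distinct APIs.

Added example, not Microsoft's code.  Registrations below are constructed.
"""
import uuid
from typing import Dict

MAX_TOTAL_PERMISSIONS = 400
MAX_DISTINCT_APIS = 50
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"      # Microsoft Graph resource app id
GRAPH_USER_READ = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"    # Graph delegated scope User.Read


def check_permission_limits(app: Dict) -> Dict:
    """Count distinct resource APIs and configured permissions on one app
    registration's requiredResourceAccess and report limit violations."""
    apis = set()
    total = 0
    for rra in app.get("requiredResourceAccess", []):
        api_id = rra["resourceAppId"]
        apis.add(api_id)
        # Permission ids are unique within an API; count a repeated id once.
        total += len({ra["id"] for ra in rra.get("resourceAccess", [])})
    return {
        "displayName": app.get("displayName"),
        "distinct_apis": len(apis),
        "total_permissions": total,
        "over_api_limit": len(apis) > MAX_DISTINCT_APIS,
        "over_permission_limit": total > MAX_TOTAL_PERMISSIONS,
        "permission_headroom": MAX_TOTAL_PERMISSIONS - total,
    }


def make_registration(name: str, api_count: int, perms_per_api: int) -> Dict:
    """Construct a registration with api_count placeholder APIs, each requiring
    perms_per_api delegated permissions.  Deterministic UUIDv5 ids are used so
    the sample is reproducible; none of them are real API or permission ids."""
    rra = []
    for i in range(api_count):
        api_id = str(uuid.uuid5(uuid.NAMESPACE_URL, f"placeholder-api-{i}"))
        rra.append({
            "resourceAppId": api_id,
            "resourceAccess": [
                {"id": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{api_id}-perm-{j}")), "type": "Scope"}
                for j in range(perms_per_api)
            ],
        })
    return {"displayName": name, "requiredResourceAccess": rra}


# A typical small app: one API (Graph), one delegated permission.
SMALL_APP = {
    "displayName": "hr-portal",
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID,
         "resourceAccess": [{"id": GRAPH_USER_READ, "type": "Scope"}]},
    ],
}

# A sprawling integration app: 60 APIs x 7 permissions = 420, over both limits.
BLOATED_APP = make_registration("integration-hub", api_count=60, perms_per_api=7)


if __name__ == "__main__":
    for app in (SMALL_APP, BLOATED_APP):
        r = check_permission_limits(app)
        print(f"{r['displayName']}: {r['distinct_apis']} APIs, {r['total_permissions']} permissions, "
              f"over_api_limit={r['over_api_limit']}, over_permission_limit={r['over_permission_limit']}")
```

An app already past the 400-permission limit keeps what it has but cannot be granted anything new, so the headroom figure is what matters when planning a change to an existing registration.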

Change of Default User Consent Settings General availability

Service category: Enterprise Apps
Product capability: Developer Experience

From September 30th, 2022 onward, Microsoft requires all new Azure AD tenants to follow a new user consent configuration. While this won't impact any existing tenants that were created before September 30, 2022, all new tenants created after September 30, 2022, will have the default setting of Enable automatic updates (Recommendation) set on the User consent settings blade. This change reduces the risk of malicious applications attempting to trick users into granting them access to your organization's data.

Group assignment for SuccessFactors Writeback General availability

Service category: Provisioning
Product capability: Outbound to SaaS Applications

When configuring writeback of attributes from Azure AD to SAP SuccessFactors Employee Central, admins can now specify the scope of user accounts using Azure AD group assignment.

Lifecycle Workflows Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Governance

Lifecycle Workflows is a new Identity Governance capability that allows organizations to extend the user provisioning process, and adds enterprise grade user lifecycle management capabilities in Azure AD to modernize your identity lifecycle management process. With Lifecycle Workflows, admins can:

  • Confidently configure and deploy custom workflows to onboard and offboard cloud employees at scale replacing manual processes.
  • Automate out-of-the-box actions critical to required Joiner and Leaver scenarios and get rich reporting insights.
  • Extend workflows via Logic Apps integrations with custom tasks extensions for more complex scenarios.

User-to-Group Affiliation recommendation for group Access Reviews Public Preview

Service category: Access Reviews
Product capability: Identity Governance

This feature provides Machine Learning-based recommendations to reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation detects user affiliation with other users within the group, and leverages the scoring mechanism by computing the user’s average distance with other users in the group.

Conditional access Authentication strengths Public Preview

Service category: Conditional Access
Product capability: User Authentication

Authentication strengths is a Conditional Access control that allows admins to specify which authentication methods can be used to access a resource.

Admins can use custom authentication strengths to restrict access by requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and apply this through Conditional Access policies.

Conditional access authentication strengths for external identities Public Preview

Service category: Business to Business (B2B) collaboration
Product capability: Business to Business (B2B) / Business to Consumer (B2C)

Admins can now require business partner (B2B) guests across all Microsoft clouds to use specific authentication methods to access resources with Conditional Access Authentication Strength policies.
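The two authentication strength announcements above (custom strengths with AAGUID-restricted FIDO2 keys, and applying strengths to B2B guests) share one policy model: an authentication strength is a list of allowed method combinations, and a fido2 combination configuration can further pin the combination to specific authenticator models by AAGUID. The following is an added example, not Microsoft's evaluation code or the blog's: it is a simplified model of how a sign-in's methods are matched against such a policy, written in the shape of the Graph authenticationStrengthPolicy resource (allowedCombinations as comma-separated method names, combinationConfigurations with allowedAAGUIDs). The policies and AAGUIDs below are constructed placeholders, and the treatment of an empty allowedAAGUIDs list as "no restriction" is an assumption of this model.

```python
"""Evaluate a sign-in's authentication methods against a Conditional Access
authentication strength, including a FIDO2 AAGUID allow list.

Added example: a simplified model, not Microsoft's evaluation logic.
Policies and AAGUIDs are constructed placeholders.
"""
from typing import Dict, Iterable, Optional, Set

# Custom strength: phishing-resistant methods only, FIDO2 restricted to two
# authenticator models identified by (placeholder) AAGUIDs.
CUSTOM_STRENGTH = {
    "displayName": "Phishing-resistant, approved FIDO2 keys only",
    "allowedCombinations": ["fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"],
    "combinationConfigurations": [
        {
            "@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
            "appliesToCombinations": ["fido2"],
            "allowedAAGUIDs": [
                "aaaaaaaa-0000-4000-8000-000000000001",
                "aaaaaaaa-0000-4000-8000-000000000002",
            ],
        }
    ],
}

# A looser strength resembling plain MFA: any second factor on top of a password,
# or a FIDO2 key from any vendor.
MFA_STRENGTH = {
    "displayName": "Any MFA",
    "allowedCombinations": ["password,microsoftAuthenticatorPush", "password,sms", "fido2"],
    "combinationConfigurations": [],
}


def parse_combination(combo: str) -> Set[str]:
    """'password,microsoftAuthenticatorPush' -> {'password', 'microsoftAuthenticatorPush'}."""
    return {m.strip() for m in combo.split(",") if m.strip()}


def aaguid_allowed(policy: Dict, combo: str, aaguid: Optional[str]) -> bool:
    """False only when a fido2CombinationConfiguration applies to this
    combination and the presented AAGUID is missing or not on its allow list.
    An empty allow list is treated here as 'no restriction' (model assumption)."""
    for cfg in policy.get("combinationConfigurations", []):
        if cfg.get("@odata.type") != "#microsoft.graph.fido2CombinationConfiguration":
            continue
        if combo not in cfg.get("appliesToCombinations", []):
            continue
        allowed = {a.lower() for a in cfg.get("allowedAAGUIDs", [])}
        if allowed and (aaguid is None or aaguid.lower() not in allowed):
            return False
    return True


def satisfies_strength(policy: Dict, methods_used: Iterable[str],
                       aaguid: Optional[str] = None) -> Optional[str]:
    """Return the first allowed combination the sign-in satisfies, else None.
    A combination is satisfied when every method it lists was used; methods
    beyond the combination do not hurt.  aaguid is the AAGUID of the FIDO2
    authenticator used, when one was."""
    used = set(methods_used)
    for combo in policy.get("allowedCombinations", []):
        required = parse_combination(combo)
        if required and required <= used and aaguid_allowed(policy, combo, aaguid):
            return combo
    return None


if __name__ == "__main__":
    cases = [
        (CUSTOM_STRENGTH, {"fido2"}, "aaaaaaaa-0000-4000-8000-000000000001"),   # approved key
        (CUSTOM_STRENGTH, {"fido2"}, "aaaaaaaa-0000-4000-8000-0000000000ff"),   # unapproved key
        (CUSTOM_STRENGTH, {"password", "microsoftAuthenticatorPush"}, None),    # not phishing-resistant
        (MFA_STRENGTH, {"password", "microsoftAuthenticatorPush"}, None),       # fine for plain MFA
    ]
    for policy, methods, aaguid in cases:
        print(f"{policy['displayName']!r} with {sorted(methods)} aaguid={aaguid}: "
              f"{satisfies_strength(policy, methods, aaguid)}")
```

The unapproved-key case is the one worth noticing: a user who did authenticate with a FIDO2 key is still denied under the custom strength because the key's model is not on the allow list, which is exactly what the AAGUID control is for.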

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2022, Microsoft added the following new applications in the Azure AD App gallery with Federation support:

  1. Unifii
  2. WaitWell Staff App
  3. AuthParency
  4. Oncospark Code Interceptor
  5. Thread Legal Case Management
  6. e2open CM-Global
  7. OpenText XM Fax and XM SendSecure
  8. Contentkalender
  9. Evovia
  10. Parmonic
  11. mailto.wiki
  12. JobDiva Azure SSO
  13. Mapiq
  14. IVM Smarthub
  15. Span.zone – SSO and Read-only
  16. UISolutions
  17. RecruiterPal
  18. Broker groupe Achat Solutions
  19. Philips SpeechLive
  20. Crayon
  21. Cytric
  22. Notate
  23. ControlDocumentario
  24. Intuiflow
  25. Valence Security Platform
  26. Skybreathe® Analytics

New provisioning connectors in Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Admins can now automate creating, updating, and deleting user accounts for these newly integrated apps:

What’s Deprecated

Deprecation of Azure Multi-Factor Authentication Server

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail.

To ensure uninterrupted authentication services, and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure AD Multi-Factor Authentication service using the Migration Utility included in the most recent Azure AD Multi-Factor Authentication Server update.
