Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for April 2023:
What's Planned
Updated look and feel for Per-user MFA General Availability
Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection
As part of ongoing service improvements, Microsoft is making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change does not include any changes to the core functionality and will only include visual improvements.
New limits on number and size of group secrets General Availability
Service category: Group Management
Product capability: Directory
Group secrets are typically created when a group is assigned credentials to an app using Password-based single sign-on (SSO).
Starting in June 2023, a single group can hold at most 48 individual secrets, and the total size of all secrets on a group can't exceed 10KB.
- Groups with more than 10KB of secrets will immediately stop working in June 2023.
- Groups exceeding 48 secrets are unable to increase the number of secrets they have, though they may still update or delete those secrets.
Microsoft highly recommends reducing to fewer than 48 secrets by January 2024. To reduce the number of secrets assigned to a group, Microsoft recommends creating additional groups, and splitting up group assignments to Password-based SSO applications across those new groups.
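To see how the two limits interact when planning the split described above, here is an added example (not from the release notes or from Microsoft) that checks a group against both caps and partitions its secrets into compliant groups. The sample secrets are constructed, and the per-secret size in bytes is an assumption: the note only states the 10KB total across a group.

```python
"""Check a group's Password-based SSO secrets against the June 2023 limits and
plan a split into compliant groups.

Added example, not from the release notes or from Microsoft. The sample secrets
are constructed, and the per-secret size in bytes is an assumption: the note
only states the 10KB total across a group.
"""
from dataclasses import dataclass
from typing import List

MAX_SECRETS_PER_GROUP = 48             # individual secrets per group
MAX_TOTAL_BYTES_PER_GROUP = 10 * 1024  # 10KB across all secrets on a group


@dataclass(frozen=True)
class GroupSecret:
    app_name: str    # Password-based SSO app the credential belongs to
    size_bytes: int  # assumed size of the stored credential material


def build_sample() -> List[GroupSecret]:
    """Constructed input: one group assigned to 60 apps at about 300 bytes each."""
    return [GroupSecret(f"legacy-app-{i:02d}", 300) for i in range(60)]


def check_group(secrets: List[GroupSecret]) -> List[str]:
    """Return the problems this group hits under the new limits (empty = compliant)."""
    problems = []
    total = sum(s.size_bytes for s in secrets)
    if total > MAX_TOTAL_BYTES_PER_GROUP:
        # Hard failure: over 10KB the group stops working in June 2023.
        problems.append(f"total {total} B exceeds {MAX_TOTAL_BYTES_PER_GROUP} B; group stops working")
    if len(secrets) > MAX_SECRETS_PER_GROUP:
        # Soft failure: existing secrets keep working, but no new ones can be added.
        problems.append(f"{len(secrets)} secrets exceed {MAX_SECRETS_PER_GROUP}; cannot add more")
    return problems


def plan_split(secrets: List[GroupSecret]) -> List[List[GroupSecret]]:
    """Partition secrets into groups that satisfy both limits (first-fit decreasing).

    Mirrors the recommended remediation: create additional groups and spread the
    Password-based SSO assignments across them.
    """
    groups: List[List[GroupSecret]] = []
    for secret in sorted(secrets, key=lambda s: s.size_bytes, reverse=True):
        if secret.size_bytes > MAX_TOTAL_BYTES_PER_GROUP:
            raise ValueError(f"{secret.app_name}: single secret larger than the group cap")
        for group in groups:
            fits_count = len(group) < MAX_SECRETS_PER_GROUP
            fits_size = sum(s.size_bytes for s in group) + secret.size_bytes <= MAX_TOTAL_BYTES_PER_GROUP
            if fits_count and fits_size:
                group.append(secret)
                break
        else:
            groups.append([secret])
    return groups


if __name__ == "__main__":
    sample = build_sample()
    print("current group:", check_group(sample) or "compliant")
    for n, group in enumerate(plan_split(sample), start=1):
        print(f"group {n}: {len(group)} secrets, {sum(s.size_bytes for s in group)} B")
```

With the constructed input the size cap, not the count cap, is the binding constraint: 60 secrets of 300 bytes need two groups of 34 and 26 rather than the two groups of 48 and 12 that the count limit alone would suggest, which is why the size of each stored credential should be measured before deciding how many new groups to create.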
What's New
Enablement of combined security information registration for MFA and SSPR General Availability
Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection
Last year Microsoft announced the combined registration user experience for multi-factor authentication (MFA) and self-service password reset (SSPR) was rolling out as the default experience for all organizations. Microsoft is happy to announce that the combined security information registration experience is now fully rolled out. This change doesn't affect tenants located in the China region.
New Federated Apps available in the Azure AD Application gallery General Availability
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In April 2023, Microsoft added the following new applications to the Azure AD App gallery with Federation support:
- iTel Alert
- goFLUENT
- StructureFlow
- StructureFlow AU
- StructureFlow CA
- StructureFlow EU
- StructureFlow USA
- Predict360 SSO
- Cegid Cloud
- HashiCorp Cloud Platform (HCP)
- O'Reilly learning platform
- LeftClick Web Services – RoomGuide
- LeftClick Web Services – Sharepoint
- LeftClick Web Services – Presence
- LeftClick Web Services – Single Sign-On
- InterPrice Technologies
- WiggleDesk SSO
- Application Experience with Mist
- Connect Plans 360
- Proactis Rego Source-to-Contract
- Danomics
- Fountain
- Theom
- DDC Web
- Dozuki
Authenticator Lite in Outlook Public Preview
Service category: Microsoft Authenticator App
Product capability: User Authentication
Authenticator Lite is an additional surface for Azure AD users to complete multi-factor authentication (MFA) using push notifications on their Android or iOS device. With Authenticator Lite, users can satisfy an MFA requirement from the convenience of a familiar app.
Authenticator Lite is currently enabled in the Outlook mobile app. Users may receive a notification in their Outlook mobile app to approve or deny, or use the Outlook app to generate an OATH verification code that can be entered during sign-in.
The Microsoft managed setting for this feature will be set to enabled on May 26th, 2023. This will enable the feature for all users in tenants where the feature is set to Microsoft managed. If admins wish to change the state of this feature, they need to do so before May 26th, 2023.
Token Protection for Sign-in Sessions Public Preview
Service category: Conditional Access
Product capability: User Authentication
Token Protection for sign-in sessions is Microsoft's first release on a roadmap to combat attacks involving token theft and replay. Through Conditional Access, it enforces token proof-of-possession for supported clients and services, so that access to the specified resources is only possible from the device on which the user signed in; a token copied off that device cannot be replayed elsewhere.
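Because the control only works for supported clients and services, the scoping of the Conditional Access policy matters more than usual. The following is an added example, not Microsoft's code: it builds a pilot policy body and lints a policy for scope that the preview cannot serve. Assumptions: token protection is set through the Graph beta session control `secureSignInSession`; the preview supports only Windows desktop/mobile clients against Exchange Online and SharePoint Online; anything else left in scope would fail the control once the policy is enforced; and the pilot group GUID is a placeholder.

```python
"""Lint a Conditional Access policy body before turning on token protection.

Added example, not Microsoft's code. Assumptions: token protection is set through
the Graph beta session control 'secureSignInSession'; the preview supports only
Windows desktop/mobile clients against Exchange Online and SharePoint Online, and
anything else left in scope would fail the control once the policy is enforced.
"""
from typing import Dict, List

# Well-known first-party resource app IDs; assumed to be the supported set in the preview.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
SUPPORTED_RESOURCES = {EXCHANGE_ONLINE, SHAREPOINT_ONLINE}
SUPPORTED_CLIENT_APP_TYPES = {"mobileAppsAndDesktopClients"}
SUPPORTED_PLATFORMS = {"windows"}


def token_protection_policy(name: str, pilot_group_id: str, report_only: bool = True) -> Dict:
    """Body for POST /beta/identity/conditionalAccess/policies scoped to a pilot group."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [pilot_group_id]},
            "applications": {"includeApplications": sorted(SUPPORTED_RESOURCES)},
            "clientAppTypes": sorted(SUPPORTED_CLIENT_APP_TYPES),
            "platforms": {"includePlatforms": sorted(SUPPORTED_PLATFORMS)},
        },
        # Token protection is a session control, not a grant control.
        "sessionControls": {"secureSignInSession": {"isEnabled": True}},
    }


def lint_token_protection_policy(policy: Dict) -> List[str]:
    """Return findings that make the policy ineffective or that would lock out unsupported clients."""
    findings: List[str] = []
    session = policy.get("sessionControls") or {}
    if not (session.get("secureSignInSession") or {}).get("isEnabled"):
        findings.append("secureSignInSession not enabled: policy does not bind tokens to the device")

    cond = policy.get("conditions") or {}
    apps = set((cond.get("applications") or {}).get("includeApplications", []))
    if apps == {"All"} or apps - SUPPORTED_RESOURCES:
        findings.append("resources outside Exchange Online/SharePoint Online are in scope")

    client_types = set(cond.get("clientAppTypes", []))
    if client_types == {"all"} or client_types - SUPPORTED_CLIENT_APP_TYPES:
        findings.append("client app types beyond mobileAppsAndDesktopClients are in scope")

    platforms = set((cond.get("platforms") or {}).get("includePlatforms", []))
    if not platforms or platforms == {"all"} or platforms - SUPPORTED_PLATFORMS:
        findings.append("platform condition is missing or includes non-Windows platforms")

    users = cond.get("users") or {}
    if users.get("includeUsers") == ["All"] and policy.get("state") == "enabled":
        findings.append("enforced for all users with no report-only stage; pilot with a group first")
    return findings


if __name__ == "__main__":
    # Placeholder GUID for the pilot group (assumption, not a real object ID).
    good = token_protection_policy("Token protection pilot", "00000000-0000-0000-0000-000000000000")
    print("pilot policy:", lint_token_protection_policy(good) or "no findings")
    broad = {
        "displayName": "Token protection everywhere",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "sessionControls": {"secureSignInSession": {"isEnabled": True}},
    }
    for finding in lint_token_protection_policy(broad):
        print(" -", finding)
```

The point of the linter is the difference between the two policies: the pilot body passes, while the "everywhere" body collects four findings, one for each way the preview's supported set is exceeded. Run the pilot in report-only mode and review the sign-in log entries it produces before switching the state to enabled.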
Custom attributes for Azure Active Directory Domain Services Public Preview
Service category: Azure Active Directory Domain Services
Product capability: Azure Active Directory Domain Services
Azure Active Directory Domain Services will now support synchronizing custom attributes from Azure AD for on-premises accounts.
New provisioning connectors in the Azure AD Application Gallery Public Preview
Service category: App Provisioning
Product capability: 3rd Party Integration
Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:
What's Changed
System-preferred MFA method General Availability
Service category: Authentications (Logins)
Product capability: Identity Security & Protection
Currently, organizations and users rely on a range of authentication methods, each offering varying degrees of security. While multi-factor authentication (MFA) is crucial, some MFA methods are more secure than others. Despite having access to more secure MFA options, users frequently choose less secure methods for various reasons.
To address this challenge, Microsoft introduces a new system-preferred authentication method for MFA. When users sign in, the system will determine and display the most secure MFA method that the user has registered. This prompts users to switch from the default method to the most secure option. While users may still choose a different MFA method, they'll always be prompted to use the most secure method first for every session that requires MFA.
SSPR now supports PIM eligible users and indirect group role assignment General Availability
Service category: Self Service Password Reset
Product capability: Identity Security & Protection
Self Service Password Reset (SSPR) can now evaluate PIM eligible users and group-based memberships, along with direct memberships, when checking whether a user is in a particular administrator role. This capability provides more accurate SSPR policy enforcement by validating whether users are in scope for the default SSPR admin policy or your organization's SSPR user policy.
Enhanced Create User and Invite User Experiences Public Preview
Service category: User Management
Product capability: User Management
Admins can now define more properties when creating and inviting a user in the Entra admin portal. These improvements bring Microsoft's user experience to parity with its Create User APIs. Additionally, admins can now add users to a group or Administrative Unit (AU), and assign roles.
Azure AD Conditional Access Protected actions Public Preview
Service category: Role-based Access Control (RBAC)
Product capability: Access Control
The 'Protected actions' feature introduces the ability to apply Conditional Access to select Azure AD permissions (directory resource actions, not Graph API permissions). When a user performs a protected action, they must first satisfy the Conditional Access policy requirements, such as stepping up to phishing-resistant MFA or using a compliant device.
New PIM Azure resource picker Public Preview
Service category: Privileged Identity Management
Product capability: End User Experiences
With this new experience, Azure AD Privileged Identity Management (PIM) now automatically manages any type of resource in a tenant, so discovery and activation are no longer required. With the new resource picker, admins can directly choose the scope they want to manage, from the Management Group down to the resources themselves, making it faster and easier to locate the resources they need to manage.
What's Fixed
Additional terms of use audit logs will be turned off General Availability
Service category: Terms of Use
Product capability: Authorization/Access Delegation
Due to a technical issue, Microsoft has recently started to emit additional audit logs for Terms of Use. The additional audit logs will be turned off by the first of May and are tagged with the core directory service and the agreement category. If the organization has built a dependency on the additional audit logs, admins must switch to the regular audit logs tagged with the Terms of Use service.
Alert on active-permanent role assignments in Azure or assignments made outside of PIM General Availability
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
The 'Alert on Azure subscription role assignments made outside of Privileged Identity Management (PIM)' feature provides an alert in PIM for Azure subscription assignments made outside of PIM. An Owner or User Access Administrator for the Azure subscription can take a quick remediation action to remove those assignments.