Entra ID, previously known as Azure AD is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for July 2023:

What's Planned

Conditional Access templates General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access templates are predefined set of conditions and controls that provide a convenient method to deploy new policies aligned with Microsoft recommendations. Organizations are assured that their policies reflect modern best practices for securing corporate assets, promoting secure, optimal access for their hybrid workforce.

What's New

Azure Active Directory (Azure AD) is being renamed General Availability

Service category: N/A
Product capability: End User Experiences

No action is required from you, but you may need to update some of your own documentation.

Azure AD is being renamed to Microsoft Entra ID. The name change rolls out across all Microsoft products and experiences throughout the second half of 2023.

Capabilities, licensing, and usage of the product isn't changing. To make the transition seamless for organizations, the pricing, terms, service level agreements, URLs, APIs, PowerShell cmdlets, Microsoft Authentication Library (MSAL) and developer tooling remain the same.

Conditional Access for Protected Actions General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Protected actions are high-risk operations, such as altering access policies or changing trust settings, that can significantly impact an organization's security. To add an extra layer of protection, Conditional Access for Protected Actions lets organizations define specific conditions for users to perform these sensitive tasks.

Lifecycle Workflows General Availability

Service category: Lifecycle Workflows
Product capability: Identity Governance

User identity lifecycle is a critical part of an organization’s security posture, and when managed correctly, can have a positive impact on their users’ productivity for Joiners, Movers, and Leavers. The ongoing digital transformation is accelerating the need for good identity lifecycle management.

However, IT and security teams face enormous challenges managing the complex, time-consuming, and error-prone manual processes necessary to execute the required onboarding and offboarding tasks for hundreds of employees at once. This is an ever present and complex issue IT admins continue to face with digital transformation across security, governance, and compliance.

Lifecycle Workflows, part of Entra ID Governance, helps organizations further optimize their user identity lifecycle.

Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities General Availability

Service category: User Experience and Management
Product capability: User Authentication

Update the Microsoft Entra ID and Microsoft 365 sign in experience with new Company Branding capabilities. You can apply your company’s brand guidance to authentication experiences with predefined templates.

Access Reviews for Inactive Users General Availability

Service category: Access Reviews
Product capability: Identity Governance

Access Reviews for Inactive Users, part of Entra ID Governance, allows admins to review and address stale accounts that haven’t been active for a specified period. Admins can set a specific duration to determine inactive accounts that weren't used for either interactive or non-interactive sign-in activities. As part of the review process, stale accounts can automatically be removed.

User-to-Group Affiliation recommendation for group Access Reviews  General Availability

Service category: Access Reviews
Product capability: Identity Governance

This feature provides Machine Learning based recommendations to the reviewers of Access Reviews to make the review experience easier and more accurate. The recommendation leverages machine learning based scoring mechanism and compares users’ relative affiliation with other users in the group, based on the organization’s reporting structure.

Custom Extensions in Entitlement Management General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

Custom extensions in Entitlement Management are now generally available, and allow admins to extend the access lifecycle with organization-specific processes and business logic when access is requested or about to expire. With custom extensions admins can create tickets for manual access provisioning in disconnected systems, send custom notifications to additional stakeholders, or automate additional access-related configuration in business applications such as assigning the correct sales region in Salesforce. Admins can also leverage custom extensions to embed external governance, risk, and compliance (GRC) checks in the access request.

Microsoft Authentication Library for .NET 4.55.0 General Availability

Service category: Other
Product capability: User Authentication

Earlier this month, the Microsoft Authentication Library team announced the release of MSAL.NET 4.55.0, the latest version of the Microsoft Authentication Library for the .NET platform. The new version introduces support for:

• User-assigned managed identity being specified through object IDs,
• CIAM authorities in the WithTenantID API,
• Better error messages when dealing with cache serialization, and;
• Improved logging when using the Windows authentication broker.

Reset Password on Azure Mobile App General Availability

Service category: Other
Product capability: End User Experiences

The Azure mobile app has been enhanced to empower admins with specific permissions to conveniently reset their users' passwords. Self Service Password Reset will not be supported at this time. However, users can still more efficiently control and streamline their own sign-in and auth methods. The mobile app can be downloaded for each platform here:

• Android
• iOS

New Federated Apps available in Entra ID Application gallery General Availability

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2023, Microsoft added the following new applications in the Entra ID Application gallery with Federation support:

1. Gainsight SAML
2. Dataddo
3. Puzzel
4. Worthix App
5. iOps360 IdConnect
6. Airbase
7. Couchbase Capella – SSO
8. SSO for Jama Connect®
9. mediment (メディメント)
10. Netskope Cloud Exchange Administration Console
11. Uber
12. Plenda
13. Deem Mobile
14. 40SEAS
15. Vivantio
16. AppTweak
17. ioTORQ EMIS
18. Vbrick Rev Cloud
19. OptiTurn
20. Application Experience with Mist
21. クラウド勤怠管理システムKING OF TIME
22. Connect1
23. DB Education Portal for Schools
24. SURFconext
25. Chengliye Smart SMS Platform
26. CivicEye SSO
27. Colloquial
28. BigPanda
29. Foreman

New provisioning connectors in the Entra ID Application Gallery Public Preview

ervice category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Entra ID Application gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

1. Albert
2. Rhombus Systems
3. Axiad Cloud
4. Dagster Cloud
5. WATS
6. Funnel Leasing

Windows MAM Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Microsoft is excited to offer MAM Conditional Access capability in Public Preview for Microsoft Edge for Business on Windows.

Using MAM Conditional Access, Microsoft Edge for Business provides users with secure access to organizational data on personal Windows devices with a customizable user experience. Microsoft has combined the familiar security features of app protection policies (APP), Windows Defender client threat defense, and Conditional Access, all anchored to the Entra ID identity to ensure unmanaged devices are healthy and protected before granting data access. This can help organizations to improve their security posture and protect sensitive data from unauthorized access, without requiring full mobile device enrollment.

The new capability extends the benefits of app layer management to the Windows platform via Microsoft Edge for Business. Admins are empowered to configure the user experience and protect organizational data within Microsoft Edge for Business on unmanaged Windows devices.

Dynamic Groups based on EmployeeHireDate User attribute Public Preview

Service category: Group Management
Product capability: Directory

This feature enables admins to create dynamic group rules based on the user objects' employeeHireDate attribute.

Inactive guest insights Public Preview

Service category: Reporting
Product capability: Identity Governance

With Inactive guest insights, admins can monitor guest accounts at scale with intelligent insights into inactive guest users in the organization. Admins can customize the inactivity threshold depending on the organization’s needs, narrow down the scope of guest users they want to monitor and identify the guest users that may be inactive.

Just-in-time application access with PIM for Groups Public Preview

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Organizations can minimize the number of persistent administrators in applications such as AWS and GCP and get just-in-time access to groups in AWS and GCP. While PIM for Groups is publicly available, Microsoft has released a public preview that integrates PIM with provisioning and reduces the activation delay from 40+ minutes to 1 – 2 minutes.

Graph beta API for PIM security alerts on Azure AD roles Public Preview

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Microsoft announces API support (beta) for managing Privileged Identity Management (PIM) security alerts for Entra ID roles. PIM generates alerts when there's suspicious or unsafe activity in the organization in Entra ID (Azure AD). Admins can now manage these alerts using REST APIs.

Service category: Provisioning
Product capability: Inbound to Azure AD

With API-driven inbound provisioning,  the Entra ID provisioning service now supports integration with any system of record. Organizations and partners can use any automation tool of their choice to retrieve workforce data from any system of record for provisioning into Entra ID and connected on-premises Active Directory domains. Admins have full control on how data is processed and transformed with attribute mappings. Once the workforce data is available in Entra ID, admins can configure appropriate joiner-mover-leaver business processes using Entra ID Governance Lifecycle Workflows.

What's Changed

All Users and User Profile General Availability

Service category: User Management
Product capability: User Management

The All Users list now features an infinite scroll, and admins can now modify more properties on the User Profile blade.

Enhanced Create User and Invite User Experiences General Availability

Service category: User Management
Product capability: User Management

Microsoft has increased the number of properties admins are able to define when creating and inviting a user in the Entra admin portal, bringing the UX to parity with the Create User APIs. Additionally, admins can now add users to a group or Administrative Unit (AU), and assign roles.

Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding General Availability

Service category: User Experience and Management
Product capability: End User Experiences

Update the Company Branding functionality on the Microsoft Entra ID/Microsoft 365 sign in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks, and a browser icon.

Automatic assignments to access packages in Entra ID Governance General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

Entra ID Governance includes the ability for an organization to configure an assignment policy in an entitlement management access package that includes an attribute-based rule, similar to dynamic groups, of the users who should be assigned access.

What's Fixed

Service category: Conditional Access
Product capability: End User Experiences

My Apps can now be targeted in Conditional Access policies. This solves a top blocker. The functionality is available in all clouds. General Availability also brings a new app launcher, that improves app launch performance for both SAML and other app types.

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for June 2023:

What's Planned

Modernizing Terms of Use Experiences

Service category: Terms of Use
Product capability: Authorization/Access Delegation

Recently, Microsoft announced the modernization of terms of use end-user experiences as part of ongoing service improvements. As previously communicated the end user experiences will be updated with a new PDF viewer and are moving from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com.

What's New

Support for Directory Extensions using Azure AD Cloud Sync General Availability

Service category: Provisioning
Product capability: Azure Active Directory Connect Cloud Sync

Hybrid IT Admins can now synchronize both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure Active Directory, thereby, allowing organizations to simply map the needed attributes using Cloud Sync's attribute mapping experience.

Privileged Identity Management for Groups General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

With Privileged Identity Management for Groups is now generally available, admins have the ability to grant users just-in-time membership in a group, which in turn provides access to Azure Active Directory roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, as well as third-party applications.

Privileged Identity Management and Conditional Access integration General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

The Privileged Identity Management (PIM) integration with Conditional Access authentication context is generally available. Admins can require users to meet a variety of requirements during role activation such as:

• Have specific authentication method through Authentication Strengths
• Activate from a compliant device
• Validate location, based on GPS
• Not have certain level of sign-in risk identified with Identity Protection
• Meet other requirements defined in Conditional Access policies

The integration is available for all providers:

• PIM for Azure AD roles
• PIM for Azure resources
• PIM for groups

Updated look and feel for Per-user MFA General Availability

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

As part of ongoing service improvements, we're making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change doesn't include any changes to the core functionality and will only include visual improvements.

Converged Authentication Methods in US Gov cloud General Availability

Service category: MFA
Product capability: User Authentication

The Converged Authentication Methods Policy enables admins to manage all authentication methods used for Multi-factor Authentication (MFA) and Self-service Password Reset (SSPR) in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant.

Organizations should migrate management of authentication methods off the legacy MFA and SSPR policies before September 30, 2024.

Include/exclude Entitlement Management in Conditional Access policies General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

The Entitlement Management service can now be targeted in Conditional Access policies for inclusion or exclusion of applications. To target the Entitlement Management service, select Azure AD Identity Governance – Entitlement Management in the cloud apps picker. The Entitlement Management app includes the entitlement management part of My Access, the Entitlement Management part of the Entra and Azure portals, and the Entitlement Management part of MS Graph.

Azure Active Directory User and Group capabilities on Azure Mobile General Availability

Service category: Azure Mobile App
Product capability: End User Experiences

The Azure Mobile app now includes a section for Azure Active Directory. Within Azure Active Directory on mobile, user can search for and view more details about user and groups. Additionally, permitted users can invite guest users to their active tenant, assign group memberships and ownerships for users, and view user sign-in logs.

Restricted Management Administrative Units Public Preview

Service category: Directory Management
Product capability: Access Control

Restricted Management Administrative Units (AUs) allow you to restrict modification of users, security groups, and device in Azure AD so that only designated administrators can make changes. Global Administrators and other tenant-level administrators can't modify the users, security groups, or devices that are added to a restricted management AU.

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Admins can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

• Headspace
• Humbol
• LUSID
• Markit Procurement Service
• Moqups
• Notion
• OpenForms
• SafeGuard Cyber
• Uni-tel A/S
• Vault Platform
• V-Client
• Veritas Enterprise Vault.cloud SSO-SCIM

What's Changed

Report suspicious activity integrated with Identity Protection General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Report suspicious activity is an updated implementation of the MFA fraud alert, where users can report a voice or phone app MFA prompt as suspicious. If enabled, users reporting prompts have their user risk set to high, enabling admins to use Identity Protection risk based policies or risk detection APIs to take remediation actions. Report suspicious activity operates in parallel with the legacy MFA fraud alert at this time.

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2023:

What's New

Cross-tenant synchronization General Availability

Service category: Provisioning
Product capability: Identity Lifecycle Management

Cross-tenant synchronization allows admins to set up a scalable and automated solution for users to access applications across tenants in the organization. It builds upon the External ID functionality and automates creating, updating, and deleting External IDs within tenants in the organization.

Conditional Access authentication strength for members, external users and FIDO2 restrictions General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Authentication strength is a Conditional Access control that allows admins to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. Likewise, to access a non-sensitive resource, they can allow less secure multifactor authentication (MFA) combinations such as password + SMS.

Conditional Access Granular control for external user types General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

When configuring a Conditional Access policy, organizations now have granular control over the types of external users they want to apply the policy to. External users are categorized based on how they authenticate (internally or externally) and their relationship to the organization (guest or member).

Authenticator Lite (In Outlook) General Availability

Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator Lite (in Outlook) is an authentication solution for users that haven't yet downloaded the Microsoft Authenticator app. Users are prompted in Outlook on their mobile device to register for multi-factor authentication. After they enter their password at sign-in, they'll have the option to send a push notification to their Android or iOS device.

Due to the security enhancement this feature provides users, the Microsoft managed value of this feature will be changed from ‘disabled’ to ‘enabled’ on June 9. We’ve made some changes to the feature configuration, so if admins made an update before GA, May 17, please validate that the feature is in the correct state for the tenant prior to June 9. If admins don't wish for this feature to be enabled on June 9, move the state to ‘disabled’, or set users to include and exclude groups.

Admins can restrict their users from creating tenants General Availability

Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings pane allows admins to restrict their users from being able to create new tenants.

Admins can now restrict users from self-service accessing their BitLocker keys General Availability

Service category: Device Access Management
Product capability: User Management

Admins can now restrict their users from self-service accessing their BitLocker keys through the Devices Settings page. Turning on this capability hides the BitLocker key(s) of all non-admin users. This helps to control BitLocker access management at the admin level.

Devices Self-Help Capability for Pending Devices General Availability

Service category: Device Access Management
Product capability: End User Experiences

In the All Devices view under the Registered column, people can now select any pending devices they have, and it opens a context pane to help troubleshoot why a device may be pending.

SAML/Ws-Fed based identity provider authentication for External IDs in US Sec and US Nat clouds General Availability

Service category: Business 2 Business collaboration
Product capability: External ID

SAML/Ws-Fed based identity providers for authentication in Azure AD B2B are generally available in:

• US Sec cloud
• US Nat cloud
• China cloud

Verified threat actor IP sign-in detection General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection has added a new detection, using the Microsoft Threat Intelligence database, to detect sign-ins performed from IP addresses of known nation state and cyber-crime actors and allow organizations to block these sign-ins by using risk-based conditional access policies.

PowerShell and Web Services connector support through the Azure AD provisioning agent General Availability

Service category: Provisioning
Product capability: Outbound to On-premises Applications

The Azure AD on-premises application provisioning feature now supports both the PowerShell and web services connectors. Admins can now provision user objects into a flat file using the PowerShell connector or an app such as SAP ECC using the web services connector.

Managed Identity in Microsoft Authentication Library for .NET General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

The latest version of MSAL.NET graduates the Managed Identity APIs into the General Availability mode of support, which means that developers can integrate them safely in production workloads.

Managed identities are a part of the Azure infrastructure, simplifying how developers handle credentials and secrets to access cloud resources. With Managed Identities, developers don't need to manually handle credential retrieval and security. Instead, they can rely on an automatically managed set of identities to connect to resources that support Azure Active Directory authentication.

Microsoft Entra Permissions Management Azure Active Directory Insights General Availability

Service category: Other
Product capability: Permissions Management

The Azure Active Directory Insights tab in Microsoft Entra Permissions Management provides a view of all permanent role assignments assigned to Global Administrators, and a curated list of highly privileged roles. Administrators can then use the report to take further action within the Azure Active Directory console.

Custom Extensions in Entitlement Management Public Preview

Service category: Entitlement management
Product capability: Identity Governance

Last year Microsoft announced the public preview of custom extensions in Entitlement Management allowing admins to automate complex processes when access is requested or about to expire. Microsoft has recently expanded the public preview to allow for the access package assignment request to be paused while an external process is running. In addition, the external process can now provide feedback to Entitlement Management to either surface additional information to end users in MyAccess or even stop the access request. This expands the scenarios of custom extension from notifications to additional stakeholders or the generation of tickets to advanced scenarios such as external governance, risk and compliance checks. In the course of this update, Microsoft has also improved the audit logs, token security and the payload sent to the Logic App.

In portal guide to configure multi-factor authentication Public Preview

Service category: MFA
Product capability: Identity Security & Protection

The in portal guide to configure multi-factor authentication helps admins get started with Azure Active Directory's MFA capabilities. Admins can find this guide under the Tutorials tab in the Azure AD Overview.

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

• Sign In Enterprise Host Provisioning

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2023 Microsoft added the following new applications in the Azure AD App gallery with Federation support:

1. INEXTRACK
2. Valotalive Digital Signage Microsoft 365 integration
3. Tailscale
4. MANTL
5. ServusConnect
6. Jigx MS Graph Demonstrator
7. Delivery Solutions
8. Radiant IOT Portal
9. Cosgrid Networks
10. voya SSO
11. Redocly
12. Glaass Pro
13. TalentLyftOIDC
14. Cisco Expressway
15. IBM TRIRIGA on Cloud
16. Avionte Bold SAML Federated SSO
17. InspectNTrack
18. CAREERSHIP
19. Cisco Unity Connection
20. HSC-Buddy
21. teamecho
22. Uni-tel A/S
23. AskFora
24. Enterprise Bot
25. CMD+CTRL Base Camp
26. Debitia Collections
27. EnergyManager
28. Visual Workforce
29. Uplifter
30. AI2
31. TES Cloud
32. VEDA Cloud
33. SOC SST
34. Alchemer
35. Cleanmail Swiss
36. WOX
37. WATS
38. Data Quality Assistant
39. Softdrive
40. Fluence Portal
41. Humbol
42. Document360
43. Engage by Local Measure
44. Gate Property Management Software
45. Locus
46. Banyan Infrastructure
47. Proactis Rego Invoice Capture
48. SecureTransport
49. Recnice

What's Changed

My Security-info now shows Microsoft Authenticator type General Availaibility

Service category: MFA
Product capability: Identity Security & Protection

Microsoft has improved My Sign-ins and My Security-Info to give admins more clarity on the types of Microsoft Authenticator or other Authenticator apps a user has registered. Users will now see Microsoft Authenticator registrations with additional information showing the app as being registered as Push-based MFA or Password-less phone sign-in (PSI) and for other Authenticator apps (Software OATH) Microsoft now indicates they're registered as a Time-based One-time password method.

New My Groups Experience Public Preview

Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at myaccount.microsoft.com/groups. This experience replaces the existing My Groups experience at mygroups.microsoft.com in May.