What's New in Microsoft Defender for Identity in July 2023

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

 

What's New

New security posture reports

Defender for Identity's identity security posture assessments proactively detect and recommend actions across your on-premises Active Directory configurations.

The following new security posture assessments are now available in Microsoft Secure Score:

 

Automatic redirection for the classic Defender for Identity portal

The Microsoft Defender for Identity portal experience and functionality have been converged into Microsoft's extended detection and response (XDR) platform, Microsoft 365 Defender. As of July 6, 2023, customers using the classic Defender for Identity portal are automatically redirected to Microsoft 365 Defender, with no option to revert to the classic portal.

 

Search for Active Directory groups in Microsoft 365 Defender Preview

The Microsoft 365 Defender global search now supports searching by Active Directory group name. Any groups found are shown in the results on a separate Groups tab. Select an Active Directory group from the search results to see more details, including:

  • Type
  • Scope
  • Domain
  • SAM name
  • SID
  • Group creation time
  • The first time an activity by the group was observed
  • Groups that contain the selected group
  • A list of all group members

 

Defender for Identity report downloads and scheduling in Microsoft 365 Defender Preview

Now, admins can download and schedule periodic Defender for Identity reports from the Microsoft 365 Defender portal, creating parity in report functionality with the classic Defender for Identity portal.

Download and schedule reports in Microsoft 365 Defender from the Settings > Identities > Report management page.

 

Defender for Identity release 2.209

This version includes improvements and bug fixes for cloud services and the Defender for Identity sensor.

 

Defender for Identity release 2.208

This version includes improvements and bug fixes for cloud services and the Defender for Identity sensor.

 

Defender for Identity release 2.207

This version provides the new AccessKeyFile installation parameter. Use the AccessKeyFile parameter during a silent installation of a Defender for Identity sensor, to set the workspace Access Key from a provided text path.

It also includes improvements and bug fixes for cloud services and the Defender for Identity sensor.
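As an added example (not code from the original post or from Microsoft's documentation), the following PowerShell performs the silent sensor installation described above while keeping the workspace Access Key out of the process command line, where it would otherwise be captured by command-line auditing (Security event 4688, Sysmon, EDR). It assumes the sensor package has been extracted to C:\Temp\DfI, that the key is fetched from your secret store (an environment variable stands in for it here), and that the installer's AccessKeyFile parameter reads the key from the given path, as the text above states.

```powershell
# Added example: silent Defender for Identity sensor 2.207+ install using AccessKeyFile.
# Assumptions: installer extracted to C:\Temp\DfI; Access Key supplied via $env:DFI_ACCESS_KEY (placeholder).
$installerDir = 'C:\Temp\DfI'
$installer    = Join-Path $installerDir 'Azure ATP sensor Setup.exe'
$keyFile      = Join-Path $env:ProgramData 'dfi-accesskey.txt'
$accessKey    = $env:DFI_ACCESS_KEY   # placeholder source; pull from your secret store in practice

if ([string]::IsNullOrWhiteSpace($accessKey)) { throw 'Access Key not provided.' }
if (-not (Test-Path $installer)) { throw "Installer not found at $installer" }

# Write the key to a file readable only by SYSTEM and local Administrators.
[System.IO.File]::WriteAllText($keyFile, $accessKey, [System.Text.Encoding]::ASCII)
$acl = Get-Acl -Path $keyFile
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs, keep none
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyFile -AclObject $acl

try {
    # Sensor 2.207 and later accept AccessKeyFile; older sensors only accept AccessKey="<key>",
    # which exposes the key on the command line.
    $setupArgs = @(
        '/quiet',
        'NetFrameworkCommandLineArguments="/q"',
        "AccessKeyFile=`"$keyFile`""
    )
    $proc = Start-Process -FilePath $installer -ArgumentList $setupArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "Sensor setup exited with code $($proc.ExitCode)" }
}
finally {
    # Remove the key file whatever the outcome; the sensor keeps the key in its own configuration.
    Remove-Item -Path $keyFile -Force -ErrorAction SilentlyContinue
}
```

Run it as an administrator on the domain controller (or as the SYSTEM account from your deployment tooling); the key file only exists for the duration of the installation.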


What's New in Entra ID (Azure Active Directory) for July 2023

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for July 2023:

 

What's Planned

Conditional Access templates General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access templates are a predefined set of conditions and controls that provide a convenient method to deploy new policies aligned with Microsoft recommendations. Organizations are assured that their policies reflect modern best practices for securing corporate assets, promoting secure, optimal access for their hybrid workforce.

 

What's New

Azure Active Directory (Azure AD) is being renamed General Availability

Service category: N/A
Product capability: End User Experiences

No action is required from you, but you may need to update some of your own documentation.

Azure AD is being renamed to Microsoft Entra ID. The name change rolls out across all Microsoft products and experiences throughout the second half of 2023.

Capabilities, licensing, and usage of the product aren't changing. To make the transition seamless for organizations, the pricing, terms, service level agreements, URLs, APIs, PowerShell cmdlets, Microsoft Authentication Library (MSAL) and developer tooling remain the same.

 

Conditional Access for Protected Actions General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Protected actions are high-risk operations, such as altering access policies or changing trust settings, that can significantly impact an organization's security. To add an extra layer of protection, Conditional Access for Protected Actions lets organizations define specific conditions for users to perform these sensitive tasks.

 

Lifecycle Workflows General Availability

Service category: Lifecycle Workflows
Product capability: Identity Governance

User identity lifecycle is a critical part of an organization’s security posture, and when managed correctly, can have a positive impact on their users’ productivity for Joiners, Movers, and Leavers. The ongoing digital transformation is accelerating the need for good identity lifecycle management.

However, IT and security teams face enormous challenges managing the complex, time-consuming, and error-prone manual processes necessary to execute the required onboarding and offboarding tasks for hundreds of employees at once. This is an ever present and complex issue IT admins continue to face with digital transformation across security, governance, and compliance.

Lifecycle Workflows, part of Entra ID Governance, helps organizations further optimize their user identity lifecycle.

 

Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities General Availability

Service category: User Experience and Management
Product capability: User Authentication

Update the Microsoft Entra ID and Microsoft 365 sign in experience with new Company Branding capabilities. You can apply your company’s brand guidance to authentication experiences with predefined templates.

 

Access Reviews for Inactive Users General Availability

Service category: Access Reviews
Product capability: Identity Governance

Access Reviews for Inactive Users, part of Entra ID Governance, allows admins to review and address stale accounts that haven’t been active for a specified period. Admins can set a specific duration to determine inactive accounts that weren't used for either interactive or non-interactive sign-in activities. As part of the review process, stale accounts can automatically be removed.

 

User-to-Group Affiliation recommendation for group Access Reviews General Availability

Service category: Access Reviews
Product capability: Identity Governance

This feature provides machine learning-based recommendations to the reviewers of Access Reviews to make the review experience easier and more accurate. The recommendation uses a machine learning-based scoring mechanism and compares a user's relative affiliation with other users in the group, based on the organization's reporting structure.

 

Custom Extensions in Entitlement Management General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

Custom extensions in Entitlement Management are now generally available, and allow admins to extend the access lifecycle with organization-specific processes and business logic when access is requested or about to expire. With custom extensions admins can create tickets for manual access provisioning in disconnected systems, send custom notifications to additional stakeholders, or automate additional access-related configuration in business applications such as assigning the correct sales region in Salesforce. Admins can also leverage custom extensions to embed external governance, risk, and compliance (GRC) checks in the access request.

 

Microsoft Authentication Library for .NET 4.55.0 General Availability

Service category: Other
Product capability: User Authentication

Earlier this month, the Microsoft Authentication Library team announced the release of MSAL.NET 4.55.0, the latest version of the Microsoft Authentication Library for the .NET platform. The new version introduces support for:

  • User-assigned managed identity being specified through object IDs,
  • CIAM authorities in the WithTenantID API,
  • Better error messages when dealing with cache serialization, and;
  • Improved logging when using the Windows authentication broker.

 

Microsoft Authentication Library for Python 1.23.0 General Availability

Service category: Other
Product capability: User Authentication

Earlier this month, the Microsoft Authentication Library team announced the release of MSAL for Python version 1.23.0. The new version of the library adds support for better caching when using client credentials, eliminating the need to request new tokens repeatedly when cached tokens exist.

 

Reset Password on Azure Mobile App General Availability

Service category: Other
Product capability: End User Experiences

The Azure mobile app has been enhanced to empower admins with specific permissions to conveniently reset their users' passwords. Self Service Password Reset will not be supported at this time. However, users can still more efficiently control and streamline their own sign-in and auth methods. The mobile app can be downloaded for each platform here:

 

New Federated Apps available in Entra ID Application gallery General Availability

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2023, Microsoft added the following new applications in the Entra ID Application gallery with Federation support:

  1. Gainsight SAML
  2. Dataddo
  3. Puzzel
  4. Worthix App
  5. iOps360 IdConnect
  6. Airbase
  7. Couchbase Capella – SSO
  8. SSO for Jama Connect®
  9. mediment (メディメント)
  10. Netskope Cloud Exchange Administration Console
  11. Uber
  12. Plenda
  13. Deem Mobile
  14. 40SEAS
  15. Vivantio
  16. AppTweak
  17. ioTORQ EMIS
  18. Vbrick Rev Cloud
  19. OptiTurn
  20. Application Experience with Mist
  21. クラウド勤怠管理システムKING OF TIME
  22. Connect1
  23. DB Education Portal for Schools
  24. SURFconext
  25. Chengliye Smart SMS Platform
  26. CivicEye SSO
  27. Colloquial
  28. BigPanda
  29. Foreman

 

New provisioning connectors in the Entra ID Application Gallery Public Preview

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Entra ID Application gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

  1. Albert
  2. Rhombus Systems
  3. Axiad Cloud
  4. Dagster Cloud
  5. WATS
  6. Funnel Leasing

 

Windows MAM Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Microsoft now offers MAM Conditional Access in Public Preview for Microsoft Edge for Business on Windows.

Using MAM Conditional Access, Microsoft Edge for Business provides users with secure access to organizational data on personal Windows devices with a customizable user experience. Microsoft has combined the familiar security features of app protection policies (APP), Windows Defender client threat defense, and Conditional Access, all anchored to the Entra ID identity to ensure unmanaged devices are healthy and protected before granting data access. This can help organizations to improve their security posture and protect sensitive data from unauthorized access, without requiring full mobile device enrollment.

The new capability extends the benefits of app layer management to the Windows platform via Microsoft Edge for Business. Admins are empowered to configure the user experience and protect organizational data within Microsoft Edge for Business on unmanaged Windows devices.

 

Dynamic Groups based on EmployeeHireDate User attribute Public Preview

Service category: Group Management
Product capability: Directory

This feature enables admins to create dynamic group rules based on the user objects' employeeHireDate attribute.
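As an added example (not code from the original post), the following PowerShell creates such a dynamic group with the Microsoft Graph PowerShell SDK: a security group of users whose employeeHireDate falls within the last 30 days, which is the kind of group you would target from a Conditional Access or Lifecycle Workflow scope. It assumes the SDK is installed, the caller holds Group.ReadWrite.All, and that the rule expression below (system.now with an ISO 8601 duration) is accepted by your tenant's rule validator; treat the exact rule syntax as an assumption and confirm it in the portal's rule editor.

```powershell
# Added example: dynamic group keyed on employeeHireDate (rule syntax is an assumption; validate in your tenant).
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$rule = '(user.employeeHireDate -ge system.now -minus p30d)'   # hired in the last 30 days

$group = New-MgGroup -DisplayName 'New Hires (last 30 days)' `
    -MailEnabled:$false -MailNickname 'newhires30d' -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Confirm the rule was stored and processing is enabled. Membership is evaluated
# asynchronously, so members appear after a short delay; a rule that failed
# validation would show a processing state of 'Paused' or an empty rule.
Get-MgGroup -GroupId $group.Id -Property 'id,displayName,membershipRule,membershipRuleProcessingState' |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
```

Because employeeHireDate is typically written by the HR-driven provisioning flow, a group like this only works as well as the attribute mapping that populates the attribute; verify a few users with Get-MgUser -Property employeeHireDate before relying on it in policy.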

 

Inactive guest insights Public Preview

Service category: Reporting
Product capability: Identity Governance

With Inactive guest insights, admins can monitor guest accounts at scale with intelligent insights into inactive guest users in the organization. Admins can customize the inactivity threshold depending on the organization’s needs, narrow down the scope of guest users they want to monitor and identify the guest users that may be inactive.

 

Just-in-time application access with PIM for Groups Public Preview

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Organizations can minimize the number of persistent administrators in applications such as AWS and GCP and get just-in-time access to groups in AWS and GCP. While PIM for Groups is publicly available, Microsoft has released a public preview that integrates PIM with provisioning and reduces the activation delay from 40+ minutes to 1 – 2 minutes.

 

Graph beta API for PIM security alerts on Azure AD roles Public Preview

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Microsoft announces API support (beta) for managing Privileged Identity Management (PIM) security alerts for Entra ID roles. PIM generates alerts when there's suspicious or unsafe activity in the organization in Entra ID (Azure AD). Admins can now manage these alerts using REST APIs.
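As an added example (not code from the original post), the following PowerShell pulls the active PIM security alerts for Entra ID roles through the beta endpoint and lists the principals behind each incident, which is what a security operations team would feed into a ticket or a scheduled report. It assumes the Microsoft Graph PowerShell SDK, a caller holding RoleManagementAlert.Read.Directory, and that the endpoint, filter and property names below match the beta shape current when this was written; beta contracts can change, so treat them as assumptions.

```powershell
# Added example: enumerate active PIM security alerts for Entra ID roles (beta API; shape is an assumption).
Connect-MgGraph -Scopes 'RoleManagementAlert.Read.Directory'

$uri = 'https://graph.microsoft.com/beta/identityGovernance/roleManagementAlerts/alerts' +
       '?$filter=scopeId eq ''/'' and scopeType eq ''DirectoryRole''' +
       '&$expand=alertDefinition,alertConfiguration,alertIncidents'

$alerts = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# Example alertDefinitionId values documented for the beta API include
# TooManyGlobalAdminsAssignedToTenantAlert, RolesAssignedOutsidePimAlert and
# NoMfaOnRoleActivationAlert; the incident objects carry the affected principal.
$report = foreach ($a in $alerts | Where-Object { $_.isActive }) {
    [pscustomobject]@{
        Alert      = $a.alertDefinitionId
        Severity   = $a.alertDefinition.severityLevel
        Enabled    = $a.alertConfiguration.isEnabled
        Incidents  = $a.incidentCount
        LastScan   = $a.lastScannedDateTime
        Principals = ($a.alertIncidents |
                        ForEach-Object { $_.assigneeDisplayName } |
                        Where-Object { $_ }) -join ', '
    }
}

$report | Sort-Object Severity, Alert | Format-Table -AutoSize
```

RolesAssignedOutsidePimAlert is the one worth alerting on immediately: a permanent, non-PIM assignment to a privileged directory role is exactly the persistence an attacker with a compromised admin credential would create.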

 

API-driven inbound user provisioning Public Preview

Service category: Provisioning
Product capability: Inbound to Azure AD

With API-driven inbound provisioning, the Entra ID provisioning service now supports integration with any system of record. Organizations and partners can use any automation tool of their choice to retrieve workforce data from any system of record for provisioning into Entra ID and connected on-premises Active Directory domains. Admins have full control on how data is processed and transformed with attribute mappings. Once the workforce data is available in Entra ID, admins can configure appropriate joiner-mover-leaver business processes using Entra ID Governance Lifecycle Workflows.
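As an added example (not code from the original post), the following PowerShell shows what "any automation tool" actually sends: a SCIM 2.0 BulkRequest carrying one worker record, posted to the provisioning job's bulk upload endpoint, followed by a query of the provisioning logs for that job. It assumes the API-driven provisioning app has been created and started, that its service principal object ID and job ID are known (placeholders below), that the caller holds SynchronizationData-User.Upload, and that the endpoint and log filter are the beta shapes current when this was written. The worker record is constructed sample data.

```powershell
# Added example: push one HR record into API-driven inbound provisioning as a SCIM BulkRequest (beta endpoint).
Connect-MgGraph -Scopes 'SynchronizationData-User.Upload', 'AuditLog.Read.All'

$servicePrincipalId = '<service-principal-object-id>'   # placeholder
$jobId              = '<provisioning-job-id>'            # placeholder

# Constructed sample worker; in practice this is one row from the HR export.
$worker = @{ id = 'W1001'; first = 'Ada'; last = 'Example'; email = 'ada@example.com'
             dept = 'Security'; managerId = 'W0007' }

$bulk = @{
    schemas    = @('urn:ietf:params:scim:api:messages:2.0:BulkRequest')
    Operations = @(
        @{
            method = 'POST'
            bulkId = [guid]::NewGuid().ToString()
            path   = '/Users'
            data   = @{
                schemas    = @('urn:ietf:params:scim:schemas:core:2.0:User',
                               'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User')
                externalId = $worker.id          # the HR identifier your attribute mapping matches on
                userName   = $worker.email
                active     = $true
                name       = @{ givenName = $worker.first; familyName = $worker.last }
                emails     = @(@{ primary = $true; type = 'work'; value = $worker.email })
                'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' = @{
                    employeeNumber = $worker.id
                    department     = $worker.dept
                    manager        = @{ value = $worker.managerId }
                }
            }
        }
    )
}

$uri  = "https://graph.microsoft.com/beta/servicePrincipals/$servicePrincipalId/synchronization/jobs/$jobId/bulkUpload"
$body = $bulk | ConvertTo-Json -Depth 10

# The endpoint requires the SCIM media type and answers 202 Accepted; processing is asynchronous,
# so a 202 only means the payload was queued, not that the user was created.
Invoke-MgGraphRequest -Method POST -Uri $uri -ContentType 'application/scim+json' -Body $body

# Check the outcome in the provisioning logs for this job (filter shape is an assumption).
Start-Sleep -Seconds 60
$logUri = "https://graph.microsoft.com/beta/auditLogs/provisioning?`$filter=jobId eq '$jobId'&`$top=10"
(Invoke-MgGraphRequest -Method GET -Uri $logUri).value |
    Select-Object activityDateTime, @{n='Status';e={$_.provisioningStatusInfo.status}},
                  @{n='Target';e={$_.targetIdentity.displayName}}
```

Because this endpoint lets any caller with the upload permission create and update directory users, scope the permission to a dedicated application identity, restrict where its credential lives, and alert on grants of SynchronizationData-User.Upload to anything else.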

 

What's Changed

All Users and User Profile General Availability

Service category: User Management
Product capability: User Management

The All Users list now features an infinite scroll, and admins can now modify more properties on the User Profile blade.

 

Enhanced Create User and Invite User Experiences General Availability

Service category: User Management
Product capability: User Management

Microsoft has increased the number of properties admins are able to define when creating and inviting a user in the Entra admin portal, bringing the UX to parity with the Create User APIs. Additionally, admins can now add users to a group or Administrative Unit (AU), and assign roles.

 

Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding General Availability

Service category: User Experience and Management
Product capability: End User Experiences

Update the Company Branding functionality on the Microsoft Entra ID/Microsoft 365 sign in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks, and a browser icon.

 

Automatic assignments to access packages in Entra ID Governance General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

Entra ID Governance includes the ability for an organization to configure an assignment policy in an entitlement management access package that includes an attribute-based rule, similar to dynamic groups, of the users who should be assigned access.

 

What's Fixed

Include/exclude My Apps in Conditional Access policies General Availability

Service category: Conditional Access
Product capability: End User Experiences

My Apps can now be targeted in Conditional Access policies. This solves a top blocker. The functionality is available in all clouds. General Availability also brings a new app launcher, that improves app launch performance for both SAML and other app types.

 


On-premises Identity-related updates and fixes for July 2023

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for July 2023:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5028169 July 11, 2023

The July 11, 2023, update for Windows Server 2016 (KB5028169), updating the OS build number to 14393.6085, is a monthly cumulative update and includes one Identity-related improvement. This update addresses an issue that affects all the registry settings under the Policies paths. They might be deleted. This occurs when you do not rename the local temporary user policy file during Group Policy processing.

 

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5028168 July 11, 2023

The July 11, 2023, update for Windows Server 2019 (KB5028168), updating the OS build number to 17763.4645, is a monthly cumulative update and includes two Identity-related improvements:

  • This update addresses an issue that affects all the registry settings under the Policies paths. They might be deleted. This occurs when you do not rename the local temporary user policy file during Group Policy processing.
  • This update addresses an issue that affects the Active Directory Users and Computers MMC Snap-in (dsa.msc). It stops responding. This occurs when you use TaskPad view to enable or disable many objects at the same time.

 

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5028171 July 11, 2023

The July 11, 2023, update for Windows Server 2022 (KB5028171), updating the OS build number to 20348.1850, is a monthly cumulative update and includes two Identity-related improvements:

  • This update addresses an issue that affects all the registry settings under the Policies paths. They might be deleted. This occurs when you do not rename the local temporary user policy file during Group Policy processing.
  • This update addresses an issue that affects the Active Directory Users and Computers MMC Snap-in (dsa.msc). It stops responding. This occurs when you use TaskPad view to enable or disable many objects at the same time.
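As an added example (not code from the original post), the following PowerShell checks every domain controller in the forest for the July 11, 2023 cumulative update by comparing the installed build against the three builds named above (14393.6085, 17763.4645 and 20348.1850). The Group Policy registry-deletion bug fixed this month silently removes Policies-path settings, so knowing which DCs still lack the fix matters. It assumes the ActiveDirectory module is available, that WinRM is reachable on all DCs, and that the caller can read the remote registry.

```powershell
# Added example: July 2023 CU compliance across all domain controllers.
Import-Module ActiveDirectory

# Major build -> first UBR that contains the July 11, 2023 update (from the builds listed above).
$fixed = @{ '14393' = 6085; '17763' = 4645; '20348' = 1850 }

$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$builds = Invoke-Command -ComputerName $dcs.HostName -ErrorAction Continue -ScriptBlock {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Build = $cv.CurrentBuildNumber; UBR = [int]$cv.UBR }
}

# DCs that did not answer are reported too; an unreachable DC is not a patched DC.
$reported = $builds | ForEach-Object { $_.Host.ToLower() }
foreach ($dc in $dcs) {
    $short = ($dc.HostName -split '\.')[0].ToLower()
    if ($reported -notcontains $short) {
        [pscustomobject]@{ DomainController = $dc.HostName; Build = 'n/a'; Status = 'unreachable' }
    }
}

foreach ($b in $builds) {
    $need   = $fixed[$b.Build]
    $status = if ($null -eq $need) { 'unknown OS build' }
              elseif ($b.UBR -ge $need) { 'patched' }
              else { "missing July 2023 CU (needs $($b.Build).$need)" }
    [pscustomobject]@{ DomainController = $b.Host; Build = "$($b.Build).$($b.UBR)"; Status = $status }
}
```

The UBR comparison is the reliable test here: Get-HotFix only shows updates installed through Windows Update or WUSA and misses media-installed builds, whereas the CurrentVersion build is what is actually running.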

What's New in Microsoft Defender for Identity in June 2023

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

 

What's New

Advanced hunting with an enhanced IdentityInfo table

For tenants with Defender for Identity deployed, the Microsoft 365 IdentityInfo advanced hunting table now includes more attributes per identity, as well as identities detected by the Defender for Identity sensor from your on-premises environment.

 

Defender for Identity release 2.206

This version includes improvements and bug fixes for cloud services and the Defender for Identity sensor.

 

Defender for Identity release 2.205

This version includes improvements and bug fixes for internal sensor infrastructure.


What's New in Azure Active Directory for June 2023

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for June 2023:

 

What's Planned

Modernizing Terms of Use Experiences

Service category: Terms of Use
Product capability: Authorization/Access Delegation

Recently, Microsoft announced the modernization of terms of use end-user experiences as part of ongoing service improvements. As previously communicated the end user experiences will be updated with a new PDF viewer and are moving from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com.

 

What's New

Support for Directory Extensions using Azure AD Cloud Sync General Availability

Service category: Provisioning
Product capability: Azure Active Directory Connect Cloud Sync

Hybrid IT Admins can now synchronize both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure Active Directory, thereby allowing organizations to simply map the needed attributes using Cloud Sync's attribute mapping experience.

 

Privileged Identity Management for Groups General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

With Privileged Identity Management for Groups now generally available, admins have the ability to grant users just-in-time membership in a group, which in turn provides access to Azure Active Directory roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, as well as third-party applications.

 

Privileged Identity Management and Conditional Access integration General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

The Privileged Identity Management (PIM) integration with Conditional Access authentication context is generally available. Admins can require users to meet a variety of requirements during role activation such as:

  • Have specific authentication method through Authentication Strengths
  • Activate from a compliant device
  • Validate location, based on GPS
  • Not have certain level of sign-in risk identified with Identity Protection
  • Meet other requirements defined in Conditional Access policies

The integration is available for all providers:

  • PIM for Azure AD roles
  • PIM for Azure resources
  • PIM for groups

 

Updated look and feel for Per-user MFA General Availability

Service category: Multi-factor Authentication (MFA)
Product capability: Identity Security & Protection

As part of ongoing service improvements, we're making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change doesn't include any changes to the core functionality and will only include visual improvements.

 

Converged Authentication Methods in US Gov cloud General Availability

Service category: MFA
Product capability: User Authentication

The Converged Authentication Methods Policy enables admins to manage all authentication methods used for Multi-factor Authentication (MFA) and Self-service Password Reset (SSPR) in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant.

Organizations should migrate management of authentication methods off the legacy MFA and SSPR policies before September 30, 2024.
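As an added example (not code from the original post), the following PowerShell reads the Authentication Methods Policy through Microsoft Graph and reports the tenant's migration state together with which methods are enabled and for whom, so you can see how far the move off the legacy MFA and SSPR policies has progressed. It assumes the Microsoft Graph PowerShell SDK and a caller holding Policy.Read.All.

```powershell
# Added example: inspect the converged Authentication Methods Policy and its migration state.
Connect-MgGraph -Scopes 'Policy.Read.All'

$policy = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'

# policyMigrationState is one of: preMigration, migrationInProgress, migrationComplete.
# Only migrationComplete means the legacy MFA and SSPR policies are no longer consulted.
"Migration state: $($policy.policyMigrationState)"

$methods = foreach ($m in $policy.authenticationMethodConfigurations) {
    [pscustomobject]@{
        Method  = $m.id                     # e.g. Fido2, MicrosoftAuthenticator, Sms, Voice, Email
        State   = $m.state                  # enabled / disabled
        Targets = ($m.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ', '
    }
}

$methods | Sort-Object State, Method | Format-Table -AutoSize

# Weak, phishable methods still enabled for all users are the ones to scope down or disable first.
$methods | Where-Object { $_.State -eq 'enabled' -and $_.Method -in 'Sms','Voice','Email' -and $_.Targets -match 'group:all_users' }
```

A target of group:all_users is the tenant-wide default; a method scoped to a specific group ID means the targeting the text describes is already in use for that method.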

 

Include/exclude Entitlement Management in Conditional Access policies General Availability

Service category: Entitlement Management
Product capability: Entitlement Management

The Entitlement Management service can now be targeted in Conditional Access policies for inclusion or exclusion of applications. To target the Entitlement Management service, select Azure AD Identity Governance – Entitlement Management in the cloud apps picker. The Entitlement Management app includes the entitlement management part of My Access, the Entitlement Management part of the Entra and Azure portals, and the Entitlement Management part of MS Graph.

 

Azure Active Directory User and Group capabilities on Azure Mobile General Availability

Service category: Azure Mobile App
Product capability: End User Experiences

The Azure Mobile app now includes a section for Azure Active Directory. Within Azure Active Directory on mobile, users can search for and view more details about users and groups. Additionally, permitted users can invite guest users to their active tenant, assign group memberships and ownerships for users, and view user sign-in logs.

 

Restricted Management Administrative Units Public Preview

Service category: Directory Management
Product capability: Access Control

Restricted Management Administrative Units (AUs) allow you to restrict modification of users, security groups, and devices in Azure AD so that only designated administrators can make changes. Global Administrators and other tenant-level administrators can't modify the users, security groups, or devices that are added to a restricted management AU.
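As an added example (not code from the original post), the following PowerShell creates a restricted management AU for break-glass and tier-0 accounts, adds members, and assigns one principal a role scoped to the AU, since once the restriction is on nobody can manage those members without such a scoped assignment. It assumes the Microsoft Graph PowerShell SDK, a caller who is a Privileged Role Administrator, the beta endpoint (the feature was in preview), and placeholder UPNs.

```powershell
# Added example: restricted management AU with a scoped administrator (beta endpoint; UPNs are placeholders).
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'
$graph = 'https://graph.microsoft.com/beta'

# isMemberManagementRestricted must be set at creation time; it cannot be toggled later.
$au = Invoke-MgGraphRequest -Method POST -Uri "$graph/administrativeUnits" -Body @{
    displayName                  = 'Tier-0 Restricted'
    description                  = 'Members modifiable only through roles scoped to this AU'
    isMemberManagementRestricted = $true
}

# Add the protected accounts as members (OData reference to the user object).
foreach ($upn in 'breakglass1@example.com', 'breakglass2@example.com') {
    $user = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$upn`?`$select=id"
    Invoke-MgGraphRequest -Method POST -Uri "$graph/administrativeUnits/$($au.id)/members/`$ref" -Body @{
        '@odata.id' = "$graph/users/$($user.id)"
    } | Out-Null
}

# Designate who may manage these members: a User Administrator scoped to the AU only.
$roleDef = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq 'User Administrator'").value[0]
$scopedAdmin = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/tier0-admin@example.com?`$select=id"

Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignments" -Body @{
    principalId      = $scopedAdmin.id
    roleDefinitionId = $roleDef.id
    directoryScopeId = "/administrativeUnits/$($au.id)"
} | Out-Null

# Verify the restriction flag; without it this is an ordinary AU and tenant-wide admins retain control.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/administrativeUnits/$($au.id)").isMemberManagementRestricted
```

Keep the scoped assignment itself under PIM where possible: the restricted AU removes the Global Administrator's standing control over these accounts, and the scoped role is now the only path to them, so it deserves the same just-in-time treatment.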

 

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Admins can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

 

What's Changed

Report suspicious activity integrated with Identity Protection General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Report suspicious activity is an updated implementation of the MFA fraud alert, where users can report a voice or phone app MFA prompt as suspicious. If enabled, users reporting prompts have their user risk set to high, enabling admins to use Identity Protection risk based policies or risk detection APIs to take remediation actions. Report suspicious activity operates in parallel with the legacy MFA fraud alert at this time.


On-premises Identity-related updates and fixes for June 2023

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for June 2023:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5027219 June 13, 2023

The June 13, 2023, update for Windows Server 2016 (KB5027219), updating the OS build number to 14393.5989, is a monthly cumulative update and includes no specific Identity-related improvements.

KB5028623 June 23, 2023

The June 23, 2023, update for Windows Server 2016 (KB5028623), updating the OS build number to 14393.5996, is an out-of-band update for an Identity-related issue that was introduced with the June 13, 2023 update.

This update addresses a change that affects how admins use the X509Certificate, X509Certificate2, or X509Certificate2Collection classes. This change is described in KB5028608. When using the X509Certificate, X509Certificate2, or X509Certificate2Collection class to import a PKCS#12 blob containing a private key, the calling application may observe an exception. The exception message is:

System.Security.Cryptography.CryptographicException: PKCS12 (PFX) without a supplied password has exceeded maximum allowed iterations. See https://go.microsoft.com/fwlink/?linkid=2233907 for more information.
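As an added example (not code from the original post), the following PowerShell lets you test a given PFX on a Windows Server 2016 host the way an affected application would: it imports the file through X509Certificate2 without a supplied password, classifies the outcome so the iteration-limit exception above is distinguished from any other import failure, and reports whether the out-of-band KB5028623 is installed. The PFX path is a placeholder; a password-protected PFX still needs its password passed to the constructor, which this check deliberately does not do.

```powershell
# Added example: detect the PKCS#12 iteration-limit exception and the presence of KB5028623.
param([string]$PfxPath = 'C:\Temp\test.pfx')   # placeholder path to a PFX exported with a private key

function Test-PfxImport {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # No password argument: this is the code path the exception text refers to.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
        [pscustomobject]@{
            Result        = 'imported'
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            Message       = $null
        }
    }
    catch [System.Security.Cryptography.CryptographicException] {
        $kind = if ($_.Exception.Message -match 'exceeded maximum allowed iterations') {
                    'iteration-limit'          # the KB5028608 behaviour; fixed by KB5028623 on Server 2016
                } else {
                    'other-crypto-error'       # e.g. wrong password, corrupt file, missing file
                }
        [pscustomobject]@{ Result = $kind; Subject = $null; HasPrivateKey = $null; Message = $_.Exception.Message }
    }
}

$import = Test-PfxImport -Path $PfxPath
$kb     = Get-HotFix -Id 'KB5028623' -ErrorAction SilentlyContinue

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    KB5028623     = [bool]$kb
    ImportOutcome = $import.Result
    Detail        = $import.Message
}
```

If ImportOutcome is iteration-limit and KB5028623 is absent, the fix is to install the out-of-band update rather than to re-export the PFX with fewer KDF iterations, which would weaken the protection of the private key at rest.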

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5027222 June 13, 2023

The June 13, 2023, update for Windows Server 2019 (KB5027222), updating the OS build number to 17763.4499, is a monthly cumulative update and includes an Identity-related improvement. This update addresses an issue that might affect the Local Security Authority Subsystem Service (LSASS). It might close sporadically. The system logs the exception 0xc0000710 in the Application Error event 1000. Because of this, the domain controller restarts unexpectedly. This issue affects Read-only Domain Controllers (RODC) that also run Microsoft Defender Advanced Threat Protection (ATP).

 

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5027225 June 13, 2023

The June 13, 2023, update for Windows Server 2022 (KB5027225), updating the OS build number to 20348.1787, is a monthly cumulative update and includes two Identity-related improvements:

  • This update addresses an issue that might affect the Domain Name System (DNS) suffix search list. When you configure it, the parent domain might be missing.
  • This update addresses an issue that might affect the Local Security Authority Subsystem Service (LSASS). It might close sporadically. The system logs the exception 0xc0000710 in the Application Error event 1000. Because of this, the domain controller restarts unexpectedly. This issue affects Read-only Domain Controllers (RODCs) that also run Microsoft Defender Advanced Threat Protection (ATP).
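As an added example (not code from the original post), the following PowerShell hunts for the LSASS crash described in the two bullets above across every read-only domain controller in the forest. It looks for Application Error events (ID 1000) where the faulting application is lsass.exe and the exception code is 0xc0000710, and reports alongside whether each RODC already runs the June 13, 2023 build (17763.4499 for Windows Server 2019, 20348.1787 for Windows Server 2022). It assumes the ActiveDirectory module, remote event log and WinRM access to the RODCs, and a 30-day lookback.

```powershell
# Added example: find lsass.exe 0xc0000710 crashes on RODCs and whether the June 2023 fix is installed.
Import-Module ActiveDirectory

$fixedUbr = @{ '17763' = 4499; '20348' = 1787 }   # builds that carry the fix, from the text above
$since    = (Get-Date).AddDays(-30)

$rodcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter { IsReadOnly -eq $true } -Server $_
}

foreach ($dc in $rodcs) {
    # Event 1000 from "Application Error": Properties[0] = faulting application name,
    # Properties[6] = exception code (the fields rendered as "Faulting application name" / "Exception code").
    $crashes = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } | Where-Object {
        $_.Properties[0].Value -ieq 'lsass.exe' -and $_.Properties[6].Value -ieq '0xc0000710'
    }

    $cv = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
            Select-Object CurrentBuildNumber, UBR
    }
    $need = if ($cv) { $fixedUbr[$cv.CurrentBuildNumber] } else { $null }

    [pscustomobject]@{
        RODC         = $dc.HostName
        Build        = if ($cv) { "$($cv.CurrentBuildNumber).$($cv.UBR)" } else { 'unreachable' }
        Patched      = if ($null -eq $need) { 'n/a' } elseif ([int]$cv.UBR -ge $need) { $true } else { $false }
        LsassCrashes = @($crashes).Count
        LastCrash    = ($crashes | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
}
```

An LSASS crash on a domain controller is also what a credential-theft tool misbehaving looks like, so a crash count that persists after the fixed build is installed, or crashes with a different exception code, should be triaged as a potential security incident rather than written off as this bug.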

Multi-Factor Authentication Server version 8.1.9.1 offers improved migration abilities

Azure Multi-Factor Authentication

On June 15th, 2023, Microsoft released version 8.1.9.1 of its Azure MFA Server product that allows organizations to add multi-factor authentication to RADIUS-, AD FS-, IIS-based and other on-premises authentication scenarios.

Note:
Currently, Microsoft no longer offers Azure Multi-Factor Authentication Server on-premises ("MFA Server") for new deployments and trial tenants. Existing Azure MFA Server deployments stop working starting September 30, 2024.

 

What's New

The release notes mention the following changes:

More options for migrating the default method

Previously, the Migration Utility offered a checkbox for either migrating or not migrating the default method. The latter could cause issues if the user didn't already have a default method in Azure Active Directory.

The new functionality provides three options in the Migration Utility UI:

  1. Always migrate
  2. Only migrate if not already set in Azure AD
  3. Set to the most secure method available if not already set in Azure AD

These options provide a lot more flexibility.

 

Check on the Authentication Methods Policy

When using the Migration Utility, the Authentication Methods Policy is now checked during migration.

If the default method being migrated is not allowed by the policy, then it will instead be set to the most secure method available.

 

Known Issues

Windows Authentication for Remote Desktop Services (RDS) is not supported on Windows Server 2012 R2 and later.

 

Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal or AD FS adapter. Read the guidance in the How to Upgrade section in this blogpost for more information.

 

Download

You can download Azure Multi-Factor Authentication Server 8.1.9.1 here.
The download is 146 MB.

 

Version information

This is version 8.1.9.1 of Azure Multi-Factor Authentication Server.
It was signed off on June 15th, 2023.

FURTHER READING

Existing Azure MFA Server deployments stop working starting September 30, 2024
Ten Things you need to know about Azure Multi-Factor Authentication Server
Supported Azure MFA Server Deployment Scenarios and their pros and cons
HOWTO: Uninstall and Remove Azure MFA Server versions 7.x and 8.x Implementations


What's New in Azure Active Directory for May 2023

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2023:

 

What's New

Cross-tenant synchronization General Availability

Service category: Provisioning
Product capability: Identity Lifecycle Management

Cross-tenant synchronization allows admins to set up a scalable and automated solution for users to access applications across tenants in the organization. It builds upon the External ID functionality and automates creating, updating, and deleting External IDs within tenants in the organization.

 

Conditional Access authentication strength for members, external users and FIDO2 restrictions General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

Authentication strength is a Conditional Access control that allows admins to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. Likewise, to access a non-sensitive resource, they can allow less secure multifactor authentication (MFA) combinations such as password + SMS.
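As an added example that is not part of the original post or of Microsoft's implementation, the block below evaluates the methods used in a sign-in against authentication strength definitions, the way the Conditional Access control described above does, and applies the policy sketched in the text (phishing-resistant methods for a sensitive resource, password + SMS acceptable for a non-sensitive one). The combination lists are a simplified subset of the built-in strengths written for illustration; the tenant's own policy is the authority on which combinations count.

```python
"""Added example (not Microsoft's code): authentication strength evaluation.

Assumption: the combinations below are a simplified subset of the built-in
strengths; the tenant's own policy defines the real set."""
from typing import Dict, FrozenSet, Iterable, Set

Combination = FrozenSet[str]

PHISHING_RESISTANT_MFA: Set[Combination] = {
    frozenset({"fido2"}),
    frozenset({"windowsHelloForBusiness"}),
    frozenset({"x509CertificateMultiFactor"}),
}
PASSWORDLESS_MFA: Set[Combination] = PHISHING_RESISTANT_MFA | {
    frozenset({"microsoftAuthenticatorPasswordless"}),
}
MFA: Set[Combination] = PASSWORDLESS_MFA | {
    frozenset({"password", "sms"}),
    frozenset({"password", "voice"}),
    frozenset({"password", "microsoftAuthenticatorPush"}),
    frozenset({"password", "softwareOath"}),
    frozenset({"temporaryAccessPassOneTime"}),
}

STRENGTHS: Dict[str, Set[Combination]] = {
    "mfa": MFA,
    "passwordlessMfa": PASSWORDLESS_MFA,
    "phishingResistantMfa": PHISHING_RESISTANT_MFA,
}


def satisfies(strength: str, methods_used: Iterable[str]) -> bool:
    """True if any allowed combination is fully covered by the methods used."""
    used = frozenset(methods_used)
    return any(combination <= used for combination in STRENGTHS[strength])


def define_custom_strength(name: str, combinations: Iterable[Combination]) -> None:
    """A custom strength may only pick from combinations that already count as MFA."""
    chosen = set(combinations)
    invalid = chosen - MFA
    if invalid:
        raise ValueError(f"not MFA-grade combinations: {sorted(map(sorted, invalid))}")
    STRENGTHS[name] = chosen


# Policy from the text: phishing-resistant MFA for the sensitive resource,
# plain MFA (password + SMS is enough) for the non-sensitive one.
# Resource names are constructed for the example.
REQUIRED_STRENGTH = {"payroll-app": "phishingResistantMfa", "cafeteria-menu": "mfa"}


def access_decision(resource: str, methods_used: Iterable[str]) -> str:
    """Grant only when the session's methods satisfy the resource's required strength."""
    return "grant" if satisfies(REQUIRED_STRENGTH[resource], methods_used) else "deny"


if __name__ == "__main__":
    for resource in REQUIRED_STRENGTH:
        for session in (["password", "sms"], ["fido2"], ["password"]):
            print(resource, session, access_decision(resource, session))
```

Subset matching is deliberate: a session that used password + SMS and then a FIDO2 key still satisfies the phishing-resistant strength, because the FIDO2 combination is covered; a session that used only a password satisfies nothing, since no single-factor combination is listed.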

 

Conditional Access Granular control for external user types General Availability

Service category: Conditional Access
Product capability: Identity Security & Protection

When configuring a Conditional Access policy, organizations now have granular control over the types of external users they want to apply the policy to. External users are categorized based on how they authenticate (internally or externally) and their relationship to the organization (guest or member).

 

Authenticator Lite (In Outlook) General Availability

Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator Lite (in Outlook) is an authentication solution for users who haven't yet downloaded the Microsoft Authenticator app. Users are prompted in Outlook on their mobile device to register for multi-factor authentication. After they enter their password at sign-in, they have the option to send a push notification to their Android or iOS device.

Because of the security enhancement this feature provides, Microsoft changes the Microsoft-managed value of this feature from ‘disabled’ to ‘enabled’ on June 9. Microsoft has made changes to the feature configuration, so admins who made an update before general availability on May 17 should validate that the feature is in the correct state for their tenant before June 9. Admins who don't want the feature enabled on June 9 should set its state to ‘disabled’, or scope it with include and exclude groups.

 

Admins can restrict their users from creating tenants General Availability

Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings pane allows admins to restrict their users from being able to create new tenants.

 

Admins can now restrict users from self-service accessing their BitLocker keys General Availability

Service category: Device Access Management
Product capability: User Management

Admins can now restrict their users from self-service accessing their BitLocker keys through the Devices Settings page. Turning on this capability hides the BitLocker key(s) of all non-admin users. This helps to control BitLocker access management at the admin level.

 

Devices Self-Help Capability for Pending Devices General Availability

Service category: Device Access Management
Product capability: End User Experiences

In the All Devices view under the Registered column, people can now select any pending devices they have, and it opens a context pane to help troubleshoot why a device may be pending.

 

SAML/Ws-Fed based identity provider authentication for External IDs in US Sec and US Nat clouds General Availability

Service category: Business 2 Business collaboration
Product capability: External ID

SAML/Ws-Fed based identity providers for authentication in Azure AD B2B are generally available in:

  • US Sec cloud
  • US Nat cloud
  • China cloud

 

Verified threat actor IP sign-in detection General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection has added a new detection, using the Microsoft Threat Intelligence database, that detects sign-ins performed from IP addresses of known nation-state and cyber-crime actors and allows organizations to block these sign-ins by using risk-based Conditional Access policies.
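To show the shape of such a detection and how a risk-based policy consumes it, here is an added example; it is not part of the original post and is not Identity Protection's code. The threat-intelligence feed is stood in for by RFC 5737 documentation ranges (not real actor infrastructure), the sign-in records are constructed, and their field names follow the Azure AD sign-in log (userPrincipalName, ipAddress, createdDateTime); the detection label and the "block on high risk" rule are my own.

```python
"""Added example (not Identity Protection's code): match sign-in source IPs
against a threat-actor network list and feed the result to a risk-based
policy decision.

Assumptions: the networks below are RFC 5737 documentation ranges standing in
for a threat-intelligence feed; the log records are constructed."""
import ipaddress
import json
from typing import Dict, List, Optional

# Constructed threat-intel feed: network -> actor category.
THREAT_ACTOR_NETWORKS = {
    ipaddress.ip_network("203.0.113.0/24"): "nation-state (sample)",
    ipaddress.ip_network("198.51.100.42/32"): "cyber-crime (sample)",
}

# Constructed sign-in log, one JSON record per line.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2023-05-14T08:01:12Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "192.0.2.10"}
{"createdDateTime": "2023-05-14T08:03:40Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.77"}
{"createdDateTime": "2023-05-14T08:05:02Z", "userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.42"}
{"createdDateTime": "2023-05-14T08:06:55Z", "userPrincipalName": "dave@contoso.example", "ipAddress": "not-an-ip"}
""".strip()


def threat_actor_match(ip_text: str) -> Optional[str]:
    """Actor category if the address falls inside a listed network, else None."""
    try:
        address = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed address: cannot be matched, do not crash the pipeline
    for network, actor in THREAT_ACTOR_NETWORKS.items():
        if address in network:
            return actor
    return None


def risk_based_policy(risk_level: str) -> str:
    """Risk-based Conditional Access sketch: block high-risk sign-ins, allow the rest."""
    return "block" if risk_level == "high" else "allow"


def detect(log_text: str) -> List[Dict[str, str]]:
    """Annotate each record with risk level, detection label and policy action."""
    findings = []
    for line in log_text.splitlines():
        record = json.loads(line)
        actor = threat_actor_match(record["ipAddress"])
        risk = "high" if actor else "none"
        findings.append({
            "user": record["userPrincipalName"],
            "ipAddress": record["ipAddress"],
            "riskLevel": risk,
            "detection": f"verifiedThreatActorIp: {actor}" if actor else "",
            "action": risk_based_policy(risk),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_SIGNIN_LOG):
        print(finding)
```

The malformed-address record is kept on purpose: a detection that raises on one bad field drops every record after it, so the matcher returns "no match" and lets the sign-in through to the ordinary controls instead.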

 

PowerShell and Web Services connector support through the Azure AD provisioning agent General Availability

Service category: Provisioning
Product capability: Outbound to On-premises Applications

The Azure AD on-premises application provisioning feature now supports both the PowerShell and web services connectors. Admins can now provision user objects into a flat file using the PowerShell connector or an app such as SAP ECC using the web services connector.

 

Managed Identity in Microsoft Authentication Library for .NET General Availability

Service category: Authentications (Logins)
Product capability: User Authentication

The latest version of MSAL.NET graduates the Managed Identity APIs into the General Availability mode of support, which means that developers can integrate them safely in production workloads.

Managed identities are a part of the Azure infrastructure, simplifying how developers handle credentials and secrets to access cloud resources. With Managed Identities, developers don't need to manually handle credential retrieval and security. Instead, they can rely on an automatically managed set of identities to connect to resources that support Azure Active Directory authentication.

 

Microsoft Entra Permissions Management Azure Active Directory Insights General Availability

Service category: Other
Product capability: Permissions Management

The Azure Active Directory Insights tab in Microsoft Entra Permissions Management provides a view of all permanent role assignments assigned to Global Administrators, and a curated list of highly privileged roles. Administrators can then use the report to take further action within the Azure Active Directory console.

 

Custom Extensions in Entitlement Management Public Preview

Service category: Entitlement management
Product capability: Identity Governance

Last year Microsoft announced the public preview of custom extensions in Entitlement Management allowing admins to automate complex processes when access is requested or about to expire. Microsoft has recently expanded the public preview to allow for the access package assignment request to be paused while an external process is running. In addition, the external process can now provide feedback to Entitlement Management to either surface additional information to end users in MyAccess or even stop the access request. This expands the scenarios of custom extension from notifications to additional stakeholders or the generation of tickets to advanced scenarios such as external governance, risk and compliance checks. In the course of this update, Microsoft has also improved the audit logs, token security and the payload sent to the Logic App.

 

In-portal guide to configure multi-factor authentication Public Preview

Service category: MFA
Product capability: Identity Security & Protection

The in-portal guide to configure multi-factor authentication helps admins get started with Azure Active Directory's MFA capabilities. Admins can find it under the Tutorials tab in the Azure AD Overview.

 

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

 

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2023 Microsoft added the following new applications in the Azure AD App gallery with Federation support:

  1. INEXTRACK
  2. Valotalive Digital Signage Microsoft 365 integration
  3. Tailscale
  4. MANTL
  5. ServusConnect
  6. Jigx MS Graph Demonstrator
  7. Delivery Solutions
  8. Radiant IOT Portal
  9. Cosgrid Networks
  10. voya SSO
  11. Redocly
  12. Glaass Pro
  13. TalentLyftOIDC
  14. Cisco Expressway
  15. IBM TRIRIGA on Cloud
  16. Avionte Bold SAML Federated SSO
  17. InspectNTrack
  18. CAREERSHIP
  19. Cisco Unity Connection
  20. HSC-Buddy
  21. teamecho
  22. Uni-tel A/S
  23. AskFora
  24. Enterprise Bot
  25. CMD+CTRL Base Camp
  26. Debitia Collections
  27. EnergyManager
  28. Visual Workforce
  29. Uplifter
  30. AI2
  31. TES Cloud
  32. VEDA Cloud
  33. SOC SST
  34. Alchemer
  35. Cleanmail Swiss
  36. WOX
  37. WATS
  38. Data Quality Assistant
  39. Softdrive
  40. Fluence Portal
  41. Humbol
  42. Document360
  43. Engage by Local Measure
  44. Gate Property Management Software
  45. Locus
  46. Banyan Infrastructure
  47. Proactis Rego Invoice Capture
  48. SecureTransport
  49. Recnice

 

What's Changed

My Security-info now shows Microsoft Authenticator type General Availability

Service category: MFA
Product capability: Identity Security & Protection

Microsoft has improved My Sign-ins and My Security-Info to show more clearly which type of Microsoft Authenticator or other authenticator app a user has registered. Microsoft Authenticator registrations now indicate whether the app is registered for push-based MFA or for passwordless phone sign-in (PSI), and other authenticator apps (software OATH) are shown as registered as a time-based one-time password method.

 

New My Groups Experience Public Preview

Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at myaccount.microsoft.com/groups. This experience replaces the existing My Groups experience at mygroups.microsoft.com in May.


What's New in Microsoft Defender for Identity in May 2023

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

 

What's New

Enhanced Active Directory account control highlights

The Microsoft 365 Defender Identity > user details page now includes new Active Directory account control data.

On the user details Overview tab, Microsoft has added a new Active Directory account controls card that highlights important security settings and Active Directory account controls. For example, use this card to learn whether a specific user can bypass password requirements or has a password that never expires.
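The settings this card highlights are bits of the userAccountControl attribute on the user object. As an added example that is not part of the original post or of Defender for Identity, the block below decodes that bitmask and picks out the flags a defender cares about, over constructed sample values. The flag values are the documented userAccountControl bits; the list of which flags count as highlights, and the reasons, are my choice.

```python
"""Added example (not Defender for Identity's code): decode userAccountControl
and surface the security-relevant flags. Sample values are constructed; in a
real domain they come from each user's userAccountControl attribute."""
from typing import Dict, List

UAC_FLAGS: Dict[int, str] = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Flags worth calling out on a user, with the reason a defender cares (my selection).
SECURITY_HIGHLIGHTS: Dict[str, str] = {
    "PASSWD_NOTREQD": "can bypass password requirements (empty password allowed)",
    "DONT_EXPIRE_PASSWORD": "password never expires",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required (AS-REP roastable)",
    "USE_DES_KEY_ONLY": "limited to DES Kerberos keys",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored with reversible encryption",
    "ACCOUNTDISABLE": "account disabled",
}


def decode_uac(value: int) -> List[str]:
    """Names of every flag set in the bitmask, in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def account_control_highlights(value: int) -> Dict[str, str]:
    """Flag name -> reason, for only the security-relevant flags set on this value."""
    return {name: SECURITY_HIGHLIGHTS[name]
            for name in decode_uac(value) if name in SECURITY_HIGHLIGHTS}


# Constructed sample: sAMAccountName -> userAccountControl.
SAMPLE_USERS: Dict[str, int] = {
    "alice": 512,            # NORMAL_ACCOUNT
    "svc-backup": 66048,     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "kiosk": 544,            # NORMAL_ACCOUNT | PASSWD_NOTREQD
    "legacy-app": 4260352,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
}


def accounts_needing_review(users: Dict[str, int]) -> Dict[str, Dict[str, str]]:
    """Users with at least one highlighted flag, and the flags that triggered."""
    flagged = {}
    for name, uac in users.items():
        highlights = account_control_highlights(uac)
        if highlights:
            flagged[name] = highlights
    return flagged


if __name__ == "__main__":
    for name, highlights in accounts_needing_review(SAMPLE_USERS).items():
        print(name, highlights)
```

On a domain-joined machine the same values are obtained with Get-ADUser -Properties userAccountControl; feeding those integers into accounts_needing_review gives a quick, offline cross-check of what the card reports.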

 

Defender for Identity release 2.204

On May 29, 2023, Microsoft released Defender for Identity release 2.204. It features a new health alert for VPN (RADIUS) integration data ingestion failures.

This version also includes improvements and bug fixes for internal sensor infrastructure.

 

Defender for Identity release 2.203

On May 15, 2023, Microsoft released Defender for Identity release 2.203. It features the following new functionality:

  • New health alert for verifying that ADFS Container Auditing is configured correctly.
  • The Microsoft 365 Defender Identity page includes UI updates for the lateral movement path experience. No functionality was changed.

This version also includes improvements and bug fixes for internal sensor infrastructure.

 

Identity timeline enhancements

The identity Timeline tab now offers new and enhanced features. With the updated timeline, admins can filter by:

  • Activity type
  • Protocol
  • Location

These filters are in addition to the original filters. Admins can also export the timeline to a CSV file and find additional information about activities associated with MITRE ATT&CK techniques.

 

Alert tuning in Microsoft 365 Defender

Alert tuning, now available in Microsoft 365 Defender, allows admins to adjust alerts and optimize them. Alert tuning reduces false positives, allows the SOC teams to focus on high-priority alerts, and improves threat detection coverage across the system.

In Microsoft 365 Defender, create rule conditions based on evidence types, and then apply the rule on any rule type that matches the conditions.


On-premises Identity-related updates and fixes for May 2023

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for May 2023:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5026363 May 9, 2023

The May 9, 2023, update for Windows Server 2016 (KB5026363), updating the OS build number to 14393.5921, is a monthly cumulative update and includes an Identity-related improvement: It addresses an issue that affects the Key Distribution Center (KDC) service. When the service stops on a local machine, all local Kerberos sign-ins fail. The error is:

STATUS_NETLOGON_NOT_STARTED

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5026362 May 9, 2023

The May 9, 2023, update for Windows Server 2019 (KB5026362), updating the OS build number to 17763.4377, is a monthly cumulative update and includes six Identity-related improvements:

  • It addresses an issue that affects the Key Distribution Center (KDC) service. When the service stops on a local machine, all local Kerberos sign-ins fail. The error is:

STATUS_NETLOGON_NOT_STARTED

  • It addresses an issue that affects accounts that run the Set-AdfsCertificate PowerShell cmdlet. It fails. This occurs when an account does not have read permissions for the related Distributed Key Manager (DKM) container.
  • It addresses an Active Directory Federation Services (AD FS) issue. You might need to retry authentication multiple times to sign in successfully.
  • It addresses an issue that might affect the Windows Local Administrator Password Solution (LAPS). It might fail. This occurs on versions of Windows Server 2019 that run Server Core. The error code is:

0x8007007f

  • It addresses a race condition in Windows LAPS. The Local Security Authority Subsystem Service (LSASS) might stop responding. This occurs when the system processes multiple local account operations at the same time. The access violation error code is:

0xc0000005

  • It addresses an issue that affects the legacy Local Administrator Password Solution (LAPS) and the new Windows LAPS feature. They fail to manage the configured local account password. This occurs when you install the legacy LAPS .msi file after you have installed the April 11, 2023, Windows update on machines that have a legacy LAPS policy.

 

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5026370 May 9, 2023

The May 9, 2023, update for Windows Server 2022 (KB5026370), updating the OS build number to 20348.1726, is a monthly cumulative update and includes five Identity-related improvements:

  • It addresses an issue that sends unexpected password expiration notices to users. This occurs when you set up an account to use Smart Card is Required for Interactive Logon and set Enable rolling of expiring NTLM secrets.
  • It addresses an Active Directory Federation Services (AD FS) issue. You might need to retry authentication multiple times to sign in successfully.
  • It addresses an issue that affects accounts that run the Set-AdfsCertificate PowerShell cmdlet. It fails. This occurs when an account does not have read permissions for the related Distributed Key Manager (DKM) container.
  • It addresses a race condition in Windows LAPS. The Local Security Authority Subsystem Service (LSASS) might stop responding. This occurs when the system processes multiple local account operations at the same time. The access violation error code is:

0xc0000005

  • It addresses an issue that affects the legacy Local Administrator Password Solution (LAPS) and the new Windows LAPS feature. They fail to manage the configured local account password. This occurs when you install the legacy LAPS .msi file after you have installed the April 11, 2023, Windows update on machines that have a legacy LAPS policy.