Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for February 2021:
What’s Planned
Email one-time passcode authentication on by default
Service category: B2B
Product capability: B2B/B2C
Starting October 31, 2021, Azure AD email one-time passcode authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. At this time, Microsoft will no longer allow the redemption of invitations using unmanaged Azure Active Directory accounts.
Unrequested but consented permissions will no longer be added to tokens if they would trigger Conditional Access
Service category: Authentications (Logins)
Product capability: Platform
Currently, applications using dynamic permissions are given all of the permissions they have been consented to. This includes permissions the app never requested, even when those permissions trigger Conditional Access. For example, an app that requests only user.read but also holds consent for files.read is forced to satisfy the Conditional Access policy assigned to the files.read permission.
To reduce the number of unnecessary Conditional Access prompts, Azure AD is changing the way that unrequested scopes are provided to applications. Apps will only trigger conditional access for permission they explicitly request.
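One way to check what your own apps actually receive is to decode the scp claim of an issued access token and compare it with the scopes the client requested. The following is an added example, not code from the release notes or from Microsoft: it parses the JWT payload only (no signature verification, so it is an audit aid rather than an authorization check), and the token it inspects is constructed inline. Under the old behaviour described above the token carries the consented-but-unrequested files.read scope; after the change only the requested scope should appear, so a non-empty result is worth looking into.

```python
"""Report scopes in an Azure AD access token that the client did not request.

Added example (not from the original page). Decodes the JWT payload only;
it does NOT verify the signature. SAMPLE_TOKEN is a constructed, unsigned
token used so the check runs offline.
"""
import base64
import json
from typing import Set


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_scopes(access_token: str) -> Set[str]:
    """Return the delegated scopes from the token's space-separated scp claim."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("scp", "").split())


def unrequested_scopes(access_token: str, requested: Set[str]) -> Set[str]:
    """Scopes present in the token that the client never asked for.

    Pre-change: every consented scope was added, so this is often non-empty.
    Post-change: only requested scopes should be present, so a non-empty
    result for a tenant that has received the change deserves a look.
    """
    return token_scopes(access_token) - set(requested)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed sample: the app requested only User.Read, but the token also
# carries Files.Read, which is what the pre-change behaviour produced.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph audience
    "scp": "User.Read Files.Read",
})

if __name__ == "__main__":
    print(sorted(unrequested_scopes(SAMPLE_TOKEN, {"User.Read"})))  # ['Files.Read']
```

In practice you would feed a real token obtained by the application into unrequested_scopes together with the scopes your code passed to the token request; the unsigned sample token exists only so the check can be exercised without a tenant.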
What’s New
Authentication Policy Administrator built-in role General availability
Service category: Role-based Access Control (RBAC)
Product capability: Access Control
People with this privileged Azure AD role can configure the authentication methods policy, tenant-wide MFA settings, and password protection policy. This role grants permission to manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list.
Domain Name Administrator built-in role General availability
Service category: Role-based Access Control (RBAC)
Product capability: Access Control
People with this privileged Azure AD role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects have domain dependencies.
For on-premises environments, people with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Federation settings need to be synchronized via Azure AD Connect, so people with this role also have permissions to manage Azure AD Connect.
User collections on My Apps General availability
Service category: My Apps
Product capability: End User Experiences
People can now create their own groupings of apps on the My Apps app launcher. They can also reorder and hide collections shared with them by their administrator.
Autofill in Authenticator General availability
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection
Microsoft Authenticator provides multi-factor authentication (MFA) and account management capabilities, and now also will autofill passwords on sites and apps people visit on their mobile devices running iOS or Android.
To use autofill on Authenticator, people need to add their personal Microsoft account to Authenticator and use it to synchronize their passwords. Work or school accounts cannot be used to synchronize passwords at this time.
Invite internal users to B2B collaboration General availability
Service category: B2B
Product capability: B2B/B2C
Organizations can now invite internal users to use B2B collaboration instead of sending an invitation that creates a separate account. This allows organizations to keep that user's object ID, userPrincipalName, group memberships, and app assignments.
Use a Temporary Access Pass to register Passwordless credentials Public Preview
Service category: Multi-factor authentication (MFA)
Product capability: Identity Security & Protection
Temporary Access Pass is a time-limited passcode that serves as a strong credential. It allows onboarding of passwordless credentials and recovery when a person has lost or forgotten their strong authentication factor (for example, a FIDO2 security key or the Microsoft Authenticator app) and needs to sign in to register new strong authentication methods.
Keep me signed in (KMSI) in next generation of user flows Public Preview
Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C
The next generation of B2C user flows now supports the keep me signed in (KMSI) functionality, which allows customers to extend the session lifetime for users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the person closes and reopens the browser; the session is revoked when the person signs out.
External Identities Self-Service Sign-up in AAD using Microsoft accounts Public Preview
Service category: B2B
Product capability: B2B/B2C
External people will now be able to use Microsoft Accounts (MSAs) to sign in to Azure AD first party and line of business (LOB) apps.
Reset redemption status for a guest user Public Preview
Service category: B2B
Product capability: B2B/B2C
Organizations can now reinvite existing external guests to reset their redemption status, so the guest's existing user account is kept and the guest does not lose any access.
/synchronization (provisioning) APIs now support application permissions Public Preview
Service category: App Provisioning
Product capability: Identity Lifecycle Management
Customers can now use Application.ReadWrite.OwnedBy as an application permission to call the synchronization APIs. This is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Databricks, etc.). It is currently not supported for HR-provisioning (Workday / SuccessFactors) or Azure AD Connect Cloud Sync.
New Federated Apps available in Azure AD Application gallery
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In February 2021, Microsoft added the following new applications to the Azure AD App gallery with Federation support:
- Loop Messenger Extension
- Silverfort Azure AD Adapter
- Interplay Learning
- Nura Space
- Yooz EU
- UXPressia
- introDus Pre- and Onboarding Platform
- Happybot
- LeaksID
- ShiftWizard
- PingFlow SSO
- Swiftlane
- Quasydoc SSO
- Fenwick Gold Account
- SeamlessDesk
- Learnsoft LMS & TMS
- P-TH+
- myViewBoard
- Tartabit IoT Bridge
- AKASHI
- Rewatch
- Zuddl
- Parkalot – Car park management
- HSB ThoughtSpot
- IBMid
- SharingCloud
- PoolParty Semantic Suite
- GlobeSmart
- Samsung Knox and Business Services
- Penji
- Kendis- Scaling Agile Platform
- Maptician
- Olfeo SAAS
- Sigma Computing
- CloudKnox Permissions Management Platform
- Klaxoon SAML
- Enablon
New provisioning connectors in the Azure AD Application Gallery
Service category: App Provisioning
Product capability: 3rd Party Integration
Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:
What’s Changed
10 Azure Active Directory roles now renamed
Ten Azure AD built-in roles have been renamed so that they're aligned across the Microsoft 365 admin center, Azure AD portal, and Microsoft Graph.
New Company Branding in MFA/SSPR Combined Registration
Service category: User Experience and Management
Product capability: End User Experiences
In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now shown at the top left of MFA/SSPR Combined Registration. Company branding is also included on My Sign-Ins and the Security Info page.
Second level manager can be set as alternate approver
Service category: User Access Management
Product capability: Entitlement Management
An extra option is now available when admins select approvers in Entitlement Management. If admins select Manager as approver for the First Approver field, another option, Second level manager as alternate approver, becomes available in the alternate approver field. If admins select this option, they need to add a fallback approver to whom the request is forwarded in case the system can't find the second level manager.
Authentication Methods Activity Dashboard
Service category: Reporting
Product capability: Monitoring & Reporting
The refreshed Authentication Methods Activity dashboard gives admins an overview of authentication method registration and usage activity in their tenant(s). The report summarizes the number of users registered for each method, and also which methods are used during sign-in and password reset.
What’s Deprecated
Refresh and session token lifetimes configurability in Configurable Token Lifetime (CTL) are retired
Service category: Other
Product capability: User Authentication
Refresh and session token lifetimes configurability in CTL are retired. Azure AD no longer honors refresh and session token configuration in existing policies.
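Because existing policies are not removed, only ignored, it is worth auditing which tokenLifetimePolicy objects in a tenant still carry the retired settings so that nobody relies on them. The following is an added example, not Microsoft's code: it audits the definition strings of tokenLifetimePolicy objects in the shape Microsoft Graph returns them (each definition entry is a JSON string wrapping a TokenLifetimePolicy object) and flags the documented refresh- and session-token properties that this change retires, leaving AccessTokenLifetime, which remains configurable, alone. The policy objects in the block are constructed samples, and the ids are placeholders.

```python
"""Flag Configurable Token Lifetime (CTL) settings that Azure AD no longer honours.

Added example (not from the original page or from Microsoft). It inspects
tokenLifetimePolicy objects as returned by Microsoft Graph; the objects below
are constructed samples with placeholder ids.
"""
import json
from typing import Dict, List

# Refresh- and session-token properties retired by the change described above.
# AccessTokenLifetime is the property that remains configurable.
RETIRED_PROPERTIES = {
    "MaxInactiveTime",             # refresh token inactivity window
    "MaxAgeSingleFactor",          # refresh token, single-factor sign-in
    "MaxAgeMultiFactor",           # refresh token, multi-factor sign-in
    "MaxAgeSessionSingleFactor",   # session token, single-factor sign-in
    "MaxAgeSessionMultiFactor",    # session token, multi-factor sign-in
}


def retired_settings(policy: dict) -> Dict[str, str]:
    """Return {property: value} for retired settings found in one policy.

    Each 'definition' entry is a JSON string such as
    '{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"90.00:00:00"}}'.
    """
    found: Dict[str, str] = {}
    for raw in policy.get("definition", []):
        body = json.loads(raw).get("TokenLifetimePolicy", {})
        for name, value in body.items():
            if name in RETIRED_PROPERTIES:
                found[name] = value
    return found


def audit(policies: List[dict]) -> Dict[str, Dict[str, str]]:
    """Map policy displayName -> retired settings, for policies that still have any."""
    report: Dict[str, Dict[str, str]] = {}
    for policy in policies:
        hits = retired_settings(policy)
        if hits:
            report[policy.get("displayName", policy.get("id", "<unnamed>"))] = hits
    return report


# Constructed samples in the tokenLifetimePolicy shape (placeholder ids).
SAMPLE_POLICIES = [
    {
        "id": "placeholder-policy-1",
        "displayName": "Legacy long sessions",
        "definition": [
            '{"TokenLifetimePolicy":{"Version":1,'
            '"MaxAgeSessionSingleFactor":"until-disabled",'
            '"MaxInactiveTime":"90.00:00:00"}}'
        ],
    },
    {
        "id": "placeholder-policy-2",
        "displayName": "Short access tokens",
        "definition": [
            '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:15:00"}}'
        ],
    },
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_POLICIES).items():
        print(f"{name}: no longer honoured -> {hits}")
```

To run this against a real tenant, replace SAMPLE_POLICIES with the value array returned by listing the tenant's tokenLifetimePolicies through Microsoft Graph; policies that only set AccessTokenLifetime, like the second sample, are not reported.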