What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL into your RSS feed reader: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Azure Active Directory.

November 2022

General Availability - Use Web Sign-in on Windows for password-less recovery with Temporary Access Pass

Type: Changed feature
Service category: N/A
Product capability: User Authentication

For users who don't know or use a password, the Temporary Access Pass can now be used to recover Azure AD-joined PCs when the EnableWebSignIn policy is enabled on the device. For more information, see: Authentication/EnableWebSignIn.


Public Preview - Workload Identity Federation for Managed Identities

Type: New feature
Service category: Managed identities for Azure resources
Product capability: Developer Experience

Developers can now use managed identities for their software workloads running anywhere, and for accessing Azure resources, without needing secrets. Key scenarios include:

  • Accessing Azure resources from Kubernetes pods running on-premises or in any cloud.
  • GitHub workflows to deploy to Azure, no secrets necessary.
  • Accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud.

For more information, see:


General Availability - Authenticator on iOS is FIPS 140 compliant

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator version 6.6.8 and higher on iOS will be FIPS 140 compliant for all Azure AD authentications using push multi-factor authentications (MFA), Password-less Phone Sign-In (PSI), and time-based one-time pass-codes (TOTP). No changes in configuration are required in the Authenticator app or Azure portal to enable this capability. For more information, see: FIPS 140 compliant for Azure AD authentication.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2022, we've added the following 22 new applications in our App gallery with Federation support:

Adstream, Databook, Ecospend IAM, Digital Pigeon, Drawboard Projects, Vellum, Veracity, Microsoft OneNote to Bloomberg Note Sync, DX NetOps Portal, itslearning Outlook integration, Tranxfer, Occupop, Nialli Workspace, Tideways, SOWELL, Prewise Learning, CAPTOR for Intune, wayCloud Platform, Nura Space Meeting Room, Flexopus Exchange Integration, Ren Systems, Nudge Security

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public Preview - Dynamic Group pause functionality

Type: New feature
Service category: Group Management
Product capability: Directory

Admins can now pause, and resume, the processing of individual dynamic groups in the Entra Admin Center. For more information, see: Create or update a dynamic group in Azure Active Directory.


Public Preview - Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities.

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Update the Azure AD and Microsoft 365 sign-in experience with new company branding capabilities. You can apply your company’s brand guidance to authentication experiences with pre-defined templates. For more information, see: Configure your company branding.


Type: New feature
Service category: Directory Management
Product capability: Directory

Update the company branding functionality on the Azure AD/Microsoft 365 sign-in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and the browser icon. For more information, see: Configure your company branding.


General Availability - Soft Delete for Administrative Units

Type: New feature
Service category: Directory Management
Product capability: Directory

Administrative Units now support soft deletion. Admins can now list, view properties of, or restore deleted Administrative Units using the Microsoft Graph. This functionality restores all configuration for the Administrative Unit when restored from soft delete, including memberships, admin roles, processing rules, and processing rules state.

This functionality greatly enhances recoverability and resilience when using Administrative Units. Now, when an Administrative Unit is accidentally deleted, it can be restored quickly to the same state it was in at the time of deletion, removing uncertainty around how things were configured and making restoration quick and easy. For more information, see: List deletedItems (directory objects).


Public Preview - IPv6 coming to Azure AD

Type: Plan for change
Service category: Identity Protection
Product capability: Platform

With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and networks. Today, we’re excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD). This will allow customers to reach the Azure AD services over both IPv4 and IPv6 network protocols (dual stack). For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to de-prioritize IPv4 in any Azure Active Directory features or services. We'll begin introducing IPv6 support into Azure AD services in a phased approach, beginning March 31, 2023. The guidance below is specifically for Azure AD customers who use IPv6 addresses and also use Named Locations in their Conditional Access policies.

Customers who use named locations to identify specific network boundaries in their organization need to:

  1. Conduct an audit of existing named locations to anticipate potential impact.
  2. Work with your network partner to identify egress IPv6 addresses in use in your environment.
  3. Review and update existing named locations to include the identified IPv6 ranges.

Customers who use Conditional Access location based policies to restrict and secure access to their apps from specific networks need to:

  1. Conduct an audit of existing Conditional Access policies to identify use of named locations as a condition to anticipate potential impact.
  2. Review and update existing Conditional Access location based policies to ensure they continue to meet your organization’s security requirements.

We'll continue to share additional guidance on IPv6 enablement in Azure AD at this easy to remember link https://aka.ms/azureadipv6.
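The audit steps above can be scripted against the named-location data an admin exports from Microsoft Graph. The following is an added example (not Microsoft's code) that assumes named locations in the shape of the Graph ipNamedLocation resource (ipRanges entries with a cidrAddress) and a constructed list of egress addresses; all addresses and location names are invented documentation values.

```python
import ipaddress
import json

# Constructed sample of Conditional Access named locations, modelled on the
# Microsoft Graph ipNamedLocation resource. Names and ranges are invented.
NAMED_LOCATIONS_JSON = """
[
  {"displayName": "HQ egress", "isTrusted": true,
   "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]},
  {"displayName": "Branch egress", "isTrusted": true,
   "ipRanges": [{"cidrAddress": "198.51.100.0/25"},
                {"cidrAddress": "2001:db8:1::/48"}]}
]
"""

# Constructed egress addresses as a network team might report them (step 2).
EGRESS_ADDRESSES = [
    "203.0.113.7",       # IPv4, covered by "HQ egress"
    "2001:db8:1::10",    # IPv6, covered by "Branch egress"
    "2001:db8:2::10",    # IPv6, covered by no named location
]


def load_named_locations(raw_json):
    """Parse named locations into (displayName, [ip_network, ...]) pairs."""
    result = []
    for loc in json.loads(raw_json):
        nets = [ipaddress.ip_network(r["cidrAddress"], strict=False)
                for r in loc.get("ipRanges", [])]
        result.append((loc["displayName"], nets))
    return result


def audit_ipv6_readiness(raw_json):
    """Step 1: names of named locations that contain no IPv6 range at all.

    Such locations will not match users whose traffic egresses over IPv6
    once dual-stack reachability is enabled, so they deserve review.
    """
    return [name for name, nets in load_named_locations(raw_json)
            if not any(n.version == 6 for n in nets)]


def uncovered_addresses(raw_json, addresses):
    """Steps 2 and 3: egress addresses that no named location currently matches."""
    locations = load_named_locations(raw_json)
    uncovered = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for _, nets in locations for net in nets):
            uncovered.append(addr)
    return uncovered


def suggest_ipv6_ranges(addresses, prefixlen=64):
    """Collapse uncovered IPv6 addresses into CIDR ranges to add to a named location.

    A /64 per address is a conservative default; the actual prefix should come
    from the network partner identified in step 2.
    """
    nets = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6:
            nets.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    print("Locations without IPv6:", audit_ipv6_readiness(NAMED_LOCATIONS_JSON))
    missing = uncovered_addresses(NAMED_LOCATIONS_JSON, EGRESS_ADDRESSES)
    print("Uncovered egress addresses:", missing)
    print("Suggested ranges to add:", suggest_ipv6_ranges(missing))
```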


October 2022

General Availability - Upgrade Azure AD Provisioning agent to the latest version (version number: 1.1.977.0)

Type: Plan for change
Service category: Provisioning
Product capability: AAD Connect Cloud Sync

Microsoft will stop support for the Azure AD provisioning agent with versions 1.1.818.0 and below starting Feb 1, 2023. If you're using Azure AD cloud sync, please make sure you have the latest version of the agent. You can find information about the agent release history here. You can download the latest version here.

You can find out which version of the agent you're using as follows:

  1. Go to the domain server on which the agent is installed.
  2. Right-click the Microsoft Azure AD Connect Provisioning Agent app.
  3. Select the “Details” tab, where the version number is shown.

Note

Azure Active Directory (AD) Connect follows the Modern Lifecycle Policy. Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service. Products governed by the Modern Lifecycle Policy follow a continuous support and servicing model. Customers must take the latest update to remain supported. For products and services governed by the Modern Lifecycle Policy, Microsoft's policy is to provide a minimum of 30 days' notification when customers are required to take action in order to avoid significant degradation to the normal use of the product or service.


General Availability - Add multiple domains to the same SAML/Ws-Fed based identity provider configuration for your external users

Type: New feature
Service category: B2B
Product capability: B2B/B2C

An IT admin can now add multiple domains to a single SAML/WS-Fed identity provider configuration to invite users from multiple domains to authenticate from the same identity provider endpoint. For more information, see: Federation with SAML/WS-Fed identity providers for guest users.


General Availability - Limits on the number of configured API permissions for an application registration will be enforced starting in October 2022

Type: Plan for change
Service category: Other
Product capability: Developer Experience

At the end of October, the total number of required permissions for any single application registration must not exceed 400 permissions across all APIs. Applications exceeding the limit won't be able to increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.

In the Azure portal, the required permissions are listed under API Permissions within specific applications in the application registration menu. When using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. For more information, see: Validation differences by supported account types (signInAudience).
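Both limits can be checked offline against the requiredResourceAccess property once an application entity has been exported. This is an added example, not Microsoft's tooling; the GUIDs in the constructed sample and in make_app are invented placeholders, not real API or permission identifiers.

```python
import json

MAX_PERMISSIONS = 400   # total permissions across all APIs (enforced from October 2022)
MAX_APIS = 50           # distinct APIs (resourceAppId values) per application registration

# Constructed fragment of an application entity as Microsoft Graph returns it.
# All GUIDs are invented placeholders.
APP_JSON = """
{
  "displayName": "example-app",
  "requiredResourceAccess": [
    {"resourceAppId": "00000000-0000-0000-0000-00000000aaaa",
     "resourceAccess": [
        {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},
        {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"}]},
    {"resourceAppId": "00000000-0000-0000-0000-00000000bbbb",
     "resourceAccess": [
        {"id": "22222222-0000-0000-0000-000000000001", "type": "Scope"}]}
  ]
}
"""
SAMPLE_APP = json.loads(APP_JSON)


def count_required_permissions(app):
    """Return (distinct_api_count, total_permission_count) for an application entity.

    Each requiredResourceAccess entry names one API (resourceAppId) and lists
    the delegated ("Scope") and application ("Role") permissions required on it.
    """
    rra = app.get("requiredResourceAccess", [])
    apis = {entry["resourceAppId"] for entry in rra}
    total = sum(len(entry.get("resourceAccess", [])) for entry in rra)
    return len(apis), total


def check_limits(app, max_apis=MAX_APIS, max_permissions=MAX_PERMISSIONS):
    """Return a list of limit violations; an empty list means the app is within limits."""
    apis, total = count_required_permissions(app)
    problems = []
    if apis > max_apis:
        problems.append(f"{apis} distinct APIs required; limit is {max_apis}")
    if total > max_permissions:
        problems.append(f"{total} permissions required across all APIs; limit is {max_permissions}")
    return problems


def make_app(n_apis, perms_per_api):
    """Build a constructed application entity with placeholder GUIDs, used to
    exercise the limits without touching a real tenant."""
    rra = []
    for i in range(n_apis):
        rra.append({
            "resourceAppId": f"00000000-0000-0000-0000-{i:012x}",
            "resourceAccess": [
                {"id": f"{i:08x}-0000-0000-0000-{j:012x}", "type": "Scope"}
                for j in range(perms_per_api)
            ],
        })
    return {"displayName": f"constructed-app-{n_apis}x{perms_per_api}",
            "requiredResourceAccess": rra}


if __name__ == "__main__":
    for app in (SAMPLE_APP, make_app(50, 8), make_app(51, 1), make_app(4, 101)):
        print(app["displayName"], count_required_permissions(app), check_limits(app) or "ok")
```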


Public Preview - Conditional access Authentication strengths

Type: New feature
Service category: Conditional Access
Product capability: User Authentication

Announcing Public preview of Authentication strength, a Conditional Access control that allows administrators to specify which authentication methods can be used to access a resource. For more information, see: Conditional Access authentication strength (preview). You can use custom authentication strengths to restrict access by requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and apply this through conditional access policies. For more information, see: FIDO2 security key advanced options.


Public Preview - Conditional access authentication strengths for external identities

Type: New feature
Service category: B2B
Product capability: B2B/B2C

You can now require your business partner (B2B) guests across all Microsoft clouds to use specific authentication methods to access your resources with Conditional Access Authentication Strength policies. For more information, see: Conditional Access: Require an authentication strength for external users.


General Availability - Windows Hello for Business, Cloud Kerberos Trust deployment

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, we’ve made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: Hybrid Cloud Kerberos Trust Deployment.


General Availability - Device-based conditional access on Linux Desktops

Type: New feature
Service category: Conditional Access
Product capability: SSO

This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

  • Users can register their Linux devices with Azure AD
  • Users can enroll in Mobile Device Management (Intune), which can be used to provide compliance decisions based upon policy definitions to allow device based conditional access on Linux Desktops
  • If compliant, users can use Edge Browser to enable Single-Sign on to M365/Azure resources and satisfy device-based Conditional Access policies.

For more information, see: Azure AD registered devices and Plan your Azure Active Directory device deployment.


General Availability - Deprecation of Azure Multi-Factor Authentication Server

Type: Deprecated
Service category: MFA
Product capability: Identity Security & Protection

Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services, and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure AD Multi-Factor Authentication service using the latest Migration Utility included in the most recent Azure AD Multi-Factor Authentication Server update. For more information, see: Migrate from MFA Server to Azure AD Multi-Factor Authentication.


Type: New feature
Service category: Enterprise Apps
Product capability: Developer Experience

Starting Sept 30th, 2022, Microsoft will require all new tenants to follow a new user consent configuration. While this won't impact any existing tenants that were created before September 30, 2022, all new tenants created after September 30, 2022, will have the default setting of “Enable automatic updates (Recommendation)” under User consent settings. This change reduces the risk of malicious applications attempting to trick users into granting them access to your organization's data. For more information, see: Configure how users consent to applications.


Public Preview - Lifecycle Workflows is now available

Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

We're excited to announce the public preview of Lifecycle Workflows, a new Identity Governance capability that extends the user provisioning process and adds enterprise-grade user lifecycle management capabilities to Azure AD, so you can modernize your identity lifecycle management process. With Lifecycle Workflows, you can:

  • Confidently configure and deploy custom workflows to onboard and offboard cloud employees at scale replacing your manual processes.
  • Automate out-of-the-box actions critical to required Joiner and Leaver scenarios and get rich reporting insights.
  • Extend workflows via Logic Apps integrations with custom tasks extensions for more complex scenarios.

For more information, see: What are Lifecycle Workflows? (Public Preview).


Public Preview - User-to-Group Affiliation recommendation for group Access Reviews

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

This feature provides Machine Learning based recommendations to the reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation detects user affiliation with other users within the group, and applies the scoring mechanism we built by computing the user’s average distance with other users in the group. For more information, see: Review recommendations for Access reviews.


General Availability - Group assignment for SuccessFactors Writeback application

Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

When configuring writeback of attributes from Azure AD to SAP SuccessFactors Employee Central, you can now specify the scope of users using Azure AD group assignment. For more information, see: Tutorial: Configure attribute write-back from Azure AD to SAP SuccessFactors.


General Availability - Number Matching for Microsoft Authenticator notifications

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving an MFA notification in the Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update we have also added the highly requested ability for admins to exclude user groups from each feature.

The number matching feature greatly up-levels the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. We highly encourage our customers to adopt this feature applying the rollout controls we have built. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting 27th of February 2023.

For more information, see: How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy.


General Availability - Additional context in Microsoft Authenticator notifications

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Customers can enhance notifications with the following:

  • Application Context: This feature will show users which application they're signing into.
  • Geographic Location Context: This feature will show users their sign-in location based on the IP address of the device they're signing into.

The feature is available for both MFA and Password-less Phone Sign-in notifications and greatly increases the security posture of the Microsoft Authenticator app. We've also refreshed the Azure portal Admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update, we've also added the highly requested ability for admins to exclude user groups from certain features.

We highly encourage our customers to adopt these critical security features to reduce accidental approvals of Authenticator notifications by end users.

For more information, see: How to use additional context in Microsoft Authenticator notifications - Authentication methods policy.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2022, we've added the following 15 new applications in our App gallery with Federation support:

Unifii, WaitWell Staff App, AuthParency, Oncospark Code Interceptor, Thread Legal Case Management, e2open CM-Global, OpenText XM Fax and XM SendSecure, Contentkalender, Evovia, Parmonic, mailto.wiki, JobDiva Azure SSO, Mapiq, IVM Smarthub, Span.zone – SSO and Read-only, UISolutions, RecruiterPal, Broker groupe Achat Solutions, Philips SpeechLive, Crayon, Cytric, Notate, ControlDocumentario, Intuiflow, Valence Security Platform, Skybreathe® Analytics

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


September 2022

General Availability - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync

Type: New feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Lifecycle Management

Azure AD Connect Cloud Sync Password writeback now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment.


General Availability - Device-based conditional access on Linux Desktops

Type: New feature
Service category: Conditional Access
Product capability: SSO

This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

  • Users can register their Linux devices with Azure AD.
  • Users can enroll in Mobile Device Management (Intune), which can be used to provide compliance decisions based upon policy definitions to allow device based conditional access on Linux Desktops.
  • If compliant, users can use Edge Browser to enable Single-Sign on to M365/Azure resources and satisfy device-based Conditional Access policies.

For more information, see:


General Availability - Azure AD SCIM Validator

Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Independent Software Vendors (ISVs) and developers can self-test their SCIM endpoints for compatibility: we have made it easier for ISVs to validate that their endpoints are compatible with the SCIM-based Azure AD provisioning services. This is now in general availability (GA) status.

For more information, see: Tutorial: Validate a SCIM endpoint


General Availability - prevent accidental deletions

Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in any system could be disastrous. We’re excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold, the Azure AD provisioning service will pause, provide you visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning.

For more information, see: Enable accidental deletions prevention in the Azure AD provisioning service


General Availability - Identity Protection Anonymous and Malicious IP for ADFS on-premises logins

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity protection expands its Anonymous and Malicious IP detections to protect ADFS sign-ins. This will automatically apply to all customers who have AD Connect Health deployed and enabled, and will show up as the existing "Anonymous IP" or "Malicious IP" detections with a token issuer type of "AD Federation Services".

For more information, see: What is risk?


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2022, we've added the following 15 new applications in our App gallery with Federation support:

RocketReach SSO, Arena EU, Zola, FourKites SAML2.0 SSO for Tracking, Syniverse Customer Portal, Rimo, Q Ware CMMS, Mapiq (OIDC), NICE Cxone, dominKnow|ONE, Waynbo for Azure AD, innDex, Profiler Software, Trotto go links, AsignetSSOIntegration.

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest


August 2022

General Availability - Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Customers can now require a fresh authentication each time a user performs a certain action. Forced reauthentication supports requiring a user to reauthenticate during Intune device enrollment, password change for risky users, and risky sign-ins.

For more information, see: Configure authentication session management with Conditional Access


General Availability - Multi-Stage Access Reviews

Type: Changed feature
Service category: Access Reviews
Product capability: Identity Governance

Customers can now meet their complex audit and recertification requirements through multiple stages of reviews. For more information, see: Create a multi-stage access review.


Public Preview - External user leave settings

Type: New feature
Service category: Enterprise Apps
Product capability: B2B/B2C

Currently, users can self-service leave an organization without the visibility of their IT administrators. Some organizations may want more control over this self-service process.

With this feature, IT administrators can now allow or restrict external identities from leaving an organization through the Microsoft-provided self-service controls, via Azure Active Directory in the Microsoft Entra portal. To restrict users from leaving an organization, customers need to include "Global privacy contact" and "Privacy statement URL" under tenant properties.

A new policy API is available for the administrators to control tenant wide policy: externalIdentitiesPolicy resource type

For more information, see:


Public Preview - Restrict self-service BitLocker for devices

Type: New feature
Service category: Device Registration and Management
Product capability: Access Control

In some situations, you may want to restrict the ability of end users to self-service BitLocker keys. With this new functionality, you can now turn off self-service of BitLocker keys, so that only specific individuals with the right privileges can recover a BitLocker key.

For more information, see: Block users from viewing their BitLocker keys (preview)


Public Preview- Identity Protection Alerts in Microsoft 365 Defender

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection risk detections (alerts) are now also available in Microsoft 365 Defender to provide a unified investigation experience for security professionals. For more information, see: Investigate alerts in Microsoft 365 Defender


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2022, we've added the following 40 new applications in our App gallery with Federation support:

Albourne Castle, Adra by Trintech, workhub, 4DX, Ecospend IAM V1, TigerGraph, Sketch, Lattice, snapADDY Single Sign On, RELAYTO Content Experience Platform, oVice, Arena, QReserve, Curator, NetMotion Mobility, HackNotice, ERA_EHS_CORE, AnyClip Teams Connector, Wiz SSO, Tango Reserve by AgilQuest (EU Instance), valid8Me, Ahrtemis, KPMG Leasing Tool Mist Cloud Admin SSO, Work-Happy, Ediwin SaaS EDI, LUSID, Next Gen Math, Total ID, Cheetah For Benelux, Live Center Australia, Shop Floor Insight, Warehouse Insight, myAOS, Hero, FigBytes, VerosoftDesign, ViewpointOne - UK, EyeRate Reviews, Lytx DriveCam

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


General Availability - Workload Identity Federation with App Registrations are available now

Type: New feature
Service category: Other
Product capability: Developer Experience

Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider for Azure AD tokens, without needing secrets. It eliminates the need to store and manage credentials inside code or secret stores in order to access Azure AD protected resources such as Azure and Microsoft Graph. By removing the secrets required to access Azure AD protected resources, workload identity federation can improve the security posture of your organization. This feature also reduces the burden of secret management and minimizes the risk of service downtime due to expired credentials.

For more information on this capability and supported scenarios, see Workload identity federation.
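The trust rule behind the token exchange described here (and in the November 2022 Workload Identity Federation for Managed Identities entry above) is that the external token's iss, sub and aud claims must match the federated identity credential configured on the app registration or managed identity. The following added example (not Microsoft's code) models that check and the client_credentials request that carries the external token as a client_assertion; the GitHub issuer URL and the api://AzureADTokenExchange audience are the conventional values, while the repository, client and tenant identifiers are invented placeholders.

```python
import base64
import json

# Constructed federated identity credential, modelled on the Microsoft Graph
# federatedIdentityCredential resource (issuer / subject / audiences).
# Repository name is invented; issuer and audience are the conventional values.
FEDERATED_CREDENTIAL = {
    "name": "github-main-deploy",
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:contoso/webapp:ref:refs/heads/main",
    "audiences": ["api://AzureADTokenExchange"],
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned JWT (alg "none") so the claim check can be
    exercised offline. A real external token is signed by its issuer."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT without verifying the signature.
    Signature verification against the issuer's published keys is Azure AD's job
    during the real exchange; this helper only inspects the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def matches_credential(claims, credential):
    """Apply the trust rule: iss and sub must equal the configured issuer and
    subject exactly, and aud must contain one of the configured audiences.
    Returns the list of claim names that fail, empty when the token would be accepted."""
    problems = []
    if claims.get("iss") != credential["issuer"]:
        problems.append("iss")
    if claims.get("sub") != credential["subject"]:
        problems.append("sub")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if not set(audiences) & set(credential["audiences"]):
        problems.append("aud")
    return problems


def build_token_request(client_id, external_token, scope):
    """Form body of the client_credentials request in which the external token
    replaces a client secret (RFC 7523 JWT bearer client assertion)."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": external_token,
    }


if __name__ == "__main__":
    # Token from a workflow on the main branch: accepted.
    good = make_unsigned_jwt({"iss": FEDERATED_CREDENTIAL["issuer"],
                              "sub": FEDERATED_CREDENTIAL["subject"],
                              "aud": "api://AzureADTokenExchange"})
    print("main branch:", matches_credential(decode_jwt_claims(good), FEDERATED_CREDENTIAL))
    # Token from a feature branch: subject differs, so Azure AD rejects it.
    bad = make_unsigned_jwt({"iss": FEDERATED_CREDENTIAL["issuer"],
                             "sub": "repo:contoso/webapp:ref:refs/heads/feature",
                             "aud": ["api://AzureADTokenExchange"]})
    print("feature branch:", matches_credential(decode_jwt_claims(bad), FEDERATED_CREDENTIAL))
    print(build_token_request("<placeholder-client-id>", good, "https://graph.microsoft.com/.default"))
```

The subject mismatch shown for a feature branch is the usual reason a federated workflow that works on main fails elsewhere: each distinct subject needs its own federated identity credential.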


Public Preview - Entitlement management automatic assignment policies

Type: Changed feature
Service category: Entitlement Management
Product capability: Identity Governance

In Azure AD entitlement management, a new form of access package assignment policy is being added. The automatic assignment policy includes a filter rule, similar to a dynamic group, that specifies the users in the tenant who should have assignments. When users come into scope of matching that filter rule criteria, an assignment is automatically created, and when they no longer match, the assignment is removed.

For more information, see: Configure an automatic assignment policy for an access package in Azure AD entitlement management (Preview).


July 2022

Public Preview - ADFS to Azure AD: SAML App Multi-Instancing

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Users can now configure multiple instances of the same application within an Azure AD tenant. It's now supported for both IdP, and Service Provider (SP), initiated single sign-on requests. Multiple application accounts can now have a separate service principal to handle instance-specific claims mapping and roles assignment. For more information, see:


Public Preview - ADFS to Azure AD: Apply RegEx Replace to groups claim content

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Until recently, administrators could transform claims using many transformations, but using regular expressions for claims transformation wasn't exposed to customers. With this public preview release, administrators can now configure and use regular expressions for claims transformation through the portal UX. For more information, see: Customize app SAML token claims - Microsoft Entra | Microsoft Docs.


Public Preview - Azure AD Domain Services - Trusts for User Forests

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

You can now create trusts on both user and resource forests. On-premises AD DS users can't authenticate to resources in the Azure AD DS resource forest until you create an outbound trust to your on-premises AD DS. An outbound trust requires network connectivity to the on-premises virtual network on which you have installed Azure AD Domain Services. On a user forest, trusts can be created for on-premises AD forests that aren't synchronized to Azure AD DS.

To learn more about trusts and how to deploy your own, visit How trust relationships work for forests in Active Directory.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2022 we've added the following 28 new applications in our App gallery with Federation support:

Lunni Ticket Service, TESMA, Spring Health, Sorbet, Rainmaker UPS, Planview ID, Karbonalpha, Headspace, SeekOut, Stackby, Infrascale Cloud Backup, Keystone, LMS・教育管理システム Leaf, ZDiscovery, ラインズeライブラリアドバンス (Lines eLibrary Advance), Rootly, Articulate 360, Rise.com, SevOne Network Monitoring System (NMS), PGM, TouchRight Software, Tendium, Training Platform, Znapio, Preset, itslearning MS Teams sync, Veza, Trax

You can also find the documentation for all the applications here: https://aka.ms/AppsTutorial

To list your application in the Azure AD app gallery, see the details here: https://aka.ms/AzureADAppRequest


General Availability - No more waiting, provision groups on demand into your SaaS applications.

Type: New feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

Pick a group of up to five members and provision them into your third-party applications in seconds. Get started testing, troubleshooting, and provisioning to non-Microsoft applications such as ServiceNow, ZScaler, and Adobe. For more information, see: On-demand provisioning in Azure Active Directory.


General Availability – Protect against bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're announcing a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by asserting that multi-factor authentication has already been performed at the identity provider. The protection is enabled through a new federation setting, federatedIdpMfaBehavior.

We highly recommend enabling this protection when Azure AD Multi-Factor Authentication is the MFA method for your federated users. To learn more about the protection and how to enable it, visit Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.
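The following script is an added example, not code from the release notes or from Microsoft. It audits the federatedIdpMfaBehavior setting of every federated domain in the tenant with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement module) and replaces the weak value with the hardened one. It assumes the signed-in administrator holds Domain.ReadWrite.All and that a Conditional Access policy already requires MFA for the federated users; the value names are the documented ones for the setting.

```powershell
# Added example (not from the release notes): audit and harden
# federatedIdpMfaBehavior on all federated domains.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the admin has
# Domain.ReadWrite.All; Conditional Access already requires MFA.

Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome

# Weak: Azure AD skips its own MFA whenever the federated IdP asserts that MFA
# was already done. Anyone who can mint a token at the IdP (compromised AD FS
# signing key, rogue IdP admin) can simply claim "MFA done" and walk past
# Azure AD MFA. This is the legacy SupportsMfa=$true behaviour.
$weak     = 'acceptIfMfaDoneByFederatedIdp'
# Hardened: Azure AD ignores the IdP's MFA claim and always performs its own MFA.
$hardened = 'rejectMfaByFederatedIdp'

$federatedDomains = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }
if (-not $federatedDomains) { Write-Host 'No federated domains in this tenant.'; return }

foreach ($domain in $federatedDomains) {
    $configs = Get-MgDomainFederationConfiguration -DomainId $domain.Id
    if (-not $configs) {
        Write-Warning "$($domain.Id): federated, but no federation configuration returned"
        continue
    }
    foreach ($fc in $configs) {
        $current = $fc.FederatedIdpMfaBehavior
        Write-Host ("{0}: federatedIdpMfaBehavior = {1}" -f $domain.Id, ($current ?? '<not set>'))

        # '<not set>' means the legacy SupportsMfa flag still decides; make the
        # behaviour explicit rather than trusting an inherited default.
        if ([string]::IsNullOrEmpty($current) -or $current -eq $weak) {
            Update-MgDomainFederationConfiguration -DomainId $domain.Id `
                -InternalDomainFederationId $fc.Id `
                -FederatedIdpMfaBehavior $hardened
            Write-Host "  -> set to $hardened"
        }
    }
}
```

With rejectMfaByFederatedIdp, federated users must have Azure AD MFA methods registered (Authenticator, FIDO2, and so on); an MFA policy enforced only at AD FS no longer satisfies Azure AD, and users whose IdP also prompts will see two prompts until that IdP-side rule is removed. The `??` operator requires PowerShell 7; on Windows PowerShell 5.1 replace it with an explicit if/else.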


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


General Availability - Tenant-based service outage notifications

Type: New feature
Service category: Other
Product capability: Platform

Azure Service Health now supports service outage notifications to tenant administrators for Azure Active Directory issues. These outages also appear on the Azure AD admin portal Overview page with links to Azure Service Health. Outage events are visible to holders of the built-in tenant administrator roles. During the transition, we'll continue to send outage notifications to subscriptions within a tenant. More information is available at: What are Service Health notifications in Azure Active Directory?.


Public Preview - Multiple Passwordless Phone sign-in Accounts for iOS devices

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in either the same, or different, tenants. Guest accounts aren't supported for multiple account sign-ins from one device.

End users are encouraged to enable the optional telemetry setting in the Authenticator app if they haven't already. For more information, see: Enable passwordless sign-in with Microsoft Authenticator.


Public Preview - Azure AD Domain Services - Fine Grain Permissions

Type: Changed feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Previously, setting up and administering your Azure AD DS instance required top-level permissions: Azure Contributor and Azure AD Global Administrator. Now, for both initial creation and ongoing administration, you can use more fine-grained permissions for better security and control. The prerequisites now minimally require:

Check out these resources to learn more:


General Availability- Azure AD Connect update release with new functionality and bug fixes

Type: Changed feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

A new Azure AD Connect release fixes several bugs and includes new functionality. This release is also available for auto upgrade for eligible servers. For more information, see: Azure AD Connect: Version release history.


General Availability - Cross-tenant access settings for B2B collaboration

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. You now have granular inbound and outbound access control settings that work per organization, per user, per group, and per application. These settings also make it possible for you to trust security claims from external Azure AD organizations, such as multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. For more information, see: Cross-tenant access with Azure AD External Identities.
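As an added example (not code from the release notes or from Microsoft), the script below configures cross-tenant access settings for one partner tenant with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module): it shows the tenant default, then creates a partner-specific configuration that trusts the partner's MFA and device-compliance claims but admits the partner's users to a single application only. The partner tenant ID and application ID are placeholders, and the administrator is assumed to hold Policy.ReadWrite.CrossTenantAccess.

```powershell
# Added example (not from the release notes): per-partner cross-tenant access
# settings. Assumptions: placeholder IDs below; admin holds
# Policy.ReadWrite.CrossTenantAccess; Microsoft.Graph PowerShell SDK installed.

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess' -NoWelcome

$partnerTenantId = '11111111-1111-1111-1111-111111111111'   # placeholder: partner tenant ID
$allowedAppId    = '22222222-2222-2222-2222-222222222222'   # placeholder: app the partner may reach

# Tenant default. Out of the box no inbound trust claims are accepted, so a
# guest from any tenant must satisfy your Conditional Access MFA and device
# requirements with YOUR tenant's MFA registration and device compliance.
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
'Tenant default inbound trust:'
$default.InboundTrust | Format-List IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureADJoinedDeviceAccepted

# Partner-specific settings. Trusting a claim means the partner's IdP can
# satisfy your Conditional Access policy on your behalf, so do this only for a
# tenant whose MFA and device-compliance posture you have actually reviewed.
$partner = @{
    tenantId     = $partnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false   # keep off unless you know their on-prem AD
    }
    # Inbound B2B collaboration: any partner user, but only into one application.
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = $allowedAppId; targetType = 'application' })
        }
    }
}
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $partner | Out-Null

# Read back what was stored; anything not set here is inherited from the default.
Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId |
    Select-Object TenantId,
        @{ n = 'MfaTrusted';            e = { $_.InboundTrust.IsMfaAccepted } },
        @{ n = 'CompliantDeviceTrusted'; e = { $_.InboundTrust.IsCompliantDeviceAccepted } }
```

Settings not specified in the partner object are inherited from the tenant default, so review the default (especially outbound settings) before relying on a partner entry as a complete policy.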


General Availability- Expression builder with Application Provisioning

Type: Changed feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in your apps or in your on-premises directory could be disastrous. We’re excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you visibility into the potential deletions. You can then accept or reject the deletions and have time to update the job’s scope if necessary. For more information, see Understand how expression builder in Application Provisioning works.


Public Preview - Improved app discovery view for My Apps portal

Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

An improved app discovery view for My Apps is in public preview. The preview shows users more apps in the same space and allows them to scroll between collections. It doesn't currently support drag-and-drop and list view. Users can opt into the preview by selecting Try the preview and opt out by selecting Return to previous view. To learn more about My Apps, see My Apps portal overview.


Public Preview - New Azure AD Portal All Devices list

Type: Changed feature
Service category: Device Registration and Management
Product capability: End User Experiences

We're enhancing the All Devices list in the Azure AD Portal to make it easier to filter and manage your devices. Improvements include:

All Devices List:

  • Infinite scrolling
  • More devices properties can be filtered on
  • Columns can be reordered via drag and drop
  • Select all devices

For more information, see: Manage devices in Azure AD using the Azure portal.


Public Preview - ADFS to Azure AD: Persistent NameID for IDP-initiated Apps

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

Previously, the only way to get a persistent NameID value was to configure the user attribute with an empty value. Admins can now explicitly configure the NameID value to be persistent, along with the corresponding format.

For more information, see: Customize app SAML token claims - Microsoft identity platform | Microsoft Docs.


Public Preview - ADFS to Azure Active Directory: Customize attrname-format

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

With this new parity update, customers can now integrate non-gallery applications such as Socure DevHub with Azure AD for SAML-based SSO.

For more information, see Claims mapping policy - Microsoft Entra | Microsoft Docs.


June 2022

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Public Preview - Roles are being assigned outside of Privileged Identity Management

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Customers can be alerted to role assignments made outside PIM, either directly in the Azure portal or by email. In the current public preview, assignments are tracked at the subscription level. For more information, see Configure security alerts for Azure roles in Privileged Identity Management.


General Availability - Temporary Access Pass is now available

Type: New feature
Service category: MFA
Product capability: User Authentication

Temporary Access Pass (TAP) is now generally available. TAP can be used to securely register passwordless methods such as Phone Sign-in and phishing-resistant methods such as FIDO2, and it also helps with Windows onboarding (Azure AD join and Windows Hello for Business). TAP also makes recovery easier when a user has lost or forgotten their strong authentication methods and needs to sign in to register new ones. For more information, see: Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods.
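The script below is an added example, not code from the release notes or from Microsoft. It enables the Temporary Access Pass method for a pilot group in the tenant authentication method policy and then issues a one-time, one-hour TAP to a user who has lost their authenticator, using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module). The group ID and user principal name are placeholders; the administrator is assumed to hold Policy.ReadWrite.AuthenticationMethod and UserAuthenticationMethod.ReadWrite.All.

```powershell
# Added example (not from the release notes): enable TAP for a pilot group and
# issue a short-lived, one-time TAP for account recovery.
# Assumptions: placeholder group ID and UPN; admin holds
# Policy.ReadWrite.AuthenticationMethod and UserAuthenticationMethod.ReadWrite.All.

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

$pilotGroupId = '33333333-3333-3333-3333-333333333333'   # placeholder: group allowed to use TAP
$userUpn      = 'alice@contoso.example'                  # placeholder: user being recovered

# 1. Tenant policy. A TAP is a complete sign-in credential, so keep the defaults
#    tight: short lifetime, single use, and scope the method to a group rather
#    than all users until the help-desk process is in place.
$tapPolicy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLength            = 8
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true
    includeTargets           = @(@{ targetType = 'group'; id = $pilotGroupId; isRegistrationRequired = $false })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $tapPolicy

# 2. Issue the pass. The code is returned exactly once and never again, so
#    capture it here and hand it over out of band (help-desk call after identity
#    verification), not by e-mail to a mailbox the user can no longer open.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}

[pscustomobject]@{
    User    = $userUpn
    Code    = $tap.TemporaryAccessPass
    Starts  = $tap.StartDateTime
    Expires = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTime = $tap.IsUsableOnce
}
```

After the user has registered a permanent method, list any remaining passes with Get-MgUserAuthenticationTemporaryAccessPassMethod and delete them with Remove-MgUserAuthenticationTemporaryAccessPassMethod, so an unused multi-use pass doesn't linger as a second credential.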


Public Preview of Dynamic Group support for MemberOf

Type: New feature
Service category: Group Management
Product capability: Directory

Create "nested" groups with Azure AD dynamic groups. This feature enables you to build dynamic Azure AD security groups and Microsoft 365 groups based on membership of other groups. For example, you can now create Dynamic-Group-A whose members are the members of Group-X and Group-Y. For more information, see: Steps to create a memberOf dynamic group.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2022 we've added the following 22 new applications in our App gallery with Federation support:

Leadcamp Mailer, PULCE, Hive Learning, Planview LeanKit, Javelo, きょうしつでビスケット, Agile Provisioning, xCarrier®, Skillcast, JTRA, InnerSpace inTELLO, Seculio, XplicitTrust Partner Console, Veracity Single-Sign On, Guardium Data Protection, IntellicureEHR v7, BMIS - Battery Management Information System, Finbiosoft Cloud, Standard for Success K-12, E2open LSP, TVU Service, S4 - Digitsec.

You can also find the documentation for all the applications here: https://aka.ms/AppsTutorial

To list your application in the Azure AD app gallery, see the details here: https://aka.ms/AzureADAppRequest


Public Preview - New Azure AD Portal All Users list and User Profile UI

Type: Changed feature
Service category: User Management
Product capability: User Management

We're enhancing the All Users list and User Profile in the Azure AD Portal to make it easier to find and manage your users. Improvements include:

All Users List:

  • Infinite scrolling (yes, no 'Load more')
  • More user properties can be added as columns and filtered on
  • Columns can be reordered via drag and drop
  • Default columns shown and their order can be managed via the column picker
  • The ability to copy and share the current view

User Profile:

  • A new Overview page that surfaces insights (that is, group memberships, account enabled, MFA capable, risky user, etc.)
  • A new monitoring tab
  • More user properties can be viewed and edited in the properties tab

For more information, see: User management enhancements in Azure Active Directory.


General Availability - More device properties supported for Dynamic Device groups

Type: Changed feature
Service category: Group Management
Product capability: Directory

You can now create or update dynamic device groups using the following properties:

  • deviceManagementAppId
  • deviceTrustType
  • extensionAttribute1-15
  • profileType

For more information on how to use this feature, see: Dynamic membership rule for device groups.
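As an added example (not code from the release notes or from Microsoft), the script below creates both the memberOf dynamic group described in the June 2022 entry above and a dynamic device group that uses the newly supported device properties listed here, via the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module). The two source group IDs are placeholders; the administrator is assumed to hold Group.ReadWrite.All; the Intune application ID is the value Microsoft's dynamic membership documentation uses for Intune-managed devices, so verify it for your tenant.

```powershell
# Added example (not from the release notes): a memberOf dynamic user group and
# a dynamic device group built on deviceTrustType, profileType,
# deviceManagementAppId and extensionAttribute1.
# Assumptions: placeholder source group IDs; admin holds Group.ReadWrite.All.

Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

# --- memberOf: Dynamic-Group-A = members of Group-X or Group-Y -------------
# Only direct members of the referenced groups are evaluated (one level), and
# a memberOf rule can't itself reference another memberOf group, so the source
# groups should be ordinary assigned or attribute-based groups.
$groupX = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'   # placeholder: Group-X object ID
$groupY = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'   # placeholder: Group-Y object ID
$memberOfRule = "user.memberof -any (group.objectId -in ['$groupX','$groupY'])"

$groupA = New-MgGroup -DisplayName 'Dynamic-Group-A' -MailEnabled:$false -MailNickname 'dynamic-group-a' `
    -SecurityEnabled -GroupTypes @('DynamicMembership') `
    -MembershipRule $memberOfRule -MembershipRuleProcessingState 'On'

# --- Device group: Azure AD-joined, Intune-managed, tagged Finance ----------
# deviceTrustType and deviceManagementAppId are written by the service, not by
# the device owner, so a user can't opt a personal device into this group by
# renaming it; extensionAttribute1 is admin-set, so treat it as a weaker signal.
$intuneAppId = '0000000a-0000-0000-c000-000000000000'   # Intune app ID per Microsoft docs; verify
$deviceRule  = '(device.deviceTrustType -eq "AzureAD") and ' +
               '(device.profileType -eq "RegisteredDevice") and ' +
               "(device.deviceManagementAppId -eq `"$intuneAppId`") and " +
               '(device.extensionAttribute1 -eq "Finance")'

$financeDevices = New-MgGroup -DisplayName 'Finance-Managed-Devices' -MailEnabled:$false -MailNickname 'finance-managed-devices' `
    -SecurityEnabled -GroupTypes @('DynamicMembership') `
    -MembershipRule $deviceRule -MembershipRuleProcessingState 'On'

# --- Check: membership is evaluated asynchronously, so counts fill in later ---
Start-Sleep -Seconds 60
foreach ($g in @($groupA, $financeDevices)) {
    $count = @(Get-MgGroupMember -GroupId $g.Id -All).Count
    '{0} ({1}): {2} member(s) so far' -f $g.DisplayName, $g.Id, $count
}
```

Before pointing a Conditional Access policy at either group, wait for the first evaluation to finish and spot-check the members; a rule that matches nothing (for example, a typo in a GUID) creates an empty group that silently excludes everyone from the policy.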