What's new in Microsoft Entra ID?

Get notified about when to revisit this page for updates by copying and pasting this URL: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us into your RSS feed reader icon feed reader.

Microsoft Entra ID (previously known as Azure Active Directory) receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

Note

If you're currently using Azure Active Directory today or are have previously deployed Azure Active Directory in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you.

This page updates monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Microsoft Entra ID?.

January 2024

Generally Availability - New Microsoft Entra Home page

Type: Changed feature
Service category: N/A
Product capability: Directory

We redesigned the Microsoft Entra admin center's homepage to help you do the following:

  • Learn about the product suite
  • Identify opportunities to maximize feature value
  • Stay up to date with recent announcements, new features, and more!

See the new experience here: https://entra.microsoft.com/


Public Preview - Granular Certificate-Based Authentication Configuration in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

With the authentication strength capability in Conditional Access, you can now create a custom authentication strength policy, with advanced certificate-based authentication (CBA) options to allow access based on certificate issuer or policy OIDs. For external users whose MFA is trusted from partners' Microsoft Entra ID tenant, access can also be restricted based on these properties. For more information, see: Custom Conditional Access authentication strengths.


Generally Availability - Conditional Access filters for apps

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Filters for apps in Conditional Access simplify policy management by allowing admins to tag applications with custom security, and target them in Conditional Access policies, instead of using direct assignments. With this feature, customers can scale up their policies, and protect any number of apps. For more information, see: Conditional Access: Filter for applications


Public preview - Cross-tenant manager synchronization

Type: New feature
Service category: Provisioning
Product capability: Identity Governance

Cross-tenant synchronization now supports synchronizing the manager attribute across tenants. For more information, see: Attributes.


General Availability- Microsoft Defender for Office alerts in Identity Protection

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

The Suspicious sending patterns risk detection type is discovered using information provided by Microsoft Defender for Office (MDO). This alert is generated when someone in your organization has sent suspicious email, and is either at risk of being restricted from sending email, or has already been restricted from sending email. This detection moves users to medium risk, and only fires in organizations that have deployed MDO. For more information, see: What are risk detections?.


Public preview - New Microsoft Entra recommendation to migrate off MFA Server

Type: New feature
Service category: MFA
Product capability: User Authentication

We've released a new recommendation in the Microsoft Entra admin center for customers to move off MFA Server to Microsoft Entra multifactor authentication. MFA Server will be retired on September 30, 2024. Any customers with MFA Server activity in the last seven days see the recommendation that includes details about their current usage, and steps on how to move to Microsoft Entra multifactor authentication. For more information, see: Migrate from MFA Server to Microsoft Entra multifactor authentication.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: What is app provisioning in Microsoft Entra ID?.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2024 we've added the following 10 new applications in our App gallery with Federation support:

Boeing ToolBox, Kloud Connect Practice Management, トーニチ・ネクスタ・メイシ ( Tonichi Nexta Meishi ), Vinkey, Cognito Forms, Ocurus, Magister, eFlok, GoSkills, FortifyData, Toolsfactory platform, Briq, Mailosaur, Astro, JobDiva / Teams VOIP Integration, Colossyan SAML, CallTower Connect, Jellyfish, MetLife Legal Plans Member App, Navigo Cloud SAML, Delivery Scheduling Tool, Highspot for MS Teams, Reach 360, Fareharbor SAML SSO, HPE Aruba Networking EdgeConnect Orchestrator, Terranova Security Awareness Platform.

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Microsoft Entra ID app gallery, read the details here https://aka.ms/AzureADAppRequest.


December 2023

Public Preview - Configurable redemption order for B2B collaboration

Type: New feature
Service category: B2B
Product capability: B2B/B2C

With configurable redemption, you can customize the order of identity providers that your guest users can sign in with when they accept your invitation. This lets your override the default configuration order set by Microsoft and use your own. This can be used to help with scenarios like prioritizing a SAML/WS-fed federation above a Microsoft Entra ID verified domain, disabling certain identity providers as an option during redemption, or even only using something like email one-time pass-code as a redemption option. For more information, see: Configurable redemption (Preview).


General Availability - Edits to Dynamic Group Rule Builder

Type: Changed feature
Service category: Group Management
Product capability: Directory

The dynamic group rule builder is updated to no longer include the 'contains' and 'notContains' operators, as they're less performant. If needed, you can still create dynamic group rules with those operators by typing directly into the text box. For more information, see: Rule builder in the Azure portal.


November 2023

Decommissioning of Group Writeback V2 (Public Preview) in Entra Connect Sync

Type: Plan for change
Service category: Provisioning
Product capability: Microsoft Entra Connect Sync

The public preview of Group Writeback V2 (GWB) in Entra Connect Sync will no longer be available after June 30, 2024. After this date, Connect Sync will no longer support provisioning cloud security groups to Active Directory.

Another similar functionality is offered in Entra Cloud Sync, called “Group Provision to AD”, that maybe used instead of GWB V2 for provisioning cloud security groups to AD. Enhanced functionality in Cloud Sync, along with other new features, are being developed.

Customers who use this preview feature in Connect Sync should switch their configuration from Connect Sync to Cloud Sync. Customers can choose to move all their hybrid sync to Cloud Sync (if it supports their needs) or Cloud Sync can be run side-by-side and move only cloud security group provisioning to AD onto Cloud Sync.

Customers who provision Microsoft 365 groups to AD can continue using GWB V1 for this capability.

Customers can evaluate moving exclusively to Cloud Sync by using this wizard: https://aka.ms/EvaluateSyncOptions


General Availability - Microsoft Entra Cloud Sync now supports ability to enable Exchange Hybrid configuration for Exchange customers

Type: New feature
Service category: Provisioning
Product capability: Microsoft Entra Connect

Exchange hybrid capability allows for the coexistence of Exchange mailboxes both on-premises and in Microsoft 365. Microsoft Entra Cloud Sync synchronizes a specific set of Exchange-related attributes from Microsoft Entra ID back into your on-premises directory and to any forests that's disconnected (no network trust needed between them). With this capability, existing customers who have this feature enabled in Microsoft Entra Connect sync can now migrate, and apply, this feature with Microsoft Entra cloud sync. For more information, see: Exchange hybrid writeback with cloud sync.


General Availability - Guest Governance: Inactive Guest Insights

Type: New feature
Service category: Reporting
Product capability: Identity Governance

Monitor guest accounts at scale with intelligent insights into inactive guest users in your organization. Customize the inactivity threshold depending on your organization’s needs, narrow down the scope of guest users you want to monitor, and identify the guest users that might be inactive. For more information, see: Monitor and clean up stale guest accounts using access reviews.


Public Preview - lastSuccessfulSignIn property in signInActivity API

Type: New feature
Service category: MS Graph
Product capability: End User Experiences

An extra property is added to signInActivity API to display the last successful sign in time for a specific user, regardless if the sign in was interactive or non-interactive. The data won't be backfilled for this property, so you should expect to be returned only successful sign in data starting on December 8, 2023.


General Availability - Auto-rollout of Conditional Access policies

Type: New feature
Service category: Conditional Access
Product capability: Access Control

Starting in November 2023, Microsoft will begin automatically protecting customers with Microsoft managed Conditional Access policies. These are policies that Microsoft creates and enables in customer tenants. The following policies are rolled out to all eligible tenants, who will be notified prior to policy creation:

  1. Multifactor authentication for admin portals: This policy covers privileged admin roles and requires multifactor authentication when an admin signs into a Microsoft admin portal.
  2. Multifactor authentication for per-user multifactor authentication users: This policy covers users with per-user multifactor authentication and requires multifactor authentication for all cloud apps.
  3. Multifactor authentication for high-risk sign-ins: This policy covers all users and requires multifactor authentication and reauthentication for high-risk sign-ins.

For more information, see:


General Availability - Custom security attributes in Microsoft Entra ID

Type: New feature
Service category: Directory Management
Product capability: Directory

Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. Custom security attributes can be used with Azure attribute-based access control (Azure ABAC). For more information, see: What are custom security attributes in Microsoft Entra ID?.

Changes were made to custom security attribute audit logs for general availability that might impact your daily operations. If you have been using custom security attribute audit logs during the preview, there are the actions you must take before February 2024 to ensure your audit log operations aren't disrupted. For more information, see: Custom security attribute audit logs.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: What is app provisioning in Microsoft Entra ID?.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2023 we've added the following 10 new applications in our App gallery with Federation support:

Citrix Cloud, Freight Audit, Movement by project44, Alohi, AMCS Fleet Maintenance, Real Links Campaign App, Propely, Contentstack, Jasper AI, IANS Client Portal, Avionic Interface Technologies LSMA, CultureHQ, Hone, Collector Systems, NetSfere, Spendwise, Stage and Screen

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Microsoft Entra ID app gallery, read the details here https://aka.ms/AzureADAppRequest.


Note

In new updates from the previous version of the release notes: Microsoft Authenticator is not yet FIPS 140 compliant on Android. Microsoft Authenticator on Android is currently pending FIPS compliance certification to support our customers that may require FIPS validated cryptography.

October 2023

Public Preview - Managing and Changing Passwords in My Security Info

Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences

My Sign Ins (My Sign-Ins (microsoft.com)) now supports end users managing and changing their passwords. Users are able to manage passwords in My Security Info and change their password inline. If a user authenticates with a password and an MFA credential, they're able to are able to change their password without entering their existing password.

For more information, see: Combined security information registration for Microsoft Entra overview.


Public Preview - Govern AD on-premises applications (Kerberos based) using Microsoft Entra Governance

Type: New feature
Service category: Provisioning
Product capability: Microsoft Entra Cloud Sync

Security groups provisioning to AD (also known as Group Writeback) is now publicly available through Microsoft Entra Cloud Sync. With this new capability, you can easily govern AD based on-premises applications (Kerberos based apps) using Microsoft Entra Governance.

For more information, see: Govern on-premises Active Directory based apps (Kerberos) using Microsoft Entra ID Governance


Public Preview - Microsoft Entra Permissions Management: Permissions Analytics Report PDF for multiple authorization systems

Type: Changed feature
Service category:
Product capability: Permissions Management

The Permissions Analytics Report (PAR) lists findings relating to permissions risks across identities and resources in Permissions Management. The PAR is an integral part of the risk assessment process where customers discover areas of highest risk in their cloud infrastructure. This report can be directly viewed in the Permissions Management UI, downloaded in Excel (XSLX) format, and exported as a PDF. The report is available for all supported cloud environments: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). 

The PAR PDF has been redesigned to enhance usability, align with the product UX redesign effort, and address various customer feature requests. You can download the PAR PDF for up to 10 authorization systems.


General Availability - Enhanced Devices List Management Experience

Type: Changed feature
Service category: Device Access Management
Product capability: End User Experiences

Several changes have been made to the All Devices list since announcing public preview, including:

  • Prioritized consistency and accessibility across the different components
  • Modernized the list and addressed top customer feedback
    • Added infinite scrolling, column reordering, and the ability to select all devices
    • Added filters for OS Version and Autopilot devices
  • Created more connections between Microsoft Entra and Intune
    • Added links to Intune in Compliant and MDM columns
    • Added Security Settings Management column

For more information, see: View and filter your devices.


General Availability - Windows MAM

Type: New feature
Service category: Conditional Access
Product capability: Access Control

Windows MAM is the first step toward Microsoft management capabilities for unmanaged Windows devices. This functionality comes at a critical time when we need to ensure the Windows platform is on par with the simplicity and privacy promise we offer end users today on the mobile platforms. End users can access company resources without needing the whole device to be MDM managed.

For more information, see: Require an app protection policy on Windows devices.


General Availability - Microsoft Security email update and Resources for Azure AD rename to Microsoft Entra ID

Type: Plan for change
Service category: Other
Product capability: End User Experiences

Microsoft Entra ID is the new name for Azure Active Directory (Azure AD). The rename and new product icon are now being deployed across experiences from Microsoft. Most updates are complete by mid-November of this year. As previously announced, this is just a new name, with no impact on deployments or daily work. There are no changes to capabilities, licensing, terms of service, or support.

From October 15 to November 15, Azure AD emails previously sent from azure-noreply@microsoft.com will start being sent from MSSecurity-noreply@microsoft.com. You might need to update your Outlook rules to match this.

Additionally, we'll update email content to remove all references of Azure AD where relevant, and include an informational banner that announces this change.

Here are some resources to guide you rename your own product experiences or content where necessary:


General Availability - End users will no longer be able to add password SSO apps in My Apps.

Type: Deprecated
Service category: My Apps
Product capability: End User Experiences

Effective November 15, 2023, end users will no longer be able to add password SSO Apps to their gallery in My Apps. However, admins can still add password SSO apps following these instructions. Password SSO apps previously added by end users remain available in My Apps.

For more information, see: Discover applications.


General Availability - Restrict Microsoft Entra ID Tenant Creation To Only Paid Subscription

Type: Changed feature
Service category: Managed identities for Azure resources
Product capability: End User Experiences

The ability to create new tenants from the Microsoft Entra admin center allows users in your organization to create test and demo tenants from your Microsoft Entra ID tenant, Learn more about creating tenants. When used incorrectly this feature can allow the creation of tenants that aren't managed or viewable by your organization. We recommend that you restrict this capability so that only trusted admins can use this feature, Learn more about restricting member users' default permissions. We also recommend you use the Microsoft Entra audit log to monitor for the Directory Management: Create Company event that signals a new tenant has been created by a user in your organization.

To further protect your organization, Microsoft is now limiting this functionality to only paid customers. Customers on trial subscriptions are unable to create additional tenants from the Microsoft Entra admin center. Customers in this situation who need a new trial tenant can sign up for a Free Azure Account.


General Availability - Users can't modify GPS location when using location based access control

Type: Plan for change
Service category: Conditional Access
Product capability: User Authentication

In an ever-evolving security landscape, the Microsoft Authenticator is updating its security baseline for Location Based Access Control (LBAC) conditional access policies to disallow authentications where the user might be using a different location than the actual GPS location of the mobile device. Today, it's possible for users to modify the location reported by the device on iOS and Android devices. The Authenticator app starts to deny LBAC authentications where we detect that the user isn't using the actual location of the mobile device where the Authenticator is installed.

In the November 2023 release of the Authenticator app, users who are modifying the location of their device sees a denial message in the app when doing an LBAC authentication. To ensure that users aren’t using older app versions to continue authenticating with a modified location, beginning January 2024, any users that are on Android Authenticator 6.2309.6329 version or prior and iOS Authenticator version 6.7.16 or prior will be blocked from using LBAC. To determine which users are using older versions of the Authenticator app, you can use our MSGraph APIs.


Public Preview - Overview page in My Access portal

Type: New feature
Service category: Entitlement Management
Product capability: Identity Governance

Today, when users navigate to myaccess.microsoft.com, they land on a list of available access packages in their organization. The new Overview page provides a more relevant place for users to land. The Overview page points them to the tasks they need to complete and helps familiarize users with how to complete tasks in My Access.

Admins can enable/disable the Overview page preview by signing into the Microsoft Entra admin center and navigating to Entitlement management > Settings > Opt-in Preview Features and locating My Access overview page in the table.

For more information, see: My Access Overview page (preview).


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: What is app provisioning in Microsoft Entra ID?.


Public Preview - Microsoft Graph Activity Logs

Type: New feature
Service category: Microsoft Graph
Product capability: Monitoring & Reporting

The MicrosoftGraphActivityLogs provides administrators full visibility into all HTTP requests accessing your tenant’s resources through the Microsoft Graph API. These logs can be used to find activity from compromised accounts, identify anomalous behavior, or investigate application activity. For more information, see: Access Microsoft Graph activity logs (preview).


Public Preview - Microsoft Entra Verified ID quick setup

Type: New feature
Service category: Other
Product capability: Identity Governance

Quick Microsoft Entra Verified ID setup, available in preview, removes several configuration steps an admin needs to complete with a single select on a Get started button. The quick setup takes care of signing keys, registering your decentralized ID, and verifying your domain ownership. It also creates a Verified Workplace Credential for you. For more information, see: Quick Microsoft Entra Verified ID setup.


September 2023

Public Preview - Changes to FIDO2 authentication methods and Windows Hello for Business

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

Beginning January 2024, Microsoft Entra ID supports device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.

We expand the existing FIDO2 authentication methods policy, and end user experiences, to support this preview release. For your organization to opt in to this preview, you need to enforce key restrictions to allow specified passkey providers in your FIDO2 policy. Learn more about FIDO2 key restrictions here.

In addition, the existing end user sign-in option for Windows Hello and FIDO2 security keys are renamed to “Face, fingerprint, PIN, or security key”. The term “passkey” will be mentioned in the updated sign-in experience to be inclusive of passkey credentials presented from security keys, computers, and mobile devices.


General Availability - Recovery of deleted application and service principals is now available

Type: New feature
Service category: Enterprise Apps
Product capability: Identity Lifecycle Management

With this release, you can now recover applications along with their original service principals, eliminating the need for extensive reconfiguration and code changes (Learn more). It significantly improves the application recovery story and addresses a long-standing customer need. This change is beneficial to you on:

  • Faster Recovery: You can now recover their systems in a fraction of the time it used to take, reducing downtime and minimizing disruptions.
  • Cost Savings: With quicker recovery, you can save on operational costs associated with extended outages and labor-intensive recovery efforts.
  • Preserved Data: Previously lost data, such as SMAL configurations, is now retained, ensuring a smoother transition back to normal operations.
  • Improved User Experience: Faster recovery times translate to improved user experience and customer satisfaction, as applications are back up and running swiftly.

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: What is app provisioning in Microsoft Entra ID?.


General Availability - Web Sign-In for Windows

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're thrilled to announce that as part of the Windows 11 September moment, we're releasing a new Web Sign-In experience that will expand the number of supported scenarios and greatly improve security, reliability, performance, and overall end-to-end experience for our users.

Web Sign-In (WSI) is a credential provider on the Windows lock/sign-in screen for AADJ joined devices that provide a web experience used for authentication and returns an auth token back to the operating system to allow the user to unlock/sign-in to the machine.

Web Sign-In was initially intended to be used for a wide range of auth credential scenarios; however, it was only previously released for limited scenarios such as: Simplified EDU Web Sign-In and recovery flows via Temporary Access Password (TAP).

The underlying provider for Web Sign-In is re-written from the ground up with security and improved performance in mind. This release moves the Web Sign-in infrastructure from the Cloud Host Experience (CHX) WebApp to a newly written Login Web Host (LWH) for the September moment. This release provides better security and reliability to support previous EDU & TAP experiences and new workflows enabling using various Auth Methods to unlock/login to the desktop.


General Availability - Support for Microsoft admin portals in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:

  • Azure portal
  • Exchange admin center
  • Microsoft 365 admin center
  • Microsoft 365 Defender portal
  • Microsoft Entra admin center
  • Microsoft Intune admin center
  • Microsoft Purview compliance portal

For more information, see: Microsoft Admin Portals.