What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us into your RSS feed reader.

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Azure Active Directory.

August 2022

General Availability - Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Customers can now require a fresh authentication each time a user performs a certain action. Forced reauthentication supports requiring a user to reauthenticate during Intune device enrollment, password change for risky users, and risky sign-ins.

For more information, see: Configure authentication session management with Conditional Access


General Availability - Multi-Stage Access Reviews

Type: Changed feature
Service category: Access Reviews
Product capability: Identity Governance

Customers can now meet their complex audit and recertification requirements through multiple stages of reviews. For more information, see: Create a multi-stage access review.


Public Preview - External user leave settings

Type: New feature
Service category: Enterprise Apps
Product capability: B2B/B2C

Currently, users can leave an organization through self-service without their IT administrators having any visibility of it. Some organizations may want more control over this self-service process.

With this feature, IT administrators can now allow or restrict external identities from leaving an organization through the Microsoft-provided self-service controls, via Azure Active Directory in the Microsoft Entra portal. To restrict users from leaving an organization, customers need to set the "Global privacy contact" and "Privacy statement URL" under tenant properties.

A new policy API, the externalIdentitiesPolicy resource type, is available for administrators to control the tenant-wide policy.

For more information, see:


Public Preview - Restrict self-service BitLocker for devices

Type: New feature
Service category: Device Registration and Management
Product capability: Access Control

In some situations, you may want to restrict the ability of end users to self-service their BitLocker keys. With this new functionality, you can turn off self-service of BitLocker keys, so that only specific individuals with the right privileges can recover a BitLocker key.

For more information, see: Block users from viewing their BitLocker keys (preview)


Public Preview - Identity Protection Alerts in Microsoft 365 Defender

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection risk detections (alerts) are now also available in Microsoft 365 Defender to provide a unified investigation experience for security professionals. For more information, see: Investigate alerts in Microsoft 365 Defender


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2022, we've added the following 40 new applications in our App gallery with Federation support:

Albourne Castle, Adra by Trintech, workhub, 4DX, Ecospend IAM V1, TigerGraph, Sketch, Lattice, snapADDY Single Sign On, RELAYTO Content Experience Platform, oVice, Arena, QReserve, Curator, NetMotion Mobility, HackNotice, ERA_EHS_CORE, AnyClip Teams Connector, Wiz SSO, Tango Reserve by AgilQuest (EU Instance), valid8Me, Ahrtemis, KPMG Leasing Tool, Mist Cloud Admin SSO, Work-Happy, Ediwin SaaS EDI, LUSID, Next Gen Math, Total ID, Cheetah For Benelux, Live Center Australia, Shop Floor Insight, Warehouse Insight, myAOS, Hero, FigBytes, VerosoftDesign, ViewpointOne - UK, EyeRate Reviews, Lytx DriveCam

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


General Availability - Workload Identity Federation with App Registrations are available now

Type: New feature
Service category: Other
Product capability: Developer Experience

Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider for Azure AD tokens, without needing secrets. It eliminates the need to store and manage credentials inside the code or in secret stores to access Azure AD protected resources such as Azure and Microsoft Graph. By removing the secrets required to access Azure AD protected resources, workload identity federation can improve the security posture of your organization. This feature also reduces the burden of secret management and minimizes the risk of service downtime due to expired credentials.

For more information on this capability and supported scenarios, see Workload identity federation.
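The following PowerShell is an added example, not code from the Microsoft page: it registers a federated identity credential on an app registration so that a workload can exchange its own identity provider's token for an Azure AD token, and then checks that the app registration carries no client secrets, which is the point of the feature. It assumes the Microsoft.Graph PowerShell SDK and the Application.ReadWrite.All permission; the app object ID, issuer, subject and credential name are placeholders for your own external identity provider.

```powershell
# Added example (not from the Microsoft page): replace a stored secret with a federated
# identity credential and confirm no password credentials remain on the app registration.
# Assumes the Microsoft.Graph PowerShell SDK and Application.ReadWrite.All.

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$appObjectId = '<app-registration-object-id>'               # placeholder
$issuer      = 'https://token.actions.githubusercontent.com' # placeholder: your external IdP's issuer
$subject     = 'repo:contoso/infra:environment:production'   # placeholder: subject claim the IdP issues

# Azure AD will only accept tokens whose issuer, subject and audience match this credential.
New-MgApplicationFederatedIdentityCredential -ApplicationId $appObjectId `
    -Name 'deploy-pipeline' `
    -Issuer $issuer `
    -Subject $subject `
    -Audiences @('api://AzureADTokenExchange') `
    -Description 'Token exchange for the production deployment workflow (no stored secret)'

# Defender check: once federation is in place, any remaining password credential is a
# stored secret that federation was meant to remove. Surface it so it can be retired.
$app = Get-MgApplication -ApplicationId $appObjectId -Property DisplayName, PasswordCredentials
if ($app.PasswordCredentials.Count -gt 0) {
    Write-Warning "$($app.DisplayName) still has $($app.PasswordCredentials.Count) client secret(s); retire them once the federated credential is verified."
} else {
    Write-Host "$($app.DisplayName): no client secrets, federated credential only."
}
```

The subject string is the value the external provider places in its token's subject claim for this specific workload; keeping it narrow (one repository and environment in the placeholder above) is what stops other workloads at the same issuer from exchanging tokens for this app.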


Public Preview - Entitlement management automatic assignment policies

Type: Changed feature
Service category: Entitlement Management
Product capability: Identity Governance

In Azure AD entitlement management, a new form of access package assignment policy is being added. The automatic assignment policy includes a filter rule, similar to a dynamic group, that specifies the users in the tenant who should have assignments. When users come into scope of the filter rule, an assignment is automatically created, and when they no longer match, the assignment is removed.

For more information, see: Configure an automatic assignment policy for an access package in Azure AD entitlement management (Preview).


July 2022

Public Preview - ADFS to Azure AD: SAML App Multi-Instancing

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Users can now configure multiple instances of the same application within an Azure AD tenant. Both IdP-initiated and service provider (SP)-initiated single sign-on requests are supported. Multiple application accounts can now each have a separate service principal to handle instance-specific claims mapping and role assignment. For more information, see:


Public Preview - ADFS to Azure AD: Apply RegEx Replace to groups claim content

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Until recently, administrators could transform claims using many transformations, but regular expressions for claims transformation weren't exposed to customers. With this public preview release, administrators can now configure and use regular expressions for claims transformation through the portal UX. For more information, see: Customize app SAML token claims - Microsoft Entra | Microsoft Docs.


Public Preview - Azure AD Domain Services - Trusts for User Forests

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

You can now create trusts on both user and resource forests. On-premises AD DS users can't authenticate to resources in the Azure AD DS resource forest until you create an outbound trust to your on-premises AD DS. An outbound trust requires network connectivity to your on-premises virtual network on which you have installed Azure AD Domain Service. On a user forest, trusts can be created for on-premises AD forests that aren't synchronized to Azure AD DS.

To learn more about trusts and how to deploy your own, visit How trust relationships work for forests in Active Directory.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2022 we've added the following 28 new applications in our App gallery with Federation support:

Lunni Ticket Service, TESMA, Spring Health, Sorbet, Rainmaker UPS, Planview ID, Karbonalpha, Headspace, SeekOut, Stackby, Infrascale Cloud Backup, Keystone, LMS・教育管理システム Leaf, ZDiscovery, ラインズeライブラリアドバンス (Lines eLibrary Advance), Rootly, Articulate 360, Rise.com, SevOne Network Monitoring System (NMS), PGM, TouchRight Software, Tendium, Training Platform, Znapio, Preset, itslearning MS Teams sync, Veza, Trax

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest.


General Availability - No more waiting, provision groups on demand into your SaaS applications.

Type: New feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

Pick a group of up to five members and provision them into your third-party applications in seconds. Get started testing, troubleshooting, and provisioning to non-Microsoft applications such as ServiceNow, ZScaler, and Adobe. For more information, see: On-demand provisioning in Azure Active Directory.


General Availability – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by asserting that multi-factor authentication has already been performed by the identity provider. The protection can be enabled via the new security setting, federatedIdpMfaBehavior.

We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as the multi-factor authentication method for your federated users. To learn more about the protection and how to enable it, visit Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


General Availability - Tenant-based service outage notifications

Type: New feature
Service category: Other
Product capability: Platform

Azure Service Health supports service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure AD Admin Portal Overview page with appropriate links to Azure Service Health. Outage events are visible to the built-in Tenant Administrator roles. We'll continue to send outage notifications to subscriptions within a tenant during the transition. More information is available at: What are Service Health notifications in Azure Active Directory?.


Public Preview - Multiple Passwordless Phone sign-in Accounts for iOS devices

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in either the same, or different, tenants. Guest accounts aren't supported for multiple account sign-ins from one device.

Note that end users are encouraged to enable the optional telemetry setting in the Authenticator App, if they haven't already. For more information, see: Enable passwordless sign-in with Microsoft Authenticator.


Public Preview - Azure AD Domain Services - Fine Grain Permissions

Type: Changed feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Previously, setting up and administering your Azure AD DS instance required the top-level permissions of Azure Contributor and Azure AD Global Administrator. Now, both initial creation and ongoing administration can use more fine-grained permissions for enhanced security and control. The prerequisites now minimally require:

Check out these resources to learn more:


General Availability- Azure AD Connect update release with new functionality and bug fixes

Type: Changed feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

A new Azure AD Connect release fixes several bugs and includes new functionality. This release is also available for auto upgrade for eligible servers. For more information, see: Azure AD Connect: Version release history.


General Availability - Cross-tenant access settings for B2B collaboration

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now you’ll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. For more information, see: Cross-tenant access with Azure AD External Identities.


General Availability- Expression builder with Application Provisioning

Type: Changed feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in your apps or in your on-premises directory could be disastrous. We’re excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you visibility into the potential deletions. You can then accept or reject the deletions and have time to update the job’s scope if necessary. For more information, see Understand how expression builder in Application Provisioning works.


Public Preview - Improved app discovery view for My Apps portal

Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

An improved app discovery view for My Apps is in public preview. The preview shows users more apps in the same space and allows them to scroll between collections. It doesn't currently support drag-and-drop and list view. Users can opt into the preview by selecting Try the preview and opt out by selecting Return to previous view. To learn more about My Apps, see My Apps portal overview.


Public Preview - New Azure AD Portal All Devices list

Type: Changed feature
Service category: Device Registration and Management
Product capability: End User Experiences

We're enhancing the All Devices list in the Azure AD Portal to make it easier to filter and manage your devices. Improvements include:

All Devices List:

  • Infinite scrolling
  • More devices properties can be filtered on
  • Columns can be reordered via drag and drop
  • Select all devices

For more information, see: Manage devices in Azure AD using the Azure portal.


Public Preview - ADFS to Azure AD: Persistent NameID for IDP-initiated Apps

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

Previously, the only way to have a persistent NameID value was to configure a user attribute with an empty value. Admins can now explicitly configure the NameID value to be persistent, along with the corresponding format.

For more information, see: Customize app SAML token claims - Microsoft identity platform | Microsoft Docs.


Public Preview - ADFS to Azure Active Directory: Customize attrname-format

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

With this new parity update, customers can now integrate non-gallery applications such as Socure DevHub with Azure AD to have SSO via SAML.

For more information, see Claims mapping policy - Microsoft Entra | Microsoft Docs.


June 2022

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Public Preview - Roles are being assigned outside of Privileged Identity Management

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Customers can be alerted on assignments made outside PIM either directly on the Azure portal or also via email. For the current public preview, the assignments are being tracked at the subscription level. For more information, see Configure security alerts for Azure roles in Privileged Identity Management.


General Availability - Temporary Access Pass is now available

Type: New feature
Service category: MFA
Product capability: User Authentication

Temporary Access Pass (TAP) is now generally available. TAP can be used to securely register password-less methods such as Phone Sign-in, phishing resistant methods such as FIDO2, and even help Windows onboarding (AADJ and WHFB). TAP also makes recovery easier when a user has lost or forgotten their strong authentication methods and needs to sign in to register new authentication methods. For more information, see: Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods.


Public Preview of Dynamic Group support for MemberOf

Type: New feature
Service category: Group Management
Product capability: Directory

Create "nested" groups with Azure AD Dynamic Groups! This feature enables you to build dynamic Azure AD Security Groups and Microsoft 365 groups based on other groups! For example, you can now create Dynamic-Group-A with members of Group-X and Group-Y. For more information, see: Steps to create a memberOf dynamic group.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2022 we've added the following 22 new applications in our App gallery with Federation support:

Leadcamp Mailer, PULCE, Hive Learning, Planview LeanKit, Javelo, きょうしつでビスケット, Agile Provisioning, xCarrier®, Skillcast, JTRA, InnerSpace inTELLO, Seculio, XplicitTrust Partner Console, Veracity Single-Sign On, Guardium Data Protection, IntellicureEHR v7, BMIS - Battery Management Information System, Finbiosoft Cloud, Standard for Success K-12, E2open LSP, TVU Service, S4 - Digitsec.

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, see the details here: https://aka.ms/AzureADAppRequest.


General Availability – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by asserting that multi-factor authentication has already been performed by the identity provider. The protection can be enabled via the new security setting, federatedIdpMfaBehavior.

We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as the multi-factor authentication method for your federated users. To learn more about the protection and how to enable it, visit Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.


Public Preview - New Azure AD Portal All Users list and User Profile UI

Type: Changed feature
Service category: User Management
Product capability: User Management

We're enhancing the All Users list and User Profile in the Azure AD Portal to make it easier to find and manage your users. Improvements include:

All Users List:

  • Infinite scrolling (yes, no 'Load more')
  • More user properties can be added as columns and filtered on
  • Columns can be reordered via drag and drop
  • Default columns shown and their order can be managed via the column picker
  • The ability to copy and share the current view

User Profile:

  • A new Overview page that surfaces insights (that is, group memberships, account enabled, MFA capable, risky user, etc.)
  • A new monitoring tab
  • More user properties can be viewed and edited in the properties tab

For more information, see: User management enhancements in Azure Active Directory.


General Availability - More device properties supported for Dynamic Device groups

Type: Changed feature
Service category: Group Management
Product capability: Directory

You can now create or update dynamic device groups using the following properties:

  • deviceManagementAppId
  • deviceTrustType
  • extensionAttribute1-15
  • profileType

For more information on how to use this feature, see: Dynamic membership rule for device groups.
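As an added example that is not part of the Microsoft page, the following PowerShell creates the two kinds of dynamic group described in this month's notes: a memberOf group built from two source groups, and a device group filtered on the newly supported deviceTrustType and extensionAttribute1 properties. It assumes the Microsoft.Graph PowerShell SDK and the Group.ReadWrite.All permission; the source group object IDs, the group names and the extension attribute value are placeholders.

```powershell
# Added example (not from the Microsoft page): a memberOf dynamic user group and a dynamic
# device group using the device properties listed above.
# Assumes the Microsoft.Graph PowerShell SDK and Group.ReadWrite.All. IDs are placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Source groups for the memberOf rule (placeholders: replace with your own group object IDs).
$groupX = '11111111-1111-1111-1111-111111111111'
$groupY = '22222222-2222-2222-2222-222222222222'

# memberOf rule: a user lands in Dynamic-Group-A when they are a member of Group-X or Group-Y.
# memberOf rules cannot be combined with other rule clauses in the same group, so the rule stands alone.
$memberOfRule = "user.memberof -any (group.objectId -in ['$groupX','$groupY'])"

New-MgGroup -DisplayName 'Dynamic-Group-A' `
    -MailEnabled:$false -MailNickname 'dynamic-group-a' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $memberOfRule `
    -MembershipRuleProcessingState 'On'

# Device rule on the newly supported properties: Azure AD joined devices (deviceTrustType)
# whose extensionAttribute1 carries a constructed tag. Scoping a Conditional Access or
# Intune policy to such a group keeps registered-only and hybrid devices out of it.
$deviceRule = '(device.deviceTrustType -eq "AzureAD") -and (device.extensionAttribute1 -eq "Finance")'

New-MgGroup -DisplayName 'Finance AADJ devices' `
    -MailEnabled:$false -MailNickname 'finance-aadj-devices' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $deviceRule `
    -MembershipRuleProcessingState 'On'
```

Membership is evaluated asynchronously after creation, so check the resulting members with Get-MgGroupMember once processing has completed rather than immediately after the New-MgGroup call.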


May 2022

General Availability: Tenant-based service outage notifications

Type: Plan for change
Service category: Other
Product capability: Platform

Azure Service Health will soon support service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure AD admin portal overview page with appropriate links to Azure Service Health. Outage events will be visible to the built-in Tenant Administrator roles. We'll continue to send outage notifications to subscriptions within a tenant during the transition. More information will be available when this capability is released. The expected release is June 2022.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2022 we've added the following 25 new applications in our App gallery with Federation support:

UserZoom, AMX Mobile, i-Sight, Method InSight, Chronus SAML, Attendant Console for Microsoft Teams, Skopenow, Fidelity PlanViewer, Lyve Cloud, Framer, Authomize, gamba!, Datto File Protection Single Sign On, LONEALERT, Payfactors, deBroome Brand Portal, TeamSlide, Sensera Systems, YEAP, Monaca Education, Personify Inc, Phenom TXM, Forcepoint Cloud Security Gateway - User Authentication, GoalQuest, OpenForms.

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest.


General Availability – My Apps users can make apps from URLs (add sites)

Type: New feature
Service category: My Apps
Product capability: End User Experiences

When editing a collection using the My Apps portal, users can now add their own sites, in addition to adding apps that have been assigned to them by an admin. To add a site, users must provide a name and URL. For more information on how to use this feature, see: Customize app collections in the My Apps portal.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public Preview: Confirm safe and compromised in sign-ins API beta

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

The sign-ins Microsoft Graph API now supports confirming safe and compromised on risky sign-ins. This public preview functionality is available at the beta endpoint. For more information, please check out the Microsoft Graph documentation: signIn: confirmSafe - Microsoft Graph beta | Microsoft Docs


Public Preview of Microsoft cloud settings for Azure AD B2B

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:

  • Microsoft Azure global cloud and Microsoft Azure Government
  • Microsoft Azure global cloud and Microsoft Azure China 21Vianet

To learn more about Microsoft cloud settings for B2B collaboration, see: Cross-tenant access overview - Azure AD | Microsoft Docs.


General Availability of SAML and WS-Fed federation in External Identities

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

When setting up federation with a partner's IdP, new guest users from that domain can use their own IdP-managed organizational account to sign in to your Azure AD tenant and start collaborating with you. There's no need for the guest user to create a separate Azure AD account. To learn more about federating with SAML or WS-Fed identity providers in External Identities, see: Federation with a SAML/WS-Fed identity provider (IdP) for B2B - Azure AD | Microsoft Docs.


Public Preview - Create Group in Administrative Unit

Type: Changed feature
Service category: Directory Management
Product capability: Access Control

Groups Administrators assigned over the scope of an administrative unit can now create groups within the administrative unit. This enables scoped group administrators to create groups that they can manage directly, without needing to elevate to Global Administrator or Privileged Role Administrator. For more information, see: Administrative units in Azure Active Directory.


Public Preview - Dynamic administrative unit support for onPremisesDistinguishedName property

Type: Changed feature
Service category: Directory Management
Product capability: AuthZ/Access Delegation

The public preview of dynamic administrative units now supports the onPremisesDistinguishedName property for users. This makes it possible to create dynamic rules that incorporate the organizational unit of the user from on-premises AD. For more information, see: Manage users or devices for an administrative unit with dynamic membership rules (Preview).


General Availability - Improvements to Azure AD Smart Lockout

Type: Changed feature
Service category: Other
Product capability: User Management

Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold. For more information, see: Protect user accounts from attacks with Azure Active Directory smart lockout.


April 2022

General Availability - Entitlement management separation of duties checks for incompatible access packages

Type: Changed feature
Service category: Other
Product capability: Identity Governance

In Azure AD entitlement management, an administrator can now configure the incompatible access packages and groups of an access package in the Azure portal. This prevents a user who already has one of those incompatible access rights from being able to request further access. For more information, see: Configure separation of duties checks for an access package in Azure AD entitlement management.


General Availability - Microsoft Defender for Endpoint Signal in Identity Protection

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that detects Primary Refresh Token (PRT) theft. To learn more, see: What is risk? Azure AD Identity Protection | Microsoft Docs.


General Availability - Entitlement management 3 stages of approval

Type: Changed feature
Service category: Other
Product capability: Entitlement Management

This update extends the Azure AD entitlement management access package policy to allow a third approval stage. This can be configured via the Azure portal or Microsoft Graph. For more information, see: Change approval and requestor information settings for an access package in Azure AD entitlement management.


General Availability - Improvements to Azure AD Smart Lockout

Type: Changed feature
Service category: Identity Protection
Product capability: User Management

With a recent improvement, Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold. For more information, see: Protect user accounts from attacks with Azure Active Directory smart lockout.


Type: New feature
Service category: User Access Management
Product capability: AuthZ/Access Delegation

Microsoft 365 Certification status for an app is now available in Azure AD consent UX, and custom app consent policies. The status will later be displayed in several other Identity-owned interfaces such as enterprise apps. For more information, see: Understanding Azure AD application consent experiences.


Public preview - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels. For more information, see: Include B2B direct connect users and teams accessing Teams Shared Channels in access reviews (preview).


Public Preview - New MS Graph APIs to configure federated settings when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're announcing the public preview of the following MS Graph APIs and PowerShell cmdlets for configuring federation settings when federated with Azure AD:

  • Get federation settings for a federated domain: MS Graph API Get internalDomainFederation; PowerShell cmdlet Get-MgDomainFederationConfiguration
  • Create federation settings for a federated domain: MS Graph API Create internalDomainFederation; PowerShell cmdlet New-MgDomainFederationConfiguration
  • Remove federation settings for a federated domain: MS Graph API Delete internalDomainFederation; PowerShell cmdlet Remove-MgDomainFederationConfiguration
  • Update federation settings for a federated domain: MS Graph API Update internalDomainFederation; PowerShell cmdlet Update-MgDomainFederationConfiguration

If using older MSOnline cmdlets (Get-MsolDomainFederationSettings and Set-MsolDomainFederationSettings), we highly recommend transitioning to the latest MS Graph APIs and PowerShell cmdlets.

For more information, see internalDomainFederation resource type - Microsoft Graph beta | Microsoft Docs.


Public Preview – Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

Type: New feature
Service category: RBAC role
Product capability: AuthZ/Access Delegation

Added functionality to session controls allows admins to require a user to reauthenticate on every sign-in if the user or a particular sign-in event is deemed risky, or when enrolling a device in Intune. For more information, see Configure authentication session management with Conditional Access.


Public Preview – Protect against bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're announcing a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, Azure AD performs multi-factor authentication itself and no longer accepts a claim from the federated identity provider that multi-factor authentication has already been performed. A compromised federated account (or a compromised federation server issuing tokens) therefore can't satisfy an Azure AD MFA requirement simply by asserting that MFA happened. The protection is enabled through a new security setting on the domain's federation configuration, federatedIdpMfaBehavior.

We highly recommend enabling this protection when Azure AD Multi-Factor Authentication is the MFA method for your federated users. To learn more about the protection and how to enable it, visit Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.
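The following script is an added example that ties the two items above together; it is not code from the release notes. It uses the Get-MgDomainFederationConfiguration and Update-MgDomainFederationConfiguration cmdlets listed in the federation table to audit every federated domain's federatedIdpMfaBehavior and, only when run with -Apply, sets it to rejectMfaByFederatedIdp so Azure AD performs MFA itself. It assumes the Microsoft.Graph PowerShell SDK (Identity.DirectoryManagement module) and an account that can consent to Domain.ReadWrite.All; the -Apply switch is this script's own, and the parameter name -FederatedIdpMfaBehavior and the value names follow the internalDomainFederation resource type the note links to.

```powershell
# Added example (not from the release notes): audit and harden federatedIdpMfaBehavior
# on every federated domain. Without -Apply the script only reports.
param(
    [switch]$Apply   # this script's own switch: actually write the setting
)

Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

# Only federated domains carry a federation configuration; managed domains are skipped.
$federatedDomains = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }

foreach ($domain in $federatedDomains) {
    foreach ($cfg in (Get-MgDomainFederationConfiguration -DomainId $domain.Id)) {
        $behavior = $cfg.FederatedIdpMfaBehavior
        if (-not $behavior) {
            # Unset: the legacy MSOnline SupportsMfa behaviour still applies and the
            # IdP's "MFA already done" claim is accepted.
            $behavior = 'unset (legacy SupportsMfa behaviour)'
        }

        if ($cfg.FederatedIdpMfaBehavior -eq 'rejectMfaByFederatedIdp') {
            Write-Host "$($domain.Id): protected ($behavior)"
            continue
        }

        # acceptIfMfaDoneByFederatedIdp (and the unset default) trusts the federated IdP's
        # assertion that MFA was performed; a compromised federated account or token-issuing
        # federation server can forge that assertion and skip cloud MFA entirely.
        Write-Warning "$($domain.Id): federatedIdpMfaBehavior is $behavior; cloud MFA can be bypassed by a federated MFA claim"

        if ($Apply) {
            Update-MgDomainFederationConfiguration -DomainId $domain.Id `
                -InternalDomainFederationId $cfg.Id `
                -FederatedIdpMfaBehavior 'rejectMfaByFederatedIdp'
            Write-Host "$($domain.Id): set federatedIdpMfaBehavior to rejectMfaByFederatedIdp"
        }
    }
}
```

Run it once without -Apply to see which domains still accept the IdP's MFA claim, then with -Apply to enforce. Before flipping the setting, confirm that your federated users are registered for Azure AD MFA; after the change Azure AD will prompt them itself even when the on-premises IdP already did. Once federatedIdpMfaBehavior is set, it takes precedence over the older SupportsMfa flag from Set-MsolDomainFederationSettings.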


New Federated Apps available in Azure AD Application gallery - April 2022

Type: New feature
Service category: Enterprise Apps
Product capability: Third Party Integration

In April 2022 we added the following 24 new applications in our App gallery with Federation support:

X-1FBO, select Armor, Smint.io Portals for SharePoint, Pluto, ADEM, Smart360, MessageWatcher SSO, Beatrust, AeyeScan, ABa Customer, Twilio Sendgrid, Vault Platform, Speexx, Clicksign, Per Angusta, EruditAI, MetaMoJi ClassRoom, Numici, MCB.CLOUD, DepositLink, Last9, ParkHere Corporate, Keepabl, Swit

You can find the documentation for all gallery applications at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, see https://aka.ms/AzureADAppRequest.


General Availability - Customer data storage for Japan customers in Japanese data centers

Type: New feature
Service category: App Provisioning
Product capability: GoLocal

From April 15, 2022, Microsoft began storing Azure AD’s Customer Data for new tenants with a Japan billing address within the Japanese data centers. For more information, see: Customer data storage for Japan customers in Azure Active Directory.


New provisioning connectors in the Azure AD Application Gallery - April 2022

Type: New feature
Service category: App Provisioning
Product capability: Third Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD


March 2022

Tenant enablement of combined security information registration for Azure Active Directory

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

In April 2020 we announced general availability of the combined registration experience, which lets users register security information for multi-factor authentication and self-service password reset in a single flow; existing tenants could opt in. After September 30, 2022, combined security information registration will be enabled for all tenants that haven't yet enabled it. This change doesn't affect tenants created after August 15, 2020 (which already have it) or tenants located in the China region. For more information, see: Combined security information registration for Azure Active Directory overview.


New provisioning connectors in the Azure AD Application Gallery - March 2022

Type: New feature
Service category: App Provisioning
Product capability: Third Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public preview - Azure AD Recommendations

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD Recommendations is now in public preview. This feature provides personalized insights with actionable guidance to help you identify opportunities to implement Azure AD best practices and optimize the state of your tenant. For more information, see: What is Azure Active Directory recommendations.


Public Preview: Dynamic administrative unit membership for users and devices

Type: New feature
Service category: RBAC role
Product capability: Access Control

Administrative units now support dynamic membership rules for user and device members. Instead of manually assigning users and devices to an administrative unit, tenant admins can define a membership rule (a query over user or device attributes) for the administrative unit, and Azure AD maintains the membership automatically. For more information, see: Administrative units in Azure Active Directory.


Public Preview: Devices in Administrative Units

Type: New feature
Service category: RBAC role
Product capability: AuthZ/Access Delegation

Devices can now be added as members of administrative units. This enables scoped delegation of device permissions to a specific set of devices in the tenant. Built-in and custom roles are also supported. For more information, see: Administrative units in Azure Active Directory.
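The script below is an added example covering both administrative unit items above (dynamic membership rules and devices as members); it is not code from the release notes. It creates an administrative unit whose device membership is maintained by a dynamic rule and then delegates the Cloud Device Administrator role over only those devices to a security group, which is the scoped-delegation pattern the note describes. It assumes the Microsoft.Graph PowerShell SDK with consent to AdministrativeUnit.ReadWrite.All, RoleManagement.ReadWrite.Directory and Group.Read.All; the group name, AU name and rule are this example's own placeholders, and the dynamic membership properties are sent to the beta administrativeUnits endpoint via Invoke-MgGraphRequest because that is where the preview surfaces them.

```powershell
# Added example (not from the release notes): dynamic device AU + AU-scoped role delegation.
param(
    [string]$AdminGroupName = 'Lab Device Admins',            # assumed existing security group
    [string]$AuName         = 'Lab Devices',                   # placeholder AU name
    [string]$Rule           = '(device.displayName -startsWith "LAB-")'  # placeholder device rule
)

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Group.Read.All'

# Dynamic AU: membershipType, membershipRule and membershipRuleProcessingState are the
# administrativeUnit properties behind the preview. A single rule targets either users
# or devices, never both, so this AU holds devices only.
$au = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/directory/administrativeUnits' `
    -Body @{
        displayName                   = $AuName
        description                   = 'Devices selected by dynamic rule; device admin delegated per AU'
        membershipType                = 'Dynamic'
        membershipRule                = $Rule
        membershipRuleProcessingState = 'On'   # Off would store the rule without evaluating it
    }

# Resolve the built-in role and the delegate group by display name instead of hard-coding ids.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Cloud Device Administrator'"
$group = Get-MgGroup -Filter "displayName eq '$AdminGroupName'"
if (-not $group) { throw "Group '$AdminGroupName' not found" }

# directoryScopeId limits the assignment to the AU's members. Assigning the same role with
# directoryScopeId '/' would grant it over every device in the tenant.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $group.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.id)"

"Created AU $($au.id) with rule $Rule"
"Assignment $($assignment.Id): '$($group.DisplayName)' holds '$($role.DisplayName)' scoped to /administrativeUnits/$($au.id)"
```

Dynamic membership is evaluated asynchronously, so the AU is empty for a short while after creation; check Get-MgDirectoryAdministrativeUnitMember before relying on the delegation. Because the role is scoped, a member of the delegate group can manage LAB- devices but gets no access to other devices or to users, which is the least-privilege outcome the AU feature is for.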


Type: New feature
Service category: Enterprise Apps
Product capability: Third Party Integration

In March 2022 we added the following 29 new applications in our App gallery with Federation support:

Informatica Platform, Buttonwood Central SSO, Blockbax, Datto Workplace Single Sign On, Atlas by Workland, Simply.Coach, Benevity, Engage Absence Management, LitLingo App Authentication, ADP EMEA French HR Portal mon.adp.com, Ready Room, Rainmaker UPSMQDEV, Axway CSOS, Alloy, U.S. Bank Prepaid, EdApp, GoSimplo, Snow Atlas SSO, Abacus.AI, Culture Shift, StaySafe Hub, OpenLearning, Draup, Inc, Air, Regulatory Lab, SafetyLine, Zest, iGrafx Platform, Tracker Software Technologies

You can find the documentation for all gallery applications at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, see https://aka.ms/AzureADAppRequest.


Public Preview - New APIs for fetching transitive role assignments and role permissions

Type: New feature
Service category: RBAC role
Product capability: Access Control

  1. transitiveRoleAssignments - Last year the ability to assign Azure AD roles to groups was introduced. Since then it took four calls to fetch all of a user's role assignments, direct and transitive (inherited through group membership). The new API returns them in a single call. For more information, see: List transitiveRoleAssignment - Microsoft Graph beta | Microsoft Docs.

  2. unifiedRbacResourceAction - Developers can use this API to list all role permissions (resource actions) and their descriptions in Azure AD. It serves as a dictionary of the permission strings from which custom roles are built, without relying on the portal UX. For more information, see: List resourceActions - Microsoft Graph beta | Microsoft Docs.
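The following is an added example for both APIs above, not code from the release notes. Get-TransitiveDirectoryRoles lists every directory role a principal holds directly or through group membership by calling the beta transitiveRoleAssignments endpoint once, and Find-DirectoryResourceAction searches the resourceActions catalog for permission strings to put in a custom role. It assumes the Microsoft.Graph PowerShell SDK with RoleManagement.Read.Directory consent; the function names are this example's own, the principal id in the usage line is a placeholder, and the $count plus ConsistencyLevel header reflect the advanced-query requirement of the transitiveRoleAssignments endpoint.

```powershell
# Added example (not from the release notes): effective role audit and permission lookup.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'

function Get-TransitiveDirectoryRoles {
    param([Parameter(Mandatory)][string]$PrincipalId)

    # transitiveRoleAssignments only supports filtering by principalId and needs
    # $count=true with the ConsistencyLevel: eventual header (advanced query).
    $uri = 'https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments' +
           "?`$count=true&`$filter=principalId eq '$PrincipalId'"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri -Headers @{ ConsistencyLevel = 'eventual' }

    # Resolve each roleDefinitionId to a display name once; the same role can arrive
    # via several groups or scopes.
    $names = @{}
    foreach ($a in $resp.value) {
        if (-not $names.ContainsKey($a.roleDefinitionId)) {
            $names[$a.roleDefinitionId] = (Get-MgRoleManagementDirectoryRoleDefinition `
                -UnifiedRoleDefinitionId $a.roleDefinitionId).DisplayName
        }
        [pscustomobject]@{
            Role             = $names[$a.roleDefinitionId]
            RoleDefinitionId = $a.roleDefinitionId
            # '/' is tenant-wide; '/administrativeUnits/<id>' means the role is AU-scoped.
            DirectoryScopeId = $a.directoryScopeId
        }
    }
}

function Find-DirectoryResourceAction {
    param([Parameter(Mandatory)][string]$Pattern)   # PowerShell wildcard, e.g. '*password*'

    # resourceActions under the microsoft.directory namespace is the catalog of
    # permission strings (e.g. microsoft.directory/users/password/update) custom roles use.
    $uri = 'https://graph.microsoft.com/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions'
    $actions = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $actions += $page.value
        $uri = $page.'@odata.nextLink'     # follow paging until the catalog is exhausted
    } while ($uri)

    $actions | Where-Object { $_.name -like $Pattern } |
        ForEach-Object { [pscustomobject]@{ Action = $_.name; Description = $_.description } }
}

# Usage: every role a user or group effectively holds (placeholder principal id).
Get-TransitiveDirectoryRoles -PrincipalId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize

# Usage: candidate permissions for a least-privilege custom role around password operations.
Find-DirectoryResourceAction -Pattern '*password*' | Format-Table -AutoSize
```

Feed Get-TransitiveDirectoryRoles the ids of your break-glass accounts and any group that is role-assignable: a Global Administrator assignment showing up with a group-derived path, or a scope of '/', is the kind of inherited privilege that direct-assignment reports miss. Pair the resourceActions output with the role definition's rolePermissions when reviewing a custom role, so the role grants exactly the named actions and nothing broader.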