What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL into your RSS feed reader: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page updates monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Azure Active Directory.

May 2023

General Availability - Conditional Access authentication strength for members, external users and FIDO2 restrictions

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. Likewise, to access a nonsensitive resource, they can allow less secure multifactor authentication (MFA) combinations such as password + SMS.

Authentication strength is now in General Availability for members and external users from any Microsoft cloud and FIDO2 restrictions. For more information, see: Conditional Access authentication strength.


General Availability - SAML/Ws-Fed based identity provider authentication for Azure Active Directory B2B users in US Sec and US Nat clouds

Type: New feature
Service category: B2B
Product capability: B2B/B2C

SAML/Ws-Fed based identity providers for authentication in Azure AD B2B are generally available in US Sec, US Nat and China clouds. For more information, see: Federation with SAML/WS-Fed identity providers for guest users.


General Availability - Cross-tenant synchronization

Type: New feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

Cross-tenant synchronization allows you to set up a scalable and automated solution for users to access applications across tenants in your organization. It builds upon the Azure Active Directory B2B functionality and automates creating, updating, and deleting B2B users within tenants in your organization. For more information, see: What is cross-tenant synchronization?.


Public Preview (Refresh) - Custom Extensions in Entitlement Management

Type: New feature
Service category: Entitlement management
Product capability: Identity Governance

Last year we announced the public preview of custom extensions in Entitlement Management allowing you to automate complex processes when access is requested or about to expire. We have recently expanded the public preview to allow for the access package assignment request to be paused while your external process is running. In addition, the external process can now provide feedback to Entitlement Management to either surface additional information to end users in MyAccess or even stop the access request. This expands the scenarios of custom extension from notifications to additional stakeholders or the generation of tickets to advanced scenarios such as external governance, risk and compliance checks. In the course of this update, we have also improved the audit logs, token security and the payload sent to the Logic App. To learn more about the preview refresh, see:


General Availability - Managed Identity in Microsoft Authentication Library for .NET

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

The latest version of MSAL.NET graduates the Managed Identity APIs into the General Availability mode of support, which means that developers can integrate them safely in production workloads.

Managed identities are a part of the Azure infrastructure, simplifying how developers handle credentials and secrets to access cloud resources. With Managed Identities, developers do not need to manually handle credential retrieval and security. Instead, they can rely on an automatically managed set of identities to connect to resources that support Azure Active Directory (AAD) authentication. You can learn more in What are managed identities for Azure resources?

With MSAL.NET 4.54.0, the Managed Identity APIs are now stable. There are a few changes that we added that make them easier to use and integrate that might require tweaking your code if you’ve used our experimental implementation:

  • When using Managed Identity APIs, developers will need to specify the identity type when creating a ManagedIdentityApplication.
  • When acquiring tokens with Managed Identity APIs and using the default HTTP client, MSAL retries the request for certain exception codes.
  • We added a new MsalManagedIdentityException class that represents any Managed Identity-related exceptions. It includes general exception information, including the Azure source from which the exception originates.
  • MSAL will now proactively refresh tokens acquired with Managed Identity.

To get started with Managed Identity in MSAL.NET, you can use the Microsoft.Identity.Client package together with the ManagedIdentityApplicationBuilder class.
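The following C# snippet is an added example, not code from the release notes or from the MSAL.NET project, showing how the GA Managed Identity API described above fits together: the identity type is chosen explicitly when the ManagedIdentityApplication is built, the token request goes through AcquireTokenForManagedIdentity, and service-side failures are caught through MsalServiceException. It assumes the Microsoft.Identity.Client package (4.54.0 or later) is referenced, that the code runs on an Azure host that has a managed identity, and that the target resource is the Azure Resource Manager endpoint; the resource URI, the optional user-assigned client ID parameter and the class name ManagedIdentityTokenClient are assumptions made for this example.

```csharp
// Added example (not from the Azure AD release notes or the MSAL.NET project).
// Assumes: Microsoft.Identity.Client 4.54.0+ is referenced and the process runs
// on an Azure host (VM, App Service, Functions, AKS, ...) with a managed identity.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ManagedIdentityTokenClient
{
    // Resource (audience) to request a token for. The ARM endpoint is an
    // assumption for this example; any Azure AD protected resource works.
    private const string Resource = "https://management.azure.com/";

    // The GA API requires the identity type up front: system-assigned, or a
    // user-assigned identity selected by its client ID.
    private static IManagedIdentityApplication BuildApp(string? userAssignedClientId)
    {
        ManagedIdentityId identity = userAssignedClientId is null
            ? ManagedIdentityId.SystemAssigned
            : ManagedIdentityId.WithUserAssignedClientId(userAssignedClientId);

        return ManagedIdentityApplicationBuilder.Create(identity).Build();
    }

    // Returns an access token for the configured resource. Pass null to use the
    // host's system-assigned identity (parameter is an assumption of this example).
    public static async Task<string> GetAccessTokenAsync(string? userAssignedClientId = null)
    {
        IManagedIdentityApplication app = BuildApp(userAssignedClientId);

        try
        {
            // MSAL talks to the host's managed identity endpoint, caches the
            // result, retries transient failures with the default HTTP client,
            // and (per the GA release) proactively refreshes the cached token.
            AuthenticationResult result = await app
                .AcquireTokenForManagedIdentity(Resource)
                .ExecuteAsync();

            // TokenSource shows whether the token came from the cache or the
            // identity endpoint; useful when validating the refresh behaviour.
            Console.WriteLine($"Token source: {result.AuthenticationResultMetadata.TokenSource}, " +
                              $"expires: {result.ExpiresOn:u}");
            return result.AccessToken;
        }
        catch (MsalServiceException ex)
        {
            // Assumption: the MsalManagedIdentityException introduced in 4.54
            // derives from MsalServiceException, so this catch covers it as well.
            // ErrorCode distinguishes a missing identity endpoint, an unknown
            // user-assigned identity, or a resource the identity may not access.
            Console.Error.WriteLine($"Managed Identity token request failed: {ex.ErrorCode} - {ex.Message}");
            throw;
        }
    }
}
```

Because the identity type is now explicit, a deployment that previously relied on the experimental API's defaults should be checked for which identity it actually presents: a host with several user-assigned identities will fail at token acquisition rather than silently picking one.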


Public Preview - New My Groups Experience

Type: Changed feature
Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at myaccount.microsoft.com/groups. This experience replaces the existing My Groups experience at mygroups.microsoft.com in May. For more information, see: Update your Groups info in the My Apps portal.


General Availability - Admins can restrict their users from creating tenants

Type: New feature
Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings pane allows admins to restrict their users from being able to create new tenants. There's also a new Tenant Creator role to allow specific users to create tenants. For more information, see Default user permissions.


General Availability - Devices Self-Help Capability for Pending Devices

Type: New feature
Service category: Device Access Management
Product capability: End User Experiences

In the All Devices view under the Registered column, you can now select any pending devices you have, and it opens a context pane to help troubleshoot why a device may be pending. You can also offer feedback on if the summarized information is helpful or not. For more information, see: Pending devices in Azure Active Directory.


General Availability - Admins can now restrict users from self-service accessing their BitLocker keys

Type: New feature
Service category: Device Access Management
Product capability: User Management

Admins can now restrict their users from self-service accessing their BitLocker keys through the Devices Settings page. Turning on this capability hides the BitLocker key(s) of all non-admin users. This helps to control BitLocker access management at the admin level. For more information, see: Restrict member users' default permissions.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


General Availability - Microsoft Entra Permissions Management Azure Active Directory Insights

Type: New feature
Service category: Other
Product capability: Permissions Management

The Azure Active Directory Insights tab in Microsoft Entra Permissions Management provides a view of all permanent role assignments assigned to Global Administrators, and a curated list of highly privileged roles. Administrators can then use the report to take further action within the Azure Active Directory console. For more information, see View privileged role assignments in your organization (Preview).


Public Preview - In portal guide to configure multi-factor authentication

Type: New feature
Service category: MFA
Product capability: Identity Security & Protection

The in portal guide to configure multi-factor authentication helps you get started with Azure Active Directory's MFA capabilities. You can find this guide under the Tutorials tab in the Azure AD Overview. For more information, see: Configure multi-factor authentication using the portal guide.


General Availability - Authenticator Lite (In Outlook)

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator Lite (in Outlook) is an authentication solution for users that haven't yet downloaded the Microsoft Authenticator app. Users are prompted in Outlook on their mobile device to register for multi-factor authentication. After they enter their password at sign-in, they'll have the option to send a push notification to their Android or iOS device.

Due to the security enhancement this feature provides users, the Microsoft managed value of this feature will be changed from ‘disabled’ to ‘enabled’ on June 9. We’ve made some changes to the feature configuration, so if you made an update before GA, May 17, please validate that the feature is in the correct state for your tenant prior to June 9. If you don't wish for this feature to be enabled on June 9, move the state to ‘disabled’, or set users to include and exclude groups.

For more information, see: How to enable Microsoft Authenticator Lite for Outlook mobile (preview).


General Availability - PowerShell and Web Services connector support through the Azure AD provisioning agent

Type: New feature
Service category: Provisioning
Product capability: Outbound to On-premises Applications

The Azure AD on-premises application provisioning feature now supports both the PowerShell and web services connectors. You can now provision users into a flat file using the PowerShell connector, or into an app such as SAP ECC using the web services connector. For more information, see: Provisioning users into applications using PowerShell.


General Availability - Verified threat actor IP sign-in detection

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection has added a new detection, using the Microsoft Threat Intelligence database, to detect sign-ins performed from IP addresses of known nation-state and cyber-crime actors, and allow customers to block these sign-ins by using risk-based Conditional Access policies. For more information, see: Sign-in risk.


General Availability - Conditional Access Granular control for external user types

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

When configuring a Conditional Access policy, customers now have granular control over the types of external users they want to apply the policy to. External users are categorized based on how they authenticate (internally or externally) and their relationship to your organization (guest or member). For more information, see: Assigning Conditional Access policies to external user types.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2023 we added the following 51 new applications in our App gallery with Federation support:

INEXTRACK, Valotalive Digital Signage Microsoft 365 integration, Tailscale, MANTL, ServusConnect, Jigx MS Graph Demonstrator, Delivery Solutions, Radiant IOT Portal, Cosgrid Networks, voya SSO, Redocly, Glaass Pro, TalentLyftOIDC, Cisco Expressway, IBM TRIRIGA on Cloud, Avionte Bold SAML Federated SSO, InspectNTrack, CAREERSHIP, Cisco Unity Connection, HSC-Buddy, teamecho, Uni-tel A/S, AskFora, Enterprise Bot, CMD+CTRL Base Camp, Debitia Collections, EnergyManager, Visual Workforce, Uplifter, AI2, TES Cloud, VEDA Cloud, SOC SST, Alchemer, Cleanmail Swiss, WOX, WATS, Data Quality Assistant, Softdrive, Fluence Portal, Humbol, Document360, Engage by Local Measure, Gate Property Management Software, Locus, Banyan Infrastructure, Proactis Rego Invoice Capture, SecureTransport, Recnice

You can also find the documentation of all the applications from here: https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest


General Availability - My Security-info now shows Microsoft Authenticator type

Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection

We have improved My Sign-ins and My Security-Info to give you more clarity on the types of Microsoft Authenticator or other Authenticator apps a user has registered. Users will now see Microsoft Authenticator registrations with additional information showing the app as being registered as Push-based MFA or Password-less phone sign-in (PSI) and for other Authenticator apps (Software OATH) we now indicate they're registered as a Time-based One-time password method. For more information, see: Set up the Microsoft Authenticator app as your verification method.



April 2023

Public Preview - Custom attributes for Azure Active Directory Domain Services

Type: New feature
Service category: Azure Active Directory Domain Services
Product capability: Azure Active Directory Domain Services

Azure Active Directory Domain Services will now support synchronizing custom attributes from Azure AD for on-premises accounts. For more information, see: Custom attributes for Azure Active Directory Domain Services.


General Availability - Enablement of combined security information registration for MFA and self-service password reset (SSPR)

Type: New feature
Service category: MFA
Product capability: Identity Security & Protection

Last year we announced the combined registration user experience for MFA and self-service password reset (SSPR) was rolling out as the default experience for all organizations. We're happy to announce that the combined security information registration experience is now fully rolled out. This change doesn't affect tenants located in the China region. For more information, see: Combined security information registration for Azure Active Directory overview.


General Availability - System preferred MFA method

Type: Changed feature
Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Currently, organizations and users rely on a range of authentication methods, each offering varying degrees of security. While Multifactor Authentication (MFA) is crucial, some MFA methods are more secure than others. Despite having access to more secure MFA options, users frequently choose less secure methods for various reasons.

To address this challenge, we're introducing a new system-preferred authentication method for MFA. When users sign in, the system will determine and display the most secure MFA method that the user has registered. This prompts users to switch from the default method to the most secure option. While users may still choose a different MFA method, they'll always be prompted to use the most secure method first for every session that requires MFA. For more information, see: System-preferred multifactor authentication - Authentication methods policy.


General Availability - PIM alert: Alert on active-permanent role assignments in Azure or assignments made outside of PIM

Type: Fixed
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Alert on Azure subscription role assignments made outside of Privileged Identity Management (PIM) provides an alert in PIM for Azure subscription assignments made outside of PIM. An owner or User Access Administrator can take a quick remediation action to remove those assignments.


Public Preview - Enhanced Create User and Invite User Experiences

Type: Changed feature
Service category: User Management
Product capability: User Management

Admins can now define more properties when creating and inviting a user in the Entra admin portal. These improvements bring our UX to parity with our Create User APIs. Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: Add or delete users using Azure Active Directory.


Public Preview - Azure AD Conditional Access protected actions

Type: Changed feature
Service category: RBAC
Product capability: Access Control

The protected actions public preview introduces the ability to apply Conditional Access to select permissions. When a user performs a protected action, they must satisfy Conditional Access policy requirements. For more information, see: What are protected actions in Azure AD? (preview).


Public Preview - Token Protection for Sign-in Sessions

Type: New feature
Service category: Conditional Access
Product capability: User Authentication

Token Protection for sign-in sessions is our first release on a roadmap to combat attacks involving token theft and replay. It provides Conditional Access enforcement of token proof-of-possession for supported clients and services, ensuring that access to specified resources is only from a device to which the user has signed in. For more information, see: Conditional Access: Token protection (preview).


General Availability - New limits on number and size of group secrets starting June 2023

Type: Plan for change
Service category: Group Management
Product capability: Directory

Starting in June 2023, the secrets stored on a single group can't exceed 48 individual secrets, or have a total size greater than 10KB across all secrets on a single group. Groups with more than 10KB of secrets will immediately stop working in June 2023. In June, groups exceeding 48 secrets are unable to increase the number of secrets they have, though they may still update or delete those secrets. We highly recommend reducing to fewer than 48 secrets by January 2024.

Group secrets are typically created when a group is assigned credentials to an app using Password-based single sign-on. To reduce the number of secrets assigned to a group, we recommend creating additional groups, and splitting up group assignments to your Password-based SSO applications across those new groups. For more information, see: Add password-based single sign-on to an application.


Public Preview - Authenticator Lite in Outlook

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator Lite is an additional surface for Azure Active Directory users to complete multifactor authentication using push notifications on their Android or iOS device. With Authenticator Lite, users can satisfy a multifactor authentication requirement from the convenience of a familiar app. Authenticator Lite is currently enabled in the Outlook mobile app. Users may receive a notification in their Outlook mobile app to approve or deny, or use the Outlook app to generate an OATH verification code that can be entered during sign-in. The 'Microsoft managed' setting for this feature will be set to enabled on May 26th, 2023. This enables the feature for all users in tenants where the feature is set to Microsoft managed. If you wish to change the state of this feature, please do so before May 26, 2023. For more information, see: How to enable Microsoft Authenticator Lite for Outlook mobile (preview).


General Availability - Updated look and feel for Per-user MFA

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

As part of ongoing service improvements, we're making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change doesn't include any changes to the core functionality and will only include visual improvements. For more information, see: Enable per-user Azure AD Multi-Factor Authentication to secure sign-in events.


General Availability - Additional terms of use audit logs will be turned off

Type: Fixed
Service category: Terms of Use
Product capability: AuthZ/Access Delegation

Due to a technical issue, we have recently started to emit additional audit logs for terms of use. The additional audit logs will be turned off by the first of May and are tagged with the core directory service and the agreement category. If you have built a dependency on the additional audit logs, you must switch to the regular audit logs tagged with the terms of use service.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2023 we've added the following 10 new applications in our App gallery with Federation support:

iTel Alert, goFLUENT, StructureFlow, StructureFlow AU, StructureFlow CA, StructureFlow EU, StructureFlow USA, Predict360 SSO, Cegid Cloud, HashiCorp Cloud Platform (HCP), O'Reilly learning platform, LeftClick Web Services – RoomGuide, LeftClick Web Services – Sharepoint, LeftClick Web Services – Presence, LeftClick Web Services - Single Sign-On, InterPrice Technologies, WiggleDesk SSO, Application Experience with Mist, Connect Plans 360, Proactis Rego Source-to-Contract, Danomics, Fountain, Theom, DDC Web, Dozuki.

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public Preview - New PIM Azure resource picker

Type: Changed feature
Service category: Privileged Identity Management
Product capability: End User Experiences

With this new experience, PIM now automatically manages any type of resource in a tenant, so discovery and activation is no longer required. With the new resource picker, users can directly choose the scope they want to manage from the Management Group down to the resources themselves, making it faster and easier to locate the resources they need to administer. For more information, see: Assign Azure resource roles in Privileged Identity Management.


General Availability - Self Service Password Reset (SSPR) now supports PIM eligible users and indirect group role assignment

Type: Changed feature
Service category: Self Service Password Reset
Product capability: Identity Security & Protection

Self Service Password Reset (SSPR) can now check for PIM eligible users, and evaluate group-based memberships along with direct memberships, when checking if a user is in a particular administrator role. This capability provides more accurate SSPR policy enforcement by validating whether users are in scope for the default SSPR admin policy or your organization's SSPR user policy.

For more information, see:


March 2023

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


General Availability - Workload identity Federation for Managed Identities

Type: New feature
Service category: Managed identities for Azure resources
Product capability: Developer Experience

Workload Identity Federation enables developers to use managed identities for their software workloads running anywhere and access Azure resources without needing secrets. Key scenarios include:

  • Accessing Azure resources from Kubernetes pods running in any cloud or on-premises
  • GitHub workflows to deploy to Azure, no secrets necessary
  • Accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud Platform.

For more information, see:


Public Preview - New My Groups Experience

Type: Changed feature
Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at https://www.myaccount.microsoft.com/groups. My Groups enables end users to easily manage groups, such as finding groups to join, managing groups they own, and managing existing group memberships. Based on customer feedback, the new My Groups supports sorting and filtering on lists of groups and group members, a full list of group members in large groups, and an actionable overview page for membership requests. This experience replaces the existing My Groups experience at https://www.mygroups.microsoft.com in May.

For more information, see: Update your Groups info in the My Apps portal.


Public preview - Customize tokens with Custom Claims Providers

Type: New feature
Service category: Authentications (Logins)
Product capability: Extensibility

A custom claims provider lets you call an API and map custom claims into the token during the authentication flow. The API call is made after the user has completed all their authentication challenges, and a token is about to be issued to the app. For more information, see: Custom authentication extensions (preview).


General Availability - Converged Authentication Methods

Type: New feature
Service category: MFA
Product capability: User Authentication

The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in your tenant. For more information, see: Manage authentication methods.


General Availability - Provisioning Insights Workbook

Type: New feature
Service category: Provisioning
Product capability: Monitoring & Reporting

This new workbook makes it easier to investigate and gain insights into your provisioning workflows in a given tenant. This includes HR-driven provisioning, cloud sync, app provisioning, and cross-tenant sync.

Some key questions this workbook can help answer are:

  • How many identities have been synced in a given time range?
  • How many create, delete, update, or other operations were performed?
  • How many operations were successful, skipped, or failed?
  • What specific identities failed? And what step did they fail on?
  • For any given user, what tenants / applications were they provisioned or deprovisioned to?

For more information, see: Provisioning insights workbook.


General Availability - Number Matching for Microsoft Authenticator notifications

Type: Plan for Change
Service category: Microsoft Authenticator App
Product capability: User Authentication

Microsoft Authenticator app’s number matching feature has been Generally Available since Nov 2022! If you haven't already used the rollout controls (via Azure portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We previously announced that we'll remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we'll extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8, 2023. We'll also remove the rollout controls for number matching after that date.

If customers don’t enable number match for all Microsoft Authenticator push notifications prior to May 8, 2023, Authenticator users may experience inconsistent sign-ins while the services are rolling out this change. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.

For more information, see: How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy


Public Preview - IPv6 coming to Azure AD

Type: Plan for Change
Service category: Identity Protection
Product capability: Platform

Earlier, we announced our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD), enabling our customers to reach the Azure AD services over IPv4, IPv6 or dual stack endpoints. This is just a reminder that we have started introducing IPv6 support into Azure AD services in a phased approach in late March 2023.

If you utilize Conditional Access or Identity Protection, and have IPv6 enabled on any of your devices, you likely must take action to avoid impacting your users. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to deprioritize IPv4 in any Azure AD features or services. We'll continue to share additional guidance on IPv6 enablement in Azure AD at this link: IPv6 support in Azure Active Directory.


General Availability - Microsoft cloud settings for Azure AD B2B

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:

  • Microsoft Azure commercial and Microsoft Azure Government
  • Microsoft Azure commercial and Microsoft Azure China 21Vianet

For more information about Microsoft cloud settings for B2B collaboration, see Microsoft cloud settings.


Modernizing Terms of Use Experiences

Type: Plan for Change
Service category: Terms of use
Product capability: AuthZ/Access Delegation

Starting July 2023, we're modernizing the following Terms of Use end user experiences with an updated PDF viewer, and moving the experiences from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com:

  • View previously accepted terms of use.
  • Accept or decline terms of use as part of the sign-in flow.

No functionalities will be removed. The new PDF viewer adds functionality and the limited visual changes in the end-user experiences will be communicated in a future update. If your organization has allow-listed only certain domains, you must ensure your allowlist includes the domains ‘myaccount.microsoft.com’ and ‘*.myaccount.microsoft.com’ for Terms of Use to continue working as expected.


February 2023

General Availability - Expanding Privileged Identity Management Role Activation across the Azure portal

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management (PIM) role activation has been expanded to the Billing and AD extensions in the Azure portal. Shortcuts have been added to Subscriptions (billing) and Access Control (AD) to allow users to activate PIM roles directly from these blades. From the Subscriptions blade, select View eligible subscriptions in the horizontal command menu to check your eligible, active, and expired assignments. From there, you can activate an eligible assignment in the same pane. In Access control (IAM) for a resource, you can now select View my access to see your currently active and eligible role assignments and activate directly. By integrating PIM capabilities into different Azure portal blades, this new feature allows users to gain temporary access to view or edit subscriptions and resources more easily.

For more information, see: Activate my Azure resource roles in Privileged Identity Management.


General Availability - Follow Azure AD best practices with recommendations

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD recommendations help you improve your tenant posture by surfacing opportunities to implement best practices. On a daily basis, Azure AD analyzes the configuration of your tenant. During this analysis, Azure AD compares the data of a recommendation with the actual configuration of your tenant. If a recommendation is flagged as applicable to your tenant, the recommendation appears in the Recommendations section of the Azure AD Overview.

This release includes our first 3 recommendations:

  • Convert from per-user MFA to Conditional Access MFA
  • Migrate applications from AD FS to Azure AD
  • Minimize MFA prompts from known devices

For more information, see:


Public Preview - Azure AD PIM + Conditional Access integration

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Now you can require users who are eligible for a role to satisfy Conditional Access policy requirements before activation: use a specific authentication method enforced through Authentication Strengths, activate from an Intune-compliant device, comply with Terms of Use, use third-party MFA, and satisfy location requirements.

For more information, see: Configure Azure AD role settings in Privileged Identity Management.


General Availability - More information on why a sign-in was flagged as "unfamiliar"

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Unfamiliar sign-in properties risk detection now provides risk reasons as to which properties are unfamiliar for customers to better investigate that risk.

Identity Protection now surfaces the unfamiliar properties in the Azure portal UX and in the API as Additional Info, with a user-friendly description explaining which properties are unfamiliar for this sign-in of the given user.

There's no additional work to enable this feature; the unfamiliar properties are shown by default. For more information, see: Sign-in risk.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2023 we've added the following 10 new applications in our App gallery with Federation support:

PROCAS, Tanium Cloud SSO, LeanDNA, CalendarAnything LWC, courses.work, Udemy Business SAML, Canva, Kno2fy, IT-Conductor, ナレッジワーク(Knowledge Work), Valotalive Digital Signage Microsoft 365 integration, Priority Matrix HIPAA, Priority Matrix Government, Beable, Grain, DojoNavi, Global Validity Access Manager, FieldEquip, Peoplevine, Respondent, WebTMA, ClearIP, Pennylane, VsimpleSSO, Compliance Genie, Dataminr Corporate, Talon.

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


January 2023

Public Preview - Cross-tenant synchronization

Type: New feature
Service category: Provisioning
Product capability: Collaboration

Cross-tenant synchronization allows you to set up a scalable and automated solution for users to access applications across tenants in your organization. It builds upon the Azure AD B2B functionality and automates creating, updating, and deleting B2B users. For more information, see: What is cross-tenant synchronization? (preview).


General Availability - Apple Watch companion app removed from Authenticator for iOS

Type: Deprecated
Service category: Identity Protection
Product capability: Identity Security & Protection

In the January 2023 release of Authenticator for iOS, there's no companion app for watchOS due to it being incompatible with Authenticator security features, meaning you aren't able to install or use Authenticator on Apple Watch. This change only impacts Apple Watch, so you can still use Authenticator on your other devices. For more information, see: Common questions about the Microsoft Authenticator app.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2023 we've added the following 10 new applications in our App gallery with Federation support:

MINT TMS, Exterro Legal GRC Software Platform, SIX.ONE Identity Access Manager, Lusha, Descartes, Travel Management System, Pinpoint (SAML), my.sdworx.com, itopia Labs, Better Stack.

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public Preview - Azure AD cloud sync new user experience

Type: Changed feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Governance

Try out the new guided experience for syncing objects from AD to Azure AD using Azure AD Cloud Sync in Azure portal. With this new experience, Hybrid Identity Administrators can easily determine which sync engine to use for their scenarios and learn more about the various options they have with our sync solutions. With a rich set of tutorials and videos, customers are able to learn everything about Azure AD cloud sync in one single place.

This experience walks administrators through the steps involved in setting up a cloud sync configuration and gives them an intuitive way to manage it afterwards. Admins can also get insights into their sync configuration by using the "Insights" option, which integrates with Azure Monitor and Workbooks.

For more information, see:


Public Preview - Support for Directory Extensions using Azure AD cloud sync

Type: New feature
Service category: Provisioning
Product capability: Azure AD Connect Cloud Sync

Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience.

For more information on how to enable this feature, see: Cloud Sync directory extensions and custom attribute mapping


December 2022

Public Preview - Windows 10+ Troubleshooter for Diagnostic Logs

Type: New feature
Service category: Audit
Product capability: Monitoring & Reporting

This feature analyzes uploaded client-side logs, also known as diagnostic logs, from a Windows 10+ device that is having issues and suggests remediation steps. Admins can work with the end user to collect client-side logs, and then upload them to this troubleshooter in the Entra portal. For more information, see: Troubleshooting Windows devices in Azure AD.


General Availability - Multiple Password-less Phone Sign-ins for iOS Devices

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

End users can now enable password-less phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use password-less phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-ins from one device.

End users aren't required to enable the optional telemetry setting in the Authenticator App. For more information, see: Enable passwordless sign-in with Microsoft Authenticator.


Public Preview (refresh) - Updates to Conditional Access templates

Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. In total, there are 14 Conditional Access policy templates, filtered by five different scenarios: secure foundation, zero trust, remote work, protect administrators, and emerging threats.

In this Public Preview refresh, we've enhanced the user experience with an updated design and added four new improvements:

  • Admins can create a Conditional Access policy by importing a JSON file.
  • Admins can duplicate existing policy.
  • Admins can view more detailed policy information.
  • Admins can query templates programmatically via MSGraph API.

For more information, see: Conditional Access templates (Preview).
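Since the refresh lets admins create a policy by importing a JSON file, here is an added example (not code from the page or from Microsoft) that builds a "require MFA for all users" policy and lints it before import. It assumes the import format is the Microsoft Graph `conditionalAccessPolicy` JSON shape; the excluded account id is a constructed placeholder for an emergency-access account, and the `lint_policy` checks are this example's own.

```python
import json

# Constructed placeholder for an emergency-access (break-glass) account object id.
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"

VALID_STATES = ("enabled", "disabled", "enabledForReportingButNotEnforced")


def build_require_mfa_policy(display_name: str, excluded_users: list, report_only: bool = True) -> dict:
    """Build a 'require MFA for all users' policy in the Microsoft Graph
    conditionalAccessPolicy shape (assumed here to be the JSON import format)."""
    return {
        "displayName": display_name,
        # Report-only first: the policy is evaluated and logged but not enforced.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy: dict) -> list:
    """Checks worth running on any policy file before importing it. Returns a
    list of problems; an empty list means the file passed."""
    problems = []
    for key in ("displayName", "state", "conditions", "grantControls"):
        if key not in policy:
            problems.append(f"missing '{key}'")
    if policy.get("state") not in VALID_STATES:
        problems.append(f"unknown state {policy.get('state')!r}")
    users = policy.get("conditions", {}).get("users", {})
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        # Targeting every account with no exclusion is how admins lock themselves out.
        problems.append("targets all users but excludes no emergency-access account")
    grant = policy.get("grantControls") or {}
    if not grant.get("builtInControls") and not grant.get("authenticationStrength"):
        problems.append("no grant control defined")
    return problems


def to_import_file(policy: dict) -> str:
    """Serialize the policy as the JSON document an admin would import."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_require_mfa_policy("Require MFA for all users", [BREAK_GLASS_ID])
    print(to_import_file(policy))
    print("lint:", lint_policy(policy) or "ok")
```

Starting in report-only state and keeping the emergency-access exclusion are the two habits the lint enforces; both are cheap to check in a file and expensive to discover after an import.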


Public Preview - Admins can restrict their users from creating tenants

Type: New feature
Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings option allows admins to restrict their users from being able to create new tenants. There's also a new Tenant Creator role to allow specific users to create tenants. For more information, see Default user permissions.


General availability - Consolidated App launcher (My Apps) settings and new preview settings

Type: New feature
Service category: My Apps
Product capability: End User Experiences

We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: End-user experiences for applications.


Public preview - Converged Authentication Methods Policy

Type: New feature
Service category: MFA
Product capability: User Authentication

The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy. You can migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant. For more information, see: Manage authentication methods for Azure AD.


General Availability - Administrative unit support for devices

Type: New feature
Service category: Directory Management
Product capability: AuthZ/Access Delegation

You can now use administrative units to delegate management of specified devices in your tenant by adding devices to an administrative unit. You're also able to assign built-in, and custom device management roles, scoped to that administrative unit. For more information, see: Device management.


Public Preview - Frontline workers using shared devices can now use Microsoft Edge and Yammer apps on Android

Type: New feature
Service category: N/A
Product capability: SSO

Companies often provide frontline workers with mobile devices that are shared between shifts. Microsoft’s shared device mode allows frontline workers to easily authenticate by automatically signing users in and out of all the apps that have enabled this feature. In addition to Microsoft Teams and Managed Home Screen being generally available, we're excited to announce that Microsoft Edge and Yammer apps on Android are now in Public Preview.

For more information on deploying frontline solutions, see: frontline deployment documentation.

For more information on shared-device mode, see: Azure Active Directory Shared Device Mode documentation.

For steps to set up shared device mode with Intune, see: Intune setup blog.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


General Availability - On-premises application provisioning

Type: Changed feature
Service category: Provisioning
Product capability: Outbound to On-premises Applications

Azure AD supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports SCIM, or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to directly connect with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an LDAP user store, or a SQL database, Azure AD can support those as well.
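To show what a SCIM gateway in front of a legacy application has to handle, here is an added example (not from the page and not the Azure AD provisioning agent's own code): a minimal in-memory SCIM 2.0 `/Users` endpoint in Python. The legacy user store is just a dict, and the request sequence it supports is the one a provisioning client issues: look-up by `userName`, create, PATCH `active` to false for deactivation, and DELETE for removal.

```python
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


class ScimGateway:
    """In-memory stand-in for a SCIM 2.0 /Users endpoint fronting a legacy user store."""

    def __init__(self):
        self.users = {}  # SCIM id -> user resource (the 'legacy store')

    def handle(self, method, path, body=None):
        """Route one request. Returns (HTTP status, response body or None)."""
        m = re.fullmatch(r"/Users(?:/([^/?]+))?(?:\?filter=(.+))?", path)
        if not m:
            return 404, None
        user_id, flt = m.group(1), m.group(2)
        if method == "GET" and user_id is None:
            return self._list(flt)
        if method == "POST" and user_id is None:
            return self._create(body)
        if method == "GET" and user_id in self.users:
            return 200, self.users[user_id]
        if method == "PATCH" and user_id in self.users:
            return self._patch(user_id, body)
        if method == "DELETE" and user_id in self.users:
            del self.users[user_id]
            return 204, None
        return 404, None

    def _list(self, flt):
        # The provisioning client looks a user up by userName before deciding between
        # create and update; only that equality filter is supported here.
        results = list(self.users.values())
        if flt:
            fm = re.fullmatch(r'userName eq "([^"]+)"', flt)
            if not fm:
                return 400, {"detail": "unsupported filter"}
            results = [u for u in results if u["userName"].lower() == fm.group(1).lower()]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(results), "Resources": results}

    def _create(self, body):
        name = (body or {}).get("userName")
        if not name:
            return 400, {"detail": "userName is required"}
        if any(u["userName"].lower() == name.lower() for u in self.users.values()):
            return 409, {"detail": "userName already exists"}  # uniqueness conflict, RFC 7644
        user = {
            "schemas": [SCIM_USER],
            "id": str(uuid.uuid4()),
            "userName": name,
            "externalId": body.get("externalId"),
            "active": bool(body.get("active", True)),
            "meta": {"resourceType": "User"},
        }
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user_id, body):
        user = self.users[user_id]
        for op in (body or {}).get("Operations", []):
            kind = op.get("op", "").lower()  # accept "Replace" as well as "replace"
            path, value = op.get("path"), op.get("value")
            if kind in ("add", "replace") and path:
                user[path] = self._coerce(path, value)
            elif kind in ("add", "replace") and isinstance(value, dict):
                for key, val in value.items():  # replace without a path: value is an object
                    user[key] = self._coerce(key, val)
            elif kind == "remove" and path:
                user.pop(path, None)
        return 200, user

    @staticmethod
    def _coerce(path, value):
        # Some clients send booleans as strings ("False"); normalise the 'active' flag.
        if path == "active" and isinstance(value, str):
            return value.strip().lower() == "true"
        return value
```

Deprovisioning arrives as a PATCH that sets `active` to false, with a DELETE only later, so the gateway must map `active=false` onto whatever "disabled" means in the legacy store (a flag in SQL, an LDAP attribute) rather than treating it as a removal; the example also tolerates the capitalised `op` values and string-typed booleans that real clients send.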


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In December 2022 we've added the following 44 new applications in our App gallery with Federation support:

Bionexo IDM, SMART Meeting Pro, Venafi Control Plane – Datacenter, HighQ, Drawboard PDF, ETU Skillsims, TencentCloud IDaaS, TeamHeadquarters Email Agent OAuth, Verizon MDM, QRadar SOAR, Tripwire Enterprise, Cisco Unified Communications Manager, Howspace, Flipsnack SAML, Albert, Altinget.no, Coveo Hosted Services, Cybozu(cybozu.com), BombBomb, VMware Identity Service, HexaSync, Trifecta Teams, VerosoftDesign, Mazepay, Wistia, Begin.AI, WebCE, Dream Broker Studio, PKSHA Chatbot, PGM-BCP, ChartDesk SSO, Elsevier SP, GreenCommerce IdentityServer, Fullview, Aqua Platform, SpedTrack, Pinpoint, Darzin Outlook Add-in, Simply Stakeholders Outlook Add-in, tesma, Parkable, Unite Us

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest.


ADAL End of Support Announcement

Type: N/A
Service category: Other
Product capability: Developer Experience

As part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, we'll end support for the Azure Active Directory Authentication Library (ADAL). The final deadline to migrate your applications to the Microsoft Authentication Library (MSAL) has been extended to June 30, 2023.

Why are we doing this?

As we consolidate and evolve the Microsoft Identity platform, we're also investing in making significant improvements to the developer experience and service features that make it possible to build secure, robust and resilient applications. To make these features available to our customers, we needed to update the architecture of our software development kits. As a result of this change, we’ve decided that the path forward requires us to sunset the Azure Active Directory Authentication Library. This allows us to focus our developer experience investments on the Microsoft Authentication Library.

What happens?

We recognize that changing libraries isn't an easy task, and can't be accomplished quickly. We're committed to helping customers plan their migrations to Microsoft Authentication Library and execute them with minimal disruption.

  • In June 2020, we announced the 2-year end of support timeline for ADAL.
  • In December 2022, we’ve decided to extend the Azure Active Directory Authentication Library end of support to June 2023.
  • Through the next six months (January 2023 – June 2023) we continue informing customers about the upcoming end of support along with providing guidance on migration.
  • In June 2023, we'll officially sunset the Azure Active Directory Authentication Library, removing library documentation and archiving all GitHub repositories related to the project.

How to find out which applications in my tenant are using Azure Active Directory Authentication Library?

Refer to our post on Microsoft Q&A for details on identifying Azure Active Directory Authentication Library apps with the help of Azure Workbooks.
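As an added example (not code from the page or from Microsoft), here is the same kind of inventory done in Python over sign-in log records instead of a Workbook. It assumes the library is reported in each record's `authenticationProcessingDetails` under the key "Azure AD App Authentication Library" with a value of the form "Family: ADAL Library: ... Platform: ..."; that key and format are an assumption, and the records themselves are constructed.

```python
import re

# Key under which the sign-in log's authenticationProcessingDetails is assumed to
# report the client library (an assumption of this example, not stated on the page).
LIB_KEY = "Azure AD App Authentication Library"
LIB_RE = re.compile(
    r"Family:\s*(?P<family>\S+)\s+Library:\s*(?P<library>.+?)\s+Platform:\s*(?P<platform>.+)")

# Constructed sign-in records (not real tenant data), trimmed to the fields used here.
SIGNIN_LOGS = [
    {"appId": "app-payroll", "appDisplayName": "Payroll Portal", "userPrincipalName": "alice@contoso.example",
     "authenticationProcessingDetails": [
         {"key": LIB_KEY, "value": "Family: ADAL Library: ADAL.NET 5.2.9 Platform: .NET"}]},
    {"appId": "app-payroll", "appDisplayName": "Payroll Portal", "userPrincipalName": "bob@contoso.example",
     "authenticationProcessingDetails": [
         {"key": LIB_KEY, "value": "Family: ADAL Library: ADAL.NET 5.2.9 Platform: .NET"}]},
    {"appId": "app-inventory", "appDisplayName": "Inventory", "userPrincipalName": "carol@contoso.example",
     "authenticationProcessingDetails": [
         {"key": LIB_KEY, "value": "Family: MSAL Library: MSAL.Python 1.20.0 Platform: Python"}]},
    {"appId": "app-legacy", "appDisplayName": "Legacy Tool", "userPrincipalName": "dave@contoso.example",
     "authenticationProcessingDetails": []},  # library not reported at all
]


def parse_library(record: dict):
    """Return {'family', 'library', 'platform'} for one sign-in, or None if not reported."""
    for detail in record.get("authenticationProcessingDetails", []):
        if detail.get("key") == LIB_KEY:
            m = LIB_RE.match(detail.get("value", ""))
            if m:
                return m.groupdict()
    return None


def find_adal_apps(records: list) -> dict:
    """Aggregate ADAL sign-ins per application: which library builds are in use,
    how many sign-ins, and how many distinct users depend on the app."""
    apps = {}
    for rec in records:
        lib = parse_library(rec)
        if lib is None or lib["family"].upper() != "ADAL":
            continue
        entry = apps.setdefault(rec["appId"], {
            "app": rec.get("appDisplayName"), "libraries": set(), "signins": 0, "users": set()})
        entry["libraries"].add(lib["library"])
        entry["signins"] += 1
        entry["users"].add(rec.get("userPrincipalName"))
    return apps


if __name__ == "__main__":
    ranked = sorted(find_adal_apps(SIGNIN_LOGS).items(), key=lambda kv: -kv[1]["signins"])
    for app_id, info in ranked:
        print(f"{info['app']} ({app_id}): {info['signins']} sign-ins, "
              f"{len(info['users'])} users, libraries={sorted(info['libraries'])}")
```

Ranking by sign-in and user count is what turns the inventory into a migration order: the apps with the most dependants are the ones whose ADAL builds will hurt most once the library stops receiving security releases.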

If I’m using Azure Active Directory Authentication Library, what can I expect after the deadline?

  • There will be no new releases (security or otherwise) to the library after June 2023.
  • We won't accept any incident reports or support requests for the Azure Active Directory Authentication Library. Support for migrating from the Azure Active Directory Authentication Library to the Microsoft Authentication Library will continue.
  • The underpinning services continue working and applications that depend on Azure Active Directory Authentication Library should continue working. Applications, and the resources they access, are at increased security and reliability risk due to not having the latest updates, service configuration, and enhancements made available through the Microsoft Identity platform.

What features can I only access with Microsoft Authentication Library?

The number of features and capabilities that we're adding to the Microsoft Authentication Library libraries is growing weekly. Some of them include:

  • Support for Microsoft accounts (MSA)
  • Support for Azure AD B2C accounts
  • Handling throttling
  • Proactive token refresh and token revocation based on policy or critical events for Microsoft Graph and other APIs that support Continuous Access Evaluation (CAE)
  • Auth broker support with device-based conditional access policies
  • Azure AD hardware-based certificate authentication (CBA) on mobile
  • System browsers on mobile devices

And more. For an up-to-date list, refer to our migration guide.

How to migrate?

To make the migration process easier, we published a comprehensive guide that documents the migration paths across different platforms and programming languages.

In addition to the Azure Active Directory Authentication Library to Microsoft Authentication Library update, we recommend migrating from Azure AD Graph API to Microsoft Graph. This change enables you to take advantage of the latest additions and enhancements, such as CAE, across the Microsoft service offering through a single, unified endpoint. You can read more in our Migrate your apps from Azure AD Graph to Microsoft Graph guide. You can post any questions to Microsoft Q&A or Stack Overflow.
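To illustrate what the migration looks like in code, here is an added example (not from the page, the migration guide, or either library's own documentation) showing the client-credentials flow written against ADAL and then against MSAL in Python. The tenant id, client id and secret are placeholders, the two library calls are made lazily so the module loads without either package installed, and the resource-to-scope mapping is the part that actually changes between the two.

```python
import importlib

AUTHORITY = "https://login.microsoftonline.com/{tenant}"


def resource_to_default_scope(resource: str) -> str:
    """ADAL asked for a token for a resource URI; MSAL asks for scopes. The
    '<resource>/.default' scope requests every permission the app already has
    consent for on that resource, which is the direct equivalent for the
    client-credentials flow."""
    return resource.rstrip("/") + "/.default"


def acquire_app_token_adal(tenant_id, client_id, client_secret, resource):
    """Legacy pattern being retired (kept for contrast). Needs the 'adal' package."""
    adal = importlib.import_module("adal")  # lazy import: not needed to load this module
    context = adal.AuthenticationContext(AUTHORITY.format(tenant=tenant_id))
    token = context.acquire_token_with_client_credentials(resource, client_id, client_secret)
    return token["accessToken"]


class MsalAppTokenProvider:
    """Replacement pattern. The ConfidentialClientApplication is built once, because
    its token cache lives on the object; each call tries the cache before the network."""

    def __init__(self, tenant_id, client_id, client_secret):
        msal = importlib.import_module("msal")  # lazy import for the same reason
        self._app = msal.ConfidentialClientApplication(
            client_id,
            authority=AUTHORITY.format(tenant=tenant_id),
            client_credential=client_secret,
        )

    def get_token(self, resource: str) -> str:
        scopes = [resource_to_default_scope(resource)]
        result = self._app.acquire_token_silent(scopes, account=None)
        if not result:
            result = self._app.acquire_token_for_client(scopes=scopes)
        if "access_token" not in result:
            # MSAL reports failures in the result dict rather than by raising.
            raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")
        return result["access_token"]


if __name__ == "__main__":
    # Placeholder values; a real run needs a registered app and network access.
    provider = MsalAppTokenProvider("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    print("scope requested:", resource_to_default_scope("https://graph.microsoft.com"))
    print(provider.get_token("https://graph.microsoft.com")[:16], "...")
```

The behavioural difference worth noticing is the cache: ADAL code typically called `acquire_token_with_client_credentials` on every request, whereas MSAL expects the application object to be long-lived so that `acquire_token_silent` can serve cached tokens and honour the refresh and revocation signals the page lists.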