What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us into your feed reader.

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Azure Active Directory.

January 2023

Public Preview - Cross-tenant synchronization

Type: New feature
Service category: Provisioning
Product capability: Collaboration

Cross-tenant synchronization allows you to set up a scalable and automated solution for users to access applications across tenants in your organization. It builds upon the Azure AD B2B functionality and automates creating, updating, and deleting B2B users. For more information, see: What is cross-tenant synchronization? (preview).


Public Preview - Devices Blade Self-Help Capability for Pending Devices

Type: New feature
Service category: Device Access Management
Product capability: End User Experiences

In the All Devices blade under the registered column, you can now select any pending devices you have, and it will open a context pane to help troubleshoot why the device may be pending. You can also offer feedback on if the summarized information is helpful or not. For more information, see: Pending devices in Azure Active Directory.


General Availability - Apple Watch companion app removed from Authenticator for iOS

Type: Deprecated
Service category: Identity Protection
Product capability: Identity Security & Protection

In the January 2023 release of Authenticator for iOS, the companion app for watchOS is removed because it is incompatible with Authenticator security features. This means you won't be able to install or use Authenticator on Apple Watch. This change only affects Apple Watch, so you'll still be able to use Authenticator on your other devices. For more information, see: Common questions about the Microsoft Authenticator app.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2023 we've added the following 10 new applications in our App gallery with Federation support:

MINT TMS, Exterro Legal GRC Software Platform, SIX.ONE Identity Access Manager, Lusha, Descartes, Travel Management System, Pinpoint (SAML), my.sdworx.com, itopia Labs, Better Stack.

You can also find the documentation for all the applications at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at https://aka.ms/AzureADAppRequest.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public Preview - Azure AD cloud sync new user experience

Type: Changed feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Governance

Try out the new guided experience for syncing objects from AD to Azure AD using Azure AD Cloud Sync in Azure Portal. With this new experience, Hybrid Identity Administrators can easily determine which sync engine to use for their scenarios and learn more about the various options they have with our sync solutions. With a rich set of tutorials and videos, customers will be able to learn everything about Azure AD cloud sync in one single place.

This experience will also help administrators walk through the different steps involved in setting up a cloud sync configuration as well as an intuitive experience to help them easily manage it. Admins can also get insights into their sync configuration by using the "Insights" option which is integrated with Azure Monitor and Workbooks.

For more information, see:


Public Preview - Support for Directory Extensions using Azure AD cloud sync

Type: New feature
Service category: Provisioning
Product capability: AAD Connect Cloud Sync

Hybrid IT admins can now sync both Active Directory and Azure AD directory extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to simply map the needed attributes using Cloud Sync's attribute mapping experience.

For more details on how to enable this feature, see: Cloud Sync directory extensions and custom attribute mapping.


December 2022

Public Preview - Windows 10+ Troubleshooter for Diagnostic Logs

Type: New feature
Service category: Audit
Product capability: Monitoring & Reporting

This feature analyzes uploaded client-side logs, also known as diagnostic logs, from a Windows 10+ device that is having one or more issues and suggests remediation steps to resolve them. Admins can work with the end user to collect client-side logs, and then upload them to this troubleshooter in the Entra Portal. For more information, see: Troubleshooting Windows devices in Azure AD.


General Availability - Multiple Password-less Phone Sign-in for iOS Devices

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

End users can now enable password-less phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use password-less phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in the same tenant or different tenants. Guest accounts are not supported for multiple account sign-in from one device.

End users are not required to enable the optional telemetry setting in the Authenticator App. For more information, see: Enable passwordless sign-in with Microsoft Authenticator.


Public Preview (refresh) - Updates to Conditional Access templates

Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. In total, there are 14 Conditional Access policy templates, filtered by five different scenarios: secure foundation, zero trust, remote work, protect administrators, and emerging threats.

In this Public Preview refresh, we have enhanced the user experience with an updated design and added four new improvements:

  • Admins can create a Conditional Access policy by importing a JSON file.
  • Admins can duplicate an existing policy.
  • Admins can view more detailed policy information.
  • Admins can query templates programmatically via MSGraph API.

For more information, see: Conditional Access templates (Preview).


Public Preview - Admins can restrict their users from creating tenants

Type: New feature
Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings blade allows admins to restrict their users from being able to create new tenants. There is also a new Tenant Creator role to allow specific users to create tenants. For more information, see Default user permissions.


General availability - Consolidated App launcher (My Apps) settings and new preview settings

Type: New feature
Service category: My Apps
Product capability: End User Experiences

We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections blade by selecting App launchers. In addition, we have added a new App launchers Settings blade. This blade has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings blade also has controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature is turned on for your organization, and will be reflected in the My Apps portal and other app launchers for all of your users. To learn more about the preview settings, see: End-user experiences for applications.


Public preview - Converged Authentication Methods Policy

Type: New feature
Service category: MFA
Product capability: User Authentication

The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant. For more information, see: Manage authentication methods for Azure AD.


General Availability - Administrative unit support for devices

Type: New feature
Service category: Directory Management
Product capability: AuthZ/Access Delegation

You can now use administrative units to delegate management of specified devices in your tenant by adding devices to an administrative unit, and assigning built-in and custom device management roles scoped to that administrative unit. For more information, see: Device management.


Public Preview - Frontline workers using shared devices can now use Edge and Yammer apps on Android

Type: New feature
Service category: N/A
Product capability: SSO

Companies often provide mobile devices to frontline workers that need to be shared between shifts. Microsoft’s shared device mode allows frontline workers to easily authenticate by automatically signing users in and out of all the apps that have enabled this feature. In addition to Microsoft Teams and Managed Home Screen being generally available, we are excited to announce that Edge and Yammer apps on Android are now in Public Preview.

For further guidance on deploying frontline solutions, see: frontline deployment documentation.

For more information on shared-device mode, see: Azure Active Directory Shared Device Mode documentation.

For steps to set up shared device mode with Intune, see: Intune setup blog.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


General Availability - On-premises application provisioning

Type: Changed feature
Service category: Provisioning
Product capability: Outbound to On-premises Applications

Azure AD supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports SCIM, or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to directly connect with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an LDAP user store, or a SQL database, Azure AD can support those as well.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In December 2022 we have added the following 44 new applications in our App gallery with Federation support:

Bionexo IDM, SMART Meeting Pro, Venafi Control Plane – Datacenter, HighQ, Drawboard PDF, ETU Skillsims, TencentCloud IDaaS, TeamHeadquarters Email Agent OAuth, Verizon MDM, QRadar SOAR, Tripwire Enterprise, Cisco Unified Communications Manager, Howspace, Flipsnack SAML, Albert, Altinget.no, Coveo Hosted Services, Cybozu(cybozu.com), BombBomb, VMware Identity Service, Cimmaron Exchange Sync - Delegated, HexaSync, Trifecta Teams, VerosoftDesign, Mazepay, Wistia, Begin.AI, WebCE, Dream Broker Studio, PKSHA Chatbot, PGM-BCP, ChartDesk SSO, Elsevier SP, GreenCommerce IdentityServer, Fullview, Aqua Platform, SpedTrack, Pinpoint, Darzin Outlook Add-in, Simply Stakeholders Outlook Add-in, tesma, Parkable, Unite Us

You can also find the documentation for all the applications at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at https://aka.ms/AzureADAppRequest.


ADAL End of Support Announcement

Type: N/A
Service category: Other
Product capability: Developer Experience

As part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, we will end support for the Azure Active Directory Authentication Library (ADAL). The final deadline to migrate your applications to Microsoft Authentication Library (MSAL) has been extended to June 30, 2023.

Why are we doing this?

As we consolidate and evolve the Microsoft Identity platform, we are also investing in making significant improvements to the developer experience and service features that make it possible to build secure, robust and resilient applications. To make these features available to our customers we needed to update the architecture of our software development kits. As a result of this change, we’ve decided that the path forward requires us to sunset ADAL so that we can focus on developer experience investments with MSAL.

What happens?

We recognize that changing libraries is not an easy task, and cannot be accomplished quickly. We are committed to helping customers plan their migrations to MSAL as well as execute them with minimal disruption.

  • In June 2020 we announced the 2-year end of support timeline for ADAL.
  • In December 2022 we’ve decided to extend the ADAL end of support to June 2023.
  • Through the next six months (January 2023 – June 2023) we will continue informing customers about the upcoming end of support along with providing guidance on migration.
  • In June 2023 we will officially sunset ADAL, removing library documentation and archiving all GitHub repositories related to the project.

How to find out which applications in my tenant are using ADAL?

Refer to our post on Microsoft Q&A for details on identifying ADAL apps with the help of Azure Workbooks.

If I’m using ADAL, what can I expect after the deadline?

  • There will be no new releases (security or otherwise) to the library after June 2023.
  • We will not be accepting any incident reports or support requests for ADAL. ADAL to MSAL migration support would continue.
  • The underpinning services will continue working and applications that depend on ADAL should continue working; however, applications and the resources they access will be at increased security and reliability risk due to not having the latest updates, service configuration, and enhancements made available through the Microsoft Identity platform.

What features can I only access with MSAL?

The number of features and capabilities that we are adding to MSAL libraries are growing weekly. Some of them include:

  • Support for Microsoft accounts (MSA)
  • Support for Azure AD B2C accounts
  • Handling throttling
  • Proactive token refresh and token revocation based on policy or critical events for Microsoft Graph and other APIs that support Continuous Access Evaluation (CAE)
  • Auth broker support with device-based conditional access policies
  • Azure AD hardware-based certificate authentication (CBA) on mobile
  • System browsers on mobile devices

And more. For an up-to-date list, refer to our migration guide.

How to migrate?

To make the migration process easier we published a comprehensive guide that documents the migration paths across different platforms and programming languages.

In addition to the ADAL to MSAL update, we recommend migrating from Azure AD Graph API to Microsoft Graph. This change will enable you to take advantage of the latest additions and enhancements, such as CAE, across the Microsoft service offering through a single, unified endpoint. You can read more in our Migrate your apps from Azure AD Graph to Microsoft Graph guide. Any questions can be posted to Microsoft Q&A or Stack Overflow.


November 2022

General Availability - Use Web Sign-in on Windows for password-less recovery with Temporary Access Pass

Type: Changed feature
Service category: N/A
Product capability: User Authentication

For users who don't know or use a password, the Temporary Access Pass can now be used to recover Azure AD-joined PCs when the EnableWebSignIn policy is enabled on the device. For more information, see: Authentication/EnableWebSignIn.


Public Preview - Workload Identity Federation for Managed Identities

Type: New feature
Service category: Managed identities for Azure resources
Product capability: Developer Experience

Developers can now use managed identities for their software workloads running anywhere, and for accessing Azure resources, without needing secrets. Key scenarios include:

  • Accessing Azure resources from Kubernetes pods running on-premises or in any cloud.
  • GitHub workflows to deploy to Azure, no secrets necessary.
  • Accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud.

For more information, see:


General Availability - Authenticator on iOS is FIPS 140 compliant

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator version 6.6.8 and higher on iOS will be FIPS 140 compliant for all Azure AD authentications using push multi-factor authentications (MFA), Password-less Phone Sign-In (PSI), and time-based one-time pass-codes (TOTP). No changes in configuration are required in the Authenticator app or Azure portal to enable this capability. For more information, see: FIPS 140 compliant for Azure AD authentication.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2022, we've added the following 22 new applications in our App gallery with Federation support:

Adstream, Databook, Ecospend IAM, Digital Pigeon, Drawboard Projects, Vellum, Veracity, Microsoft OneNote to Bloomberg Note Sync, DX NetOps Portal, itslearning Outlook integration, Tranxfer, Occupop, Nialli Workspace, Tideways, SOWELL, Prewise Learning, CAPTOR for Intune, wayCloud Platform, Nura Space Meeting Room, Flexopus Exchange Integration, Ren Systems, Nudge Security

You can also find the documentation for all the applications at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at https://aka.ms/AzureADAppRequest.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public Preview - Dynamic Group pause functionality

Type: New feature
Service category: Group Management
Product capability: Directory

Admins can now pause, and resume, the processing of individual dynamic groups in the Entra Admin Center. For more information, see: Create or update a dynamic group in Azure Active Directory.


Public Preview - Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Update the Azure AD and Microsoft 365 sign-in experience with new company branding capabilities. You can apply your company’s brand guidance to authentication experiences with pre-defined templates. For more information, see: Configure your company branding.


Type: New feature
Service category: Directory Management
Product capability: Directory

Update the company branding functionality on the Azure AD/Microsoft 365 sign-in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks, and the browser icon. For more information, see: Configure your company branding.


General Availability - Soft Delete for Administrative Units

Type: New feature
Service category: Directory Management
Product capability: Directory

Administrative Units now support soft deletion. Admins can now list, view properties of, or restore deleted Administrative Units using the Microsoft Graph. This functionality restores all configuration for the Administrative Unit when restored from soft delete, including memberships, admin roles, processing rules, and processing rules state.

This functionality greatly enhances recoverability and resilience when using Administrative Units. Now, when an Administrative Unit is accidentally deleted, it can be restored quickly to the same state it was in at the time of deletion, removing uncertainty around how things were configured and making restoration quick and easy. For more information, see: List deletedItems (directory objects).


Public Preview - IPv6 coming to Azure AD

Type: Plan for change
Service category: Identity Protection
Product capability: Platform

With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and networks. Today, we’re excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD). This will allow customers to reach the Azure AD services over both IPv4 and IPv6 network protocols (dual stack). For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to de-prioritize IPv4 in any Azure Active Directory features or services. We'll begin introducing IPv6 support into Azure AD services in a phased approach, beginning March 31, 2023. We have guidance below which is specifically for Azure AD customers who use IPv6 addresses and also use Named Locations in their Conditional Access policies.

Customers who use named locations to identify specific network boundaries in their organization need to:

  1. Conduct an audit of existing named locations to anticipate potential impact.
  2. Work with your network partner to identify egress IPv6 addresses in use in your environment.
  3. Review and update existing named locations to include the identified IPv6 ranges.

Customers who use Conditional Access location based policies to restrict and secure access to their apps from specific networks need to:

  1. Conduct an audit of existing Conditional Access policies to identify use of named locations as a condition to anticipate potential impact.
  2. Review and update existing Conditional Access location based policies to ensure they continue to meet your organization’s security requirements.

We'll continue to share additional guidance on IPv6 enablement in Azure AD at this easy to remember link https://aka.ms/azureadipv6.
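The two checklists above (audit named locations for missing IPv6 ranges, then audit Conditional Access policies that depend on them) can be run offline against exported Graph JSON. The script below is an added example, not Microsoft's code; it assumes the JSON shapes returned by the Microsoft Graph namedLocations and conditionalAccess policies endpoints, and the sample export, ids and address ranges are constructed placeholders.

```python
"""Audit exported named locations and Conditional Access policies for IPv6
readiness: flag IP-based named locations with no IPv6 range, then flag the
policies whose location condition relies on those locations.

Added example, not Microsoft's code. Input shapes follow Microsoft Graph
ipNamedLocation / conditionalAccessPolicy objects (assumption); the sample
data at the bottom is constructed with placeholder ids and ranges.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

ALL_TRUSTED = "AllTrusted"  # Graph sentinel for "all trusted named locations"


@dataclass
class LocationStatus:
    location_id: str
    display_name: str
    is_trusted: bool
    ipv4_ranges: list[str] = field(default_factory=list)
    ipv6_ranges: list[str] = field(default_factory=list)

    @property
    def ipv4_only(self) -> bool:
        # A location that lists only IPv4 ranges will not match IPv6 clients.
        return bool(self.ipv4_ranges) and not self.ipv6_ranges


def audit_named_locations(named_locations: list[dict]) -> dict[str, LocationStatus]:
    """Classify each IP-based named location by the IP versions it covers.

    Country/region named locations carry no CIDR ranges and are skipped. The
    address family comes from the CIDR itself, not from @odata.type, so a
    mislabelled export is still classified correctly.
    """
    result: dict[str, LocationStatus] = {}
    for loc in named_locations:
        if loc.get("@odata.type") != "#microsoft.graph.ipNamedLocation":
            continue
        status = LocationStatus(loc["id"], loc.get("displayName", ""), bool(loc.get("isTrusted")))
        for rng in loc.get("ipRanges", []):
            network = ipaddress.ip_network(rng["cidrAddress"], strict=False)
            target = status.ipv4_ranges if network.version == 4 else status.ipv6_ranges
            target.append(str(network))
        result[status.location_id] = status
    return result


def policies_affected(policies: list[dict], locations: dict[str, LocationStatus]) -> dict[str, list[str]]:
    """Map each policy name to the IPv4-only named locations its location
    condition depends on, referenced directly by id or via AllTrusted."""
    ipv4_only = {lid for lid, s in locations.items() if s.ipv4_only}
    trusted_ipv4_only = sorted(lid for lid in ipv4_only if locations[lid].is_trusted)
    affected: dict[str, list[str]] = {}
    for policy in policies:
        locs = (policy.get("conditions") or {}).get("locations") or {}
        referenced = list(locs.get("includeLocations") or []) + list(locs.get("excludeLocations") or [])
        hits: set[str] = set()
        for ref in referenced:
            if ref == ALL_TRUSTED:
                hits.update(trusted_ipv4_only)
            elif ref in ipv4_only:
                hits.add(ref)
        if hits:
            affected[policy.get("displayName") or policy.get("id", "?")] = sorted(hits)
    return affected


# Constructed sample export (placeholder ids; documentation address ranges).
SAMPLE_NAMED_LOCATIONS = [
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "id": "loc-hq", "displayName": "HQ egress",
     "isTrusted": True,
     "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"}]},
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "id": "loc-branch", "displayName": "Branch (dual stack)",
     "isTrusted": True,
     "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "198.51.100.0/24"},
                  {"@odata.type": "#microsoft.graph.iPv6CidrRange", "cidrAddress": "2001:db8:1::/48"}]},
    {"@odata.type": "#microsoft.graph.countryNamedLocation", "id": "loc-country",
     "displayName": "Allowed countries", "countriesAndRegions": ["US"]},
]
SAMPLE_POLICIES = [
    {"id": "pol-1", "displayName": "Block outside trusted networks",
     "conditions": {"locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}}},
    {"id": "pol-2", "displayName": "MFA except HQ",
     "conditions": {"locations": {"includeLocations": ["All"], "excludeLocations": ["loc-hq"]}}},
    {"id": "pol-3", "displayName": "Require compliant device", "conditions": {"locations": None}},
    {"id": "pol-4", "displayName": "Branch only",
     "conditions": {"locations": {"includeLocations": ["loc-branch"], "excludeLocations": []}}},
]

if __name__ == "__main__":
    statuses = audit_named_locations(SAMPLE_NAMED_LOCATIONS)
    for s in statuses.values():
        flag = "  <- add IPv6 egress ranges" if s.ipv4_only else ""
        print(f"{s.display_name}: v4={len(s.ipv4_ranges)} v6={len(s.ipv6_ranges)}{flag}")
    for name, deps in policies_affected(SAMPLE_POLICIES, statuses).items():
        print(f"policy '{name}' depends on IPv4-only locations: {deps}")
```

Replace the sample lists with the JSON from your own tenant export; a policy that appears in the output will stop matching IPv6 clients as expected until the listed locations gain IPv6 ranges.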


October 2022

General Availability - Upgrade Azure AD Provisioning agent to the latest version (version number: 1.1.977.0)

Type: Plan for change
Service category: Provisioning
Product capability: AAD Connect Cloud Sync

Microsoft will stop support for the Azure AD provisioning agent with versions 1.1.818.0 and below starting February 1, 2023. If you're using Azure AD cloud sync, please make sure you have the latest version of the agent. You can find information about the agent release history here. You can download the latest version here.

You can find out which version of the agent you're using as follows:

  1. Go to the domain server where the agent is installed.
  2. Right-click the Microsoft Azure AD Connect Provisioning Agent app.
  3. Select the “Details” tab; the version number is listed there.

Note

Azure Active Directory (AD) Connect follows the Modern Lifecycle Policy. Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service. Products governed by the Modern Lifecycle Policy follow a continuous support and servicing model. Customers must take the latest update to remain supported. For products and services governed by the Modern Lifecycle Policy, Microsoft's policy is to provide a minimum of 30 days' notification when customers are required to take action in order to avoid significant degradation to the normal use of the product or service.


General Availability - Add multiple domains to the same SAML/Ws-Fed based identity provider configuration for your external users

Type: New feature
Service category: B2B
Product capability: B2B/B2C

An IT admin can now add multiple domains to a single SAML/WS-Fed identity provider configuration to invite users from multiple domains to authenticate from the same identity provider endpoint. For more information, see: Federation with SAML/WS-Fed identity providers for guest users.


General Availability - Limits on the number of configured API permissions for an application registration will be enforced starting in October 2022

Type: Plan for change
Service category: Other
Product capability: Developer Experience

At the end of October, the total number of required permissions for any single application registration must not exceed 400 permissions across all APIs. Applications exceeding the limit won't be able to increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.

In the Azure portal, the required permissions are listed under API Permissions within specific applications in the application registration menu. When using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. For more information, see: Validation differences by supported account types (signInAudience).
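To find registrations that are already near the limits before they become unable to add permissions, the counts can be computed directly from the requiredResourceAccess property. The script below is an added example, not Microsoft's code; it assumes the application entity shape returned by Microsoft Graph (resourceAppId plus resourceAccess entries with id and type), and the sample registrations it builds use placeholder GUIDs.

```python
"""Check an application registration's requiredResourceAccess against the
limits described above: at most 400 required permissions in total across
all APIs, and at most 50 distinct APIs (resourceAppId values).

Added example, not Microsoft's code. The input shape follows the Microsoft
Graph application entity (assumption): requiredResourceAccess is a list of
{resourceAppId, resourceAccess: [{id, type}]}, where type is "Scope" for a
delegated permission and "Role" for an application permission. The sample
registrations built by constructed_app() use placeholder GUIDs.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass

MAX_PERMISSIONS = 400  # total required permissions across all APIs
MAX_APIS = 50          # distinct resourceAppId values


@dataclass(frozen=True)
class PermissionLimitReport:
    total_permissions: int
    distinct_apis: int
    scopes: int  # delegated permissions ("Scope")
    roles: int   # application permissions ("Role")

    @property
    def exceeds_permission_limit(self) -> bool:
        return self.total_permissions > MAX_PERMISSIONS

    @property
    def exceeds_api_limit(self) -> bool:
        return self.distinct_apis > MAX_APIS

    @property
    def ok(self) -> bool:
        return not (self.exceeds_permission_limit or self.exceeds_api_limit)


def check_required_resource_access(app: dict) -> PermissionLimitReport:
    """Count required permissions and distinct APIs in an application entity.

    A repeated (resourceAppId, permission id) pair in an exported file is
    counted once so that duplicates in the export do not inflate the total.
    """
    seen: set[tuple[str, str]] = set()
    apis: set[str] = set()
    scopes = roles = 0
    for rra in app.get("requiredResourceAccess", []):
        api_id = rra["resourceAppId"]
        apis.add(api_id)
        for access in rra.get("resourceAccess", []):
            key = (api_id, access["id"])
            if key in seen:
                continue
            seen.add(key)
            if access.get("type") == "Role":
                roles += 1
            else:
                scopes += 1
    return PermissionLimitReport(len(seen), len(apis), scopes, roles)


def constructed_app(n_apis: int, perms_per_api: int) -> dict:
    """Build a synthetic application entity with placeholder GUIDs; odd
    permission indexes are delegated ("Scope"), even ones application ("Role")."""
    return {
        "displayName": "constructed-sample-app",
        "requiredResourceAccess": [
            {
                "resourceAppId": f"00000000-0000-0000-0000-{api:012d}",
                "resourceAccess": [
                    {"id": str(uuid.uuid4()), "type": "Scope" if p % 2 else "Role"}
                    for p in range(perms_per_api)
                ],
            }
            for api in range(n_apis)
        ],
    }


if __name__ == "__main__":
    cases = (("small", constructed_app(3, 10)),
             ("too many permissions", constructed_app(5, 90)),
             ("too many APIs", constructed_app(51, 1)))
    for label, app in cases:
        r = check_required_resource_access(app)
        verdict = "OK" if r.ok else "EXCEEDS LIMIT"
        print(f"{label}: {r.total_permissions} permissions over {r.distinct_apis} APIs -> {verdict}")
```

For a real tenant, feed the script each object from a Graph list of applications (or the output of Get-MgApplication converted to JSON) in place of the constructed registrations.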


Public Preview - Conditional access Authentication strengths

Type: New feature
Service category: Conditional Access
Product capability: User Authentication

Announcing Public preview of Authentication strength, a Conditional Access control that allows administrators to specify which authentication methods can be used to access a resource. For more information, see: Conditional Access authentication strength (preview). You can use custom authentication strengths to restrict access by requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and apply this through conditional access policies. For more information, see: FIDO2 security key advanced options.


Public Preview - Conditional access authentication strengths for external identities

Type: New feature
Service category: B2B
Product capability: B2B/B2C

You can now require your business partner (B2B) guests across all Microsoft clouds to use specific authentication methods to access your resources with Conditional Access Authentication Strength policies. For more information, see: Conditional Access: Require an authentication strength for external users.


General Availability - Windows Hello for Business, Cloud Kerberos Trust deployment

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, we’ve made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: Hybrid Cloud Kerberos Trust Deployment.


General Availability - Device-based conditional access on Linux Desktops

Type: New feature
Service category: Conditional Access
Product capability: SSO

This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

  • Users can register their Linux devices with Azure AD.
  • Users can enroll in Mobile Device Management (Intune), which can be used to provide compliance decisions based upon policy definitions to allow device-based Conditional Access on Linux desktops.
  • If compliant, users can use the Edge browser to enable single sign-on to M365/Azure resources and satisfy device-based Conditional Access policies.

For more information, see: Azure AD registered devices and Plan your Azure Active Directory device deployment.


General Availability - Deprecation of Azure Multi-Factor Authentication Server

Type: Deprecated
Service category: MFA
Product capability: Identity Security & Protection

Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services, and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure AD Multi-Factor Authentication service using the latest Migration Utility included in the most recent Azure AD Multi-Factor Authentication Server update. For more information, see: Migrate from MFA Server to Azure AD Multi-Factor Authentication.


Public Preview - Lifecycle Workflows is now available

Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

We're excited to announce the public preview of Lifecycle Workflows, a new Identity Governance capability that allows customers to extend the user provisioning process, and adds enterprise grade user lifecycle management capabilities, in Azure AD to modernize your identity lifecycle management process. With Lifecycle Workflows, you can:

  • Confidently configure and deploy custom workflows to onboard and offboard cloud employees at scale replacing your manual processes.
  • Automate out-of-the-box actions critical to required Joiner and Leaver scenarios and get rich reporting insights.
  • Extend workflows via Logic Apps integrations with custom tasks extensions for more complex scenarios.

For more information, see: What are Lifecycle Workflows? (Public Preview).


Public Preview - User-to-Group Affiliation recommendation for group Access Reviews

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

This feature provides Machine Learning based recommendations to the reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation detects user affiliation with other users within the group, and applies the scoring mechanism we built by computing the user’s average distance with other users in the group. For more information, see: Review recommendations for Access reviews.


General Availability - Group assignment for SuccessFactors Writeback application

Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

When configuring writeback of attributes from Azure AD to SAP SuccessFactors Employee Central, you can now specify the scope of users using Azure AD group assignment. For more information, see: Tutorial: Configure attribute write-back from Azure AD to SAP SuccessFactors.


General Availability - Number Matching for Microsoft Authenticator notifications

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving an MFA notification in the Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update, we've also added the highly requested ability for admins to exclude user groups from each feature.

The number matching feature greatly raises the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks, in which an attacker repeatedly triggers push notifications hoping the user approves one. We highly encourage our customers to adopt this feature using the rollout controls we've built. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting February 27, 2023.

For more information, see: How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy.


General Availability - Additional context in Microsoft Authenticator notifications

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Customers can enhance notifications with the following:

  • Application Context: This feature will show users which application they're signing into.
  • Geographic Location Context: This feature will show users their sign-in location based on the IP address of the device they're signing into.

The feature is available for both MFA and passwordless phone sign-in notifications and greatly increases the security posture of the Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update, we've also added the highly requested ability for admins to exclude user groups from certain features.

We highly encourage our customers to adopt these critical security features to reduce accidental approvals of Authenticator notifications by end users.

For more information, see: How to use additional context in Microsoft Authenticator notifications - Authentication methods policy.
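Both this item and the Number Matching item above refer to the refreshed Microsoft Graph APIs and the per-feature group exclusions. The request body below is an added example, not taken from this page or from Microsoft's documentation, showing how the three feature settings are expressed together on the Microsoft Authenticator authentication method configuration. The object and property names are those of the Graph beta microsoftAuthenticatorAuthenticationMethodConfiguration resource as I know it; the all-zero GUID in each excludeTarget is a placeholder for the group you want to exempt from that feature, and "all_users" is the built-in target for the whole tenant.

```json
{
  "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "featureSettings": {
    "numberMatchingRequiredState": {
      "state": "enabled",
      "includeTarget": { "targetType": "group", "id": "all_users" },
      "excludeTarget": { "targetType": "group", "id": "00000000-0000-0000-0000-000000000000" }
    },
    "displayAppInformationRequiredState": {
      "state": "enabled",
      "includeTarget": { "targetType": "group", "id": "all_users" },
      "excludeTarget": { "targetType": "group", "id": "00000000-0000-0000-0000-000000000000" }
    },
    "displayLocationInformationRequiredState": {
      "state": "enabled",
      "includeTarget": { "targetType": "group", "id": "all_users" },
      "excludeTarget": { "targetType": "group", "id": "00000000-0000-0000-0000-000000000000" }
    }
  }
}
```

Send it as a PATCH to https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator with a principal holding the Policy.ReadWrite.AuthenticationMethod permission. Keep the exclusion groups small and reviewed: every user in an excludeTarget is a user who can still be hit by a bare approve/deny prompt, which is exactly the surface these features close.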


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2022 we've added the following 15 new applications in our App gallery with Federation support:

Unifii, WaitWell Staff App, AuthParency, Oncospark Code Interceptor, Thread Legal Case Management, e2open CM-Global, OpenText XM Fax and XM SendSecure, Contentkalender, Evovia, Parmonic, mailto.wiki, JobDiva Azure SSO, Mapiq, IVM Smarthub, Span.zone – SSO and Read-only, UISolutions, RecruiterPal, Broker groupe Achat Solutions, Philips SpeechLive, Crayon, Cytric, Notate, ControlDocumentario, Intuiflow, Valence Security Platform, Skybreathe® Analytics

You can also find the documentation of all the applications at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at https://aka.ms/AzureADAppRequest.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


September 2022

General Availability - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync

Type: New feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Lifecycle Management

Azure AD Connect Cloud Sync Password writeback now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment.


General Availability - Device-based conditional access on Linux Desktops

Type: New feature
Service category: Conditional Access
Product capability: SSO

This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

  • Users can register their Linux devices with Azure AD.
  • Users can enroll in Mobile Device Management (Intune), which provides compliance decisions based on policy definitions and so allows device-based Conditional Access on Linux desktops.
  • If the device is compliant, users can use the Edge browser to get single sign-on to M365/Azure resources and satisfy device-based Conditional Access policies.

For more information, see:


General Availability - Azure AD SCIM Validator

Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Independent Software Vendors (ISVs) and developers can self-test their SCIM endpoints for compatibility. We've made it easier for ISVs to validate that their endpoints are compatible with the SCIM-based Azure AD provisioning service. This capability is now in general availability (GA) status.

For more information, see: Tutorial: Validate a SCIM endpoint


General Availability - prevent accidental deletions

Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in any system could be disastrous. We're excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle exceeds a customer-defined threshold, the Azure AD provisioning service pauses, gives you visibility into the potential deletions, and lets you accept or reject them. This functionality has historically been available for Azure AD Connect and Azure AD Connect cloud sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning.

For more information, see: Enable accidental deletions prevention in the Azure AD provisioning service


General Availability - Identity Protection Anonymous and Malicious IP for ADFS on-premises logins

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity protection expands its Anonymous and Malicious IP detections to protect ADFS sign-ins. This will automatically apply to all customers who have AD Connect Health deployed and enabled, and will show up as the existing "Anonymous IP" or "Malicious IP" detections with a token issuer type of "AD Federation Services".

For more information, see: What is risk?


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2022 we've added the following 15 new applications in our App gallery with Federation support:

RocketReach SSO, Arena EU, Zola, FourKites SAML2.0 SSO for Tracking, Syniverse Customer Portal, Rimo, Q Ware CMMS, Mapiq (OIDC), NICE Cxone, dominKnow|ONE, Waynbo for Azure AD, innDex, Profiler Software, Trotto go links, AsignetSSOIntegration.

You can also find the documentation of all the applications at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at https://aka.ms/AzureADAppRequest.


August 2022

General Availability - Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Customers can now require a fresh authentication each time a user performs a certain action. Forced reauthentication supports requiring a user to reauthenticate during Intune device enrollment, password change for risky users, and risky sign-ins.

For more information, see: Configure authentication session management with Conditional Access


General Availability - Multi-Stage Access Reviews

Type: Changed feature
Service category: Access Reviews
Product capability: Identity Governance

Customers can now meet their complex audit and recertification requirements through multiple stages of reviews. For more information, see: Create a multi-stage access review.


Public Preview - External user leave settings

Type: New feature
Service category: Enterprise Apps
Product capability: B2B/B2C

Currently, users can leave an organization through self-service without their IT administrators having visibility of it. Some organizations may want more control over this self-service process.

With this feature, IT administrators can now allow or restrict external identities from leaving an organization through the Microsoft-provided self-service controls, via Azure Active Directory in the Microsoft Entra portal. In order to restrict users from leaving an organization, customers need to set the "Global privacy contact" and "Privacy statement URL" under tenant properties.

A new policy API is available for the administrators to control tenant wide policy: externalIdentitiesPolicy resource type

For more information, see:


Public Preview - Restrict self-service BitLocker for devices

Type: New feature
Service category: Device Registration and Management
Product capability: Access Control

In some situations, you may want to restrict the ability of end users to self-service BitLocker keys. With this new functionality, you can now turn off self-service of BitLocker keys, so that only specific individuals with the right privileges can recover a BitLocker key.

For more information, see: Block users from viewing their BitLocker keys (preview)


Public Preview - Identity Protection Alerts in Microsoft 365 Defender

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection risk detections (alerts) are now also available in Microsoft 365 Defender to provide a unified investigation experience for security professionals. For more information, see: Investigate alerts in Microsoft 365 Defender


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2022, we've added the following 40 new applications in our App gallery with Federation support:

Albourne Castle, Adra by Trintech, workhub, 4DX, Ecospend IAM V1, TigerGraph, Sketch, Lattice, snapADDY Single Sign On, RELAYTO Content Experience Platform, oVice, Arena, QReserve, Curator, NetMotion Mobility, HackNotice, ERA_EHS_CORE, AnyClip Teams Connector, Wiz SSO, Tango Reserve by AgilQuest (EU Instance), valid8Me, Ahrtemis, KPMG Leasing Tool Mist Cloud Admin SSO, Work-Happy, Ediwin SaaS EDI, LUSID, Next Gen Math, Total ID, Cheetah For Benelux, Live Center Australia, Shop Floor Insight, Warehouse Insight, myAOS, Hero, FigBytes, VerosoftDesign, ViewpointOne - UK, EyeRate Reviews, Lytx DriveCam

You can also find the documentation of all the applications at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at https://aka.ms/AzureADAppRequest.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


General Availability - Workload Identity Federation with App Registrations is available now

Type: New feature
Service category: Other
Product capability: Developer Experience

Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider for Azure AD tokens, without needing secrets. It eliminates the need to store and manage credentials inside code or secret stores in order to access Azure AD protected resources such as Azure and Microsoft Graph. By removing the secrets required to access Azure AD protected resources, workload identity federation can improve the security posture of your organization. This feature also reduces the burden of secret management and minimizes the risk of service downtime due to expired credentials.

For more information on this capability and supported scenarios, see Workload identity federation.
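To make the exchange concrete, here is an added example (mine, not Microsoft's code and not the Azure AD implementation) that models the two halves of workload identity federation: the trust an app registration declares through a federated identity credential (issuer, subject, audiences), and the client_credentials request in which the workload presents the external provider's token as a client_assertion instead of a secret. The sample token, the GitHub Actions style issuer and subject values, and the tenant/client IDs are constructed for the illustration; the assertion type URN and the default audience api://AzureADTokenExchange are the standard values.

```python
"""Model of the workload identity federation exchange (added example).

Constructed illustration, not Microsoft's implementation. An app
registration holds a federated identity credential (issuer, subject,
audiences). A workload presents a token from the external IdP as a
client_assertion; Azure AD issues its own token only if the external
token's iss/sub/aud match that credential.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"  # default audience on a federated credential


@dataclass
class FederatedCredential:
    """The three matching fields of a federated identity credential."""
    issuer: str
    subject: str
    audiences: List[str] = field(default_factory=lambda: [DEFAULT_AUDIENCE])


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Signature verification is deliberately out of scope here: in the real
    flow Azure AD fetches the external issuer's signing keys and verifies
    the signature before it looks at any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def credential_matches(cred: FederatedCredential, claims: Dict[str, Any]) -> bool:
    """Exact-match check of iss, sub and aud against one federated credential.

    Subject is matched as a whole string, so a token minted for another
    repository or branch does not satisfy a credential scoped to main.
    """
    aud = claims.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == cred.issuer
        and claims.get("sub") == cred.subject
        and any(a in cred.audiences for a in audiences)
    )


def build_token_request(tenant_id: str, client_id: str,
                        external_token: str, scope: str) -> Tuple[str, Dict[str, str]]:
    """Build the client_credentials request that carries the external token.

    The body is what the workload POSTs (form-encoded) to the v2.0 token
    endpoint; no client_secret or certificate appears anywhere in it.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": external_token,
    }
    return url, body


def make_sample_token(claims: Dict[str, Any]) -> str:
    """Constructed, unsigned sample token standing in for an external IdP token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed values in the shape GitHub Actions OIDC tokens use.
    cred = FederatedCredential(
        issuer="https://token.actions.githubusercontent.com",
        subject="repo:contoso/payments-api:ref:refs/heads/main",
    )
    token = make_sample_token({
        "iss": cred.issuer, "sub": cred.subject, "aud": DEFAULT_AUDIENCE,
    })
    print("credential matches:", credential_matches(cred, decode_claims(token)))
    url, body = build_token_request("<tenant-id>", "<client-id>", token,
                                    "https://graph.microsoft.com/.default")
    print(url, body["client_assertion_type"])
```

The point worth checking in your own federated credentials is the subject string: it is the only field that distinguishes, for example, a protected branch from a pull-request build, so a credential whose subject is too broad hands the app registration's permissions to every workload the external issuer will vouch for.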


Public Preview - Entitlement management automatic assignment policies

Type: Changed feature
Service category: Entitlement Management
Product capability: Identity Governance

In Azure AD entitlement management, a new form of access package assignment policy is being added. The automatic assignment policy includes a filter rule, similar to a dynamic group membership rule, that specifies the users in the tenant who should have assignments. When a user comes into scope by matching the filter rule's criteria, an assignment is automatically created, and when the user no longer matches, the assignment is removed.

For more information, see: Configure an automatic assignment policy for an access package in Azure AD entitlement management (Preview).
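The following request body is an added example, not from this page, showing what such a filter rule looks like on an assignment policy: the rule uses the same expression syntax as dynamic group membership, and the automatic request settings control both the creation and the removal side described above. The property names are those of the Graph accessPackageAssignmentPolicy resource as I know it (beta endpoint at the time of this preview), the department value is a constructed sample, and the access package ID is a placeholder.

```json
{
  "displayName": "Auto-assign: Sales department",
  "description": "Assign this access package to every user whose department attribute is Sales",
  "allowedTargetScope": "specificDirectoryUsers",
  "specificAllowedTargets": [
    {
      "@odata.type": "#microsoft.graph.attributeRuleMembers",
      "description": "Users in the Sales department",
      "membershipRule": "(user.department -eq \"Sales\")"
    }
  ],
  "automaticRequestSettings": {
    "requestAccessForAllowedTargets": true,
    "removeAccessWhenTargetLeavesAllowedTargets": true,
    "gracePeriodBeforeAccessRemoval": "P7D"
  },
  "accessPackage": {
    "id": "00000000-0000-0000-0000-000000000000"
  }
}
```

It is posted to the assignmentPolicies collection under identityGovernance/entitlementManagement. The grace period matters from a governance angle: the assignment stays in place for that ISO 8601 duration after the user stops matching the rule, so pick it with the same care as the rule itself, and review who can edit the attributes the rule keys on, since anyone who can change a user's department value can, through this policy, change their access.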