What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL into your RSS feed reader: https://docs.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items that are older than six months, you can find them in the Archive for What's new in Azure Active Directory.


July 2020

As an IT Admin, I want to target client apps using Conditional Access

Type: Plan for change
Service category: Conditional Access
Product capability: Identity Security & Protection

With the GA release of the client apps condition in Conditional Access, new policies will now apply by default to all client applications, including legacy authentication clients. Existing policies will remain unchanged, but the Configure Yes/No toggle will be removed from existing policies so you can easily see which client apps each policy applies to.

When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they will be blocked. Learn more.


Upcoming SCIM compliance fixes

Type: Plan for change
Service category: App Provisioning
Product capability: Identity Lifecycle Management

The Azure AD provisioning service leverages the SCIM standard for integrating with applications. Our implementation of the SCIM standard is evolving, and we expect to make changes to our behavior around how we perform PATCH operations as well as set the property "active" on a resource. Learn more.


Group owner setting on Azure Admin portal will be changed

Type: Plan for change
Service category: Group Management
Product capability: Collaboration

Owner settings on the Groups general settings page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. We will soon have the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph.

We will start to disable the current setting for the customers who are not using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using Azure Active Directory.


Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1

Type: Plan for change
Service category: Device Registration and Management
Product capability: Platform

Servers and clients will soon need to use Transport Layer Security (TLS) 1.2 to communicate with the Azure Active Directory Device Registration Service. Support for TLS 1.0 and 1.1 for communication with Azure AD Device Registration service will retire:

  • On August 31, 2020, in all sovereign clouds (GCC High, DoD, etc.)
  • On October 30, 2020, in all commercial clouds

Learn more about TLS 1.2 for the Azure AD Registration Service.


Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs

Type: Fixed
Service category: Reporting
Product capability: Monitoring & Reporting

Windows Hello for Business allows end-users to sign into Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.

Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD Sign-Ins blade in the Azure Portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting Sign-In Logs, please see the Sign-In Logs documentation.
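Passwordless adoption is easier to track when the sign-in log is summarised per user rather than read event by event. The following is an added example, not Microsoft's code: it runs over a few constructed sign-in records shaped like the Microsoft Graph signIn resource (the `authenticationDetails[].authenticationMethod` field is assumed to carry the same value the Authentication Method column shows in the portal) and reports which users still sign in to Windows without Windows Hello for Business.

```python
"""Summarise Windows sign-ins by authentication method from Azure AD sign-in
log records, flagging which ones used Windows Hello for Business.

Added example, not Microsoft's code. The record shape follows the Graph signIn
resource (authenticationDetails[].authenticationMethod, deviceDetail), which is
an assumption; the sample records themselves are constructed.
"""
from typing import Dict, Iterable, List

# Method name the release note says appears in the Authentication Method field.
WHFB_METHOD = "WindowsHelloForBusiness"

# Constructed sample records, trimmed to the fields this example reads.
SAMPLE_SIGNINS: List[Dict] = [
    {"id": "s1", "userPrincipalName": "alice@contoso.example",
     "deviceDetail": {"operatingSystem": "Windows 10"},
     "authenticationDetails": [
         {"authenticationMethod": WHFB_METHOD, "succeeded": True}]},
    {"id": "s2", "userPrincipalName": "alice@contoso.example",
     "deviceDetail": {"operatingSystem": "Windows 10"},
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"id": "s3", "userPrincipalName": "bob@contoso.example",
     "deviceDetail": {"operatingSystem": "Windows 10"},
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True}]},
    {"id": "s4", "userPrincipalName": "carol@contoso.example",
     "deviceDetail": {"operatingSystem": "MacOs"},
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True}]},
]


def used_whfb(signin: Dict) -> bool:
    """True if any authentication step of this sign-in used Windows Hello for Business."""
    return any(step.get("authenticationMethod") == WHFB_METHOD
               for step in signin.get("authenticationDetails", []))


def is_windows(signin: Dict) -> bool:
    """True for sign-ins reported from a Windows device."""
    os_name = signin.get("deviceDetail", {}).get("operatingSystem", "")
    return os_name.lower().startswith("windows")


def passwordless_progress(signins: Iterable[Dict]) -> Dict[str, Dict[str, int]]:
    """Per user: how many Windows sign-ins used WHfB versus anything else.
    Non-Windows sign-ins are ignored because WHfB cannot apply to them."""
    per_user: Dict[str, Dict[str, int]] = {}
    for s in signins:
        if not is_windows(s):
            continue
        bucket = per_user.setdefault(s["userPrincipalName"], {"whfb": 0, "other": 0})
        bucket["whfb" if used_whfb(s) else "other"] += 1
    return per_user


def users_still_on_passwords(signins: Iterable[Dict]) -> List[str]:
    """Users whose Windows sign-ins in the sample never used WHfB."""
    return sorted(upn for upn, counts in passwordless_progress(signins).items()
                  if counts["whfb"] == 0)


if __name__ == "__main__":
    for upn, counts in passwordless_progress(SAMPLE_SIGNINS).items():
        print(f"{upn}: WHfB={counts['whfb']} other={counts['other']}")
    print("still on passwords:", users_still_on_passwords(SAMPLE_SIGNINS))
```

The same functions work unchanged on records exported from the Sign-Ins blade or pulled from the Graph signIns endpoint, as long as the authentication details are included in the export.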


Fixes to group deletion behavior and performance improvements

Type: Fixed
Service category: App Provisioning
Product capability: Identity Lifecycle Management

Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object was not being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or did not pass scoping filter). Learn more.


Public Preview: Admins can now add custom content in the email to reviewers when creating an access review

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many of our customers asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer.

Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the "advanced" section of Azure AD Access Reviews. For guidance on creating access reviews, see Create an access review of groups and applications in Azure AD access reviews.


Authorization Code Flow for Single-page apps available

Type: New feature
Service category: Authentications (Logins)
Product capability: Developer Experience

Because of modern browser 3rd party cookie restrictions such as Safari ITP, SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO, and MSAL.js v 2.x will now support the authorization code flow.

There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. See Sign in users and get an access token in a JavaScript SPA using the auth code flow for further guidance.


Azure AD Application Proxy now supports the Remote Desktop Services Web Client

Type: New feature
Service category: App Proxy
Product capability: Access Control

Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTML5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For guidance, see Publish Remote Desktop with Azure AD Application Proxy.


Next generation Azure AD B2C user flows in public preview

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows. Try it now by creating a user flow.

For more information about user flows, see User flow versions in Azure Active Directory B2C.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2020 we have added the following 55 new applications in our App gallery with Federation support:

Clap Your Hands, Appreiz, Inextor Vault, Beekast, Templafy OpenID Connect, PeterConnects receptionist, AlohaCloud, Control Tower, Cocoom, COINS Construction Cloud, Medxnote MT, Reflekt, Rever, MyCompanyArchive, GReminders, Titanfile, Wootric, SolarWinds Orion, OpenText Directory Services, Datasite, BlogIn, IntSights, kpifire, Textline, Cloud Academy - SSO, Community Spark, Chatwork, CloudSign, C3M Cloud Control, SmartHR, NumlyEngage™, Michigan Data Hub Single Sign-On, Egress, SendSafely, Eletive, Right-Hand Cybersecurity ADI, Fyde Enterprise Authentication, Verme, Lenses.io, Momenta, Uprise, Q, CloudCords, TellMe Bot, Inspire, Maverics Identity Orchestrator SAML Connector, Smartschool (School Management System), Zepto - Intelligent timekeeping, Studi.ly, Trackplan, Skedda, WhosOnLocation, Coggle, Kemp LoadMaster, BrowserStack Single Sign-on

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for the newly integrated app LinkedIn Learning.

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


View role assignments across all scopes and ability to download them to a csv file

Type: Changed feature
Service category: RBAC
Product capability: Access Control

You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure AD portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see View and assign administrator roles in Azure Active Directory.


Azure Multi-Factor Authentication Software Development (Azure MFA SDK) Deprecation

Type: Deprecated
Service category: MFA
Product capability: Identity Security & Protection

The Azure Multi-Factor Authentication Software Development (Azure MFA SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail.

If your organization is using the Azure MFA SDK, you need to migrate by September 30th, 2020:

  • Azure MFA SDK for MIM: If you use the SDK with MIM, you should migrate to Azure MFA Server and activate Privileged Access Management (PAM) following these instructions.
  • Azure MFA SDK for customized apps: Consider integrating your app into Azure AD and use Conditional Access to enforce MFA. To get started, review this page.

June 2020

User risk condition in Conditional Access policy

Type: Plan for change
Service category: Conditional Access
Product capability: Identity Security & Protection

User risk support in Azure AD Conditional Access policy allows you to create multiple user risk-based policies. Different minimum user risk levels can be required for different users and apps. Based on user risk, you can create policies to block access, require multi-factor authentication, secure password change, or redirect to Microsoft Cloud App Security to enforce session policy, such as additional auditing.

The user risk condition requires Azure AD Premium P2 because it uses Azure Identity Protection, which is a P2 offering. For more information about Conditional Access, refer to Azure AD Conditional Access documentation.


SAML SSO now supports apps that require SPNameQualifier to be set when requested

Type: Fixed
Service category: Enterprise Apps
Product capability: SSO

Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now Azure AD responds correctly when an SPNameQualifier is requested in the request NameID policy. This also works for SP-initiated sign-in, and IdP-initiated sign-in will follow. To learn more about the SAML protocol in Azure Active Directory, see Single Sign-On SAML protocol.


Azure AD B2B Collaboration supports inviting MSA and Google users in Azure Government tenants

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Azure Government tenants using the B2B collaboration features can now invite users that have a Microsoft or Google account. To find out if your tenant can use these capabilities, follow the instructions at How can I tell if B2B collaboration is available in my Azure US Government tenant?


User object in MS Graph v1 now includes externalUserState and externalUserStateChangedDateTime properties

Type: New feature
Service category: B2B
Product capability: B2B/B2C

The externalUserState and externalUserStateChangedDateTime properties can be used to find invited B2B guests who have not accepted their invitations yet as well as build automation such as deleting users who haven't accepted their invitations after some number of days. These properties are now available in MS Graph v1. For guidance on using these properties, refer to User resource type.
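The automation the note mentions, finding invitations that have sat unaccepted for too long, is shown here as an added example that is not Microsoft's code. The request URL uses the documented `$filter` on `externalUserState`; the response page is constructed inline so the example runs offline, and the function only returns review candidates rather than deleting anything.

```python
"""Find B2B guests whose invitation has been pending longer than a cutoff,
using the externalUserState and externalUserStateChangedDateTime properties.

Added example, not Microsoft's code. The query shape is the v1.0 /users
request; SAMPLE_USERS is a constructed response page with placeholder ids.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"


def pending_guests_query() -> str:
    """Build the v1.0 request that returns only guests who have not accepted."""
    return (f"{GRAPH_USERS}?$filter=externalUserState eq 'PendingAcceptance'"
            "&$select=id,userPrincipalName,externalUserState,"
            "externalUserStateChangedDateTime")


# Constructed sample: one page of the query response, trimmed to the selected
# fields. Ids and names are placeholders, not real tenant data.
SAMPLE_NOW = datetime(2020, 6, 30, tzinfo=timezone.utc)
SAMPLE_USERS: List[Dict] = [
    {"id": "guest-0001", "userPrincipalName": "alice_fabrikam.example#EXT#@contoso.example",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": "2020-05-01T10:15:00Z"},
    {"id": "guest-0002", "userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": "2020-06-20T08:00:00.1234567Z"},
    {"id": "guest-0003", "userPrincipalName": "carol_fabrikam.example#EXT#@contoso.example",
     "externalUserState": "Accepted",
     "externalUserStateChangedDateTime": "2020-04-02T09:30:00Z"},
    {"id": "guest-0004", "userPrincipalName": "dave_fabrikam.example#EXT#@contoso.example",
     "externalUserState": "PendingAcceptance",
     "externalUserStateChangedDateTime": None},
]


def parse_graph_datetime(value: str) -> datetime:
    """Graph emits ISO 8601 UTC such as 2020-05-01T10:15:00Z, sometimes with up
    to seven fractional-second digits that fromisoformat() rejects; drop them."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def stale_pending_invites(users: List[Dict], now: datetime, max_age_days: int) -> List[Dict]:
    """Return guests still pending after max_age_days, longest-pending first.
    Removal is deliberately left to the caller after review."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for u in users:
        if u.get("externalUserState") != "PendingAcceptance":
            continue
        changed = u.get("externalUserStateChangedDateTime")
        if not changed:
            continue  # no timestamp to reason about: skip rather than guess
        changed_at = parse_graph_datetime(changed)
        if changed_at < cutoff:
            stale.append({"id": u["id"],
                          "userPrincipalName": u["userPrincipalName"],
                          "pendingDays": (now - changed_at).days})
    return sorted(stale, key=lambda s: s["pendingDays"], reverse=True)


if __name__ == "__main__":
    print(pending_guests_query())
    for guest in stale_pending_invites(SAMPLE_USERS, SAMPLE_NOW, 30):
        print(f"{guest['userPrincipalName']} pending for {guest['pendingDays']} days")
```

Against the real endpoint, page through `@odata.nextLink` and feed each page's `value` array to `stale_pending_invites`; the client-side age check is needed because `externalUserStateChangedDateTime` cannot be compared in a `$filter` the way the state can.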


Manage authentication sessions in Azure AD Conditional Access is now generally available

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers to offer more security and flexibility in your environment.

Additionally, authentication session management used to only apply to the First Factor Authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Now authentication session management will apply to MFA as well. For more information, see Configure authentication session management with Conditional Access.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2020 we have added the following 29 new applications in our App gallery with Federation support:

Shopify Plus, Ekarda, MailGates, BullseyeTDP, Raketa, Segment, Ai Auditor, Pobuca Connect, Proto.io, Gatekeeper, Hub Planner, Ansira-Partner Go-to-Market Toolbox, IBM Digital Business Automation on Cloud, Kisi Physical Security, ViewpointOne, IntelligenceBank, pymetrics, Zero, InStation, edX for Business SAML 2.0 Integration, MOOC Office 365, SmartKargo, PKIsigning platform, SiteIntel, Field iD, Curricula SAML, Perforce Helix Core - Helix Authentication Service, MyCompliance Cloud, Smallstep SSH

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial. For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest.


API connectors for External Identities self-service sign-up are now in public preview

Type: New feature
Service category: B2B
Product capability: B2B/B2C

External Identities API connectors enable you to leverage web APIs to integrate self-service sign-up with external cloud systems. This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows. For example, you can use API connectors to:

  • Integrate with custom approval workflows
  • Perform identity proofing
  • Validate user input data
  • Overwrite user attributes
  • Run custom business logic

For more information about all of the experiences possible with API connectors, see Use API connectors to customize and extend self-service sign-up, or Customize External Identities self-service sign-up with web API integrations.


Provision on-demand and get users into your apps in seconds

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

The Azure AD provisioning service currently operates on a cyclic basis. The service runs every 40 mins. The on-demand provisioning capability allows you to pick a user and provision them in seconds. This capability allows you to quickly troubleshoot provisioning issues, without having to do a restart to force the provisioning cycle to start again.


New permission for using Azure AD entitlement management in Graph

Type: New feature
Service category: Other
Product capability: Entitlement Management

A new delegated permission EntitlementManagement.Read.All is now available for use with the Entitlement Management API in Microsoft Graph beta. To find out more about the available APIs, see Working with the Azure AD entitlement management API.


Identity Protection APIs available in v1.0

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they are available at the v1.0 endpoint, we invite you to use them in production. For more information, please check out the Microsoft Graph docs.


Sensitivity labels to apply policies to Microsoft 365 groups is now generally available

Type: New feature
Service category: Group Management
Product capability: Collaboration

You can now create sensitivity labels and use the label settings to apply policies to Microsoft 365 groups, including privacy (Public or Private) and an external user access policy. For example, you can create a label whose privacy policy is Private and whose external user access policy disallows adding guest users. When a user applies this label to a group, the group will be private, and no guest users can be added to the group.

Sensitivity labels are important to protect your business-critical data and enable you to manage groups at scale, in a compliant and secure fashion. For guidance on using sensitivity labels, refer to Assign sensitivity labels to Office 365 groups in Azure Active Directory (preview).


Updates to support for Microsoft Identity Manager for Azure AD Premium customers

Type: Changed feature
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

Azure Support is now available for Azure AD integration components of Microsoft Identity Manager 2016, through the end of Extended Support for Microsoft Identity Manager 2016. Read more at Support update for Azure AD Premium customers using Microsoft Identity Manager.


The use of group membership conditions in SSO claims configuration is increased

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

Previously, the number of groups you could use when you conditionally change claims based on group membership within any single application configuration was limited to 10. The use of group membership conditions in SSO claims configuration has now increased to a maximum of 50 groups. For more information on how to configure claims, refer to Enterprise Applications SSO claims configuration.


Enabling basic formatting on the Sign In Page Text component in Company Branding.

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

The Company Branding functionality on the Azure AD/Microsoft 365 login experience has been updated to allow the customer to add hyperlinks and simple formatting, including bold font, underline, and italics. For guidance on using this functionality, see Add branding to your organization's Azure Active Directory sign-in page.


Provisioning performance improvements

Type: Changed feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

The provisioning service has been updated to reduce the time for an incremental cycle to complete. This means that users and groups will be provisioned into their applications faster than they were previously. All new provisioning jobs created after 6/10/2020 will automatically benefit from the performance improvements. Any applications configured for provisioning before 6/10/2020 will need to restart once after 6/10/2020 to take advantage of the performance improvements.


Announcing the deprecation of ADAL and MS Graph Parity

Type: Deprecated
Service category: N/A
Product capability: Device Lifecycle Management

Now that Microsoft Authentication Libraries (MSAL) is available, we will no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. For more information on how to migrate to MSAL, refer to Migrate applications to Microsoft Authentication Library (MSAL).

Additionally, we have finished the work to make all Azure AD Graph functionality available through MS Graph. So, Azure AD Graph APIs will receive only bugfix and security fixes through June 30th, 2022. For more information, see Update your applications to use Microsoft Authentication Library and Microsoft Graph API.


May 2020

Retirement of properties in signIns, riskyUsers, and riskDetections APIs

Type: Plan for change
Service category: Identity Protection
Product capability: Identity Security & Protection

Currently, enumerated types are used to represent the riskType property in both the riskDetections API and riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the signIns API. Going forward we will represent these properties as strings.

Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API, and to riskEventTypes_v2 property in the beta signIns API by September 9th, 2020. At that date, we will be retiring the current riskType and riskEventTypes properties. For more information, refer to Changes to risk event properties and Identity Protection APIs on Microsoft Graph.


Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph

Type: Plan for change
Service category: Reporting
Product capability: Identity Security & Protection

Enumerated types will switch to string types when representing risk event properties in Microsoft Graph in September 2020. In addition to impacting the preview APIs, this change will also impact the in-production signIns API.

We have introduced a new riskEventTypes_v2 (string) property to the signIns v1.0 API. We will retire the current riskEventTypes (enum) property on June 11, 2022 in accordance with our Microsoft Graph deprecation policy. Customers should transition to the riskEventTypes_v2 property in the v1.0 signIns API by June 11, 2022. For more information, refer to Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph.
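Both of the preceding notes (the beta riskDetections/riskyUserHistoryItem change and the v1.0 signIns change) describe the same migration from an enumerated property to a string property. The added example below, which is not Microsoft's code, reads risk events from constructed signIn and riskDetection records during the overlap period: it prefers the new string property, falls back to the legacy enum, and flags records where the enum could only report its catch-all value `unknownFutureValue` (assumed, per the Graph enum definition, to be what the enum returns for detection types newer than itself). The detection name `newDetectionType` is constructed for illustration and is not a real Identity Protection detection.

```python
"""Read risk event types from Graph signIns / riskDetections records across
the enum-to-string migration.

Added example, not Microsoft's code. Property names come from the release
notes; the records and the "newDetectionType" value are constructed.
"""
from typing import Dict, List, Tuple

# The enum's catch-all for detection types it cannot name (assumed from the
# Graph enum definition); strings in the _v2 / riskEventType properties do
# not have this limitation, which is the reason for the migration.
LEGACY_CATCHALL = "unknownFutureValue"

SAMPLE_SIGNINS: List[Dict] = [
    {"id": "s1", "riskEventTypes": ["unlikelyTravel"],
     "riskEventTypes_v2": ["unlikelyTravel"]},
    # A detection newer than the enum: legacy property collapses it, the
    # string property names it.
    {"id": "s2", "riskEventTypes": [LEGACY_CATCHALL],
     "riskEventTypes_v2": ["newDetectionType"]},
    # Fetched by a client that still $select-ed only the legacy property.
    {"id": "s3", "riskEventTypes": [LEGACY_CATCHALL]},
    {"id": "s4", "riskEventTypes": ["none"], "riskEventTypes_v2": ["none"]},
]

SAMPLE_DETECTIONS: List[Dict] = [
    {"id": "d1", "riskType": "anonymizedIPAddress",
     "riskEventType": "anonymizedIPAddress"},
    {"id": "d2", "riskType": LEGACY_CATCHALL},
]


def sign_in_risk_events(signin: Dict) -> Tuple[List[str], str]:
    """Return (risk event names, property they came from), preferring the
    string-typed riskEventTypes_v2 when the record carries it."""
    if "riskEventTypes_v2" in signin:
        return list(signin["riskEventTypes_v2"]), "riskEventTypes_v2"
    return list(signin.get("riskEventTypes", [])), "riskEventTypes"


def risk_detection_event(detection: Dict) -> Tuple[str, str]:
    """Same preference for riskDetections: riskEventType (string) over riskType (enum)."""
    if "riskEventType" in detection:
        return detection["riskEventType"], "riskEventType"
    return detection.get("riskType", "none"), "riskType"


def triage_sign_ins(signins: List[Dict]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group sign-in ids by risk event. Also list records where only the legacy
    enum was available and it hid the real detection behind the catch-all, so
    the caller knows to re-query those with riskEventTypes_v2 selected."""
    by_event: Dict[str, List[str]] = {}
    needs_v2: List[str] = []
    for s in signins:
        events, source = sign_in_risk_events(s)
        for event in events:
            if event == "none":
                continue
            if event == LEGACY_CATCHALL and source == "riskEventTypes":
                needs_v2.append(s["id"])
            by_event.setdefault(event, []).append(s["id"])
    return by_event, needs_v2


if __name__ == "__main__":
    grouped, missing = triage_sign_ins(SAMPLE_SIGNINS)
    for event, ids in grouped.items():
        print(f"{event}: {ids}")
    print("re-query with riskEventTypes_v2:", missing)
```

Until the enum properties are retired, selecting both properties in `$select` keeps older consumers working while new detections are still visible through the string property.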


Upcoming changes to MFA email notifications

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

We are making the following changes to the email notifications for cloud MFA:

E-mail notifications will be sent from the following addresses: azure-noreply@microsoft.com and msonlineservicesteam@microsoftonline.com. We're updating the content of fraud alert emails to better indicate the required steps to unblock users.


New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't synced to Azure Active Directory.

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

Currently, users who are in domains federated in Azure AD, but who are not synced into the tenant, can't access Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email-verified sign-up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure AD, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign up." This is an extension of the existing email-verified self-service sign-up capability available to users in managed domains, and it can be controlled using the same flag. This change will complete rolling out during the following two months. Watch for documentation updates here.


Upcoming fix: The OIDC discovery document for the Azure Government cloud is being updated to reference the correct Graph endpoints.

Type: Plan for change
Service category: Sovereign Clouds
Product capability: User Authentication

Starting in June, the OIDC discovery document (see Microsoft identity platform and OpenID Connect protocol) on the Azure Government cloud endpoint (login.microsoftonline.us) will begin to return the correct national cloud Graph endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently returns the incorrect Graph endpoint (graph.microsoft.com) in the "msgraph_host" field.

This bug fix will be rolled out gradually over approximately 2 months.


Azure Government users will no longer be able to sign in on login.microsoftonline.com

Type: Plan for Change
Service category: Sovereign Clouds
Product capability: User Authentication

On 1 June 2018, the official Azure Active Directory (AAD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the .us endpoint.

Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint (microsoftonline.com). Impacted apps will begin seeing an error AADSTS900439 - USGClientNotSupportedOnPublicEndpoint.

There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020. For more details, please see the Azure Government blog post.


SAML Single Logout request now sends NameID in the correct format

Type: Fixed
Service category: Authentications (Logins)
Product capability: User Authentication

When a user clicks on sign-out (e.g., in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.

If the original SAML sign-in token used a different format for NameID (e.g. email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.
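The correlation failure described above is easy to reproduce on the service-provider side. The following added example (not Microsoft's code) parses two constructed, minimal SAML messages, the assertion that opened a session and a LogoutRequest, and compares the NameID value and Format between them; the pre-fix logout with a persistent NameID fails the check, while a logout carrying the NameID the application was configured with passes. Signatures and most attributes are omitted from the sample XML, and the issuer tenant id is a placeholder.

```python
"""Check that a SAML LogoutRequest carries the same NameID (value and Format)
as the assertion that opened the session.

Added example, not Microsoft's code. The messages are constructed minimal
SAML 2.0 fragments; TENANT-ID-PLACEHOLDER and the opaque id are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"

# Constructed sign-in assertion: the app was configured to receive an email NameID.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
    IssueInstant="2020-05-01T10:00:00Z">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FMT}">alice@contoso.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed logout as sent before the fix: always a persistent-format NameID.
LOGOUT_BEFORE_FIX = f"""<samlp:LogoutRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_l1" Version="2.0" IssueInstant="2020-05-01T11:00:00Z">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:NameID Format="{PERSISTENT_FMT}">CONSTRUCTED-OPAQUE-ID</saml:NameID>
</samlp:LogoutRequest>"""

# Constructed logout as sent after the fix: matches the configured NameID.
LOGOUT_AFTER_FIX = f"""<samlp:LogoutRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_l2" Version="2.0" IssueInstant="2020-05-01T11:00:00Z">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:NameID Format="{EMAIL_FMT}">alice@contoso.example</saml:NameID>
</samlp:LogoutRequest>"""


def name_id(xml_text: str) -> Tuple[str, str]:
    """Return (Format, value) of the NameID; under Subject in an Assertion,
    directly under the element in a LogoutRequest. A missing Format attribute
    means 'unspecified' per the SAML core spec."""
    root = ET.fromstring(xml_text)
    el = root.find(".//saml:NameID", NS)
    if el is None:
        raise ValueError("message carries no NameID")
    return el.get("Format", UNSPECIFIED_FMT), (el.text or "").strip()


def find_session(sessions: Dict[Tuple[str, str], str], logout_xml: str) -> Optional[str]:
    """Look up the session keyed by the exact (Format, value) pair. An SP that
    cannot find a match discards the logout and the user stays signed in."""
    return sessions.get(name_id(logout_xml))


def logout_matches_session(assertion_xml: str, logout_xml: str) -> bool:
    """True when the logout names the same subject, in the same format, as the assertion."""
    return name_id(assertion_xml) == name_id(logout_xml)


if __name__ == "__main__":
    sessions = {name_id(ASSERTION): "session-0001"}
    print("before fix ->", find_session(sessions, LOGOUT_BEFORE_FIX))
    print("after fix  ->", find_session(sessions, LOGOUT_AFTER_FIX))
```

An SP that keys sessions only on the NameID value would have matched the email either way; the Format check is included because the SAML single-logout profile requires both to agree, and the persistent-format opaque value would not match on value alone in any case.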


Hybrid Identity Administrator role is now available with Cloud Provisioning

Type: New feature
Service category: Azure AD Cloud Provisioning
Product capability: Identity Lifecycle Management

IT Admins can start using the new "Hybrid Admin" role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, you no longer have to use the Global Admin role to set up and configure Cloud Provisioning. Learn more.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2020, we have added the following 36 new applications in our App gallery with Federation support:

Moula, Surveypal, Kbot365, TackleBox, Powell Teams, Talentsoft Assistant, ASC Recording Insights, GO1, B-Engaged, Competella Contact Center Workgroup, Asite, ImageSoft Identity, My IBISWorld, insuite, Change Process Management, Cyara CX Assurance Platform, Smart Global Governance, Prezi, Mapbox, Datava Enterprise Service Platform, Whimsical, Trelica, EasySSO for Confluence, EasySSO for BitBucket, EasySSO for Bamboo, Torii, Axiad Cloud, Humanage, ColorTokens ZTNA, CCH Tagetik, ShareVault, Vyond, TextExpander, Anyone Home CRM, askSpoke, ice Contact Center

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest.


Report-only mode for Conditional Access is now generally available

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Report-only mode for Azure AD Conditional Access lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we’ve seen strong adoption of report-only mode—over 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they’re created. And for those of you who use the MS Graph APIs, you can manage report-only policies programmatically as well.


Self-service sign up for guest users

Type: New feature
Service category: B2B
Product capability: B2B/B2C

With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. When sharing an application with external users, you might not always know in advance who will need access to the application. With self-service sign-up, you can enable guest users to sign up and gain a guest account for your line of business (LOB) apps. The sign-up flow can be created and customized to support Azure AD and social identities. You can also collect additional information about the user during sign-up.


Conditional Access Insights and Reporting workbook is generally available

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The insights and reporting workbook gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real-time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes following these instructions. To make the dashboard more discoverable, we’ve moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.


Policy details blade for Conditional Access is in public preview

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The new policy details blade displays the assignments, conditions, and controls satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.


New query capabilities for Directory Objects in Microsoft Graph are in Public Preview

Type: New feature
Service category: MS Graph
Product capability: Developer Experience

New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter, and Sort operations. This will give developers the ability to quickly query our Directory Objects without workarounds such as in-memory filtering and sorting. Find out more in this blog post.

We are currently in Public Preview, looking for feedback. Please send your comments with this brief survey.


Configure SAML-based single sign-on using Microsoft Graph API (Beta)

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Support for creating and configuring an application from the Azure AD Gallery using MS Graph APIs in Beta is now available. If you need to set up SAML-based single sign-on for multiple instances of an application, save time by using the Microsoft Graph APIs to automate the configuration of SAML-based single sign-on.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


SAML Token Encryption is Generally Available

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

SAML token encryption allows applications to be configured to receive encrypted SAML assertions. The feature is now generally available in all clouds.


Group name claims in application tokens is Generally Available

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

The group claims issued in a token can now be limited to just those groups assigned to the application. This is especially important when users are members of large numbers of groups and there was a risk of exceeding token size limits. With this new capability in place, the ability to add group names to tokens is generally available.


Workday Writeback now supports setting work phone number attributes

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

We have enhanced the Workday Writeback provisioning app to now support writeback of work phone number and mobile number attributes. In addition to email and username, you can now configure the Workday Writeback provisioning app to flow phone number values from Azure AD to Workday. For more details on how to configure phone number writeback, refer to the Workday Writeback app tutorial.


Publisher Verification (preview)

Type: New feature
Service category: Other
Product capability: Developer Experience

Publisher verification (preview) helps admins and end-users understand the authenticity of application developers integrating with the Microsoft identity platform. For details, refer to Publisher verification (preview).


Authorization Code Flow for Single-page apps

Type: Changed feature
Service category: Authentication
Product capability: Developer Experience

Because of modern browser 3rd party cookie restrictions such as Safari ITP, SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO; MSAL.js v2.x will now support the authorization code flow. There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. For guidance, refer to Quickstart: Sign in users and get an access token in a JavaScript SPA using the auth code flow.


Improved Filtering for Devices is in Public Preview

Type: Changed Feature
Service category: Device Management
Product capability: Device Lifecycle Management

Previously, the only filters you could use were "Enabled" and "Activity date." Now, you can filter your list of devices on more properties, including OS type, join type, compliance, and more. These additions should simplify locating a particular device.


The new App registrations experience for Azure AD B2C is now generally available

Type: Changed Feature
Service category: B2C - Consumer Identity Management
Product capability: Identity Lifecycle Management

The new App registrations experience for Azure AD B2C is now generally available.

Previously, you had to manage your B2C consumer-facing applications separately from the rest of your apps using the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure.

The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. Whether you need to manage a customer-facing app or an app that has access to Microsoft Graph to programmatically manage Azure AD B2C resources, you only need to learn one way to do things.

You can reach the new experience by navigating the Azure AD B2C service and selecting the App registrations blade. The experience is also accessible from the Azure Active Directory service.

The Azure AD B2C App registrations experience is based on the general App Registration experience for Azure AD tenants but is tailored for Azure AD B2C. The legacy "Applications" experience will be deprecated in the future.

For more information, visit The New app registration experience for Azure AD B2C.


April 2020

Combined security info registration experience is now generally available

Type: New feature

Service category: Authentications (Logins)

Product capability: Identity Security & Protection

The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) is now generally available. This new registration experience enables users to register for MFA and SSPR in a single, step-by-step process. When you deploy the new experience for your organization, users can register in less time and with fewer hassles. Check out the blog post here.


Continuous Access Evaluation

Type: New feature

Service category: Authentications (Logins)

Product capability: Identity Security & Protection

Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). We are rolling this feature out first for Teams and Outlook clients. For more details, please read our blog and documentation.


SMS Sign-in: Firstline Workers can sign in to Azure AD-backed applications with their phone number and no password

Type: New feature

Service category: Authentications (Logins)

Product capability: User Authentication

Office is launching a series of mobile-first business apps that cater to non-traditional organizations, and to employees in large organizations that don’t use email as their primary communication method. These apps target frontline employees, deskless workers, field agents, or retail employees that may not get an email address from their employer, have access to a computer, or to IT. This project will let these employees sign in to business applications by entering a phone number and roundtripping a code. For more details, please see our admin documentation and end user documentation.


Invite internal users to use B2B collaboration

Type: New feature

Service category: B2B

Product capability:

We're expanding B2B invitation capability to allow existing internal accounts to be invited to use B2B collaboration credentials going forward. This is done by passing the user object to the Invite API in addition to typical parameters like the invited email address. The user's object ID, UPN, group membership, app assignment, etc. remain intact, but going forward they'll use B2B to authenticate with their home tenant credentials rather than the internal credentials they used before the invitation. For details, see the documentation.


Report-only mode for Conditional Access is now generally available

Type: New feature

Service category: Conditional Access

Product capability: Identity Security & Protection

Report-only mode for Azure AD Conditional Access lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we’ve seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they’re created. And for those of you who use the MS Graph APIs, you can also manage report-only policies programmatically.


Conditional Access insights and reporting workbook is generally available

Type: New feature

Service category: Conditional Access

Product capability: Identity Security & Protection

The Conditional Access insights and reporting workbook gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes following these instructions. To make the dashboard more discoverable, we’ve moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.


Policy details blade for Conditional Access is in public preview

Type: New feature

Service category: Conditional Access

Product capability: Identity Security & Protection

The new policy details blade displays which assignments, conditions, and controls were satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.


Type: New feature

Service category: Enterprise Apps

Product capability: 3rd Party Integration

In April 2020, we've added these 31 new apps with Federation support to the app gallery:

SincroPool Apps, SmartDB, Float, LMS365, IWT Procurement Suite, Lunni, EasySSO for Jira, Virtual Training Academy, Meraki Dashboard, Office 365 Mover, Speaker Engage, Honestly, Ally, DutyFlow, AlertMedia, gr8 People, Pendo, HighGround, Harmony, Timetabling Solutions, SynchroNet CLICK, empower, Fortes Change Cloud, Litmus, GroupTalk, Frontify, MongoDB Cloud, TickitLMS Learn, COCO, Nitro Productivity Suite, Trend Micro Web Security (TMWS)

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Microsoft Graph delta query support for oAuth2PermissionGrant available for Public Preview

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

Delta query for oAuth2PermissionGrant is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. Learn more.


Microsoft Graph delta query support for organizational contact generally available

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

Delta query for organizational contacts is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls orgContact data by delta query to significantly improve performance. Learn more.


Microsoft Graph delta query support for application generally available

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

Delta query for applications is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls application data by delta query to significantly improve performance. Learn more.


Microsoft Graph delta query support for administrative units available for Public Preview

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

Delta query for administrative units is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. Learn more.
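The delta query announcements above (oAuth2PermissionGrant, organizational contacts, applications, administrative units) all describe the same pattern: fetch once, follow @odata.nextLink until a page carries @odata.deltaLink, persist that link, and start the next sync from it. The following is an added example, not Microsoft's code, showing that loop for oAuth2PermissionGrant with the HTTP layer replaced by constructed in-memory responses so it runs offline; the beta endpoint path and the grant records are assumptions for illustration.

```python
"""Track oAuth2PermissionGrant changes with a Microsoft Graph delta query.

Added example (not Microsoft's code). `fake_fetch` stands in for an
authenticated GET against graph.microsoft.com; the responses below are
constructed sample data, not real tenant output.
"""
from typing import Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/beta"          # preview endpoint, assumed
DELTA_URL = f"{GRAPH}/oauth2PermissionGrants/delta"

# Constructed sample 'server'. Page 1 points to page 2 via @odata.nextLink;
# the last page of a sync carries @odata.deltaLink, which the client must
# store and use as the start URL of the next sync instead of polling.
SAMPLE_SERVER: Dict[str, dict] = {
    DELTA_URL: {
        "value": [
            # consentType AllPrincipals = tenant-wide (admin) consent
            {"id": "grant-1", "clientId": "sp-mailer", "consentType": "AllPrincipals",
             "principalId": None, "resourceId": "sp-graph", "scope": "Mail.Read"},
        ],
        "@odata.nextLink": DELTA_URL + "?$skiptoken=page2",
    },
    DELTA_URL + "?$skiptoken=page2": {
        "value": [
            {"id": "grant-2", "clientId": "sp-crm", "consentType": "Principal",
             "principalId": "user-42", "resourceId": "sp-graph", "scope": "User.Read"},
        ],
        "@odata.deltaLink": DELTA_URL + "?$deltatoken=sync1",
    },
    # Second sync: grant-1 had its scope widened, grant-2 was revoked.
    DELTA_URL + "?$deltatoken=sync1": {
        "value": [
            {"id": "grant-1", "clientId": "sp-mailer", "consentType": "AllPrincipals",
             "principalId": None, "resourceId": "sp-graph", "scope": "Mail.Read Mail.Send"},
            {"id": "grant-2", "@removed": {"reason": "deleted"}},
        ],
        "@odata.deltaLink": DELTA_URL + "?$deltatoken=sync2",
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated Graph GET."""
    return SAMPLE_SERVER[url]


def walk_delta(fetch: Callable[[str], dict], url: str) -> Tuple[List[dict], str]:
    """Follow nextLink pages; return all changed items and the new deltaLink."""
    changes: List[dict] = []
    while True:
        page = fetch(url)
        changes.extend(page.get("value", []))
        if "@odata.nextLink" in page:      # more pages in this sync round
            url = page["@odata.nextLink"]
            continue
        return changes, page["@odata.deltaLink"]


def apply_changes(state: Dict[str, dict], changes: List[dict]) -> List[Tuple[str, str]]:
    """Merge delta items into the local grant inventory and emit audit events.

    Removed objects arrive as stubs carrying only 'id' and '@removed'.
    A scope change on an existing grant is surfaced separately because a
    widened tenant-wide consent is the case a defender most wants to see.
    """
    events: List[Tuple[str, str]] = []
    for item in changes:
        gid = item["id"]
        if "@removed" in item:
            if state.pop(gid, None) is not None:
                events.append(("removed", gid))
            continue
        old = state.get(gid)
        state[gid] = item
        if old is None:
            events.append(("added", gid))
        elif old.get("scope") != item.get("scope"):
            events.append(("scope_changed", gid))
    return events


def sync(fetch: Callable[[str], dict], state: Dict[str, dict],
         start_url: str) -> Tuple[List[Tuple[str, str]], str]:
    """One sync round: start_url is DELTA_URL initially, then the saved deltaLink."""
    changes, delta_link = walk_delta(fetch, start_url)
    return apply_changes(state, changes), delta_link


if __name__ == "__main__":
    inventory: Dict[str, dict] = {}
    events, link = sync(fake_fetch, inventory, DELTA_URL)
    print("initial:", events)           # two grants added
    events, link = sync(fake_fetch, inventory, link)
    print("next round:", events)        # scope widened on grant-1, grant-2 removed
```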


Manage authentication phone numbers and more in new Microsoft Graph beta APIs

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

These APIs are a key tool for managing your users’ authentication methods. Now you can programmatically pre-register and manage the authenticators used for MFA and self-service password reset (SSPR). This has been one of the most-requested features in the Azure MFA, SSPR, and Microsoft Graph spaces. The new APIs we’ve released in this wave give you the ability to:

  • Read, add, update, and remove a user’s authentication phones
  • Reset a user’s password
  • Turn on and off SMS-sign-in

For more information, see Azure AD authentication methods API overview.


Administrative Units Public Preview

Type: New feature

Service category: RBAC

Product capability: Access Control

Administrative units allow you to grant admin permissions that are restricted to a department, region, or other segment of your organization that you define. You can use administrative units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their administrative unit.

Using administrative units, a central administrator could:

  • Create an administrative unit for decentralized management of resources
  • Assign a role with administrative permissions over only Azure AD users in an administrative unit
  • Populate the administrative units with users and groups as needed

For more information, see Administrative units management in Azure Active Directory (preview).


Printer Administrator and Printer Technician built-in roles

Type: New feature

Service category: RBAC

Product capability: Access Control

Printer Administrator: Users with this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.

Printer Technician: Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician cannot do are set user permissions on printers and sharing printers. Learn more.


Hybrid Identity Admin built-in role

Type: New feature

Service category: RBAC

Product capability: Access Control

Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods—Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider)—and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents. This role grants the ability to enable Seamless Single Sign-On (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. Learn more.


Network Administrator built-in role

Type: New feature

Service category: RBAC

Product capability: Access Control

Users with this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Office 365 relies on careful enterprise customer network perimeter architecture, which is generally user location-specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. Learn more.


Bulk activity and downloads in the Azure AD admin portal experience

Type: New feature

Service category: User Management

Product capability: Directory

Now you can perform bulk activities on users and groups in Azure AD by uploading a CSV file in the Azure AD admin portal experience. You can create users, delete users, and invite guest users. And you can add and remove members from a group.

You can also download lists of Azure AD resources from the Azure AD admin portal experience. You can download the list of users in the directory, the list of groups in the directory, and the members of a particular group.

For more information, check out the following:


My Staff delegated user management

Type: New feature

Service category: User Management

Product capability:

My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who can’t access their account can regain access in just a couple of clicks, with no helpdesk or IT staff required. For more information, see Manage your users with My Staff (preview) and Delegate user management with My Staff (preview).


An upgraded end user experience in access reviews

Type: Changed feature

Service category: Access Reviews

Product capability: Identity Governance

We have updated the reviewer experience for Azure AD access reviews in the My Apps portal. At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Please note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive. You can learn more about the updated experience here. This public preview will last until the end of July 2020. At the end of July, reviewers who have not opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, please make a request here.


Workday inbound user provisioning and writeback apps now support the latest versions of Workday Web Services API

Type: Changed feature

Service category: App Provisioning

Product capability:

Based on customer feedback, we have now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services (WWS) API. With this change, customers can specify the WWS API version that they would like to use in the connection string. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. The Workday Writeback app now uses the recommended Change_Work_Contact_Info Workday web service to overcome the limitations of Maintain_Contact_Info.

If no version is specified in the connection string, by default, the Workday inbound provisioning apps will continue to use WWS v21.1. To switch to the latest Workday APIs for inbound user provisioning, customers need to update the connection string as documented in the tutorial and also update the XPATHs used for Workday attributes as documented in the Workday attribute reference guide.

To use the new API for writeback, there are no changes required in the Workday Writeback provisioning app. On the Workday side, ensure that the Workday Integration System User (ISU) account has permissions to invoke the Change_Work_Contact business process as documented in the tutorial section, Configure business process security policy permissions.

We have updated our tutorial guide to reflect the new API version support.


Users with default access role are now in scope for provisioning

Type: Changed feature

Service category: App Provisioning

Product capability: Identity Lifecycle Management

Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually we will change the behavior for existing provisioning configurations to support provisioning users with this role. Learn more.


Updated provisioning UI

Type: Changed feature

Service category: App Provisioning

Product capability: Identity Lifecycle Management

We've refreshed our provisioning experience to create a more focused management view. When you navigate to the provisioning blade for an enterprise application that has already been configured, you'll be able to easily monitor the progress of provisioning and manage actions such as starting, stopping, and restarting provisioning. Learn more.


Dynamic Group rule validation is now available for Public Preview

Type: Changed feature

Service category: Group Management

Product capability: Collaboration

Azure Active Directory (Azure AD) now provides the means to validate dynamic group rules. On the Validate rules tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When creating or updating dynamic group rules, administrators want to know whether a user or a device will be a member of the group. This helps evaluate whether a user or device meets the rule criteria and aids in troubleshooting when membership is not expected.

For more information, see Validate a dynamic group membership rule (preview).


Identity Secure Score - Security Defaults and MFA improvement action updates

Type: Changed feature

Service category: N/A

Product capability: Identity Security & Protection

Supporting security defaults for Azure AD improvement actions: Microsoft Secure Score will be updating improvement actions to support security defaults in Azure AD, which make it easier to help protect your organization with pre-configured security settings for common attacks. This will affect the following improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access
  • Require MFA for administrative roles
  • Enable policy to block legacy authentication

MFA improvement action updates: To reflect the need for businesses to ensure the utmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multi-factor authentication and added two.

Removed improvement actions:

  • Register all users for multi-factor authentication
  • Require MFA for all users
  • Require MFA for Azure AD privileged roles

Added improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access
  • Require MFA for administrative roles

These new improvement actions require registering your users or admins for multi-factor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for MFA. Read more about what's new in Microsoft Secure Score.


March 2020

Unmanaged Azure Active Directory accounts in B2B update for March, 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

Beginning on March 31, 2021, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure Active Directory (Azure AD) accounts and tenants for B2B collaboration scenarios. In preparation for this, we encourage you to opt in to email one-time passcode authentication.


Users with the default access role will be in scope for provisioning

Type: Plan for change
Service category: App Provisioning
Product capability: Identity Lifecycle Management

Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. We're working on deploying a change so that all new provisioning configurations will allow users with the default access role to be provisioned. Gradually, we'll change the behavior for existing provisioning configurations to support provisioning users with this role. No customer action is required. We'll post an update to our documentation once this change is in place.


Azure AD B2B collaboration will be available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

The Azure AD B2B collaboration capabilities will be made available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants, enabling users in an Azure China 21Vianet tenant to collaborate seamlessly with users in other Azure China 21Vianet tenants. Learn more about Azure AD B2B collaboration.


Azure AD B2B Collaboration invitation email redesign

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

The emails that are sent by the Azure AD B2B collaboration invitation service to invite users to the directory will be redesigned to make the invitation information and the user's next steps clearer.


HomeRealmDiscovery policy changes will appear in the audit logs

Type: Fixed
Service category: Audit
Product capability: Monitoring & Reporting

We fixed a bug where changes to the HomeRealmDiscovery policy were not included in the audit logs. You will now be able to see when and how the policy was changed, and by whom.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2020, we've added these 51 new apps with Federation support to the app gallery:

Cisco AnyConnect, Zoho One China, PlusPlus, Profit.co SAML App, iPoint Service Provider, contexxt.ai SPHERE, Wisdom By Invictus, Flare Digital Signage, Logz.io - Cloud Observability for Engineers, SpectrumU, BizzContact, Elqano SSO, MarketSignShare, CrossKnowledge Learning Suite, Netvision Compas, FCM HUB, RIB A/S Byggeweb Mobile, GoLinks, Datadog, Zscaler B2B User Portal, LIFT, Planview Enterprise One, WatchTeams, Aster, Skills Workflow, Node Insight, IP Platform, InVision, Pipedrive, Showcase Workshop, Greenlight Integration Platform, Greenlight Compliant Access Management, Grok Learning, Miradore Online, Khoros Care, AskYourTeam, TruNarrative, Smartwaiver, Bizagi Studio for Digital Process Automation, insuiteX, sybo, Britive, WhosOffice, E-days, Kollective SDN, Witivio, Playvox, Korn Ferry 360, Campus Café, Catchpoint, Code42

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Azure AD B2B Collaboration available in Azure Government tenants

Type: New feature
Service category: B2B
Product capability: B2B/B2C

The Azure AD B2B collaboration features are now available between some Azure Government tenants. To find out if your tenant is able to use these capabilities, follow the instructions at How can I tell if B2B collaboration is available in my Azure US Government tenant?.


Azure Monitor integration for Azure Logs is now available in Azure Government

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure Monitor integration with Azure AD logs is now available in Azure Government. You can route Azure AD Logs (Audit and Sign-in Logs) to a storage account, Event Hub and Log Analytics. Please check out the detailed documentation as well as deployment plans for reporting and monitoring for Azure AD scenarios.


Identity Protection Refresh in Azure Government

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We’re excited to share that we have now rolled out the refreshed Azure AD Identity Protection experience in the Microsoft Azure Government portal. For more information, see our announcement blog post.


Disaster recovery: Download and store your provisioning configuration

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

The Azure AD provisioning service provides a rich set of configuration capabilities. Customers need to be able to save their configuration so that they can refer to it later or roll back to a known good version. We've added the ability to download your provisioning configuration as a JSON file and upload it when you need it. Learn more.


SSPR (self-service password reset) now requires two gates for admins in Microsoft Azure operated by 21Vianet (Azure China 21Vianet)

Type: Changed feature
Service category: Self-Service Password Reset
Product capability: Identity Security & Protection

Previously in Microsoft Azure operated by 21Vianet (Azure China 21Vianet), admins using self-service password reset (SSPR) to reset their own passwords needed only one "gate" (challenge) to prove their identity. In public and other national clouds, admins generally must use two gates to prove their identity when using SSPR. But because we didn't support SMS or phone calls in Azure China 21Vianet, we allowed one-gate password reset by admins.

We're creating SSPR feature parity between Azure China 21Vianet and the public cloud. Going forward, admins must use two gates when using SSPR. SMS, phone calls, and Authenticator app notifications and codes will be supported. Learn more.


Password length is limited to 256 characters

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

To ensure the reliability of the Azure AD service, user passwords are now limited in length to 256 characters. Users with passwords longer than this will be asked to change their password on subsequent login, either by contacting their admin or by using the self-service password reset feature.

This change was enabled on March 13th, 2020, at 10AM PST (18:00 UTC), and the error is AADSTS 50052, InvalidPasswordExceedsMaxLength. See the breaking change notice for more details.


Azure AD sign-in logs are now available for all free tenants through the Azure portal

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

Starting now, customers who have free tenants can access the Azure AD sign-in logs from the Azure portal for up to 7 days. Previously, sign-in logs were available only for customers with Azure Active Directory Premium licenses. With this change, all tenants can access these logs through the portal.

Note

Customers still need a premium license (Azure Active Directory Premium P1 or P2) to access the sign-in logs through Microsoft Graph API and Azure Monitor.


Deprecation of Directory-wide groups option from Groups General Settings on Azure portal

Type: Deprecated
Service category: Group Management
Product capability: Collaboration

To provide a more flexible way for customers to create directory-wide groups that best meet their needs, we've replaced the Directory-wide Groups option from the Groups > General settings in the Azure portal with a link to dynamic group documentation. We've improved our documentation to include more instructions so administrators can create all-user groups that include or exclude guest users.


February 2020

Upcoming changes to custom controls

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

We're planning to replace the current custom controls preview with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences. Today, partner MFA solutions face the following limitations: they work only after a password has been entered; they don't serve as MFA for step-up authentication in other key scenarios; and they don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including registration, usage, MFA claims, step up authentication, reporting, and logging.

Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We are working closely with customers and providers and will communicate the timeline as we get closer. Learn more.


Identity Secure Score - MFA improvement action updates

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

To reflect the need for businesses to ensure the utmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multi-factor authentication (MFA) and adding two.

The following improvement actions will be removed:

  • Register all users for MFA
  • Require MFA for all users
  • Require MFA for Azure AD privileged roles

The following improvement actions will be added:

  • Ensure all users can complete MFA for secure access
  • Require MFA for administrative roles

These new improvement actions will require registering your users or admins for MFA across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of setting security defaults that let Microsoft decide when to challenge users for MFA, or having multiple policies that apply scoped decisions. As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations. Read more about what's coming in Microsoft Secure Score.
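The "Require MFA for administrative roles" action maps to a Conditional Access policy that targets directory roles rather than individual admin accounts. As an added example (not from the release notes or from Microsoft), the following PowerShell builds that policy with the AzureADPreview module's New-AzureADMSConditionalAccessPolicy cmdlet, starting in report-only mode. The list of role names, the break-glass account UPN and the policy name are assumptions for illustration.

```powershell
# Added example: Conditional Access policy requiring MFA for privileged directory roles.
# Assumes the AzureADPreview module and an existing Connect-AzureAD session with
# Conditional Access Administrator rights. Role list and UPNs are placeholders.

$adminRoleNames = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Conditional Access Administrator', 'Exchange Administrator', 'SharePoint Administrator',
    'User Administrator', 'Authentication Administrator', 'Application Administrator'
)

# Resolve role template IDs by name instead of hardcoding GUIDs in the script.
$roleIds = Get-AzureADDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty ObjectId

if ($roleIds.Count -ne $adminRoleNames.Count) {
    throw "Expected $($adminRoleNames.Count) role templates, resolved $($roleIds.Count). Check the names."
}

# Exclude an emergency-access account so a broken MFA registration cannot lock every admin out.
$breakGlass = Get-AzureADUser -ObjectId 'breakglass@contoso.onmicrosoft.com'   # placeholder UPN

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeRoles = $roleIds
$conditions.Users.ExcludeUsers = @($breakGlass.ObjectId)

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = @('mfa')

# Report-only first: sign-ins are evaluated and logged but not blocked, so the sign-in logs
# show which admins would have been challenged before the policy is enforced.
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName 'Require MFA for administrative roles' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls

# Check what was actually stored before switching the state to 'enabled'.
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = 'Roles'; e = { $_.Conditions.Users.IncludeRoles -join ',' } },
        @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls -join ',' } }

# Once the report-only results look right:
# Set-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id -State 'enabled'
```

Targeting roles rather than a static group means newly assigned admins are covered automatically, which is the behaviour the new improvement action is scoring. Keep the excluded emergency-access account monitored separately, since it is by design outside this policy.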


Azure AD Domain Services SKU selection

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

We've heard feedback that Azure AD Domain Services customers want more flexibility in selecting performance levels for their instances. Starting on February 1, 2020, we switched from a dynamic model (where Azure AD determines the performance and pricing tier based on object count) to a self-selection model. Now customers can choose a performance tier that matches their environment. This change also allows us to enable new scenarios like Resource Forests, and Premium features like daily backups. The object count is now unlimited for all SKUs, but we'll continue to offer object count suggestions for each tier.

No immediate customer action is required. For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we will no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the Azure AD DS SKUs documentation and the Azure AD Domain Services pricing page.


New Federated Apps available in Azure AD Application gallery - February 2020

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2020, we've added these 31 new apps with Federation support to the app gallery:

IamIP Patent Platform, Experience Cloud, NS1 SSO For Azure, Barracuda Email Security Service, ABa Reporting, In Case of Crisis - Online Portal, BIC Cloud Design, Beekeeper Azure AD Data Connector, Korn Ferry Assessments, Verkada Command, Splashtop, Syxsense, EAB Navigate, New Relic (Limited Release), Thulium, Ticket Manager, Template Chooser for Teams, Beesy, Health Support System, MURAL, Hive, LavaDo, Wakelet, Firmex VDR, ThingLink for Teachers and Schools, Coda, NearpodApp, WEDO, InvitePeople, Reprints Desk - Article Galaxy, TeamViewer

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New provisioning connectors in the Azure AD Application Gallery - February 2020

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Azure AD support for FIDO2 security keys in hybrid environments

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're announcing the public preview of Azure AD support for FIDO2 security keys in hybrid environments. Users can now use FIDO2 security keys to sign in to their hybrid Azure AD joined Windows 10 devices and get seamless sign-on to their on-premises and cloud resources. Support for hybrid environments has been the most requested feature from our passwordless customers since we initially launched the public preview of FIDO2 support on Azure AD joined devices. Passwordless authentication using technologies like biometrics and public/private key cryptography provides convenience and ease of use while remaining secure. With this public preview, you can now use modern authentication like FIDO2 security keys to access traditional Active Directory resources. For more information, go to SSO to on-premises resources.

To get started, visit enable FIDO2 security keys for your tenant for step-by-step instructions.
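The on-premises half of this preview is an Azure AD Kerberos Server object in Active Directory, which lets Azure AD issue Kerberos tickets for on-premises resources to a user who signed in with a FIDO2 key. As an added example (not code from the release notes), the PowerShell below creates and verifies that object with the Azure AD Kerberos module that ships with Azure AD Connect. The module path and the domain name are placeholders, and the rotation cadence is an operational recommendation rather than anything the note states.

```powershell
# Added example: publish the Azure AD Kerberos Server object for hybrid FIDO2 sign-in.
# Assumes a domain-joined machine with Azure AD Connect installed (the module ships with it),
# a Global Administrator credential for Azure AD and a Domain Admin credential for on-prem AD.
# Module path and domain are placeholders; adjust to your environment.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1'

$domain     = 'contoso.corp.com'   # placeholder: on-premises AD DNS domain
$cloudCred  = Get-Credential -Message 'Azure AD Global Administrator'
$domainCred = Get-Credential -Message 'On-premises Domain Admin'

# Creates the krbtgt_AzureAD account in on-premises AD and publishes its key to Azure AD.
# Azure AD can then mint TGTs for this domain, so treat the key like krbtgt itself.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# Check: the on-premises and cloud copies should report matching key versions. A mismatch
# means the cloud publish failed and hybrid FIDO2 sign-in will not get on-prem SSO.
$server = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
$server | Format-List Id, DomainDnsName, KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn

# Operational caveat: rotate this key on a schedule, the same way krbtgt is rotated, so a
# captured key has a bounded lifetime. Running this also re-verifies the cloud publish.
# Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
```

The created account is a disabled user account in AD, so an inventory that flags disabled accounts holding krbtgt-like privileges should have this object explicitly allow-listed rather than ignored.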


The new My Account experience is now generally available

Type: Changed feature
Service category: My Profile/Account
Product capability: End User Experiences

My Account, the one-stop shop for all end-user account management needs, is now generally available. End users can access the new site via its URL or from the header of the new My Apps experience. Learn more about all the self-service capabilities the new experience offers at My Account Portal Overview.


My Account site URL updating to myaccount.microsoft.com

Type: Changed feature
Service category: My Profile/Account
Product capability: End User Experiences

The new My Account end user experience will be updating its URL to https://myaccount.microsoft.com in the next month. Find more information about the experience and all the account self-service capabilities it offers to end users at My Account portal help.