What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL into your RSS feed reader: https://docs.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Azure Active Directory.


August 2021

New major version of AADConnect available

Type: Fixed
Service category: AD Connect
Product capability: Identity Lifecycle Management

We've released a new major version of Azure Active Directory Connect. This version contains several updates of foundational components to the latest versions and is recommended for all customers using Azure AD Connect. Learn more.


Public Preview - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10

Type: New feature
Service category: Authentications (Logins)
Product capability: SSO

Native single sign-on (SSO) and device-based Conditional Access are now supported in the Firefox browser on Windows 10 and Windows Server 2019. Support is available in Firefox version 91. Learn more.


Public preview - beta MS Graph APIs for Azure AD access reviews return a list of contacted reviewer names

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

We've released a beta MS Graph API for Azure AD access reviews. The API has methods to return a list of contacted reviewer names in addition to the reviewer type. Learn more.


General Availability - "Register or join devices" user action in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The "Register or join devices" user action is generally available in Conditional access. This user action allows you to control multifactor authentication (MFA) policies for Azure Active Directory (AD) device registration. Currently, this user action only allows you to enable MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. Learn more.


General Availability - customers can scope reviews of privileged roles to eligible or permanent assignments

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Administrators can now create access reviews of only permanent or eligible assignments to privileged Azure AD or Azure resource roles. Learn more.


General availability - assign roles to Azure Active Directory (AD) groups

Type: New feature
Service category: RBAC
Product capability: Access Control

Assigning roles to Azure AD groups is now generally available. This feature can simplify the management of role assignments in Azure AD for Global Administrators and Privileged Role Administrators. Learn more.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2021, we added the following 46 new applications to our app gallery with federation support:

Siriux Customer Dashboard, STRUXI, Autodesk Construction Cloud - Meetings, Eccentex AppBase for Azure, Bookado, FilingRamp, BenQ IAM, Rhombus Systems, CorporateExperience, TutorOcean, Bookado Device, HiFives-AD-SSO, Darzin, Simply Stakeholders, KACTUS HCM - Smart People, Five9 UC Adapter for Microsoft Teams V2, Automation Center, Cirrus Identity Bridge for Azure AD, ShiftWizard SAML, Safesend Returns, Brushup, directprint.io Cloud Print Administration, plain-x, X-point Cloud, SmartHub INFER, Fresh Relevance, FluentPro G.A. Suite, Clockwork Recruiting, WalkMe SAML2.0, Sideways 6, Kronos Workforce Dimensions, SysTrack Cloud Edition, mailworx Dynamics CRM Connector, Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service, Peripass, JobDiva, Sanebox For Office365, Tulip, HP Wolf Security, Genesys Engage cloud Email, Meta Wiki, Palo Alto Networks Cloud Identity Engine Directory Sync, Valarea, LanSchool Air, Catalyst, Webcargo

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Multi-factor (MFA) fraud report – new audit event

Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection

To help administrators understand when a user has been blocked for MFA as a result of a fraud report, we've added a new audit event. The event is recorded when the user reports fraud, and it complements the existing fraud report information already present in the sign-in logs. To learn how to get the audit report, see multifactor authentication Fraud alert.


Improved Low-Risk Detections

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

To improve the quality of the low-risk alerts that Identity Protection issues, we've modified the algorithm to issue fewer low-risk Risky Sign-Ins. Organizations may see a significant reduction in low-risk sign-ins in their environment. Learn more.


Non-interactive risky sign-ins

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now emits risky sign-ins on non-interactive sign-ins. Admins can find these risky sign-ins using the sign-in type filter in the risky sign-ins report. Learn more.


Change from User Administrator to Identity Governance Administrator in Entitlement Management

Type: Changed feature
Service category: Roles
Product capability: Identity Governance

The permissions assignments to manage access packages and other resources in Entitlement Management are moving from the User Administrator role to the Identity Governance administrator role.

Users that have been assigned the User administrator role can no longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User administrator role to configure catalogs, access packages, or policies in entitlement management, they will need a new assignment. You should instead assign these users the Identity Governance administrator role. Learn more.


Windows Azure Active Directory connector is deprecated

Type: Deprecated
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

The Windows Azure AD Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to Azure AD Connect, Azure AD Connect Sync, or the Microsoft Graph Connector, as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. Learn more.


Retirement of older Azure AD Connect versions

Type: Deprecated
Service category: AD Connect
Product capability: User Management

Starting August 31, 2022, all V1 versions of Azure AD Connect will be retired. If you haven't already done so, you need to update your server to Azure AD Connect V2.0. You need to make sure you're running a recent version of Azure AD Connect to receive an optimal support experience.

If you run a retired version of Azure AD Connect it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements. Also, if you require support we can't provide you with the level of service your organization needs.

See Azure Active Directory Connect V2.0, what has changed in V2.0 and how this change impacts you.


Retirement of support for installing MIM on Windows Server 2008 R2 or SQL Server 2008 R2

Type: Deprecated
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

Deploying MIM Sync, Service, Portal or CM on Windows Server 2008 R2, or using SQL Server 2008 R2 as the underlying database, is deprecated as these platforms are no longer in mainstream support. Installing MIM Sync and other components on Windows Server 2016 or later, and with SQL Server 2016 or later, is recommended.

Deploying MIM for Privileged Access Management with a Windows Server 2012 R2 domain controller in the PRIV forest is deprecated. Use Windows Server 2016 or later Active Directory, with Windows Server 2016 functional level, for your PRIV forest domain. The Windows Server 2012 R2 functional level is still permitted for a CORP forest's domain. Learn more.


July 2021

New Google sign-in integration for Azure AD B2C and B2B self-service sign-up and invited external users will stop working starting July 12, 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

Previously we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021.

On July 7, 2021, we learned from Google that some of these restrictions will apply starting July 12, 2021. Azure AD B2B and B2C customers who set up a new Google ID sign-in in their custom or line of business applications to invite external users or enable self-service sign-up will have the restrictions applied immediately. As a result, end-users will be met with an error screen that blocks their Gmail sign-in if the authentication is not moved to a system webview. Please see the docs linked below for details.

Most apps use the system web-view by default and will not be impacted by this change. This only applies to customers using embedded webviews (the non-default setting). We advise customers to move their application's authentication to system browsers instead, prior to creating any new Google integrations. To learn how to move to system browsers for Gmail authentications, please read the Embedded vs System Web UI section in the Using web browsers (MSAL.NET) documentation. All MSAL SDKs use the system web-view by default. Learn more.


Google sign-in on embedded web-views expiring September 30, 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

About two months ago we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021.

Recently, Google has specified the date to be September 30, 2021.

Rolling out globally beginning September 30, 2021, Azure AD B2B guests signing in with their Gmail accounts will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. This applies to invited guests as well as guests who signed up using Self-Service Sign-Up.

Azure AD B2C customers who have set up embedded webview Gmail authentications in their custom/line of business apps or have existing Google integrations, will no longer be able to let their users sign in with Gmail accounts. To mitigate this, please make sure to modify your apps to use the system browser for sign-in. For more information, read the Embedded vs System Web UI section in the Using web browsers (MSAL.NET) documentation. All MSAL SDKs use the system web-view by default.

As the device login flow will start rolling out on September 30, 2021, it may not be rolled out to your region yet (in which case your end-users will be met with the error screen shown in the documentation until it gets deployed to your region).

For details on known impacted scenarios as well as what experience your users can expect, read Add Google as an identity provider for B2B guest users.


Bug fixes in My Apps

Type: Fixed
Service category: My Apps
Product capability: End User Experiences

  • Previously, the presence of the banner recommending the use of collections caused content to scroll behind the header. This issue has been resolved.
  • Previously, when adding apps to a collection, the order of apps in the All Apps collection would be randomly reordered. This issue has also been resolved.

For more information on My Apps, read Sign in and start apps from the My Apps portal.


Public preview - Application authentication method policies

Type: New feature
Service category: MS Graph
Product capability: Developer Experience

Application authentication method policies in MS Graph allow IT admins to enforce a maximum lifetime on application password (secret) credentials, or to block the use of secrets altogether. A policy can be enforced for an entire tenant as the default configuration, or it can be scoped to specific applications or service principals. Learn more.


Public preview - Authentication Methods nudge to download Microsoft Authenticator

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

The Authenticator nudge policy helps admins to move their organizations to a more secure posture by prompting users to adopt the Microsoft Authenticator app. Prior to this feature, there was no way for an admin to push their users to set up the Authenticator app.

The Nudge lets an admin scope which users and groups are included in or excluded from the Nudge, to ensure a smooth adoption across the organization. Learn more.


Public preview - Separation of duties check

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will then be unable to request additional access. Learn more.


Public preview - Identity Protection logs in Log Analytics, Storage Accounts, and Event Hubs

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

You can now send the risky users and risk detections logs to Azure Monitor, Storage Accounts, or Log Analytics using the Diagnostic Settings in the Azure AD blade. Learn more.


Public preview - Application Proxy API addition for backend SSL certificate validation

Type: New feature
Service category: App Proxy
Product capability: Access Control

The onPremisesPublishing resource type now includes the property "isBackendCertificateValidationEnabled", which indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property will be set to true by default. For all existing apps, the property will be set to false. For more information, read the onPremisesPublishing resource type API.
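Because existing Application Proxy apps keep the property at false, a defender's first step is to inventory them. The script below is an added example, not code from the page or from Microsoft; it assumes the JSON shape of the beta Graph `application` resource with its `onPremisesPublishing` property, and the sample response and PATCH body shape are constructed for illustration.

```python
"""Audit Application Proxy apps for backend TLS certificate validation.

Added example, not from the original page. Assumes the shape of the beta
Microsoft Graph `application` resource, where `onPremisesPublishing` carries
`isBackendCertificateValidationEnabled` as described in the text above.
The sample response below is constructed, not captured from a real tenant.
"""
import json

# Constructed sample of a GET /beta/applications?$select=displayName,onPremisesPublishing
# response (ids and URLs are illustrative placeholders).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": "app-1", "displayName": "Intranet Portal",
         "onPremisesPublishing": {"externalUrl": "https://portal-contoso.msappproxy.net/",
                                  "internalUrl": "https://portal.corp.contoso.local/",
                                  "isBackendCertificateValidationEnabled": True}},
        {"id": "app-2", "displayName": "Legacy HR",
         "onPremisesPublishing": {"externalUrl": "https://hr-contoso.msappproxy.net/",
                                  "internalUrl": "https://hr.corp.contoso.local/",
                                  "isBackendCertificateValidationEnabled": False}},
        {"id": "app-3", "displayName": "Plain HTTP Wiki",
         "onPremisesPublishing": {"externalUrl": "https://wiki-contoso.msappproxy.net/",
                                  "internalUrl": "http://wiki.corp.contoso.local/",
                                  "isBackendCertificateValidationEnabled": False}},
        {"id": "app-4", "displayName": "Cloud-only app", "onPremisesPublishing": None},
    ]
})


def classify_app(app: dict) -> str:
    """Return one of: 'not-proxied', 'validated', 'http-backend', 'unvalidated'."""
    pub = app.get("onPremisesPublishing")
    if not pub:
        return "not-proxied"      # not published through Application Proxy
    internal = pub.get("internalUrl", "")
    if internal.lower().startswith("http://"):
        return "http-backend"     # no TLS to the backend at all; a separate finding
    if pub.get("isBackendCertificateValidationEnabled") is True:
        return "validated"
    return "unvalidated"          # existing apps default to false, per the text


def audit(response_json: str) -> dict:
    """Group app display names by classification."""
    apps = json.loads(response_json)["value"]
    report: dict = {}
    for app in apps:
        report.setdefault(classify_app(app), []).append(app["displayName"])
    return report


def remediation_patches(response_json: str) -> list:
    """Build PATCH bodies (assumed shape) that turn validation on for 'unvalidated' apps."""
    apps = json.loads(response_json)["value"]
    return [
        {"id": app["id"],
         "body": {"onPremisesPublishing": {"isBackendCertificateValidationEnabled": True}}}
        for app in apps if classify_app(app) == "unvalidated"
    ]


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
    print(json.dumps(remediation_patches(SAMPLE_RESPONSE), indent=2))
```

Apps with an http:// backend are reported separately, since enabling certificate validation does nothing for them until the backend itself is moved to TLS.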


General availability - Improved Authenticator setup experience for adding an Azure AD account in the Microsoft Authenticator app by signing directly into the app

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Users can now use their existing authentication methods to directly sign into the Microsoft Authenticator app to set up their credential. Users don't need to scan a QR Code anymore and can use a Temporary Access Pass (TAP) or Password + SMS (or other authentication method) to configure their account in the Authenticator app.

This improves the user credential provisioning process for the Microsoft Authenticator app and gives the end user a self-service method to provision the app. Learn more.


General availability - Set manager as reviewer in Azure AD entitlement management access packages

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

Access packages in Azure AD entitlement management now support setting the user's manager as the reviewer for regularly occurring access reviews. Learn more.


General availability - Enable external users to self-service sign-up in AAD using MSA accounts

Type: New feature
Service category: B2B
Product capability: B2B/B2C

You can now enable external users to self-service sign-up in Azure Active Directory using Microsoft accounts. Learn more.


General availability - External Identities Self-Service Sign-Up with Email One-time Passcode

Type: New feature
Service category: B2B
Product capability: B2B/B2C

You can now enable external users to self-service sign-up in Azure Active Directory using their email and a one-time passcode. Learn more.


General availability - Anomalous token

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Anomalous token detection is now available in Identity Protection. This feature can detect abnormal characteristics in a token, such as its active time or authentication from an unfamiliar IP address. Learn more.


General availability - Register or join devices in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The Register or join devices user action in Conditional access is now in general availability. This user action allows you to control Multi-factor Authentication (MFA) policies for Azure AD device registration.

Currently, this user action only allows you to enable MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. Learn more.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, read Automate user provisioning to SaaS applications with Azure AD.


Changes to security and Microsoft 365 group settings in Azure portal

Type: Changed feature
Service category: Group Management
Product capability: Directory

In the past, users could create security groups and Microsoft 365 groups in the Azure portal. Now users will have the ability to create groups across Azure portals, PowerShell, and API. Customers are required to verify that the new settings have been configured for their organization and update them as needed. Learn more.


"All Apps" collection has been renamed to "Apps"

Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

In the My Apps portal, the collection that was called "All Apps" has been renamed to be called "Apps". As the product evolves, "Apps" is a more fitting name for this default collection. Learn more.


June 2021

Context panes to display risk details in Identity Protection Reports

Type: Plan for change
Service category: Identity Protection
Product capability: Identity Security & Protection

For the Risky users, Risky sign-ins, and Risk detections reports in Identity Protection, the risk details of a selected entry will be shown in a context pane appearing from the right of the page, starting July 2021. The change only impacts the user interface and won't affect any existing functionality. To learn more about the functionality of these features, refer to How To: Investigate risk.


Public preview - create Azure AD access reviews of Service Principals that are assigned to privileged roles

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

You can use Azure AD access reviews to review service principals' access to privileged Azure AD and Azure resource roles. Learn more.


Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Now group owners in Azure AD can create and manage Azure AD access reviews on their groups. This ability can be enabled by tenant administrators through Azure AD access review settings and is disabled by default. Learn more.


Public preview - customers can scope access reviews of privileged roles to just users with eligible or active access

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

When admins create access reviews of assignments to privileged roles, they can scope the reviews to only eligibly assigned users or only actively assigned users. Learn more.


Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies

Type: New feature
Service category: Other
Product capability: Device Lifecycle Management

Microsoft Graph support for the Mobility (MDM/MAM) configuration in Azure AD is in public preview. Administrators can configure user scope and URLs for MDM applications like Intune using Microsoft Graph v1.0. For more information, see the mobilityManagementPolicy resource type.


General availability - Custom questions in access package request flow in Azure Active Directory entitlement management

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

Azure AD entitlement management now supports the creation of custom questions in the access package request flow. This feature allows you to configure custom questions in the access package policy. These questions are shown to requestors who can input their answers as part of the access request process. These answers will be displayed to approvers, giving them helpful information that empowers them to make better decisions on the access request. Learn more.


General availability - Multi-geo SharePoint sites as resources in Entitlement Management Access Packages

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

Access packages in Entitlement Management now support multi-geo SharePoint sites for customers who use the multi-geo capabilities in SharePoint Online. Learn more.


General availability - Knowledge Admin and Knowledge Manager built-in roles

Type: New feature
Service category: RBAC
Product capability: Access Control

Two new roles, Knowledge Administrator and Knowledge Manager, are now in general availability.

  • Users in the Knowledge Administrator role have full access to all Organizational knowledge settings in the Microsoft 365 admin center. They can create and manage content, like topics and acronyms. Additionally, these users can create content centers, monitor service health, and create service requests. Learn more.
  • Users in the Knowledge Manager role can create and manage content and are primarily responsible for the quality and structure of knowledge. They have full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers. Learn more.

General availability - Cloud App Security Administrator built-in role

Type: New feature
Service category: RBAC
Product capability: Access Control

Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and do governance actions. Learn more.


General availability - Windows Update Deployment Administrator

Type: New feature
Service category: RBAC
Product capability: Access Control

Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed. Also, users can specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress. Learn more.


General availability - multi-camera support for Windows Hello

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

With the Windows 10 21H1 update, Windows Hello now supports multiple cameras. By default, the external camera is used when both a built-in and an external camera are present. Learn more.


General availability - Access Reviews MS Graph APIs now in v1.0

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Azure Active Directory access reviews MS Graph APIs are now in v1.0 and support fully configurable access review features. Learn more.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2021, we added the following 42 new applications to our app gallery with federation support:

Taksel, IDrive360, VIDA, ProProfs Classroom, WAN-Sign, Citrix Cloud SAML SSO, Fabric, DssAD, RICOH Creative Collaboration RICC, Styleflow, Chaos, Traced Connector, Squarespace, MX3 Diagnostics Connector, Ten Spot, Finvari, Mobile4ERP, WalkMe US OpenID Connect, Neustar UltraDNS, cloudtamer.io, A Cloud Guru, PetroVue, Postman, ReadCube Papers, Peklostroj, SynCloud, Polymerhq.io, Bonos, Astra Schedule, Draup, Inc, Applied Mental Health, iHASCO Training, Nexsure, XEOX, Plandisc, foundU, Standard for Success Accreditation, Penji Teams, CheckPoint Infinity Portal, Teamgo, Hopsworks.ai, HoloMeeting 2

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Device code flow now includes an app verification prompt

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

The device code flow has been updated to include one extra user prompt. While signing in, the user will see a prompt asking them to validate the app they're signing into. The prompt ensures that they aren't subject to a phishing attack. Learn more.


User last sign-in date and time is now available on Azure portal

Type: Changed feature
Service category: User Management
Product capability: User Management

You can now view your users' last sign-in date and time stamp on the Azure portal. The information is available for each user on the user profile page. This information helps you identify inactive users and effectively manage risky events. Learn more.


MIM BHOLD Suite impact of end of support for Microsoft Silverlight

Type: Changed feature
Service category: Microsoft Identity Manager
Product capability: Identity Governance

Microsoft Silverlight will reach its end of support on October 12, 2021. This change only impacts customers using the Microsoft BHOLD Suite, and doesn't impact other Microsoft Identity Manager scenarios. For more information, see Silverlight End of Support.

Users who haven't installed Microsoft Silverlight in their browser can't use the BHOLD Suite modules which require Silverlight. This includes the BHOLD Model Generator, BHOLD FIM Self-service integration, and BHOLD Analytics. Customers with an existing BHOLD deployment of one or more of those modules should plan to uninstall those modules from their BHOLD server computers by October 2021. Also, they should plan to uninstall Silverlight from any user computers that were previously interacting with that BHOLD deployment.


My* experiences: End of support for Internet Explorer 11

Type: Deprecated
Service category: My Apps
Product capability: End User Experiences

Microsoft 365 and other apps are ending support for Internet Explorer 11 on August 21, 2021, and this includes the My* experiences. The My* experiences accessed via Internet Explorer won't receive bug fixes or any updates, which may lead to issues. These dates are being driven by the Edge team and may be subject to change. Learn more.


Planned deprecation - Malware linked IP address detection in Identity Protection

Type: Deprecated
Service category: Identity Protection
Product capability: Identity Security & Protection

Starting October 1, 2021, Azure AD Identity Protection will no longer generate the "Malware linked IP address" detection. No action is required and customers will remain protected by the other detections provided by Identity Protection. To learn more about protection policies, refer to Identity Protection policies.


May 2021

Public preview - Azure AD verifiable credentials

Type: New feature
Service category: Other
Product capability: User Authentication

Azure AD customers can now easily design and issue verifiable credentials. Verifiable credentials can be used to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. Learn more.


Public preview - Device code flow now includes an app verification prompt

Type: New feature
Service category: User Authentication
Product capability: Authentications (Logins)

As a security improvement, the device code flow has been updated to include another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and is expected to be complete by June 30.

To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: "Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it cannot be removed or bypassed. Learn more.


Public preview - build and test expressions for user provisioning

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

The expression builder allows you to create and test expressions, without having to wait for the full sync cycle. Learn more.


Public preview - enhanced audit logs for Conditional Access policy changes

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

An important aspect of managing Conditional Access is understanding changes to your policies over time. Policy changes may cause disruptions for your end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical.

As well as showing who made a policy change and when, the audit logs will now also contain a modified properties value. This change gives admins greater visibility into what assignments, conditions, or controls changed. If you want to revert to a previous version of a policy, you can copy the JSON representation of the old version and use the Conditional Access APIs to change the policy to its previous state. Learn more.
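One way to act on the "modified properties" information and the revert advice above: compare the old and new JSON of a policy, flag changes that weaken it, and build the body to push back through the API. This is an added example, not code from the page or from Microsoft; both policy documents are constructed to resemble the Graph conditionalAccessPolicy shape (displayName, state, conditions, grantControls), and the role and user ids are placeholders.

```python
"""Diff two versions of a Conditional Access policy and build a revert body.

Added example, not from the original page. Both documents below are constructed
to resemble the JSON of a Graph conditionalAccessPolicy; the exact format of the
audit log's "modified properties" value is not reproduced here.
"""
import json

# Constructed: the policy as it was before the change (ids are placeholders).
OLD_POLICY = {
    "displayName": "Require MFA for admins",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": ["GLOBAL_ADMIN_ROLE_ID"], "excludeUsers": ["BREAK_GLASS_ID"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed: the policy after an admin edit that quietly weakened it.
NEW_POLICY = {
    "displayName": "Require MFA for admins",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeRoles": ["GLOBAL_ADMIN_ROLE_ID"],
                  "excludeUsers": ["BREAK_GLASS_ID", "CONTRACTOR_ID"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def modified_properties(old: dict, new: dict, prefix: str = "") -> list:
    """Return [(dotted_path, old_value, new_value)] for every leaf that differs."""
    changes = []
    for key in sorted(set(old) | set(new)):
        path = f"{prefix}{key}"
        a, b = old.get(key), new.get(key)
        if isinstance(a, dict) and isinstance(b, dict):
            changes.extend(modified_properties(a, b, path + "."))
        elif a != b:
            changes.append((path, a, b))
    return changes


def revert_body(old: dict, new: dict) -> dict:
    """Top-level properties to PATCH so the policy returns to `old`.

    Only properties that actually changed are included, mirroring the advice to
    copy the old JSON and push it back through the API. Nested objects are sent
    whole, because a PATCH of a nested object replaces it.
    """
    changed_top = {path.split(".")[0] for path, _, _ in modified_properties(old, new)}
    return {key: old[key] for key in changed_top}


def is_weakening(old: dict, new: dict) -> bool:
    """Heuristic review flag: policy no longer enforced, or more users excluded."""
    for path, a, b in modified_properties(old, new):
        if path == "state" and a == "enabled" and b != "enabled":
            return True
        if path.startswith("conditions.users.exclude") and len(b or []) > len(a or []):
            return True
    return False


if __name__ == "__main__":
    for path, a, b in modified_properties(OLD_POLICY, NEW_POLICY):
        print(f"{path}: {a!r} -> {b!r}")
    print("weakening change:", is_weakening(OLD_POLICY, NEW_POLICY))
    print(json.dumps(revert_body(OLD_POLICY, NEW_POLICY), indent=2))
```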


Public preview - Sign-in logs include authentication methods used during sign-in

Type: New feature
Service category: MFA
Product capability: Monitoring & Reporting

Admins can now see the sequential steps users took to sign in, including which authentication methods were used during sign-in.

To access these details, go to the Azure AD sign-in logs, select a sign-in, and then navigate to the Authentication Method Details tab. Here we have included information such as which method was used, details about the method (for example, phone number, phone name), authentication requirement satisfied, and result details. Learn more.


Public preview - PIM adds support for ABAC conditions in Azure Storage roles

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Along with the public preview of attribute-based access control (ABAC) for specific Azure RBAC roles, you can also add ABAC conditions inside Privileged Identity Management for your eligible assignments. Learn more.


General availability - Conditional Access and Identity Protection Reports in B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

B2C now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables customers to protect their users with granular risk- and location-based access controls. With these features, customers can now look at the signals and create a policy that provides more security and access for their own customers. Learn more.


General availability - KMSI and Password reset now in next generation of user flows

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

The next generation of B2C user flows now supports keep me signed in (KMSI) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser. The session is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password" link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory. Learn more.


General availability - New Log Analytics workbook Application role assignment activity

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

A new workbook has been added for surfacing audit events for application role assignment changes. Learn more.


General availability - Next generation Azure AD B2C user flows

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users can enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to Create user flows in Azure AD B2C for guidance on using this feature. Learn more.


General availability - Azure Active Directory threat intelligence for sign-in risk

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

This new detection serves as an ad-hoc method to allow our security teams to notify you and protect your users by raising their session risk to High when we observe an attack happening. The detection will also mark the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams. Learn more.


General availability - Conditional Access named locations improvements

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

IPv6 support in named locations is now generally available. Updates include:

  • Added the capability to define IPv6 address ranges
  • Increased limit of named locations from 90 to 195
  • Increased limit of IP ranges per named location from 1200 to 2000
  • Added capabilities to search and sort named locations and filter by location type and trust type
  • Added named locations a sign-in belonged to in the sign-in logs

Additionally, to prevent admins from defining problematic named locations, extra checks have been added to reduce the chance of misconfiguration. Learn more.


General availability - Restricted guest access permissions in Azure AD

Type: New feature
Service category: User Management
Product capability: Directory

Directory level permissions for guest users have been updated. These permissions allow administrators to require extra restrictions and controls on external guest user access.

Admins can now add more restrictions for external guests' access to user and groups' profile and membership information. Also, customers can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in. To learn more, see Restrict guest access permissions in Azure Active Directory.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2021, we added the following 29 new applications to our App gallery with Federation support:

InviteDesk, Webrecruit ATS, Workshop, Gravity Sketch, JustLogin, Custellence, WEVO, AppTec360 MDM, Filemail, Ardoq, Leadfamly, Documo, Autodesk SSO, Check Point Harmony Connect, BrightHire, Rescana, Bluewhale, AlacrityLaw, Equisolve, Zip, Cognician, Acra, VaultMe, TAP App Security, Cavelo Office365 Cloud Connector, Clebex, Banyan Command Center, Check Point Remote Access VPN, LogMeIn

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Improved Conditional Access Messaging for Android and iOS

Type: Changed feature
Service category: Device Registration and Management
Product capability: End User Experiences

We've updated the wording on the Conditional Access screen shown to users when they're blocked from accessing corporate resources. They'll be blocked until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed:

  • “Help us keep your device secure” has changed to “Set up your device to get access”
  • “Your sign-in was successful but your admin requires your device to be managed by Microsoft to access this resource.” to “[Organization’s name] requires you to secure this device before you can access [organization’s name] email, files, and data.”
  • “Enroll Now” to “Continue”

The information in Enroll your Android enterprise device is out of date.


Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting in June, Azure AD will begin prompting the user for consent when this access is given across organizations. This ensures that the user understands that the organization that owns the document will collect some information about the user as part of the document access. Learn more.


Provisioning logs schema change impacting Graph API and Azure Monitor integration

Type: Changed feature
Service category: App Provisioning
Product capability: Monitoring & Reporting

The attributes "Action" and "statusInfo" will be changed to "provisioningAction" and "provisioningStatusInfo". Update any scripts that you have created using the provisioning logs Graph API or Azure Monitor integrations.
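A script that consumes provisioning logs has to survive the rename above for as long as it may see records in either shape. The following added example (not Microsoft's code) normalizes records to the new attribute names and then summarizes failures; only the two renamed attributes come from the release note, while the sample records and the layout of the status object (status, errorInformation.reason) are constructed for illustration.

```python
"""Read provisioning log records written in either the old or the new schema.

Added example, not Microsoft's code. Only the renamed attribute names come
from the release note above; the records and the layout of the status
object (status, errorInformation.reason) are constructed for illustration.
"""
from typing import Any, Dict, Iterable, List

# Old attribute name -> new attribute name, as announced above.
RENAMED = {"action": "provisioningAction", "statusInfo": "provisioningStatusInfo"}

# Constructed sample: one old-schema record (with the capitalised "Action"
# spelling used above) and two new-schema records.
SAMPLE_RECORDS = [
    {"id": "c1", "Action": "Create",
     "statusInfo": {"status": "failure",
                    "errorInformation": {"reason": "Duplicate target entry"}}},
    {"id": "c2", "provisioningAction": "Update",
     "provisioningStatusInfo": {"status": "success"}},
    {"id": "c3", "provisioningAction": "Disable",
     "provisioningStatusInfo": {"status": "failure",
                                "errorInformation": {"reason": "Target user not found"}}},
]


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record that uses the new attribute names.

    Old names are matched case-insensitively. If a record carries both the old
    and the new name, the new-schema value wins.
    """
    out: Dict[str, Any] = {}
    for key, value in record.items():
        new_key = next((new for old, new in RENAMED.items()
                        if key.lower() == old.lower()), key)
        if new_key in out and new_key != key:
            continue  # new-schema value already present; drop the old duplicate
        out[new_key] = value
    return out


def failed_actions(records: Iterable[Dict[str, Any]]) -> List[str]:
    """Summarize failed events as 'id action: reason', whatever schema they use."""
    failures: List[str] = []
    for rec in map(normalize, records):
        info = rec.get("provisioningStatusInfo") or {}
        if str(info.get("status", "")).lower() != "failure":
            continue
        reason = (info.get("errorInformation") or {}).get("reason", "unknown")
        failures.append(
            f"{rec.get('id', '?')} {rec.get('provisioningAction', '?')}: {reason}")
    return failures


if __name__ == "__main__":
    for line in failed_actions(SAMPLE_RECORDS):
        print(line)
```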


New ARM API to manage PIM for Azure Resources and Azure AD roles

Type: Changed feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

An updated version of PIM's API for Azure Resource roles and Azure AD roles has been released. The PIM API for Azure Resource roles is now released under the ARM API standard, which aligns with the role management API for regular Azure role assignment. The PIM API for Azure AD roles is released under the Microsoft Graph API, aligned with the unifiedRoleManagement APIs. Some of the benefits of this change include:

  • Alignment of the PIM API with objects in ARM and Graph for role management
  • Reducing the need to call PIM to onboard new Azure resources
  • All Azure resources automatically work with the new PIM API
  • Reducing the need to call PIM for role definitions or keeping a PIM resource ID
  • Supporting app-only API permissions in PIM for both Azure AD and Azure Resource roles

The previous version of PIM's API under /privilegedaccess will continue to function, but we recommend that you move to the new API going forward. Learn more.


Revision of roles in Azure AD entitlement management

Type: Changed feature
Service category: Roles
Product capability: Entitlement Management

A new role, Identity Governance Administrator, has recently been introduced. This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. If you have assigned administrators to the User Administrator role or have them activate this role to manage access packages in Azure AD entitlement management, switch to the Identity Governance Administrator role instead. The User Administrator role will no longer provide administrative rights to catalogs or access packages. Learn more.


April 2021

Bug fixed - Azure AD will no longer double-encode the state parameter in responses

Type: Fixed
Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD has identified, tested, and released a fix for a bug in the /authorize response to a client application. Azure AD was incorrectly URL-encoding the state parameter twice when sending responses back to the client. This can cause a client application to reject the response, due to a mismatch in state parameters. Learn more.
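The mismatch described above, as an added example that is not Microsoft's code: a client stores its state, decodes the redirect once (as a correct client should), and compares in constant time; a simulated double-encoded redirect fails the check, and the diagnostic distinguishes that encoding defect from a real CSRF mismatch. The redirect URI, authorization code and state value are constructed.

```python
"""Validate the OAuth 2.0 state parameter on a redirect from /authorize.

Added example, not Microsoft's code. The redirect URI, authorization code
and state value are constructed for illustration.
"""
import hmac
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed values. The state embeds a return path so that it contains
# characters ('/', '?', '=', '&') that percent-encoding actually changes.
REDIRECT_URI = "https://client.example/callback"
STATE = "r=/reports?tab=risk&n=7f3a"


def simulate_authorize_redirect(state: str, code: str, encode_twice: bool) -> str:
    """Build the redirect an authorization server sends back to the client.

    encode_twice=True reproduces the defect described above by percent-encoding
    the state a second time (a constructed simulation of the old behaviour).
    """
    encoded = quote(state, safe="")
    if encode_twice:
        encoded = quote(encoded, safe="")
    return f"{REDIRECT_URI}?code={quote(code, safe='')}&state={encoded}"


def state_from_redirect(redirect_url: str) -> Optional[str]:
    """Return the state value after exactly one round of percent-decoding."""
    values = parse_qs(urlparse(redirect_url).query).get("state")
    return values[0] if values else None


def validate_state(expected: str, redirect_url: str) -> Tuple[bool, str]:
    """Compare the stored state with the received one in constant time.

    The response is rejected on any mismatch; the reason string only helps an
    operator tell an encoding defect apart from a genuine CSRF mismatch.
    """
    received = state_from_redirect(redirect_url)
    if received is None:
        return False, "state missing from response"
    if hmac.compare_digest(expected.encode(), received.encode()):
        return True, "state matches"
    if unquote(received) == expected:
        return False, "state is a double-encoded copy of the expected value"
    return False, "state mismatch: possible CSRF or stale session"


if __name__ == "__main__":
    for twice in (False, True):
        url = simulate_authorize_redirect(STATE, "c0de", encode_twice=twice)
        print(twice, validate_state(STATE, url))
```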


Users can only create security and Microsoft 365 groups in Azure portal being deprecated

Type: Plan for change
Service category: Group Management
Product capability: Directory

Users will no longer be limited to creating security and Microsoft 365 groups only in the Azure portal. The new setting will allow users to create security groups in the Azure portal, PowerShell, and the API. Users will be required to verify and update the new setting. Learn more.


Public preview - External Identities Self-Service Sign-up in AAD using Email One-Time Passcode accounts

Type: New feature
Service category: B2B
Product capability: B2B/B2C

External users can now use Email One-Time Passcode accounts to sign up or sign in to Azure AD 1st party and line-of-business applications. Learn more.


General availability - External Identities Self-Service Sign Up

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Self-service sign-up for external users is now in general availability. With this new feature, external users can now self-service sign up to an application.

You can create customized experiences for these external users, including collecting information about your users during the registration process and allowing external identity providers like Facebook and Google. You can also integrate with third-party cloud providers for various functionalities like identity verification or approval of users. Learn more.


General availability - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

B2C Phone Sign-up and Sign-in using a built-in policy enables IT administrators and developers of organizations to allow their end users to sign in and sign up using a phone number in user flows. With this feature, disclaimer links such as privacy policy and terms of use can be customized and shown on the page before the end user proceeds to receive the one-time passcode via text message. Learn more.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2021, we added the following 31 new applications to our App gallery with Federation support:

Zii Travel Azure AD Connect, Cerby, Selflessly, Apollo CX, Pedagoo, Measureup, Wistec Education, ProcessUnity, Cisco Intersight, Codility, H5mag, Check Point Identity Awareness, Jarvis, desknet's NEO, SDS & Chemical Information Management, Wúru App, Holmes, Tide Multi Tenant, Telenor, Yooz US, Mooncamp, inwise SSO, Ecolab Digital Solutions, Taguchi Digital Marketing System, XpressDox EU Cloud, EZSSH, EZSSH Client, Verto 365, KPN Grip, AddressLook, Cornerstone Single Sign-On

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization with automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Introducing new versions of page layouts for B2C

Type: Changed feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

The page layouts for B2C scenarios in Azure AD B2C have been updated to reduce security risks by introducing new versions of jQuery and Handlebars JS.


Updates to Sign-in Diagnostic

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

The scenario coverage of the Sign-in Diagnostic tool has increased.

With this update, the following event-related scenarios will now be included in the sign-in diagnosis results:

  • Enterprise Applications configuration problem events.
  • Enterprise Applications service provider (application-side) events.
  • Incorrect credentials events.

These results will show contextual and relevant details about the event and actions to take to resolve these problems. Also, for scenarios where we don't have deep contextual diagnostics, Sign-in Diagnostic will present more descriptive content about the error event.

For more information, see What is sign-in diagnostic in Azure AD?


Azure AD Connect cloud sync general availability refresh

Type: Changed feature
Service category: Azure AD Connect Cloud Sync
Product capability: Directory

Azure AD Connect cloud sync now has an updated agent (version 1.1.359). For more details on agent updates, including bug fixes, check out the version history. With the updated agent, cloud sync customers can use gMSA cmdlets to set and reset their gMSA permissions at a granular level. In addition, we have changed the limit on syncing members using group scope filtering from 1499 to 50,000 (50K) members.

Check out the newly available expression builder for cloud sync, which helps you build both simple and complex expressions when you transform attribute values from AD to Azure AD using attribute mapping.


March 2021

Guidance on how to enable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation

Type: Plan for change
Service category: N/A
Product capability: Standards

Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021:

  • TLS 1.0
  • TLS 1.1
  • 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

Affected environments include:

  • Azure Commercial Cloud
  • Office 365 GCC and WW

For more information, see Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation.
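A client-side way to confirm that your own code is already on the right side of this deprecation, as an added example that is not Microsoft's code: it builds a standard-library TLS context restricted to TLS 1.2 or later with 3DES removed, and a checker that reports whether a context could still negotiate TLS 1.0/1.1 or offer the 3DES suite. The cipher-suite name used is OpenSSL's spelling of TLS_RSA_WITH_3DES_EDE_CBC_SHA.

```python
"""Client-side check for the Azure AD TLS deprecation described above.

Added example, not Microsoft's code; it uses only the Python standard library.
THREE_DES_SUITE is OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA.
"""
import ssl
from typing import List

THREE_DES_SUITE = "DES-CBC3-SHA"


def build_compliant_context() -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.2+ and never offers 3DES."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Keep OpenSSL's HIGH suites; explicitly drop 3DES and unauthenticated/null ones.
    ctx.set_ciphers("HIGH:!3DES:!aNULL:!eNULL")
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """Context that still allows TLS 1.0/1.1 (constructed, for comparison only).

    Whether 3DES actually shows up in its cipher list depends on the OpenSSL
    build Python is linked against.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def violations(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context still depends on what Azure AD is retiring."""
    problems: List[str] = []
    # TLSVersion is an IntEnum, so protocol versions compare numerically.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS 1.0 or 1.1 can still be negotiated")
    offered = {suite["name"] for suite in ctx.get_ciphers()}
    if THREE_DES_SUITE in offered or any("3DES" in name for name in offered):
        problems.append(f"3DES cipher suite still offered ({THREE_DES_SUITE})")
    return problems


if __name__ == "__main__":
    print("compliant:", violations(build_compliant_context()) or "no violations")
    print("legacy:   ", violations(build_legacy_context()) or "no violations")
```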


Public preview - Azure AD Entitlement management now supports multi-geo SharePoint Online

Type: New feature
Service category: Other
Product capability: Entitlement Management

For organizations using multi-geo SharePoint Online, you can now include sites from specific multi-geo environments in your Entitlement management access packages. Learn more.


Public preview - Restore deleted apps from App registrations

Type: New feature
Service category: Other
Product capability: Developer Experience

Customers can now view, restore, and permanently remove deleted app registrations from the Azure portal. This applies only to applications associated with a directory, not applications from a personal Microsoft account. Learn more.


Public preview - New "User action" in Conditional Access for registering or joining devices

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

A new user action called "Register or join devices" in Conditional access is available. This user action allows you to control Multi-factor Authentication (MFA) policies for Azure AD device registration.

Currently, this user action only allows you to enable MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration are disabled with this user action. Learn more.


Public preview - Optimize connector groups to use the closest Application Proxy cloud service

Type: New feature
Service category: App Proxy
Product capability: Access Control

With this new capability, connector groups can be assigned to the closest regional Application Proxy service an application is hosted in. This can improve app performance in scenarios where apps are hosted in regions other than the home tenant’s region. Learn more.


Public preview - External Identities Self-Service Sign-up in AAD using Email One-Time Passcode accounts

Type: New feature
Service category: B2B
Product capability: B2B/B2C

External users will now be able to use Email One-Time Passcode accounts to sign up for Azure AD 1st party and LOB apps. Learn more.


Public preview - Availability of AD FS Sign-Ins in Azure AD

Type: New feature
Service category: Authentications (Logins)
Product capability: Monitoring & Reporting

AD FS sign-in activity can now be integrated with Azure AD activity reporting, providing a unified view of hybrid identity infrastructure. Using the Azure AD Sign-Ins report, Log Analytics, and Azure Monitor Workbooks, it's possible to do in-depth analysis for both AAD and AD FS sign-in scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.

To learn more, visit AD FS sign-ins in Azure AD with Connect Health.


General availability - Staged rollout to cloud authentication

Type: New feature
Service category: AD Connect
Product capability: User Authentication

Staged rollout to cloud authentication is now generally available. The staged rollout feature allows you to selectively test groups of users with cloud authentication methods, such as Pass-through Authentication (PTA) or Password Hash Sync (PHS). Meanwhile, all other users in the federated domains continue to authenticate through federation services such as AD FS. Learn more.


General availability - User Type attribute can now be updated in the Azure admin portal

Type: New feature
Service category: User Experience and Management
Product capability: User Management

Customers can now update the user type of Azure AD users when they update their user profile information from the Azure admin portal. The user type can also be updated from Microsoft Graph. To learn more, see Add or update user profile information.


General availability - Replica Sets for Azure Active Directory Domain Services

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

The capability of replica sets in Azure AD DS is now generally available. Learn more.


General availability - Collaborate with your partners using Email One-Time Passcode in the Azure Government cloud

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Organizations in the Microsoft Azure Government cloud can now enable their guests to redeem invitations with Email One-Time Passcode. This ensures that any guest users with no Azure AD, Microsoft, or Gmail accounts in the Azure Government cloud can still collaborate with their partners by requesting and entering a temporary code to sign in to shared resources. Learn more.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2021, we added the following 37 new applications to our App gallery with Federation support:

Bambuser Live Video Shopping, DeepDyve Inc, Moqups, RICOH Spaces Mobile, Flipgrid, hCaptcha Enterprise, SchoolStream ASA, TransPerfect GlobalLink Dashboard, SimplificaCI, Thrive LXP, Lexonis TalentScape, Exium, Sapient, TrueChoice, RICOH Spaces, Saba Cloud, Acunetix 360, Exceed.ai, GitHub Enterprise Managed User, Enterprise Vault.cloud for Outlook, Smartlook, Accenture Academy, Onshape, Tradeshift, JuriBlox, SecurityStudio, ClicData, Evergreen, Patchdeck, FAX.PLUS, ValidSign, AWS Single Sign-on, Nura Space, Broadcom DX SaaS, Interplay Learning, SendPro Enterprise, FortiSASE SIA

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Introducing MS Graph API for Company Branding

Type: Changed feature
Service category: MS Graph
Product capability: B2B/B2C

The MS Graph API for Company Branding is now available, allowing the branding parameters of the Azure AD or Microsoft 365 login experience to be managed programmatically.


General availability - Header-based authentication SSO with Application Proxy

Type: Changed feature
Service category: App Proxy
Product capability: Access Control

Azure AD Application Proxy native support for header-based authentication is now generally available. With this feature, you can configure the user attributes required as HTTP headers for the application without having to deploy additional components. Learn more.


Two-way SMS for MFA Server is no longer supported

Type: Deprecated
Service category: MFA
Product capability: Identity Security & Protection

Two-way SMS for MFA Server was originally deprecated in 2018, and will not be supported after February 24, 2021. Administrators should enable another method for users who still use two-way SMS.

Email notifications and Azure portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. Learn more.