What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL: https://docs.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us into your RSS feed reader.

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Azure Active Directory.


October 2021

Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021

Type: Plan for change
Service category: Other
Product capability: Developer Experience

Sometimes, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, a limit on the total number of required permissions that can be configured for an app registration will be enforced.

The total number of required permissions for any single application registration mustn't exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out mid-October 2021. Applications exceeding the limit can't increase the number of permissions they are configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.

In the Azure portal, the required permissions are listed under API permissions for the application you wish to configure. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. Learn more.


Email one-time passcode on by default change beginning rollout in November 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

Previously, we announced that starting October 31, 2021, Microsoft Azure Active Directory email one-time passcode authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. However, because of deployment schedules, we'll begin rolling out on November 1, 2021. Most of the tenants will see the change rolled out in January 2022 to minimize disruptions during the holidays and deployment lockdowns. After this change, Microsoft will no longer allow redemption of invitations using Azure Active Directory accounts that are unmanaged. Learn more.


Conditional Access Guest Access Blocking Screen

Type: Fixed
Service category: Conditional Access
Product capability: End User Experiences

If there's no trust relationship between a home and resource tenant, a guest user would previously have been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, we have created a new conditional access blocking page. The page tells the end user that they can't get access to conditional access protected resources as a guest user. Learn more.


50105 Errors will now result in a UX error message instead of an error response to the application

Type: Fixed
Service category: Authentications (Logins)
Product capability: Developer Experience

Azure AD has fixed a bug in an error response that occurs when a user isn't assigned to an app that requires a user assignment. Previously, Azure AD would return error 50105 with the OIDC error code "interaction_required" even during interactive authentication. This would cause well-coded applications to loop indefinitely, as they do interactive authentication and receive an error telling them to do interactive authentication, which they would then do.

The bug has been fixed, so that during non-interactive auth an "interaction_required" error will still be returned. Also, during interactive authentication an error page will be directly displayed to the user.

For greater details, see the change notices for Azure AD protocols.


Public preview - New claims transformation capabilities

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

The following new capabilities have been added to the claims transformations available for manipulating claims in tokens issued from Azure AD:

  • Join() on NameID. This used to be restricted to joining an email format address with a verified domain. Now Join() can be used on the NameID claim in the same way as any other claim, so NameID transforms can be used to create Windows account style NameIDs or any other string. For now, if the result is an email address, Azure AD will still validate that the domain is one that is verified in the tenant.
  • Substring(). A new transformation in the claims configuration UI allows extraction of substrings at defined positions, such as five characters starting at character three: substring(3,5).
  • Claims transformations. These transformations can now be performed on multi-valued attributes, and can emit multi-valued claims. Microsoft Graph can now be used to read/write multi-valued directory schema extension attributes. Learn more.

Public Preview – Flagged Sign-ins

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Flagged sign-ins is a feature that will increase the signal to noise ratio for user sign-ins where users need help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with, and to help admins and help desk workers find the right sign-in events quickly and efficiently. Learn more.


Public preview - Device overview

Type: New feature
Service category: Device Registration and Management
Product capability: Device Lifecycle Management

The new Device Overview feature provides actionable insights about devices in your tenant. Learn more.


Public preview - Azure Active Directory workload identity federation

Type: New feature
Service category: Enterprise Apps
Product capability: Developer Experience

Azure AD workload identity federation is a new capability that's in public preview. It frees developers from handling application secrets or certificates. This includes secrets in scenarios such as using GitHub Actions and building applications on Kubernetes. Rather than creating an application secret and using that to get tokens for that application, developers can instead use tokens provided by the respective platforms such as GitHub and Kubernetes without having to manage any secrets manually. Learn more.


Public Preview - Updates to Sign-in Diagnostic

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

With this update, the diagnostic covers more scenarios and is made more easily available to admins.

New scenarios covered when using the Sign-in Diagnostic:

  • Pass Through Authentication sign-in failures
  • Seamless Single-Sign On sign-in failures

Other changes include:

  • Flagged Sign-ins will automatically appear for investigation when using the Sign-in Diagnostic from Diagnose and Solve.
  • Sign-in Diagnostic is now available from the Enterprise Apps Diagnose and Solve blade.
  • The Sign-in Diagnostic is now available in the Basic Info tab of the Sign-in Log event view for all sign-in events. Learn more.

General Availability - Privileged Role Administrators can now create Azure AD access reviews on role-assignable groups

Type: Fixed
Service category: Access Reviews
Product capability: Identity Governance

Privileged Role Administrators can now create Azure AD access reviews on Azure AD role-assignable groups, in addition to Azure AD roles. Learn more.


General Availability - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10/11

Type: New feature
Service category: Authentications (Logins)
Product capability: SSO

We now support native single sign-on (SSO) and device-based Conditional Access in the Firefox browser on Windows 10 and Windows Server 2019, starting in Firefox version 91. Learn more.


General Availability - New app indicator in My Apps

Type: New feature
Service category: My Apps
Product capability: End User Experiences

Apps that have been recently assigned to the user show up with a "new" indicator. When the app is launched or the page is refreshed, this indicator disappears. Learn more.


General availability - Custom domain support in Azure AD B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Azure AD B2C customers can now enable custom domains so their end-users are redirected to a custom URL domain for authentication. This is done via integration with Azure Front Door's custom domains capability. Learn more.


General availability - Edge Administrator built-in role

Type: New feature
Service category: RBAC
Product capability: Access Control

Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list and additionally allows access to manage support tickets. Learn more.


General availability - Windows 365 Administrator built-in role

Type: New feature
Service category: RBAC
Product capability: Access Control

Users with this role have global permissions on Windows 365 resources, when the service is present. Additionally, this role contains the ability to manage users and devices to associate a policy, and to create and manage groups. Learn more.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2021 we've added the following 10 new applications in our App gallery with Federation support:

Adaptive Shield, SocialChorus Search, Hiretual-SSO, TeamSticker by Communitio, embed signage, JoinedUp, VECOS Releezme Locker management system, Altoura, Dagster Cloud, Qualaroo

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the following article: https://aka.ms/AzureADAppRequest


Continuous Access Evaluation migration with Conditional Access

Type: Changed feature
Service category: Conditional Access
Product capability: User Authentication

A new user experience is available for our CAE tenants. Tenants will now access CAE as part of Conditional Access. Any tenants that were previously using CAE for some (but not all) user accounts under the old UX, or had previously disabled the old CAE UX, will now be required to undergo a one-time migration experience. Learn more.


Improved group list blade

Type: Changed feature
Service category: Group Management
Product capability: Directory

The new group list blade offers more sort and filtering capabilities, infinite scrolling, and better performance. Learn more.


General availability - Google deprecation of Gmail sign-in support on embedded webviews on September 30, 2021

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Google has deprecated Gmail sign-ins on Microsoft Teams mobile and custom apps that run Gmail authentications on embedded webviews on Sept. 30th, 2021.

If you would like to request an extension, impacted customers with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by Jan 31, 2022.

To continue allowing your Gmail users to sign in and redeem, we strongly recommend that you refer to Embedded vs System Web UI in the MSAL.NET documentation and modify your apps to use the system browser for sign-in. All MSAL SDKs use the system web-view by default.

As a workaround, we are deploying the device login flow by October 8. Until then, it may not be rolled out to all regions yet; in that case, end users will be met with an error screen until it gets deployed to your region.

For more details on the device login flow and details on requesting extension to Google, see Add Google as an identity provider for B2B guest users.


Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications

Type: Changed feature
Service category: Access Reviews
Product capability: Identity Governance

Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications. Learn more.


September 2021

Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021

Type: Plan for change
Service category: Other
Product capability: Developer Experience

Occasionally, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, we're enforcing a limit on the total number of required permissions that can be configured for an app registration.

The total number of required permissions for any single application registration must not exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out no sooner than mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and can't exceed 50 APIs.

In the Azure portal, the required permissions are listed under Azure Active Directory > Application registrations > (select an application) > API permissions. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. Learn more.
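The October and September notices above give the limits (400 required permissions across at most 50 distinct APIs) and say where they are stored (the requiredResourceAccess property). The following script, added here as an example and not part of the release notes, counts both values for every app registration so over-permissioned apps can be found before enforcement; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) is installed and that the signed-in account holds the Application.Read.All permission.

```powershell
# Added example: report app registrations near or over the announced
# requiredResourceAccess limits (400 permissions total, 50 distinct APIs).
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller
# can read application objects (Application.Read.All).
Connect-MgGraph -Scopes 'Application.Read.All'

$maxPermissions = 400
$maxApis        = 50

$report = Get-MgApplication -All -Property @('id', 'displayName', 'appId', 'requiredResourceAccess') |
    ForEach-Object {
        # One RequiredResourceAccess entry per API (resource service principal).
        $apis        = @($_.RequiredResourceAccess)
        $permissions = 0
        foreach ($api in $apis) {
            # Each ResourceAccess item is one delegated scope or one application role.
            $permissions += @($api.ResourceAccess).Count
        }
        [pscustomobject]@{
            DisplayName  = $_.DisplayName
            AppId        = $_.AppId
            DistinctApis = $apis.Count
            Permissions  = $permissions
            OverLimit    = ($permissions -gt $maxPermissions) -or ($apis.Count -gt $maxApis)
        }
    }

# Apps over either limit first: these cannot add permissions once enforcement starts
# and are also the first candidates for a least-privilege review.
$report | Where-Object { $_.OverLimit } | Sort-Object Permissions -Descending | Format-Table -AutoSize

# Then the twenty most permission-heavy registrations overall.
$report | Sort-Object Permissions -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Counting requiredResourceAccess only covers configured (requested) permissions; granted consent is recorded separately on the service principal, so an app with few granted permissions can still hit this limit.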


My Apps performance improvements

Type: Fixed
Service category: My Apps
Product capability: End User Experiences

The load time of My Apps has been improved. Users going to myapps.microsoft.com load My Apps directly, rather than being redirected through another service. Learn more.


Single Page Apps using the spa redirect URI type must use a CORS enabled browser for auth

Type: Known issue
Service category: Authentications (Logins)
Product capability: Developer Experience

The modern Edge browser is now included in the requirement to provide an Origin header when redeeming a single page app authorization code. A compatibility fix accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the Origin header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the Origin header per HTTP spec, to ensure CORS is enforced. Learn more.


General availability - On the My Apps portal, users can choose to view their apps in a list

Type: New feature
Service category: My Apps
Product capability: End User Experiences

By default, My Apps displays apps in a grid view. Users can now toggle their My Apps view to display apps in a list. Learn more.


Type: New feature
Service category: Audit
Product capability: Device Lifecycle Management

Admins can now see various new and improved device-related audit logs. The new audit logs cover creating and deleting passwordless credentials (Phone sign-in, FIDO2 key, and Windows Hello for Business), registering and unregistering devices, and pre-creating and deleting pre-created devices. Additionally, there have been minor improvements to existing device-related audit logs, including more device details. Learn more.


General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator

Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. They can report any suspicious or unfamiliar activity based on the sign-in history and activity if necessary. Users also can change their Azure AD account passwords and update the account's security information. Learn more.


General availability - New MS Graph APIs for role management

Type: New feature
Service category: RBAC
Product capability: Access Control

New role management APIs on the MS Graph v1.0 endpoint are generally available. Instead of the old directory roles, use unifiedRoleDefinition and unifiedRoleAssignment.


General availability - Access Packages can expire after number of hours

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

It's now possible in entitlement management to configure an access package that will expire in a matter of hours in addition to the previous support for days or specific dates. Learn more.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2021, we've added the following 44 new applications to our App gallery with Federation support:

Studybugs, Yello, LawVu, Formate eVo Mail, Revenue Grid, Orbit for Office 365, Upmarket, Alinto Protect, Cloud Concinnity, Matlantis, ModelGen for Visio (MG4V), NetRef: Classroom Management, VergeSense, iAuditor, Secutraq, Active and Thriving, Inova, TerraTrue, Facebook Work Accounts, Beyond Identity Admin Console, Visult, ENGAGE TAG, Appaegis Isolation Access Cloud, CrowdStrike Falcon Platform, MY Emergency Control, AlexisHR, Teachme Biz, Zero Networks, Mavim iMprove, Azumuta, Frankli, Amazon Managed Grafana, Productive, Create!Webフロー, Evercate, Ezra Coaching, Baldwin Safety and Compliance, Nulab Pass (Backlog,Cacoo,Typetalk), Metatask, Contrast Security, Animaker, Traction Guest, True Office Learning - LIO, Qiita Team

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Gmail users signing in on Microsoft Teams mobile and desktop clients will sign in with device login flow starting September 30, 2021

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Starting on September 30, 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed-up or redeemed Gmail accounts will have an extra login step. Users will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. If you haven't already done so, make sure to modify your apps to use the system browser for sign-in. See Embedded vs System Web UI in the MSAL.NET documentation for more information. All MSAL SDKs use the system web-view by default.

As the device login flow will start September 30, 2021, it may not be available in your region immediately. If it's not available yet, your end users will be met with the error screen shown in the doc until it gets deployed to your region. For more details on the device login flow and on requesting an extension from Google, see Add Google as an identity provider for B2B guest users.


Improved Conditional Access Messaging for Non-compliant Device

Type: Changed feature
Service category: Conditional Access
Product capability: End User Experiences

The text and design on the Conditional Access blocking screen shown to users when their device is marked as non-compliant has been updated. Users will be blocked until they take the necessary actions to meet their company's device compliance policies. Additionally, we have streamlined the flow for a user to open their device management portal. These improvements apply to all Conditional Access supported OS platforms. Learn more.


August 2021

New major version of AADConnect available

Type: Fixed
Service category: AD Connect
Product capability: Identity Lifecycle Management

We've released a new major version of Azure Active Directory Connect. This version contains several updates of foundational components to the latest versions and is recommended for all customers using Azure AD Connect. Learn more.


Public Preview - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10

Type: New feature
Service category: Authentications (Logins)
Product capability: SSO

We now support native single sign-on (SSO) and device-based Conditional Access in the Firefox browser on Windows 10 and Windows Server 2019. Support is available in Firefox version 91. Learn more.


Public preview - beta MS Graph APIs for Azure AD access reviews return a list of contacted reviewer names

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

We've released a beta MS Graph API for Azure AD access reviews. The API has methods to return a list of contacted reviewer names in addition to the reviewer type. Learn more.


General Availability - "Register or join devices" user action in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The "Register or join devices" user action is generally available in Conditional access. This user action allows you to control multifactor authentication (MFA) policies for Azure Active Directory (AD) device registration. Currently, this user action only allows you to enable multifactor authentication (MFA) as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. Learn more.


General Availability - customers can scope reviews of privileged roles to eligible or permanent assignments

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Administrators can now create access reviews of only permanent or eligible assignments to privileged Azure AD or Azure resource roles. Learn more.


General availability - assign roles to Azure Active Directory (AD) groups

Type: New feature
Service category: RBAC
Product capability: Access Control

Assigning roles to Azure AD groups is now generally available. This feature can simplify the management of role assignments in Azure AD for Global Administrators and Privileged Role Administrators. Learn more.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2021, we've added the following 46 new applications to our App gallery with Federation support:

Siriux Customer Dashboard, STRUXI, Autodesk Construction Cloud - Meetings, Eccentex AppBase for Azure, Bookado, FilingRamp, BenQ IAM, Rhombus Systems, CorporateExperience, TutorOcean, Bookado Device, HiFives-AD-SSO, Darzin, Simply Stakeholders, KACTUS HCM - Smart People, Five9 UC Adapter for Microsoft Teams V2, Automation Center, Cirrus Identity Bridge for Azure AD, ShiftWizard SAML, Safesend Returns, Brushup, directprint.io Cloud Print Administration, plain-x,X-point Cloud, SmartHub INFER, Fresh Relevance, FluentPro G.A. Suite, Clockwork Recruiting, WalkMe SAML2.0, Sideways 6, Kronos Workforce Dimensions, SysTrack Cloud Edition, mailworx Dynamics CRM Connector, Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service, Peripass, JobDiva, Sanebox For Office365, Tulip, HP Wolf Security, Genesys Engage cloud Email, Meta Wiki, Palo Alto Networks Cloud Identity Engine Directory Sync, Valarea, LanSchool Air, Catalyst, Webcargo

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Multifactor (MFA) fraud report – new audit event

Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection

To help administrators understand that their users are blocked for multifactor authentication (MFA) as a result of a fraud report, we have added a new audit event. This audit event is tracked when the user reports fraud. The audit log is available in addition to the existing information about fraud reports in the sign-in logs. To learn how to get the audit report, see multifactor authentication Fraud alert.


Improved Low-Risk Detections

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

To improve the quality of low-risk alerts that Identity Protection issues, we've modified the algorithm to issue fewer low-risk risky sign-ins. Organizations may see a significant reduction in low-risk sign-ins in their environment. Learn more.


Non-interactive risky sign-ins

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now emits risky sign-ins on non-interactive sign-ins. Admins can find these risky sign-ins using the sign-in type filter in the risky sign-ins report. Learn more.


Change from User Administrator to Identity Governance Administrator in Entitlement Management

Type: Changed feature
Service category: Roles
Product capability: Identity Governance

The permissions assignments to manage access packages and other resources in Entitlement Management are moving from the User Administrator role to the Identity Governance administrator role.

Users that have been assigned the User Administrator role can no longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User Administrator role to configure catalogs, access packages, or policies in entitlement management, they will need a new assignment. You should instead assign these users the Identity Governance Administrator role. Learn more.


Windows Azure Active Directory connector is deprecated

Type: Deprecated
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

The Windows Azure AD Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to Azure AD Connect, Azure AD Connect Sync, or the Microsoft Graph Connector, as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. Learn more.


Retirement of older Azure AD Connect versions

Type: Deprecated
Service category: AD Connect
Product capability: User Management

Starting August 31, 2022, all V1 versions of Azure AD Connect will be retired. If you haven't already done so, you need to update your server to Azure AD Connect V2.0. You need to make sure you're running a recent version of Azure AD Connect to receive an optimal support experience.

If you run a retired version of Azure AD Connect it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements. Also, if you require support we can't provide you with the level of service your organization needs.

See Azure Active Directory Connect V2.0, what has changed in V2.0 and how this change impacts you.


Retirement of support for installing MIM on Windows Server 2008 R2 or SQL Server 2008 R2

Type: Deprecated
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

Deploying MIM Sync, Service, Portal or CM on Windows Server 2008 R2, or using SQL Server 2008 R2 as the underlying database, is deprecated as these platforms are no longer in mainstream support. Installing MIM Sync and other components on Windows Server 2016 or later, and with SQL Server 2016 or later, is recommended.

Deploying MIM for Privileged Access Management with a Windows Server 2012 R2 domain controller in the PRIV forest is deprecated. Use Windows Server 2016 or later Active Directory, with Windows Server 2016 functional level, for your PRIV forest domain. The Windows Server 2012 R2 functional level is still permitted for a CORP forest's domain. Learn more.


July 2021

New Google sign-in integration for Azure AD B2C and B2B self-service sign-up and invited external users will stop working starting July 12, 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

Previously we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021.

On July 7, 2021, we learned from Google that some of these restrictions will apply starting July 12, 2021. Azure AD B2B and B2C customers who set up a new Google ID sign-in in their custom or line of business applications to invite external users or enable self-service sign-up will have the restrictions applied immediately. As a result, end-users will be met with an error screen that blocks their Gmail sign-in if the authentication is not moved to a system webview. See the docs linked below for details.

Most apps use system web-view by default, and will not be impacted by this change. This only applies to customers using embedded webviews (the non-default setting.) We advise customers to move their application's authentication to system browsers instead, prior to creating any new Google integrations. To learn how to move to system browsers for Gmail authentications, read the Embedded vs System Web UI section in the Using web browsers (MSAL.NET) documentation. All MSAL SDKs use the system web-view by default. Learn more.


Google sign-in on embedded web-views expiring September 30, 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

About two months ago we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021.

Recently, Google has specified the date to be September 30, 2021.

Rolling out globally beginning September 30, 2021, Azure AD B2B guests signing in with their Gmail accounts will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. This applies to invited guests and guests who signed up using Self-Service Sign-Up.

Azure AD B2C customers who have set up embedded webview Gmail authentications in their custom/line of business apps, or have existing Google integrations, will no longer be able to let their users sign in with Gmail accounts. To mitigate this, make sure to modify your apps to use the system browser for sign-in. For more information, read the Embedded vs System Web UI section in the Using web browsers (MSAL.NET) documentation. All MSAL SDKs use the system web-view by default.

As the device login flow will start rolling out on September 30, 2021, it may not be rolled out to your region yet; in that case, your end users will be met with the error screen shown in the documentation until it gets deployed to your region.

For details on known impacted scenarios and what experience your users can expect, read Add Google as an identity provider for B2B guest users.


Bug fixes in My Apps

Type: Fixed
Service category: My Apps
Product capability: End User Experiences

  • Previously, the presence of the banner recommending the use of collections caused content to scroll behind the header. This issue has been resolved.
  • Previously, adding apps to a collection could randomly reorder the apps in the All Apps collection. This issue has also been resolved.

For more information on My Apps, read Sign in and start apps from the My Apps portal.


Public preview - Application authentication method policies

Type: New feature
Service category: MS Graph
Product capability: Developer Experience

Application authentication method policies in MS Graph allow IT admins to enforce a lifetime on application password secret credentials or to block the use of secrets altogether. Policies can be enforced for an entire tenant as a default configuration, and they can be scoped to specific applications or service principals. Learn more.
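As an added example rather than anything from the page or Microsoft's own tooling, this Python builds the tenant default policy body that caps secret lifetime (and optionally blocks new secrets) and checks an application's existing password credentials against the same cap; the Graph endpoints and the restriction object shape (restrictionType, maxLifetime, restrictForAppsCreatedAfterDateTime) are assumed from the Graph reference, and the sample application is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed Graph endpoints (verify against the Graph reference for your tenant):
#   PATCH https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy
#   PATCH https://graph.microsoft.com/v1.0/policies/appManagementPolicies/{id}
# Both take the applicationRestrictions shape built below.


def build_default_policy(max_lifetime_days, block_new_secrets=False,
                         created_after="2021-01-01T00:00:00Z"):
    """Return the PATCH body for the tenant-wide default app management policy.

    Restrictions apply to apps created after `created_after`, so existing apps
    keep working (assumed semantics of restrictForAppsCreatedAfterDateTime).
    """
    restrictions = [
        {
            "restrictionType": "passwordLifetime",
            "maxLifetime": f"P{max_lifetime_days}D",  # ISO 8601 duration
            "restrictForAppsCreatedAfterDateTime": created_after,
        }
    ]
    if block_new_secrets:
        # Block creation of new secrets entirely; apps must use certificates.
        restrictions.append(
            {
                "restrictionType": "passwordAddition",
                "maxLifetime": None,
                "restrictForAppsCreatedAfterDateTime": created_after,
            }
        )
    return {
        "isEnabled": True,
        "applicationRestrictions": {"passwordCredentials": restrictions},
    }


def _parse_graph_time(value):
    """Parse a Graph timestamp such as "2021-03-01T00:00:00Z" (fractional seconds ignored)."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secrets_exceeding_lifetime(app, max_lifetime_days):
    """Return keyIds of password credentials whose validity window is longer than allowed.

    `app` is a Graph application object; only its passwordCredentials are read.
    Useful for auditing apps created before the policy took effect.
    """
    limit = timedelta(days=max_lifetime_days)
    offenders = []
    for cred in app.get("passwordCredentials", []):
        start = _parse_graph_time(cred["startDateTime"])
        end = _parse_graph_time(cred["endDateTime"])
        if end - start > limit:
            offenders.append(cred["keyId"])
    return offenders


SAMPLE_APP = {  # constructed sample application, not a real tenant object
    "displayName": "payroll-sync",
    "passwordCredentials": [
        {"keyId": "key-0001", "startDateTime": "2021-03-01T00:00:00Z",
         "endDateTime": "2021-05-30T00:00:00Z"},   # 90 days: within the cap
        {"keyId": "key-0002", "startDateTime": "2021-03-01T00:00:00Z",
         "endDateTime": "2023-03-01T00:00:00Z"},   # 2 years: exceeds the cap
    ],
}

if __name__ == "__main__":
    print(build_default_policy(90, block_new_secrets=False))
    print(secrets_exceeding_lifetime(SAMPLE_APP, 90))
```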


Public preview - Authentication Methods registration campaign to download Microsoft Authenticator

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

The Authenticator registration campaign helps admins to move their organizations to a more secure posture by prompting users to adopt the Microsoft Authenticator app. Prior to this feature, there was no way for an admin to push their users to set up the Authenticator app.

The registration campaign comes with the ability for an admin to scope users and groups by including and excluding them from the registration campaign to ensure a smooth adoption across the organization. Learn more.


Public preview - Separation of duties check

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will then be unable to request more access. Learn more.


Public preview - Identity Protection logs in Log Analytics, Storage Accounts, and Event Hubs

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

You can now send the risky users and risk detections logs to Azure Monitor, Storage Accounts, or Log Analytics using the Diagnostic Settings in the Azure AD blade. Learn more.


Public preview - Application Proxy API addition for backend SSL certificate validation

Type: New feature
Service category: App Proxy
Product capability: Access Control

The onPremisesPublishing resource type now includes the property "isBackendCertificateValidationEnabled", which indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property will be set to true by default. For all existing apps, the property will be set to false. For more information, read the onPremisesPublishing resource type API.


General availability - Improved Authenticator setup experience for adding an Azure AD account in the Microsoft Authenticator app by signing directly into the app

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Users can now use their existing authentication methods to directly sign into the Microsoft Authenticator app to set up their credential. Users don't need to scan a QR Code anymore and can use a Temporary Access Pass (TAP) or Password + SMS (or other authentication method) to configure their account in the Authenticator app.

This improves the user credential provisioning process for the Microsoft Authenticator app and gives the end user a self-service method to provision the app. Learn more.


General availability - Set manager as reviewer in Azure AD entitlement management access packages

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

Access packages in Azure AD entitlement management now support setting the user's manager as the reviewer for regularly occurring access reviews. Learn more.


General availability - Enable external users to self-service sign-up in AAD using MSA accounts

Type: New feature
Service category: B2B
Product capability: B2B/B2C

You can now enable external users to self-service sign up in Azure Active Directory using Microsoft accounts. Learn more.


General availability - External Identities Self-Service Sign-Up with Email One-time Passcode

Type: New feature
Service category: B2B
Product capability: B2B/B2C

You can now enable external users to self-service sign up in Azure Active Directory using their email and a one-time passcode. Learn more.


General availability - Anomalous token

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Anomalous token detection is now available in Identity Protection. This feature can detect abnormal characteristics in a token, such as its active time or authentication from an unfamiliar IP address. Learn more.


General availability - Register or join devices in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The Register or join devices user action in Conditional Access is now in general availability. This user action allows you to control multifactor authentication (MFA) policies for Azure AD device registration.

Currently, this user action only allows you to enable multifactor authentication (MFA) as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. Learn more.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, read Automate user provisioning to SaaS applications with Azure AD.


Changes to security and Microsoft 365 group settings in Azure portal

Type: Changed feature
Service category: Group Management
Product capability: Directory

In the past, users could create security groups and Microsoft 365 groups in the Azure portal. Now users will have the ability to create groups across Azure portals, PowerShell, and API. Customers are required to verify that the new settings have been configured for their organization and update them as needed. Learn more.


"All Apps" collection has been renamed to "Apps"

Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

In the My Apps portal, the collection that was called "All Apps" has been renamed to be called "Apps". As the product evolves, "Apps" is a more fitting name for this default collection. Learn more.


June 2021

Context panes to display risk details in Identity Protection Reports

Type: Plan for change
Service category: Identity Protection
Product capability: Identity Security & Protection

For the Risky users, Risky sign-ins, and Risk detections reports in Identity Protection, the risk details of a selected entry will be shown in a context pane appearing from the right of the page in July 2021. The change only impacts the user interface and won't affect any existing functionality. To learn more about the functionality of these features, refer to How To: Investigate risk.


Public preview - create Azure AD access reviews of Service Principals that are assigned to privileged roles

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

You can use Azure AD access reviews to review service principals' access to privileged Azure AD and Azure resource roles. Learn more.


Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Now group owners in Azure AD can create and manage Azure AD access reviews on their groups. This ability can be enabled by tenant administrators through Azure AD access review settings and is disabled by default. Learn more.


Public preview - customers can scope access reviews of privileged roles to just users with eligible or active access

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

When admins create access reviews of assignments to privileged roles, they can scope the reviews to only eligibly assigned users or only actively assigned users. Learn more.


Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies

Type: New feature
Service category: Other
Product capability: Device Lifecycle Management

Microsoft Graph support for the Mobility (MDM/MAM) configuration in Azure AD is in public preview. Administrators can configure user scope and URLs for MDM applications like Intune using Microsoft Graph v1.0. For more information, see the mobilityManagementPolicy resource type.


General availability - Custom questions in access package request flow in Azure Active Directory entitlement management

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

Azure AD entitlement management now supports the creation of custom questions in the access package request flow. This feature allows you to configure custom questions in the access package policy. These questions are shown to requestors who can input their answers as part of the access request process. These answers will be displayed to approvers, giving them helpful information that empowers them to make better decisions on the access request. Learn more.


General availability - Multi-geo SharePoint sites as resources in Entitlement Management Access Packages

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

Access packages in Entitlement Management now support multi-geo SharePoint sites for customers who use the multi-geo capabilities in SharePoint Online. Learn more.


General availability - Knowledge Admin and Knowledge Manager built-in roles

Type: New feature
Service category: RBAC
Product capability: Access Control

Two new roles, Knowledge Administrator and Knowledge Manager, are now in general availability.

  • Users in the Knowledge Administrator role have full access to all Organizational knowledge settings in the Microsoft 365 admin center. They can create and manage content, like topics and acronyms. Additionally, these users can create content centers, monitor service health, and create service requests. Learn more.
  • Users in the Knowledge Manager role can create and manage content and are primarily responsible for the quality and structure of knowledge. They have full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers. Learn more.


General availability - Cloud App Security Administrator built-in role

Type: New feature
Service category: RBAC
Product capability: Access Control

Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and do governance actions. Learn more.


General availability - Windows Update Deployment Administrator

Type: New feature
Service category: RBAC
Product capability: Access Control

Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed. Also, users can specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress. Learn more.


General availability - multi-camera support for Windows Hello

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Now with the Windows 10 21H1 update, Windows Hello supports multiple cameras. The update defaults to the external camera when both built-in and external cameras are present. Learn more.


General availability - Access Reviews MS Graph APIs now in v1.0

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Azure Active Directory access reviews MS Graph APIs are now in v1.0 and support fully configurable access reviews features. Learn more.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2021, we added the following 42 new applications to our App gallery with Federation support:

Taksel, IDrive360, VIDA, ProProfs Classroom, WAN-Sign, Citrix Cloud SAML SSO, Fabric, DssAD, RICOH Creative Collaboration RICC, Styleflow, Chaos, Traced Connector, Squarespace, MX3 Diagnostics Connector, Ten Spot, Finvari, Mobile4ERP, WalkMe US OpenID Connect, Neustar UltraDNS, cloudtamer.io, A Cloud Guru, PetroVue, Postman, ReadCube Papers, Peklostroj, SynCloud, Polymerhq.io, Bonos, Astra Schedule, Draup, Inc, Applied Mental Health, iHASCO Training, Nexsure, XEOX, Plandisc, foundU, Standard for Success Accreditation, Penji Teams, CheckPoint Infinity Portal, Teamgo, Hopsworks.ai, HoloMeeting 2

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Device code flow now includes an app verification prompt

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

The device code flow has been updated to include one extra user prompt. While signing in, the user will see a prompt asking them to validate the app they're signing into. The prompt ensures that they aren't subject to a phishing attack. Learn more.


User last sign-in date and time is now available on Azure portal

Type: Changed feature
Service category: User Management
Product capability: User Management

You can now view your users' last sign-in date and time stamp on the Azure portal. The information is available for each user on the user profile page. This information helps you identify inactive users and effectively manage risky events. Learn more.


MIM BHOLD Suite impact of end of support for Microsoft Silverlight

Type: Changed feature
Service category: Microsoft Identity Manager
Product capability: Identity Governance

Microsoft Silverlight will reach its end of support on October 12, 2021. This change only impacts customers using the Microsoft BHOLD Suite, and doesn't impact other Microsoft Identity Manager scenarios. For more information, see Silverlight End of Support.

Users who haven't installed Microsoft Silverlight in their browser can't use the BHOLD Suite modules which require Silverlight. This includes the BHOLD Model Generator, BHOLD FIM Self-service integration, and BHOLD Analytics. Customers with an existing BHOLD deployment of one or more of those modules should plan to uninstall those modules from their BHOLD server computers by October 2021. Also, they should plan to uninstall Silverlight from any user computers that were previously interacting with that BHOLD deployment.


My* experiences: End of support for Internet Explorer 11

Type: Deprecated
Service category: My Apps
Product capability: End User Experiences

Microsoft 365 and other apps are ending support for Internet Explorer 11 on August 21, 2021, and this includes the My* experiences. The My* experiences accessed via Internet Explorer won't receive bug fixes or any updates, which may lead to issues. These dates are being driven by the Edge team and may be subject to change. Learn more.


Planned deprecation - Malware linked IP address detection in Identity Protection

Type: Deprecated
Service category: Identity Protection
Product capability: Identity Security & Protection

Starting October 1, 2021, Azure AD Identity Protection will no longer generate the "Malware linked IP address" detection. No action is required and customers will remain protected by the other detections provided by Identity Protection. To learn more about protection policies, refer to Identity Protection policies.


May 2021

Public preview - Azure AD verifiable credentials

Type: New feature
Service category: Other
Product capability: User Authentication

Azure AD customers can now easily design and issue verifiable credentials. Verifiable credentials can be used to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. Learn more.


Public preview - Device code flow now includes an app verification prompt

Type: New feature
Service category: User Authentication
Product capability: Authentications (Logins)

As a security improvement, the device code flow has been updated to include another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and is expected to be complete by June 30.

To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: "Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it cannot be removed or bypassed. Learn more.


Public preview - build and test expressions for user provisioning

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

The expression builder allows you to create and test expressions, without having to wait for the full sync cycle. Learn more.


Public preview - enhanced audit logs for Conditional Access policy changes

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

An important aspect of managing Conditional Access is understanding changes to your policies over time. Policy changes may cause disruptions for your end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical.

In addition to showing who made a policy change and when, the audit logs will now also contain a modified properties value. This change gives admins greater visibility into what assignments, conditions, or controls changed. If you want to revert to a previous version of a policy, you can copy the JSON representation of the old version and use the Conditional Access APIs to change the policy to its previous state. Learn more.
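As an added example (not code from the page or from Microsoft), here is a Python helper that reads one such audit entry, reports which policy properties changed and by whom, and produces the old version as a body for a Conditional Access policy PATCH; the entry shape (targetResources[].modifiedProperties[] carrying a ConditionalAccessPolicy property whose oldValue and newValue are JSON strings) is assumed, and the entry below is constructed.

```python
import json


def _find_policy_change(entry):
    """Locate the ConditionalAccessPolicy modified property in an audit entry.

    Assumed shape: targetResources[].modifiedProperties[] with displayName,
    oldValue and newValue, the values being JSON strings (oldValue is empty
    when the entry recorded a policy creation). Returns (target, property),
    or (None, None) when the entry is not a Conditional Access policy change.
    """
    for target in entry.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConditionalAccessPolicy":
                return target, prop
    return None, None


def _load(value):
    return json.loads(value) if value else {}


def _diff(old, new, path=""):
    """Recursive diff of two policy documents keyed by dotted path; lists are compared whole."""
    if isinstance(old, dict) and isinstance(new, dict):
        changes = {}
        for key in sorted(set(old) | set(new)):
            child = f"{path}.{key}" if path else key
            changes.update(_diff(old.get(key), new.get(key), child))
        return changes
    return {} if old == new else {path: {"old": old, "new": new}}


def diff_policy_change(entry):
    """Summarize who changed which policy properties, and when."""
    target, prop = _find_policy_change(entry)
    if prop is None:
        return None
    initiated = entry.get("initiatedBy", {})
    actor = ((initiated.get("user") or {}).get("userPrincipalName")
             or (initiated.get("app") or {}).get("displayName"))
    return {
        "policyId": target.get("id"),
        "policyName": target.get("displayName"),
        "actor": actor,
        "when": entry.get("activityDateTime"),
        "changed": _diff(_load(prop.get("oldValue")), _load(prop.get("newValue"))),
    }


def revert_body(entry):
    """Return the previous policy version as a PATCH body for
    /identity/conditionalAccess/policies/{policyId}, or None when there is no
    previous version (the entry recorded a policy creation)."""
    _, prop = _find_policy_change(entry)
    if prop is None or not prop.get("oldValue"):
        return None
    old = _load(prop["oldValue"])
    # Assumed: these properties are read-only on the Graph resource, so they
    # are dropped rather than sent back in the PATCH body.
    for read_only in ("id", "createdDateTime", "modifiedDateTime"):
        old.pop(read_only, None)
    return old


# Constructed policy documents and audit entry, not real tenant data.
_OLD_POLICY = {
    "id": "<policy-id-placeholder>",
    "displayName": "Require MFA for privileged users",
    "state": "enabled",
    "conditions": {"users": {"includeGroups": ["<group-id-placeholder>"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
_NEW_POLICY = dict(_OLD_POLICY, state="disabled",
                   grantControls={"operator": "OR", "builtInControls": ["block"]})

SAMPLE_ENTRY = {
    "activityDisplayName": "Update conditional access policy",
    "activityDateTime": "2021-05-12T09:30:00Z",
    "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
    "targetResources": [{
        "id": "<policy-id-placeholder>",
        "displayName": "Require MFA for privileged users",
        "modifiedProperties": [{
            "displayName": "ConditionalAccessPolicy",
            "oldValue": json.dumps(_OLD_POLICY),
            "newValue": json.dumps(_NEW_POLICY),
        }],
    }],
}

if __name__ == "__main__":
    print(json.dumps(diff_policy_change(SAMPLE_ENTRY), indent=2))
    print(json.dumps(revert_body(SAMPLE_ENTRY), indent=2))
```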


Public preview - Sign-in logs include authentication methods used during sign-in

Type: New feature
Service category: MFA
Product capability: Monitoring & Reporting

Admins can now see the sequential steps users took to sign in, including which authentication methods were used during sign-in.

To access these details, go to the Azure AD sign-in logs, select a sign-in, and then navigate to the Authentication Method Details tab. Here we have included information such as which method was used, details about the method (for example, phone number, phone name), authentication requirement satisfied, and result details. Learn more.


Public preview - PIM adds support for ABAC conditions in Azure Storage roles

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Along with the public preview of attribute-based access control (ABAC) for specific Azure RBAC roles, you can also add ABAC conditions inside Privileged Identity Management for your eligible assignments. Learn more.


General availability - Conditional Access and Identity Protection Reports in B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

B2C now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables customers to protect their users with granular risk- and location-based access controls. With these features, customers can now look at the signals and create a policy to provide more security and access to their customers. Learn more.


General availability - KMSI and Password reset now in next generation of user flows

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

The next generation of B2C user flows now supports keep me signed in (KMSI) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser. The session is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password" link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory. Learn more.


General availability - New Log Analytics workbook Application role assignment activity

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

A new workbook has been added for surfacing audit events for application role assignment changes. Learn more.


General availability - Next generation Azure AD B2C user flows

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users can enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to Create user flows in Azure AD B2C for guidance on using this feature. Learn more.


General availability - Azure Active Directory threat intelligence for sign-in risk

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

This new detection serves as an ad-hoc method to allow our security teams to notify you and protect your users by raising their session risk to a High risk when we observe an attack happening. The detection will also mark the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams. Learn more.


General availability - Conditional Access named locations improvements

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

IPv6 support in named locations is now generally available. Updates include:

  • Added the capability to define IPv6 address ranges
  • Increased limit of named locations from 90 to 195
  • Increased limit of IP ranges per named location from 1200 to 2000
  • Added capabilities to search and sort named locations and filter by location type and trust type
  • Added named locations a sign-in belonged to in the sign-in logs

Additionally, to prevent admins from defining problematic named locations, extra checks have been added to reduce the chance of misconfiguration. Learn more.


General availability - Restricted guest access permissions in Azure AD

Type: New feature
Service category: User Management
Product capability: Directory

Directory level permissions for guest users have been updated. These permissions allow administrators to require extra restrictions and controls on external guest user access.

Admins can now add more restrictions on external guests' access to users' and groups' profile and membership information. Also, customers can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in. To learn more, see Restrict guest access permissions in Azure Active Directory.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2021, we added the following 29 new applications to our App gallery with Federation support:

InviteDesk, Webrecruit ATS, Workshop, Gravity Sketch, JustLogin, Custellence, WEVO, AppTec360 MDM, Filemail, Ardoq, Leadfamly, Documo, Autodesk SSO, Check Point Harmony Connect, BrightHire, Rescana, Bluewhale, AlacrityLaw, Equisolve, Zip, Cognician, Acra, VaultMe, TAP App Security, Cavelo Office365 Cloud Connector, Clebex, Banyan Command Center, Check Point Remote Access VPN, LogMeIn

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Improved Conditional Access Messaging for Android and iOS

Type: Changed feature
Service category: Device Registration and Management
Product capability: End User Experiences

We've updated the wording on the Conditional Access screen shown to users when they're blocked from accessing corporate resources. They'll be blocked until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed:

  • "Help us keep your device secure" has changed to "Set up your device to get access"
  • "Your sign-in was successful but your admin requires your device to be managed by Microsoft to access this resource." to "[Organization's name] requires you to secure this device before you can access [organization's name] email, files, and data."
  • "Enroll Now" to "Continue"

The information in Enroll your Android enterprise device is out of date.


Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting in June, Azure AD will begin prompting the user for consent when this access is given across organizations. This ensures that the user understands that the organization that owns the document will collect some information about the user as part of the document access. Learn more.


Provisioning logs schema change impacting Graph API and Azure Monitor integration

Type: Changed feature
Service category: App Provisioning
Product capability: Monitoring & Reporting

The attributes "action" and "statusInfo" will be changed to "provisioningAction" and "provisioningStatusInfo". Update any scripts that you have created using the provisioning logs Graph API or Azure Monitor integrations.
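The following Python shim is an added example, not Microsoft's code: it accepts provisioning log records in either schema, translates the old attribute names to the new ones, reports records that still use the old names, and aggregates failures per action; the record shape (a Graph provisioningObjectSummary with a nested status object) is assumed and the records are constructed.

```python
# Old and new attribute names on provisioning log records (Graph
# provisioningObjectSummary; shape assumed for this example).
_RENAMED = {"action": "provisioningAction", "statusInfo": "provisioningStatusInfo"}


def legacy_keys_present(record):
    """Return the old attribute names a record still uses (empty once the new schema is in use)."""
    return [old for old in _RENAMED if old in record]


def normalize_record(record):
    """Return a copy of the record using the new attribute names only.

    Both schemas may appear in the same export while the change rolls out;
    when a record carries both names, the new one is kept.
    """
    out = dict(record)
    for old, new in _RENAMED.items():
        if old in out:
            value = out.pop(old)
            out.setdefault(new, value)
    return out


def failures_by_action(records):
    """Count failed provisioning operations per action over mixed-schema records.

    Assumed status shape: provisioningStatusInfo is an object whose "status"
    is "success", "failure", "skipped" or "warning".
    """
    counts = {}
    for rec in map(normalize_record, records):
        status = rec.get("provisioningStatusInfo") or {}
        if status.get("status") == "failure":
            action = rec.get("provisioningAction", "unknown")
            counts[action] = counts.get(action, 0) + 1
    return counts


SAMPLE_RECORDS = [  # constructed records, not real provisioning logs
    {"id": "r1", "action": "create", "statusInfo": {"status": "failure"},
     "targetIdentity": {"displayName": "alice"}},                 # old schema
    {"id": "r2", "provisioningAction": "create",
     "provisioningStatusInfo": {"status": "success"}},            # new schema
    {"id": "r3", "provisioningAction": "update",
     "provisioningStatusInfo": {"status": "failure"}},            # new schema
    {"id": "r4", "action": "delete", "statusInfo": {"status": "failure"},
     "provisioningStatusInfo": {"status": "skipped"}},            # both: new wins
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        if legacy_keys_present(rec):
            print(f"record {rec['id']} still uses old attribute names: {legacy_keys_present(rec)}")
    print(failures_by_action(SAMPLE_RECORDS))
```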


New ARM API to manage PIM for Azure Resources and Azure AD roles

Type: Changed feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

An updated version of the PIM API for Azure Resource roles and Azure AD roles has been released. The PIM API for Azure Resource roles is now released under the ARM API standard, which aligns with the role management API for regular Azure role assignment. Likewise, the PIM API for Azure AD roles is released under the Graph API, aligned with the unifiedRoleManagement APIs. Some of the benefits of this change include:

  • Alignment of the PIM API with objects in ARM and Graph for role management
  • Reducing the need to call PIM to onboard new Azure resources
  • All Azure resources automatically work with the new PIM API
  • Reducing the need to call PIM for role definitions or to keep a PIM resource ID
  • Supporting app-only API permissions in PIM for both Azure AD and Azure Resource roles

A previous version of the PIM API under /privilegedaccess will continue to function, but we recommend that you move to this new API going forward. Learn more.


Revision of roles in Azure AD entitlement management

Type: Changed feature
Service category: Roles
Product capability: Entitlement Management

A new role, Identity Governance Administrator, has recently been introduced. This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. If you have assigned administrators to the User Administrator role or have them activate this role to manage access packages in Azure AD entitlement management, switch to the Identity Governance Administrator role instead. The User Administrator role will no longer provide administrative rights to catalogs or access packages. Learn more.