What's new in Azure Active Directory?

Get notified when to revisit this page for updates by copying and pasting this URL into your RSS feed reader: https://docs.microsoft.com/api/search/rss?search=%22release+notes+for+azure+AD%22&locale=en-us

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items that are older than six months, you can find them in the Archive for What's new in Azure Active Directory.


December 2019

Integrate SAP SuccessFactors provisioning into Azure AD and on-premises AD (Public Preview)

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

You can now integrate SAP SuccessFactors as an authoritative identity source in Azure AD. This integration helps you automate the end-to-end identity lifecycle, including using HR-based events, like new hires or terminations, to control provisioning of Azure AD accounts.

For more information about how to set up SAP SuccessFactors inbound provisioning to Azure AD, see the Configure SAP SuccessFactors automatic provisioning tutorial.


Support for customized emails in Azure AD B2C (Public Preview)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now use Azure AD B2C to create customized emails when your users sign up to use your apps. By using DisplayControls (currently in preview) and a third-party email provider (such as, SendGrid, SparkPost, or a custom REST API), you can use your own email template, From address, and subject text, as well as support localization and custom one-time password (OTP) settings.

For more information, see Custom email verification in Azure Active Directory B2C.


Replacement of baseline policies with security defaults

Type: Changed feature
Service category: Other
Product capability: Identity Security and Protection

As part of a secure-by-default model for authentication, we’re removing the existing baseline protection policies from all tenants. This removal is targeted for completion at the end of February. The replacement for these baseline protection policies is security defaults. If you’ve been using baseline protection policies, you must plan to move to the new security defaults policy or to Conditional Access. If you haven’t used these policies, there is no action for you to take.

For more information about the new security defaults, see What are security defaults? For more information about Conditional Access policies, see Common Conditional Access policies.


November 2019

Support for the SameSite attribute and Chrome 80

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the SameSite attribute. Any cookie that doesn't specify the SameSite attribute will be treated as though it was set to SameSite=Lax, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that your app may depend on. To maintain the older Chrome behavior, you can use the SameSite=None attribute and add an additional Secure attribute, so cross-site cookies can only be accessed over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020.

We recommend all our developers test their apps using this guidance:

  • Set the default value for the Use Secure Cookie setting to Yes.

  • Set the default value for the SameSite attribute to None.

  • Add the additional Secure attribute.

For more information, see Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core and Potential disruption to customer websites and Microsoft products and services in Chrome version 79 and later.


New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2)

Type: Fixed
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

A hotfix rollup package (build 4.6.34.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the "Issues fixed and improvements added in this update" section.

For more information and to download the hotfix package, see Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available.


New AD FS app activity report to help migrate apps to Azure AD (Public Preview)

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Use the new Active Directory Federation Services (AD FS) app activity report, in the Azure portal, to identify which of your apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration.

For more information, see Use the AD FS application activity report to migrate applications to Azure AD.


New admin consent workflow (Public Preview)

Type: New feature
Service category: Enterprise Apps
Product capability: Access Control

The new admin consent workflow gives admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that's accessible from the Azure portal, to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action.

For more information, see Configure the admin consent workflow (preview).


New Azure AD App Registrations Token configuration experience for managing optional claims (Public Preview)

Type: New feature
Service category: Other
Product capability: Developer Experience

The new Azure AD App Registrations Token configuration blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations.

For more information, see Provide optional claims to your Azure AD app.


New two-stage approval workflow in Azure AD entitlement management (Public Preview)

Type: New feature
Service category: Other
Product capability: Entitlement Management

We've introduced a new two-stage approval workflow that allows you to require two approvers to approve a user's request to an access package. For example, you can set it so the requesting user's manager must first approve, and then you can also require a resource owner to approve. If one of the approvers doesn't approve, access isn't granted.

For more information, see Change request and approval settings for an access package in Azure AD entitlement management.


Updates to the My Apps page along with new workspaces (General Availability)

Type: New feature
Service category: My Apps
Product capability: 3rd Party Integration

You can now customize the way your organization's users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for your users to find and organize apps.

For more information about the new My Apps experience and creating workspaces, see Create workspaces on the My Apps portal.


Google social ID support for Azure AD B2B collaboration (General Availability)

Type: New feature
Service category: B2B
Product capability: User Authentication

New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for your users and partners. There's no longer a need for your partners to create and manage a new Microsoft-specific account. Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints.

For more information, see Add Google as an identity provider for B2B guest users.


Microsoft Edge Mobile Support for Conditional Access and Single Sign-on (General Availability)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Azure AD for Microsoft Edge on iOS and Android now supports Azure AD Single Sign-On and Conditional Access:

  • Microsoft Edge single sign-on (SSO): Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD-connected apps.

  • Microsoft Edge conditional access: Through application-based conditional access policies, your users must use Microsoft Intune-protected browsers, such as Microsoft Edge.

For more information about conditional access and SSO with Microsoft Edge, see the Microsoft Edge Mobile Support for Conditional Access and Single Sign-on Now Generally Available blog post. For more information about how to set up your client apps using app-based conditional access or device-based conditional access, see Manage web access using a Microsoft Intune policy-protected browser.


Azure AD entitlement management (General Availability)

Type: New feature
Service category: Other
Product capability: Entitlement Management

Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites.

With Azure AD entitlement management, you can more efficiently manage access both for employees and also for users outside your organization who need access to those resources.

For more information, see What is Azure AD entitlement management?


Automate user account provisioning for these newly supported SaaS apps

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

SAP Cloud Platform Identity Authentication Service, RingCentral, SpaceIQ, Miro, Cloudgate, Infor CloudSuite, OfficeSpace Software, Priority Matrix

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


New Federated Apps available in Azure AD app gallery - November 2019

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2019, we've added these 21 new apps with Federation support to the app gallery:

Airtable, Hootsuite, Blue Access for Members (BAM), Bitly, Riva, ResLife Portal, NegometrixPortal Single Sign On (SSO), TeamsChamp, Motus, MyAryaka, BlueMail, Beedle, Visma, OneDesk, Foko Retail, Qmarkets Idea & Innovation Management, Netskope User Authentication, uniFLOW Online, Claromentis, Jisc Student Voter Registration, e4enable

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Updated Azure AD application gallery

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

We've updated the Azure AD application gallery to make it easier for you to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on your Azure Active Directory tenant.

For more information, see Add an application to your Azure Active Directory tenant.


Increased app role definition length limit from 120 to 240 characters

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

We've heard from customers that the length limit for the app role definition value in some apps and services is too short at 120 characters. In response, we've increased the maximum length of the role value definition to 240 characters.

For more information about using application-specific role definitions, see Add app roles in your application and receive them in the token.


October 2019

Deprecation of the identityRiskEvent API for Azure AD Identity Protection risk detections

Type: Plan for change
Service category: Identity Protection
Product capability: Identity Security & Protection

In response to developer feedback, Azure AD Premium P2 subscribers can now perform complex queries on Azure AD Identity Protection’s risk detection data by using the new riskDetection API for Microsoft Graph. The existing identityRiskEvent API beta version will stop returning data around January 10, 2020. If your organization is using the identityRiskEvent API, you should transition to the new riskDetection API.

For more information about the new riskDetection API, see the Risk detection API reference documentation.


Application Proxy support for the SameSite Attribute and Chrome 80

Type: Plan for change
Service category: App Proxy
Product capability: Access Control

A couple of weeks prior to the Chrome 80 browser release, we plan to update how Application Proxy cookies treat the SameSite attribute. With the release of Chrome 80, any cookie that doesn't specify the SameSite attribute will be treated as though it was set to SameSite=Lax.

To help avoid potentially negative impacts due to this change, we're updating Application Proxy access and session cookies by:

  • Setting the default value for the Use Secure Cookie setting to Yes.

  • Setting the default value for the SameSite attribute to None.

    Note

    Application Proxy access cookies have always been transmitted exclusively over secure channels. These changes only apply to session cookies.

For more information about the Application Proxy cookie settings, see Cookie settings for accessing on-premises applications in Azure Active Directory.
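The developer guidance under "Support for the SameSite attribute and Chrome 80" (November 2019) and the Application Proxy change above come down to the same check on every Set-Cookie header your app or proxy emits: a cookie with no SameSite attribute will be treated as Lax and stop flowing cross-site, and SameSite=None only survives when Secure is also present. The script below is an added example, not Microsoft code, that models the Chrome 80 behaviour described on this page over a set of constructed Set-Cookie values: it parses each header, reports how Chrome 80 will treat it, and produces the hardened form (SameSite=None; Secure) for cookies that must be shared cross-site. The cookie names and values are made up for illustration.

```javascript
// Added example (not Microsoft code): audit Set-Cookie header values against
// the Chrome 80 SameSite defaults described in the release notes.
// Sample headers are constructed for illustration only.

// Parse one Set-Cookie header value into its name and a lower-cased attribute map.
// Value-less attributes such as Secure and HttpOnly are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Report how Chrome 80 treats the cookie and whether cross-site use survives:
//   - no SameSite attribute      -> treated as Lax (cross-site requests drop it)
//   - SameSite=None without Secure -> rejected outright
//   - SameSite=None; Secure        -> cross-site use allowed over HTTPS only
//   - SameSite=Lax / Strict        -> first-party only, by the app's own choice
// Unrecognized SameSite values are treated as if the attribute were absent,
// which is how Chromium handles invalid values (assumption stated here).
function classifyCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const secure = attributes.secure === true;
  const raw = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : undefined;

  if (raw === 'none') {
    return secure
      ? { name, effective: 'None', crossSiteOk: true, finding: 'ok: SameSite=None with Secure' }
      : { name, effective: 'rejected', crossSiteOk: false, finding: 'SameSite=None without Secure is rejected; add Secure' };
  }
  if (raw === 'lax' || raw === 'strict') {
    const effective = raw === 'lax' ? 'Lax' : 'Strict';
    return { name, effective, crossSiteOk: false, finding: `ok: explicit SameSite=${effective} (first-party only)` };
  }
  const why = raw === undefined ? 'no SameSite attribute' : `unrecognized SameSite value "${attributes.samesite}"`;
  return {
    name,
    effective: 'Lax',
    crossSiteOk: false,
    finding: `${why}: Chrome 80 defaults to Lax; set SameSite=None and Secure if cross-site use is required`,
  };
}

// Rewrite a header into the recommended cross-site form: keep every other
// attribute, drop any existing SameSite/Secure, then append SameSite=None; Secure.
function hardenForCrossSite(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const kept = parts.filter((p, i) => {
    if (i === 0) return true; // name=value pair is always kept
    const key = p.split('=')[0].trim().toLowerCase();
    return key !== 'samesite' && key !== 'secure';
  });
  return [...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Audit a list of headers and return one finding per cookie.
function auditSetCookies(headers) {
  return headers.map((h) => ({ header: h, ...classifyCookie(h) }));
}

// Constructed sample headers (not captured from any real service).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',                 // unspecified -> Lax
  'sso=xyz789; Path=/; SameSite=None',                 // None without Secure -> rejected
  'token=t1; Secure; SameSite=None; HttpOnly',         // correct cross-site form
  'prefs=dark; Path=/; SameSite=Lax',                  // explicitly first-party
];

for (const f of auditSetCookies(SAMPLE_HEADERS)) {
  console.log(`${f.name}: ${f.effective} - ${f.finding}`);
}
```

Run it with `node` to see one line per cookie. Only cookies that genuinely need cross-site delivery (an SSO or proxy session cookie embedded in another origin, for example) should be passed through `hardenForCrossSite`; first-party cookies are safer left at Lax or Strict. Because Secure restricts the cookie to HTTPS, a hardened cookie will not be set at all on a plain-HTTP development origin, which is the behaviour the page's guidance intends.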


App registrations (legacy) and converged app management from the Application Registration Portal (apps.dev.microsoft.com) will no longer be available

Type: Plan for change
Service category: N/A
Product capability: Developer Experience

In the near future, users with Azure AD accounts will no longer be able to register and manage converged applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage applications in the App registrations (legacy) experience in the Azure portal.

To learn more about the new App registrations experience, see the App registrations in the Azure portal training guide.


Users are no longer required to re-register during migration from per-user MFA to Conditional Access-based MFA

Type: Fixed
Service category: MFA
Product capability: Identity Security & Protection

We've fixed a known issue where users were required to re-register if they were disabled for per-user Multi-Factor Authentication (MFA) and then enabled for MFA through a Conditional Access policy.

To require users to re-register, you can select the Required re-register MFA option from the user's authentication methods in the Azure AD portal. For more information about migrating users from per-user MFA to Conditional Access-based MFA, see Convert users from per-user MFA to Conditional Access based MFA.


New capabilities to transform and send claims in your SAML token

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

We've added additional capabilities to help you to customize and send claims in your SAML token. These new capabilities include:

  • Additional claims transformation functions, helping you to modify the value you send in the claim.

  • Ability to apply multiple transformations to a single claim.

  • Ability to specify the claim source, based on the user type and the group to which the user belongs.

For detailed information about these new capabilities, including how to use them, see Customize claims issued in the SAML token for enterprise applications.


New My Sign-ins page for end users in Azure AD

Type: New feature
Service category: Authentications (Logins)
Product capability: Monitoring & Reporting

We've added a new My Sign-ins page (https://mysignins.microsoft.com) to let your organization's users view their recent sign-in history to check for any unusual activity. This new page allows your users to see:

  • If anyone is attempting to guess their password.

  • If an attacker successfully signed in to their account and from what location.

  • What apps the attacker tried to access.

For more information, see the Users can now check their sign-in history for unusual activity blog.


Migration of Azure AD Domain Services (Azure AD DS) from classic to Azure Resource Manager virtual networks

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

To our customers who have been stuck on classic virtual networks -- we have great news for you! You can now perform a one-time migration from a classic virtual network to an existing Resource Manager virtual network. After moving to the Resource Manager virtual network, you'll be able to take advantage of the additional and upgraded features such as fine-grained password policies, email notifications, and audit logs.

For more information, see Preview - Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager.


Updates to the Azure AD B2C page contract layout

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

We've introduced some new changes to version 1.2.0 of the page contract for Azure AD B2C. In this updated version, you can now control the load order for your elements, which can also help to stop the flicker that happens when the style sheet (CSS) is loaded.

For a full list of the changes made to the page contract, see the Version change log.


Update to the My Apps page along with new workspaces (Public preview)

Type: New feature
Service category: My Apps
Product capability: Access Control

You can now customize the way your organization's users view and access the brand-new My Apps experience, including using the new workspaces feature to make it easier for them to find apps. The new workspaces functionality acts as a filter for the apps your organization's users already have access to.

For more information on rolling out the new My Apps experience and creating workspaces, see Create workspaces on the My Apps (preview) portal.


Support for the monthly active user-based billing model (General availability)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Azure AD B2C now supports monthly active users (MAU) billing. MAU billing is based on the number of unique users with authentication activity during a calendar month. Existing customers can switch to this new billing method at any time.

Starting on November 1, 2019, all new customers will automatically be billed using this method. This billing method offers customers cost savings and the ability to plan ahead.

For more information, see Upgrade to monthly active users billing model.


New Federated Apps available in Azure AD app gallery - October 2019

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2019, we've added these 35 new apps with Federation support to the app gallery:

In Case of Crisis – Mobile, Juno Journey, ExponentHR, Tact, OpusCapita Cash Management, Salestim, Learnster, Dynatrace, HunchBuzz, Freshworks, eCornell, ShipHazmat, Netskope Cloud Security, Contentful, Bindtuning, HireVue Coordinate – EU, HireVue Coordinate - USOnly, HireVue Coordinate - US, WittyParrot Knowledge Box, Cloudmore, Visit.org, Cambium Xirrus EasyPass Portal, Paylocity, Mail Luck!, Teamie, Velocity for Teams, SIGNL4, EAB Navigate IMPL, ScreenMeet, Omega Point, Speaking Email for Intune (iPhone), Speaking Email for Office 365 Direct (iPhone/Android), ExactCare SSO, iHealthHome Care Navigation System, Qubie

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Consolidated Security menu item in the Azure AD portal

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

You can now access all of the available Azure AD security features from the new Security menu item, and from the Search bar, in the Azure portal. Additionally, the new Security landing page, called Security - Getting started, will provide links to our public documentation, security guidance, and deployment guides.

The new Security menu includes:

  • Conditional Access
  • Identity Protection
  • Security Center
  • Identity Secure Score
  • Authentication methods
  • MFA
  • Risk reports - Risky users, Risky sign-ins, Risk detections
  • And more...

For more information, see Security - Getting started.


Office 365 groups expiration policy enhanced with autorenewal

Type: Changed feature
Service category: Group Management
Product capability: Identity Lifecycle Management

The Office 365 groups expiration policy has been enhanced to automatically renew groups that are actively in use by their members. Groups will be autorenewed based on user activity across all the Office 365 apps, including Outlook, SharePoint, and Teams.

This enhancement helps to reduce your group expiration notifications and helps to make sure that active groups continue to be available. If you already have an active expiration policy for your Office 365 groups, you don't need to do anything to turn on this new functionality.

For more information, see Configure the expiration policy for Office 365 groups.


Updated Azure AD Domain Services (Azure AD DS) creation experience

Type: Changed feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

We've updated Azure AD Domain Services (Azure AD DS) to include a new and improved creation experience, helping you to create a managed domain in just three clicks! In addition, you can now upload and deploy Azure AD DS from a template.

For more information, see Tutorial: Create and configure an Azure Active Directory Domain Services instance.


September 2019

Plan for change: Deprecation of the Power BI content packs

Type: Plan for change
Service category: Reporting
Product capability: Monitoring & Reporting

Starting on October 1, 2019, Power BI will begin to deprecate all content packs, including the Azure AD Power BI content pack. As an alternative to this content pack, you can use Azure AD Workbooks to gain insights into your Azure AD-related services. Additional workbooks are coming, including workbooks about Conditional Access policies in report-only mode, app consent-based insights, and more.

For more information about the workbooks, see How to use Azure Monitor workbooks for Azure Active Directory reports. For more information about the deprecation of the content packs, see the Announcing Power BI template apps general availability blog post.


My Profile is renaming and integrating with the Microsoft Office account page

Type: Plan for change
Service category: My Profile/Account
Product capability: Collaboration

Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that currently says My Profile will change to My Account. On top of the naming change and some design improvements, the updated experience will offer additional integration with the Microsoft Office account page. Specifically, you'll be able to access Office installations and subscriptions from the Overview Account page, along with Office-related contact preferences from the Privacy page.

For more information about the My Profile (preview) experience, see My Profile (preview) portal overview.


Bulk manage groups and members using CSV files in the Azure AD portal (Public Preview)

Type: New feature
Service category: Group Management
Product capability: Collaboration

We're pleased to announce public preview availability of the bulk group management experiences in the Azure AD portal. You can now use a CSV file and the Azure AD portal to manage groups and member lists, including:

  • Adding or removing members from a group.

  • Downloading the list of groups from the directory.

  • Downloading the list of group members for a specific group.

For more information, see Bulk add members, Bulk remove members, Bulk download members list, and Bulk download groups list.


New admin consent endpoint

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We've created a new admin consent endpoint to support dynamic consent, which is helpful for apps that want to use the dynamic consent model on the Microsoft Identity platform.

For more information about how to use this new endpoint, see Using the admin consent endpoint.


New Federated Apps available in Azure AD app gallery - September 2019

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2019, we've added these 29 new apps with Federation support to the app gallery:

ScheduleLook, MS Azure SSO Access for Ethidex Compliance Office™ - Single sign-on, iServer Portal, SKYSITE, Concur Travel and Expense, WorkBoard, YeeFlow, ARC Facilities, Luware Stratus Team, Wide Ideas, Prisma Cloud, JDLT Client Hub, RENRAKU, SealPath Secure Browser, Prisma Cloud, Penneo, Hiretual, Cintoo Cloud, Whitesource, Hosted Heritage Online SSO, IDC, CakeHR, BIS, Coo Kai Team Build, Sonarqube, Adobe Identity Management, Discovery Benefits SSO, Amelio, iTask

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New Azure AD Global Reader role

Type: New feature
Service category: RBAC
Product capability: Access Control

Starting on September 24, 2019, we're going to start rolling out a new Azure Active Directory (AD) role called Global Reader. This rollout will start with production and Global cloud customers (GCC), finishing up worldwide in October.

The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can't take management actions. We’ve created the Global Reader role to help reduce the number of Global Administrators in your organization. Because Global Administrator accounts are powerful and vulnerable to attack, we recommend that you have fewer than five Global Administrators. We recommend using the Global Reader role for planning, audits, or investigations. We also recommend using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.

The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Compliance Center, Azure AD Admin Center, and the Device Management Admin Center.

Note

At the start of public preview, the Global Reader role won't work with: SharePoint, Privileged Access Management, Customer Lockbox, sensitivity labels, Teams Lifecycle, Teams Reporting & Call Analytics, Teams IP Phone Device Management, and Teams App Catalog. All of these services are intended to work with the role in the future.

For more information, see Administrator role permissions in Azure Active Directory.


Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application Proxy

Type: New feature
Service category: App Proxy
Product capability: Access Control

New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization's reports hosted on the on-premises Power BI Report Server.

For information about the Power BI Mobile app, including where to download the app, see the Power BI site. For more information about how to set up the Power BI mobile app with Azure AD Application Proxy, see Enable remote access to Power BI Mobile with Azure AD Application Proxy.


New version of the AzureADPreview PowerShell module is available

Type: Changed feature
Service category: Other
Product capability: Directory

New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:

  • Add-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Get-AzureADMSFeatureRolloutPolicy
  • New-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Set-AzureADMSFeatureRolloutPolicy


New version of Azure AD Connect

Type: Changed feature
Service category: Other
Product capability: Directory

We've released an updated version of Azure AD Connect for auto-upgrade customers. This new version includes several new features, improvements, and bug fixes. For more information about this new version, see Azure AD Connect: Version release history.


Azure Multi-Factor Authentication (MFA) Server, version 8.0.2 is now available

Type: Fixed
Service category: MFA
Product capability: Identity Security & Protection

If you're an existing customer who activated MFA Server prior to July 1, 2019, you can now download the latest version of MFA Server (version 8.0.2). In this new version, we:

  • Fixed an issue so when Azure AD sync changes a user from Disabled to Enabled, an email is sent to the user.

  • Fixed an issue so customers can successfully upgrade, while continuing to use the Tags functionality.

  • Added the Kosovo (+383) country code.

  • Added one-time bypass audit logging to the MultiFactorAuthSvc.log.

  • Improved performance for the Web Service SDK.

  • Fixed other minor bugs.

Starting July 1, 2019, Microsoft stopped offering MFA Server for new deployments. New customers who require multi-factor authentication should use cloud-based Azure Multi-Factor Authentication. For more information, see Planning a cloud-based Azure Multi-Factor Authentication deployment.


August 2019

Enhanced search, filtering, and sorting for groups is available in the Azure AD portal (Public Preview)

Type: New feature
Service category: Group Management
Product capability: Collaboration

We're pleased to announce public preview availability of the enhanced groups-related experiences in the Azure AD portal. These enhancements help you better manage groups and member lists, by providing:

  • Advanced search capabilities, such as substring search on groups lists.
  • Advanced filtering and sorting options on member and owner lists.
  • New search capabilities for member and owner lists.
  • More accurate group counts for large groups.

For more information, see Manage groups in the Azure portal.


New custom roles are available for app registration management (Public Preview)

Type: New feature
Service category: RBAC
Product capability: Access Control

Custom roles (available with an Azure AD P1 or P2 subscription) can now help provide you with fine-grained access, by letting you create role definitions with specific permissions and then assign those roles to specific resources. Currently, you create custom roles by using permissions for managing app registrations and then assigning the role to a specific app. For more information about custom roles, see Custom administrator roles in Azure Active Directory (preview).

If you need additional permissions or resources supported, which you don’t currently see, you can send feedback to our Azure feedback site and we’ll add your request to our update road map.


New provisioning logs can help you monitor and troubleshoot your app provisioning deployment (Public Preview)

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

New provisioning logs are available to help you monitor and troubleshoot the user and group provisioning deployment. These new log files include information about:

For more information, see Provisioning reports in the Azure Active Directory portal (preview).


New security reports for all Azure AD administrators (General Availability)

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, you will be able to use the banner at the top of the modern security reports to return to the old reports.

The modern security reports provide these additional capabilities over the older versions:

  • Advanced filtering and sorting
  • Bulk actions, such as dismissing user risk
  • Confirmation of compromised or safe entities
  • Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised
  • New risk-related detections (available to Azure AD Premium subscribers)

For more information, see Risky users, Risky sign-ins, and Risk detections.


User-assigned managed identity is available for Virtual Machines and Virtual Machine Scale Sets (General Availability)

Type: New feature
Service category: Managed identities for Azure resources
Product capability: Developer Experience

User-assigned managed identities are now generally available for Virtual Machines and Virtual Machine Scale Sets. As part of this, Azure can create an identity in the Azure AD tenant that's trusted by the subscription in use, and can be assigned to one or more Azure service instances. For more information about user-assigned managed identities, see What is managed identities for Azure resources?.


Users can reset their passwords using a mobile app or hardware token (General Availability)

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

Users who have registered a mobile app with your organization can now reset their own password by approving a notification from the Microsoft Authenticator app or by entering a code from their mobile app or hardware token.

For more information, see How it works: Azure AD self-service password reset. For more information about the user experience, see Reset your own work or school password overview.


ADAL.NET ignores the MSAL.NET shared cache for on-behalf-of scenarios

Type: Fixed
Service category: Authentications (Logins)
Product capability: User Authentication

Starting with Azure AD Authentication Library for .NET (ADAL.NET) version 5.0.0-preview, web apps and web APIs must serialize one token cache per account. Otherwise, some on-behalf-of flow scenarios, and some specific uses of UserAssertion, can result in an elevation of privilege. To close this issue, ADAL.NET now ignores the Microsoft Authentication Library for .NET (MSAL.NET) shared cache in on-behalf-of scenarios.

For more information about this issue, see Azure Active Directory Authentication Library Elevation of Privilege Vulnerability.


New Federated Apps available in Azure AD app gallery - August 2019

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2019, we added these 26 new apps with Federation support to the app gallery:

Civic Platform, Amazon Business, ProNovos Ops Manager, Cognidox, Viareport's Inativ Portal (Europe), Azure Databricks, Robin, Academy Attendance, Priority Matrix, Cousto MySpace, Uploadcare, Carbonite Endpoint Backup, CPQSync by Cincom, Chargebee, deliver.media™ Portal, Frontline Education, F5, stashcat AD connect, Blink, Vocoli, ProNovos Analytics, Sigstr, Darwinbox, Watch by Colors, Harness, EAB Navigate Strategic Care

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New versions of the AzureAD PowerShell and AzureADPreview PowerShell modules are available

Type: Changed feature
Service category: Other
Product capability: Directory

New updates to the AzureAD and AzureADPreview PowerShell modules are available:

  • A new -Filter parameter was added to the Get-AzureADDirectoryRole cmdlet in the AzureAD module. This parameter lets you filter the directory roles the cmdlet returns.

  • New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:

    • Get-AzureADMSRoleAssignment
    • Get-AzureADMSRoleDefinition
    • New-AzureADMSRoleAssignment
    • New-AzureADMSRoleDefinition
    • Remove-AzureADMSRoleAssignment
    • Remove-AzureADMSRoleDefinition
    • Set-AzureADMSRoleDefinition
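
The following is an added example, not code from the page or from Microsoft, that puts the custom-roles section above and these AzureADPreview cmdlets together: it defines a role limited to updating the basic properties and credentials of app registrations, assigns it to one user scoped to a single app registration rather than to the whole tenant, and reads the assignments back to confirm none is tenant-wide. The user, app and role names are placeholders; the two permission strings are the ones documented for app registration custom roles. Note that credentials/update lets the holder add a secret or certificate to the app and then authenticate as it, so keep such assignments scoped as narrowly as possible.

```powershell
# Added example: define and assign an app-registration custom role with the
# AzureADPreview cmdlets. Names and UPNs below are placeholders.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Permissions limited to app registrations; credentials/update is sensitive because
# a new secret lets the holder sign in as the application.
$allowedResourceActions = @(
    'microsoft.directory/applications/basic/update',
    'microsoft.directory/applications/credentials/update'
)
$rolePermissions = @{ allowedResourceActions = $allowedResourceActions }

$roleDefinition = New-AzureADMSRoleDefinition `
    -DisplayName 'Application Credential Rotator' `
    -Description 'Can update basic properties and credentials of assigned app registrations.' `
    -TemplateId (New-Guid).Guid `
    -RolePermissions $rolePermissions `
    -IsEnabled $true

# Scope the assignment to a single app registration: the directory scope is
# '/' followed by the application object's id, not the whole tenant ('/').
$user  = Get-AzureADUser -Filter "userPrincipalName eq 'rotator@contoso.example'"
$app   = Get-AzureADApplication -Filter "displayName eq 'Payroll Web API'"
$scope = '/' + $app.ObjectId

$assignment = New-AzureADMSRoleAssignment `
    -RoleDefinitionId $roleDefinition.Id `
    -PrincipalId $user.ObjectId `
    -DirectoryScopeId $scope

# Read back every assignment of this role and flag any that is tenant-wide.
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'" |
    ForEach-Object {
        [pscustomobject]@{
            Principal  = $_.PrincipalId
            Scope      = $_.DirectoryScopeId
            TenantWide = ($_.DirectoryScopeId -eq '/')
        }
    }
```

The final query is the check worth running periodically: a custom role created for one app but later assigned with a DirectoryScopeId of '/' silently becomes a tenant-wide right to mint credentials for every app registration.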

Improvements to the UI of the dynamic group rule builder in the Azure portal

Type: Changed feature
Service category: Group Management
Product capability: Collaboration

We've made some UI improvements to the dynamic group rule builder, available in the Azure portal, to help you more easily set up a new rule, or change existing rules. This design improvement allows you to create rules with up to five expressions, instead of just one. We've also updated the device property list to remove deprecated device properties.

For more information, see Manage dynamic membership rules.


New Microsoft Graph app permission available for use with access reviews

Type: Changed feature
Service category: Access Reviews
Product capability: Identity Governance

We've introduced a new Microsoft Graph app permission, AccessReview.ReadWrite.Membership, which allows apps to automatically create and retrieve access reviews for group memberships and app assignments. This permission can be used by your scheduled jobs or as part of your automation, without requiring a logged-in user context.

For more information, see the blog post Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell.


Azure AD activity logs are now available for government cloud instances in Azure Monitor

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're excited to announce that Azure AD activity logs are now available for government cloud instances in Azure Monitor. You can now send Azure AD logs to your storage account or to an event hub to integrate with your SIEM tools, like Sumologic, Splunk, and ArcSight.

For more information about setting up Azure Monitor, see Azure AD activity logs in Azure Monitor.


Update your users to the new, enhanced security info experience

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

On September 25, 2019, we'll be turning off the old, non-enhanced security info experience for registering and managing user security info and only turning on the new, enhanced version. This means that your users will no longer be able to use the old experience.

For more information about the enhanced security info experience, see our admin documentation and our user documentation.

To turn on this new experience, you must:

  1. Sign in to the Azure portal as a Global Administrator or User Administrator.

  2. Go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  3. In the Users can use preview features for registering and managing security info - enhanced area, select Selected, and then either choose a group of users or choose All to turn on this feature for all users in the tenant.

  4. In the Users can use preview features for registering and managing security info area, select None.

  5. Save your settings.

    After you save your settings, you'll no longer have access to the old security info experience.

Important

If you don't complete these steps before September 25, 2019, your Azure Active Directory tenant will be automatically enabled for the enhanced experience. If you have questions, please contact us at registrationpreview@microsoft.com.


Authentication requests using POST logins will be more strictly validated

Type: Changed feature
Service category: Authentications (Logins)
Product capability: Standards

Starting on September 2, 2019, authentication requests using the POST method will be more strictly validated against the HTTP standards. Specifically, spaces and double-quotes (") will no longer be removed from request form values. These changes aren't expected to break any existing clients, and will help to make sure that requests sent to Azure AD are reliably handled every time.

For more information, see the Azure AD breaking changes notices.


July 2019

Plan for change: Application Proxy service update to support only TLS 1.2

Type: Plan for change
Service category: App Proxy
Product capability: Access Control

To help provide you with our strongest encryption, we're going to begin limiting Application Proxy service access to TLS 1.2 only. This limitation will initially be rolled out to customers who are already using TLS 1.2, so they won't see any impact. Deprecation of TLS 1.0 and TLS 1.1 will be complete on August 31, 2019. Customers still using TLS 1.0 or TLS 1.1 will receive advance notice to prepare for this change.

To maintain the connection to the Application Proxy service throughout this change, we recommend that you make sure your client-server and browser-server combinations are updated to use TLS 1.2. We also recommend that you make sure to include any client systems used by your employees to access apps published through the Application Proxy service.

For more information, see Add an on-premises application for remote access through Application Proxy in Azure Active Directory.
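
As an added example (not from the page or from Microsoft), here is a readiness check you can run on a Windows client or connector host before the TLS 1.0/1.1 cutoff: it probes a published application's endpoint allowing only TLS 1.2, then reports the Schannel and .NET registry values Windows uses to enable TLS 1.2 for client connections. The host name is a placeholder, and the interpretation of an absent Schannel key depends on the OS version (newer releases enable TLS 1.2 by default, older ones do not), so the script reports the values rather than deciding for you.

```powershell
# Added example: TLS 1.2 readiness checks for a Windows host that talks to the
# Application Proxy service. Host name below is a placeholder.

# 1. Probe an endpoint with TLS 1.2 as the only allowed protocol. A failure means
#    either the peer or this host's Schannel configuration cannot negotiate it.
function Test-Tls12Endpoint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = $null
    try {
        $tcp = [Net.Sockets.TcpClient]::new($HostName, $Port)
        $ssl = [Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{ Host = $HostName; Result = $ssl.SslProtocol; Detail = $ssl.CipherAlgorithm }
    } catch {
        [pscustomobject]@{ Host = $HostName; Result = 'failed'; Detail = $_.Exception.Message }
    } finally {
        if ($tcp) { $tcp.Close() }
    }
}
Test-Tls12Endpoint 'app1-contoso.msappproxy.net'   # placeholder external URL of a published app

# 2. Schannel client setting for TLS 1.2 on this host. Enabled=1 and
#    DisabledByDefault=0 are the values that turn it on explicitly.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $schannelKey -ErrorAction SilentlyContinue
$enabled  = 'key absent (OS default applies)'
$disabled = $enabled
if ($tls) { $enabled = $tls.Enabled; $disabled = $tls.DisabledByDefault }
[pscustomobject]@{ Setting = 'Schannel TLS 1.2 client'; Enabled = $enabled; DisabledByDefault = $disabled }

# 3. .NET Framework applications (the connector among them) follow SchUseStrongCrypto;
#    both the 64-bit and the Wow6432Node key matter on a 64-bit host.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($null -eq $v) { $v = 'not set' }
    [pscustomobject]@{ Setting = "$k SchUseStrongCrypto"; Value = $v }
}
```

Run the probe from the same network position as your users, not only from the connector host: a proxy or TLS-inspecting appliance between the browser and the service can downgrade the handshake even when both endpoints support TLS 1.2.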


Plan for change: Design updates are coming for the Add from the gallery area

Type: Plan for change
Service category: Enterprise Apps
Product capability: SSO

New user interface changes are coming to the design of the Add from the gallery area of the Add an application blade. These changes will help you more easily find your apps that support automatic provisioning, OpenID Connect, Security Assertion Markup Language (SAML), and Password single sign-on (SSO).


Plan for change: Removal of the MFA server IP address from the Office 365 IP address

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

We're removing the MFA server IP address from the Office 365 IP Address and URL Web service. If you currently rely on these pages to update your firewall settings, you must make sure you're also including the list of IP addresses documented in the Azure Multi-Factor Authentication Server firewall requirements section of the Getting started with the Azure Multi-Factor Authentication Server article.


App-only tokens now require the client app to exist in the resource tenant

Type: Fixed
Service category: Authentications (Logins)
Product capability: User Authentication

On July 26, 2019, we changed how we provide app-only tokens through the client credentials grant. Previously, apps could get tokens to call other apps, regardless of whether the client app was in the tenant. We've updated this behavior so single-tenant resources, sometimes called Web APIs, can only be called by client apps that exist in the resource tenant.

If your app isn't located in the resource tenant, you'll get an error message that says, The service principal named <app_name> was not found in the tenant named <tenant_name>. This can happen if the application has not been installed by the administrator of the tenant. To fix this problem, create the client app's service principal in the resource tenant, either through the admin consent endpoint or through PowerShell; this is what records that the tenant has allowed the app to operate within it.

For more information, see What's new for authentication?.

Note

Consent between the client and the API is still not required. Apps should still be doing their own authorization checks.
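
The following is an added example, not from the page or from Microsoft. It walks the fix this section describes and the authorization check the note asks for: confirm that the client app has a service principal in the resource tenant (creating one with the AzureAD module if it is missing, and printing the admin consent URL, which is what actually grants application permissions), acquire an app-only token with the client credentials grant, and read the roles claim before calling the API. Application permissions such as the AccessReview.ReadWrite.Membership permission described earlier on this page appear in that claim, so this is also how the unattended access-review automation from that section should verify the permission was granted. Tenant name, app id and secret are placeholders; the decode helper reads claims only and does not validate the signature, which the resource API must still do.

```powershell
# Added example: service principal presence, app-only token, and a roles-claim
# check. Tenant, app id and secret are placeholders.
Import-Module AzureAD
$resourceTenant = 'contoso.example'
$clientAppId    = '00000000-0000-0000-0000-000000000000'
$clientSecret   = Read-Host -Prompt 'Client secret' -AsSecureString

Connect-AzureAD -TenantId $resourceTenant | Out-Null

# 1. Does the client app exist in this tenant as a service principal?
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$clientAppId'"
if (-not $sp) {
    # Creating the service principal makes the app present in the tenant; it does
    # not grant any application permissions. Admin consent does that:
    Write-Warning "Grant application permissions at https://login.microsoftonline.com/$resourceTenant/adminconsent?client_id=$clientAppId"
    $sp = New-AzureADServicePrincipal -AppId $clientAppId
}

# 2. Client credentials grant against the v2.0 token endpoint.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($clientSecret)
try { $plainSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$resourceTenant/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientAppId
        client_secret = $plainSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

# 3. Decode the JWT payload (base64url). This inspects claims only; it does not
#    check the signature, which the resource API must do before trusting them.
function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload $token.access_token

# Application permissions granted by admin consent appear in the roles claim.
# Check for the exact permission the call needs instead of assuming consent.
$required = 'AccessReview.ReadWrite.Membership'
if ($claims.roles -notcontains $required) {
    throw "Token for tenant $($claims.tid) lacks $required; admin consent has not been granted."
}
"Token issued to app $($claims.appid) in tenant $($claims.tid) with roles: $($claims.roles -join ', ')"
```

On the receiving side the same claim is the authorization input: an app-only token with an empty roles claim is still a valid token for the API, so a web API that only validates signature, audience and issuer will accept a caller that was never granted anything.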


New passwordless sign-in to Azure AD using FIDO2 security keys

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD customers can now set policies to manage FIDO2 security keys for their organization's users and groups. End users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on web sites while on FIDO-capable devices, as well as sign-in to their Azure AD-joined Windows 10 devices.

For more information, see Enable passwordless sign in for Azure AD (preview) for administrator-related information, and Set up security info to use a security key (Preview) for end-user-related information.


New Federated Apps available in Azure AD app gallery - July 2019

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2019, we added these 18 new apps with Federation support to the app gallery:

Ungerboeck Software, Bright Pattern Omnichannel Contact Center, Clever Nelly, AcquireIO, Looop, productboard, MS Azure SSO Access for Ethidex Compliance Office™, Hype, Abstract, Ascentis, Flipsnack, Wandera, TwineSocial, Kallidus, HyperAnna, PharmID WasteWitness, i2B Connect, JFrog Artifactory

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Automate user account provisioning for these newly supported SaaS apps

Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD


New Azure AD Domain Services service tag for Network Security Group

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

If you're tired of managing long lists of IP addresses and ranges, you can use the new AzureActiveDirectoryDomainServices network service tag in your Azure network security group to help secure inbound traffic to your Azure AD Domain Services virtual network subnet.

For more information about this new service tag, see Network Security Groups for Azure AD Domain Services.
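
As an added example (not from the page or from Microsoft), here is the service tag applied with the Az.Network module: it adds inbound allow rules sourced from the AzureActiveDirectoryDomainServices tag on the NSG protecting the Azure AD DS subnet, saves the NSG, and then lists any remaining inbound allow rules for the same ports that come from literal address ranges or from the Internet, since those are the ones the tag is meant to replace. Resource names and priorities are placeholders; the ports are the ones the Azure AD DS network security group article lists for the service's management traffic (TCP 443 for synchronization with Azure AD, TCP 5986 for PowerShell remoting), and should be verified against that article for your deployment.

```powershell
# Added example: use the AzureActiveDirectoryDomainServices service tag instead of
# IP ranges on the Azure AD DS subnet NSG. Resource names are placeholders.
Import-Module Az.Network
$nsg = Get-AzNetworkSecurityGroup -Name 'aadds-nsg' -ResourceGroupName 'aadds-rg'

# Management traffic from the Azure AD DS service, as listed in the NSG article.
$managementRules = @(
    @{ Name = 'AllowSyncWithAzureAD'; Port = '443';  Priority = 101 }
    @{ Name = 'AllowPSRemoting';      Port = '5986'; Priority = 201 }
)
foreach ($r in $managementRules) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $r.Name -Priority $r.Priority `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix 'AzureActiveDirectoryDomainServices' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $r.Port | Out-Null
}
$nsg = $nsg | Set-AzNetworkSecurityGroup

# Caveat: rules that still allow the same ports from literal IP ranges, 'Internet'
# or '*' are now redundant and widen the attack surface; list them for removal.
$nsg.SecurityRules |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        $_.SourceAddressPrefix -notcontains 'AzureActiveDirectoryDomainServices' -and
        ($_.DestinationPortRange -contains '443' -or $_.DestinationPortRange -contains '5986')
    } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange
```

Add-AzNetworkSecurityRuleConfig fails if a rule with the same name already exists, which is the safe behaviour here: review the existing rule rather than overwriting it blindly.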


New Security Audits for Azure AD Domain Services (Public Preview)

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hub, using the Azure AD Domain Service portal.

For more information, see Enable Security Audits for Azure AD Domain Services (Preview).


New Authentication methods usage & insights (Public Preview)

Type: New feature
Service category: Self Service Password Reset
Product capability: Monitoring & Reporting

The new Authentication methods usage & insights reports can help you to understand how features like Azure Multi-Factor Authentication and self-service password reset are being registered and used in your organization, including the number of registered users for each feature, how often self-service password reset is used to reset passwords, and by which method the reset happens.

For more information, see Authentication methods usage & insights (preview).


New security reports are available for all Azure AD administrators (Public Preview)

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

All Azure AD administrators can now select the banner at the top of existing security reports, such as the Users flagged for risk report, to start using the new security experience as shown in the Risky users and the Risky sign-ins reports. Over time, all of the security reports will move from the older versions to the new versions, with the new reports providing you the following additional capabilities:

  • Advanced filtering and sorting

  • Bulk actions, such as dismissing user risk

  • Confirmation of compromised or safe entities

  • Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised

For more information, see Risky users report and Risky sign-ins report.


New B2B direct federation using SAML/WS-Fed (Public Preview)

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Direct federation helps to make it easier for you to work with partners whose IT-managed identity solution is not Azure AD, by working with identity systems that support the SAML or WS-Fed standards. After you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account, making the user experience for your guests more seamless.

For more information, see Direct federation with AD FS and third-party providers for guest users (preview).


New check for duplicate group names in the Azure AD portal

Type: New feature
Service category: Group Management
Product capability: Collaboration

Now, when you create or update a group name from the Azure AD portal, we check whether the name duplicates an existing group name in your tenant. If the name is already in use by another group, you'll be asked to modify your name.

For more information, see Manage groups in the Azure AD portal.
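
The duplicate-name check above is done by the portal; the AzureAD cmdlets do not perform it, and the directory itself allows two groups with the same display name. As an added example (not from the page or from Microsoft), the following creates a dynamic security group from PowerShell with a rule of the kind the rule-builder section earlier on this page describes (five expressions rather than one), after first refusing to create a second group with the same display name. Group name, mail nickname and attribute values are placeholders.

```powershell
# Added example: dynamic group with a multi-expression rule, created only if no
# group with the same display name exists. Names and values are placeholders.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$displayName = 'Finance - Full-time employees (US)'

# Duplicate display names are legal in the directory; two look-alike groups are a
# classic way for an access assignment to land on the wrong set of users.
$existing = Get-AzureADMSGroup -Filter "displayName eq '$displayName'"
if ($existing) {
    throw "A group named '$displayName' already exists (id $($existing.Id -join ', '))."
}

# Five expressions. userType -eq "Member" keeps guests out of a group that grants
# access, and accountEnabled -eq true drops disabled accounts from it.
$rule = '(user.department -eq "Finance") and (user.country -eq "US") and ' +
        '(user.employeeId -ne null) and (user.accountEnabled -eq true) and ' +
        '(user.userType -eq "Member")'

$group = New-AzureADMSGroup -DisplayName $displayName -MailEnabled $false `
    -MailNickname 'finance-fte-us' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Tighten the rule later without recreating the group (and losing its assignments).
Set-AzureADMSGroup -Id $group.Id -MembershipRule ($rule + ' and (user.jobTitle -ne "Contractor")')
```

Membership is recalculated asynchronously after a rule change, so check the group's member list a few minutes later before wiring it into a Conditional Access policy or app assignment.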


Azure AD now supports static query parameters in reply (redirect) URIs

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD apps can now register and use reply (redirect) URIs with static query parameters (for example, https://contoso.com/oauth2?idp=microsoft) for OAuth 2.0 requests. The static query parameter is subject to string matching for reply URIs, just like any other part of the reply URI. If there's no registered string that matches the URL-decoded redirect-uri, the request is rejected. If the reply URI is found, the entire string is used to redirect the user, including the static query parameter.

Dynamic reply URIs are still forbidden because they represent a security risk and can't be used to retain state information across an authentication request. For this purpose, use the state parameter.

Currently, the app registration screens of the Azure portal still block query parameters. However, you can manually edit the app manifest to add and test query parameters in your app. For more information, see What's new for authentication?.
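
To make the matching rule concrete, here is an added example (not from the page or from Microsoft) that reproduces the check the section describes, so you can exercise a set of registered reply URIs against the redirect_uri values your app actually sends: decode the incoming value once, then require an exact match of the whole string, query included. Azure AD performs the real validation; the URIs and the assumption that the comparison is case-sensitive (the strict reading of "string matching") are mine.

```powershell
# Added example: exact-match validation of redirect_uri against registered reply
# URIs, including a static query parameter. URIs below are made up.
$registeredReplyUrls = @(
    'https://contoso.example/oauth2?idp=microsoft',
    'https://contoso.example/signin-oidc'
)

function Test-ReplyUri {
    param([string[]]$Registered, [string]$RequestedRedirectUri)
    # The redirect_uri arrives percent-encoded inside the authorize request;
    # decode once, then compare the whole string, query included.
    $decoded = [Uri]::UnescapeDataString($RequestedRedirectUri)
    # Exact match only: no prefix match, no tolerance for extra query parameters.
    # Assumption: compared case-sensitively (-ccontains).
    return [bool]($Registered -ccontains $decoded)
}

$cases = @(
    'https%3A%2F%2Fcontoso.example%2Foauth2%3Fidp%3Dmicrosoft'     # registered, encoded: accepted
    'https://contoso.example/oauth2?idp=microsoft'                   # registered, literal: accepted
    'https://contoso.example/oauth2?idp=microsoft&returnTo=/admin'   # dynamic extra parameter: rejected
    'https://contoso.example/oauth2'                                 # static parameter missing: rejected
    'https://contoso.example/oauth2?idp=microsoft.evil.example'      # superstring of a registered URI: rejected
)
foreach ($c in $cases) {
    [pscustomobject]@{ RedirectUri = $c; Accepted = (Test-ReplyUri $registeredReplyUrls $c) }
}

# Per-request data such as a return path belongs in state, not in redirect_uri.
# Use an unguessable value, store the return path against it server-side, and
# compare it on the way back; that is also the CSRF binding for the flow.
$state = [Guid]::NewGuid().ToString('N')
```

The third and fifth cases are the ones that matter: a prefix or "starts with" comparison would accept both, and either one is enough to send an authorization code to a page the attacker controls.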


Activity logs (MS Graph APIs) for Azure AD are now available through PowerShell Cmdlets

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're excited to announce that Azure AD activity logs (Audit and Sign-ins reports) are now available through the Azure AD PowerShell module. Previously, you could create your own scripts using MS Graph API endpoints, and now we've extended that capability to PowerShell cmdlets.

For more information about how to use these cmdlets, see Azure AD PowerShell cmdlets for reporting.
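
As an added example (not from the page or from Microsoft), here is one thing the sign-in log cmdlet is good for beyond ad-hoc lookup: pulling the last day of sign-ins and looking for a single source address failing against many distinct accounts, the shape of a password spray, and then checking whether that same address ever succeeded. The property names follow the Microsoft Graph signIn resource the cmdlet wraps; the thresholds are assumptions to tune for your tenant.

```powershell
# Added example: password-spray triage over yesterday's sign-ins with the
# AzureADPreview reporting cmdlets. Thresholds are assumptions.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-AzureADAuditSignInLogs -All $true -Filter "createdDateTime ge $since"

# Status.ErrorCode 0 is success; anything else is a failure (bad password, locked
# account, blocked by policy, and so on). Group failures by source address.
$failures = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }
$suspect  = $failures | Group-Object IpAddress | ForEach-Object {
    $users = @($_.Group | Select-Object -ExpandProperty UserPrincipalName -Unique)
    $codes = $_.Group | Group-Object { $_.Status.ErrorCode } |
             ForEach-Object { "$($_.Name)x$($_.Count)" }
    [pscustomobject]@{
        IpAddress     = $_.Name
        Failures      = $_.Count
        DistinctUsers = $users.Count
        ErrorCodes    = ($codes -join ' ')
    }
} | Where-Object { $_.DistinctUsers -ge 10 } | Sort-Object DistinctUsers -Descending

$suspect | Format-Table -AutoSize

# Did any of those addresses also succeed? A success after a burst of failures
# from the same source is the event to act on first (reset, revoke sessions).
$signIns |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $suspect.IpAddress -contains $_.IpAddress } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName
```

Many failures spread thinly across accounts with only one or two attempts each is exactly what keeps a spray under per-account lockout thresholds, which is why this groups by source address first and by user only within that group.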


Updated filter controls for Audit and Sign-in logs in Azure AD

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We've updated the Audit and Sign-in log reports so you can now apply various filters without having to add them as columns on the report screens. Additionally, you can now decide how many filters you want to show on the screen. These updates all work together to make your reports easier to read and more scoped to your needs.

For more information about these updates, see Filter audit logs and Filter sign-in activities.