What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL: https://docs.microsoft.com/api/search/rss?search=%22release+notes+for+azure+AD%22&locale=en-us into your RSS feed reader.

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items that are older than six months, you can find them in the Archive for What's new in Azure Active Directory.


April 2020

Combined security info registration experience is now generally available

Type: New feature

Service category: Authentications (Logins)

Product capability: Identity Security & Protection

The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) is now generally available. This new registration experience enables users to register for MFA and SSPR in a single, step-by-step process. When you deploy the new experience for your organization, users can register in less time and with fewer hassles. Check out the blog post here.


Continuous Access Evaluation

Type: New feature

Service category: Authentications (Logins)

Product capability: Identity Security & Protection

Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). We are rolling this feature out first for Teams and Outlook clients. For more details, please read our blog and documentation.


SMS Sign-in: Firstline Workers can sign in to Azure AD-backed applications with their phone number and no password

Type: New feature

Service category: Authentications (Logins)

Product capability: User Authentication

Office is launching a series of mobile-first business apps that cater to non-traditional organizations, and to employees in large organizations that don’t use email as their primary communication method. These apps target frontline employees, deskless workers, field agents, or retail employees that may not get an email address from their employer, have access to a computer, or to IT. This project will let these employees sign in to business applications by entering a phone number and roundtripping a code. For more details, please see our admin documentation and end user documentation.


Invite internal users to use B2B collaboration

Type: New feature

Service category: B2B

Product capability:

We're expanding B2B invitation capability to allow existing internal accounts to be invited to use B2B collaboration credentials going forward. This is done by passing the user object to the Invite API in addition to typical parameters like the invited email address. The user's object ID, UPN, group membership, app assignment, etc. remain intact, but going forward they'll use B2B to authenticate with their home tenant credentials rather than the internal credentials they used before the invitation. For details, see the documentation.


Report-only mode for Conditional Access is now generally available

Type: New feature

Service category: Conditional Access

Product capability: Identity Security & Protection

Report-only mode for Azure AD Conditional Access lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we’ve seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they’re created. And for those of you who use the MS Graph APIs, you can also manage report-only policies programmatically.


Conditional Access insights and reporting workbook is generally available

Type: New feature

Service category: Conditional Access

Product capability: Identity Security & Protection

The Conditional Access insights and reporting workbook gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes following these instructions. To make the dashboard more discoverable, we’ve moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.


Policy details blade for Conditional Access is in public preview

Type: New feature

Service category: Conditional Access

Product capability: Identity Security & Protection

The new policy details blade displays which assignments, conditions, and controls were satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.


Type: New feature

Service category: Enterprise Apps

Product capability: 3rd Party Integration

In April 2020, we've added these 31 new apps with Federation support to the app gallery:

SincroPool Apps, SmartDB, Float, LMS365, IWT Procurement Suite, Lunni, EasySSO for Jira, Virtual Training Academy, Meraki Dashboard, Office 365 Mover, Speaker Engage, Honestly, Ally, DutyFlow, AlertMedia, gr8 People, Pendo, HighGround, Harmony, Timetabling Solutions, SynchroNet CLICK, empower, Fortes Change Cloud, Litmus, GroupTalk, Frontify, MongoDB Cloud, TickitLMS Learn, COCO, Nitro Productivity Suite, Trend Micro Web Security (TMWS)

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Microsoft Graph delta query support for oAuth2PermissionGrant available for Public Preview

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

Delta query for oAuth2PermissionGrant is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. Learn more.


Microsoft Graph delta query support for organizational contact generally available

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

Delta query for organizational contacts is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls orgContact data by delta query to significantly improve performance. Learn more.


Microsoft Graph delta query support for application generally available

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

Delta query for applications is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls application data by delta query to significantly improve performance. Learn more.


Microsoft Graph delta query support for administrative units available for Public Preview

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

Delta query for administrative units is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. Learn more.
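The four delta-query announcements above (oAuth2PermissionGrant, organizational contacts, applications, administrative units) all rely on the same loop, shown here as an added example that is not Microsoft's code: page through `@odata.nextLink`, persist the `@odata.deltaLink`, and feed it back on the next round so only changed or removed objects come back. `fetch` is a hypothetical callable standing in for an authenticated HTTP GET that returns parsed JSON, and `FAKE_PAGES` is constructed sample data so the block runs offline; the same code applies to each resource's `/delta` endpoint.

```python
"""Added example (not Microsoft's code): consuming a Microsoft Graph delta query
instead of polling. `fetch` is a hypothetical callable (an authenticated GET that
returns parsed JSON); FAKE_PAGES is constructed sample data so it runs offline."""
from typing import Any, Callable, Dict, List, Tuple

Json = Dict[str, Any]
INITIAL_URL = "https://graph.microsoft.com/v1.0/applications/delta"


def apply_delta(fetch: Callable[[str], Json], url: str,
                state: Dict[str, Json]) -> Tuple[str, List[Tuple[str, str]]]:
    """Run one delta round: follow every @odata.nextLink, stop at @odata.deltaLink.
    Persist the returned deltaLink and pass it as `url` next time; the service
    then returns only objects changed since that point. `state` maps object id
    to last known properties; the change log lists (action, id) tuples."""
    changes: List[Tuple[str, str]] = []
    while True:
        page = fetch(url)
        for obj in page.get("value", []):
            oid = obj["id"]
            if "@removed" in obj:                     # tombstone for a deleted object
                if state.pop(oid, None) is not None:
                    changes.append(("removed", oid))
                continue
            props = {k: v for k, v in obj.items() if not k.startswith("@")}
            action = "updated" if oid in state else "added"
            state.setdefault(oid, {}).update(props)   # delta carries changed props only
            changes.append((action, oid))
        if "@odata.nextLink" in page:                 # more pages in this round
            url = page["@odata.nextLink"]
        elif "@odata.deltaLink" in page:              # round complete
            return page["@odata.deltaLink"], changes
        else:
            raise ValueError("delta page has neither nextLink nor deltaLink")


# Constructed sample responses keyed by URL (not real Graph output).
FAKE_PAGES: Dict[str, Json] = {
    INITIAL_URL: {
        "value": [{"id": "app-1", "displayName": "Payroll"},
                  {"id": "app-2", "displayName": "Intranet"}],
        "@odata.nextLink": INITIAL_URL + "?$skiptoken=page2",
    },
    INITIAL_URL + "?$skiptoken=page2": {
        "value": [{"id": "app-3", "displayName": "CRM"}],
        "@odata.deltaLink": INITIAL_URL + "?$deltatoken=round1",
    },
    INITIAL_URL + "?$deltatoken=round1": {
        "value": [{"id": "app-2", "@removed": {"reason": "deleted"}},
                  {"id": "app-1", "displayName": "Payroll v2"}],
        "@odata.deltaLink": INITIAL_URL + "?$deltatoken=round2",
    },
    INITIAL_URL + "?$deltatoken=round2": {        # nothing changed since round 1
        "value": [],
        "@odata.deltaLink": INITIAL_URL + "?$deltatoken=round3",
    },
}


def fake_fetch(url: str) -> Json:
    """Offline stand-in for the authenticated GET against Microsoft Graph."""
    return FAKE_PAGES[url]


def run_demo(fetch: Callable[[str], Json] = fake_fetch):
    """Initial full sync, then two incremental rounds driven by stored deltaLinks.
    Returns the final state and the change log of each round."""
    state: Dict[str, Json] = {}
    link, first = apply_delta(fetch, INITIAL_URL, state)
    link, second = apply_delta(fetch, link, state)
    link, third = apply_delta(fetch, link, state)
    return state, first, second, third


if __name__ == "__main__":
    final_state, *rounds = run_demo()
    for n, changes in enumerate(rounds, 1):
        print(f"round {n}: {changes}")
    print(final_state)
```

The change log from each round is what an audit or detection pipeline would consume, for example to flag newly registered applications without re-reading the whole collection.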


Manage authentication phone numbers and more in new Microsoft Graph beta APIs

Type: New feature

Service category: MS Graph

Product capability: Developer Experience

These APIs are a key tool for managing your users’ authentication methods. Now you can programmatically pre-register and manage the authenticators used for MFA and self-service password reset (SSPR). This has been one of the most-requested features in the Azure MFA, SSPR, and Microsoft Graph spaces. The new APIs we’ve released in this wave give you the ability to:

  • Read, add, update, and remove a user’s authentication phones
  • Reset a user’s password
  • Turn on and off SMS-sign-in

For more information, see Azure AD authentication methods API overview.


Administrative Units Public Preview

Type: New feature

Service category: RBAC

Product capability: Access Control

Administrative units allow you to grant admin permissions that are restricted to a department, region, or other segment of your organization that you define. You can use administrative units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their administrative unit.

Using administrative units, a central administrator could:

  • Create an administrative unit for decentralized management of resources
  • Assign a role with administrative permissions over only Azure AD users in an administrative unit
  • Populate the administrative units with users and groups as needed

For more information, see Administrative units management in Azure Active Directory (preview).


Printer Administrator and Printer Technician built-in roles

Type: New feature

Service category: RBAC

Product capability: Access Control

Printer Administrator: Users with this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.

Printer Technician: Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician cannot do are set user permissions on printers and sharing printers. Learn more.


Hybrid Identity Admin built-in role

Type: New feature

Service category: RBAC

Product capability: Access Control

Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods—Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider)—and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents. This role grants the ability to enable Seamless Single Sign-On (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. Learn more.


Network Administrator built-in role

Type: New feature

Service category: RBAC

Product capability: Access Control

Users with this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Office 365 relies on careful enterprise customer network perimeter architecture, which is generally user location-specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. Learn more.


Bulk activity and downloads in the Azure AD admin portal experience

Type: New feature

Service category: User Management

Product capability: Directory

Now you can perform bulk activities on users and groups in Azure AD by uploading a CSV file in the Azure AD admin portal experience. You can create users, delete users, and invite guest users. And you can add and remove members from a group.

You can also download lists of Azure AD resources from the Azure AD admin portal experience. You can download the list of users in the directory, the list of groups in the directory, and the members of a particular group.

For more information, check out the following:


My Staff delegated user management

Type: New feature

Service category: User Management

Product capability:

My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who can’t access their account can re-gain access in just a couple of clicks, with no helpdesk or IT staff required. For more information, see the Manage your users with My Staff (preview) and Delegate user management with My Staff (preview).


An upgraded end user experience in access reviews

Type: Changed feature

Service category: Access Reviews

Product capability: Identity Governance

We have updated the reviewer experience for Azure AD access reviews in the My Apps portal. At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Please note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive. You can learn more about the updated experience here. This public preview will last until the end of July 2020. At the end of July, reviewers who have not opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, please make a request here.


Workday inbound user provisioning and writeback apps now support the latest versions of Workday Web Services API

Type: Changed feature

Service category: App Provisioning

Product capability:

Based on customer feedback, we have now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services (WWS) API. With this change, customers can specify the WWS API version that they would like to use in the connection string. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. The Workday Writeback app now uses the recommended Change_Work_Contact_Info Workday web service to overcome the limitations of Maintain_Contact_Info.

If no version is specified in the connection string, the Workday inbound provisioning apps will by default continue to use WWS v21.1. To switch to the latest Workday APIs for inbound user provisioning, customers need to update the connection string as documented in the tutorial and also update the XPATHs used for Workday attributes as documented in the Workday attribute reference guide.

To use the new API for writeback, there are no changes required in the Workday Writeback provisioning app. On the Workday side, ensure that the Workday Integration System User (ISU) account has permissions to invoke the Change_Work_Contact business process as documented in the tutorial section, Configure business process security policy permissions.

We have updated our tutorial guide to reflect the new API version support.


Users with default access role are now in scope for provisioning

Type: Changed feature

Service category: App Provisioning

Product capability: Identity Lifecycle Management

Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually we will change the behavior for existing provisioning configurations to support provisioning users with this role. Learn more.


Updated provisioning UI

Type: Changed feature

Service category: App Provisioning

Product capability: Identity Lifecycle Management

We've refreshed our provisioning experience to create a more focused management view. When you navigate to the provisioning blade for an enterprise application that has already been configured, you'll be able to easily monitor the progress of provisioning and manage actions such as starting, stopping, and restarting provisioning. Learn more.


Dynamic Group rule validation is now available for Public Preview

Type: Changed feature

Service category: Group Management

Product capability: Collaboration

Azure Active Directory (Azure AD) now provides the means to validate dynamic group rules. On the Validate rules tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When creating or updating dynamic group rules, administrators want to know whether a user or a device will be a member of the group. This helps evaluate whether a user or device meets the rule criteria and aids in troubleshooting when membership is not expected.

For more information, see Validate a dynamic group membership rule (preview).
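To show what validating a rule against sample members involves, here is an added toy evaluator for the dynamic membership rule syntax (example code, not Microsoft's implementation and not the service's actual engine). It supports `-eq`, `-ne`, `-in`, `-notIn`, `-contains`, `-notContains`, `-startsWith`, `-match`, `-and`, `-or`, `-not` and parentheses; the sample members are constructed, and string comparisons are case-insensitive here as an assumption of this toy, not a statement of the service's semantics.

```python
"""Added toy evaluator for Azure AD dynamic-group rules (not Microsoft's code).
Case-insensitive string comparison is an assumption of this toy."""
import re
from typing import Any, Dict, List, Tuple

_TOKEN = re.compile(r'\s*(?:(\()|(\))|("[^"]*")|(\[[^\]]*\])|(-[A-Za-z]+)|([A-Za-z][\w.]*)|(\d+))')
_KINDS = ("lp", "rp", "str", "list", "op", "ident", "num")


def tokenize(rule: str) -> List[Tuple[str, str]]:
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {rule[pos:pos + 10]!r}")
        tokens.append((_KINDS[m.lastindex - 1], m.group(m.lastindex)))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent with precedence: -or < -and < -not < comparison / ( ... )."""
    def __init__(self, tokens):
        self.t, self.i = tokens, 0

    def _op(self):                       # lower-cased operator at the cursor, or None
        k, v = self.t[self.i] if self.i < len(self.t) else (None, "")
        return v.lower() if k == "op" else None

    def _take(self, want=None):
        if self.i >= len(self.t):
            raise ValueError("unexpected end of rule")
        k, v = self.t[self.i]
        self.i += 1
        if want and k != want:
            raise ValueError(f"expected {want}, got {v!r}")
        return k, v

    def parse(self):
        node = self._or()
        if self.i != len(self.t):
            raise ValueError("trailing tokens in rule")
        return node

    def _or(self):
        node = self._and()
        while self._op() == "-or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._unary()
        while self._op() == "-and":
            self._take()
            node = ("and", node, self._unary())
        return node

    def _unary(self):
        if self._op() == "-not":
            self._take()
            return ("not", self._unary())
        k, v = self._take()
        if k == "lp":
            node = self._or()
            self._take("rp")
            return node
        if k != "ident":
            raise ValueError(f"expected property, got {v!r}")
        return ("cmp", v, self._take("op")[1].lower(), self._literal())

    def _literal(self):
        k, v = self._take()
        if k == "str":
            return v[1:-1]
        if k == "num":
            return int(v)
        if k == "list":                  # ["a","b"] -> ["a", "b"]
            return [s.strip()[1:-1] for s in v[1:-1].split(",") if s.strip()]
        if k == "ident" and v in ("true", "false", "null"):
            return {"true": True, "false": False, "null": None}[v]
        raise ValueError(f"bad literal {v!r}")


def _fold(v: Any) -> Any:
    return v.lower() if isinstance(v, str) else v


def _compare(op: str, actual: Any, lit: Any) -> bool:
    a = _fold(actual)
    if op in ("-eq", "-ne"):
        return (a == _fold(lit)) == (op == "-eq")
    if op in ("-in", "-notin"):
        return (a in [_fold(x) for x in lit]) == (op == "-in")
    if not isinstance(a, str):           # remaining operators need a string value
        return False
    if op in ("-contains", "-notcontains"):
        return (_fold(lit) in a) == (op == "-contains")
    if op == "-startswith":
        return a.startswith(_fold(lit))
    if op == "-match":                   # regex against the raw value
        return re.search(lit, actual, re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator {op}")


def evaluate(node: Tuple[Any, ...], member: Dict[str, Any]) -> bool:
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], member) and evaluate(node[2], member)
    if kind == "or":
        return evaluate(node[1], member) or evaluate(node[2], member)
    if kind == "not":
        return not evaluate(node[1], member)
    _, prop, op, lit = node
    prefix, _, name = prop.partition(".")    # user.department -> department
    if prefix not in ("user", "device"):
        raise ValueError(f"unknown object {prefix!r} in rule")
    return _compare(op, member.get(name), lit)


def validate_rule(rule: str, members: Dict[str, Dict[str, Any]]) -> Dict[str, bool]:
    """Map each sample member's name to whether the rule would include it."""
    tree = _Parser(tokenize(rule)).parse()
    return {name: bool(evaluate(tree, attrs)) for name, attrs in members.items()}


# Constructed sample rule and members: enabled Sales staff, excluding guests.
RULE = ('(user.department -eq "Sales") -and (user.accountEnabled -eq true) '
        '-and -not (user.userPrincipalName -contains "#EXT#")')
SAMPLE_MEMBERS = {
    "alice": {"department": "Sales", "accountEnabled": True, "userPrincipalName": "alice@contoso.example"},
    "bob": {"department": "sales", "accountEnabled": False, "userPrincipalName": "bob@contoso.example"},
    "guest": {"department": "Sales", "accountEnabled": True, "userPrincipalName": "g_fabrikam.example#EXT#@contoso.example"},
    "carol": {"department": None, "accountEnabled": True, "userPrincipalName": "carol@contoso.example"},
}
```

Running `validate_rule(RULE, SAMPLE_MEMBERS)` shows which constructed members the rule admits, the same question the Validate rules tab answers for real directory objects.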


Identity Secure Score - Security Defaults and MFA improvement action updates

Type: Changed feature

Service category: N/A

Product capability: Identity Security & Protection

Supporting security defaults for Azure AD improvement actions: Microsoft Secure Score will be updating improvement actions to support security defaults in Azure AD, which make it easier to help protect your organization with pre-configured security settings for common attacks. This will affect the following improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access
  • Require MFA for administrative roles
  • Enable policy to block legacy authentication

MFA improvement action updates: To reflect the need for businesses to ensure the utmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multi-factor authentication and added two.

Removed improvement actions:

  • Register all users for multi-factor authentication
  • Require MFA for all users
  • Require MFA for Azure AD privileged roles

Added improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access
  • Require MFA for administrative roles

These new improvement actions require registering your users or admins for multi-factor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for MFA. Read more about what's new in Microsoft Secure Score.


March 2020

Unmanaged Azure Active Directory accounts in B2B update for March, 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

Beginning on March 31, 2021, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure Active Directory (Azure AD) accounts and tenants for B2B collaboration scenarios. In preparation for this, we encourage you to opt in to email one-time passcode authentication.


Users with the default access role will be in scope for provisioning

Type: Plan for change
Service category: App Provisioning
Product capability: Identity Lifecycle Management

Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. We're working on deploying a change so that all new provisioning configurations will allow users with the default access role to be provisioned. Gradually, we'll change the behavior for existing provisioning configurations to support provisioning users with this role. No customer action is required. We'll post an update to our documentation once this change is in place.


Azure AD B2B collaboration will be available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

The Azure AD B2B collaboration capabilities will be made available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants, enabling users in an Azure China 21Vianet tenant to collaborate seamlessly with users in other Azure China 21Vianet tenants. Learn more about Azure AD B2B collaboration.


Azure AD B2B Collaboration invitation email redesign

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

The emails that are sent by the Azure AD B2B collaboration invitation service to invite users to the directory will be redesigned to make the invitation information and the user's next steps clearer.


HomeRealmDiscovery policy changes will appear in the audit logs

Type: Fixed
Service category: Audit
Product capability: Monitoring & Reporting

We fixed a bug where changes to the HomeRealmDiscovery policy were not included in the audit logs. You will now be able to see when and how the policy was changed, and by whom.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2020, we've added these 51 new apps with Federation support to the app gallery:

Cisco AnyConnect, Zoho One China, PlusPlus, Profit.co SAML App, iPoint Service Provider, contexxt.ai SPHERE, Wisdom By Invictus, Flare Digital Signage, Logz.io - Cloud Observability for Engineers, SpectrumU, BizzContact, Elqano SSO, MarketSignShare, CrossKnowledge Learning Suite, Netvision Compas, FCM HUB, RIB A/S Byggeweb Mobile, GoLinks, Datadog, Zscaler B2B User Portal, LIFT, Planview Enterprise One, WatchTeams, Aster, Skills Workflow, Node Insight, IP Platform, InVision, Pipedrive, Showcase Workshop, Greenlight Integration Platform, Greenlight Compliant Access Management, Grok Learning, Miradore Online, Khoros Care, AskYourTeam, TruNarrative, Smartwaiver, Bizagi Studio for Digital Process Automation, insuiteX, sybo, Britive, WhosOffice, E-days, Kollective SDN, Witivio, Playvox, Korn Ferry 360, Campus Café, Catchpoint, Code42

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Azure AD B2B Collaboration available in Azure Government tenants

Type: New feature
Service category: B2B
Product capability: B2B/B2C

The Azure AD B2B collaboration features are now available between some Azure Government tenants. To find out if your tenant is able to use these capabilities, follow the instructions at How can I tell if B2B collaboration is available in my Azure US Government tenant?.


Azure Monitor integration for Azure Logs is now available in Azure Government

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure Monitor integration with Azure AD logs is now available in Azure Government. You can route Azure AD Logs (Audit and Sign-in Logs) to a storage account, Event Hub and Log Analytics. Please check out the detailed documentation as well as deployment plans for reporting and monitoring for Azure AD scenarios.


Identity Protection Refresh in Azure Government

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We’re excited to share that we have now rolled out the refreshed Azure AD Identity Protection experience in the Microsoft Azure Government portal. For more information, see our announcement blog post.


Disaster recovery: Download and store your provisioning configuration

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

The Azure AD provisioning service provides a rich set of configuration capabilities. Customers need to be able to save their configuration so that they can refer to it later or roll back to a known good version. We've added the ability to download your provisioning configuration as a JSON file and upload it when you need it. Learn more.


SSPR (self-service password reset) now requires two gates for admins in Microsoft Azure operated by 21Vianet (Azure China 21Vianet)

Type: Changed feature
Service category: Self-Service Password Reset
Product capability: Identity Security & Protection

Previously in Microsoft Azure operated by 21Vianet (Azure China 21Vianet), admins using self-service password reset (SSPR) to reset their own passwords needed only one "gate" (challenge) to prove their identity. In public and other national clouds, admins generally must use two gates to prove their identity when using SSPR. But because we didn't support SMS or phone calls in Azure China 21Vianet, we allowed one-gate password reset by admins.

We're creating SSPR feature parity between Azure China 21Vianet and the public cloud. Going forward, admins must use two gates when using SSPR. SMS, phone calls, and Authenticator app notifications and codes will be supported. Learn more.


Password length is limited to 256 characters

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

To ensure the reliability of the Azure AD service, user passwords are now limited in length to 256 characters. Users with passwords longer than this will be asked to change their password on subsequent login, either by contacting their admin or by using the self-service password reset feature.

This change was enabled on March 13th, 2020, at 10AM PST (18:00 UTC), and the error is AADSTS 50052, InvalidPasswordExceedsMaxLength. See the breaking change notice for more details.


Azure AD sign-in logs are now available for all free tenants through the Azure portal

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

Starting now, customers who have free tenants can access the Azure AD sign-in logs from the Azure portal for up to 7 days. Previously, sign-in logs were available only for customers with Azure Active Directory Premium licenses. With this change, all tenants can access these logs through the portal.

Note

Customers still need a premium license (Azure Active Directory Premium P1 or P2) to access the sign-in logs through Microsoft Graph API and Azure Monitor.


Deprecation of Directory-wide groups option from Groups General Settings on Azure portal

Type: Deprecated
Service category: Group Management
Product capability: Collaboration

To provide a more flexible way for customers to create directory-wide groups that best meet their needs, we've replaced the Directory-wide Groups option from the Groups > General settings in the Azure portal with a link to dynamic group documentation. We've improved our documentation to include more instructions so administrators can create all-user groups that include or exclude guest users.


February 2020

Upcoming changes to custom controls

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

We're planning to replace the current custom controls preview with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences. Today, partner MFA solutions face the following limitations: they work only after a password has been entered; they don't serve as MFA for step-up authentication in other key scenarios; and they don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including registration, usage, MFA claims, step-up authentication, reporting, and logging.

Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We are working closely with customers and providers and will communicate the timeline as we get closer. Learn more.


Identity Secure Score - MFA improvement action updates

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

To reflect the need for businesses to ensure the utmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multi-factor authentication (MFA), and adding two.

The following improvement actions will be removed:

  • Register all users for MFA
  • Require MFA for all users
  • Require MFA for Azure AD privileged roles

The following improvement actions will be added:

  • Ensure all users can complete MFA for secure access
  • Require MFA for administrative roles

These new improvement actions will require registering your users or admins for MFA across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of setting security defaults that let Microsoft decide when to challenge users for MFA, or having multiple policies that apply scoped decisions. As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations. Read more about what's coming in Microsoft Secure Score.


Azure AD Domain Services SKU selection

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

We've heard feedback that Azure AD Domain Services customers want more flexibility in selecting performance levels for their instances. Starting on February 1, 2020, we switched from a dynamic model (where Azure AD determines the performance and pricing tier based on object count) to a self-selection model. Now customers can choose a performance tier that matches their environment. This change also allows us to enable new scenarios like Resource Forests, and Premium features like daily backups. The object count is now unlimited for all SKUs, but we'll continue to offer object count suggestions for each tier.

No immediate customer action is required. For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we will no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the Azure AD DS SKUs documentation and the Azure AD Domain Services pricing page.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2020, we've added these 31 new apps with Federation support to the app gallery:

IamIP Patent Platform, Experience Cloud, NS1 SSO For Azure, Barracuda Email Security Service, ABa Reporting, In Case of Crisis - Online Portal, BIC Cloud Design, Beekeeper Azure AD Data Connector, Korn Ferry Assessments, Verkada Command, Splashtop, Syxsense, EAB Navigate, New Relic (Limited Release), Thulium, Ticket Manager, Template Chooser for Teams, Beesy, Health Support System, MURAL, Hive, LavaDo, Wakelet, Firmex VDR, ThingLink for Teachers and Schools, Coda, NearpodApp, WEDO, InvitePeople, Reprints Desk - Article Galaxy, TeamViewer

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Azure AD support for FIDO2 security keys in hybrid environments

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're announcing the public preview of Azure AD support for FIDO2 security keys in Hybrid environments. Users can now use FIDO2 security keys to sign in to their Hybrid Azure AD joined Windows 10 devices and get seamless sign-on to their on-premises and cloud resources. Support for Hybrid environments has been the most-requested feature from our passwordless customers since we initially launched the public preview for FIDO2 support on Azure AD joined devices. Passwordless authentication using advanced technologies like biometrics and public/private key cryptography provides convenience and ease of use while remaining secure. With this public preview, you can now use modern authentication methods like FIDO2 security keys to access traditional Active Directory resources. For more information, go to SSO to on-premises resources.

To get started, visit enable FIDO2 security keys for your tenant for step-by-step instructions.


The new My Account experience is now generally available

Type: Changed feature
Service category: My Profile/Account
Product capability: End User Experiences

My Account, the one-stop shop for all end-user account management needs, is now generally available! End users can access this new site via URL, or in the header of the new My Apps experience. Learn more about all the self-service capabilities the new experience offers at My Account Portal Overview.


My Account site URL updating to myaccount.microsoft.com

Type: Changed feature
Service category: My Profile/Account
Product capability: End User Experiences

The new My Account end user experience will be updating its URL to https://myaccount.microsoft.com in the next month. Find more information about the experience and all the account self-service capabilities it offers to end users at My Account portal help.


January 2020

The new My Apps portal is now generally available

Type: Plan for change
Service category: My Apps
Product capability: End User Experiences

Upgrade your organization to the new My Apps portal that is now generally available! Find more information on the new portal and collections at Create collections on the My Apps portal.


Workspaces in Azure AD have been renamed to collections

Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

Workspaces, the filters admins can configure to organize their users' apps, will now be referred to as collections. Find more info on how to configure them at Create collections on the My Apps portal.


Azure AD B2C Phone sign-up and sign-in using custom policy (Public Preview)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies, phone sign-up and sign-in allows developers and enterprises to communicate their brand through page customization. Find out how to set up phone sign-up and sign-in with custom policies in Azure AD B2C.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2020, we've added these 33 new apps with Federation support to the app gallery:

JOSA, Fastly Edge Cloud, Terraform Enterprise, Spintr SSO, Abibot Netlogistik, SkyKick, Upshotly, LeaveBot, DataCamp, TripActions, SmartWork, Dotcom-Monitor, SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE, Hosted MyCirqa SSO, Yuhu Property Management Platform, LumApps, Upwork Enterprise, Talentsoft, SmartDB for Microsoft Teams, PressPage, ContractSafe Saml2 SSO, Maxient Conduct Manager Software, Helpshift, PortalTalk 365, CoreView, Squelch Cloud Office365 Connector, PingFlow Authentication, PrinterLogic SaaS, Taskize Connect, Sandwai, EZRentOut, AssetSonar, Akari Virtual Assistant

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Two new Identity Protection detections

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We've added two new sign-in-linked detection types to Identity Protection: Suspicious inbox manipulation rules and Impossible travel. These offline detections are discovered by Microsoft Cloud App Security (MCAS) and influence the user and sign-in risk in Identity Protection. For more information on these detections, see our sign-in risk types.


Breaking Change: URI Fragments will not be carried through the login redirect

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

Starting on February 8, 2020, when a request is sent to login.microsoftonline.com to sign in a user, the service will append an empty fragment to the request. This prevents a class of redirect attacks by ensuring that the browser wipes out any existing fragment in the request. No application should have a dependency on this behavior. For more information, see Breaking changes in the Microsoft identity platform documentation.


December 2019

Integrate SAP SuccessFactors provisioning into Azure AD and on-premises AD (Public Preview)

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

You can now integrate SAP SuccessFactors as an authoritative identity source in Azure AD. This integration helps you automate the end-to-end identity lifecycle, including using HR-based events, like new hires or terminations, to control provisioning of Azure AD accounts.

For more information about how to set up SAP SuccessFactors inbound provisioning to Azure AD, see the Configure SAP SuccessFactors automatic provisioning tutorial.


Support for customized emails in Azure AD B2C (Public Preview)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now use Azure AD B2C to create customized emails when your users sign up to use your apps. By using DisplayControls (currently in preview) and a third-party email provider (such as, SendGrid, SparkPost, or a custom REST API), you can use your own email template, From address, and subject text, as well as support localization and custom one-time password (OTP) settings.

For more information, see Custom email verification in Azure Active Directory B2C.


Replacement of baseline policies with security defaults

Type: Changed feature
Service category: Other
Product capability: Identity Security and Protection

As part of a secure-by-default model for authentication, we're removing the existing baseline protection policies from all tenants. This removal is targeted for completion at the end of February. The replacement for these baseline protection policies is security defaults. If you've been using baseline protection policies, you must plan to move to the new security defaults policy or to Conditional Access. If you haven't used these policies, there is no action for you to take.

For more information about the new security defaults, see What are security defaults? For more information about Conditional Access policies, see Common Conditional Access policies.


November 2019

Support for the SameSite attribute and Chrome 80

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the SameSite attribute. Any cookie that doesn't specify the SameSite attribute will be treated as though it were set to SameSite=Lax, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that your app may depend on. To maintain the older Chrome behavior, you can use the SameSite=None attribute and add the additional Secure attribute, so cross-site cookies can only be sent over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020.

We recommend all our developers test their apps using this guidance:

  • Set the default value for the Use Secure Cookie setting to Yes.

  • Set the default value for the SameSite attribute to None.

  • Add the additional Secure attribute alongside SameSite=None.

For more information, see Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core and Potential disruption to customer websites and Microsoft products and services in Chrome version 79 and later.
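The Chrome 80 rules above can be checked mechanically before a release. The following is an added example in JavaScript (my own code, not Microsoft's and not any library's API): it parses a Set-Cookie header, works out which SameSite mode Chrome 80 will apply, reports whether the cookie would still arrive on a cross-site top-level POST such as a federated sign-in response, and rewrites a legacy cookie into the SameSite=None; Secure form the guidance recommends. All function names are hypothetical.

```javascript
// Added example: Chrome 80 SameSite checker (hypothetical helper names).

// Parse a Set-Cookie header value into name, value and a map of attributes.
// Attribute keys are lower-cased for lookup; the original spelling is kept
// so the header can be rebuilt unchanged apart from what we edit.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const firstEq = parts[0].indexOf('=');
  const name = parts[0].slice(0, firstEq).trim();
  const value = parts[0].slice(firstEq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim();
    const val = eq === -1 ? true : part.slice(eq + 1).trim();
    attrs[key.toLowerCase()] = { key, value: val };
  }
  return { name, value, attrs };
}

// Effective SameSite mode under Chrome 80:
//  - no SameSite attribute      -> treated as Lax (the new default)
//  - SameSite=None without Secure -> the cookie is rejected outright
//  - otherwise the declared mode (unknown values fall back to Lax)
function effectiveSameSite(header) {
  const { attrs } = parseSetCookie(header);
  const declared = attrs.samesite && typeof attrs.samesite.value === 'string'
    ? attrs.samesite.value.toLowerCase()
    : undefined;
  const secure = Boolean(attrs.secure);
  if (declared === undefined) return 'Lax';
  if (declared === 'none') return secure ? 'None' : 'rejected';
  if (declared === 'strict') return 'Strict';
  return 'Lax';
}

// Would the cookie be attached to a cross-site top-level POST, e.g. a
// SAML or OpenID Connect form_post response returning from the identity
// provider? Only an effective SameSite=None cookie is.
function sentOnCrossSitePost(header) {
  return effectiveSameSite(header) === 'None';
}

// Rewrite a header into the recommended cross-site form: keep every other
// attribute, replace any SameSite value with None, and ensure Secure is set.
function hardenForCrossSite(header) {
  const { name, value, attrs } = parseSetCookie(header);
  const kept = Object.entries(attrs)
    .filter(([k]) => k !== 'samesite' && k !== 'secure')
    .map(([, a]) => (a.value === true ? a.key : `${a.key}=${a.value}`));
  return [`${name}=${value}`, ...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Constructed sample headers, as an app might emit them before the change.
const LEGACY_SESSION = 'session=abc123; Path=/; HttpOnly';
console.log(effectiveSameSite(LEGACY_SESSION));   // Lax
console.log(sentOnCrossSitePost(LEGACY_SESSION)); // false
console.log(hardenForCrossSite(LEGACY_SESSION));
```

Chrome 80 also ships a temporary "Lax + POST" exception that still sends a SameSite-less cookie on a cross-site POST for the first two minutes after it is set, so a sign-in flow can appear to work in testing and then break once the session is older; the checker above deliberately ignores that exception and reports the steady-state behavior.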


New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2)

Type: Fixed
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

A hotfix rollup package (build 4.6.34.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the "Issues fixed and improvements added in this update" section.

For more information and to download the hotfix package, see Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available.


New AD FS app activity report to help migrate apps to Azure AD (Public Preview)

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Use the new Active Directory Federation Services (AD FS) app activity report, in the Azure portal, to identify which of your apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration.

For more information, see Use the AD FS application activity report to migrate applications to Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: Access Control

The new admin consent workflow gives admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that's accessible from the Azure portal, to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action.

For more information, see Configure the admin consent workflow (preview).


New Azure AD App Registrations Token configuration experience for managing optional claims (Public Preview)

Type: New feature
Service category: Other
Product capability: Developer Experience

The new Azure AD App Registrations Token configuration blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations.

For more information, see Provide optional claims to your Azure AD app.


New two-stage approval workflow in Azure AD entitlement management (Public Preview)

Type: New feature
Service category: Other
Product capability: Entitlement Management

We've introduced a new two-stage approval workflow that allows you to require two approvers to approve a user's request for an access package. For example, you can set it so the requesting user's manager must approve first, and then also require a resource owner to approve. If either approver doesn't approve, access isn't granted.

For more information, see Change request and approval settings for an access package in Azure AD entitlement management.


Updates to the My Apps page along with new workspaces (Public Preview)

Type: New feature
Service category: My Apps
Product capability: 3rd Party Integration

You can now customize the way your organization's users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for your users to find and organize apps.

For more information about the new My Apps experience and creating workspaces, see Create workspaces on the My Apps portal.


Google social ID support for Azure AD B2B collaboration (General Availability)

Type: New feature
Service category: B2B
Product capability: User Authentication

New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for your users and partners. There's no longer a need for your partners to create and manage a new Microsoft-specific account. Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints.

For more information, see Add Google as an identity provider for B2B guest users.


Microsoft Edge Mobile Support for Conditional Access and Single Sign-on (General Availability)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Azure AD for Microsoft Edge on iOS and Android now supports Azure AD Single Sign-On and Conditional Access:

  • Microsoft Edge single sign-on (SSO): Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD-connected apps.

  • Microsoft Edge conditional access: Through application-based conditional access policies, your users must use Microsoft Intune-protected browsers, such as Microsoft Edge.

For more information about conditional access and SSO with Microsoft Edge, see the Microsoft Edge Mobile Support for Conditional Access and Single Sign-on Now Generally Available blog post. For more information about how to set up your client apps using app-based conditional access or device-based conditional access, see Manage web access using a Microsoft Intune policy-protected browser.


Azure AD entitlement management (General Availability)

Type: New feature
Service category: Other
Product capability: Entitlement Management

Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites.

With Azure AD entitlement management, you can more efficiently manage access both for employees and also for users outside your organization who need access to those resources.

For more information, see What is Azure AD entitlement management?


Automate user account provisioning for these newly supported SaaS apps

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

SAP Cloud Platform Identity Authentication Service, RingCentral, SpaceIQ, Miro, Cloudgate, Infor CloudSuite, OfficeSpace Software, Priority Matrix

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2019, we've added these 21 new apps with Federation support to the app gallery:

Airtable, Hootsuite, Blue Access for Members (BAM), Bitly, Riva, ResLife Portal, NegometrixPortal Single Sign On (SSO), TeamsChamp, Motus, MyAryaka, BlueMail, Beedle, Visma, OneDesk, Foko Retail, Qmarkets Idea & Innovation Management, Netskope User Authentication, uniFLOW Online, Claromentis, Jisc Student Voter Registration, e4enable

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

We've updated the Azure AD application gallery to make it easier for you to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on your Azure Active Directory tenant.

For more information, see Add an application to your Azure Active Directory tenant.


Increased app role definition length limit from 120 to 240 characters

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

We've heard from customers that the length limit for the app role definition value in some apps and services is too short at 120 characters. In response, we've increased the maximum length of the role value definition to 240 characters.

For more information about using application-specific role definitions, see Add app roles in your application and receive them in the token.