What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL: https://docs.microsoft.com/api/search/rss?search=%22release+notes+for+azure+AD%22&locale=en-us into your RSS feed reader.

Azure AD receives improvements on an ongoing basis. To stay up-to-date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items that are older than six months, you can find them in the Archive for What's new in Azure Active Directory.


July 2019

Plan for change: Application Proxy service update to support only TLS 1.2

Type: Plan for change
Service category: App Proxy
Product capability: Access Control

To help provide you with our strongest encryption, we're going to begin limiting Application Proxy service access to only TLS 1.2 protocols. This limitation will initially be rolled out to customers who are already using TLS 1.2 protocols, so you won't see any impact. Deprecation of the TLS 1.0 and TLS 1.1 protocols will be complete on August 31, 2019. Customers still using TLS 1.0 and TLS 1.1 will receive advance notice to prepare for this change.

To maintain the connection to the Application Proxy service throughout this change, we recommend that you make sure your client-server and browser-server combinations are updated to use TLS 1.2. We also recommend that you make sure to include any client systems used by your employees to access apps published through the Application Proxy service.

For more information, see Add an on-premises application for remote access through Application Proxy in Azure Active Directory.


Type: Plan for change
Service category: Enterprise Apps
Product capability: SSO

New user interface changes are coming to the design of the Add from the gallery area of the Add an application blade. These changes will help you more easily find your apps that support automatic provisioning, OpenID Connect, Security Assertion Markup Language (SAML), and Password single sign-on (SSO).


Plan for change: Removal of the MFA server IP address from the Office 365 IP address

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

We're removing the MFA server IP address from the Office 365 IP Address and URL Web service. If you currently rely on these pages to update your firewall settings, you must make sure you're also including the list of IP addresses documented in the Azure Multi-Factor Authentication Server firewall requirements section of the Getting started with the Azure Multi-Factor Authentication Server article.


App-only tokens now require the client app to exist in the resource tenant

Type: Fixed
Service category: Authentications (Logins)
Product capability: User Authentication

On July 26, 2019, we changed how we provide app-only tokens through the client credentials grant. Previously, apps could get tokens to call other apps, regardless of whether the client app was in the tenant. We've updated this behavior so single-tenant resources, sometimes called Web APIs, can only be called by client apps that exist in the resource tenant.

If your app isn't located in the resource tenant, you'll get an error message that says, "The service principal named <app_name> was not found in the tenant named <tenant_name>." This can happen if the application has not been installed by the administrator of the tenant. To fix this problem, you must create the client app service principal in the tenant, either through the admin consent endpoint or through PowerShell, which ensures your tenant has given the app permission to operate within the tenant.

For more information, see What's new for authentication?.

Note

As before, consent between the client and the API is still not required. Apps should still perform their own authorization checks.


New passwordless sign-in to Azure AD using FIDO2 security keys

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD customers can now set policies to manage FIDO2 security keys for their organization's users and groups. End users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on websites while on FIDO-capable devices, as well as sign in to their Azure AD-joined Windows 10 devices.

For more information, see Enable passwordless sign in for Azure AD (preview) for administrator-related information, and Set up security info to use a security key (Preview) for end-user-related information.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2019, we added these 18 new apps with Federation support to the app gallery:

Ungerboeck Software, Bright Pattern Omnichannel Contact Center, Clever Nelly, AcquireIO, Looop, productboard, MS Azure SSO Access for Ethidex Compliance Office™, Hype, Abstract, Ascentis, Flipsnack, Wandera, TwineSocial, Kallidus, HyperAnna, PharmID WasteWitness, i2B Connect, JFrog Artifactory

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Automate user account provisioning for these newly supported SaaS apps

Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


New Azure AD Domain Services service tag for Network Security Group

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

If you're tired of managing long lists of IP addresses and ranges, you can use the new AzureActiveDirectoryDomainServices network service tag in your Azure network security group to help secure inbound traffic to your Azure AD Domain Services virtual network subnet.

For more information about this new service tag, see Network Security Groups for Azure AD Domain Services.


New Security Audits for Azure AD Domain Services (Public Preview)

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hub, using the Azure AD Domain Service portal.

For more information, see Enable Security Audits for Azure AD Domain Services (Preview).


New Authentication methods usage & insights (Public Preview)

Type: New feature
Service category: Self Service Password Reset
Product capability: Monitoring & Reporting

The new Authentication methods usage & insights reports can help you to understand how features like Azure Multi-Factor Authentication and self-service password reset are being registered and used in your organization, including the number of registered users for each feature, how often self-service password reset is used to reset passwords, and by which method the reset happens.

For more information, see Authentication methods usage & insights (preview).


New security reports are available for all Azure AD administrators (Public Preview)

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

All Azure AD administrators can now select the banner at the top of existing security reports, such as the Users flagged for risk report, to start using the new security experience as shown in the Risky users and the Risky sign-ins reports. Over time, all of the security reports will move from the older versions to the new versions, with the new reports providing you with the following additional capabilities:

  • Advanced filtering and sorting

  • Bulk actions, such as dismissing user risk

  • Confirmation of compromised or safe entities

  • Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised

For more information, see Risky users report and Risky sign-ins report.


New B2B direct federation using SAML/WS-Fed (Public Preview)

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Direct federation makes it easier for you to work with partners whose IT-managed identity solution is not Azure AD, by federating with identity systems that support the SAML or WS-Fed standards. After you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account, making the sign-in experience for your guests more seamless.

For more information, see Direct federation with AD FS and third-party providers for guest users (preview).


New check for duplicate group names in the Azure AD portal

Type: New feature
Service category: Group Management
Product capability: Collaboration

Now, when you create or update a group name from the Azure AD portal, we'll check whether the name duplicates an existing group name in your tenant. If we determine that the name is already in use by another group, you'll be asked to modify your name.

For more information, see Manage groups in the Azure AD portal.


Azure AD now supports static query parameters in reply (redirect) URIs

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD apps can now register and use reply (redirect) URIs with static query parameters (for example, https://contoso.com/oauth2?idp=microsoft) for OAuth 2.0 requests. The static query parameter is subject to string matching for reply URIs, just like any other part of the reply URI. If there's no registered string that matches the URL-decoded redirect-uri, the request is rejected. If the reply URI is found, the entire string is used to redirect the user, including the static query parameter.

Dynamic reply URIs are still forbidden because they represent a security risk and can't be used to retain state information across an authentication request. For this purpose, use the state parameter.

Currently, the app registration screens of the Azure portal still block query parameters. However, you can manually edit the app manifest to add and test query parameters in your app. For more information, see What's new for authentication?.
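The matching rule and the state recommendation above, modelled as an added example (not Microsoft's code): `match_reply_uri` applies the exact, URL-decoded string comparison to a constructed set of registered reply URIs, and `AuthorizeFlow` keeps the reply URI static while carrying the per-request return path in `state`. The registered URIs, client ID and the v2.0 authorize endpoint are assumptions for the example.

```python
import secrets
from urllib.parse import unquote, urlencode

# Reply URIs as they would appear in the app manifest (constructed sample values).
# The static query parameter is part of the string that has to match exactly.
REGISTERED_REPLY_URIS = frozenset({
    "https://contoso.com/oauth2",
    "https://contoso.com/oauth2?idp=microsoft",
})

# Assumed v2.0 authorize endpoint; the announcement itself names no endpoint.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def match_reply_uri(redirect_uri, registered=REGISTERED_REPLY_URIS):
    """Model the rule described above: the URL-decoded redirect_uri must be
    equal, in full, to one registered string. Returns that string (all of
    it, query parameter included, is what the user is redirected to) or
    None when the request is rejected. Deliberately no prefix, host-only
    or "same parameters in a different order" matching."""
    decoded = unquote(redirect_uri)
    return decoded if decoded in registered else None


def is_local_path(path):
    """Only a path on our own site may be carried through state, so the
    value we later redirect to cannot become an open redirect."""
    return path.startswith("/") and not path.startswith("//")


class AuthorizeFlow:
    """Client side of the flow. The reply URI never varies; anything that
    does vary per request (here: where to send the user afterwards) is
    keyed by an unguessable state value held server-side."""

    def __init__(self, client_id, reply_uri):
        if reply_uri not in REGISTERED_REPLY_URIS:
            raise ValueError("reply URI must be one of the registered strings")
        self.client_id = client_id
        self.reply_uri = reply_uri
        self._pending = {}  # state -> return path; each entry is single use

    def build_request(self, return_to):
        """Return the authorization request URL for a user who should land
        on `return_to` once sign-in completes."""
        if not is_local_path(return_to):
            raise ValueError("return_to must be a local path")
        state = secrets.token_urlsafe(32)
        self._pending[state] = return_to
        query = urlencode({
            "client_id": self.client_id,
            "response_type": "code",
            "redirect_uri": self.reply_uri,  # sent encoded; decoded before matching
            "scope": "openid",
            "state": state,
        })
        return f"{AUTHORIZE_ENDPOINT}?{query}"

    def handle_callback(self, state):
        """Consume the state once and return the local path to continue to,
        or None for an unknown or replayed state (reject the response)."""
        return self._pending.pop(state, None)
```

A redirect_uri that appends an extra parameter to the registered string, or reorders the registered ones, is rejected, which is why anything request-specific has to travel in state instead.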


Activity logs (MS Graph APIs) for Azure AD are now available through PowerShell Cmdlets

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're excited to announce that Azure AD activity logs (Audit and Sign-ins reports) are now available through the Azure AD PowerShell module. Previously, you could create your own scripts using MS Graph API endpoints, and now we've extended that capability to PowerShell cmdlets.

For more information about how to use these cmdlets, see Azure AD PowerShell cmdlets for reporting.


Updated filter controls for Audit and Sign-in logs in Azure AD

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We've updated the Audit and Sign-in log reports so you can now apply various filters without having to add them as columns on the report screens. Additionally, you can now decide how many filters you want to show on the screen. These updates all work together to make your reports easier to read and more scoped to your needs.

For more information about these updates, see Filter audit logs and Filter sign-in activities.


June 2019

New riskDetections API for Microsoft Graph (Public preview)

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We're pleased to announce the new riskDetections API for Microsoft Graph is now in public preview. You can use this new API to view a list of your organization's Identity Protection-related user and sign-in risk detections. You can also use this API to more efficiently query your risk detections, including details about the detection type, status, level, and more.

For more information, see the Risk detection API reference documentation.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2019, we added these 22 new apps with Federation support to the app gallery:

Azure AD SAML Toolkit, Otsuka Shokai (大塚商会), ANAQUA, Azure VPN Client, ExpenseIn, Helper Helper, Costpoint, GlobalOne, Mercedes-Benz In-Car Office, Skore, Oracle Cloud Infrastructure Console, CyberArk SAML Authentication, Scrible Edu, PandaDoc, Perceptyx, Proptimise OS, Vtiger CRM (SAML), Oracle Access Manager for Oracle Retail Merchandising, Oracle Access Manager for Oracle E-Business Suite, Oracle IDCS for E-Business Suite, Oracle IDCS for PeopleSoft, Oracle IDCS for JD Edwards

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Automate user account provisioning for these newly supported SaaS apps

Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


View the real-time progress of the Azure AD provisioning service

Type: Changed feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

We've updated the Azure AD provisioning experience to include a new progress bar that shows you how far you are in the user provisioning process. This updated experience also provides information about the number of users provisioned during the current cycle, as well as how many users have been provisioned to date.

For more information, see Check the status of user provisioning.


Company branding now appears on sign out and error screens

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

We've updated Azure AD so that your company branding now appears on the sign out and error screens, as well as the sign-in page. You don't have to do anything to turn on this feature; Azure AD simply uses the assets you've already set up in the Company branding area of the Azure portal.

For more information about setting up your company branding, see Add branding to your organization's Azure Active Directory pages.


Azure Multi-Factor Authentication (MFA) Server is no longer available for new deployments

Type: Deprecated
Service category: MFA
Product capability: Identity Security & Protection

As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who want to require multi-factor authentication in their organization must now use cloud-based Azure Multi-Factor Authentication. Customers who activated MFA Server prior to July 1 won't see a change. You'll still be able to download the latest version, get future updates, and generate activation credentials.

For more information, see Getting started with the Azure Multi-Factor Authentication Server. For more information about cloud-based Azure Multi-Factor Authentication, see Planning a cloud-based Azure Multi-Factor Authentication deployment.


May 2019

Service change: Future support for only TLS 1.2 protocols on the Application Proxy service

Type: Plan for change
Service category: App Proxy
Product capability: Access Control

To help provide best-in-class encryption for our customers, we're limiting access to only TLS 1.2 protocols on the Application Proxy service. This change is gradually being rolled out to customers who are already only using TLS 1.2 protocols, so you shouldn't see any changes.

Deprecation of TLS 1.0 and TLS 1.1 happens on August 31, 2019, but we'll provide additional advance notice, so you'll have time to prepare for this change. To prepare, make sure your client-server and browser-server combinations, including any clients your users use to access apps published through Application Proxy, are updated to use the TLS 1.2 protocol so they can maintain their connection to the Application Proxy service. For more information, see Add an on-premises application for remote access through Application Proxy in Azure Active Directory.


Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting

You can now use the usage and insights report, located in the Enterprise applications area of the Azure portal, to get an application-centric view of your sign-in data, including info about:

  • Top used apps for your organization

  • Apps with the most failed sign-ins

  • Top sign-in errors for each app

For more information about this feature, see Usage and insights report in the Azure Active Directory portal.


Automate your user provisioning to cloud apps using Azure AD

Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting

Follow these new tutorials to use the Azure AD Provisioning Service to automate the creation, deletion, and updating of user accounts for the following cloud-based apps:

You can also follow this new Dropbox tutorial, which provides info about how to provision group objects.

For more information about how to better secure your organization through automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Identity secure score is now available in Azure AD (General availability)

Type: New feature
Service category: N/A
Product capability: Identity Security & Protection

You can now monitor and improve your identity security posture by using the identity secure score feature in Azure AD. The identity secure score feature uses a single dashboard to help you:

  • Objectively measure your identity security posture, based on a score between 1 and 223.

  • Plan for your identity security improvements

  • Review the success of your security improvements

For more information about the identity security score feature, see What is the identity secure score in Azure Active Directory?.


New App registrations experience is now available (General availability)

Type: New feature
Service category: Authentications (Logins)
Product capability: Developer Experience

The new App registrations experience is now in general availability. This new experience includes all the key features you’re familiar with from the Azure portal and the Application Registration portal and improves upon them through:

  • Better app management. Instead of seeing your apps across different portals, you can now see all your apps in one location.

  • Simplified app registration. From the improved navigation experience to the revamped permission selection experience, it’s now easier to register and manage your apps.

  • More detailed information. You can find more details about your app, including quickstart guides and more.

For more information, see Microsoft identity platform and the App registrations experience is now generally available! blog announcement.


New capabilities available in the Risky Users API for Identity Protection

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We're pleased to announce that you can now use the Risky Users API to retrieve users' risk history, dismiss risky users, and to confirm users as compromised. This change helps you to more efficiently update the risk status of your users and understand their risk history.

For more information, see the Risky Users API reference documentation.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2019, we added these 21 new apps with Federation support to the app gallery:

Freedcamp, Real Links, Kianda, Simple Sign, Braze, Displayr, Templafy, Marketo Sales Engage, ACLP, OutSystems, Meta4 Global HR, Quantum Workplace, Cobalt, webMethods API Cloud, RedFlag, Whatfix, Control, JOBHUB, NEOGOV, Foodee, MyVR

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Improved groups creation and management experiences in the Azure AD portal

Type: New feature
Service category: Group Management
Product capability: Collaboration

We've made improvements to the groups-related experiences in the Azure AD portal. These improvements allow administrators to better manage group lists and member lists, and provide additional creation options.

Improvements include:

  • Basic filtering by membership type and group type.

  • Addition of new columns, such as Source and Email address.

  • Ability to multi-select groups, members, and owner lists for easy deletion.

  • Ability to choose an email address and add owners during group creation.

For more information, see Create a basic group and add members using Azure Active Directory.


Configure a naming policy for Office 365 groups in Azure AD portal (General availability)

Type: Changed feature
Service category: Group Management
Product capability: Collaboration

Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.

You can configure naming policy for Office 365 groups in two different ways:

  • Define prefixes or suffixes, which are automatically added to a group name.

  • Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, “CEO, Payroll, HR”).

For more information, see Enforce a Naming Policy for Office 365 groups.


Microsoft Graph API endpoints are now available for Azure AD activity logs (General availability)

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're happy to announce general availability of Microsoft Graph API endpoint support for Azure AD activity logs. With this release, you can now use version 1.0 of both the Azure AD audit logs API and the sign-in logs API.

For more information, see Azure AD audit log API overview.


Administrators can now use Conditional Access for the combined registration process (Public preview)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Administrators can now create Conditional Access policies for use by the combined registration page. This includes applying policies to allow registration if:

  • Users are on a trusted network.

  • Users have a low sign-in risk.

  • Users are on a managed device.

  • Users agree to the organization’s terms of use (TOU).

For more information about Conditional Access and password reset, you can see the Conditional Access for the Azure AD combined MFA and password reset registration experience blog post. For more information about Conditional Access policies for the combined registration process, see Conditional Access policies for combined registration. For more information about the Azure AD terms of use feature, see Azure Active Directory terms of use feature.


April 2019

New Azure AD threat intelligence detection is now available in refreshed Azure AD Identity Protection

Type: New feature
Service category: Azure AD Identity Protection
Product capability: Identity Security & Protection

Azure AD threat intelligence detection is now available in the refreshed Azure AD Identity Protection. This new functionality helps to indicate user activity that’s unusual for a specific user or that’s consistent with known attack patterns based on Microsoft’s internal and external threat intelligence.

For more information about the refreshed version of Azure AD Identity Protection, see the Four major Azure AD Identity Protection enhancements are now in public preview blog and the What is Azure Active Directory Identity Protection (refreshed)? article. For more information about Azure AD threat intelligence detection, see the Azure Active Directory Identity Protection risk events article.


Azure AD entitlement management is now available (Public preview)

Type: New feature
Service category: Identity Governance
Product capability: Identity Governance

Azure AD entitlement management, now in public preview, helps customers to delegate management of access packages, which define how employees and business partners can request access, who must approve, and how long they have access. Access packages can manage membership in Azure AD and Office 365 groups, role assignments in enterprise applications, and role assignments for SharePoint Online sites. Read more about entitlement management at the overview of Azure AD entitlement management. To learn more about the breadth of Azure AD Identity Governance features, including Privileged Identity Management, access reviews and terms of use, see What is Azure AD Identity Governance?.


Configure a naming policy for Office 365 groups in Azure AD portal (Public preview)

Type: New feature
Service category: Group Management
Product capability: Collaboration

Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.

You can configure naming policy for Office 365 groups in two different ways:

  • Define prefixes or suffixes, which are automatically added to a group name.

  • Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, “CEO, Payroll, HR”).

For more information, see Enforce a Naming Policy for Office 365 groups.


Azure AD Activity logs are now available in Azure Monitor (General availability)

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

To help address your feedback about visualizations with the Azure AD Activity logs, we're introducing a new Insights feature in Log Analytics. This feature helps you gain insights about your Azure AD resources by using our interactive templates, called Workbooks. These pre-built Workbooks can provide details for apps or users, and include:

  • Sign-ins. Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins.

  • Legacy authentication and Conditional Access. Provides details for apps and users using legacy authentication, including Multi-Factor Authentication usage triggered by Conditional Access policies, apps using Conditional Access policies, and so on.

  • Sign-in failure analysis. Helps you to determine if your sign-in errors are occurring due to a user action, policy issues, or your infrastructure.

  • Custom reports. You can create new, or edit existing Workbooks to help customize the Insights feature for your organization.

For more information, see How to use Azure Monitor workbooks for Azure Active Directory reports.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2019, we added these 21 new apps with Federation support to the app gallery:

SAP Fiori, HRworks Single Sign-On, Percolate, MobiControl, Citrix NetScaler, Shibumi, Benchling, MileIQ, PageDNA, EduBrite LMS, RStudio Connect, AMMS, Mitel Connect, Alibaba Cloud (Role-based SSO), Certent Equity Management, Sectigo Certificate Manager, GreenOrbit, Workgrid, monday.com, SurveyMonkey Enterprise, Indiggo

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New access reviews frequency option and multiple role selection

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

New updates in Azure AD access reviews allow you to:

  • Change the frequency of your access reviews to semi-annually, in addition to the previously existing options of weekly, monthly, quarterly, and annually.

  • Select multiple Azure AD and Azure resource roles when creating a single access review. In this situation, all roles are set up with the same settings and all reviewers are notified at the same time.

For more information about how to create an access review, see Create an access review of groups or applications in Azure AD access reviews.


Azure AD Connect email alert system(s) are transitioning, sending new email sender information for some customers

Type: Changed feature
Service category: AD Sync
Product capability: Platform

Azure AD Connect is in the process of transitioning our email alert system(s), potentially showing some customers a new email sender. To address this, you must add azure-noreply@microsoft.com to your organization's allow list or you won't be able to continue receiving important alerts from your Office 365, Azure, or your Sync services.


UPN suffix changes are now successful between Federated domains in Azure AD Connect

Type: Fixed
Service category: AD Sync
Product capability: Platform

You can now successfully change a user's UPN suffix from one Federated domain to another Federated domain in Azure AD Connect. This fix means you should no longer experience the FederatedDomainChangeError error message during the synchronization cycle or receive a notification email stating, "Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services".

For more information, see Troubleshooting Errors during synchronization.


Increased security using the app protection-based Conditional Access policy in Azure AD (Public preview)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

App protection-based Conditional Access is now available by using the Require app protection policy. This new policy helps to increase your organization's security by helping to prevent:

  • Users gaining access to apps without a Microsoft Intune license.

  • Users being unable to get a Microsoft Intune app protection policy.

  • Users gaining access to apps without a configured Microsoft Intune app protection policy.

For more information, see How to Require app protection policy for cloud app access with Conditional Access.


New support for Azure AD single sign-on and Conditional Access in Microsoft Edge (Public preview)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

We've enhanced our Azure AD support for Microsoft Edge, including providing new support for Azure AD single sign-on and Conditional Access. If you've previously used Microsoft Intune Managed Browser, you can now use Microsoft Edge instead.

For more information about setting up and managing your devices and apps using Conditional Access, see Require managed devices for cloud app access with Conditional Access and Require approved client apps for cloud app access with Conditional Access. For more information about how to manage access using Microsoft Edge with Microsoft Intune policies, see Manage Internet access using a Microsoft Intune policy-protected browser.


March 2019

Identity Experience Framework and custom policy support in Azure Active Directory B2C is now available (GA)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now create custom policies in Azure AD B2C, including the following tasks, which are supported at scale and under our Azure SLA:

  • Create and upload custom authentication user journeys by using custom policies.

  • Describe user journeys step-by-step as exchanges between claims providers.

  • Define conditional branching in user journeys.

  • Transform and map claims for use in real-time decisions and communications.

  • Use REST API-enabled services in your custom authentication user journeys. For example, with email providers, CRMs, and proprietary authorization systems.

  • Federate with identity providers that are compliant with the OpenID Connect protocol. For example, with multi-tenant Azure AD, social account providers, or two-factor verification providers.

For more information about creating custom policies, see Developer notes for custom policies in Azure Active Directory B2C and read Alex Simon’s blog post, including case studies.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2019, we've added these 14 new apps with Federation support to the app gallery:

ISEC7 Mobile Exchange Delegate, MediusFlow, ePlatform, Fulcrum, ExcelityGlobal, Explanation-Based Auditing System, Lean, Powerschool Performance Matters, Cinode, Iris Intranet, Empactis, SmartDraw, Confirmit Horizons, TAS

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

Automate creating, updating, and deleting user accounts for the following apps:

Zscaler, Zscaler Beta, Zscaler One, Zscaler Two, Zscaler Three, Zscaler ZSCloud, Atlassian Cloud

For more information about how to better secure your organization through automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Restore and manage your deleted Office 365 groups in the Azure AD portal

Type: New feature
Service category: Group Management
Product capability: Collaboration

You can now view and manage your deleted Office 365 groups from the Azure AD portal. This change helps you to see which groups are available to restore, along with letting you permanently delete any groups that aren’t needed by your organization.

For more information, see Restore expired or deleted groups.


Single sign-on is now available for Azure AD SAML-secured on-premises apps through Application Proxy (public preview)

Type: New feature
Service category: App Proxy
Product capability: Access Control

You can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through Application Proxy. For more information about how to set up SAML SSO with your on-premises apps, see SAML single sign-on for on-premises applications with Application Proxy (Preview).


Client apps in request loops will be interrupted to improve reliability and user experience

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Client apps can incorrectly issue hundreds of the same login requests over a short period of time. These requests, whether they're successful or not, all contribute to a poor user experience and heightened workloads for the identity provider (IdP), increasing latency for all users and reducing the availability of the IdP.

This update sends an invalid_grant error, "AADSTS50196: The server terminated an operation because it encountered a loop while processing a request", to client apps that issue duplicate requests multiple times over a short period of time, beyond the scope of normal operation. Client apps that encounter this error should show an interactive prompt, requiring the user to sign in again. For more information about this change and about how to fix your app if it encounters this error, see What's new for authentication?
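The client-side half of the behavior described above, as an added example that is not part of the release notes or of any Microsoft library: it recognizes the AADSTS50196 loop error so the app stops retrying silently and prompts the user, and it adds a local guard that refuses to fire identical silent token requests faster than a set rate. The JSON error shape and the constructed error body are assumptions based on the OAuth 2.0 error format; the limit and window values are arbitrary.

```python
import time
from collections import deque

# Azure AD error code for a detected request loop (from the release note).
LOOP_ERROR_CODE = "AADSTS50196"


def classify_token_response(response):
    """Map a token-endpoint JSON response to the action the client should take.

    Returns one of: "ok", "loop_detected", "reauth_required", "error".
    """
    if "access_token" in response:
        return "ok"
    error = response.get("error")
    # Azure AD puts the AADSTS code at the start of error_description.
    code = response.get("error_description", "").split(":", 1)[0].strip()
    if error == "invalid_grant" and code == LOOP_ERROR_CODE:
        # The IdP broke a request loop: stop silent retries, prompt the user.
        return "loop_detected"
    if error in ("invalid_grant", "interaction_required"):
        return "reauth_required"
    return "error"


class SilentRequestGuard:
    """Client-side loop breaker: refuse more than `limit` identical silent
    token requests (same client, user and scope) within `window_s` seconds,
    so the app backs off before the IdP has to reject it."""

    def __init__(self, limit=5, window_s=60.0, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits = {}  # request key -> deque of request timestamps

    def allow(self, key):
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] > self.window_s:
            hits.popleft()  # drop requests that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# Constructed token-endpoint error body (assumed OAuth 2.0 JSON error shape).
LOOP_RESPONSE = {
    "error": "invalid_grant",
    "error_description": "AADSTS50196: The server terminated an operation "
                         "because it encountered a loop while processing a request.",
}
```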


New Audit Logs user experience now available

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We've created a new Azure AD Audit logs page to help improve both readability and how you search for your information. To see the new Audit logs page, select Audit logs in the Activity section of Azure AD.

[Image: New Audit logs page, with sample info]

For more information about the new Audit logs page, see Audit activity reports in the Azure Active Directory portal.


New warnings and guidance to help prevent accidental administrator lockout from misconfigured Conditional Access policies

Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

To help prevent administrators from accidentally locking themselves out of their own tenants through misconfigured Conditional Access policies, we've created new warnings and updated guidance in the Azure portal. For more information about the new guidance, see What are service dependencies in Azure Active Directory Conditional Access.


Improved end-user terms of use experiences on mobile devices

Type: Changed feature
Service category: Terms of use
Product capability: Governance

We've updated our existing terms of use experiences to help improve how you review and consent to terms of use on a mobile device. You can now zoom in and out, go back, download the information, and select hyperlinks. For more information about the updated terms of use, see Azure Active Directory terms of use feature.


New Azure AD Activity logs download experience available

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

You can now download large amounts of activity logs directly from the Azure portal. This update lets you:

  • Download up to 250,000 rows.

  • Get notified after the download completes.

  • Customize your file name.

  • Determine your output format, either JSON or CSV.

For more information about this feature, see Quickstart: Download an audit report using the Azure portal.


Breaking change: Updates to condition evaluation by Exchange ActiveSync (EAS)

Type: Plan for change
Service category: Conditional Access
Product capability: Access Control

We’re in the process of updating how Exchange ActiveSync (EAS) evaluates the following conditions:

  • User location, based on country, region, or IP address

  • Sign-in risk

  • Device platform

If you’ve previously used these conditions in your Conditional Access policies, be aware that the condition behavior might change. For example, if you previously used the user location condition in a policy, you might find the policy now being skipped based on the location of your user.


February 2019

Configurable Azure AD SAML token encryption (Public preview)

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

You can now configure any supported SAML app to receive encrypted SAML tokens. When configured and used with an app, Azure AD encrypts the emitted SAML assertions using a public key obtained from a certificate stored in Azure AD.

For more information about configuring your SAML token encryption, see Configure Azure AD SAML token encryption.
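A service-provider-side check for the feature described above, as an added example that is not part of the release notes or of any Microsoft code: after enabling token encryption, confirm that the SAMLResponse actually carries an EncryptedAssertion (and no plaintext Assertion alongside it) and report which encryption algorithms were used. The sample response is constructed with placeholder cipher values and standard XML Encryption algorithm URIs; it is not real Azure AD output.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def inspect_saml_response(saml_response):
    """Report how the assertion in a SAML Response is protected.
    Accepts the base64 SAMLResponse form value or raw XML bytes."""
    raw = saml_response.encode() if isinstance(saml_response, str) else saml_response
    if not raw.lstrip().startswith(b"<"):
        raw = base64.b64decode(raw)
    root = ET.fromstring(raw)
    plain = root.findall("saml:Assertion", NS)
    enc = root.findall("saml:EncryptedAssertion", NS)
    data_alg = key_alg = None
    if enc:
        # Symmetric algorithm protecting the assertion body ...
        data = enc[0].find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        # ... and the asymmetric algorithm wrapping that session key.
        key = enc[0].find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        data_alg = data.get("Algorithm") if data is not None else None
        key_alg = key.get("Algorithm") if key is not None else None
    return {"encrypted": bool(enc), "plaintext_assertions": len(plain),
            "data_algorithm": data_alg, "key_algorithm": key_alg}


# Constructed sample (not real Azure AD output): a Response carrying one
# EncryptedAssertion with placeholder cipher values.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response ID="_r1" Version="2.0"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:EncryptedAssertion>
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
   </xenc:EncryptedKey></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </saml:EncryptedAssertion>
</samlp:Response>""").decode()
```

A response that reports `plaintext_assertions` greater than zero after encryption was enabled means the app is still receiving an unencrypted assertion and the configuration should be rechecked.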


Create an access review for groups or apps using Azure AD Access Reviews

Type: New feature
Service category: Access Reviews
Product capability: Governance

You can now include multiple groups or apps in a single Azure AD access review for group membership or app assignment. Access reviews with multiple groups or apps are set up using the same settings and all included reviewers are notified at the same time.

For more information about how to create an access review using Azure AD Access Reviews, see Create an access review of groups or applications in Azure AD Access Reviews.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2019, we've added these 27 new apps with Federation support to the app gallery:

Euromonitor Passport, MindTickle, FAT FINGER, AirStack, Oracle Fusion ERP, IDrive, Skyward Qmlativ, Brightidea, AlertOps, Soloinsight-CloudGate SSO, Permission Click, Brandfolder, StoregateSmartFile, Pexip, Stormboard, Seismic, Share A Dream, Bugsnag, webMethods Integration Cloud, Knowledge Anywhere LMS, OU Campus, Periscope Data, Netop Portal, smartvid.io, PureCloud by Genesys, ClickUp Productivity Platform

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Enhanced combined MFA/SSPR registration

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

In response to customer feedback, we’ve enhanced the combined MFA/SSPR registration preview experience, helping your users to more quickly register their security info for both MFA and SSPR.

To turn on the enhanced experience for your users today, follow these steps:

  1. As a global administrator or user administrator, sign in to the Azure portal and go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  2. In the Users who can use the preview features for registering and managing security info – refresh option, choose to turn on the features for a Selected group of users or for All users.

Over the next few weeks, we’ll be removing the ability to turn on the old combined MFA/SSPR registration preview experience for tenants that don’t already have it turned on.

To see if the control will be removed for your tenant, follow these steps:

  1. As a global administrator or user administrator, sign in to the Azure portal and go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  2. If the Users who can use the preview features for registering and managing security info option is set to None, the option will be removed from your tenant.

Regardless of whether you previously turned on the old combined MFA/SSPR registration preview experience for users or not, the old experience will be turned off at a future date. Because of that, we strongly suggest that you move to the new, enhanced experience as soon as possible.

For more information about the enhanced registration experience, see the Cool enhancements to the Azure AD combined MFA and password reset registration experience.


Updated policy management experience for user flows

Type: Changed feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

We've made the policy creation and management process for user flows (previously known as built-in policies) easier. This new experience is now the default for all of your Azure AD tenants.

You can provide additional feedback and suggestions by using the smile or frown icons in the Send us feedback area at the top of the portal screen.

For more information about the new policy management experience, see the Azure AD B2C now has JavaScript customization and many more new features blog.


Choose specific page element versions provided by Azure AD B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now choose a specific version of the page elements provided by Azure AD B2C. By selecting a specific version, you can test your updates before they appear on a page and you can get predictable behavior. Additionally, you can now opt in to enforce specific page versions to allow JavaScript customizations. To turn on this feature, go to the Properties page in your user flows.

For more information about choosing specific versions of page elements, see the Azure AD B2C now has JavaScript customization and many more new features blog.


Configurable end-user password requirements for B2C (GA)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now set up your organization's password complexity for your end users, instead of having to use your native Azure AD password policy. From the Properties blade of your user flows (previously known as your built-in policies), you can choose a password complexity of Simple or Strong, or you can create a Custom set of requirements.

For more information about password complexity requirement configuration, see Configure complexity requirements for passwords in Azure Active Directory B2C.


New default templates for custom branded authentication experiences

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can use our new default templates, located on the Page layouts blade of your user flows (previously known as built-in policies), to create a custom branded authentication experience for your users.

For more information about using the templates, see Azure AD B2C now has JavaScript customization and many more new features.