What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL: https://docs.microsoft.com/api/search/rss?search=%22release+notes+for+azure+AD%22&locale=en-us into your feed reader.

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items that are older than six months, you can find them in the Archive for What's new in Azure Active Directory.


February 2020

Identity Secure Score - MFA improvement action updates

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

To reflect the need for businesses to ensure the utmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multi-factor authentication (MFA), and adding two.

The following improvement actions will be removed:

  • Register all users for MFA
  • Require MFA for all users
  • Require MFA for Azure AD privileged roles

The following improvement actions will be added:

  • Ensure all users can complete MFA for secure access
  • Require MFA for administrative roles

These new improvement actions will require registering your users or admins for MFA across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of setting security defaults that let Microsoft decide when to challenge users for MFA, or having multiple policies that apply scoped decisions. As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations. Read more about what's coming in Microsoft Secure Score.


Azure AD Domain Services SKU selection

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

We’ve heard feedback that Azure AD Domain Services customers want more flexibility in selecting performance levels for their instances. Starting on February 1, 2020, we switched from a dynamic model (where Azure AD determines the performance and pricing tier based on object count) to a self-selection model. Now customers can choose a performance tier that matches their environment. This change also allows us to enable new scenarios like Resource Forests, and Premium features like daily backups. The object count is now unlimited for all SKUs, but we’ll continue to offer object count suggestions for each tier.

No immediate customer action is required. For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we will no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the Azure AD DS SKUs documentation and the Azure AD Domain Services pricing page.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2020, we've added these 31 new apps with Federation support to the app gallery:

IamIP Patent Platform, Experience Cloud, NS1 SSO For Azure, Barracuda Email Security Service, ABa Reporting, In Case of Crisis - Online Portal, BIC Cloud Design, Beekeeper Azure AD Data Connector, Korn Ferry Assessments, Verkada Command, Splashtop, Syxsense, EAB Navigate, New Relic (Limited Release), Thulium, Ticket Manager, Template Chooser for Teams, Beesy, Health Support System, MURAL, Hive, LavaDo, Wakelet, Firmex VDR, ThingLink for Teachers and Schools, Coda, NearpodApp, WEDO, InvitePeople, Reprints Desk - Article Galaxy, TeamViewer

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Azure AD support for FIDO2 security keys in hybrid environments

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're announcing the public preview of Azure AD support for FIDO2 security keys in Hybrid environments. Users can now use FIDO2 security keys to sign in to their Hybrid Azure AD joined Windows 10 devices and get seamless sign-on to their on-premises and cloud resources. Support for Hybrid environments has been the most-requested feature from our passwordless customers since we initially launched the public preview for FIDO2 support in Azure AD joined devices. Passwordless authentication using advanced technologies like biometrics and public/private key cryptography provides convenience and ease-of-use while being secure. With this public preview, you can now use modern authentication like FIDO2 security keys to access traditional Active Directory resources. For more information, go to SSO to on-premises resources.

To get started, visit enable FIDO2 security keys for your tenant for step-by-step instructions.


The new My Account experience is now generally available

Type: Changed feature
Service category: My Profile/Account
Product capability: End User Experiences

My Account, the one-stop shop for all end-user account management needs, is now generally available! End users can access this new site via URL, or in the header of the new My Apps experience. Learn more about all the self-service capabilities the new experience offers at My Account Portal Overview.


My Account site URL updating to myaccount.microsoft.com

Type: Changed feature
Service category: My Profile/Account
Product capability: End User Experiences

The new My Account end user experience will be updating its URL to https://myaccount.microsoft.com in the next month. Find more information about the experience and all the account self-service capabilities it offers to end users at My Account portal help.


January 2020

The new My Apps portal is now generally available

Type: Plan for change
Service category: My Apps
Product capability: End User Experiences

Upgrade your organization to the new My Apps portal that is now generally available! Find more information on the new portal and collections at Create collections on the My Apps portal.


Workspaces in Azure AD have been renamed to collections

Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

Workspaces, the filters admins can configure to organize their users' apps, will now be referred to as collections. Find more info on how to configure them at Create collections on the My Apps portal.


Azure AD B2C Phone sign-up and sign-in using custom policy (Public Preview)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies, phone sign-up and sign-in allows developers and enterprises to communicate their brand through page customization. Find out how to set up phone sign-up and sign-in with custom policies in Azure AD B2C.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2020, we've added these 33 new apps with Federation support to the app gallery:

JOSA, Fastly Edge Cloud, Terraform Enterprise, Spintr SSO, Abibot Netlogistik, SkyKick Cloud Backup for Office 365, Upshotly, LeaveBot, DataCamp, TripActions, SmartWork, Dotcom-Monitor, SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE, Hosted MyCirqa SSO, Yuhu Property Management Platform, LumApps, Upwork Enterprise, Talentsoft, SmartDB for Microsoft Teams, PressPage, ContractSafe Saml2 SSO, Maxient Conduct Manager Software, Helpshift, PortalTalk 365, CoreView, Squelch Cloud Office365 Connector, PingFlow Authentication, PrinterLogic SaaS, Taskize Connect, Sandwai, EZRentOut, AssetSonar, Akari Virtual Assistant

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Two new Identity Protection detections

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We've added two new sign-in linked detection types to Identity Protection: Suspicious inbox manipulation rules and Impossible travel. These offline detections are discovered by Microsoft Cloud App Security (MCAS) and influence the user and sign-in risk in Identity Protection. For more information on these detections, see our sign-in risk types.


Breaking Change: URI Fragments will not be carried through the login redirect

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

Starting on February 8, 2020, when a request is sent to login.microsoftonline.com to sign in a user, the service will append an empty fragment to the request. This prevents a class of redirect attacks by ensuring that the browser wipes out any existing fragment in the request. No application should have a dependency on this behavior. For more information, see Breaking changes in the Microsoft identity platform documentation.
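The fragment behavior this change relies on, as an added example that is not Microsoft code: under RFC 7231 section 7.1.2, a redirect whose Location value has no fragment inherits the fragment of the URL that was requested, while a Location ending in a bare `#` replaces it with an empty one. Modelling the appended empty fragment as part of the Location value is an assumption of this example, and the hosts, paths, and parameter values are hypothetical.

```javascript
// Added example: fragment handling across redirect hops.
// Hosts, paths and parameter values are hypothetical.

// Resolve one redirect hop as RFC 7231 section 7.1.2 requires: a Location
// value without a fragment inherits the fragment of the request URL.
function resolveRedirect(requestUrl, location) {
  const target = new URL(location, requestUrl);
  // A bare trailing "#" counts as a fragment (an empty one), so test the raw
  // header text: URL.hash returns "" for both "no fragment" and "#".
  const hasOwnFragment = location.includes('#');
  if (!hasOwnFragment) {
    target.hash = new URL(requestUrl).hash;
  }
  return {
    href: target.href,
    fragment: target.hash,
    inherited: !hasOwnFragment && target.hash !== '',
  };
}

// Follow a chain of Location values and report what each hop ends up with.
function followRedirects(startUrl, locations) {
  const hops = [];
  let current = startUrl;
  for (const location of locations) {
    const hop = resolveRedirect(current, location);
    hops.push(hop);
    current = hop.href;
  }
  return hops;
}

// Constructed sign-in request that arrives with a fragment already attached.
const START = 'https://login.example/authorize?client_id=app#constructed-fragment';

// Without an empty fragment, the value survives every hop to the application.
const carried = followRedirects(START, [
  '/authorize/continue?client_id=app',
  'https://app.example/callback?code=constructed',
]);

// With an empty fragment on the final redirect, the application sees none.
const wiped = followRedirects(START, [
  '/authorize/continue?client_id=app',
  'https://app.example/callback?code=constructed#',
]);

console.log(carried.map((h) => h.href));
console.log(wiped.map((h) => h.href));
```

An application that reads `location.hash` on its callback page can use the same check to confirm that nothing arrives there except what it expects.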


December 2019

Integrate SAP SuccessFactors provisioning into Azure AD and on-premises AD (Public Preview)

Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

You can now integrate SAP SuccessFactors as an authoritative identity source in Azure AD. This integration helps you automate the end-to-end identity lifecycle, including using HR-based events, like new hires or terminations, to control provisioning of Azure AD accounts.

For more information about how to set up SAP SuccessFactors inbound provisioning to Azure AD, see the Configure SAP SuccessFactors automatic provisioning tutorial.


Support for customized emails in Azure AD B2C (Public Preview)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now use Azure AD B2C to create customized emails when your users sign up to use your apps. By using DisplayControls (currently in preview) and a third-party email provider (such as SendGrid, SparkPost, or a custom REST API), you can use your own email template, From address, and subject text, as well as support localization and custom one-time password (OTP) settings.

For more information, see Custom email verification in Azure Active Directory B2C.


Replacement of baseline policies with security defaults

Type: Changed feature
Service category: Other
Product capability: Identity Security and Protection

As part of a secure-by-default model for authentication, we’re removing the existing baseline protection policies from all tenants. This removal is targeted for completion at the end of February. The replacement for these baseline protection policies is security defaults. If you’ve been using baseline protection policies, you must plan to move to the new security defaults policy or to Conditional Access. If you haven’t used these policies, there is no action for you to take.

For more information about the new security defaults, see What are security defaults? For more information about Conditional Access policies, see Common Conditional Access policies.


November 2019

Support for the SameSite attribute and Chrome 80

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the SameSite attribute. Any cookie that doesn't specify the SameSite attribute will be treated as though it was set to SameSite=Lax, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that your app may depend on. To maintain the older Chrome behavior, you can use the SameSite=None attribute and add an additional Secure attribute, so cross-site cookies can only be accessed over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020.

We recommend all our developers test their apps using this guidance:

  • Set the default value for the Use Secure Cookie setting to Yes.

  • Set the default value for the SameSite attribute to None.

  • Add the additional Secure attribute alongside the SameSite attribute.

For more information, see Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core and Potential disruption to customer websites and Microsoft products and services in Chrome version 79 and later.


New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2)

Type: Fixed
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

A hotfix rollup package (build 4.6.34.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the "Issues fixed and improvements added in this update" section.

For more information and to download the hotfix package, see Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available.


New AD FS app activity report to help migrate apps to Azure AD (Public Preview)

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Use the new Active Directory Federation Services (AD FS) app activity report, in the Azure portal, to identify which of your apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration.

For more information, see Use the AD FS application activity report to migrate applications to Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: Access Control

The new admin consent workflow gives admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that's accessible from the Azure portal, to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action.

For more information, see Configure the admin consent workflow (preview).


New Azure AD App Registrations Token configuration experience for managing optional claims (Public Preview)

Type: New feature
Service category: Other
Product capability: Developer Experience

The new Azure AD App Registrations Token configuration blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations.

For more information, see Provide optional claims to your Azure AD app.


New two-stage approval workflow in Azure AD entitlement management (Public Preview)

Type: New feature
Service category: Other
Product capability: Entitlement Management

We've introduced a new two-stage approval workflow that allows you to require two approvers to approve a user's request to an access package. For example, you can set it so the requesting user's manager must first approve, and then you can also require a resource owner to approve. If one of the approvers doesn't approve, access isn't granted.

For more information, see Change request and approval settings for an access package in Azure AD entitlement management.


Updates to the My Apps page along with new workspaces (Public Preview)

Type: New feature
Service category: My Apps
Product capability: 3rd Party Integration

You can now customize the way your organization's users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for your users to find and organize apps.

For more information about the new My Apps experience and creating workspaces, see Create workspaces on the My Apps portal.


Google social ID support for Azure AD B2B collaboration (General Availability)

Type: New feature
Service category: B2B
Product capability: User Authentication

New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for your users and partners. There's no longer a need for your partners to create and manage a new Microsoft-specific account. Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints.

For more information, see Add Google as an identity provider for B2B guest users.


Microsoft Edge Mobile Support for Conditional Access and Single Sign-on (General Availability)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Azure AD for Microsoft Edge on iOS and Android now supports Azure AD Single Sign-On and Conditional Access:

  • Microsoft Edge single sign-on (SSO): Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD-connected apps.

  • Microsoft Edge conditional access: Through application-based conditional access policies, your users must use Microsoft Intune-protected browsers, such as Microsoft Edge.

For more information about conditional access and SSO with Microsoft Edge, see the Microsoft Edge Mobile Support for Conditional Access and Single Sign-on Now Generally Available blog post. For more information about how to set up your client apps using app-based conditional access or device-based conditional access, see Manage web access using a Microsoft Intune policy-protected browser.


Azure AD entitlement management (General Availability)

Type: New feature
Service category: Other
Product capability: Entitlement Management

Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites.

With Azure AD entitlement management, you can more efficiently manage access both for employees and also for users outside your organization who need access to those resources.

For more information, see What is Azure AD entitlement management?


Automate user account provisioning for these newly supported SaaS apps

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

SAP Cloud Platform Identity Authentication Service, RingCentral, SpaceIQ, Miro, Cloudgate, Infor CloudSuite, OfficeSpace Software, Priority Matrix

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2019, we've added these 21 new apps with Federation support to the app gallery:

Airtable, Hootsuite, Blue Access for Members (BAM), Bitly, Riva, ResLife Portal, NegometrixPortal Single Sign On (SSO), TeamsChamp, Motus, MyAryaka, BlueMail, Beedle, Visma, OneDesk, Foko Retail, Qmarkets Idea & Innovation Management, Netskope User Authentication, uniFLOW Online, Claromentis, Jisc Student Voter Registration, e4enable

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

We've updated the Azure AD application gallery to make it easier for you to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on your Azure Active Directory tenant.

For more information, see Add an application to your Azure Active Directory tenant.


Increased app role definition length limit from 120 to 240 characters

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

We've heard from customers that the length limit for the app role definition value in some apps and services is too short at 120 characters. In response, we've increased the maximum length of the role value definition to 240 characters.

For more information about using application-specific role definitions, see Add app roles in your application and receive them in the token.


October 2019

Deprecation of the identityRiskEvent API for Azure AD Identity Protection risk detections

Type: Plan for change
Service category: Identity Protection
Product capability: Identity Security & Protection

In response to developer feedback, Azure AD Premium P2 subscribers can now perform complex queries on Azure AD Identity Protection’s risk detection data by using the new riskDetection API for Microsoft Graph. The existing identityRiskEvent API beta version will stop returning data around January 10, 2020. If your organization is using the identityRiskEvent API, you should transition to the new riskDetection API.

For more information about the new riskDetection API, see the Risk detection API reference documentation.


Application Proxy support for the SameSite Attribute and Chrome 80

Type: Plan for change
Service category: App Proxy
Product capability: Access Control

A couple of weeks prior to the Chrome 80 browser release, we plan to update how Application Proxy cookies treat the SameSite attribute. With the release of Chrome 80, any cookie that doesn't specify the SameSite attribute will be treated as though it was set to SameSite=Lax.

To help avoid potentially negative impacts due to this change, we're updating Application Proxy access and session cookies by:

  • Setting the default value for the Use Secure Cookie setting to Yes.

  • Setting the default value for the SameSite attribute to None.

    Note

    Application Proxy access cookies have always been transmitted exclusively over secure channels. These changes only apply to session cookies.

For more information about the Application Proxy cookie settings, see Cookie settings for accessing on-premises applications in Azure Active Directory.
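The SameSite rules from this entry and from the November 2019 entry "Support for the SameSite attribute and Chrome 80", as an added example that is not Microsoft code: it classifies Set-Cookie headers the way Chrome 80 treats them and rewrites a header to the SameSite=None plus Secure form. The cookie names and values are constructed, and treating an unrecognized SameSite value like a missing one is an assumption.

```javascript
// Added example: audit Set-Cookie headers against the Chrome 80 SameSite
// rules described on this page. All cookies below are constructed samples.

// Split one Set-Cookie header value into its name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
  if (!pair) throw new Error('empty Set-Cookie header');
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf('=');
    const key = (i === -1 ? item : item.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : item.slice(i + 1).trim();
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// Work out the SameSite mode Chrome 80 applies and whether the cookie is kept.
function classifyCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const secure = 'secure' in attrs;
  const declared = (attrs.samesite || '').toLowerCase();
  const result = { name, secure, declared: declared || null,
                   effective: 'Lax', accepted: true, finding: '' };
  if (declared === 'none') {
    result.effective = 'None';
    if (secure) {
      result.finding = 'sent in cross-site requests, over HTTPS only';
    } else {
      result.accepted = false;
      result.finding = 'SameSite=None without Secure: cookie is rejected';
    }
  } else if (declared === 'strict') {
    result.effective = 'Strict';
    result.finding = 'same-site requests only';
  } else if (declared === 'lax') {
    result.finding = 'explicit Lax: cross-site only on top-level navigation';
  } else {
    // Missing attribute: Chrome 80 applies Lax. Handling an unrecognized
    // value the same way is an assumption of this example.
    result.finding = 'no usable SameSite attribute: treated as SameSite=Lax';
  }
  result.sentCrossSite = result.accepted && result.effective === 'None';
  return result;
}

// Rewrite a header to the form the guidance describes: SameSite=None plus Secure.
function hardenForCrossSite(header) {
  const kept = header.split(';').map((s) => s.trim()).filter(Boolean)
    .filter((s, idx) => idx === 0 || !/^(samesite|secure)\b/i.test(s));
  return [...kept, 'Secure', 'SameSite=None'].join('; ');
}

// List the cookies that will not be available in cross-site requests.
function cookiesBlockedCrossSite(headers) {
  return headers.map(classifyCookie)
    .filter((c) => !c.sentCrossSite)
    .map((c) => `${c.name}: ${c.finding}`);
}

// Constructed Set-Cookie values, one per case.
const SAMPLE_HEADERS = [
  'LegacySession=abc123; Path=/; HttpOnly',
  'HalfFixed=abc123; Path=/; HttpOnly; SameSite=None',
  'EmbeddedSession=abc123; Path=/; HttpOnly; Secure; SameSite=None',
  'Prefs=dark; Path=/; Secure; SameSite=Strict',
];

for (const line of cookiesBlockedCrossSite(SAMPLE_HEADERS)) {
  console.log(line);
}
console.log(hardenForCrossSite(SAMPLE_HEADERS[0]));
```

Only cookies that an app genuinely needs in cross-site requests should be rewritten this way; the Lax default is the safer setting for everything else.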


App registrations (legacy) and converged app management from the Application Registration Portal (apps.dev.microsoft.com) will no longer be available

Type: Plan for change
Service category: N/A
Product capability: Developer Experience

In the near future, users with Azure AD accounts will no longer be able to register and manage converged applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage applications in the App registrations (legacy) experience in the Azure portal.

To learn more about the new App registrations experience, see the App registrations in the Azure portal training guide.


Users are no longer required to re-register during migration from per-user MFA to Conditional Access-based MFA

Type: Fixed
Service category: MFA
Product capability: Identity Security & Protection

We've fixed a known issue whereby users were required to re-register if they were disabled for per-user Multi-Factor Authentication (MFA) and then enabled for MFA through a Conditional Access policy.

To require users to re-register, you can select the Required re-register MFA option from the user's authentication methods in the Azure AD portal. For more information about migrating users from per-user MFA to Conditional Access-based MFA, see Convert users from per-user MFA to Conditional Access based MFA.


New capabilities to transform and send claims in your SAML token

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

We've added additional capabilities to help you to customize and send claims in your SAML token. These new capabilities include:

  • Additional claims transformation functions, helping you to modify the value you send in the claim.

  • Ability to apply multiple transformations to a single claim.

  • Ability to specify the claim source, based on the user type and the group to which the user belongs.

For detailed information about these new capabilities, including how to use them, see Customize claims issued in the SAML token for enterprise applications.


New My Sign-ins page for end users in Azure AD

Type: New feature
Service category: Authentications (Logins)
Product capability: Monitoring & Reporting

We've added a new My Sign-ins page (https://mysignins.microsoft.com) to let your organization's users view their recent sign-in history to check for any unusual activity. This new page allows your users to see:

  • If anyone is attempting to guess their password.

  • If an attacker successfully signed in to their account and from what location.

  • What apps the attacker tried to access.

For more information, see the Users can now check their sign-in history for unusual activity blog.


Migration of Azure AD Domain Services (Azure AD DS) from classic to Azure Resource Manager virtual networks

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

To our customers who have been stuck on classic virtual networks -- we have great news for you! You can now perform a one-time migration from a classic virtual network to an existing Resource Manager virtual network. After moving to the Resource Manager virtual network, you'll be able to take advantage of the additional and upgraded features such as fine-grained password policies, email notifications, and audit logs.

For more information, see Preview - Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager.


Updates to the Azure AD B2C page contract layout

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

We've introduced some new changes to version 1.2.0 of the page contract for Azure AD B2C. In this updated version, you can now control the load order for your elements, which can also help to stop the flicker that happens when the style sheet (CSS) is loaded.

For a full list of the changes made to the page contract, see the Version change log.


Update to the My Apps page along with new workspaces (Public preview)

Type: New feature
Service category: My Apps
Product capability: Access Control

You can now customize the way your organization's users view and access the brand-new My Apps experience, including using the new workspaces feature to make it easier for them to find apps. The new workspaces functionality acts as a filter for the apps your organization's users already have access to.

For more information on rolling out the new My Apps experience and creating workspaces, see Create workspaces on the My Apps (preview) portal.


Support for the monthly active user-based billing model (General availability)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Azure AD B2C now supports monthly active users (MAU) billing. MAU billing is based on the number of unique users with authentication activity during a calendar month. Existing customers can switch to this new billing method at any time.

Starting on November 1, 2019, all new customers will automatically be billed using this method. This billing method benefits customers through cost benefits and the ability to plan ahead.

For more information, see Upgrade to monthly active users billing model.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2019, we've added these 35 new apps with Federation support to the app gallery:

In Case of Crisis – Mobile, Juno Journey, ExponentHR, Tact, OpusCapita Cash Management, Salestim, Learnster, Dynatrace, HunchBuzz, Freshworks, eCornell, ShipHazmat, Netskope Cloud Security, Contentful, Bindtuning, HireVue Coordinate – EU, HireVue Coordinate - USOnly, HireVue Coordinate - US, WittyParrot Knowledge Box, Cloudmore, Visit.org, Cambium Xirrus EasyPass Portal, Paylocity, Mail Luck!, Teamie, Velocity for Teams, SIGNL4, EAB Navigate IMPL, ScreenMeet, Omega Point, Speaking Email for Intune (iPhone), Speaking Email for Office 365 Direct (iPhone/Android), ExactCare SSO, iHealthHome Care Navigation System, Qubie

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Consolidated Security menu item in the Azure AD portal

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

You can now access all of the available Azure AD security features from the new Security menu item, and from the Search bar, in the Azure portal. Additionally, the new Security landing page, called Security - Getting started, will provide links to our public documentation, security guidance, and deployment guides.

The new Security menu includes:

  • Conditional Access
  • Identity Protection
  • Security Center
  • Identity Secure Score
  • Authentication methods
  • MFA
  • Risk reports - Risky users, Risky sign-ins, Risk detections
  • And more...

For more information, see Security - Getting started.


Office 365 groups expiration policy enhanced with autorenewal

Type: Changed feature
Service category: Group Management
Product capability: Identity Lifecycle Management

The Office 365 groups expiration policy has been enhanced to automatically renew groups that are actively in use by their members. Groups will be autorenewed based on user activity across all the Office 365 apps, including Outlook, SharePoint, and Teams.

This enhancement helps to reduce your group expiration notifications and helps to make sure that active groups continue to be available. If you already have an active expiration policy for your Office 365 groups, you don't need to do anything to turn on this new functionality.

For more information, see Configure the expiration policy for Office 365 groups.


Updated Azure AD Domain Services (Azure AD DS) creation experience

Type: Changed feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

We've updated Azure AD Domain Services (Azure AD DS) to include a new and improved creation experience, helping you to create a managed domain in just three clicks! In addition, you can now upload and deploy Azure AD DS from a template.

For more information, see Tutorial: Create and configure an Azure Active Directory Domain Services instance.


September 2019

Plan for change: Deprecation of the Power BI content packs

Type: Plan for change
Service category: Reporting
Product capability: Monitoring & Reporting

Starting on October 1, 2019, Power BI will begin to deprecate all content packs, including the Azure AD Power BI content pack. As an alternative to this content pack, you can use Azure AD Workbooks to gain insights into your Azure AD-related services. Additional workbooks are coming, including workbooks about Conditional Access policies in report-only mode, app consent-based insights, and more.

For more information about the workbooks, see How to use Azure Monitor workbooks for Azure Active Directory reports. For more information about the deprecation of the content packs, see the Announcing Power BI template apps general availability blog post.


My Profile is renaming and integrating with the Microsoft Office account page

Type: Plan for change
Service category: My Profile/Account
Product capability: Collaboration

Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that currently says My Profile will change to My Account. On top of the naming change and some design improvements, the updated experience will offer additional integration with the Microsoft Office account page. Specifically, you'll be able to access Office installations and subscriptions from the Overview Account page, along with Office-related contact preferences from the Privacy page.

For more information about the My Profile (preview) experience, see My Profile (preview) portal overview.


Bulk manage groups and members using CSV files in the Azure AD portal (Public Preview)

Type: New feature
Service category: Group Management
Product capability: Collaboration

We're pleased to announce public preview availability of the bulk group management experiences in the Azure AD portal. You can now use a CSV file and the Azure AD portal to manage groups and member lists, including:

  • Adding or removing members from a group.

  • Downloading the list of groups from the directory.

  • Downloading the list of group members for a specific group.

For more information, see Bulk add members, Bulk remove members, Bulk download members list, and Bulk download groups list.


New admin consent endpoint to support dynamic consent

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We've created a new admin consent endpoint to support dynamic consent, which is helpful for apps that want to use the dynamic consent model on the Microsoft Identity platform.

For more information about how to use this new endpoint, see Using the admin consent endpoint.


New apps with Federation support in the app gallery - September 2019

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2019, we added these 29 new apps with Federation support to the app gallery:

ScheduleLook, MS Azure SSO Access for Ethidex Compliance Office™ - Single sign-on, iServer Portal, SKYSITE, Concur Travel and Expense, WorkBoard, YeeFlow, ARC Facilities, Luware Stratus Team, Wide Ideas, Prisma Cloud, JDLT Client Hub, RENRAKU, SealPath Secure Browser, Prisma Cloud, Penneo, Hiretual, Cintoo Cloud, Whitesource, Hosted Heritage Online SSO, IDC, CakeHR, BIS, Coo Kai Team Build, Sonarqube, Adobe Identity Management, Discovery Benefits SSO, Amelio, iTask

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New Azure AD Global Reader role

Type: New feature
Service category: RBAC
Product capability: Access Control

Starting on September 24, 2019, we're going to start rolling out a new Azure Active Directory (AD) role called Global Reader. This rollout will start with production and Global cloud customers (GCC), finishing up worldwide in October.

The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can't take management actions. We’ve created the Global Reader role to help reduce the number of Global Administrators in your organization. Because Global Administrator accounts are powerful and vulnerable to attack, we recommend that you have fewer than five Global Administrators. We recommend using the Global Reader role for planning, audits, or investigations. We also recommend using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.

The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Compliance Center, Azure AD Admin Center, and the Device Management Admin Center.

Note

At the start of public preview, the Global Reader role won't work with: SharePoint, Privileged Access Management, Customer Lockbox, sensitivity labels, Teams Lifecycle, Teams Reporting & Call Analytics, Teams IP Phone Device Management, and Teams App Catalog. All of these services are intended to work with the role in the future.

For more information, see Administrator role permissions in Azure Active Directory.
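
One way to check a tenant against the "fewer than five Global Administrators" guidance above, as an added example that is not Microsoft's own code. The function names and sample accounts are hypothetical; the two GUIDs are the built-in role template IDs for Global Administrator and Global Reader, and the live path assumes the AzureAD or AzureADPreview module with an existing Connect-AzureAD session.

```powershell
# Built-in role template IDs (identical in every tenant).
$GlobalAdminTemplateId  = '62e90394-69f5-4237-9190-012177145e10'
$GlobalReaderTemplateId = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'

# Live collection. Get-AzureADDirectoryRole returns only roles that are
# activated in the tenant, so an unused Global Reader role yields no rows.
function Get-RoleAssignment {
    foreach ($role in Get-AzureADDirectoryRole) {
        foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            [pscustomobject]@{
                RoleTemplateId = $role.RoleTemplateId
                ObjectType     = $m.ObjectType
                Principal      = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
            }
        }
    }
}

# Pure function: compares a set of assignments with the guidance.
function Test-GlobalAdminGuidance {
    param([object[]] $Assignment = @(), [int] $Limit = 5)
    $admins  = @($Assignment | Where-Object { $_.RoleTemplateId -eq $GlobalAdminTemplateId })
    $readers = @($Assignment | Where-Object { $_.RoleTemplateId -eq $GlobalReaderTemplateId })
    [pscustomobject]@{
        GlobalAdminCount   = $admins.Count
        GlobalReaderCount  = $readers.Count
        WithinGuidance     = $admins.Count -lt $Limit   # "fewer than five"
        # Service principals holding Global Administrator deserve separate review.
        NonUserGlobalAdmin = @($admins | Where-Object { $_.ObjectType -ne 'User' }).Principal
        GlobalAdmins       = $admins.Principal
    }
}

# Constructed sample data (not from a real tenant).
# For a live audit, replace $sample with the output of Get-RoleAssignment.
$sample = @(
    [pscustomobject]@{ RoleTemplateId = $GlobalAdminTemplateId;  ObjectType = 'User'; Principal = 'admin1@contoso.example' }
    [pscustomobject]@{ RoleTemplateId = $GlobalAdminTemplateId;  ObjectType = 'User'; Principal = 'admin2@contoso.example' }
    [pscustomobject]@{ RoleTemplateId = $GlobalAdminTemplateId;  ObjectType = 'User'; Principal = 'helpdesk@contoso.example' }
    [pscustomobject]@{ RoleTemplateId = $GlobalAdminTemplateId;  ObjectType = 'User'; Principal = 'auditor@contoso.example' }
    [pscustomobject]@{ RoleTemplateId = $GlobalAdminTemplateId;  ObjectType = 'ServicePrincipal'; Principal = 'legacy-sync-app' }
    [pscustomobject]@{ RoleTemplateId = $GlobalReaderTemplateId; ObjectType = 'User'; Principal = 'secops@contoso.example' }
)
Test-GlobalAdminGuidance -Assignment $sample | Format-List
```

Accounts that hold Global Administrator only for planning, audits, or investigations are the candidates to move to Global Reader.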


Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application Proxy

Type: New feature
Service category: App Proxy
Product capability: Access Control

New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization's reports hosted on the on-premises Power BI Report Server.

For information about the Power BI Mobile app, including where to download the app, see the Power BI site. For more information about how to set up the Power BI mobile app with Azure AD Application Proxy, see Enable remote access to Power BI Mobile with Azure AD Application Proxy.


New version of the AzureADPreview PowerShell module is available

Type: Changed feature
Service category: Other
Product capability: Directory

New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:

  • Add-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Get-AzureADMSFeatureRolloutPolicy
  • New-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Set-AzureADMSFeatureRolloutPolicy


New version of Azure AD Connect

Type: Changed feature
Service category: Other
Product capability: Directory

We've released an updated version of Azure AD Connect for auto-upgrade customers. This new version includes several new features, improvements, and bug fixes. For more information about this new version, see Azure AD Connect: Version release history.


Azure Multi-Factor Authentication (MFA) Server, version 8.0.2 is now available

Type: Fixed
Service category: MFA
Product capability: Identity Security & Protection

If you're an existing customer who activated MFA Server prior to July 1, 2019, you can now download the latest version of MFA Server (version 8.0.2). In this new version, we:

  • Fixed an issue so that an email is sent to the user when Azure AD sync changes a user from Disabled to Enabled.

  • Fixed an issue so customers can successfully upgrade, while continuing to use the Tags functionality.

  • Added the Kosovo (+383) country code.

  • Added one-time bypass audit logging to the MultiFactorAuthSvc.log.

  • Improved performance for the Web Service SDK.

  • Fixed other minor bugs.

Starting July 1, 2019, Microsoft stopped offering MFA Server for new deployments. New customers who require multi-factor authentication should use cloud-based Azure Multi-Factor Authentication. For more information, see Planning a cloud-based Azure Multi-Factor Authentication deployment.