What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL into your RSS feed reader: https://docs.microsoft.com/api/search/rss?search=%22release+notes+for+azure+AD%22&locale=en-us

Azure AD receives improvements on an ongoing basis. To stay up-to-date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items that are older than six months, you can find them in the Archive for What's new in Azure Active Directory.


February 2019

Configurable Azure AD SAML token encryption (Public preview)

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

You can now configure any supported SAML app to receive encrypted SAML tokens. When configured and used with an app, Azure AD encrypts the emitted SAML assertions using a public key obtained from a certificate stored in Azure AD.

For more information about configuring your SAML token encryption, see Configure Azure AD SAML token encryption.


Create an access review for groups or apps using Azure AD Access Reviews

Type: New feature
Service category: Access Reviews
Product capability: Governance

You can now include multiple groups or apps in a single Azure AD access review for group membership or app assignment. Access reviews with multiple groups or apps are set up using the same settings and all included reviewers are notified at the same time.

For more information about how to create an access review using Azure AD Access Reviews, see Create an access review of groups or applications in Azure AD Access Reviews.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2019, we've added these 27 new apps with Federation support to the app gallery:

Euromonitor Passport, MindTickle, FAT FINGER, AirStack, Oracle Fusion ERP, IDrive, Skyward Qmlativ, Brightidea, AlertOps, Soloinsight-CloudGate SSO, Permission Click, Brandfolder, StoregateSmartFile, Pexip, Stormboard, Seismic, Share A Dream, Bugsnag, webMethods Integration Cloud, Knowledge Anywhere LMS, OU Campus, Periscope Data, Netop Portal, smartvid.io, PureCloud by Genesys, ClickUp Productivity Platform

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Enhanced combined MFA/SSPR registration

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

In response to customer feedback, we’ve enhanced the combined MFA/SSPR registration preview experience, helping your users to more quickly register their security info for both MFA and SSPR.

To turn on the enhanced experience for your users today, follow these steps:

  1. As a global administrator or user administrator, sign in to the Azure portal and go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  2. In the Users who can use the preview features for registering and managing security info – refresh option, choose to turn on the features for a Selected group of users or for All users.

Over the next few weeks, we’ll be removing the ability to turn on the old combined MFA/SSPR registration preview experience for tenants that don’t already have it turned on.

To see if the control will be removed for your tenant, follow these steps:

  1. As a global administrator or user administrator, sign in to the Azure portal and go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  2. If the Users who can use the preview features for registering and managing security info option is set to None, the option will be removed from your tenant.

Regardless of whether you previously turned on the old combined MFA/SSPR registration preview experience for users or not, the old experience will be turned off at a future date. Because of that, we strongly suggest that you move to the new, enhanced experience as soon as possible.

For more information about the enhanced registration experience, see the Cool enhancements to the Azure AD combined MFA and password reset registration experience.


Updated policy management experience for user flows

Type: Changed feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

We've made the policy creation and management process for user flows (previously known as built-in policies) easier. This new experience is now the default for all of your Azure AD tenants.

You can provide additional feedback and suggestions by using the smile or frown icons in the Send us feedback area at the top of the portal screen.

For more information about the new policy management experience, see the Azure AD B2C now has JavaScript customization and many more new features blog.


Choose specific page element versions provided by Azure AD B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now choose a specific version of the page elements provided by Azure AD B2C. By selecting a specific version, you can test your updates before they appear on a page and you can get predictable behavior. Additionally, you can now opt in to enforce specific page versions to allow JavaScript customizations. To turn this feature on, go to the Properties page in your user flows.

For more information about choosing specific versions of page elements, see the Azure AD B2C now has JavaScript customization and many more new features blog.


Configurable end-user password requirements for B2C (GA)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now specifically set up your organization's password complexity for your end-users, instead of having to use your native Azure AD password policy. From the Properties blade of your user flows (previously known as your built-in policies), you can choose a password complexity of Simple or Strong, or you can create a Custom set of requirements.

For more information about password complexity requirement configuration, see Configure complexity requirements for passwords in Azure Active Directory B2C.


New default templates for custom branded authentication experiences

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can use our new default templates, located on the Page layouts blade of your user flows (previously known as built-in policies), to create a custom branded authentication experience for your users.

For more information about using the templates, see Azure AD B2C now has JavaScript customization and many more new features.


January 2019

Active Directory B2B collaboration using one-time passcode authentication (Public preview)

Type: New feature
Service category: B2B
Product capability: B2B/B2C

We've introduced one-time passcode authentication (OTP) for B2B guest users who can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. This new authentication method means that guest users don't have to create a new Microsoft account. Instead, while redeeming an invitation or accessing a shared resource, a guest user can request a temporary code to be sent to an email address. Using this temporary code, the guest user can continue to sign in.

For more information, see Email one-time passcode authentication (preview) and the blog, Azure AD makes sharing and collaboration seamless for any user with any account.

Type: New feature
Service category: App Proxy
Product capability: Access Control

We've introduced three new cookie settings, available for your apps that are published through Application Proxy:

  • Use HTTP-Only cookie. Sets the HTTPOnly flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, such as helping to prevent copying or modifying of cookies through client-side scripting. We recommend you turn on this flag (choose Yes) for the added benefits.

  • Use secure cookie. Sets the Secure flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, by making sure cookies are only transmitted over TLS secure channels, such as HTTPS. We recommend you turn on this flag (choose Yes) for the added benefits.

  • Use persistent cookie. Prevents access cookies from expiring when the web browser is closed. These cookies last for the lifetime of the access token. However, the cookies are reset if the expiration time is reached or if the user manually deletes the cookie. We recommend you keep the default setting No, only turning on the setting for older apps that don't share cookies between processes.

For more information about the new cookies, see Cookie settings for accessing on-premises applications in Azure Active Directory.
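To verify that the three cookie settings above actually took effect on a published app, an administrator can inspect the Set-Cookie headers the proxy returns. The following added example (not code from the original page or from Microsoft) parses such headers and reports a cookie that lacks HttpOnly or Secure, or that carries an Expires/Max-Age attribute and is therefore persistent. The cookie names and header values are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly, Secure and persistence attributes
that the Application Proxy cookie settings control (constructed example)."""
from dataclasses import dataclass
from typing import List


@dataclass
class CookieReport:
    name: str
    httponly: bool
    secure: bool
    persistent: bool  # True when Expires or Max-Age is present


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieReport(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        persistent="expires" in attrs or "max-age" in attrs,
    )


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per deviation from the recommended settings:
    HttpOnly on, Secure on, persistent cookie off."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.httponly:
            findings.append(f"{cookie.name}: missing HttpOnly")
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure")
        if cookie.persistent:
            findings.append(f"{cookie.name}: persistent (Expires/Max-Age set)")
    return findings


# Constructed sample headers; cookie names are placeholders, not the proxy's real names.
SAMPLE_HEADERS = [
    "AccessCookie=abc123; Path=/; Secure; HttpOnly",
    "SessionCookie=def456; Path=/",
    "LegacyCookie=ghi789; Path=/; Secure; HttpOnly; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

A cookie that produces no findings has HttpOnly and Secure set and is a session cookie, which matches the recommended values (Yes, Yes, No) for the three settings.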


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2019, we've added these 35 new apps with Federation support to the app gallery:

Firstbird, Folloze, Talent Palette, Infor CloudSuite, Cisco Umbrella, Zscaler Internet Access Administrator, Expiration Reminder, InstaVR Viewer, CorpTax, Verb, OpenLattice, TheOrgWiki, Pavaso Digital Close, GoodPractice Toolkit, Cloud Service PICCO, AuditBoard, iProva, Workable, CallPlease, GTNexus SSO System, CBRE ServiceInsight, Deskradar, Coralogixv, Signagelive, ARES for Enterprise, K2 for Office 365, Xledger, iDiD Manager, HighGear, Visitly, Korn Ferry ALP, Acadia, Adoddle cSaas Platform

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New Azure AD Identity Protection enhancements (Public preview)

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We've added the following enhancements to the Azure AD Identity Protection public preview offering:

  • An updated and more integrated user interface

  • Additional APIs

  • Improved risk assessment through machine learning

  • Product-wide alignment across risky users and risky sign-ins

For more information about the enhancements, see What is Azure Active Directory Identity Protection (refreshed)?, and share your thoughts through the in-product prompts.


New App Lock feature for the Microsoft Authenticator app on iOS and Android devices

Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

To keep your one-time passcodes, app information, and app settings more secure, you can turn on the App Lock feature in the Microsoft Authenticator app. Turning on App Lock means you’ll be asked to authenticate using your PIN or biometric every time you open the Microsoft Authenticator app.

For more information, see the Microsoft Authenticator app FAQ.


Enhanced Azure AD Privileged Identity Management (PIM) export capabilities

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management (PIM) administrators can now export all active and eligible role assignments for a specific resource, which includes role assignments for all child resources. Previously, it was difficult for administrators to get a complete list of role assignments for a subscription and they had to export role assignments for each specific resource.

For more information, see View activity and audit history for Azure resource roles in PIM.


November/December 2018

Users removed from synchronization scope no longer switch to cloud-only accounts

Type: Fixed
Service category: User Management
Product capability: Directory

Important

We've heard and understand your frustration because of this fix. Therefore, we've reverted this change until such time that we can make the fix easier for you to implement in your organization.

We’ve fixed a bug in which the DirSyncEnabled flag of a user would be erroneously switched to False when the Active Directory Domain Services (AD DS) object was excluded from synchronization scope and then moved to the Recycle Bin in Azure AD on the following sync cycle. As a result of this fix, if the user is excluded from sync scope and afterwards restored from Azure AD Recycle Bin, the user account remains as synchronized from on-premises AD, as expected, and cannot be managed in the cloud since its source of authority (SoA) remains as on-premises AD.

Prior to this fix, there was an issue when the DirSyncEnabled flag was switched to False. It gave the wrong impression that these accounts were converted to cloud-only objects and that the accounts could be managed in the cloud. However, the accounts still retained their SoA as on-premises and all synchronized properties (shadow attributes) coming from on-premises AD. This condition caused multiple issues in Azure AD and other cloud workloads (like Exchange Online) that expected to treat these accounts as synchronized from AD but were now behaving like cloud-only accounts.

At this time, the only way to truly convert a synchronized-from-AD account to a cloud-only account is by disabling DirSync at the tenant level, which triggers a backend operation to transfer the SoA. This type of SoA change requires (but is not limited to) cleaning all the on-premises related attributes (such as LastDirSyncTime and shadow attributes) and sending a signal to other cloud workloads to have their respective objects converted to cloud-only accounts too.

This fix consequently prevents direct updates on the ImmutableID attribute of a user synchronized from AD, which were required in some scenarios in the past. By design, the ImmutableID of an object in Azure AD, as the name implies, is meant to be immutable. New features implemented in Azure AD Connect Health and the Azure AD Connect Synchronization client are available to address such scenarios:

  • Large-scale ImmutableID update for many users in a staged approach

    For example, you need to do a lengthy AD DS inter-forest migration. Solution: Use Azure AD Connect to Configure Source Anchor and, as the user migrates, copy the existing ImmutableID values from Azure AD into the local AD DS user’s ms-DS-Consistency-Guid attribute of the new forest. For more information, see Using ms-DS-ConsistencyGuid as sourceAnchor.

  • Large-scale ImmutableID updates for many users in one shot

    For example, while implementing Azure AD Connect you make a mistake, and now you need to change the SourceAnchor attribute. Solution: Disable DirSync at the tenant level and clear all the invalid ImmutableID values. For more information, see Turn off directory synchronization for Office 365.

  • Rematch on-premises user with an existing user in Azure AD

    For example, a user that has been re-created in AD DS generates a duplicate Azure AD account instead of being rematched with the existing Azure AD account (orphaned object). Solution: Use Azure AD Connect Health in the Azure portal to remap the Source Anchor/ImmutableID. For more information, see Orphaned object scenario.

Breaking Change: Updates to the audit and sign-in logs schema through Azure Monitor

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're currently publishing both the Audit and Sign-in log streams through Azure Monitor, so you can seamlessly integrate the log files with your SIEM tools or with Log Analytics. Based on your feedback, and in preparation for this feature's general availability announcement, we're making the following changes to our schema. These schema changes and their related documentation updates will happen by the first week of January.

New fields in the Audit schema

We're adding a new Operation Type field, to provide the type of operation performed on the resource. For example, Add, Update, or Delete.

Changed fields in the Audit schema

The following fields are changing in the Audit schema:

Category
  What changed: This was the Service Name field. It's now the Audit Categories field. Service Name has been renamed to the loggedByService field.
  Old values: Account Provisioning, Core Directory, Self-service Password Reset
  New values: User Management, Group Management, App Management

targetResources
  What changed: Includes TargetResourceType at the top level.
  Old values: none listed
  New values: Policy, App, User, Group

loggedByService
  What changed: Provides the name of the service that generated the audit log.
  Old values: Null
  New values: Account Provisioning, Core Directory, Self-service password reset

Result
  What changed: Provides the result of the audit logs. Previously, this was enumerated, but we now show the actual value.
  Old values: 0, 1
  New values: Success, Failure

Changed fields in the Sign-in schema

The following fields are changing in the Sign-in schema:

appliedConditionalAccessPolicies
  What changed: This was the conditionalaccessPolicies field. It's now the appliedConditionalAccessPolicies field.
  Old values: No change
  New values: No change

conditionalAccessStatus
  What changed: Provides the result of the Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.
  Old values: 0, 1, 2, 3
  New values: Success, Failure, Not Applied, Disabled

appliedConditionalAccessPolicies: result
  What changed: Provides the result of the individual Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.
  Old values: 0, 1, 2, 3
  New values: Success, Failure, Not Applied, Disabled

For more information about the schema, see Interpret the Azure AD audit logs schema in Azure Monitor (preview).
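A SIEM or Log Analytics pipeline that ingested records before and after the cutover will see both schemas side by side, so ingestion code should normalize to the new field names and named values before any detection logic runs on them. The following added example (not code from the original page or from Microsoft) does that for the audit and sign-in changes listed above and then runs one detection, "sign-ins with a Conditional Access failure", across mixed-schema input. The sample records are constructed; the mapping from the old enumerated values to the new named values (0 to Success, 1 to Failure, 2 to Not Applied, 3 to Disabled) is an assumption taken from the order in which the release note lists them.

```python
"""Normalize Azure AD audit and sign-in records exported through Azure Monitor
from the older enumerated schema to the updated named schema (constructed example)."""
import json
from typing import Any, Dict, List

# Assumption: enumerated values map to named values in the order the release note lists them.
AUDIT_RESULT = {0: "Success", 1: "Failure"}
CA_STATUS = {0: "Success", 1: "Failure", 2: "Not Applied", 3: "Disabled"}


def _named(value: Any, table: Dict[int, str]) -> Any:
    """Translate an enumerated value (int or numeric string) to its name; pass names through."""
    if isinstance(value, bool):  # bool is an int subclass; never treat it as an enum
        return value
    if isinstance(value, int):
        return table.get(value, f"Unknown({value})")
    if isinstance(value, str) and value.isdigit():
        return table.get(int(value), f"Unknown({value})")
    return value


def normalize_audit(record: Dict[str, Any]) -> Dict[str, Any]:
    """Rename Service Name to loggedByService and name the result value."""
    out = dict(record)
    if "Service Name" in out:
        out["loggedByService"] = out.pop("Service Name")
    if "result" in out:
        out["result"] = _named(out["result"], AUDIT_RESULT)
    return out


def normalize_signin(record: Dict[str, Any]) -> Dict[str, Any]:
    """Rename conditionalaccessPolicies and name the status values at both levels."""
    out = dict(record)
    if "conditionalaccessPolicies" in out:
        out["appliedConditionalAccessPolicies"] = out.pop("conditionalaccessPolicies")
    if "conditionalAccessStatus" in out:
        out["conditionalAccessStatus"] = _named(out["conditionalAccessStatus"], CA_STATUS)
    if "appliedConditionalAccessPolicies" in out:
        policies = []
        for policy in out["appliedConditionalAccessPolicies"]:
            policy = dict(policy)
            if "result" in policy:
                policy["result"] = _named(policy["result"], CA_STATUS)
            policies.append(policy)
        out["appliedConditionalAccessPolicies"] = policies
    return out


def failed_ca_signins(records: List[Dict[str, Any]]) -> List[str]:
    """Detection: principals whose sign-in hit a Conditional Access failure, whichever schema."""
    return [
        normalize_signin(r)["userPrincipalName"]
        for r in records
        if normalize_signin(r).get("conditionalAccessStatus") == "Failure"
    ]


# Constructed sample: one old-schema line, one new-schema line, one success.
SAMPLE_SIGNIN_LINES = [
    '{"userPrincipalName": "alice@contoso.example", "conditionalAccessStatus": 1,'
    ' "conditionalaccessPolicies": [{"displayName": "Require MFA", "result": 1}]}',
    '{"userPrincipalName": "bob@contoso.example", "conditionalAccessStatus": "Failure",'
    ' "appliedConditionalAccessPolicies": [{"displayName": "Block legacy auth", "result": "Failure"}]}',
    '{"userPrincipalName": "carol@contoso.example", "conditionalAccessStatus": 0,'
    ' "conditionalaccessPolicies": []}',
]
SAMPLE_SIGNINS = [json.loads(line) for line in SAMPLE_SIGNIN_LINES]

if __name__ == "__main__":
    for upn in failed_ca_signins(SAMPLE_SIGNINS):
        print("Conditional Access failure:", upn)
```

Unknown enumerated values are kept visible as Unknown(n) rather than silently dropped, so a schema drift shows up in the data instead of hiding a detection gap.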


Identity Protection improvements to the supervised machine learning model and the risk score engine

Type: Changed feature
Service category: Identity Protection
Product capability: Risk Scores

Improvements to the Identity Protection-related user and sign-in risk assessment engine can help to improve user risk accuracy and coverage. Administrators may notice that user risk level is no longer directly linked to the risk level of specific detections, and that there's an increase in the number and level of risky sign-in events.

Risk detections are now evaluated by the supervised machine learning model, which calculates user risk by using additional features of the user’s sign-ins and a pattern of detections. Based on this model, the administrator might find users with high risk scores, even if detections associated with that user are of low or medium risk.


Administrators can reset their own password using the Microsoft Authenticator app (Public preview)

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

Azure AD administrators can now reset their own password using the Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. To reset their own password, administrators will now be able to use two of the following methods:

  • Microsoft Authenticator app notification

  • Other mobile authenticator app / Hardware token code

  • Email

  • Phone call

  • Text message

For more information about using the Microsoft Authenticator app to reset passwords, see Azure AD self-service password reset - Mobile app and SSPR (Preview).


New Azure AD Cloud Device Administrator role (Public preview)

Type: New feature
Service category: Device Registration and Management
Product capability: Access control

Administrators can assign users to the new Cloud Device Administrator role to perform cloud device administrator tasks. Users assigned the Cloud Device Administrator role can enable, disable, and delete devices in Azure AD, along with being able to read Windows 10 BitLocker keys (if present) in the Azure portal.

For more information about roles and permissions, see Assigning administrator roles in Azure Active Directory.


Manage your devices using the new activity timestamp in Azure AD (Public preview)

Type: New feature
Service category: Device Registration and Management
Product capability: Device Lifecycle Management

We realize that over time you must refresh and retire your organizations' devices in Azure AD, to avoid having stale devices hanging around in your environment. To help with this process, Azure AD now updates your devices with a new activity timestamp, helping you to manage your device lifecycle.

For more information about how to get and use this timestamp, see How To: Manage the stale devices in Azure AD.


Administrators can require users to accept a Terms of use on each device

Type: New feature
Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Require users to consent on every device option to require your users to accept your Terms of use on every device they're using on your tenant.

For more information, see the Per-device Terms of use section of the Azure Active Directory Terms of use feature.


Administrators can configure a Terms of use to expire based on a recurring schedule

Type: New feature
Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Expire consents option to make a Terms of use expire for all of your users based on your specified recurring schedule. The schedule can be annually, bi-annually, quarterly, or monthly. After the Terms of use expires, users must reaccept.

For more information, see the Add Terms of use section of the Azure Active Directory Terms of use feature.


Administrators can configure a Terms of use to expire based on each user’s schedule

Type: New feature
Service category: Terms of Use
Product capability: Governance

Administrators can now specify a duration after which users must reaccept a Terms of use. For example, administrators can specify that users must reaccept a Terms of use every 90 days.

For more information, see the Add Terms of use section of the Azure Active Directory Terms of use feature.


New Azure AD Privileged Identity Management (PIM) emails for Azure Active Directory roles

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Customers using Azure AD Privileged Identity Management (PIM) can now receive a weekly digest email, including the following information for the last seven days:

  • Overview of the top eligible and permanent role assignments

  • Number of users activating roles

  • Number of users assigned to roles in PIM

  • Number of users assigned to roles outside of PIM

  • Number of users "made permanent" in PIM

For more information about PIM and the available email notifications, see Email notifications in PIM.


Group-based licensing is now generally available

Type: Changed feature
Service category: Other
Product capability: Directory

Group-based licensing is out of public preview and is now generally available. As part of this general release, we've made this feature more scalable and have added the ability to reprocess group-based licensing assignments for a single user and the ability to use group-based licensing with Office 365 E3/A3 licenses.

For more information about group-based licensing, see What is group-based licensing in Azure Active Directory?


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2018, we've added these 26 new apps with Federation support to the app gallery:

CoreStack, HubSpot, GetThere, Gra-Pe, eHour, Consent2Go, Appinux, DriveDollar, Useall, Infinite Campus, Alaya, HeyBuddy, Wrike SAML, Drift, Zenegy for Business Central 365, Everbridge Member Portal, IDEO, Ivanti Service Manager (ISM), Peakon, Allbound SSO, Plex Apps - Classic Test, Plex Apps – Classic, Plex Apps - UX Test, Plex Apps – UX, Plex Apps – IAM, CRAFTS - Childcare Records, Attendance, & Financial Tracking System

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


October 2018

Azure AD Logs now work with Azure Log Analytics (Public preview)

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're excited to announce that you can now forward your Azure AD logs to Azure Log Analytics! This top-requested feature helps give you even better access to analytics for your business, operations, and security, as well as a way to help monitor your infrastructure. For more information, see the Azure Active Directory Activity logs in Azure Log Analytics now available blog.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2018, we've added these 14 new apps with Federation support to the app gallery:

My Award Points, Vibe HCM, ambyint, MyWorkDrive, BorrowBox, Dialpad, ON24 Virtual Environment, RingCentral, Zscaler Three, Phraseanet, Appraisd, Workspot Control, Shuccho Navi, Glassfrog

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Azure AD Domain Services Email Notifications

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Azure AD Domain Services provides alerts on the Azure portal about misconfigurations or problems with your managed domain. These alerts include step-by-step guides so you can try to fix the problems without having to contact support.

Starting in October, you'll be able to customize the notification settings for your managed domain so when new alerts occur, an email is sent to a designated group of people, eliminating the need to constantly check the portal for updates.

For more information, see Notification settings in Azure AD Domain Services.


Azure AD portal supports using the ForceDelete domain API to delete custom domains

Type: Changed feature
Service category: Directory Management
Product capability: Directory

We're pleased to announce that you can now use the ForceDelete domain API to delete your custom domain names by asynchronously renaming references, like users, groups, and apps from your custom domain name (contoso.com) back to the initial default domain name (contoso.onmicrosoft.com).

This change helps you to more quickly delete your custom domain names if your organization no longer uses the name, or if you need to use the domain name with another Azure AD tenant.

For more information, see Delete a custom domain name.


September 2018

Updated administrator role permissions for dynamic groups

Type: Fixed
Service category: Group Management
Product capability: Collaboration

We've fixed an issue so specific administrator roles can now create and update dynamic membership rules, without needing to be the owner of the group.

The roles are:

  • Global administrator

  • Intune administrator

  • User administrator

For more information, see Create a dynamic group and check status.


Simplified Single Sign-On (SSO) configuration settings for some third-party apps

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

We realize that setting up Single Sign-On (SSO) for Software as a Service (SaaS) apps can be challenging due to the unique nature of each app's configuration. We've built a simplified configuration experience to auto-populate the SSO configuration settings for the following third-party SaaS apps:

  • Zendesk

  • ArcGis Online

  • Jamf Pro

To start using this one-click experience, go to the Azure portal > SSO configuration page for the app. For more information, see SaaS application integration with Azure Active Directory.


Azure Active Directory - Where is your data located? page

Type: New feature
Service category: Other
Product capability: GoLocal

Select your company's region from the Azure Active Directory - Where is your data located page to view which Azure datacenter houses your Azure AD data at rest for all Azure AD services. You can filter the information by specific Azure AD services for your company's region.

To access this feature and for more information, see Azure Active Directory - Where is your data located.


New deployment plan available for the My Apps Access panel

Type: New feature
Service category: My Apps
Product capability: SSO

Check out the new deployment plan that's available for the My Apps Access panel (https://aka.ms/deploymentplans). The My Apps Access panel provides users with a single place to find and access their apps. This portal also provides users with self-service opportunities, such as requesting access to apps and groups, or managing access to these resources on behalf of others.

For more information, see What is the My Apps portal?


New Troubleshooting and Support tab on the Sign-ins Logs page of the Azure portal

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

The new Troubleshooting and Support tab on the Sign-ins page of the Azure portal is intended to help admins and support engineers troubleshoot issues related to Azure AD sign-ins. This new tab provides the error code, error message, and remediation recommendations (if any) to help solve the problem. If you're unable to resolve the problem, we also give you a new way to create a support ticket using the Copy to clipboard experience, which populates the Request ID and Date (UTC) fields for the log file in your support ticket.

Sign-in logs showing the new tab


Enhanced support for custom extension properties used to create dynamic membership rules

Type: Changed feature
Service category: Group Management
Product capability: Collaboration

With this update, you can now click the Get custom extension properties link from the dynamic user group rule builder, enter your unique app ID, and receive the full list of custom extension properties to use when creating a dynamic membership rule for users. This list can also be refreshed to get any new custom extension properties for that app.

For more information about using custom extension properties for dynamic membership rules, see Extension properties and custom extension properties.


New approved client apps for Azure AD app-based conditional access

Type: Plan for change
Service category: Conditional access
Product capability: Identity security and protection

The following apps are on the list of approved client apps:

  • Microsoft To-Do

  • Microsoft Stream

For more information, see:


New support for Self-Service Password Reset from the Windows 7/8/8.1 Lock screen

Type: New feature
Service category: SSPR
Product capability: User Authentication

After you set up this new feature, your users will see a link to reset their password from the Lock screen of a device running Windows 7, Windows 8, or Windows 8.1. By clicking that link, the user is guided through the same password reset flow as through the web browser.

For more information, see How to enable password reset from Windows 7, 8, and 8.1.


Change notice: Authorization codes will no longer be available for reuse

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

Starting on November 15, 2018, Azure AD will stop accepting previously used authorization codes for apps. This security change helps to bring Azure AD in line with the OAuth specification and will be enforced on both the v1 and v2 endpoints.

If your app reuses authorization codes to get tokens for multiple resources, we recommend that you use the code to get a refresh token, and then use that refresh token to acquire additional tokens for other resources. Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple resources. An app that attempts to reuse an authorization code during the OAuth code flow will get an invalid_grant error.

For this and other protocol-related changes, see the full list of what's new for authentication.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2018, we added these 16 new apps with Federation support to the app gallery:

Uberflip, Comeet Recruiting Software, Workteam, ArcGIS Enterprise, Nuclino, JDA Cloud, Snowflake, NavigoCloud, Figma, join.me, ZephyrSSO, Silverback, Riverbed Xirrus EasyPass, Rackspace SSO, Enlyft SSO for Azure, SurveyMonkey, Convene, dmarcian

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Support for additional claims transformations methods

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

We've introduced new claim transformation methods, ToLower() and ToUpper(), which can be applied to SAML tokens from the SAML-based Single Sign-On Configuration page.

For more information, see How to customize claims issued in the SAML token for enterprise applications in Azure AD.


Updated SAML-based app configuration UI (preview)

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

As part of our updated SAML-based app configuration UI, you'll get:

  • An updated walkthrough experience for configuring your SAML-based apps.

  • More visibility about what's missing or incorrect in your configuration.

  • The ability to add multiple email addresses for expiration certificate notification.

  • New claim transformation methods, ToLower() and ToUpper(), and more.

  • A way to upload your own token signing certificate for your enterprise apps.

  • A way to set the NameID Format for SAML apps, and a way to set the NameID value as Directory Extensions.

To turn on this updated view, click the Try out our new experience link from the top of the Single Sign-On page. For more information, see Tutorial: Configure SAML-based single sign-on for an application with Azure Active Directory.


August 2018

Changes to Azure Active Directory IP address ranges

Type: Plan for change
Service category: Other
Product capability: Platform

We're introducing larger IP ranges to Azure AD, which means if you've configured Azure AD IP address ranges for your firewalls, routers, or Network Security Groups, you'll need to update them. We're making this update so you won't have to change your firewall, router, or Network Security Groups IP range configurations again when Azure AD adds new endpoints.

Network traffic is moving to these new ranges over the next two months. To continue with uninterrupted service, you must add these ranges to your IP address allow lists before September 10, 2018:

  • 20.190.128.0/18

  • 40.126.0.0/18

We strongly recommend not removing the old IP Address ranges until all of your network traffic has moved to the new ranges. For updates about the move and to learn when you can remove the old ranges, see Office 365 URLs and IP address ranges.
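A check an administrator can run before the cutover, added here as an example and not part of the original notice: given the CIDRs currently allowed in a firewall, router, or Network Security Group, report which of the two new Azure AD ranges is not fully covered. The allow list below is constructed; the two required ranges are the ones named above.

```python
import ipaddress

# The two new Azure AD ranges named in this notice.
NEW_AZURE_AD_RANGES = ("20.190.128.0/18", "40.126.0.0/18")


def uncovered_ranges(allowlist, required=NEW_AZURE_AD_RANGES):
    """Return the required CIDRs that no single allow-list entry fully contains.

    A broader supernet (for example 20.190.0.0/16) counts as coverage; a
    narrower subnet (for example 20.190.128.0/19) does not, because traffic
    from the rest of the /18 would still be blocked.
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowlist]
    missing = []
    for cidr in required:
        net = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare same-version entries only.
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            missing.append(str(net))
    return missing


def entries_inside_new_ranges(allowlist, required=NEW_AZURE_AD_RANGES):
    """Return allow-list entries that already sit inside one of the new ranges.

    Useful for spotting partial coverage that should be widened to the full /18.
    """
    new_nets = [ipaddress.ip_network(c, strict=False) for c in required]
    hits = []
    for cidr in allowlist:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.subnet_of(n) for n in new_nets if n.version == net.version):
            hits.append(str(net))
    return hits


if __name__ == "__main__":
    # Constructed allow list: one new range present, the other only partially.
    current_rules = ["13.107.6.0/24", "40.126.0.0/18", "20.190.128.0/19"]
    print("Not fully covered:", uncovered_ranges(current_rules))
    print("Partial entries to widen:", entries_inside_new_ranges(current_rules))
```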


Change notice: Authorization codes will no longer be available for reuse

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

Starting on November 15, 2018, Azure AD will stop accepting previously used authorization codes for apps. This security change helps to bring Azure AD in line with the OAuth specification and will be enforced on both the v1 and v2 endpoints.

If your app reuses authorization codes to get tokens for multiple resources, we recommend that you use the code to get a refresh token, and then use that refresh token to acquire additional tokens for other resources. Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple resources. An app that attempts to reuse an authorization code during the OAuth code flow will get an invalid_grant error.

For this and other protocol-related changes, see the full list of what's new for authentication.
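The single-use rule described in this change notice (and in the identical September notice above), shown as an added example rather than Azure AD's own code: a constructed stand-in token endpoint consumes each authorization code on first redemption and answers invalid_grant on reuse, and the two client functions contrast the pattern that breaks (one code redeemed per resource) with the recommended one (redeem once, then use the refresh token for every other resource). The `resource` parameter and the resource names are simplified placeholders.

```python
import secrets


class TokenEndpoint:
    """Constructed model of a token endpoint enforcing single-use codes.

    This is not Azure AD's implementation; it models only the behaviour the
    notice describes: a code redeems once, refresh tokens redeem repeatedly.
    """

    def __init__(self):
        self._codes = {}            # code -> "unused" or "consumed"
        self._refresh_tokens = set()

    def issue_code(self):
        code = secrets.token_urlsafe(16)
        self._codes[code] = "unused"
        return code

    def redeem(self, grant_type, **params):
        if grant_type == "authorization_code":
            code = params["code"]
            if self._codes.get(code) != "unused":
                return {"error": "invalid_grant"}   # unknown or already used
            self._codes[code] = "consumed"
            refresh = secrets.token_urlsafe(16)
            self._refresh_tokens.add(refresh)
            return {"access_token": f"at-{params['resource']}", "refresh_token": refresh}
        if grant_type == "refresh_token":
            if params["refresh_token"] not in self._refresh_tokens:
                return {"error": "invalid_grant"}
            return {"access_token": f"at-{params['resource']}",
                    "refresh_token": params["refresh_token"]}
        return {"error": "unsupported_grant_type"}


def reuse_code_for_resources(endpoint, code, resources):
    """The pattern this notice breaks: redeem the same code once per resource."""
    return {res: endpoint.redeem("authorization_code", code=code, resource=res)
            for res in resources}


def get_tokens_for_resources(endpoint, code, resources):
    """Recommended pattern: redeem the code once, then refresh for the rest."""
    first = endpoint.redeem("authorization_code", code=code, resource=resources[0])
    if "error" in first:
        raise RuntimeError(first["error"])
    tokens = {resources[0]: first["access_token"]}
    for res in resources[1:]:
        reply = endpoint.redeem("refresh_token",
                                refresh_token=first["refresh_token"], resource=res)
        tokens[res] = reply["access_token"]
    return tokens
```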


Converged security info management for self-service password (SSPR) and Multi-Factor Authentication (MFA)

Type: New feature
Service category: SSPR
Product capability: User Authentication

This new feature helps people manage their security info (such as phone number, mobile app, and so on) for SSPR and MFA in a single location and experience; previously this was done in two different locations.

This converged experience also works for people using either SSPR or MFA. Additionally, if your organization doesn't enforce MFA or SSPR registration, people can still register any MFA or SSPR security info methods allowed by your organization from the My Apps portal.

This is an opt-in public preview. Administrators can turn on the new experience (if desired) for a selected group or for all users in a tenant. For more information about the converged experience, see the Converged experience blog.


New HTTP-Only cookies setting in Azure AD Application proxy apps

Type: New feature
Service category: App Proxy
Product capability: Access Control

There's a new setting called HTTP-Only Cookies in your Application Proxy apps. This setting helps provide extra security by including the HttpOnly flag in the Set-Cookie response headers for both Application Proxy access and session cookies, stopping access to the cookie from client-side script and so preventing actions like copying or modifying the cookie. Although this flag hasn't been used previously, your cookies have always been encrypted and transmitted over an SSL connection to help protect against improper modification.

This setting isn't compatible with apps using ActiveX controls, such as Remote Desktop. If you're in this situation, we recommend that you turn off this setting.

For more information about the HTTP-Only Cookies setting, see Publish applications using Azure AD Application Proxy.
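One way to confirm the setting took effect after you enable it, added here as an example and not code from Application Proxy: collect the Set-Cookie headers from a response and report any cookie that lacks the HttpOnly (or Secure) attribute. The parser is deliberately hand-written so that unrecognised attributes such as SameSite are never mistaken for a second cookie; the cookie names in the sample headers are constructed.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; valueless flags such as HttpOnly and
    Secure map to True, valued attributes such as Path map to their string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookies_missing_flags(set_cookie_headers, required=("httponly", "secure")):
    """Return {cookie_name: [missing flags]} for every cookie lacking a required flag.

    Cookies that carry every required flag are omitted, so an empty result
    means the response is clean.
    """
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    # Constructed sample: what a proxied response might carry before and after
    # the HTTP-Only Cookies setting is enabled. Names are placeholders.
    sample_headers = [
        "ProxyAccessCookie=abc123; Path=/; Secure; HttpOnly; SameSite=None",
        "ProxySessionCookie=def456; Path=/; Secure",
        "AppTrackingCookie=1; Path=/",
    ]
    for cookie, missing in cookies_missing_flags(sample_headers).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```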


Privileged Identity Management (PIM) for Azure resources supports Management Group resource types

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Just-In-Time activation and assignment settings can now be applied to Management Group resource types, just like you already do for Subscriptions, Resource Groups, and Resources (such as VMs, App Services, and more). In addition, anyone with a role that provides administrator access for a Management Group can discover and manage that resource in PIM.

For more information about PIM and Azure resources, see Discover and manage Azure resources by using Privileged Identity Management.


Application access (preview) provides faster access to the Azure AD portal

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Today, when activating a role using PIM, it can take over 10 minutes for the permissions to take effect. If you choose to use Application access, which is currently in public preview, administrators can access the Azure AD portal as soon as the activation request completes.

Currently, Application access only supports the Azure AD portal experience and Azure resources. For more information about PIM and Application access, see What is Azure AD Privileged Identity Management?


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2018, we added these 16 new apps with Federation support to the app gallery:

Hornbill, Bridgeline Unbound, Sauce Labs - Mobile and Web Testing, Meta Networks Connector, Way We Do, Spotinst, ProMaster (by Inlogik), SchoolBooking, 4me, Dossier, N2F - Expense reports, Comm100 Live Chat, SafeConnect, ZenQMS, eLuminate, Dovetale.

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Native Tableau support is now available in Azure AD Application Proxy

Type: Changed feature
Service category: App Proxy
Product capability: Access Control

With our update from the OpenID Connect to the OAuth 2.0 Code Grant protocol for our pre-authentication protocol, you no longer have to do any additional configuration to use Tableau with Application Proxy. This protocol change also helps Application Proxy better support more modern apps by using only HTTP redirects, which are commonly supported in JavaScript and HTML tags.

For more information about our native support for Tableau, see Azure AD Application Proxy now with native Tableau support.


New support to add Google as an identity provider for B2B guest users in Azure Active Directory (preview)

Type: New feature
Service category: B2B
Product capability: B2B/B2C

By setting up federation with Google in your organization, you can let invited Gmail users sign in to your shared apps and resources using their existing Google account, without having to create a personal Microsoft Account (MSA) or an Azure AD account.

This is an opt-in public preview. For more information about Google federation, see Add Google as an identity provider for B2B guest users.