What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL: https://docs.microsoft.com/api/search/rss?search=%22release+notes+for+azure+AD%22&locale=en-us into your RSS feed reader.

Azure AD receives improvements on an ongoing basis. To stay up-to-date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items that are older than six months, you can find them in the Archive for What's new in Azure Active Directory.


April 2019

Azure Active Directory (Azure AD) entitlement management is now available (Public preview)

Type: New feature
Service category: Identity Governance
Product capability: Identity Governance

Azure AD entitlement management, now in public preview, helps customers to delegate management of access packages, which define how employees and business partners can request access, who must approve, and how long they have access. Access packages can manage membership in Azure AD and Office 365 groups, role assignments in enterprise applications, and role assignments for SharePoint Online sites. Read more about entitlement management at the overview of Azure AD entitlement management. To learn more about the breadth of Azure AD Identity Governance features, including Privileged Identity Management, access reviews and Terms of use, see What is Azure AD Identity Governance?.


Configure a naming policy for Office 365 groups in Azure AD portal (Public preview)

Type: New feature
Service category: Group Management
Product capability: Collaboration

Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.

You can configure naming policy for Office 365 groups in two different ways:

  • Define prefixes or suffixes, which are automatically added to a group name.

  • Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, “CEO, Payroll, HR”).

For more information, see Enforce a Naming Policy for Office 365 groups.


Azure AD Activity logs are now available in Azure Monitor (General availability)

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

To help address your feedback about visualizations with the Azure AD Activity logs, we're introducing a new Insights feature in Log Analytics. This feature helps you gain insights about your Azure AD resources by using our interactive templates, called Workbooks. These pre-built Workbooks can provide details for apps or users, and include:

  • Sign-ins. Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins.

  • Legacy authentication and conditional access. Provides details for apps and users using legacy authentication, including Multi-Factor Authentication usage triggered by conditional access policies, apps using conditional access policies, and so on.

  • Sign-in failure analysis. Helps you to determine if your sign-in errors are occurring due to a user action, policy issues, or your infrastructure.

  • Custom reports. You can create new, or edit existing Workbooks to help customize the Insights feature for your organization.

For more information, see How to use Azure Monitor workbooks for Azure Active Directory reports.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2019, we've added these 21 new apps with Federation support to the app gallery:

SAP Fiori, HRworks Single Sign-On, Percolate, MobiControl, Citrix NetScaler, Shibumi, Benchling, MileIQ, PageDNA, EduBrite LMS, RStudio Connect, AMMS, Mitel Connect, Alibaba Cloud (Role-based SSO), Certent Equity Management, Sectigo Certificate Manager, GreenOrbit, Workgrid, monday.com, SurveyMonkey Enterprise, Indiggo

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New access reviews frequency option and multiple role selection

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

New updates in Azure AD access reviews allow you to:

  • Change the frequency of your access reviews to semi-annually, in addition to the previously existing options of weekly, monthly, quarterly, and annually.

  • Select multiple Azure AD and Azure resource roles when creating a single access review. In this situation, all roles are set up with the same settings and all reviewers are notified at the same time.

For more information about how to create an access review, see Create an access review of groups or applications in Azure AD access reviews.


Azure AD Connect email alert system(s) are transitioning, sending new email sender information for some customers

Type: Changed feature
Service category: AD Sync
Product capability: Platform

Azure AD Connect is in the process of transitioning our email alert system(s), potentially showing some customers a new email sender. To address this, you must add azure-noreply@microsoft.com to your organization's whitelist or you won't be able to continue receiving important alerts from your Office 365, Azure, or your Sync services.


UPN suffix changes are now successful between Federated domains in Azure AD Connect

Type: Fixed
Service category: AD Sync
Product capability: Platform

You can now successfully change a user's UPN suffix from one Federated domain to another Federated domain in Azure AD Connect. This fix means you should no longer experience the FederatedDomainChangeError error message during the synchronization cycle or receive a notification email stating, "Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services".

For more information, see Troubleshooting Errors during synchronization.


Increased security using the app protection-based conditional access policy in Azure AD (Public preview)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

App protection-based conditional access is now available by using the Require app protection policy. This new policy helps to increase your organization's security by helping to prevent:

  • Users gaining access to apps without a Microsoft Intune license.

  • Users being unable to get a Microsoft Intune app protection policy.

  • Users gaining access to apps without a configured Microsoft Intune app protection policy.

For more information, see How to Require app protection policy for cloud app access with conditional access.


New support for Azure AD single sign-on and conditional access in Microsoft Edge (Public preview)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

We've enhanced our Azure AD support for Microsoft Edge, including providing new support for Azure AD single sign-on and conditional access. If you've previously used Microsoft Intune Managed Browser, you can now use Microsoft Edge instead.

For more information about setting up and managing your devices and apps using conditional access, see Require managed devices for cloud app access with conditional access and Require approved client apps for cloud app access with conditional access. For more information about how to manage access using Microsoft Edge with Microsoft Intune policies, see Manage Internet access using a Microsoft Intune policy-protected browser.


March 2019

Identity Experience Framework and custom policy support in Azure Active Directory B2C is now available (GA)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now create custom policies in Azure AD B2C, including the following tasks, which are supported at-scale and under our Azure SLA:

  • Create and upload custom authentication user journeys by using custom policies.

  • Describe user journeys step-by-step as exchanges between claims providers.

  • Define conditional branching in user journeys.

  • Transform and map claims for use in real-time decisions and communications.

  • Use REST API-enabled services in your custom authentication user journeys. For example, with email providers, CRMs, and proprietary authorization systems.

  • Federate with identity providers who are compliant with the OpenIDConnect protocol. For example, with multi-tenant Azure AD, social account providers, or two-factor verification providers.

For more information about creating custom policies, see Developer notes for custom policies in Azure Active Directory B2C and read Alex Simon’s blog post, including case studies.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2019, we've added these 14 new apps with Federation support to the app gallery:

ISEC7 Mobile Exchange Delegate, MediusFlow, ePlatform, Fulcrum, ExcelityGlobal, Explanation-Based Auditing System, Lean, Powerschool Performance Matters, Cinode, Iris Intranet, Empactis, SmartDraw, Confirmit Horizons, TAS

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

Automate creating, updating, and deleting user accounts for the following apps:

Zscaler, Zscaler Beta, Zscaler One, Zscaler Two, Zscaler Three, Zscaler ZSCloud, Atlassian Cloud

For more information about how to better secure your organization through automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Restore and manage your deleted Office 365 groups in the Azure AD portal

Type: New feature
Service category: Group Management
Product capability: Collaboration

You can now view and manage your deleted Office 365 groups from the Azure AD portal. This change helps you to see which groups are available to restore, along with letting you permanently delete any groups that aren’t needed by your organization.

For more information, see Restore expired or deleted groups.


Single sign-on is now available for Azure AD SAML-secured on-premises apps through Application Proxy (public preview)

Type: New feature
Service category: App Proxy
Product capability: Access Control

You can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through Application Proxy. For more information about how to set up SAML SSO with your on-premises apps, see SAML single sign-on for on-premises applications with Application Proxy (Preview).


Client apps in request loops will be interrupted to improve reliability and user experience

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Client apps can incorrectly issue hundreds of the same login requests over a short period of time. These requests, whether they're successful or not, all contribute to a poor user experience and heightened workloads for the IDP, increasing latency for all users and reducing the availability of the IDP.

This update sends an invalid_grant error (AADSTS50196: "The server terminated an operation because it encountered a loop while processing a request") to client apps that issue duplicate requests multiple times over a short period of time, beyond the scope of normal operation. Client apps that encounter this error should show an interactive prompt, requiring the user to sign in again. For more information about this change and about how to fix your app if it encounters this error, see What's new for authentication?.
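The following is an added example, not code from the page or from Microsoft's libraries, showing how a client app can honour this change: detect the AADSTS50196 interruption in a token response and switch to an interactive prompt, and, before the IdP ever has to step in, refuse to re-issue the same silent request more than a few times per minute. The token responses are constructed to match the documented OAuth error shape (error, error_description, error_codes); the helper names and the limit/window values are this example's own choices.

```python
"""Added example (not from the page): client-side handling of the AADSTS50196
loop interruption plus a local guard against issuing the same silent token
request in a tight loop. Helper names are ours, not MSAL's."""

import time
from collections import deque
from typing import Any, Callable, Deque, Dict

LOOP_ERROR_CODE = 50196

# Constructed sample token responses (shape follows the OAuth error response
# returned by the token endpoint; the access token value is a placeholder).
LOOP_RESPONSE: Dict[str, Any] = {
    "error": "invalid_grant",
    "error_description": "AADSTS50196: The server terminated an operation because "
                         "it encountered a loop while processing a request.",
    "error_codes": [LOOP_ERROR_CODE],
}
OK_RESPONSE: Dict[str, Any] = {"access_token": "<placeholder>", "token_type": "Bearer", "expires_in": 3599}


def is_loop_interruption(token_response: Dict[str, Any]) -> bool:
    """True when the IdP rejected the request because it detected a request loop."""
    if token_response.get("error") != "invalid_grant":
        return False
    codes = token_response.get("error_codes") or []
    description = token_response.get("error_description", "")
    return LOOP_ERROR_CODE in codes or description.startswith(f"AADSTS{LOOP_ERROR_CODE}")


class SilentRequestGuard:
    """Allows at most `limit` silent attempts per request key within `window_seconds`.

    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit: int = 5, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self._attempts: Dict[str, Deque[float]] = {}

    def allow(self, request_key: str) -> bool:
        now = self.clock()
        attempts = self._attempts.setdefault(request_key, deque())
        while attempts and now - attempts[0] > self.window:   # drop attempts outside the window
            attempts.popleft()
        if len(attempts) >= self.limit:
            return False
        attempts.append(now)
        return True


def next_action(guard: SilentRequestGuard, request_key: str,
                send_silent: Callable[[], Dict[str, Any]]) -> str:
    """Run one silent attempt under the guard and say what the app should do next:
    'ok', 'interactive' (prompt the user to sign in again) or 'retry_later'."""
    if not guard.allow(request_key):
        return "interactive"          # local loop breaker: stop hammering the IdP
    response = send_silent()
    if "access_token" in response:
        return "ok"
    if is_loop_interruption(response):
        return "interactive"          # the IdP has already detected the loop
    if response.get("error") in ("interaction_required", "invalid_grant"):
        return "interactive"          # e.g. expired refresh token
    return "retry_later"              # transient error; back off rather than loop


if __name__ == "__main__":
    guard = SilentRequestGuard(limit=3)
    print(next_action(guard, "user1|scopeA", lambda: LOOP_RESPONSE))   # interactive
```

The request key should identify the account and scope being requested, so that a loop on one resource does not suppress unrelated silent requests.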


New Audit Logs user experience now available

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We've created a new Azure AD Audit logs page to help improve both readability and how you search for your information. To see the new Audit logs page, select Audit logs in the Activity section of Azure AD.

(Screenshot: New Audit logs page, with sample info)

For more information about the new Audit logs page, see Audit activity reports in the Azure Active Directory portal.


New warnings and guidance to help prevent accidental administrator lockout from misconfigured Conditional Access policies

Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

To help prevent administrators from accidentally locking themselves out of their own tenants through misconfigured Conditional Access policies, we've created new warnings and updated guidance in the Azure portal. For more information about the new guidance, see What are service dependencies in Azure Active Directory conditional access.


Improved end-user Terms of use experiences on mobile devices

Type: Changed feature
Service category: Terms of Use
Product capability: Governance

We've updated our existing Terms of use experiences to help improve how you review and consent to Terms of use on a mobile device. You can now zoom in and out, go back, download the information, and select hyperlinks. For more information about the updated Terms of use, see Azure Active Directory Terms of use feature.


New Azure AD Activity logs download experience available

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

You can now download large amounts of activity logs directly from the Azure portal. This update lets you:

  • Download up to 250,000 rows.

  • Get notified after the download completes.

  • Customize your file name.

  • Determine your output format, either JSON or CSV.

For more details about this feature, see Quickstart: Download an audit report using the Azure portal.


Breaking change: Updates to condition evaluation by Exchange ActiveSync (EAS)

Type: Plan for change
Service category: Conditional Access
Product capability: Access Control

We’re in the process of updating how Exchange ActiveSync (EAS) evaluates the following conditions:

  • User location, based on country, region, or IP address

  • Sign-in risk

  • Device platform

If you’ve previously used these conditions in your Conditional Access policies, be aware that the condition behavior might change. For example, if you previously used the user location condition in a policy, you might find the policy now being skipped based on the location of your user.


February 2019

Configurable Azure AD SAML token encryption (Public preview)

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

You can now configure any supported SAML app to receive encrypted SAML tokens. When configured and used with an app, Azure AD encrypts the emitted SAML assertions using a public key obtained from a certificate stored in Azure AD.

For more information about configuring your SAML token encryption, see Configure Azure AD SAML token encryption.


Create an access review for groups or apps using Azure AD Access Reviews

Type: New feature
Service category: Access Reviews
Product capability: Governance

You can now include multiple groups or apps in a single Azure AD access review for group membership or app assignment. Access reviews with multiple groups or apps are set up using the same settings and all included reviewers are notified at the same time.

For more information about how to create an access review using Azure AD Access Reviews, see Create an access review of groups or applications in Azure AD Access Reviews.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2019, we've added these 27 new apps with Federation support to the app gallery:

Euromonitor Passport, MindTickle, FAT FINGER, AirStack, Oracle Fusion ERP, IDrive, Skyward Qmlativ, Brightidea, AlertOps, Soloinsight-CloudGate SSO, Permission Click, Brandfolder, StoregateSmartFile, Pexip, Stormboard, Seismic, Share A Dream, Bugsnag, webMethods Integration Cloud, Knowledge Anywhere LMS, OU Campus, Periscope Data, Netop Portal, smartvid.io, PureCloud by Genesys, ClickUp Productivity Platform

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Enhanced combined MFA/SSPR registration

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

In response to customer feedback, we’ve enhanced the combined MFA/SSPR registration preview experience, helping your users to more quickly register their security info for both MFA and SSPR.

To turn on the enhanced experience for your users today, follow these steps:

  1. As a global administrator or user administrator, sign in to the Azure portal and go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  2. In the Users who can use the preview features for registering and managing security info – refresh option, choose to turn on the features for a Selected group of users or for All users.

Over the next few weeks, we’ll be removing the ability to turn on the old combined MFA/SSPR registration preview experience for tenants that don’t already have it turned on.

To see if the control will be removed for your tenant, follow these steps:

  1. As a global administrator or user administrator, sign in to the Azure portal and go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  2. If the Users who can use the preview features for registering and managing security info option is set to None, the option will be removed from your tenant.

Regardless of whether you previously turned on the old combined MFA/SSPR registration preview experience for users or not, the old experience will be turned off at a future date. Because of that, we strongly suggest that you move to the new, enhanced experience as soon as possible.

For more information about the enhanced registration experience, see the Cool enhancements to the Azure AD combined MFA and password reset registration experience.


Updated policy management experience for user flows

Type: Changed feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

We've made the policy creation and management process for user flows (previously known as built-in policies) easier. This new experience is now the default for all of your Azure AD tenants.

You can provide additional feedback and suggestions by using the smile or frown icons in the Send us feedback area at the top of the portal screen.

For more information about the new policy management experience, see the Azure AD B2C now has JavaScript customization and many more new features blog.


Choose specific page element versions provided by Azure AD B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now choose a specific version of the page elements provided by Azure AD B2C. By selecting a specific version, you can test your updates before they appear on a page and you can get predictable behavior. Additionally, you can now opt in to enforce specific page versions to allow JavaScript customizations. To turn on this feature, go to the Properties page in your user flows.

For more information about choosing specific versions of page elements, see the Azure AD B2C now has JavaScript customization and many more new features blog.


Configurable end-user password requirements for B2C (GA)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now set up your organization's password complexity for your end users, instead of having to use your native Azure AD password policy. From the Properties blade of your user flows (previously known as your built-in policies), you can choose a password complexity of Simple or Strong, or you can create a Custom set of requirements.

For more information about password complexity requirement configuration, see Configure complexity requirements for passwords in Azure Active Directory B2C.


New default templates for custom branded authentication experiences

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can use our new default templates, located on the Page layouts blade of your user flows (previously known as built-in policies), to create a custom branded authentication experience for your users.

For more information about using the templates, see Azure AD B2C now has JavaScript customization and many more new features.


January 2019

Active Directory B2B collaboration using one-time passcode authentication (Public preview)

Type: New feature
Service category: B2B
Product capability: B2B/B2C

We've introduced one-time passcode authentication (OTP) for B2B guest users who can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. This new authentication method means that guest users don't have to create a new Microsoft account. Instead, while redeeming an invitation or accessing a shared resource, a guest user can request a temporary code to be sent to an email address. Using this temporary code, the guest user can continue to sign in.

For more information, see Email one-time passcode authentication (preview) and the blog, Azure AD makes sharing and collaboration seamless for any user with any account.

Type: New feature
Service category: App Proxy
Product capability: Access Control

We've introduced three new cookie settings, available for your apps that are published through Application Proxy:

  • Use HTTP-Only cookie. Sets the HTTPOnly flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, such as helping to prevent copying or modifying of cookies through client-side scripting. We recommend you turn on this flag (choose Yes) for the added benefits.

  • Use secure cookie. Sets the Secure flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, by making sure cookies are only transmitted over TLS secure channels, such as HTTPS. We recommend you turn on this flag (choose Yes) for the added benefits.

  • Use persistent cookie. Prevents access cookies from expiring when the web browser is closed. These cookies last for the lifetime of the access token. However, the cookies are reset if the expiration time is reached or if the user manually deletes the cookie. We recommend you keep the default setting No, only turning on the setting for older apps that don't share cookies between processes.

For more information about the new cookies, see Cookie settings for accessing on-premises applications in Azure Active Directory.
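The following is an added example, not code from the page or from Application Proxy itself, that checks whether the HttpOnly and Secure flags described above are actually present on the Set-Cookie headers an App Proxy-published app returns, and flags cookies that will persist past browser close. The header lines are constructed samples and the cookie names are placeholders, not the real Application Proxy cookie names.

```python
"""Added example (not from the page): audit Set-Cookie headers for the HttpOnly,
Secure and persistence properties the cookie settings above control.
Sample headers are constructed; cookie names are placeholders."""

from dataclasses import dataclass, field
from typing import Dict, List

# Constructed samples: "before" with the settings at their defaults,
# "after" once "Use HTTP-Only cookie" and "Use secure cookie" are set to Yes.
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "before": [
        "Set-Cookie: AccessCookiePlaceholder=abc123; Path=/; Domain=app.contoso.example",
        "Set-Cookie: SessionCookiePlaceholder=def456; Path=/; Max-Age=3600",
    ],
    "after": [
        "Set-Cookie: AccessCookiePlaceholder=abc123; Path=/; Domain=app.contoso.example; Secure; HttpOnly",
        "Set-Cookie: SessionCookiePlaceholder=def456; Path=/; Secure; HttpOnly",
    ],
}


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    persistent: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_line: str) -> CookieAudit:
    """Parse one Set-Cookie line (with or without the 'Set-Cookie:' prefix) and
    record which of the three properties are missing or risky."""
    value = header_line
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:                     # attribute names are case-insensitive
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    audit = CookieAudit(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        persistent=("expires" in attrs) or ("max-age" in attrs),   # survives browser close
    )
    if not audit.http_only:
        audit.findings.append("missing HttpOnly: readable by client-side script")
    if not audit.secure:
        audit.findings.append("missing Secure: may be sent over plain HTTP")
    if audit.persistent:
        audit.findings.append("persistent: survives browser close; keep 'Use persistent cookie' at No unless the app needs it")
    return audit


def audit_response(header_lines: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: findings}; an empty list means the cookie is clean."""
    return {a.name: a.findings for a in map(parse_set_cookie, header_lines)}


if __name__ == "__main__":
    for label, lines in SAMPLE_RESPONSES.items():
        print(label, audit_response(lines))
```

Run it against the response headers captured from the App Proxy external URL after changing the settings; the "after" sample is what a clean result looks like.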


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2019, we've added these 35 new apps with Federation support to the app gallery:

Firstbird, Folloze, Talent Palette, Infor CloudSuite, Cisco Umbrella, Zscaler Internet Access Administrator, Expiration Reminder, InstaVR Viewer, CorpTax, Verb, OpenLattice, TheOrgWiki, Pavaso Digital Close, GoodPractice Toolkit, Cloud Service PICCO, AuditBoard, iProva, Workable, CallPlease, GTNexus SSO System, CBRE ServiceInsight, Deskradar, Coralogixv, Signagelive, ARES for Enterprise, K2 for Office 365, Xledger, iDiD Manager, HighGear, Visitly, Korn Ferry ALP, Acadia, Adoddle cSaas Platform

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New Azure AD Identity Protection enhancements (Public preview)

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We're excited to announce that we've added the following enhancements to the Azure AD Identity Protection public preview offering:

  • An updated and more integrated user interface

  • Additional APIs

  • Improved risk assessment through machine learning

  • Product-wide alignment across risky users and risky sign-ins

For more information about the enhancements, see What is Azure Active Directory Identity Protection (refreshed)? to learn more and to share your thoughts through the in-product prompts.


New App Lock feature for the Microsoft Authenticator app on iOS and Android devices

Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

To keep your one-time passcodes, app information, and app settings more secure, you can turn on the App Lock feature in the Microsoft Authenticator app. Turning on App Lock means you’ll be asked to authenticate using your PIN or biometric every time you open the Microsoft Authenticator app.

For more information, see the Microsoft Authenticator app FAQ.


Enhanced Azure AD Privileged Identity Management (PIM) export capabilities

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management (PIM) administrators can now export all active and eligible role assignments for a specific resource, which includes role assignments for all child resources. Previously, it was difficult for administrators to get a complete list of role assignments for a subscription and they had to export role assignments for each specific resource.

For more information, see View activity and audit history for Azure resource roles in PIM.


November/December 2018

Users removed from synchronization scope no longer switch to cloud-only accounts

Type: Fixed
Service category: User Management
Product capability: Directory

Important

We've heard and understand your frustration because of this fix. Therefore, we've reverted this change until such time that we can make the fix easier for you to implement in your organization.

We’ve fixed a bug in which the DirSyncEnabled flag of a user would be erroneously switched to False when the Active Directory Domain Services (AD DS) object was excluded from synchronization scope and then moved to the Recycle Bin in Azure AD on the following sync cycle. As a result of this fix, if the user is excluded from sync scope and afterwards restored from Azure AD Recycle Bin, the user account remains as synchronized from on-premises AD, as expected, and cannot be managed in the cloud since its source of authority (SoA) remains as on-premises AD.

Prior to this fix, there was an issue when the DirSyncEnabled flag was switched to False. It gave the wrong impression that these accounts were converted to cloud-only objects and that the accounts could be managed in the cloud. However, the accounts still retained their SoA as on-premises and all synchronized properties (shadow attributes) coming from on-premises AD. This condition caused multiple issues in Azure AD and other cloud workloads (like Exchange Online) that expected to treat these accounts as synchronized from AD but were now behaving like cloud-only accounts.

At this time, the only way to truly convert a synchronized-from-AD account to a cloud-only account is by disabling DirSync at the tenant level, which triggers a backend operation to transfer the SoA. This type of SoA change requires (but is not limited to) cleaning all the on-premises related attributes (such as LastDirSyncTime and shadow attributes) and sending a signal to other cloud workloads to have their respective objects converted to cloud-only accounts too.

This fix consequently prevents direct updates on the ImmutableID attribute of a user synchronized from AD, which in some scenarios in the past were required. By design, the ImmutableID of an object in Azure AD, as the name implies, is meant to be immutable. New features implemented in Azure AD Connect Health and Azure AD Connect Synchronization client are available to address such scenarios:

  • Large-scale ImmutableID update for many users in a staged approach

    For example, you need to do a lengthy AD DS inter-forest migration. Solution: Use Azure AD Connect to Configure Source Anchor and, as the user migrates, copy the existing ImmutableID values from Azure AD into the local AD DS user’s ms-DS-Consistency-Guid attribute of the new forest. For more information, see Using ms-DS-ConsistencyGuid as sourceAnchor.

  • Large-scale ImmutableID updates for many users in one shot

    For example, while implementing Azure AD Connect you make a mistake, and now you need to change the SourceAnchor attribute. Solution: Disable DirSync at the tenant level and clear all the invalid ImmutableID values. For more information, see Turn off directory synchronization for Office 365.

  • Rematch on-premises user with an existing user in Azure AD

    For example, a user that has been re-created in AD DS generates a duplicate account in Azure AD instead of rematching it with an existing Azure AD account (orphaned object). Solution: Use Azure AD Connect Health in the Azure portal to remap the Source Anchor/ImmutableID. For more information, see Orphaned object scenario.


Breaking Change: Updates to the audit and sign-in logs schema through Azure Monitor

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're currently publishing both the Audit and Sign-in log streams through Azure Monitor, so you can seamlessly integrate the log files with your SIEM tools or with Log Analytics. Based on your feedback, and in preparation for this feature's general availability announcement, we're making the following changes to our schema. These schema changes and its related documentation updates will happen by the first week of January.

New fields in the Audit schema

We're adding a new Operation Type field, to provide the type of operation performed on the resource. For example, Add, Update, or Delete.

Changed fields in the Audit schema

The following fields are changing in the Audit schema:

Field name: Category
  What changed: This was the Service Name field. It's now the Audit Categories field. Service Name has been renamed to the loggedByService field.
  Old values: Account Provisioning, Core Directory, Self-service Password Reset
  New values: User Management, Group Management, App Management

Field name: targetResources
  What changed: Includes TargetResourceType at the top level.
  Old values: (not listed)
  New values: Policy, App, User, Group

Field name: loggedByService
  What changed: Provides the name of the service that generated the audit log.
  Old values: Null
  New values: Account Provisioning, Core Directory, Self-service password reset

Field name: Result
  What changed: Provides the result of the audit logs. Previously, this was enumerated, but we now show the actual value.
  Old values: 0, 1
  New values: Success, Failure

Changed fields in the Sign-in schema

The following fields are changing in the Sign-in schema:

Field name: appliedConditionalAccessPolicies
  What changed: This was the conditionalaccessPolicies field. It's now the appliedConditionalAccessPolicies field.
  Old values: No change
  New values: No change

Field name: conditionalAccessStatus
  What changed: Provides the result of the Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.
  Old values: 0, 1, 2, 3
  New values: Success, Failure, Not Applied, Disabled

Field name: appliedConditionalAccessPolicies: result
  What changed: Provides the result of the individual Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.
  Old values: 0, 1, 2, 3
  New values: Success, Failure, Not Applied, Disabled

For more information about the schema, see Interpret the Azure AD audit logs schema in Azure Monitor (preview)
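The following is an added example, not code from the Azure AD documentation: a normalizer that accepts audit and sign-in records in either the pre-change or the post-change shape and emits the post-change shape, so a SIEM parser or detection rule keeps matching across the cutover. Assumptions not stated on the page: JSON property names are camelCase (category, loggedByService, result, operationType, conditionalaccessPolicies, appliedConditionalAccessPolicies, conditionalAccessStatus, plus a userPrincipalName field); the numeric-to-string mapping follows the order of the old and new value lists above (0 to Success, 1 to Failure, 2 to Not Applied, 3 to Disabled). The sample log lines are constructed.

```python
"""Added example (not from the Azure AD docs): schema-tolerant normalization
of Azure Monitor audit and sign-in records. Property names and code-to-string
mappings are assumptions stated in the lead-in; sample lines are constructed."""
import json
from typing import Any, Dict, List

# Assumed from the order of the old/new value lists in the notice.
AUDIT_RESULT = {0: "Success", 1: "Failure"}
CA_STATUS = {0: "Success", 1: "Failure", 2: "Not Applied", 3: "Disabled"}
# Pre-change, the 'category' field carried the service name (compared case-insensitively).
OLD_SERVICE_NAMES = {"account provisioning", "core directory", "self-service password reset"}


def _to_string(value: Any, table: Dict[int, str], field: str) -> str:
    """Accept the old integer code or the new string; reject anything else.
    A silently unmapped status is exactly how a detection rule goes blind."""
    if isinstance(value, str):
        if value not in table.values():
            raise ValueError(f"{field}: unknown value {value!r}")
        return value
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{field}: unexpected type {type(value).__name__}")
    if value not in table:
        raise ValueError(f"{field}: unknown code {value}")
    return table[value]


def normalize_audit(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return an audit record in the post-change shape whatever came in."""
    out = dict(record)
    category = out.get("category") or ""
    if not out.get("loggedByService") and category.lower() in OLD_SERVICE_NAMES:
        # Old schema: the service name lived in 'category'. Move it and leave
        # 'category' unset rather than inventing an audit category.
        out["loggedByService"] = category
        out["category"] = None
    out.setdefault("operationType", None)  # field only exists post-change
    out["result"] = _to_string(out["result"], AUDIT_RESULT, "result")
    return out


def normalize_signin(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a sign-in record in the post-change shape whatever came in."""
    out = dict(record)
    if "conditionalaccessPolicies" in out:  # old field name (renamed)
        out["appliedConditionalAccessPolicies"] = out.pop("conditionalaccessPolicies")
    out["conditionalAccessStatus"] = _to_string(
        out["conditionalAccessStatus"], CA_STATUS, "conditionalAccessStatus")
    policies = []
    for p in out.get("appliedConditionalAccessPolicies", []):
        p = dict(p)
        p["result"] = _to_string(p["result"], CA_STATUS,
                                 "appliedConditionalAccessPolicies.result")
        policies.append(p)
    out["appliedConditionalAccessPolicies"] = policies
    return out


def conditional_access_failures(raw_lines: List[str]) -> List[str]:
    """Detection helper: UPNs of sign-ins a Conditional Access policy blocked,
    found across both schemas. A rule written as 'status == 1' would miss the
    post-change records entirely."""
    hits = []
    for line in raw_lines:
        rec = normalize_signin(json.loads(line))
        if rec["conditionalAccessStatus"] == "Failure":
            hits.append(rec["userPrincipalName"])
    return hits


# Constructed sample lines: one pre-change, one post-change, one not blocked.
SAMPLE_SIGNINS = [
    json.dumps({"userPrincipalName": "alice@contoso.com",
                "conditionalAccessStatus": 1,
                "conditionalaccessPolicies": [{"displayName": "Require MFA", "result": 1}]}),
    json.dumps({"userPrincipalName": "bob@contoso.com",
                "conditionalAccessStatus": "Failure",
                "appliedConditionalAccessPolicies": [{"displayName": "Require MFA",
                                                      "result": "Failure"}]}),
    json.dumps({"userPrincipalName": "carol@contoso.com",
                "conditionalAccessStatus": 2,
                "conditionalaccessPolicies": []}),
]

if __name__ == "__main__":
    print(conditional_access_failures(SAMPLE_SIGNINS))
```

The normalizer fails loudly on an unknown code or string rather than passing it through, which is the behaviour you want during a schema migration: a rule that quietly stops matching is worse than a parser error you will notice in the pipeline's health metrics.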


Identity Protection improvements to the supervised machine learning model and the risk score engine

Type: Changed feature
Service category: Identity Protection
Product capability: Risk Scores

Improvements to the Identity Protection user and sign-in risk assessment engine improve user risk accuracy and coverage. Administrators may notice that a user's risk level is no longer directly linked to the risk level of specific detections, and that there's an increase in the number and level of risky sign-in events.

Risk detections are now evaluated by the supervised machine learning model, which calculates user risk by using additional features of the user’s sign-ins and a pattern of detections. Based on this model, the administrator might find users with high risk scores, even if detections associated with that user are of low or medium risk.


Administrators can reset their own password using the Microsoft Authenticator app (Public preview)

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

Azure AD administrators can now reset their own password using Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. Because administrator accounts are always held to the two-method self-service password reset policy, an administrator must verify with two of the following methods:

  • Microsoft Authenticator app notification

  • Other mobile authenticator app / Hardware token code

  • Email

  • Phone call

  • Text message

For more information about using the Microsoft Authenticator app to reset passwords, see Azure AD self-service password reset - Mobile app and SSPR (Preview)


New Azure AD Cloud Device Administrator role (Public preview)

Type: New feature
Service category: Device Registration and Management
Product capability: Access control

Administrators can assign users to the new Cloud Device Administrator role to perform cloud device administration tasks. Users assigned the Cloud Device Administrator role can enable, disable, and delete devices in Azure AD, and can read Windows 10 BitLocker recovery keys (if present) in the Azure portal. Because access to BitLocker recovery keys lets the holder unlock a device's encrypted disk, treat this as a sensitive role: keep its membership small, prefer eligible (PIM) assignment over permanent assignment, and review it regularly.

For more information about roles and permissions, see Assigning administrator roles in Azure Active Directory


Manage your devices using the new activity timestamp in Azure AD (Public preview)

Type: New feature
Service category: Device Registration and Management
Product capability: Device Lifecycle Management

Over time you must refresh and retire your organization's devices in Azure AD to avoid stale devices accumulating in your environment. To help with this process, Azure AD now stamps each device with an activity timestamp, so you can find devices that have not been used for a period of time and manage their lifecycle.

For more information about how to get and use this timestamp, see How To: Manage the stale devices in Azure AD
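The following is an added example, not code from the Azure AD documentation: a staged clean-up plan driven by the activity timestamp described above. Devices past the stale threshold are disabled first and deleted only after a further grace period while disabled, so a mistakenly flagged device can be re-enabled without re-enrolment; devices with no timestamp at all are routed to manual review rather than acted on. The device records, dates, thresholds, and the `last_activity` field name are this example's own assumptions, not the portal's.

```python
"""Added example (not from the Azure AD docs): staged stale-device plan.
Thresholds, field names and device records are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    enabled: bool
    last_activity: Optional[datetime]  # None: no activity timestamp recorded yet


def plan_stale_devices(devices: List[Device], now: datetime,
                       stale_after: timedelta = timedelta(days=90),
                       delete_after: timedelta = timedelta(days=180)
                       ) -> Dict[str, List[str]]:
    """Bucket devices into disable / delete / review / keep.

    Rules (assumed policy, not the page's):
      enabled  and inactive >= stale_after   -> disable (never straight to delete)
      disabled and inactive >= delete_after  -> delete
      no timestamp                           -> review by a human
    Inactivity is measured from last_activity, which a disabled device cannot
    advance, so delete_after acts as the combined stale + grace window.
    """
    if delete_after < stale_after:
        raise ValueError("delete_after must not be shorter than stale_after")
    plan: Dict[str, List[str]] = {"disable": [], "delete": [], "review": [], "keep": []}
    for d in devices:
        if d.last_activity is None:
            plan["review"].append(d.name)
            continue
        if d.last_activity.tzinfo is None:
            raise ValueError(f"{d.name}: naive timestamp; use timezone-aware UTC")
        inactive = now - d.last_activity
        if d.enabled:
            bucket = "disable" if inactive >= stale_after else "keep"
        else:
            bucket = "delete" if inactive >= delete_after else "keep"
        plan[bucket].append(d.name)
    return plan


NOW = datetime(2018, 12, 1, tzinfo=timezone.utc)
DEVICES = [  # constructed sample inventory
    Device("LAPTOP-ACTIVE", True, NOW - timedelta(days=3)),
    Device("LAPTOP-STALE", True, NOW - timedelta(days=120)),
    Device("LAPTOP-DISABLED-RECENT", False, NOW - timedelta(days=100)),
    Device("LAPTOP-DISABLED-OLD", False, NOW - timedelta(days=200)),
    Device("LAPTOP-NO-TIMESTAMP", True, None),
    Device("LAPTOP-VERY-OLD-ENABLED", True, NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for bucket, names in plan_stale_devices(DEVICES, NOW).items():
        print(f"{bucket:8} {names}")
```

Note that LAPTOP-VERY-OLD-ENABLED lands in the disable bucket, not delete, even though it is far past both thresholds: the plan never skips the disable stage, because that stage is the only point at which a wrongly classified device is still recoverable.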


Administrators can require users to accept a Terms of use on each device

Type: New feature
Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Require users to consent on every device option, which requires users to accept your Terms of use separately on each device they use to access your tenant.

For more information, see the Per-device Terms of use section of the Azure Active Directory Terms of use feature.


Administrators can configure a Terms of use to expire based on a recurring schedule

Type: New feature
Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Expire consents option to make a Terms of use expire for all of your users on a specified recurring schedule. The schedule can be annually, bi-annually (every six months), quarterly, or monthly. After the Terms of use expire, users must reaccept.

For more information, see the Add Terms of use section of the Azure Active Directory Terms of use feature.


Administrators can configure a Terms of use to expire based on each user’s schedule

Type: New feature
Service category: Terms of Use
Product capability: Governance

Administrators can now specify a duration after which each user must reaccept a Terms of use, measured from that user's last acceptance. For example, administrators can specify that users must reaccept a Terms of use every 90 days.

For more information, see the Add Terms of use section of the Azure Active Directory Terms of use feature.


New Azure AD Privileged Identity Management (PIM) emails for Azure Active Directory roles

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Customers using Azure AD Privileged Identity Management (PIM) can now receive a weekly digest email, including the following information for the last seven days:

  • Overview of the top eligible and permanent role assignments

  • Number of users activating roles

  • Number of users assigned to roles in PIM

  • Number of users assigned to roles outside of PIM

  • Number of users "made permanent" in PIM

For more information about PIM and the available email notifications, see Email notifications in PIM.


Group-based licensing is now generally available

Type: Changed feature
Service category: Other
Product capability: Directory

Group-based licensing is out of public preview and is now generally available. As part of this general release, we've made this feature more scalable and have added the ability to reprocess group-based licensing assignments for a single user and the ability to use group-based licensing with Office 365 E3/A3 licenses.

For more information about group-based licensing, see What is group-based licensing in Azure Active Directory?


New Federated Apps available in Azure AD app gallery - November 2018

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2018, we added these 26 new apps with Federation support to the app gallery:

CoreStack, HubSpot, GetThere, Gra-Pe, eHour, Consent2Go, Appinux, DriveDollar, Useall, Infinite Campus, Alaya, HeyBuddy, Wrike SAML, Drift, Zenegy for Business Central 365, Everbridge Member Portal, IDEO, Ivanti Service Manager (ISM), Peakon, Allbound SSO, Plex Apps - Classic Test, Plex Apps - Classic, Plex Apps - UX Test, Plex Apps - UX, Plex Apps - IAM, CRAFTS - Childcare Records, Attendance, & Financial Tracking System

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


October 2018

Azure AD Logs now work with Azure Log Analytics (Public preview)

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're excited to announce that you can now forward your Azure AD logs to Azure Log Analytics! This top-requested feature helps give you even better access to analytics for your business, operations, and security, as well as a way to help monitor your infrastructure. For more information, see the Azure Active Directory Activity logs in Azure Log Analytics now available blog.


New Federated Apps available in Azure AD app gallery - October 2018

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2018, we added these 14 new apps with Federation support to the app gallery:

My Award Points, Vibe HCM, ambyint, MyWorkDrive, BorrowBox, Dialpad, ON24 Virtual Environment, RingCentral, Zscaler Three, Phraseanet, Appraisd, Workspot Control, Shuccho Navi, Glassfrog

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Azure AD Domain Services Email Notifications

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Azure AD Domain Services provides alerts on the Azure portal about misconfigurations or problems with your managed domain. These alerts include step-by-step guides so you can try to fix the problems without having to contact support.

Starting in October, you'll be able to customize the notification settings for your managed domain so when new alerts occur, an email is sent to a designated group of people, eliminating the need to constantly check the portal for updates.

For more information, see Notification settings in Azure AD Domain Services.


Azure AD portal supports using the ForceDelete domain API to delete custom domains

Type: Changed feature
Service category: Directory Management
Product capability: Directory

We're pleased to announce that you can now use the ForceDelete domain API to delete your custom domain names by asynchronously renaming references, like users, groups, and apps from your custom domain name (contoso.com) back to the initial default domain name (contoso.onmicrosoft.com).

This change helps you to delete your custom domain names more quickly if your organization no longer uses the name, or if you need to use the domain name with another Azure AD tenant.

For more information, see Delete a custom domain name.