Archive for What's new in Azure Active Directory?

The primary What's new in Azure Active Directory? release notes article contains updates for the last six months, while this article contains all the older information.

The What's new in Azure Active Directory? release notes provide information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

April 2019

New Azure AD threat intelligence detection is now available as part of Azure AD Identity Protection

Type: New feature
Service category: Azure AD Identity Protection
Product capability: Identity Security & Protection

Azure AD threat intelligence detection is now available as part of the updated Azure AD Identity Protection feature. This new functionality helps to indicate unusual user activity for a specific user or activity that’s consistent with known attack patterns based on Microsoft’s internal and external threat intelligence sources.

For more information about the refreshed version of Azure AD Identity Protection, see the Four major Azure AD Identity Protection enhancements are now in public preview blog and the What is Azure Active Directory Identity Protection (refreshed)? article. For more information about Azure AD threat intelligence detection, see the Azure Active Directory Identity Protection risk detections article.


Azure AD entitlement management is now available (Public preview)

Type: New feature
Service category: Identity Governance
Product capability: Identity Governance

Azure AD entitlement management, now in public preview, helps customers to delegate management of access packages, which defines how employees and business partners can request access, who must approve, and how long they have access. Access packages can manage membership in Azure AD and Office 365 groups, role assignments in enterprise applications, and role assignments for SharePoint Online sites. Read more about entitlement management at the overview of Azure AD entitlement management. To learn more about the breadth of Azure AD Identity Governance features, including Privileged Identity Management, access reviews and terms of use, see What is Azure AD Identity Governance?.


Configure a naming policy for Office 365 groups in Azure AD portal (Public preview)

Type: New feature
Service category: Group Management
Product capability: Collaboration

Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.

You can configure naming policy for Office 365 groups in two different ways:

  • Define prefixes or suffixes, which are automatically added to a group name.

  • Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, “CEO, Payroll, HR”).

For more information, see Enforce a Naming Policy for Office 365 groups.


Azure AD Activity logs are now available in Azure Monitor (General availability)

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

To help address your feedback about visualizations with the Azure AD Activity logs, we're introducing a new Insights feature in Log Analytics. This feature helps you gain insights about your Azure AD resources by using our interactive templates, called Workbooks. These pre-built Workbooks can provide details for apps or users, and include:

  • Sign-ins. Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins.

  • Legacy authentication and Conditional Access. Provides details for apps and users using legacy authentication, including Multi-Factor Authentication usage triggered by Conditional Access policies, apps using Conditional Access policies, and so on.

  • Sign-in failure analysis. Helps you to determine if your sign-in errors are occurring due to a user action, policy issues, or your infrastructure.

  • Custom reports. You can create new, or edit existing Workbooks to help customize the Insights feature for your organization.

For more information, see How to use Azure Monitor workbooks for Azure Active Directory reports.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2019, we've added these 21 new apps with Federation support to the app gallery:

SAP Fiori, HRworks Single Sign-On, Percolate, MobiControl, Citrix NetScaler, Shibumi, Benchling, MileIQ, PageDNA, EduBrite LMS, RStudio Connect, AMMS, Mitel Connect, Alibaba Cloud (Role-based SSO), Certent Equity Management, Sectigo Certificate Manager, GreenOrbit, Workgrid, monday.com, SurveyMonkey Enterprise, Indiggo

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New access reviews frequency option and multiple role selection

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

New updates in Azure AD access reviews allow you to:

  • Change the frequency of your access reviews to semi-annually, in addition to the previously existing options of weekly, monthly, quarterly, and annually.

  • Select multiple Azure AD and Azure resource roles when creating a single access review. In this situation, all roles are set up with the same settings and all reviewers are notified at the same time.

For more information about how to create an access review, see Create an access review of groups or applications in Azure AD access reviews.


Azure AD Connect email alert system(s) are transitioning, sending new email sender information for some customers

Type: Changed feature
Service category: AD Sync
Product capability: Platform

Azure AD Connect is in the process of transitioning our email alert system(s), potentially showing some customers a new email sender. To address this, you must add azure-noreply@microsoft.com to your organization's allow list or you won't be able to continue receiving important alerts from your Office 365, Azure, or your Sync services.


UPN suffix changes are now successful between Federated domains in Azure AD Connect

Type: Fixed
Service category: AD Sync
Product capability: Platform

You can now successfully change a user's UPN suffix from one Federated domain to another Federated domain in Azure AD Connect. This fix means you should no longer experience the FederatedDomainChangeError error message during the synchronization cycle or receive a notification email stating, "Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services".

For more information, see Troubleshooting Errors during synchronization.


Increased security using the app protection-based Conditional Access policy in Azure AD (Public preview)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

App protection-based Conditional Access is now available by using the Require app protection policy. This new policy helps to increase your organization's security by helping to prevent:

  • Users gaining access to apps without a Microsoft Intune license.

  • Users being unable to get a Microsoft Intune app protection policy.

  • Users gaining access to apps without a configured Microsoft Intune app protection policy.

For more information, see How to Require app protection policy for cloud app access with Conditional Access.


New support for Azure AD single sign-on and Conditional Access in Microsoft Edge (Public preview)

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

We've enhanced our Azure AD support for Microsoft Edge, including providing new support for Azure AD single sign-on and Conditional Access. If you've previously used Microsoft Intune Managed Browser, you can now use Microsoft Edge instead.

For more information about setting up and managing your devices and apps using Conditional Access, see Require managed devices for cloud app access with Conditional Access and Require approved client apps for cloud app access with Conditional Access. For more information about how to manage access using Microsoft Edge with Microsoft Intune policies, see Manage Internet access using a Microsoft Intune policy-protected browser.


March 2019

Identity Experience Framework and custom policy support in Azure Active Directory B2C is now available (GA)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now create custom policies in Azure AD B2C, including the following tasks, which are supported at-scale and under our Azure SLA:

  • Create and upload custom authentication user journeys by using custom policies.

  • Describe user journeys step-by-step as exchanges between claims providers.

  • Define conditional branching in user journeys.

  • Transform and map claims for use in real-time decisions and communications.

  • Use REST API-enabled services in your custom authentication user journeys. For example, with email providers, CRMs, and proprietary authorization systems.

  • Federate with identity providers who are compliant with the OpenIDConnect protocol. For example, with multi-tenant Azure AD, social account providers, or two-factor verification providers.

For more information about creating custom policies, see Developer notes for custom policies in Azure Active Directory B2C and read Alex Simon’s blog post, including case studies.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2019, we've added these 14 new apps with Federation support to the app gallery:

ISEC7 Mobile Exchange Delegate, MediusFlow, ePlatform, Fulcrum, ExcelityGlobal, Explanation-Based Auditing System, Lean, Powerschool Performance Matters, Cinode, Iris Intranet, Empactis, SmartDraw, Confirmit Horizons, TAS

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

Automate creating, updating, and deleting user accounts for the following apps:

Zscaler, Zscaler Beta, Zscaler One, Zscaler Two, Zscaler Three, Zscaler ZSCloud, Atlassian Cloud

For more information about how to better secure your organization through automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Restore and manage your deleted Office 365 groups in the Azure AD portal

Type: New feature
Service category: Group Management
Product capability: Collaboration

You can now view and manage your deleted Office 365 groups from the Azure AD portal. This change helps you to see which groups are available to restore, along with letting you permanently delete any groups that aren’t needed by your organization.

For more information, see Restore expired or deleted groups.


Single sign-on is now available for Azure AD SAML-secured on-premises apps through Application Proxy (public preview)

Type: New feature
Service category: App Proxy
Product capability: Access Control

You can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through Application Proxy. For more information about how to set up SAML SSO with your on-premises apps, see SAML single sign-on for on-premises applications with Application Proxy (Preview).


Client apps in request loops will be interrupted to improve reliability and user experience

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Client apps can incorrectly issue hundreds of the same login requests over a short period of time. These requests, whether they're successful or not, all contribute to a poor user experience and heightened workloads for the IDP, increasing latency for all users and reducing the availability of the IDP.

This update sends an invalid_grant error: AADSTS50196: The server terminated an operation because it encountered a loop while processing a request to client apps that issue duplicate requests multiple times over a short period of time, beyond the scope of normal operation. Client apps that encounter this issue should show an interactive prompt, requiring the user to sign in again. For more information about this change and about how to fix your app if it encounters this error, see What's new for authentication?.


New Audit Logs user experience now available

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We've created a new Azure AD Audit logs page to help improve both readability and how you search for your information. To see the new Audit logs page, select Audit logs in the Activity section of Azure AD.

New Audit logs page, with sample info

For more information about the new Audit logs page, see Audit activity reports in the Azure Active Directory portal.


New warnings and guidance to help prevent accidental administrator lockout from misconfigured Conditional Access policies

Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

To help prevent administrators from accidentally locking themselves out of their own tenants through misconfigured Conditional Access policies, we've created new warnings and updated guidance in the Azure portal. For more information about the new guidance, see What are service dependencies in Azure Active Directory Conditional Access.


Improved end-user terms of use experiences on mobile devices

Type: Changed feature
Service category: Terms of use
Product capability: Governance

We've updated our existing terms of use experiences to help improve how you review and consent to terms of use on a mobile device. You can now zoom in and out, go back, download the information, and select hyperlinks. For more information about the updated terms of use, see Azure Active Directory terms of use feature.


New Azure AD Activity logs download experience available

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

You can now download large amounts of activity logs directly from the Azure portal. This update lets you:

  • Download up to 250,000 rows.

  • Get notified after the download completes.

  • Customize your file name.

  • Determine your output format, either JSON or CSV.

For more information about this feature, see Quickstart: Download an audit report using the Azure portal


Breaking change: Updates to condition evaluation by Exchange ActiveSync (EAS)

Type: Plan for change
Service category: Conditional Access
Product capability: Access Control

We’re in the process of updating how Exchange ActiveSync (EAS) evaluates the following conditions:

  • User location, based on country, region, or IP address

  • Sign-in risk

  • Device platform

If you’ve previously used these conditions in your Conditional Access policies, be aware that the condition behavior might change. For example, if you previously used the user location condition in a policy, you might find the policy now being skipped based on the location of your user.


February 2019

Configurable Azure AD SAML token encryption (Public preview)

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

You can now configure any supported SAML app to receive encrypted SAML tokens. When configured and used with an app, Azure AD encrypts the emitted SAML assertions using a public key obtained from a certificate stored in Azure AD.

For more information about configuring your SAML token encryption, see Configure Azure AD SAML token encryption.


Create an access review for groups or apps using Azure AD Access Reviews

Type: New feature
Service category: Access Reviews
Product capability: Governance

You can now include multiple groups or apps in a single Azure AD access review for group membership or app assignment. Access reviews with multiple groups or apps are set up using the same settings and all included reviewers are notified at the same time.

For more information about how create an access review using Azure AD Access Reviews, see Create an access review of groups or applications in Azure AD Access Reviews


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2019, we've added these 27 new apps with Federation support to the app gallery:

Euromonitor Passport, MindTickle, FAT FINGER, AirStack, Oracle Fusion ERP, IDrive, Skyward Qmlativ, Brightidea, AlertOps, Soloinsight-CloudGate SSO, Permission Click, Brandfolder, StoregateSmartFile, Pexip, Stormboard, Seismic, Share A Dream, Bugsnag, webMethods Integration Cloud, Knowledge Anywhere LMS, OU Campus, Periscope Data, Netop Portal, smartvid.io, PureCloud by Genesys, ClickUp Productivity Platform

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Enhanced combined MFA/SSPR registration

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

In response to customer feedback, we’ve enhanced the combined MFA/SSPR registration preview experience, helping your users to more quickly register their security info for both MFA and SSPR.

To turn on the enhanced experience for your users' today, follow these steps:

  1. As a global administrator or user administrator, sign in to the Azure portal and go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  2. In the Users who can use the preview features for registering and managing security info – refresh option, choose to turn on the features for a Selected group of users or for All users.

Over the next few weeks, we’ll be removing the ability to turn on the old combined MFA/SSPR registration preview experience for tenants that don’t already have it turned on.

To see if the control will be removed for your tenant, follow these steps:

  1. As a global administrator or user administrator, sign in to the Azure portal and go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  2. If the Users who can use the preview features for registering and managing security info option is set to None, the option will be removed from your tenant.

Regardless of whether you previously turned on the old combined MFA/SSPR registration preview experience for users or not, the old experience will be turned off at a future date. Because of that, we strongly suggest that you move to the new, enhanced experience as soon as possible.

For more information about the enhanced registration experience, see the Cool enhancements to the Azure AD combined MFA and password reset registration experience.


Updated policy management experience for user flows

Type: Changed feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

We've updated the policy creation and management process for user flows (previously known as, built-in policies) easier. This new experience is now the default for all of your Azure AD tenants.

You can provide additional feedback and suggestions by using the smile or frown icons in the Send us feedback area at the top of the portal screen.

For more information about the new policy management experience, see the Azure AD B2C now has JavaScript customization and many more new features blog.


Choose specific page element versions provided by Azure AD B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now choose a specific version of the page elements provided by Azure AD B2C. By selecting a specific version, you can test your updates before they appear on a page and you can get predictable behavior. Additionally, you can now opt in to enforce specific page versions to allow JavaScript customizations. To turn on this feature, go to the Properties page in your user flows.

For more information about choosing specific versions of page elements, see the Azure AD B2C now has JavaScript customization and many more new features blog.


Configurable end-user password requirements for B2C (GA)

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now set up your organization's password complexity for your end users, instead of having to use your native Azure AD password policy. From the Properties blade of your user flows (previously known as your built-in policies), you can choose a password complexity of Simple or Strong, or you can create a Custom set of requirements.

For more information about password complexity requirement configuration, see Configure complexity requirements for passwords in Azure Active Directory B2C.


New default templates for custom branded authentication experiences

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can use our new default templates, located on the Page layouts blade of your user flows (previously known as built-in policies), to create a custom branded authentication experience for your users.

For more information about using the templates, see Azure AD B2C now has JavaScript customization and many more new features.


January 2019

Active Directory B2B collaboration using one-time passcode authentication (Public preview)

Type: New feature
Service category: B2B
Product capability: B2B/B2C

We've introduced one-time passcode authentication (OTP) for B2B guest users who can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. This new authentication method means that guest users don't have to create a new Microsoft account. Instead, while redeeming an invitation or accessing a shared resource, a guest user can request a temporary code to be sent to an email address. Using this temporary code, the guest user can continue to sign in.

For more information, see Email one-time passcode authentication (preview) and the blog, Azure AD makes sharing and collaboration seamless for any user with any account.

Type: New feature
Service category: App Proxy
Product capability: Access Control

We've introduced three new cookie settings, available for your apps that are published through Application Proxy:

  • Use HTTP-Only cookie. Sets the HTTPOnly flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, such as helping to prevent copying or modifying of cookies through client-side scripting. We recommend you turn on this flag (choose Yes) for the added benefits.

  • Use secure cookie. Sets the Secure flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, by making sure cookies are only transmitted over TLS secure channels, such as HTTPS. We recommend you turn on this flag (choose Yes) for the added benefits.

  • Use persistent cookie. Prevents access cookies from expiring when the web browser is closed. These cookies last for the lifetime of the access token. However, the cookies are reset if the expiration time is reached or if the user manually deletes the cookie. We recommend you keep the default setting No, only turning on the setting for older apps that don't share cookies between processes.

For more information about the new cookies, see Cookie settings for accessing on-premises applications in Azure Active Directory.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2019, we've added these 35 new apps with Federation support to the app gallery:

Firstbird, Folloze, Talent Palette, Infor CloudSuite, Cisco Umbrella, Zscaler Internet Access Administrator, Expiration Reminder, InstaVR Viewer, CorpTax, Verb, OpenLattice, TheOrgWiki, Pavaso Digital Close, GoodPractice Toolkit, Cloud Service PICCO, AuditBoard, iProva, Workable, CallPlease, GTNexus SSO System, CBRE ServiceInsight, Deskradar, Coralogixv, Signagelive, ARES for Enterprise, K2 for Office 365, Xledger, iDiD Manager, HighGear, Visitly, Korn Ferry ALP, Acadia, Adoddle cSaas Platform

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New Azure AD Identity Protection enhancements (Public preview)

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We're excited to announce that we've added the following enhancements to the Azure AD Identity Protection public preview offering, including:

  • An updated and more integrated user interface

  • Additional APIs

  • Improved risk assessment through machine learning

  • Product-wide alignment across risky users and risky sign-ins

For more information about the enhancements, see What is Azure Active Directory Identity Protection (refreshed)? to learn more and to share your thoughts through the in-product prompts.


New App Lock feature for the Microsoft Authenticator app on iOS and Android devices

Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

To keep your one-time passcodes, app information, and app settings more secure, you can turn on the App Lock feature in the Microsoft Authenticator app. Turning on App Lock means you’ll be asked to authenticate using your PIN or biometric every time you open the Microsoft Authenticator app.

For more information, see the Microsoft Authenticator app FAQ.


Enhanced Azure AD Privileged Identity Management (PIM) export capabilities

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management (PIM) administrators can now export all active and eligible role assignments for a specific resource, which includes role assignments for all child resources. Previously, it was difficult for administrators to get a complete list of role assignments for a subscription and they had to export role assignments for each specific resource.

For more information, see View activity and audit history for Azure resource roles in PIM.


November/December 2018

Users removed from synchronization scope no longer switch to cloud-only accounts

Type: Fixed
Service category: User Management
Product capability: Directory

Important

We've heard and understand your frustration because of this fix. Therefore, we've reverted this change until such time that we can make the fix easier for you to implement in your organization.

We’ve fixed a bug in which the DirSyncEnabled flag of a user would be erroneously switched to False when the Active Directory Domain Services (AD DS) object was excluded from synchronization scope and then moved to the Recycle Bin in Azure AD on the following sync cycle. As a result of this fix, if the user is excluded from sync scope and afterwards restored from Azure AD Recycle Bin, the user account remains as synchronized from on-premises AD, as expected, and cannot be managed in the cloud since its source of authority (SoA) remains as on-premises AD.

Prior to this fix, there was an issue when the DirSyncEnabled flag was switched to False. It gave the wrong impression that these accounts were converted to cloud-only objects and that the accounts could be managed in the cloud. However, the accounts still retained their SoA as on-premises and all synchronized properties (shadow attributes) coming from on-premises AD. This condition caused multiple issues in Azure AD and other cloud workloads (like Exchange Online) that expected to treat these accounts as synchronized from AD but were now behaving like cloud-only accounts.

At this time, the only way to truly convert a synchronized-from-AD account to cloud-only account is by disabling DirSync at the tenant level, which triggers a backend operation to transfer the SoA. This type of SoA change requires (but is not limited to) cleaning all the on-premises related attributes (such as LastDirSyncTime and shadow attributes) and sending a signal to other cloud workloads to have its respective object converted to a cloud-only account too.

This fix consequently prevents direct updates on the ImmutableID attribute of a user synchronized from AD, which in some scenarios in the past were required. By design, the ImmutableID of an object in Azure AD, as the name implies, is meant to be immutable. New features implemented in Azure AD Connect Health and Azure AD Connect Synchronization client are available to address such scenarios:

  • Large-scale ImmutableID update for many users in a staged approach

    For example, you need to do a lengthy AD DS inter-forest migration. Solution: Use Azure AD Connect to Configure Source Anchor and, as the user migrates, copy the existing ImmutableID values from Azure AD into the local AD DS user’s ms-DS-Consistency-Guid attribute of the new forest. For more information, see Using ms-DS-ConsistencyGuid as sourceAnchor.

  • Large-scale ImmutableID updates for many users in one shot

    For example, while implementing Azure AD Connect you make a mistake, and now you need to change the SourceAnchor attribute. Solution: Disable DirSync at the tenant level and clear all the invalid ImmutableID values. For more information, see Turn off directory synchronization for Office 365.

  • Rematch on-premises user with an existing user in Azure AD For example, a user that has been re-created in AD DS generates a duplicate in Azure AD account instead of rematching it with an existing Azure AD account (orphaned object). Solution: Use Azure AD Connect Health in the Azure portal to remap the Source Anchor/ImmutableID. For more information, see Orphaned object scenario.

Breaking Change: Updates to the audit and sign-in logs schema through Azure Monitor

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're currently publishing both the Audit and Sign-in log streams through Azure Monitor, so you can seamlessly integrate the log files with your SIEM tools or with Log Analytics. Based on your feedback, and in preparation for this feature's general availability announcement, we're making the following changes to our schema. These schema changes and its related documentation updates will happen by the first week of January.

New fields in the Audit schema

We're adding a new Operation Type field, to provide the type of operation performed on the resource. For example, Add, Update, or Delete.

Changed fields in the Audit schema

The following fields are changing in the Audit schema:

Field name What changed Old values New Values
Category This was the Service Name field. It's now the Audit Categories field. Service Name has been renamed to the loggedByService field.
  • Account Provisioning
  • Core Directory
  • Self-service Password Reset
  • User Management
  • Group Management
  • App Management
targetResources Includes TargetResourceType at the top level.  
  • Policy
  • App
  • User
  • Group
loggedByService Provides the name of the service that generated the audit log. Null
  • Account Provisioning
  • Core Directory
  • Self-service password reset
Result Provides the result of the audit logs. Previously, this was enumerated, but we now show the actual value.
  • 0
  • 1
  • Success
  • Failure

Changed fields in the Sign-in schema

The following fields are changing in the Sign-in schema:

Field name What changed Old values New Values
appliedConditionalAccessPolicies This was the conditionalaccessPolicies field. It's now the appliedConditionalAccessPolicies field. No change No change
conditionalAccessStatus Provides the result of the Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.
  • 0
  • 1
  • 2
  • 3
  • Success
  • Failure
  • Not Applied
  • Disabled
appliedConditionalAccessPolicies: result Provides the result of the individual Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.
  • 0
  • 1
  • 2
  • 3
  • Success
  • Failure
  • Not Applied
  • Disabled

For more information about the schema, see Interpret the Azure AD audit logs schema in Azure Monitor (preview)


Identity Protection improvements to the supervised machine learning model and the risk score engine

Type: Changed feature
Service category: Identity Protection
Product capability: Risk Scores

Improvements to the Identity Protection-related user and sign-in risk assessment engine can help to improve user risk accuracy and coverage. Administrators may notice that user risk level is no longer directly linked to the risk level of specific detections, and that there's an increase in the number and level of risky sign-in events.

Risk detections are now evaluated by the supervised machine learning model, which calculates user risk by using additional features of the user’s sign-ins and a pattern of detections. Based on this model, the administrator might find users with high risk scores, even if detections associated with that user are of low or medium risk.


Administrators can reset their own password using the Microsoft Authenticator app (Public preview)

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

Azure AD administrators can now reset their own password using the Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. To reset their own password, administrators will now be able to use two of the following methods:

  • Microsoft Authenticator app notification

  • Other mobile authenticator app / Hardware token code

  • Email

  • Phone call

  • Text message

For more information about using the Microsoft Authenticator app to reset passwords, see Azure AD self-service password reset - Mobile app and SSPR (Preview)


New Azure AD Cloud Device Administrator role (Public preview)

Type: New feature
Service category: Device Registration and Management
Product capability: Access control

Administrators can assign users to the new Cloud Device Administrator role to perform cloud device administrator tasks. Users assigned the Cloud Device Administrators role can enable, disable, and delete devices in Azure AD, along with being able to read Windows 10 BitLocker keys (if present) in the Azure portal.

For more information about roles and permissions, see Assigning administrator roles in Azure Active Directory


Manage your devices using the new activity timestamp in Azure AD (Public preview)

Type: New feature
Service category: Device Registration and Management
Product capability: Device Lifecycle Management

We realize that over time you must refresh and retire your organizations' devices in Azure AD, to avoid having stale devices in your environment. To help with this process, Azure AD now updates your devices with a new activity timestamp, helping you to manage your device lifecycle.

For more information about how to get and use this timestamp, see How To: Manage the stale devices in Azure AD


Administrators can require users to accept a terms of use on each device

Type: New feature
Service category: Terms of use
Product capability: Governance

Administrators can now turn on the Require users to consent on every device option to require your users to accept your terms of use on every device they're using on your tenant.

For more information, see the Per-device terms of use section of the Azure Active Directory terms of use feature.


Administrators can configure a terms of use to expire based on a recurring schedule

Type: New feature
Service category: Terms of use
Product capability: Governance

Administrators can now turn on the Expire consents option to make a terms of use expire for all of your users based on your specified recurring schedule. The schedule can be annually, bi-annually, quarterly, or monthly. After the terms of use expire, users must reaccept.

For more information, see the Add terms of use section of the Azure Active Directory terms of use feature.


Administrators can configure a terms of use to expire based on each user’s schedule

Type: New feature
Service category: Terms of use
Product capability: Governance

Administrators can now specify a duration that user must reaccept a terms of use. For example, administrators can specify that users must reaccept a terms of use every 90 days.

For more information, see the Add terms of use section of the Azure Active Directory terms of use feature.


New Azure AD Privileged Identity Management (PIM) emails for Azure Active Directory roles

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Customers using Azure AD Privileged Identity Management (PIM) can now receive a weekly digest email, including the following information for the last seven days:

  • Overview of the top eligible and permanent role assignments

  • Number of users activating roles

  • Number of users assigned to roles in PIM

  • Number of users assigned to roles outside of PIM

  • Number of users "made permanent" in PIM

For more information about PIM and the available email notifications, see Email notifications in PIM.


Group-based licensing is now generally available

Type: Changed feature
Service category: Other
Product capability: Directory

Group-based licensing is out of public preview and is now generally available. As part of this general release, we've made this feature more scalable and have added the ability to reprocess group-based licensing assignments for a single user and the ability to use group-based licensing with Office 365 E3/A3 licenses.

For more information about group-based licensing, see What is group-based licensing in Azure Active Directory?


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2018, we've added these 26 new apps with Federation support to the app gallery:

CoreStack, HubSpot, GetThere, Gra-Pe, eHour, Consent2Go, Appinux, DriveDollar, Useall, Infinite Campus, Alaya, HeyBuddy, Wrike SAML, Drift, Zenegy for Business Central 365, Everbridge Member Portal, IDEO, Ivanti Service Manager (ISM), Peakon, Allbound SSO, Plex Apps - Classic Test, Plex Apps – Classic, Plex Apps - UX Test, Plex Apps – UX, Plex Apps – IAM, CRAFTS - Childcare Records, Attendance, & Financial Tracking System

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


October 2018

Azure AD Logs now work with Azure Log Analytics (Public preview)

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

We're excited to announce that you can now forward your Azure AD logs to Azure Log Analytics! This top-requested feature helps give you even better access to analytics for your business, operations, and security, as well as a way to help monitor your infrastructure. For more information, see the Azure Active Directory Activity logs in Azure Log Analytics now available blog.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2018, we've added these 14 new apps with Federation support to the app gallery:

My Award Points, Vibe HCM, ambyint, MyWorkDrive, BorrowBox, Dialpad, ON24 Virtual Environment, RingCentral, Zscaler Three, Phraseanet, Appraisd, Workspot Control, Shuccho Navi, Glassfrog

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Azure AD Domain Services Email Notifications

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Azure AD Domain Services provides alerts on the Azure portal about misconfigurations or problems with your managed domain. These alerts include step-by-step guides so you can try to fix the problems without having to contact support.

Starting in October, you'll be able to customize the notification settings for your managed domain so when new alerts occur, an email is sent to a designated group of people, eliminating the need to constantly check the portal for updates.

For more information, see Notification settings in Azure AD Domain Services.


Azure AD portal supports using the ForceDelete domain API to delete custom domains

Type: Changed feature
Service category: Directory Management
Product capability: Directory

We're pleased to announce that you can now use the ForceDelete domain API to delete your custom domain names by asynchronously renaming references, like users, groups, and apps from your custom domain name (contoso.com) back to the initial default domain name (contoso.onmicrosoft.com).

This change helps you to more quickly delete your custom domain names if your organization no longer uses the name, or if you need to use the domain name with another Azure AD.

For more information, see Delete a custom domain name.


September 2018

Updated administrator role permissions for dynamic groups

Type: Fixed
Service category: Group Management
Product capability: Collaboration

We've fixed an issue so specific administrator roles can now create and update dynamic membership rules, without needing to be the owner of the group.

The roles are:

  • Global administrator

  • Intune administrator

  • User administrator

For more information, see Create a dynamic group and check status


Simplified Single Sign-On (SSO) configuration settings for some third-party apps

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

We realize that setting up Single Sign-On (SSO) for Software as a Service (SaaS) apps can be challenging due to the unique nature of each apps configuration. We've built a simplified configuration experience to auto-populate the SSO configuration settings for the following third-party SaaS apps:

  • Zendesk

  • ArcGis Online

  • Jamf Pro

To start using this one-click experience, go to the Azure portal > SSO configuration page for the app. For more information, see SaaS application integration with Azure Active Directory


Azure Active Directory - Where is your data located? page

Type: New feature
Service category: Other
Product capability: GoLocal

Select your company's region from the Azure Active Directory - Where is your data located page to view which Azure datacenter houses your Azure AD data at rest for all Azure AD services. You can filter the information by specific Azure AD services for your company's region.

To access this feature and for more information, see Azure Active Directory - Where is your data located.


New deployment plan available for the My Apps Access panel

Type: New feature
Service category: My Apps
Product capability: SSO

Check out the new deployment plan that's available for the My Apps Access panel (https://aka.ms/deploymentplans). The My Apps Access panel provides users with a single place to find and access their apps. This portal also provides users with self-service opportunities, such as requesting access to apps and groups, or managing access to these resources on behalf of others.

For more information, see What is the My Apps portal?


New Troubleshooting and Support tab on the Sign-ins Logs page of the Azure portal

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

The new Troubleshooting and Support tab on the Sign-ins page of the Azure portal, is intended to help admins and support engineers troubleshoot issues related to Azure AD sign-ins. This new tab provides the error code, error message, and remediation recommendations (if any) to help solve the problem. If you're unable to resolve the problem, we also give you a new way to create a support ticket using the Copy to clipboard experience, which populates the Request ID and Date (UTC) fields for the log file in your support ticket.

Sign-in logs showing the new tab


Enhanced support for custom extension properties used to create dynamic membership rules

Type: Changed feature
Service category: Group Management
Product capability: Collaboration

With this update, you can now click the Get custom extension properties link from the dynamic user group rule builder, enter your unique app ID, and receive the full list of custom extension properties to use when creating a dynamic membership rule for users. This list can also be refreshed to get any new custom extension properties for that app.

For more information about using custom extension properties for dynamic membership rules, see Extension properties and custom extension properties


New approved client apps for Azure AD app-based Conditional Access

Type: Plan for change
Service category: Conditional Access
Product capability: Identity security and protection

The following apps are on the list of approved client apps:

  • Microsoft To-Do

  • Microsoft Stream

For more information, see:


New support for Self-Service Password Reset from the Windows 7/8/8.1 Lock screen

Type: New feature
Service category: SSPR
Product capability: User Authentication

After you set up this new feature, your users will see a link to reset their password from the Lock screen of a device running Windows 7, Windows 8, or Windows 8.1. By clicking that link, the user is guided through the same password reset flow as through the web browser.

For more information, see How to enable password reset from Windows 7, 8, and 8.1


Change notice: Authorization codes will no longer be available for reuse

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

Starting on November 15, 2018, Azure AD will stop accepting previously used authentication codes for apps. This security change helps to bring Azure AD in line with the OAuth specification and will be enforced on both the v1 and v2 endpoints.

If your app reuses authorization codes to get tokens for multiple resources, we recommend that you use the code to get a refresh token, and then use that refresh token to acquire additional tokens for other resources. Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple resources. An app that attempts to reuse an authentication code during the OAuth code flow will get an invalid_grant error.

For this and other protocols-related changes, see the full list of what's new for authentication.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2018, we've added these 16 new apps with Federation support to the app gallery:

Uberflip, Comeet Recruiting Software, Workteam, ArcGIS Enterprise, Nuclino, JDA Cloud, Snowflake, NavigoCloud, Figma, join.me, ZephyrSSO, Silverback, Riverbed Xirrus EasyPass, Rackspace SSO, Enlyft SSO for Azure, SurveyMonkey, Convene, dmarcian

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Support for additional claims transformations methods

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

We've introduced new claim transformation methods, ToLower() and ToUpper(), which can be applied to SAML tokens from the SAML-based Single Sign-On Configuration page.

For more information, see How to customize claims issued in the SAML token for enterprise applications in Azure AD


Updated SAML-based app configuration UI (preview)

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

As part of our updated SAML-based app configuration UI, you'll get:

  • An updated walkthrough experience for configuring your SAML-based apps.

  • More visibility about what's missing or incorrect in your configuration.

  • The ability to add multiple email addresses for expiration certificate notification.

  • New claim transformation methods, ToLower() and ToUpper(), and more.

  • A way to upload your own token signing certificate for your enterprise apps.

  • A way to set the NameID Format for SAML apps, and a way to set the NameID value as Directory Extensions.

To turn on this updated view, click the Try out our new experience link from the top of the Single Sign-On page. For more information, see Tutorial: Configure SAML-based single sign-on for an application with Azure Active Directory.


August 2018

Changes to Azure Active Directory IP address ranges

Type: Plan for change
Service category: Other
Product capability: Platform

We're introducing larger IP ranges to Azure AD, which means if you've configured Azure AD IP address ranges for your firewalls, routers, or Network Security Groups, you'll need to update them. We're making this update so you won't have to change your firewall, router, or Network Security Groups IP range configurations again when Azure AD adds new endpoints.

Network traffic is moving to these new ranges over the next two months. To continue with uninterrupted service, you must add these updated values to your IP Addresses before September 10, 2018:

  • 20.190.128.0/18

  • 40.126.0.0/18

We strongly recommend not removing the old IP Address ranges until all of your network traffic has moved to the new ranges. For updates about the move and to learn when you can remove the old ranges, see Office 365 URLs and IP address ranges.


Change notice: Authorization codes will no longer be available for reuse

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

Starting on November 15, 2018, Azure AD will stop accepting previously used authentication codes for apps. This security change helps to bring Azure AD in line with the OAuth specification and will be enforced on both the v1 and v2 endpoints.

If your app reuses authorization codes to get tokens for multiple resources, we recommend that you use the code to get a refresh token, and then use that refresh token to acquire additional tokens for other resources. Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple resources. An app that attempts to reuse an authentication code during the OAuth code flow will get an invalid_grant error.

For this and other protocols-related changes, see the full list of what's new for authentication.


Converged security info management for self-service password (SSPR) and Multi-Factor Authentication (MFA)

Type: New feature
Service category: SSPR
Product capability: User Authentication

This new feature helps people manage their security info (such as, phone number, mobile app, and so on) for SSPR and MFA in a single location and experience; as compared to previously, where it was done in two different locations.

This converged experience also works for people using either SSPR or MFA. Additionally, if your organization doesn't enforce MFA or SSPR registration, people can still register any MFA or SSPR security info methods allowed by your organization from the My Apps portal.

This is an opt-in public preview. Administrators can turn on the new experience (if desired) for a selected group or for all users in a tenant. For more information about the converged experience, see the Converged experience blog


New HTTP-Only cookies setting in Azure AD Application proxy apps

Type: New feature
Service category: App Proxy
Product capability: Access Control

There's a new setting called, HTTP-Only Cookies in your Application Proxy apps. This setting helps provide extra security by including the HTTPOnly flag in the HTTP response header for both Application Proxy access and session cookies, stopping access to the cookie from a client-side script and further preventing actions like copying or modifying the cookie. Although this flag hasn't been used previously, your cookies have always been encrypted and transmitted using an SSL connection to help protect against improper modifications.

This setting isn't compatible with apps using ActiveX controls, such as Remote Desktop. If you're in this situation, we recommend that you turn off this setting.

For more information about the HTTP-Only Cookies setting, see Publish applications using Azure AD Application Proxy.


Privileged Identity Management (PIM) for Azure resources supports Management Group resource types

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Just-In-Time activation and assignment settings can now be applied to Management Group resource types, just like you already do for Subscriptions, Resource Groups, and Resources (such as VMs, App Services, and more). In addition, anyone with a role that provides administrator access for a Management Group can discover and manage that resource in PIM.

For more information about PIM and Azure resources, see Discover and manage Azure resources by using Privileged Identity Management


Application access (preview) provides faster access to the Azure AD portal

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Today, when activating a role using PIM, it can take over 10 minutes for the permissions to take effect. If you choose to use Application access, which is currently in public preview, administrators can access the Azure AD portal as soon as the activation request completes.

Currently, Application access only supports the Azure AD portal experience and Azure resources. For more information about PIM and Application access, see What is Azure AD Privileged Identity Management?


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2018, we've added these 16 new apps with Federation support to the app gallery:

Hornbill, Bridgeline Unbound, Sauce Labs - Mobile and Web Testing, Meta Networks Connector, Way We Do, Spotinst, ProMaster (by Inlogik), SchoolBooking, 4me, Dossier, N2F - Expense reports, Comm100 Live Chat, SafeConnect, ZenQMS, eLuminate, Dovetale.

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Native Tableau support is now available in Azure AD Application Proxy

Type: Changed feature
Service category: App Proxy
Product capability: Access Control

With our update from the OpenID Connect to the OAuth 2.0 Code Grant protocol for our pre-authentication protocol, you no longer have to do any additional configuration to use Tableau with Application Proxy. This protocol change also helps Application Proxy better support more modern apps by using only HTTP redirects, which are commonly supported in JavaScript and HTML tags.

For more information about our native support for Tableau, see Azure AD Application Proxy now with native Tableau support.


New support to add Google as an identity provider for B2B guest users in Azure Active Directory (preview)

Type: New feature
Service category: B2B
Product capability: B2B/B2C

By setting up federation with Google in your organization, you can let invited Gmail users sign in to your shared apps and resources using their existing Google account, without having to create a personal Microsoft Account (MSAs) or an Azure AD account.

This is an opt-in public preview. For more information about Google federation, see Add Google as an identity provider for B2B guest users.


July 2018

Improvements to Azure Active Directory email notifications

Type: Changed feature
Service category: Other
Product capability: Identity lifecycle management

Azure Active Directory (Azure AD) emails now feature an updated design, as well as changes to the sender email address and sender display name, when sent from the following services:

  • Azure AD Access Reviews
  • Azure AD Connect Health
  • Azure AD Identity Protection
  • Azure AD Privileged Identity Management
  • Enterprise App Expiring Certificate Notifications
  • Enterprise App Provisioning Service Notifications

The email notifications will be sent from the following email address and display name:

  • Email address: azure-noreply@microsoft.com
  • Display name: Microsoft Azure

For an example of some of the new e-mail designs and more information, see Email notifications in Azure AD PIM.


Azure AD Activity Logs are now available through Azure Monitor

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

The Azure AD Activity Logs are now available in public preview for the Azure Monitor (Azure's platform-wide monitoring service). Azure Monitor offers you long-term retention and seamless integration, in addition to these improvements:

  • Long-term retention by routing your log files to your own Azure storage account.

  • Seamless SIEM integration, without requiring you to write or maintain custom scripts.

  • Seamless integration with your own custom solutions, analytics tools, or incident management solutions.

For more information about these new capabilities, see our blog Azure AD activity logs in Azure Monitor diagnostics is now in public preview and our documentation, Azure Active Directory activity logs in Azure Monitor (preview).


Conditional Access information added to the Azure AD sign-ins report

Type: New feature
Service category: Reporting
Product capability: Identity Security & Protection

This update lets you see which policies are evaluated when a user signs in along with the policy outcome. In addition, the report now includes the type of client app used by the user, so you can identify legacy protocol traffic. Report entries can also now be searched for a correlation ID, which can be found in the user-facing error message and can be used to identify and troubleshoot the matching sign-in request.


View legacy authentications through Sign-ins activity logs

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

With the introduction of the Client App field in the Sign-in activity logs, customers can now see users that are using legacy authentications. Customers will be able to access this information using the Sign-ins MS Graph API or through the Sign-in activity logs in Azure AD portal where you can use the Client App control to filter on legacy authentications. Check out the documentation for more details.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2018, we've added these 16 new apps with Federation support to the app gallery:

Innovation Hub, Leapsome, Certain Admin SSO, PSUC Staging, iPass SmartConnect, Screencast-O-Matic, PowerSchool Unified Classroom, Eli Onboarding, Bomgar Remote Support, Nimblex, Imagineer WebVision, Insight4GRC, SecureW2 JoinNow Connector, Kanbanize, SmartLPA, Skills Base

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New user provisioning SaaS app integrations - July 2018

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

Azure AD allows you to automate the creation, maintenance, and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow, and more. For July 2018, we have added user provisioning support for the following applications in the Azure AD app gallery:

For a list of all applications that support user provisioning in the Azure AD gallery, see SaaS application integration with Azure Active Directory.


Connect Health for Sync - An easier way to fix orphaned and duplicate attribute sync errors

Type: New feature
Service category: AD Connect
Product capability: Monitoring & Reporting

Azure AD Connect Health introduces self-service remediation to help you highlight and fix sync errors. This feature troubleshoots duplicated attribute sync errors and fixes objects that are orphaned from Azure AD. This diagnosis has the following benefits:

  • Narrows down duplicated attribute sync errors, providing specific fixes

  • Applies a fix for dedicated Azure AD scenarios, resolving errors in a single step

  • No upgrade or configuration is required to turn on and use this feature

For more information, see Diagnose and remediate duplicated attribute sync errors


Visual updates to the Azure AD and MSA sign-in experiences

Type: Changed feature
Service category: Azure AD
Product capability: User Authentication

We've updated the UI for Microsoft's online services sign-in experience, such as for Office 365 and Azure. This change makes the screens less cluttered and more straightforward. For more information about this change, see the Upcoming improvements to the Azure AD sign-in experience blog.


New release of Azure AD Connect - July 2018

Type: Changed feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management

The latest release of Azure AD Connect includes:

  • Bug fixes and supportability updates

  • General Availability of the Ping-Federate integration

  • Updates to the latest SQL 2012 client

For more information about this update, see Azure AD Connect: Version release history


Updates to the terms of use end-user UI

Type: Changed feature
Service category: Terms of use
Product capability: Governance

We're updating the acceptance string in the TOU end-user UI.

Current text. In order to access [tenantName] resources, you must accept the terms of use.
New text. In order to access [tenantName] resource, you must read the terms of use.

Current text: Choosing to accept means that you agree to all of the above terms of use.
New text: Please click Accept to confirm that you have read and understood the terms of use.


Pass-through Authentication supports legacy protocols and applications

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

Pass-through Authentication now supports legacy protocols and apps. The following limitations are now fully supported:

  • User sign-ins to legacy Office client applications, Office 2010 and Office 2013, without requiring modern authentication.

  • Access to calendar sharing and free/busy information in Exchange hybrid environments on Office 2010 only.

  • User sign-ins to Skype for Business client applications without requiring modern authentication.

  • User sign-ins to PowerShell version 1.0.

  • The Apple Device Enrollment Program (Apple DEP), using the iOS Setup Assistant.


Converged security info management for self-service password reset and Multi-Factor Authentication

Type: New feature
Service category: SSPR
Product capability: User Authentication

This new feature lets users manage their security info (for example, phone number, email address, mobile app, and so on) for self-service password reset (SSPR) and Multi-Factor Authentication (MFA) in a single experience. Users will no longer have to register the same security info for SSPR and MFA in two different experiences. This new experience also applies to users who have either SSPR or MFA.

If an organization isn't enforcing MFA or SSPR registration, users can register their security info through the My Apps portal. From there, users can register any methods enabled for MFA or SSPR.

This is an opt-in public preview. Admins can turn on the new experience (if desired) for a selected group of users or all users in a tenant.


Use the Microsoft Authenticator app to verify your identity when you reset your password

Type: Changed feature
Service category: SSPR
Product capability: User Authentication

This feature lets non-admins verify their identity while resetting a password using a notification or code from Microsoft Authenticator (or any other authenticator app). After admins turn on this self-service password reset method, users who have registered a mobile app through aka.ms/mfasetup or aka.ms/setupsecurityinfo can use their mobile app as a verification method while resetting their password.

Mobile app notification can only be turned on as part of a policy that requires two methods to reset your password.


June 2018

Change notice: Security fix to the delegated authorization flow for apps using Azure AD Activity Logs API

Type: Plan for change
Service category: Reporting
Product capability: Monitoring & Reporting

Due to our stronger security enforcement, we’ve had to make a change to the permissions for apps that use a delegated authorization flow to access Azure AD Activity Logs APIs. This change will occur by June 26, 2018.

If any of your apps use Azure AD Activity Log APIs, follow these steps to ensure the app doesn’t break after the change happens.

To update your app permissions

  1. Sign in to the Azure portal, select Azure Active Directory, and then select App Registrations.

  2. Select your app that uses the Azure AD Activity Logs API, select Settings, select Required permissions, and then select the Windows Azure Active Directory API.

  3. In the Delegated permissions area of the Enable access blade, select the box next to Read directory data, and then select Save.

  4. Select Grant permissions, and then select Yes.

    Note

    You must be a Global administrator to grant permissions to the app.

For more information, see the Grant permissions area of the Prerequisites to access the Azure AD reporting API article.


Configure TLS settings to connect to Azure AD services for PCI DSS compliance

Type: New feature
Service category: N/A
Product capability: Platform

Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications and is the most widely deployed security protocol used today.

The PCI Security Standards Council has determined that early versions of TLS and Secure Sockets Layer (SSL) must be disabled in favor of enabling new and more secure app protocols, with compliance starting on June 30, 2018. This change means that if you connect to Azure AD services and require PCI DSS-compliance, you must disable TLS 1.0. Multiple versions of TLS are available, but TLS 1.2 is the latest version available for Azure Active Directory Services. We highly recommend moving directly to TLS 1.2 for both client/server and browser/server combinations.

Out-of-date browsers might not support newer TLS versions, such as TLS 1.2. To see which versions of TLS are supported by your browser, go to the Qualys SSL Labs site and click Test your browser. We recommend you upgrade to the latest version of your web browser and preferably enable only TLS 1.2.

To enable TLS 1.2, by browser

  • Microsoft Edge and Internet Explorer (both are set using Internet Explorer)

    1. Open Internet Explorer, select Tools > Internet Options > Advanced.
    2. In the Security area, select use TLS 1.2, and then select OK.
    3. Close all browser windows and restart Internet Explorer.
  • Google Chrome

    1. Open Google Chrome, type chrome://settings/ into the address bar, and press Enter.
    2. Expand the Advanced options, go to the System area, and select Open proxy settings.
    3. In the Internet Properties box, select the Advanced tab, go to the Security area, select use TLS 1.2, and then select OK.
    4. Close all browser windows and restart Google Chrome.
  • Mozilla Firefox

    1. Open Firefox, type about:config into the address bar, and then press Enter.

    2. Search for the term, TLS, and then select the security.tls.version.max entry.

    3. Set the value to 3 to force the browser to use up to version TLS 1.2, and then select OK.

      Note

      Firefox version 60.0 supports TLS 1.3, so you can also set the security.tls.version.max value to 4.

    4. Close all browser windows and restart Mozilla Firefox.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2018, we've added these 15 new apps with Federation support to the app gallery:

Skytap, Settling music, SAML 1.1 Token enabled LOB App, Supermood, Autotask, Endpoint Backup, Skyhigh Networks, Smartway2, TonicDM, Moconavi, Zoho One, SharePoint on-premises, ForeSee CX Suite, Vidyard, ChronicX

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Azure AD Password Protection is available in public preview

Type: New feature
Service category: Identity Protection
Product capability: User Authentication

Use Azure AD Password Protection to help eliminate easily guessed passwords from your environment. Eliminating these passwords helps to lower the risk of compromise from a password spray type of attack.

Specifically, Azure AD Password Protection helps you:

  • Protect your organization's accounts in both Azure AD and Windows Server Active Directory (AD).
  • Stops your users from using passwords on a list of more than 500 of the most commonly used passwords, and over 1 million character substitution variations of those passwords.
  • Administer Azure AD Password Protection from a single location in the Azure AD portal, for both Azure AD and on-premises Windows Server AD.

For more information about Azure AD Password Protection, see Eliminate bad passwords in your organization.


New "all guests" Conditional Access policy template created during terms of use creation

Type: New feature
Service category: Terms of use
Product capability: Governance

During the creation of your terms of use, a new Conditional Access policy template is also created for "all guests" and "all apps". This new policy template applies the newly created ToU, streamlining the creation and enforcement process for guests.

For more information, see Azure Active Directory Terms of use feature.


New "custom" Conditional Access policy template created during terms of use creation

Type: New feature
Service category: Terms of use
Product capability: Governance

During the creation of your terms of use, a new “custom” Conditional Access policy template is also created. This new policy template lets you create the ToU and then immediately go to the Conditional Access policy creation blade, without needing to manually navigate through the portal.

For more information, see Azure Active Directory Terms of use feature.


New and comprehensive guidance about deploying Azure Multi-Factor Authentication

Type: New feature
Service category: Other
Product capability: Identity Security & Protection

We've released new step-by-step guidance about how to deploy Azure Multi-Factor Authentication (MFA) in your organization.

To view the MFA deployment guide, go to the Identity Deployment Guides repo on GitHub. To provide feedback about the deployment guides, use the Deployment Plan Feedback form. If you have any questions about the deployment guides, contact us at IDGitDeploy.


Azure AD delegated app management roles are in public preview

Type: New feature
Service category: Enterprise Apps
Product capability: Access Control

Admins can now delegate app management tasks without assigning the Global Administrator role. The new roles and capabilities are:

  • New standard Azure AD admin roles:

    • Application Administrator. Grants the ability to manage all aspects of all apps, including registration, SSO settings, app assignments and licensing, App proxy settings, and consent (except to Azure AD resources).

    • Cloud Application Administrator. Grants all of the Application Administrator abilities, except for App proxy because it doesn't provide on-premises access.

    • Application Developer. Grants the ability to create app registrations, even if the allow users to register apps option is turned off.

  • Ownership (set up per-app registration and per-enterprise app, similar to the group ownership process:

    • App Registration Owner. Grants the ability to manage all aspects of owned app registration, including the app manifest and adding additional owners.

    • Enterprise App Owner. Grants the ability to manage many aspects of owned enterprise apps, including SSO settings, app assignments, and consent (except to Azure AD resources).

For more information about public preview, see the Azure AD delegated application management roles are in public preview! blog. For more information about roles and permissions, see Assigning administrator roles in Azure Active Directory.


May 2018

ExpressRoute support changes

Type: Plan for change
Service category: Authentications (Logins)
Product capability: Platform

Software as a Service offering, like Azure Active Directory (Azure AD) are designed to work best by going directly through the Internet, without requiring ExpressRoute or any other private VPN tunnels. Because of this, on August 1, 2018, we will stop supporting ExpressRoute for Azure AD services using Azure public peering and Azure communities in Microsoft peering. Any services impacted by this change might notice Azure AD traffic gradually shifting from ExpressRoute to the Internet.

While we're changing our support, we also know there are still situations where you might need to use a dedicated set of circuits for your authentication traffic. Because of this, Azure AD will continue to support per-tenant IP range restrictions using ExpressRoute and services already on Microsoft peering with the "Other Office 365 Online services" community. If your services are impacted, but you require ExpressRoute, you must do the following:

  • If you're on Azure public peering. Move to Microsoft peering and sign up for the Other Office 365 Online services (12076:5100) community. For more info about how to move from Azure public peering to Microsoft peering, see the Move a public peering to Microsoft peering article.

  • If you're on Microsoft peering. Sign up for the Other Office 365 Online service (12076:5100) community. For more info about routing requirements, see the Support for BGP communities section of the ExpressRoute routing requirements article.

If you must continue to use dedicated circuits, you'll need to talk to your Microsoft Account team about how to get authorization to use the Other Office 365 Online service (12076:5100) community. The MS Office-managed review board will verify whether you need those circuits and make sure you understand the technical implications of keeping them. Unauthorized subscriptions trying to create route filters for Office 365 will receive an error message.


Microsoft Graph APIs for administrative scenarios for TOU

Type: New feature
Service category: Terms of use
Product capability: Developer Experience

We've added Microsoft Graph APIs for administration operation of Azure AD terms of use. You are able to create, update, delete the terms of use object.


Add Azure AD multi-tenant endpoint as an identity provider in Azure AD B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Using custom policies, you can now add the Azure AD common endpoint as an identity provider in Azure AD B2C. This allows you to have a single point of entry for all Azure AD users that are signing into your applications. For more information, see Azure Active Directory B2C: Allow users to sign in to a multi-tenant Azure AD identity provider using custom policies.


Use Internal URLs to access apps from anywhere with our My Apps Sign-in Extension and the Azure AD Application Proxy

Type: New feature
Service category: My Apps
Product capability: SSO

Users can now access applications through internal URLs even when outside your corporate network by using the My Apps Secure Sign-in Extension for Azure AD. This will work with any application that you have published using Azure AD Application Proxy, on any browser that also has the Access Panel browser extension installed. The URL redirection functionality is automatically enabled once a user logs into the extension. The extension is available for download on Microsoft Edge, Chrome, and Firefox.


Azure Active Directory - Data in Europe for Europe customers

Type: New feature
Service category: Other
Product capability: GoLocal

Customers in Europe require their data to stay in Europe and not replicated outside of European datacenters for meeting privacy and European laws. This article provides the specific details on what identity information will be stored within Europe and also provide details on information that will be stored outside European datacenters.


New user provisioning SaaS app integrations - May 2018

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

Azure AD allows you to automate the creation, maintenance, and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow, and more. For May 2018, we have added user provisioning support for the following applications in the Azure AD app gallery:

For a list of all applications that support user provisioning in the Azure AD gallery, see https://aka.ms/appstutorial.


Azure AD access reviews of groups and app access now provides recurring reviews

Type: New feature
Service category: Access Reviews
Product capability: Governance

Access review of groups and apps is now generally available as part of Azure AD Premium P2. Administrators will be able to configure access reviews of group memberships and application assignments to automatically recur at regular intervals, such as monthly or quarterly.


Azure AD Activity logs (sign-ins and audit) are now available through MS Graph

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD Activity logs, which, includes Sign-ins and Audit logs, are now available through MS Graph. We have exposed two end points through MS Graph to access these logs. Check out our documents for programmatic access to Azure AD Reporting APIs to get started.


Improvements to the B2B redemption experience and leave an org

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Just in time redemption: Once you share a resource with a guest user using B2B API – you don’t need to send out a special invitation email. In most cases, the guest user can access the resource and will be taken through the redemption experience just in time. No more impact due to missed emails. No more asking your guest users “Did you click on that redemption link the system sent you?”. This means once SPO uses the invitation manager – cloudy attachments can have the same canonical URL for all users – internal and external – in any state of redemption.

Modern redemption experience: No more split screen redemption landing page. Users will see a modern consent experience with the inviting organization's privacy statement, just like they do for third-party apps.

Guest users can leave the org: Once a user’s relationship with an org is over, they can self-serve leaving the organization. No more calling the inviting org’s admin to “be removed”, no more raising support tickets.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2018, we've added these 18 new apps with Federation support to our app gallery:

AwardSpring, Infogix Data3Sixty Govern, Yodeck, Jamf Pro, KnowledgeOwl, Envi MMIS, LaunchDarkly, Adobe Captivate Prime, Montage Online, まなびポケット, OpenReel, Arc Publishing - SSO, PlanGrid, iWellnessNow, Proxyclick, Riskware, Flock, Reviewsnap

For more information about the apps, see SaaS application integration with Azure Active Directory.

For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


New step-by-step deployment guides for Azure Active Directory

Type: New feature
Service category: Other
Product capability: Directory

New, step-by-step guidance about how to deploy Azure Active Directory (Azure AD), including self-service password reset (SSPR), single sign-on (SSO), Conditional Access (CA), App proxy, User provisioning, Active Directory Federation Services (ADFS) to Pass-through Authentication (PTA), and ADFS to Password hash sync (PHS).

To view the deployment guides, go to the Identity Deployment Guides repo on GitHub. To provide feedback about the deployment guides, use the Deployment Plan Feedback form. If you have any questions about the deployment guides, contact us at IDGitDeploy.


Enterprise Applications Search - Load More Apps

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Having trouble finding your applications / service principals? We've added the ability to load more applications in your enterprise applications all applications list. By default, we show 20 applications. You can now click, Load more to view additional applications.


The May release of AADConnect contains a public preview of the integration with PingFederate, important security updates, many bug fixes, and new great new troubleshooting tools.

Type: Changed feature
Service category: AD Connect
Product capability: Identity Lifecycle Management

The May release of AADConnect contains a public preview of the integration with PingFederate, important security updates, many bug fixes, and new great new troubleshooting tools. You can find the release notes here.


Azure AD access reviews: auto-apply

Type: Changed feature
Service category: Access Reviews
Product capability: Governance

Access reviews of groups and apps are now generally available as part of Azure AD Premium P2. An administrator can configure to automatically apply the reviewer's changes to that group or app as the access review completes. The administrator can also specify what happens to the user's continued access if reviewers didn't respond, remove access, keep access, or take system recommendations.


ID tokens can no longer be returned using the query response_mode for new apps.

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

Apps created on or after April 25, 2018 will no longer be able to request an id_token using the query response_mode. This brings Azure AD inline with the OIDC specifications and helps reduce your apps attack surface. Apps created before April 25, 2018 are not blocked from using the query response_mode with a response_type of id_token. The error returned, when requesting an id_token from AAD, is AADSTS70007: ‘query’ is not a supported value of ‘response_mode’ when requesting a token.

The fragment and form_post response_modes continue to work - when creating new application objects (for example, for App Proxy usage), ensure use of one of these response_modes before they create a new application.


April 2018

Azure AD B2C Access Token are GA

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now access Web APIs secured by Azure AD B2C using access tokens. The feature is moving from public preview to GA. The UI experience to configure Azure AD B2C applications and web APIs has been improved, and other minor improvements were made.

For more information, see Azure AD B2C: Requesting access tokens.


Test single sign-on configuration for SAML-based applications

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

When configuring SAML-based SSO applications, you're able to test the integration on the configuration page. If you encounter an error during sign in, you can provide the error in the testing experience and Azure AD provides you with resolution steps to solve the specific issue.

For more information, see:


Azure AD terms of use now has per user reporting

Type: New feature
Service category: Terms of use
Product capability: Compliance

Administrators can now select a given ToU and see all the users that have consented to that ToU and what date/time it took place.

For more information, see the Azure AD terms of use feature.


Azure AD Connect Health: Risky IP for AD FS extranet lockout protection

Type: New feature
Service category: Other
Product capability: Monitoring & Reporting

Connect Health now supports the ability to detect IP addresses that exceed a threshold of failed U/P logins on an hourly or daily basis. The capabilities provided by this feature are:

  • Comprehensive report showing IP address and the number of failed logins generated on an hourly/daily basis with customizable threshold.
  • Email-based alerts showing when a specific IP address has exceeded the threshold of failed U/P logins on an hourly/daily basis.
  • A download option to do a detailed analysis of the data

For more information, see Risky IP Report.


Easy app config with metadata file or URL

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

On the Enterprise applications page, administrators can upload a SAML metadata file to configure SAML based sign-on for AAD Gallery and Non-Gallery application.

Additionally, you can use Azure AD application federation metadata URL to configure SSO with the targeted application.

For more information, see Configuring single sign-on to applications that are not in the Azure Active Directory application gallery.


Azure AD Terms of use now generally available

Type: New feature
Service category: Terms of use
Product capability: Compliance

Azure AD terms of use have moved from public preview to generally available.

For more information, see the Azure AD terms of use feature.


Allow or block invitations to B2B users from specific organizations

Type: New feature
Service category: B2B
Product capability: B2B/B2C

You can now specify which partner organizations you want to share and collaborate with in Azure AD B2B Collaboration. To do this, you can choose to create list of specific allow or deny domains. When a domain is blocked using these capabilities, employees can no longer send invitations to people in that domain.

This helps you to control access to your resources, while enabling a smooth experience for approved users.

This B2B Collaboration feature is available for all Azure Active Directory customers and can be used in conjunction with Azure AD Premium features like Conditional Access and identity protection for more granular control of when and how external business users sign in and gain access.

For more information, see Allow or block invitations to B2B users from specific organizations.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2018, we've added these 13 new apps with Federation support to our app gallery:

Criterion HCM, FiscalNote, Secret Server (On-Premises), Dynamic Signal, mindWireless, OrgChart Now, Ziflow, AppNeta Performance Monitor, Elium , Fluxx Labs, Cisco Cloud, Shelf, SafetyNet

For more information about the apps, see SaaS application integration with Azure Active Directory.

For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Grant B2B users in Azure AD access to your on-premises applications (public preview)

Type: New feature
Service category: B2B
Product capability: B2B/B2C

As an organization that uses Azure Active Directory (Azure AD) B2B collaboration capabilities to invite guest users from partner organizations to your Azure AD, you can now provide these B2B users access to on-premises apps. These on-premises apps can use SAML-based authentication or Integrated Windows Authentication (IWA) with Kerberos constrained delegation (KCD).

For more information, see Grant B2B users in Azure AD access to your on-premises applications.


Get SSO integration tutorials from the Azure Marketplace

Type: Changed feature
Service category: Other
Product capability: 3rd Party Integration

If an application that is listed in the Azure marketplace supports SAML based single sign-on, clicking Get it now provides you with the integration tutorial associated with that application.


Faster performance of Azure AD automatic user provisioning to SaaS applications

Type: Changed feature
Service category: App Provisioning
Product capability: 3rd Party Integration

Previously, customers using the Azure Active Directory user provisioning connectors for SaaS applications (for example Salesforce, ServiceNow, and Box) could experience slow performance if their Azure AD tenants contained over 100,000 combined users and groups, and they were using user and group assignments to determine which users should be provisioned.

On April 2, 2018, significant performance enhancements were deployed to the Azure AD provisioning service that greatly reduce the amount of time needed to perform initial synchronizations between Azure Active Directory and target SaaS applications.

As a result, many customers that had initial synchronizations to apps that took many days or never completed, are now completing within a matter of minutes or hours.

For more information, see What happens during provisioning?


Self-service password reset from Windows 10 lock screen for hybrid Azure AD joined machines

Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication

We have updated the Windows 10 SSPR feature to include support for machines that are hybrid Azure AD joined. This feature is available in Windows 10 RS4 allows users to reset their password from the lock screen of a Windows 10 machine. Users who are enabled and registered for self-service password reset can utilize this feature.

For more information, see Azure AD password reset from the login screen.


March 2018

Certificate expire notification

Type: Fixed
Service category: Enterprise Apps
Product capability: SSO

Azure AD sends a notification when a certificate for a gallery or non-gallery application is about to expire.

Some users did not receive notifications for enterprise applications configured for SAML-based single sign-on. This issue was resolved. Azure AD sends notification for certificates expiring in 7, 30 and 60 days. You are able to see this event in the audit logs.

For more information, see:


Twitter and GitHub identity providers in Azure AD B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

You can now add Twitter or GitHub as an identity provider in Azure AD B2C. Twitter is moving from public preview to GA. GitHub is being released in public preview.

For more information, see What is Azure AD B2B collaboration?.


Restrict browser access using Intune Managed Browser with Azure AD application-based Conditional Access for iOS and Android

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Now in public preview!

Intune Managed Browser SSO: Your employees can use single sign-on across native clients (like Microsoft Outlook) and the Intune Managed Browser for all Azure AD-connected apps.

Intune Managed Browser Conditional Access Support: You can now require employees to use the Intune Managed browser using application-based Conditional Access policies.

Read more about this in our blog post.

For more information, see:


App Proxy Cmdlets in Powershell GA Module

Type: New feature
Service category: App Proxy
Product capability: Access Control

Support for Application Proxy cmdlets is now in the Powershell GA Module! This does require you to stay updated on Powershell modules - if you become more than a year behind, some cmdlets may stop working.

For more information, see AzureAD.


Office 365 native clients are supported by Seamless SSO using a non-interactive protocol

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

User using Office 365 native clients (version 16.0.8730.xxxx and above) get a silent sign-on experience using Seamless SSO. This support is provided by the addition a non-interactive protocol (WS-Trust) to Azure AD.

For more information, see How does sign-in on a native client with Seamless SSO work?


Users get a silent sign-on experience, with Seamless SSO, if an application sends sign-in requests to Azure AD's tenant endpoints

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Users get a silent sign-on experience, with Seamless SSO, if an application (for example, https://contoso.sharepoint.com) sends sign-in requests to Azure AD's tenant endpoints - that is, https://login.microsoftonline.com/contoso.com/<..> or https://login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint (https://login.microsoftonline.com/common/<...>).

For more information, see Azure Active Directory Seamless Single Sign-On.


Need to add only one Azure AD URL, instead of two URLs previously, to users' Intranet zone settings to roll out Seamless SSO

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

To roll out Seamless SSO to your users, you need to add only one Azure AD URL to the users' Intranet zone settings by using group policy in Active Directory: https://autologon.microsoftazuread-sso.com. Previously, customers were required to add two URLs.

For more information, see Azure Active Directory Seamless Single Sign-On.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In March 2018, we've added these 15 new apps with Federation support to our app gallery:

Boxcryptor, CylancePROTECT, Wrike, SignalFx, Assistant by FirstAgenda, YardiOne, Vtiger CRM, inwink, Amplitude, Spacio, ContractWorks, Bersin, Mercell, Trisotech Digital Enterprise Server, Qumu Cloud.

For more information about the apps, see SaaS application integration with Azure Active Directory.

For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


PIM for Azure Resources is generally available

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

If you are using Azure AD Privileged Identity Management for directory roles, you can now use PIM's time-bound access and assignment capabilities for Azure Resource roles such as Subscriptions, Resource Groups, Virtual Machines, and any other resource supported by Azure Resource Manager. Enforce Multi-Factor Authentication when activating roles Just-In-Time, and schedule activations in coordination with approved change windows. In addition, this release adds enhancements not available during public preview including an updated UI, approval workflows, and the ability to extend roles expiring soon and renew expired roles.

For more information, see PIM for Azure resources (Preview)


Adding Optional Claims to your apps tokens (public preview)

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Your Azure AD app can now request custom or optional claims in JWTs or SAML tokens. These are claims about the user or tenant that are not included by default in the token, due to size or applicability constraints. This is currently in public preview for Azure AD apps on the v1.0 and v2.0 endpoints. See the documentation for information on what claims can be added and how to edit your application manifest to request them.

For more information, see Optional claims in Azure AD.


Azure AD supports PKCE for more secure OAuth flows

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Azure AD docs have been updated to note support for PKCE, which allows for more secure communication during the OAuth 2.0 Authorization Code grant flow. Both S256 and plaintext code_challenges are supported on the v1.0 and v2.0 endpoints.

For more information, see Request an authorization code.


Support for provisioning all user attribute values available in the Workday Get_Workers API

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

The public preview of inbound provisioning from Workday to Active Directory and Azure AD now supports the ability to extract and provisioning all attribute values available in the Workday Get_Workers API. This adds supports for hundreds of additional standard and custom attributes beyond the ones shipped with the initial version of the Workday inbound provisioning connector.

For more information, see: Customizing the list of Workday user attributes


Changing group membership from dynamic to static, and vice versa

Type: New feature
Service category: Group Management
Product capability: Collaboration

It is possible to change how membership is managed in a group. This is useful when you want to keep the same group name and ID in the system, so any existing references to the group are still valid; creating a new group would require updating those references. We've updated the Azure AD Admin center to support this functionality. Now, customers can convert existing groups from dynamic membership to assigned membership and vice-versa. The existing PowerShell cmdlets are also still available.

For more information, see Dynamic membership rules for groups in Azure Active Directory


Improved sign-out behavior with Seamless SSO

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

Previously, even if users explicitly signed out of an application secured by Azure AD, they would be automatically signed back in using Seamless SSO if they were trying to access an Azure AD application again within their corpnet from their domain joined devices. With this change, sign out is supported. This allows users to choose the same or different Azure AD account to sign back in with, instead of being automatically signed in using Seamless SSO.

For more information, see Azure Active Directory Seamless Single Sign-On


Application Proxy Connector Version 1.5.402.0 Released

Type: Changed feature
Service category: App Proxy
Product capability: Identity Security & Protection

This connector version is gradually being rolled out through November. This new connector version includes the following changes:

  • The connector now sets domain level cookies instead subdomain level. This ensures a smoother SSO experience and avoids redundant authentication prompts.
  • Support for chunked encoding requests
  • Improved connector health monitoring
  • Several bug fixes and stability improvements

For more information, see Understand Azure AD Application Proxy connectors.


February 2018

Improved navigation for managing users and groups

Type: Plan for change
Service category: Directory Management
Product capability: Directory

The navigation experience for managing users and groups has been streamlined. You can now navigate from the directory overview directly to the list of all users, with easier access to the list of deleted users. You can also navigate from the directory overview directly to the list of all groups, with easier access to group management settings. And also from the directory overview page, you can search for a user, group, enterprise application, or app registration.


Availability of sign-ins and audit reports in Microsoft Azure operated by 21Vianet (Azure China 21Vianet)

Type: New feature
Service category: Azure Stack
Product capability: Monitoring & Reporting

Azure AD Activity log reports are now available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) instances. The following logs are included:

  • Sign-ins activity logs - Includes all the sign-ins logs associated with your tenant.

  • Self service Password Audit Logs - Includes all the SSPR audit logs.

  • Directory Management Audit logs - Includes all the directory management-related audit logs like User management, App Management, and others.

With these logs, you can gain insights into how your environment is doing. The provided data enables you to:

  • Determine how your apps and services are utilized by your users.

  • Troubleshoot issues preventing your users from getting their work done.

For more information about how to use these reports, see Azure Active Directory reporting.


Use "Report Reader" role (non-admin role) to view Azure AD Activity Reports

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

As part of customers feedback to enable non-admin roles to have access to Azure AD activity logs, we have enabled the ability for users who are in the "Report Reader" role to access Sign-ins and Audit activity within the Azure portal as well as using our Graph APIs.

For more information, how to use these reports, see Azure Active Directory reporting.


EmployeeID claim available as user attribute and user identifier

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

You can configure EmployeeID as the User identifier and User attribute for member users and B2B guests in SAML-based sign-on applications from the Enterprise application UI.

For more information, see Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory.


Simplified Application Management using Wildcards in Azure AD Application Proxy

Type: New feature
Service category: App Proxy
Product capability: User Authentication

To make application deployment easier and reduce your administrative overhead, we now support the ability to publish applications using wildcards. To publish a wildcard application, you can follow the standard application publishing flow, but use a wildcard in the internal and external URLs.

For more information, see Wildcard applications in the Azure Active Directory application proxy


New cmdlets to support configuration of Application Proxy

Type: New feature
Service category: App Proxy
Product capability: Platform

The latest release of the AzureAD PowerShell Preview module contains new cmdlets that allow customers to configure Application Proxy Applications using PowerShell.

The new cmdlets are:

  • Get-AzureADApplicationProxyApplication
  • Get-AzureADApplicationProxyApplicationConnectorGroup
  • Get-AzureADApplicationProxyConnector
  • Get-AzureADApplicationProxyConnectorGroup
  • Get-AzureADApplicationProxyConnectorGroupMembers
  • Get-AzureADApplicationProxyConnectorMemberOf
  • New-AzureADApplicationProxyApplication
  • New-AzureADApplicationProxyConnectorGroup
  • Remove-AzureADApplicationProxyApplication
  • Remove-AzureADApplicationProxyApplicationConnectorGroup
  • Remove-AzureADApplicationProxyConnectorGroup
  • Set-AzureADApplicationProxyApplication
  • Set-AzureADApplicationProxyApplicationConnectorGroup
  • Set-AzureADApplicationProxyApplicationCustomDomainCertificate
  • Set-AzureADApplicationProxyApplicationSingleSignOn
  • Set-AzureADApplicationProxyConnector
  • Set-AzureADApplicationProxyConnectorGroup

New cmdlets to support configuration of groups

Type: New feature
Service category: App Proxy
Product capability: Platform

The latest release of the AzureAD PowerShell module contains cmdlets to manage groups in Azure AD. These cmdlets were previously available in the AzureADPreview module and are now added to the AzureAD module

The Group cmdlets that are now release for General Availability are:

  • Get-AzureADMSGroup
  • New-AzureADMSGroup
  • Remove-AzureADMSGroup
  • Set-AzureADMSGroup
  • Get-AzureADMSGroupLifecyclePolicy
  • New-AzureADMSGroupLifecyclePolicy
  • Remove-AzureADMSGroupLifecyclePolicy
  • Add-AzureADMSLifecyclePolicyGroup
  • Remove-AzureADMSLifecyclePolicyGroup
  • Reset-AzureADMSLifeCycleGroup
  • Get-AzureADMSLifecyclePolicyGroup

A new release of Azure AD Connect is available

Type: New feature
Service category: AD Sync
Product capability: Platform

Azure AD Connect is the preferred tool to synchronize data between Azure AD and on premises data sources, including Windows Server Active Directory and LDAP.

Important

This build introduces schema and sync rule changes. The Azure AD Connect Synchronization Service triggers a Full Import and Full Synchronization steps after an upgrade. For information on how to change this behavior, see How to defer full synchronization after upgrade.

This release has the following updates and changes:

Fixed issues

  • Fix timing window on background tasks for Partition Filtering page when switching to next page.

  • Fixed a bug that caused Access violation during the ConfigDB custom action.

  • Fixed a bug to recover from sql connection timeout.

  • Fixed a bug where certificates with SAN wildcards fail pre-req check.

  • Fixed a bug that causes miiserver.exe crash during AAD connector export.

  • Fixed a bug where a bad password attempt logged on DC when running caused the AAD connect wizard to change configuration

New features and improvements

  • Application telemetry - Administrators can switch this class of data on/off.

  • Azure AD Health data - Administrators must visit the health portal to control their health settings. Once the service policy has been changed, the agents will read and enforce it.

  • Added device writeback configuration actions and a progress bar for page initialization.

  • Improved general diagnostics with HTML report and full data collection in a ZIP-Text / HTML Report.

  • Improved reliability of auto upgrade and added additional telemetry to ensure the health of the server can be determined.

  • Restrict permissions available to privileged accounts on AD Connector account. For new installations, the wizard restricts the permissions that privileged accounts have on the MSOL account after creating the MSOL account. The changes affect express installations and custom installations with Auto-Create account.

  • Changed the installer to not require SA privilege on clean install of AADConnect.

  • New utility to troubleshoot synchronization issues for a specific object. Currently, the utility checks for the following things:

    • UserPrincipalName mismatch between synchronized user object and the user account in Azure AD Tenant.

    • If the object is filtered from synchronization due to domain filtering

    • If the object is filtered from synchronization due to organizational unit (OU) filtering

  • New utility to synchronize the current password hash stored in the on-premises Active Directory for a specific user account. The utility does not require a password change.


Applications supporting Intune App Protection policies added for use with Azure AD application-based Conditional Access

Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

We have added more applications that support application-based Conditional Access. Now, you can get access to Office 365 and other Azure AD-connected cloud apps using these approved client apps.

The following applications will be added by the end of February:

  • Microsoft Power BI

  • Microsoft Launcher

  • Microsoft Invoicing

For more information, see:


Terms of use update to mobile experience

Type: Changed feature
Service category: Terms of use
Product capability: Compliance

When the terms of use are displayed, you can now click Having trouble viewing? Click here. Clicking this link opens the terms of use natively on your device. Regardless of the font size in the document or the screen size of device, you can zoom and read the document as needed.


January 2018

Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2018, the following new apps with federation support were added in the app gallery:

IBM OpenPages, OneTrust Privacy Management Software, Dealpath, [IriusRisk Federated Directory, and Fidelity NetBenefits.

For more information about the apps, see SaaS application integration with Azure Active Directory.

For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Sign in with additional risk detected

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

The insight you get for a detected risk detection is tied to your Azure AD subscription. With the Azure AD Premium P2 edition, you get the most detailed information about all underlying detections.

With the Azure AD Premium P1 edition, detections that are not covered by your license appear as the risk detection Sign-in with additional risk detected.

For more information, see Azure Active Directory risk detections.


Hide Office 365 applications from end user's access panels

Type: New feature
Service category: My Apps
Product capability: SSO

You can now better manage how Office 365 applications show up on your user's access panels through a new user setting. This option is helpful for reducing the number of apps in a user's access panels if you prefer to only show Office apps in the Office portal. The setting is located in the User Settings and is labeled, Users can only see Office 365 apps in the Office 365 portal.

For more information, see Hide an application from user's experience in Azure Active Directory.


Seamless sign into apps enabled for Password SSO directly from app's URL

Type: New feature
Service category: My Apps
Product capability: SSO

The My Apps browser extension is now available via a convenient tool that gives you the My Apps single-sign on capability as a shortcut in your browser. After installing, user's will see a waffle icon in their browser that provides them quick access to apps. Users can now take advantage of:

  • The ability to directly sign in to password-SSO based apps from the app’s sign-in page
  • Launch any app using the quick search feature
  • Shortcuts to recently used apps from the extension
  • The extension is available for Microsoft Edge, Chrome, and Firefox.

For more information, see My Apps Secure Sign-in Extension.


Azure AD administration experience in Azure Classic Portal has been retired

Type: Deprecated
Service category: Azure AD
Product capability: Directory

As of January 8, 2018, the Azure AD administration experience in the Azure classic portal has been retired. This took place in conjunction with the retirement of the Azure classic portal itself. In the future, you should use the Azure AD admin center for all your portal-based administration of Azure AD.


The PhoneFactor web portal has been retired

Type: Deprecated
Service category: Azure AD
Product capability: Directory

As of January 8, 2018, the PhoneFactor web portal has been retired. This portal was used for the administration of MFA server, but those functions have been moved into the Azure portal at portal.azure.com.

The MFA configuration is located at: Azure Active Directory > MFA Server


Deprecate Azure AD reports

Type: Deprecated
Service category: Reporting
Product capability: Identity Lifecycle Management

With the general availability of the new Azure Active Directory Administration console and new APIs now available for both activity and security reports, the report APIs under "/reports" endpoint have been retired as of end of December 31, 2017.

What's available?

As part of the transition to the new admin console, we have made 2 new APIs available for retrieving Azure AD Activity Logs. The new set of APIs provides richer filtering and sorting functionality in addition to providing richer audit and sign-in activities. The data previously available through the security reports can now be accessed through the Identity Protection risk detections API in Microsoft Graph.

For more information, see:


December 2017

Terms of use in the Access Panel

Type: New feature
Service category: Terms of use
Product capability: Compliance

You now can go to the Access Panel and view the terms of use that you previously accepted.

Follow these steps:

  1. Go to the MyApps portal, and sign in.

  2. In the upper-right corner, select your name, and then select Profile from the list.

  3. On your Profile, select Review terms of use.

  4. Now you can review the terms of use you accepted.

For more information, see the Azure AD terms of use feature (preview).


New Azure AD sign-in experience

Type: New feature
Service category: Azure AD
Product capability: User authentication

The Azure AD and Microsoft account identity system UIs were redesigned so that they have a consistent look and feel. In addition, the Azure AD sign-in page collects the user name first, followed by the credential on a second screen.

For more information, see The new Azure AD sign-in experience is now in public preview.


Fewer sign-in prompts: A new "keep me signed in" experience for Azure AD sign-in

Type: New feature
Service category: Azure AD
Product capability: User authentication

The Keep me signed in check box on the Azure AD sign-in page was replaced with a new prompt that shows up after you successfully authenticate.

If you respond Yes to this prompt, the service gives you a persistent refresh token. This behavior is the same as when you selected the Keep me signed in check box in the old experience. For federated tenants, this prompt shows after you successfully authenticate with the federated service.

For more information, see Fewer sign-in prompts: The new "keep me signed in" experience for Azure AD is in preview.


Add configuration to require the terms of use to be expanded prior to accepting

Type: New feature
Service category: Terms of use
Product capability: Compliance

An option for administrators requires their users to expand the terms of use prior to accepting the terms.

Select either On or Off to require users to expand the terms of use. The On setting requires users to view the terms of use prior to accepting them.

For more information, see the Azure AD terms of use feature (preview).


Scoped activation for eligible role assignments

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

You can use scoped activation to activate eligible Azure resource role assignments with less autonomy than the original assignment defaults. An example is if you're assigned as the owner of a subscription in your tenant. With scoped activation, you can activate the owner role for up to five resources contained within the subscription (such as resource groups and virtual machines). Scoping your activation might reduce the possibility of executing unwanted changes to critical Azure resources.

For more information, see What is Azure AD Privileged Identity Management?.


Type: New feature
Service category: Enterprise apps
Product capability: 3rd Party Integration

In December 2017, we've added these new apps with Federation support to our app gallery:

Accredible, Adobe Experience Manager, EFI Digital StoreFront, Communifire CybSafe, FactSet, IMAGE WORKS, MOBI, MobileIron Azure AD integration, Reflektive, SAML SSO for Bamboo by resolution GmbH, SAML SSO for Bitbucket by resolution GmbH, Vodeclic, WebHR, Zenegy Azure AD Integration.

For more information about the apps, see SaaS application integration with Azure Active Directory.

For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.


Approval workflows for Azure AD directory roles

Type: Changed feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Approval workflow for Azure AD directory roles is generally available.

With approval workflow, privileged-role administrators can require eligible-role members to request role activation before they can use the privileged role. Multiple users and groups can be delegated approval responsibilities. Eligible role members receive notifications when approval is finished and their role is active.


Pass-through authentication: Skype for Business support

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User authentication

Pass-through authentication now supports user sign-ins to Skype for Business client applications that support modern authentication, which includes online and hybrid topologies.

For more information, see Skype for Business topologies supported with modern authentication.


Updates to Azure AD Privileged Identity Management for Azure RBAC (preview)

Type: Changed feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

With the public preview refresh of Azure AD Privileged Identity Management (PIM) for Azure Role-Based Access Control (RBAC), you can now:

  • Use Just Enough Administration.
  • Require approval to activate resource roles.
  • Schedule a future activation of a role that requires approval for both Azure AD and Azure RBAC roles.

For more information, see Privileged Identity Management for Azure resources (preview).


November 2017

Access Control service retirement

Type: Plan for change
Service category: Access Control service
Product capability: Access Control service

Azure Active Directory Access Control (also known as the Access Control service) will be retired in late 2018. More information that includes a detailed schedule and high-level migration guidance will be provided in the next few weeks. You can leave comments on this page with any questions about the Access Control service, and a team member will answer them.


Restrict browser access to the Intune Managed Browser

Type: Plan for change
Service category: Conditional Access
Product capability: Identity security and protection

You can restrict browser access to Office 365 and other Azure AD-connected cloud apps by using the Intune Managed Browser as an approved app.

You now can configure the following condition for application-based Conditional Access:

Client apps: Browser

What is the effect of the change?

Today, access is blocked when you use this condition. When the preview is available, all access will require the use of the managed browser application.

Look for this capability and more information in upcoming blogs and release notes.

For more information, see Conditional Access in Azure AD.


New approved client apps for Azure AD app-based Conditional Access

Type: Plan for change
Service category: Conditional Access
Product capability: Identity security and protection

The following apps are on the list of approved client apps:

For more information, see:


Terms-of-use support for multiple languages

Type: New feature
Service category: Terms of use
Product capability: Compliance

Administrators now can create new terms of use that contain multiple PDF documents. You can tag these PDF documents with a corresponding language. Users are shown the PDF with the matching language based on their preferences. If there is no match, the default language is shown.


Real-time password writeback client status

Type: New feature
Service category: Self-service password reset
Product capability: User authentication

You now can review the status of your on-premises password writeback client. This option is available in the On-premises integration section of the Password reset page.

If there are issues with your connection to your on-premises writeback client, you see an error message that provides you with:

  • Information on why you can't connect to your on-premises writeback client.
  • A link to documentation that assists you in resolving the issue.

For more information, see on-premises integration.


Azure AD app-based Conditional Access

Type: New feature
Service category: Azure AD
Product capability: Identity security and protection

You now can restrict access to Office 365 and other Azure AD-connected cloud apps to approved client apps that support Intune app protection policies by using Azure AD app-based Conditional Access. Intune app protection policies are used to configure and protect company data on these client applications.

By combining app-based with device-based Conditional Access policies, you have the flexibility to protect data for personal and company devices.

The following conditions and controls are now available for use with app-based Conditional Access:

Supported platform condition

  • iOS
  • Android

Client apps condition

  • Mobile apps and desktop clients

Access control

  • Require approved client app

For more information, see Azure AD app-based Conditional Access.


Manage Azure AD devices in the Azure portal

Type: New feature
Service category: Device registration and management
Product capability: Identity security and protection

You now can find all your devices connected to Azure AD and the device-related activities in one place. There is a new administration experience to manage all your device identities and settings in the Azure portal. In this release, you can:

  • View all your devices that are available for Conditional Access in Azure AD.
  • View properties, which include your hybrid Azure AD-joined devices.
  • Find BitLocker keys for your Azure AD-joined devices, manage your device with Intune, and more.
  • Manage Azure AD device-related settings.

For more information, see Manage devices by using the Azure portal.


Support for macOS as a device platform for Azure AD Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity security and protection

You now can include (or exclude) macOS as a device platform condition in your Azure AD Conditional Access policy. With the addition of macOS to the supported device platforms, you can:

  • Enroll and manage macOS devices by using Intune. Similar to other platforms like iOS and Android, a company portal application is available for macOS to do unified enrollments. You can use the new company portal app for macOS to enroll a device with Intune and register it with Azure AD.
  • Ensure macOS devices adhere to your organization's compliance policies defined in Intune. In Intune on the Azure portal, you now can set up compliance policies for macOS devices.
  • Restrict access to applications in Azure AD to only compliant macOS devices. Conditional Access policy authoring has macOS as a separate device platform option. Now you can author macOS-specific Conditional Access policies for the targeted application set in Azure.

For more information, see:


Network Policy Server extension for Azure Multi-Factor Authentication

Type: New feature
Service category: Multi-factor authentication
Product capability: User authentication

The Network Policy Server extension for Azure Multi-Factor Authentication adds cloud-based Multi-Factor Authentication capabilities to your authentication infrastructure by using your existing servers. With the Network Policy Server extension, you can add phone call, text message, or phone app verification to your existing authentication flow. You don't have to install, configure, and maintain new servers.

This extension was created for organizations that want to protect virtual private network connections without deploying the Azure Multi-Factor Authentication Server. The Network Policy Server extension acts as an adapter between RADIUS and cloud-based Azure Multi-Factor Authentication to provide a second factor of authentication for federated or synced users.

For more information, see Integrate your existing Network Policy Server infrastructure with Azure Multi-Factor Authentication.


Restore or permanently remove deleted users

Type: New feature
Service category: User management
Product capability: Directory

In the Azure AD admin center, you can now:

  • Restore a deleted user.
  • Permanently delete a user.

To try it out:

  1. In the Azure AD admin center, select All users in the Manage section.

  2. From the Show list, select Recently deleted users.

  3. Select one or more recently deleted users, and then either restore them or permanently delete them.


New approved client apps for Azure AD app-based Conditional Access

Type: Changed feature
Service category: Conditional Access
Product capability: Identity security and protection

The following apps were added to the list of approved client apps:

  • Microsoft Planner
  • Azure Information Protection

For more information, see:


Use "OR" between controls in a Conditional Access policy

Type: Changed feature
Service category: Conditional Access
Product capability: Identity security and protection

You now can use "OR" (require one of the selected controls) for Conditional Access controls. You can use this feature to create policies with "OR" between access controls. For example, you can use this feature to create a policy that requires a user to sign in by using Multi-Factor Authentication "OR" to be on a compliant device.

For more information, see Controls in Azure AD Conditional Access.


Aggregation of real-time risk detections

Type: Changed feature
Service category: Identity protection
Product capability: Identity security and protection

In Azure AD Identity Protection, all real-time risk detections that originated from the same IP address on a given day are now aggregated for each risk detection type. This change limits the volume of risk detections shown without any change in user security.

The underlying real-time detection works each time the user signs in. If you have a sign-in risk security policy set up to Multi-Factor Authentication or block access, it is still triggered during each risky sign-in.


October 2017

Deprecate Azure AD reports

Type: Plan for change
Service category: Reporting
Product capability: Identity Lifecycle Management

The Azure portal provides you with:

  • A new Azure AD administration console.
  • New APIs for activity and security reports.

Due to these new capabilities, the report APIs under the /reports endpoint were retired on December 10, 2017.


Automatic sign-in field detection

Type: Fixed
Service category: My Apps
Product capability: Single sign-on

Azure AD supports automatic sign-in field detection for applications that render an HTML user name and password field. These steps are documented in How to automatically capture sign-in fields for an application. You can find this capability by adding a Non-Gallery application on the Enterprise Applications page in the Azure portal. Additionally, you can configure the Single Sign-on mode on this new application to Password-based Single Sign-on, enter a web URL, and then save the page.

Due to a service issue, this functionality was temporarily disabled. The issue was resolved, and the automatic sign-in field detection is available again.


New Multi-Factor Authentication features

Type: New feature
Service category: Multi-factor authentication
Product capability: Identity security and protection

Multi-factor authentication (MFA) is an essential part of protecting your organization. To make credentials more adaptive and the experience more seamless, the following features were added:

  • Multi-factor challenge results are directly integrated into the Azure AD sign-in report, which includes programmatic access to MFA results.
  • The MFA configuration is more deeply integrated into the Azure AD configuration experience in the Azure portal.

With this public preview, MFA management and reporting are an integrated part of the core Azure AD configuration experience. Now you can manage the MFA management portal functionality within the Azure AD experience.

For more information, see Reference for MFA reporting in the Azure portal.


Terms of use

Type: New feature
Service category: Terms of use
Product capability: Compliance

You can use Azure AD terms of use to present information such as relevant disclaimers for legal or compliance requirements to users.

You can use Azure AD terms of use in the following scenarios:

  • General terms of use for all users in your organization
  • Specific terms of use based on a user's attributes (for example, doctors vs. nurses or domestic vs. international employees, done by dynamic groups)
  • Specific terms of use for accessing high-impact business apps, like Salesforce

For more information, see Azure AD terms of use.


Enhancements to Privileged Identity Management

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

With Azure AD Privileged Identity Management, you can manage, control, and monitor access to Azure resources (preview) within your organization to:

  • Subscriptions
  • Resource groups
  • Virtual machines

All resources within the Azure portal that use the Azure RBAC functionality can take advantage of all the security and lifecycle management capabilities that Azure AD Privileged Identity Management has to offer.

For more information, see Privileged Identity Management for Azure resources.


Access reviews

Type: New feature
Service category: Access reviews
Product capability: Compliance

Organizations can use access reviews (preview) to efficiently manage group memberships and access to enterprise applications:

  • You can recertify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can efficiently decide whether to allow guests continued access based on the insights provided by the access reviews.
  • You can recertify employee access to applications and group memberships with access reviews.

You can collect the access review controls into programs relevant for your organization to track reviews for compliance or risk-sensitive applications.

For more information, see Azure AD access reviews.


Hide third-party applications from My Apps and the Office 365 app launcher

Type: New feature
Service category: My Apps
Product capability: Single sign-on

You now can better manage apps that show up on your users' portals through a new hide app property. You can hide apps to help in cases where app tiles show up for back-end services or duplicate tiles and clutter users' app launchers. The toggle is in the Properties section of the third-party app and is labeled Visible to user? You also can hide an app programmatically through PowerShell.

For more information, see Hide a third-party application from a user's experience in Azure AD.

What's available?

As part of the transition to the new admin console, two new APIs for retrieving Azure AD activity logs are available. The new set of APIs provides richer filtering and sorting functionality in addition to providing richer audit and sign-in activities. The data previously available through the security reports now can be accessed through the Identity Protection Risk Detections API in Microsoft Graph.

September 2017

Hotfix for Identity Manager

Type: Changed feature
Service category: Identity Manager
Product capability: Identity lifecycle management

A hotfix roll-up package (build 4.4.1642.0) is available as of September 25, 2017, for Identity Manager 2016 Service Pack 1. This roll-up package:

  • Resolves issues and adds improvements.
  • Is a cumulative update that replaces all Identity Manager 2016 Service Pack 1 updates up to build 4.4.1459.0 for Identity Manager 2016.
  • Requires you to have Identity Manager 2016 build 4.4.1302.0.

For more information, see Hotfix rollup package (build 4.4.1642.0) is available for Identity Manager 2016 Service Pack 1.