What's new in Azure Active Directory?

Get notified about when to revisit this page for updates by copying and pasting this URL into your RSS feed reader: https://docs.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Azure Active Directory.

July 2022

Public Preview - ADFS to Azure AD: SAML App Multi-Instancing

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Users can now configure multiple instances of the same application within an Azure AD tenant. Multi-instancing is supported for both IdP-initiated and Service Provider (SP)-initiated single sign-on requests. Each application instance can now have its own service principal to handle instance-specific claims mapping and role assignment. For more information, see:


Public Preview - ADFS to Azure AD: Apply RegEx Replace to groups claim content

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Until recently, administrators could transform claims using many transformations, but regular-expression-based claims transformation wasn't exposed to customers. With this public preview release, administrators can now configure and use regular expressions for claims transformation through the portal UX. For more information, see: Customize app SAML token claims - Microsoft Entra | Microsoft Docs.


Public Preview - Azure AD Domain Services - Trusts for User Forests

Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

You can now create trusts on both user and resource forests. On-premises AD DS users can't authenticate to resources in the Azure AD DS resource forest until you create an outbound trust to your on-premises AD DS. An outbound trust requires network connectivity to the on-premises virtual network on which you have installed Azure AD Domain Services. On a user forest, trusts can be created for on-premises AD forests that aren't synchronized to Azure AD DS.

To learn more about trusts and how to deploy your own, visit How trust relationships work for forests in Active Directory.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2022 we've added the following 28 new applications in our App gallery with Federation support:

Lunni Ticket Service, TESMA, Spring Health, Sorbet, Rainmaker UPS, Planview ID, Karbonalpha, Headspace, SeekOut, Stackby, Infrascale Cloud Backup, Keystone, LMS・教育管理システム Leaf, ZDiscovery, ラインズeライブラリアドバンス (Lines eLibrary Advance), Rootly, Articulate 360, Rise.com, SevOne Network Monitoring System (NMS), PGM, TouchRight Software, Tendium, Training Platform, Znapio, Preset, itslearning MS Teams sync, Veza, Trax

You can also find the documentation for all the applications here: https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest.


General Availability - No more waiting, provision groups on demand into your SaaS applications.

Type: New feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

Pick a group of up to five members and provision them into your third-party applications in seconds. Get started testing, troubleshooting, and provisioning to non-Microsoft applications such as ServiceNow, ZScaler, and Adobe. For more information, see: On-demand provisioning in Azure Active Directory.


General Availability – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by asserting that multi-factor authentication has already been performed by the identity provider. The protection is enabled via the new security setting, federatedIdpMfaBehavior.

We highly recommend enabling this new protection when Azure AD Multi-Factor Authentication is the multi-factor authentication method for your federated users. To learn more about the protection and how to enable it, visit Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


General Availability - Tenant-based service outage notifications

Type: New feature
Service category: Other
Product capability: Platform

Azure Service Health supports service outage notifications to Tenant Admins for Azure Active Directory issues. These outages also appear on the Azure AD Admin Portal Overview page with links to Azure Service Health. Outage events are visible to built-in Tenant Administrator roles. We'll continue to send outage notifications to subscriptions within a tenant during the transition. More information is available at: What are Service Health notifications in Azure Active Directory?.


Public Preview - Multiple Passwordless Phone sign-in Accounts for iOS devices

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in either the same, or different, tenants. Guest accounts aren't supported for multiple account sign-ins from one device.

End users are encouraged to enable the optional telemetry setting in the Authenticator App, if they haven't already. For more information, see: Enable passwordless sign-in with Microsoft Authenticator.


Public Preview - Azure AD Domain Services - Fine Grain Permissions

Type: Changed feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Previously, setting up and administering your Azure AD DS instance required the top-level Azure Contributor and Azure AD Global Administrator permissions. Now, for both initial creation and ongoing administration, you can use more fine-grained permissions for enhanced security and control. The prerequisites now minimally require:

Check out these resources to learn more:


General Availability- Azure AD Connect update release with new functionality and bug fixes

Type: Changed feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

A new Azure AD Connect release fixes several bugs and includes new functionality. This release is also available for auto upgrade for eligible servers. For more information, see: Azure AD Connect: Version release history.


General Availability - Cross-tenant access settings for B2B collaboration

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now you’ll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. For more information, see: Cross-tenant access with Azure AD External Identities.


General Availability- Expression builder with Application Provisioning

Type: Changed feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in your apps or in your on-premises directory could be disastrous. We're excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it first pauses and gives you visibility into the potential deletions. You can then accept or reject the deletions and have time to update the job's scope if necessary. For more information, see Understand how expression builder in Application Provisioning works.


Public Preview - Improved app discovery view for My Apps portal

Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

An improved app discovery view for My Apps is in public preview. The preview shows users more apps in the same space and allows them to scroll between collections. It doesn't currently support drag-and-drop and list view. Users can opt into the preview by selecting Try the preview and opt out by selecting Return to previous view. To learn more about My Apps, see My Apps portal overview.


Public Preview - New Azure AD Portal All Devices list

Type: Changed feature
Service category: Device Registration and Management
Product capability: End User Experiences

We're enhancing the All Devices list in the Azure AD Portal to make it easier to filter and manage your devices. Improvements include:

All Devices List:

  • Infinite scrolling
  • More device properties can be filtered on
  • Columns can be reordered via drag and drop
  • Select all devices

For more information, see: Manage devices in Azure AD using the Azure portal.


Public Preview - ADFS to Azure AD: Persistent NameID for IDP-initiated Apps

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

Previously, the only way to have a persistent NameID value was to configure the user attribute with an empty value. Admins can now explicitly configure the NameID value to be persistent, along with the corresponding format.

For more information, see: Customize app SAML token claims - Microsoft identity platform | Microsoft Docs.


Public Preview - ADFS to Azure Active Directory: Customize attrname-format

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

With this new parity update, customers can now integrate non-gallery applications such as Socure DevHub with Azure AD to have SSO via SAML.

For more information, see Claims mapping policy - Microsoft Entra | Microsoft Docs.


June 2022

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Public Preview - Roles are being assigned outside of Privileged Identity Management

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Customers can be alerted on assignments made outside PIM, either in the Azure portal or via email. For the current public preview, the assignments are tracked at the subscription level. For more information, see Configure security alerts for Azure roles in Privileged Identity Management.


General Availability - Temporary Access Pass is now available

Type: New feature
Service category: MFA
Product capability: User Authentication

Temporary Access Pass (TAP) is now generally available. TAP can be used to securely register passwordless methods such as Phone Sign-in, phishing-resistant methods such as FIDO2, and even help with Windows onboarding (AADJ and WHFB). TAP also makes recovery easier when a user has lost or forgotten their strong authentication methods and needs to sign in to register new authentication methods. For more information, see: Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods.


Public Preview of Dynamic Group support for MemberOf

Type: New feature
Service category: Group Management
Product capability: Directory

Create "nested" groups with Azure AD Dynamic Groups! This feature enables you to build dynamic Azure AD Security Groups and Microsoft 365 groups based on other groups! For example, you can now create Dynamic-Group-A with members of Group-X and Group-Y. For more information, see: Steps to create a memberOf dynamic group.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2022 we've added the following 22 new applications in our App gallery with Federation support:

Leadcamp Mailer, PULCE, Hive Learning, Planview LeanKit, Javelo, きょうしつでビスケット, Agile Provisioning, xCarrier®, Skillcast, JTRA, InnerSpace inTELLO, Seculio, XplicitTrust Partner Console, Veracity Single-Sign On, Guardium Data Protection, IntellicureEHR v7, BMIS - Battery Management Information System, Finbiosoft Cloud, Standard for Success K-12, E2open LSP, TVU Service, S4 - Digitsec.

You can also find the documentation for all the applications here: https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, see the details here: https://aka.ms/AzureADAppRequest.


General Availability – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by asserting that multi-factor authentication has already been performed by the identity provider. The protection is enabled via the new security setting, federatedIdpMfaBehavior.

We highly recommend enabling this new protection when Azure AD Multi-Factor Authentication is the multi-factor authentication method for your federated users. To learn more about the protection and how to enable it, visit Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.


Public Preview - New Azure AD Portal All Users list and User Profile UI

Type: Changed feature
Service category: User Management
Product capability: User Management

We're enhancing the All Users list and User Profile in the Azure AD Portal to make it easier to find and manage your users. Improvements include:

All Users List:

  • Infinite scrolling (yes, no 'Load more')
  • More user properties can be added as columns and filtered on
  • Columns can be reordered via drag and drop
  • Default columns shown and their order can be managed via the column picker
  • The ability to copy and share the current view

User Profile:

  • A new Overview page that surfaces insights (that is, group memberships, account enabled, MFA capable, risky user, etc.)
  • A new monitoring tab
  • More user properties can be viewed and edited in the properties tab

For more information, see: User management enhancements in Azure Active Directory.


General Availability - More device properties supported for Dynamic Device groups

Type: Changed feature
Service category: Group Management
Product capability: Directory

You can now create or update dynamic device groups using the following properties:

  • deviceManagementAppId
  • deviceTrustType
  • extensionAttribute1-15
  • profileType

For more information on how to use this feature, see: Dynamic membership rule for device groups.
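As an added example (not code from the page or from Microsoft), the following PowerShell creates the "nested" memberOf dynamic group described in the June "Dynamic Group support for MemberOf" item and a dynamic device group that uses the deviceTrustType and extensionAttribute1 properties listed above. It uses the Microsoft Graph PowerShell SDK; the group IDs, display names and attribute values are constructed placeholders, and the parameter names accepted by New-MgGroup are taken from the SDK reference.

```powershell
# Added example, not from the page: dynamic group creation with the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module).
# All IDs, names and attribute values below are constructed placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-DynamicSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # With GroupTypes 'DynamicMembership' Azure AD evaluates the rule and
    # maintains membership itself; 'Paused' would store the rule without evaluating it.
    New-MgGroup -DisplayName $DisplayName `
                -MailEnabled:$false `
                -MailNickname $MailNickname `
                -SecurityEnabled `
                -GroupTypes @('DynamicMembership') `
                -MembershipRule $MembershipRule `
                -MembershipRuleProcessingState 'On'
}

# 1) "Nested" dynamic group: users who are members of Group-X or Group-Y.
#    Placeholder object IDs; replace them with the real group IDs from your tenant.
$groupX = '11111111-1111-1111-1111-111111111111'
$groupY = '22222222-2222-2222-2222-222222222222'
$memberOfRule = "user.memberof -any (group.objectId -in ['$groupX', '$groupY'])"
$dynamicA = New-DynamicSecurityGroup -DisplayName 'Dynamic-Group-A' `
                                     -MailNickname 'dynamic-group-a' `
                                     -MembershipRule $memberOfRule

# 2) Dynamic device group using the newly supported device properties:
#    Azure AD joined devices (deviceTrustType) tagged "Finance" in extensionAttribute1.
$deviceRule = '(device.deviceTrustType -eq "AzureAD") -and (device.extensionAttribute1 -eq "Finance")'
$financeDevices = New-DynamicSecurityGroup -DisplayName 'Finance-AzureAD-Joined-Devices' `
                                           -MailNickname 'finance-aadj-devices' `
                                           -MembershipRule $deviceRule

# Verify: read the stored rule and processing state back from the directory.
foreach ($g in $dynamicA, $financeDevices) {
    Get-MgGroup -GroupId $g.Id -Property 'id,displayName,membershipRule,membershipRuleProcessingState' |
        Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
}
```

Membership is populated asynchronously after creation, so an immediate Get-MgGroupMember call may return nothing. Because a dynamic group's members drive access (Conditional Access, app assignment, role-assignable groups), treat the rule string itself as a privileged object and review changes to it the same way you would review a role assignment.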


May 2022

General Availability: Tenant-based service outage notifications

Type: Plan for change
Service category: Other
Product capability: Platform

Azure Service Health will soon support service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure AD admin portal overview page with links to Azure Service Health. Outage events will be visible to built-in Tenant Administrator roles. We'll continue to send outage notifications to subscriptions within a tenant during the transition. More information will be available when this capability is released. The expected release is June 2022.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2022 we've added the following 25 new applications in our App gallery with Federation support:

UserZoom, AMX Mobile, i-Sight, Method InSight, Chronus SAML, Attendant Console for Microsoft Teams, Skopenow, Fidelity PlanViewer, Lyve Cloud, Framer, Authomize, gamba!, Datto File Protection Single Sign On, LONEALERT, Payfactors, deBroome Brand Portal, TeamSlide, Sensera Systems, YEAP, Monaca Education, Personify Inc, Phenom TXM, Forcepoint Cloud Security Gateway - User Authentication, GoalQuest, OpenForms.

You can also find the documentation for all the applications here: https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest.


General Availability – My Apps users can make apps from URLs (add sites)

Type: New feature
Service category: My Apps
Product capability: End User Experiences

When editing a collection using the My Apps portal, users can now add their own sites, in addition to adding apps that have been assigned to them by an admin. To add a site, users must provide a name and URL. For more information on how to use this feature, see: Customize app collections in the My Apps portal.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public Preview: Confirm safe and compromised in sign-ins API beta

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

The sign-ins Microsoft Graph API now supports confirming risky sign-ins as safe or compromised. This public preview functionality is available at the beta endpoint. For more information, see the Microsoft Graph documentation: signIn: confirmSafe - Microsoft Graph beta | Microsoft Docs.
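As an added example (not code from the page or from Microsoft), the following PowerShell shows an analyst workflow around the beta confirmSafe / confirmCompromised actions: fetch the sign-in by its request ID so the decision is visible, then post the verdict. The request IDs are constructed placeholders. The endpoint paths, the "requestIds" body shape and the IdentityRiskyUser.ReadWrite.All permission are assumptions taken from the Graph beta reference; verify them against the current documentation before use.

```powershell
# Added example, not from the page: confirm risky sign-ins as compromised or safe
# through the beta signIns actions. Request IDs below are constructed placeholders.
# Assumptions from the Graph beta reference: POST /beta/auditLogs/signIns/confirmCompromised
# and /confirmSafe with a body of {"requestIds": [...]}; permission IdentityRiskyUser.ReadWrite.All.
Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'AuditLog.Read.All'

function Show-SignInForReview {
    # Fetch one sign-in event (its id is the "Request ID" shown in the sign-in log)
    # so the analyst sees what they are about to confirm.
    param([Parameter(Mandatory)][string]$RequestId)
    $uri = "https://graph.microsoft.com/beta/auditLogs/signIns/$RequestId"
    $s = Invoke-MgGraphRequest -Method GET -Uri $uri
    [pscustomobject]@{
        RequestId  = $s.id
        User       = $s.userPrincipalName
        App        = $s.appDisplayName
        IpAddress  = $s.ipAddress
        RiskState  = $s.riskState
        RiskLevel  = $s.riskLevelDuringSignIn
        CreatedUtc = $s.createdDateTime
    }
}

function Set-SignInRiskVerdict {
    param(
        [Parameter(Mandatory)][string[]]$RequestId,
        [Parameter(Mandatory)][ValidateSet('Compromised', 'Safe')][string]$Verdict
    )
    $action = if ($Verdict -eq 'Compromised') { 'confirmCompromised' } else { 'confirmSafe' }
    $uri = "https://graph.microsoft.com/beta/auditLogs/signIns/$action"
    # Body: JSON object whose requestIds array lists the sign-ins to mark.
    $body = @{ requestIds = $RequestId } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
}

# Constructed placeholder IDs; in practice they come from the sign-in log or an alert.
$ids = @('00000000-aaaa-bbbb-cccc-000000000001')
$ids | ForEach-Object { Show-SignInForReview -RequestId $_ }
Set-SignInRiskVerdict -RequestId $ids -Verdict Compromised
```

Confirming a sign-in as compromised sets its riskState to confirmedCompromised and raises the user's risk, which in turn triggers any user-risk Conditional Access policy (for example, forcing a password change); confirming it safe feeds the opposite signal back into Identity Protection. Both are audited actions, so the verdict should come from a documented investigation rather than a bulk script.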


Public Preview of Microsoft cloud settings for Azure AD B2B

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:

  • Microsoft Azure global cloud and Microsoft Azure Government
  • Microsoft Azure global cloud and Microsoft Azure China 21Vianet

To learn more about Microsoft cloud settings for B2B collaboration, see: Cross-tenant access overview - Azure AD | Microsoft Docs.


General Availability of SAML and WS-Fed federation in External Identities

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

When setting up federation with a partner's IdP, new guest users from that domain can use their own IdP-managed organizational account to sign in to your Azure AD tenant and start collaborating with you. There's no need for the guest user to create a separate Azure AD account. To learn more about federating with SAML or WS-Fed identity providers in External Identities, see: Federation with a SAML/WS-Fed identity provider (IdP) for B2B - Azure AD | Microsoft Docs.


Public Preview - Create Group in Administrative Unit

Type: Changed feature
Service category: Directory Management
Product capability: Access Control

Groups Administrators assigned over the scope of an administrative unit can now create groups within the administrative unit. This enables scoped group administrators to create groups that they can manage directly, without needing to elevate to Global Administrator or Privileged Role Administrator. For more information, see: Administrative units in Azure Active Directory.


Public Preview - Dynamic administrative unit support for onPremisesDistinguishedName property

Type: Changed feature
Service category: Directory Management
Product capability: AuthZ/Access Delegation

The public preview of dynamic administrative units now supports the onPremisesDistinguishedName property for users. This makes it possible to create dynamic rules that incorporate the organizational unit of the user from on-premises AD. For more information, see: Manage users or devices for an administrative unit with dynamic membership rules (Preview).


General Availability - Improvements to Azure AD Smart Lockout

Type: Changed feature
Service category: Other
Product capability: User Management

Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold. For more information, see: Protect user accounts from attacks with Azure Active Directory smart lockout.


April 2022

General Availability - Entitlement management separation of duties checks for incompatible access packages

Type: Changed feature
Service category: Other
Product capability: Identity Governance

In Azure AD entitlement management, an administrator can now configure the incompatible access packages and groups of an access package in the Azure portal. This prevents a user who already has one of those incompatible access rights from being able to request further access. For more information, see: Configure separation of duties checks for an access package in Azure AD entitlement management.


General Availability - Microsoft Defender for Endpoint Signal in Identity Protection

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that detects Primary Refresh Token (PRT) theft. To learn more, see: What is risk? Azure AD Identity Protection | Microsoft Docs.


General Availability - Entitlement management 3 stages of approval

Type: Changed feature
Service category: Other
Product capability: Entitlement Management

This update extends the Azure AD entitlement management access package policy to allow a third approval stage. It can be configured via the Azure portal or Microsoft Graph. For more information, see: Change approval and requestor information settings for an access package in Azure AD entitlement management.


General Availability - Improvements to Azure AD Smart Lockout

Type: Changed feature
Service category: Identity Protection
Product capability: User Management

With a recent improvement, Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold. For more information, see: Protect user accounts from attacks with Azure Active Directory smart lockout.


Type: New feature
Service category: User Access Management
Product capability: AuthZ/Access Delegation

Microsoft 365 Certification status for an app is now available in Azure AD consent UX, and custom app consent policies. The status will later be displayed in several other Identity-owned interfaces such as enterprise apps. For more information, see: Understanding Azure AD application consent experiences.


Public preview - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels. For more information, see: Include B2B direct connect users and teams accessing Teams Shared Channels in access reviews (preview).


Public Preview - New MS Graph APIs to configure federated settings when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're announcing the public preview of the following MS Graph APIs and PowerShell cmdlets for configuring federated settings when federated with Azure AD:

Action                                             MS Graph API                     PowerShell cmdlet
-------------------------------------------------  -------------------------------  --------------------------------------
Get federation settings for a federated domain     Get internalDomainFederation     Get-MgDomainFederationConfiguration
Create federation settings for a federated domain  Create internalDomainFederation  New-MgDomainFederationConfiguration
Remove federation settings for a federated domain  Delete internalDomainFederation  Remove-MgDomainFederationConfiguration
Update federation settings for a federated domain  Update internalDomainFederation  Update-MgDomainFederationConfiguration

If using older MSOnline cmdlets (Get-MsolDomainFederationSettings and Set-MsolDomainFederationSettings), we highly recommend transitioning to the latest MS Graph APIs and PowerShell cmdlets.

For more information, see internalDomainFederation resource type - Microsoft Graph beta | Microsoft Docs.


Public Preview – Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

Type: New feature
Service category: RBAC role
Product capability: AuthZ/Access Delegation

Session controls now allow admins to reauthenticate a user on every sign-in if the user or a particular sign-in event is deemed risky, or when enrolling a device in Intune. For more information, see Configure authentication session management with Conditional Access.


Public Preview – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by asserting that multi-factor authentication has already been performed by the identity provider. The protection is enabled via the new security setting, federatedIdpMfaBehavior.

We highly recommend enabling this new protection when Azure AD Multi-Factor Authentication is the multi-factor authentication method for your federated users. To learn more about the protection and how to enable it, visit Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.
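As an added example (not code from the page or from Microsoft), the following PowerShell ties together the two April items above, the domain-federation cmdlets in the table and the federatedIdpMfaBehavior protection: it reports the current setting for every federated domain and, with -WhatIf removed, sets rejectMfaByFederatedIdp on the ones that still trust the IdP's MFA claim. The cmdlet names are the ones listed in the table; the enum values acceptIfMfaDoneByFederatedIdp, enforceMfaByFederatedIdp and rejectMfaByFederatedIdp come from the internalDomainFederation resource, and the -FederatedIdpMfaBehavior parameter name on Update-MgDomainFederationConfiguration is an assumption based on the SDK's property naming.

```powershell
# Added example, not from the page: audit and (optionally) enforce the
# federatedIdpMfaBehavior setting on every federated domain, using the cmdlets
# from this page's April 2022 MS Graph table (Microsoft.Graph.Identity.DirectoryManagement).
# Assumption: Update-MgDomainFederationConfiguration exposes the property as
# -FederatedIdpMfaBehavior; the enum values are those of the internalDomainFederation resource.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

function Get-FederatedIdpMfaPosture {
    # One row per federation configuration on every federated (not managed) domain.
    $federated = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }
    foreach ($domain in $federated) {
        foreach ($fed in Get-MgDomainFederationConfiguration -DomainId $domain.Id) {
            [pscustomobject]@{
                Domain       = $domain.Id
                FederationId = $fed.Id
                IssuerUri    = $fed.IssuerUri
                Behavior     = $fed.FederatedIdpMfaBehavior
                # Only rejectMfaByFederatedIdp makes Azure AD ignore an IdP's MFA claim and
                # perform its own MFA; acceptIfMfaDoneByFederatedIdp (the default) and
                # enforceMfaByFederatedIdp both accept MFA asserted by the federated IdP.
                Protected    = ("$($fed.FederatedIdpMfaBehavior)" -eq 'rejectMfaByFederatedIdp')
            }
        }
    }
}

function Set-FederatedIdpMfaReject {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$FederationId
    )
    if ($PSCmdlet.ShouldProcess($Domain, 'Set federatedIdpMfaBehavior = rejectMfaByFederatedIdp')) {
        Update-MgDomainFederationConfiguration -DomainId $Domain `
            -InternalDomainFederationId $FederationId `
            -FederatedIdpMfaBehavior 'rejectMfaByFederatedIdp'
    }
}

# Report first, then harden only the domains that are not yet protected.
$posture = Get-FederatedIdpMfaPosture
$posture | Format-Table Domain, IssuerUri, Behavior, Protected

foreach ($row in $posture | Where-Object { -not $_.Protected }) {
    # -WhatIf prints the intended change without applying it; remove it to apply.
    Set-FederatedIdpMfaReject -Domain $row.Domain -FederationId $row.FederationId -WhatIf
}
```

The threat this closes is an attacker who controls a federated account (or the federation signing key) and issues a token claiming MFA was already satisfied; with rejectMfaByFederatedIdp Azure AD discards that claim and runs its own MFA. After the change, confirm in the sign-in log that federated users are being prompted by Azure AD MFA, and retire any remaining Set-MsolDomainFederationSettings -SupportsMfa automation, as the page recommends.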


Type: New feature
Service category: Enterprise Apps
Product capability: Third Party Integration

In April 2022 we added the following 24 new applications in our App gallery with Federation support: X-1FBO, select Armor, Smint.io Portals for SharePoint, Pluto, ADEM, Smart360, MessageWatcher SSO, Beatrust, AeyeScan, ABa Customer, Twilio Sendgrid, Vault Platform, Speexx, Clicksign, Per Angusta, EruditAI, MetaMoJi ClassRoom, Numici, MCB.CLOUD, DepositLink, Last9, ParkHere Corporate, Keepabl, Swit

You can also find the documentation for all the applications here: https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest.


General Availability - Customer data storage for Japan customers in Japanese data centers

Type: New feature
Service category: App Provisioning
Product capability: GoLocal

From April 15, 2022, Microsoft began storing Azure AD’s Customer Data for new tenants with a Japan billing address within the Japanese data centers. For more information, see: Customer data storage for Japan customers in Azure Active Directory.


Type: New feature
Service category: App Provisioning
Product capability: Third Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD


March 2022

Tenant enablement of combined security information registration for Azure Active Directory

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

In April 2020 we announced General Availability of our new combined registration experience, which lets users register security information for multi-factor authentication and self-service password reset at the same time and was available for existing customers to opt in. We're happy to announce that the combined security information registration experience will be enabled for all customers who haven't yet enabled it after September 30, 2022. This change doesn't impact tenants created after August 15, 2020, or tenants located in the China region. For more information, see: Combined security information registration for Azure Active Directory overview.


Type: New feature
Service category: App Provisioning
Product capability: Third Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: Automate user provisioning to SaaS applications with Azure AD.


Public preview - Azure AD Recommendations

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD Recommendations is now in public preview. This feature provides personalized insights with actionable guidance to help you identify opportunities to implement Azure AD best practices and optimize the state of your tenant. For more information, see: What is Azure Active Directory recommendations.


Public Preview: Dynamic administrative unit membership for users and devices

Type: New feature
Service category: RBAC role
Product capability: Access Control

Administrative units now support dynamic membership rules for user and device members. Instead of manually assigning users and devices to administrative units, tenant admins can set up a query for the administrative unit, and Azure AD maintains the membership automatically. For more information, see: Administrative units in Azure Active Directory.


Public Preview: Devices in Administrative Units

Type: New feature
Service category: RBAC role
Product capability: AuthZ/Access Delegation

Devices can now be added as members of administrative units. This enables scoped delegation of device permissions to a specific set of devices in the tenant. Built-in and custom roles are also supported. For more information, see: Administrative units in Azure Active Directory.


Type: New feature
Service category: Enterprise Apps
Product capability: Third Party Integration

In March 2022 we've added the following 29 new applications in our App gallery with Federation support:

Informatica Platform, Buttonwood Central SSO, Blockbax, Datto Workplace Single Sign On, Atlas by Workland, Simply.Coach, Benevity, Engage Absence Management, LitLingo App Authentication, ADP EMEA French HR Portal mon.adp.com, Ready Room, Rainmaker UPSMQDEV, Axway CSOS, Alloy, U.S. Bank Prepaid, EdApp, GoSimplo, Snow Atlas SSO, Abacus.AI, Culture Shift, StaySafe Hub, OpenLearning, Draup, Inc, Air, Regulatory Lab, SafetyLine, Zest, iGrafx Platform, Tracker Software Technologies

You can also find the documentation of all the applications at https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, please read the details at https://aka.ms/AzureADAppRequest.


Public Preview - New APIs for fetching transitive role assignments and role permissions

Type: New feature
Service category: RBAC role
Product capability: Access Control

  1. transitiveRoleAssignments - Last year we added the ability to assign Azure AD roles to groups. Fetching all of a user's direct and transitive (group-inherited) role assignments previously took four calls; this new API returns them in a single call. For more information, see: List transitiveRoleAssignment - Microsoft Graph beta | Microsoft Docs.

  2. unifiedRbacResourceAction - Developers can use this API to list all role permissions and their descriptions in Azure AD. This API can be thought of as a dictionary that helps build custom roles without relying on the portal UX. For more information, see: List resourceActions - Microsoft Graph beta | Microsoft Docs.
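Both APIs together cover the audit question "what can this user actually do, and what could a narrower role look like?". The script below is an added example, not code from the release notes or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK, the beta endpoint (both APIs were beta at the time), a placeholder user object ID, and that the two user-management actions it picks are permitted in custom roles; those are assumptions, and the API rejects unsupported actions.

```powershell
# Added example, not from the Azure AD release notes. Assumes the Microsoft.Graph
# PowerShell SDK, the beta Graph endpoint, and a placeholder user object ID.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Directory.Read.All"
$userId = "00000000-0000-0000-0000-000000000000"   # assumption: the user being audited

function Get-GraphCollection([string]$Uri, [hashtable]$Headers = @{}) {
    # Follows @odata.nextLink so large collections (resourceActions has hundreds) come back whole.
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -Headers $Headers
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# 1. transitiveRoleAssignments: one call for direct plus group-inherited assignments.
#    The principalId filter is an advanced query, so $count=true and
#    ConsistencyLevel: eventual are both required or the call returns 400.
$uri = "https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments" +
       "?`$count=true&`$filter=principalId eq '$userId'"
$assignments = Get-GraphCollection -Uri $uri -Headers @{ ConsistencyLevel = "eventual" }

foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.roleDefinitionId
    # directoryScopeId "/" is tenant-wide; "/administrativeUnits/<id>" is AU-scoped.
    "{0,-40} scope={1}" -f $def.DisplayName, $a.directoryScopeId
}

# 2. unifiedRbacResourceAction: the dictionary of every permission a role can carry.
$actions     = Get-GraphCollection -Uri "https://graph.microsoft.com/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions"
$actionNames = $actions | ForEach-Object { $_.name }
$actions | Where-Object { $_.name -like "microsoft.directory/users/*" } |
    ForEach-Object { "{0,-60} {1}" -f $_.name, $_.description }

# 3. Build a least-privilege custom role from named actions instead of ticking boxes in
#    the portal. Validate the names against the dictionary first so a typo fails here
#    rather than as an opaque 400 from the create call.
$wanted  = @("microsoft.directory/users/jobInfo/update", "microsoft.directory/users/manager/update")  # assumption: permitted in custom roles
$missing = $wanted | Where-Object { $_ -notin $actionNames }
if ($missing) { throw "Unknown resource actions: $($missing -join ', ')" }

New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    displayName     = "HR job info editor"
    description     = "Can update job title and manager only"
    isEnabled       = $true
    rolePermissions = @(@{ allowedResourceActions = $wanted })
}
```

The transitive listing is the one to use for access reviews and offboarding checks: a user whose direct assignments are empty can still hold Global Administrator through a role-assignable group, and only the transitive view shows that.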


February 2022


General Availability - France digital accessibility requirement

Type: Plan for change
Service category: Other
Product capability: End User Experiences

This change gives users signing in to Azure Active Directory on iOS, Android, and the web a link on the sign-in page to information about the accessibility of Microsoft's online services. This ensures that the France digital accessibility compliance requirements are met. The change will only be available for French language experiences. Learn more


General Availability - Downloadable access review history report

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

With Azure Active Directory (Azure AD) Access Reviews, you can create a downloadable review history to help your organization gain more insight. The report captures the decisions reviewers had made as of the time the report is created. These reports can be constructed to include specific access reviews for a specific time frame, and can be filtered to include different review types and review results. Learn more



Public Preview of Identity Protection for Workload Identities

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Azure AD Identity Protection is extending its core capabilities of detecting, investigating, and remediating identity-based risk to workload identities. This allows organizations to better protect their applications, service principals, and managed identities. We are also extending Conditional Access so you can block at-risk workload identities. Learn more
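The Conditional Access extension mentioned above is the actionable part: a policy that targets service principals instead of users and keys on service-principal risk. The script below is an added example, not code from the release notes or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK and the beta endpoint (the workload identity conditions were beta during preview); the policy name and the choice to block only "high" risk are the author's assumptions.

```powershell
# Added example, not from the Azure AD release notes. Assumes the Microsoft.Graph
# PowerShell SDK and the beta Graph endpoint.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "IdentityRiskyServicePrincipal.Read.All"

$policy = @{
    displayName = "Block high-risk workload identities (report-only)"
    # Start in report-only and review sign-in logs for service principals before
    # enforcing: a blocked service principal fails silently from the app's point of view.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        # Workload identity policies target service principals, not users, so there is
        # no "users" condition. Only single-tenant service principals are in scope.
        clientApplications = @{
            includeServicePrincipals = @("ServicePrincipalsInMyTenant")
            excludeServicePrincipals = @()
        }
        servicePrincipalRiskLevels = @("high")
    }
    # Block is the only grant control that applies to workload identities; MFA or
    # compliant-device requirements have no meaning for a service principal.
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" -Body $policy
"Created policy $($created.id) in state $($created.state)"

# Which service principals would the policy hit right now? Triage these before enforcing.
$risky = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identityProtection/riskyServicePrincipals?`$filter=riskState eq 'atRisk'"
$risky.value | ForEach-Object {
    "{0,-40} {1,-8} {2}" -f $_.displayName, $_.riskLevel, $_.riskLastUpdatedDateTime
}
```

Excluding a break-glass service principal from the policy is not the right mitigation for a risky one; the remediation for a workload identity is to rotate its credentials and dismiss the risk once the source of the anomalous sign-ins is understood.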


Public Preview - Cross-tenant access settings for B2B collaboration

Type: New feature
Service category: B2B
Product capability: Collaboration

Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now you’ll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. Learn more
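A partner-specific entry combining the inbound controls and the claim trust described above looks like the script below. It is an added example, not code from the release notes or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK, the beta endpoint (the policy was in beta during preview), a placeholder partner tenant ID, and a placeholder application ID; all are assumptions.

```powershell
# Added example, not from the Azure AD release notes. Assumes the Microsoft.Graph
# PowerShell SDK and the beta Graph endpoint.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"
$partnerTenantId = "11111111-1111-1111-1111-111111111111"   # assumption: the partner's tenant ID
$allowedAppId    = "22222222-2222-2222-2222-222222222222"   # assumption: the one app partner users may reach

# 1. Inspect the tenant default first; it applies to every external tenant that has
#    no partner-specific entry, so it is the setting most worth tightening.
$default = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default"
"Default inbound B2B user access: " + $default.b2bCollaborationInbound.usersAndGroups.accessType

# 2. Partner-specific settings: inbound collaboration limited to a single application,
#    outbound left at the default, and the partner's MFA and device-compliance claims
#    accepted so our Conditional Access policies do not force their users to register
#    a second MFA method in our tenant.
$partner = @{
    tenantId     = $partnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(@{ target = $allowedAppId; targetType = "application" })
        }
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners" -Body $partner

# 3. Read the entry back. A null b2bCollaborationOutbound means the default still applies.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/$partnerTenantId" |
    ConvertTo-Json -Depth 6
```

Setting `isMfaAccepted` hands the assurance of your MFA grant control to the partner's configuration: a satisfied MFA claim from their tenant satisfies your Conditional Access policy. Enable it only for tenants whose MFA enforcement you have verified, and never on the default entry.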


Public preview - Create Azure AD access reviews with multiple stages of reviewers

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Use multi-stage reviews to create Azure AD access reviews in sequential stages, each with its own set of reviewers and configurations. Multiple stages support scenarios such as independent groups of reviewers reaching quorum, escalation to other reviewers, and reducing reviewer burden by letting later-stage reviewers see a filtered-down list. For public preview, multi-stage reviews are only supported on reviews of groups and applications. Learn more


New Federated Apps available in Azure AD Application gallery - February 2022

Type: New feature
Service category: Enterprise Apps
Product capability: Third Party Integration

In February 2022 we added the following 20 new applications in our App gallery with Federation support:

Embark, FENCE-Mobile RemoteManager SSO, カオナビ, Adobe Identity Management (OIDC), AppRemo, Live Center, Offishall, MoveWORK Flow, Cirros SL, ePMX Procurement Software, Vanta O365, Hubble, Medigold Gateway, クラウドログ, Amazing People Schools, Salus, XplicitTrust Network Access, Spike Email - Mail & Team Chat, AltheaSuite, Balsamiq Wireframes.

You can also find the documentation of all the applications at https://aka.ms/AppsTutorial.

For listing your application in the Azure AD app gallery, please read the details at https://aka.ms/AzureADAppRequest.


Two new MDA detections in Identity Protection

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection has added two new detections from Microsoft Defender for Cloud Apps (formerly MCAS). The Mass Access to Sensitive Files detection flags anomalous user activity, and the Unusual Addition of Credentials to an OAuth App detection flags suspicious service principal activity. Learn more


New provisioning connectors in the Azure AD Application Gallery - February 2022

Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


General Availability - Privileged Identity Management (PIM) role activation for SharePoint Online enhancements

Type: Changed feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

We've improved the Privileged Identity Management (PIM) time to role activation for SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should be able to use your permissions right away in SharePoint Online. This change will roll out in stages, so you might not yet see these improvements in your organization. Learn more