What's new in Azure Active Directory?

To be notified when this page is updated, copy and paste this URL into your RSS feed reader: https://docs.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us

Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Azure Active Directory.


December 2021

Tenant enablement of combined security information registration for Azure Active Directory

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

In April 2020, we announced that a new combined registration experience, which lets users register authentication methods for SSPR and multifactor authentication at the same time, was generally available for existing customers to opt in to. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting in 2022, Microsoft will enable the multifactor authentication and SSPR combined registration experience for existing customers. Learn more.


Public Preview - Number Matching now available to reduce accidental notification approvals

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving a multifactor authentication notification in the Authenticator app. This feature adds an additional security measure to the Microsoft Authenticator app. Learn more.


Pre-authentication error events removed from Azure AD Sign-in Logs

Type: Deprecated
Service category: Reporting
Product capability: Monitoring & Reporting

We are no longer publishing sign-in logs with the following error codes because these events are pre-authentication events that occur before our service has authenticated a user. Because these events happen before authentication, our service is not always able to correctly identify the user. If a user continues on to authenticate, the user sign-in will show up in your tenant Sign-in logs. These logs are no longer visible in the Azure portal UX, and querying these error codes in the Graph API will no longer return results.

Error code Failure reason
50058 Session information is not sufficient for single-sign-on.
16000 Either multiple user identities are available for the current request or selected account is not supported for the scenario.
500581 Rendering JavaScript. Fetching sessions for single-sign-on on V2 with prompt=none requires JavaScript to verify if any MSA accounts are signed in.
81012 The user trying to sign in to Azure AD is different from the user signed into the device.
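Because these four codes stop appearing in the sign-in logs and in Graph API query results, any saved detection or baseline that keys on them goes quiet without an error. The script below is an added example, not Microsoft's code: it takes the four codes from the table above, separates sign-in records that will keep appearing from those that will not, and scans saved rule text for references to the removed codes. The sample records follow the shape of the Microsoft Graph signIn resource (status.errorCode / status.failureReason) and the KQL snippets are constructed stand-ins for a SIEM's saved rules; the user names, event ids and the extra 50126 record are made up sample data.

```python
"""Flag sign-in records and detection content that rely on the four
pre-authentication error codes Azure AD no longer publishes.

Added example, not Microsoft's code. The four codes come from the table
above; the records and rule snippets are constructed sample data."""
import re

# Codes from the table above. Events carrying them happen before
# authentication and are no longer published in the sign-in logs.
UNPUBLISHED_PREAUTH_CODES = {50058, 16000, 500581, 81012}


def is_unpublished_preauth(record: dict) -> bool:
    """True if a sign-in record carries one of the removed error codes."""
    code = (record.get("status") or {}).get("errorCode")
    return code in UNPUBLISHED_PREAUTH_CODES


def split_log(records):
    """Separate records that will keep appearing (kept) from records that
    will no longer be published (gone)."""
    kept, gone = [], []
    for record in records:
        (gone if is_unpublished_preauth(record) else kept).append(record)
    return kept, gone


_CODE_RE = re.compile(r"\b(\d{4,6})\b")


def rules_referencing_removed_codes(rules: dict) -> dict:
    """Map rule name -> sorted list of removed codes the rule text mentions.
    Such rules can no longer match on those codes and need review."""
    hits = {}
    for name, text in rules.items():
        mentioned = {int(m) for m in _CODE_RE.findall(text)}
        found = sorted(mentioned & UNPUBLISHED_PREAUTH_CODES)
        if found:
            hits[name] = found
    return hits


# Constructed sample sign-in records (Graph signIn shape, made-up values).
SAMPLE_RECORDS = [
    {"id": "evt-1", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"id": "evt-2", "userPrincipalName": "",
     "status": {"errorCode": 50058,
                "failureReason": "Session information is not sufficient for single-sign-on."}},
    {"id": "evt-3", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
    {"id": "evt-4", "userPrincipalName": "",
     "status": {"errorCode": 81012,
                "failureReason": "The user trying to sign in to Azure AD is different from the user signed into the device."}},
]

# Constructed KQL snippets standing in for saved detection rules.
SAMPLE_RULES = {
    "sso-session-failures": 'SigninLogs | where ResultType in ("50058", "500581")',
    "password-spray": 'SigninLogs | where ResultType == "50126" | summarize count() by IPAddress',
    "device-user-mismatch": "SigninLogs | where ResultType == 81012",
}

if __name__ == "__main__":
    kept, gone = split_log(SAMPLE_RECORDS)
    print("still published:", [r["id"] for r in kept])
    print("no longer published:", [r["id"] for r in gone])
    print("rules to review:", rules_referencing_removed_codes(SAMPLE_RULES))
```

Records with an empty userPrincipalName are typical of these pre-authentication events, which is exactly why the note says the service cannot always identify the user; the later, authenticated sign-in is the record to build detections on.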

November 2021

Tenant enablement of combined security information registration for Azure Active Directory

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

In April 2020, we announced that a new combined registration experience, which lets users register authentication methods for SSPR and multifactor authentication at the same time, was generally available for existing customers to opt in to. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting in 2022, Microsoft will enable the MFA/SSPR combined registration experience for existing customers. Learn more.


Windows users will see prompts more often when switching user accounts

Type: Fixed
Service category: Authentications (Logins)
Product capability: User Authentication

A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance could result in a user who attempts to sign in to another account being silently signed in to their existing account instead, with no warning. For federated IdPs, such as ADFS, that support the prompt=login pattern, Azure AD now triggers a fresh login at ADFS when a user is directed to ADFS with a login hint. This ensures that the user is signed in to the account they requested, rather than being silently signed in to the account they're already signed in with.

For more information, see the change notice.


Public preview - Conditional Access Overview Dashboard

Type: New feature
Service category: Conditional Access
Product capability: Monitoring & Reporting

The new Conditional Access overview dashboard enables all tenants to see insights about the impact of their Conditional Access policies without requiring an Azure Monitor subscription. This built-in dashboard provides tutorials to deploy policies, a summary of the policies in your tenant, a snapshot of your policy coverage, and security recommendations. Learn more.


Public preview - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync

Type: New feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Lifecycle Management

The Public Preview feature for Azure AD Connect Cloud Sync Password writeback gives customers the ability to write a user's password changes in the cloud back to the on-premises directory in real time, using the lightweight Azure AD cloud provisioning agent. Learn more.


Public preview - Conditional Access for workload identities

Type: New feature
Service category: Conditional Access for workload identities
Product capability: Identity Security & Protection

Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. You can block service principals from accessing resources from outside trusted named locations or Azure Virtual Networks. Learn more.


Public preview - Additional attributes available as claims

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

Several user attributes have been added to the list of attributes available to map to claims to bring attributes available in claims more in line with what is available on the user object in Microsoft Graph. New attributes include mobilePhone and ProxyAddresses. Learn more.


Public preview - "Session Lifetime Policies Applied" property in the sign-in logs

Type: New feature
Service category: Authentications (Logins)
Product capability: Identity Security & Protection

We have recently added another property to the sign-in logs, called "Session Lifetime Policies Applied". This property lists all the session lifetime policies that applied to the sign-in, for example Sign-in frequency, Remember multifactor authentication, and Configurable token lifetime. Learn more.


Public preview - Enriched reviews on access packages in entitlement management

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

Entitlement Management’s enriched review experience allows even more flexibility on access packages reviews. Admins can now choose what happens to access if the reviewers don't respond, provide helper information to reviewers, or decide whether a justification is necessary. Learn more.


General availability - randomString and redact provisioning functions

Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

The Azure AD Provisioning service now supports two new functions, randomString() and Redact():

  • randomString - generate a string based on the length and characters you would like to include or exclude in your string.
  • redact - remove the value of the attribute from the audit and provisioning logs. Learn more.

General availability - Now access review creators can select users and groups to receive notification on completion of reviews

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Now access review creators can select users and groups to receive notification on completion of reviews. Learn more.


General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator

Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. Users can also report any suspicious or unfamiliar activity, change their Azure AD account passwords, and update the account's security information.

For more information on how to use this feature visit View and search your recent sign-in activity from the My Sign-ins page.


General availability - New Microsoft Authenticator app icon

Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

New updates have been made to the Microsoft Authenticator app icon. To learn more about these updates, see the Microsoft Authenticator app blog post.


General availability - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10/11

Type: New feature
Service category: Authentications (Logins)
Product capability: SSO

We now support native single sign-on (SSO) and device-based Conditional Access in the Firefox browser on Windows 10 and Windows Server 2019, starting in Firefox version 91. Learn more.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2021, we added the following 32 new applications to our App gallery with Federation support:

Tide - Connector, Virtual Risk Manager - USA, Xorlia Policy Management, WorkPatterns, GHAE, Nodetrax Project, Touchstone Benchmarking, SURFsecureID - Azure MFA, AiDEA, R and D Tax Credit Services: 10-wk Implementation, Mapiq Essentials, Celtra Authentication Service, Compete HR, Snackmagic, FileOrbis, ClarivateWOS, RewardCo Engagement Cloud, ZoneVu, V-Client, Netpresenter Next, UserTesting, InfinityQS ProFicient on Demand, Feedonomics, Customer Voice, Zanders Inside, Connecter, Paychex Flex, InsightSquared, Kiteline Health, Fabrikam Enterprise Managed User (OIDC), PROXESS for Office365, Coverity Static Application Security Testing

You can also find the documentation of all the applications here.

For listing your application in the Azure AD app gallery, read the details here.


Updated "switch organizations" user experience in My Account.

Type: Changed feature
Service category: My Profile/Account
Product capability: End User Experiences

The "switch organizations" user interface in My Account has been updated. The change visually improves the UI and gives the end user clear instructions. Based on customer feedback, a manage organizations link was added to the blade. Learn more.


October 2021

Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021

Type: Plan for change
Service category: Other
Product capability: Developer Experience

Sometimes, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, a limit on the total number of required permissions that can be configured for an app registration will be enforced.

The total number of required permissions for any single application registration mustn't exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out mid-October 2021. Applications exceeding the limit can't increase the number of permissions they are configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.

In the Azure portal, the required permissions are listed under API permissions for the application you wish to configure. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. Learn more.


Email one-time passcode on by default change beginning rollout in November 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

Previously, we announced that starting October 31, 2021, Microsoft Azure Active Directory email one-time passcode authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. However, because of deployment schedules, we'll begin rolling out on November 1, 2021. Most of the tenants will see the change rolled out in January 2022 to minimize disruptions during the holidays and deployment lock downs. After this change, Microsoft will no longer allow redemption of invitations using Azure Active Directory accounts that are unmanaged. Learn more.


Conditional Access Guest Access Blocking Screen

Type: Fixed
Service category: Conditional Access
Product capability: End User Experiences

If there's no trust relationship between a home and resource tenant, a guest user would previously have been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, we have created a new Conditional Access blocking page. The page tells the end user that they can't get access to Conditional Access protected resources as a guest user. Learn more.


50105 Errors will now result in a UX error message instead of an error response to the application

Type: Fixed
Service category: Authentications (Logins)
Product capability: Developer Experience

Azure AD has fixed a bug in the error response returned when a user isn't assigned to an app that requires user assignment. Previously, Azure AD returned error 50105 with the OIDC error code "interaction_required" even during interactive authentication. This caused well-coded applications to loop indefinitely: they performed interactive authentication, received an error telling them to perform interactive authentication, and did so again.

With the fix, an "interaction_required" error is still returned during non-interactive authentication, but during interactive authentication an error page is now displayed directly to the user instead.

For greater details, see the change notices for Azure AD protocols.
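To make the failure mode concrete, the following added example (not Microsoft's or MSAL's code) models the client side of the loop described above. FakeAuthority is a constructed stand-in for the token endpoint of an app that requires user assignment, with a flag selecting the pre-fix behaviour (interaction_required returned even to interactive requests) or the post-fix behaviour (an error page instead); the user names, assignment set and token strings are made up. naive_client is the pattern that loops; guarded_client escalates from silent to interactive at most once and surfaces a repeated interaction_required as a terminal error.

```python
"""Model the client side of the 50105 / interaction_required problem
described above. Added example, not Microsoft's or MSAL's code; the
authority below is a constructed stand-in, not a real token endpoint."""
from dataclasses import dataclass, field

INTERACTION_REQUIRED = "interaction_required"   # OIDC error code from the note
USER_NOT_ASSIGNED = 50105                         # Azure AD error code from the note


@dataclass
class FakeAuthority:
    """Constructed stand-in for the token endpoint of an app that requires
    user assignment. fixed=False models the behaviour before the fix."""
    assigned_users: set
    fixed: bool
    calls: list = field(default_factory=list)   # (mode, user) for each request

    def request_token(self, user: str, interactive: bool) -> dict:
        self.calls.append(("interactive" if interactive else "silent", user))
        if user in self.assigned_users:
            return {"access_token": f"constructed-token-for-{user}"}
        if not interactive or not self.fixed:
            # Pre-fix: 50105 comes back as interaction_required even when the
            # request was already interactive, which is what drove the loop.
            return {"error": INTERACTION_REQUIRED, "error_codes": [USER_NOT_ASSIGNED]}
        # Post-fix: the interactive flow shows the user an error page rather
        # than handing interaction_required back to the application.
        return {"error": "access_denied", "error_codes": [USER_NOT_ASSIGNED],
                "error_page_shown": True}


def naive_client(authority: FakeAuthority, user: str, max_rounds: int = 5) -> dict:
    """The looping pattern from the note: every interaction_required is
    answered with another interactive attempt. max_rounds only keeps this
    simulation finite; an unguarded real client never stops."""
    interactive = False
    for _ in range(max_rounds):
        resp = authority.request_token(user, interactive)
        if resp.get("error") == INTERACTION_REQUIRED:
            interactive = True
            continue
        return resp
    return {"error": "gave_up", "rounds": max_rounds}


def guarded_client(authority: FakeAuthority, user: str) -> dict:
    """Silent first, then interactive at most once. If the interactive
    attempt still reports interaction_required there is nothing more the
    client can do, so report it instead of retrying."""
    resp = authority.request_token(user, interactive=False)
    if resp.get("error") != INTERACTION_REQUIRED:
        return resp
    resp = authority.request_token(user, interactive=True)
    if resp.get("error") == INTERACTION_REQUIRED:
        return {"error": "interaction_loop_detected",
                "error_codes": resp.get("error_codes", [])}
    return resp


if __name__ == "__main__":
    pre_fix = FakeAuthority(assigned_users={"alice"}, fixed=False)
    print("naive, pre-fix, unassigned user:", naive_client(pre_fix, "bob"),
          f"after {len(pre_fix.calls)} token requests")
    pre_fix.calls.clear()
    print("guarded, pre-fix, unassigned user:", guarded_client(pre_fix, "bob"),
          f"after {len(pre_fix.calls)} token requests")
    post_fix = FakeAuthority(assigned_users={"alice"}, fixed=True)
    print("guarded, post-fix, unassigned user:", guarded_client(post_fix, "bob"))
    print("guarded, assigned user:", guarded_client(post_fix, "alice"))
```

The guard is worth keeping even after the server-side fix: an interactive attempt that comes back with interaction_required is never something the client can resolve by trying again, so bounding the escalation to one interactive round turns a hang into a reportable error.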


Public preview - New claims transformation capabilities

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

The following new capabilities have been added to the claims transformations available for manipulating claims in tokens issued from Azure AD:

  • Join() on NameID. This used to be restricted to joining an email-format address with a verified domain. Now Join() can be used on the NameID claim in the same way as on any other claim, so NameID transforms can be used to create Windows account-style NameIDs or any other string. For now, if the result is an email address, Azure AD will still validate that the domain is one that is verified in the tenant.
  • Substring(). A new transformation in the claims configuration UI allows extraction of substrings at a defined position, such as five characters starting at character three: substring(3,5).
  • Claims transformations. These transformations can now be performed on multi-valued attributes, and can emit multi-valued claims. Microsoft Graph can now be used to read and write multi-valued directory schema extension attributes. Learn more.

Public Preview - Flagged Sign-ins

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Flagged sign-ins is a feature that increases the signal-to-noise ratio for user sign-ins where users need help. It lets users raise awareness about sign-in errors they want help with, and helps admins and help desk workers find the right sign-in events quickly and efficiently. Learn more.


Public preview - Device overview

Type: New feature
Service category: Device Registration and Management
Product capability: Device Lifecycle Management

The new Device Overview feature provides actionable insights about devices in your tenant. Learn more.


Public preview - Azure Active Directory workload identity federation

Type: New feature
Service category: Enterprise Apps
Product capability: Developer Experience

Azure AD workload identity federation is a new capability that's in public preview. It frees developers from handling application secrets or certificates, including in scenarios such as using GitHub Actions and building applications on Kubernetes. Rather than creating an application secret and using it to get tokens for that application, developers can use tokens provided by the respective platforms, such as GitHub and Kubernetes, without having to manage any secrets manually. Learn more.


Public Preview - Updates to Sign-in Diagnostic

Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting

With this update, the diagnostic covers more scenarios and is made more easily available to admins.

New scenarios covered when using the Sign-in Diagnostic:

  • Pass Through Authentication sign-in failures
  • Seamless Single-Sign On sign-in failures

Other changes include:

  • Flagged Sign-ins will automatically appear for investigation when using the Sign-in Diagnostic from Diagnose and Solve.
  • Sign-in Diagnostic is now available from the Enterprise Apps Diagnose and Solve blade.
  • The Sign-in Diagnostic is now available in the Basic Info tab of the Sign-in Log event view for all sign-in events. Learn more.

General Availability - Privileged Role Administrators can now create Azure AD access reviews on role-assignable groups

Type: Fixed
Service category: Access Reviews
Product capability: Identity Governance

Privileged Role Administrators can now create Azure AD access reviews on Azure AD role-assignable groups, in addition to Azure AD roles. Learn more.


General Availability - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10/11

Type: New feature
Service category: Authentications (Logins)
Product capability: SSO

We now support native single sign-on (SSO) and device-based Conditional Access in the Firefox browser on Windows 10 and Windows Server 2019, starting in Firefox version 91. Learn more.


General Availability - New app indicator in My Apps

Type: New feature
Service category: My Apps
Product capability: End User Experiences

Apps that have been recently assigned to the user show up with a "new" indicator. When the app is launched or the page is refreshed, this indicator disappears. Learn more.


General availability - Custom domain support in Azure AD B2C

Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Azure AD B2C customers can now enable custom domains so their end-users are redirected to a custom URL domain for authentication. This is done via integration with Azure Front Door's custom domains capability. Learn more.


General availability - Edge Administrator built-in role

Type: New feature
Service category: RBAC
Product capability: Access Control

Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list, and additionally allows access to manage support tickets. Learn more.


General availability - Windows 365 Administrator built-in role

Type: New feature
Service category: RBAC
Product capability: Access Control

Users with this role have global permissions on Windows 365 resources, when the service is present. Additionally, this role includes the ability to manage users and devices in order to associate a policy, and to create and manage groups. Learn more.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2021 we've added the following 10 new applications in our App gallery with Federation support:

Adaptive Shield, SocialChorus Search, Hiretual-SSO, TeamSticker by Communitio, embed signage, JoinedUp, VECOS Releezme Locker management system, Altoura, Dagster Cloud, Qualaroo

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the following article: https://aka.ms/AzureADAppRequest


Continuous Access Evaluation migration with Conditional Access

Type: Changed feature
Service category: Conditional Access
Product capability: User Authentication

A new user experience is available for our CAE tenants. Tenants will now access CAE as part of Conditional Access. Any tenants that were previously using CAE for some (but not all) user accounts under the old UX, or had previously disabled the old CAE UX, will now be required to go through a one-time migration experience. Learn more.


Improved group list blade

Type: Changed feature
Service category: Group Management
Product capability: Directory

The new group list blade offers more sort and filtering capabilities, infinite scrolling, and better performance. Learn more.


General availability - Google deprecation of Gmail sign-in support on embedded webviews on September 30, 2021

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Google has deprecated Gmail sign-ins on Microsoft Teams mobile and custom apps that run Gmail authentications on embedded webviews on Sept. 30th, 2021.

If you would like to request an extension, impacted customers with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by Jan 31, 2022.

To continue allowing your Gmail users to sign in and redeem, we strongly recommend that you refer to Embedded vs System Web UI in the MSAL.NET documentation and modify your apps to use the system browser for sign-in. All MSAL SDKs use the system web-view by default.

As a workaround, we are deploying the device login flow by October 8. Until then, it may not yet be rolled out to all regions, in which case end users will see an error screen until it is deployed to your region.

For more details on the device login flow and details on requesting extension to Google, see Add Google as an identity provider for B2B guest users.


Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications

Type: Changed feature
Service category: Access Reviews
Product capability: Identity Governance

Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications. Learn more.


September 2021

Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021

Type: Plan for change
Service category: Other
Product capability: Developer Experience

Occasionally, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, we're enforcing a limit on the total number of required permissions that can be configured for an app registration.

The total number of required permissions for any single application registration must not exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out no sooner than mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and can't exceed 50 APIs.

In the Azure portal, the required permissions are listed under Azure Active Directory > App registrations > (select an application) > API permissions. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. Learn more.
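The October and September entries above describe the same two limits (400 required permissions across all APIs, 50 distinct APIs) and point at the requiredResourceAccess property as the place to count them. The script below is an added example, not Microsoft's code: it counts what the portal shows under API permissions from that property, splits the count into delegated ("Scope") and application ("Role") permissions since the latter deserve closer review, and reports every registration over a limit. The limits come from the notes above; the sample application objects are constructed to follow the shape of the Microsoft Graph application entity (requiredResourceAccess -> resourceAppId, resourceAccess[].id, resourceAccess[].type), and every GUID and display name in them is made up.

```python
"""Audit app registrations' requiredResourceAccess against the limits in the
notes above: at most 400 required permissions across all APIs and at most
50 distinct APIs.

Added example, not Microsoft's code. The two limits come from the release
notes; the sample application objects are constructed with made-up GUIDs."""
import uuid
from collections import Counter
from dataclasses import dataclass

MAX_TOTAL_PERMISSIONS = 400   # limit stated in the notes above
MAX_DISTINCT_APIS = 50        # limit stated in the notes above


@dataclass
class PermissionSummary:
    display_name: str
    total_permissions: int
    distinct_apis: int
    delegated: int     # resourceAccess entries of type "Scope"
    application: int   # resourceAccess entries of type "Role"

    @property
    def violations(self) -> list:
        problems = []
        if self.total_permissions > MAX_TOTAL_PERMISSIONS:
            problems.append(f"{self.total_permissions} permissions > {MAX_TOTAL_PERMISSIONS}")
        if self.distinct_apis > MAX_DISTINCT_APIS:
            problems.append(f"{self.distinct_apis} APIs > {MAX_DISTINCT_APIS}")
        return problems


def summarize(app: dict) -> PermissionSummary:
    """Count required permissions and distinct resource APIs from the raw
    requiredResourceAccess property of a Graph application object."""
    required = app.get("requiredResourceAccess") or []
    by_type = Counter()
    apis = set()
    for resource in required:
        apis.add(resource["resourceAppId"])
        for access in resource.get("resourceAccess", []):
            by_type[access.get("type")] += 1
    return PermissionSummary(
        display_name=app.get("displayName", "<unnamed>"),
        total_permissions=sum(by_type.values()),
        distinct_apis=len(apis),
        delegated=by_type["Scope"],
        application=by_type["Role"],
    )


def audit(apps: list) -> dict:
    """Map displayName -> list of violations for every app over a limit."""
    findings = {}
    for app in apps:
        summary = summarize(app)
        if summary.violations:
            findings[summary.display_name] = summary.violations
    return findings


def _constructed_app(name: str, api_count: int, perms_per_api: int) -> dict:
    """Build a sample application object with made-up GUIDs, alternating
    delegated and application permissions."""
    return {
        "displayName": name,
        "requiredResourceAccess": [
            {
                "resourceAppId": str(uuid.uuid4()),
                "resourceAccess": [
                    {"id": str(uuid.uuid4()), "type": "Scope" if i % 2 == 0 else "Role"}
                    for i in range(perms_per_api)
                ],
            }
            for _ in range(api_count)
        ],
    }


# Constructed sample: one well-behaved app and two that each exceed a limit.
SAMPLE_APPS = [
    _constructed_app("payroll-portal", api_count=3, perms_per_api=4),          # 12 permissions, 3 APIs
    _constructed_app("over-permissioned-bot", api_count=5, perms_per_api=81),  # 405 permissions, 5 APIs
    _constructed_app("api-sprawl", api_count=51, perms_per_api=1),             # 51 permissions, 51 APIs
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        s = summarize(app)
        print(f"{s.display_name}: {s.total_permissions} permissions "
              f"({s.delegated} delegated, {s.application} application) across {s.distinct_apis} APIs")
    print("over limit:", audit(SAMPLE_APPS))
```

Against a real tenant the same summarize() and audit() functions apply unchanged to the objects returned by Graph's applications listing, since the only fields read are displayName and requiredResourceAccess.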


My Apps performance improvements

Type: Fixed
Service category: My Apps
Product capability: End User Experiences

The load time of My Apps has been improved. Users going to myapps.microsoft.com load My Apps directly, rather than being redirected through another service. Learn more.


Single Page Apps using the spa redirect URI type must use a CORS enabled browser for auth

Type: Known issue
Service category: Authentications (Logins)
Product capability: Developer Experience

The modern Edge browser is now included in the requirement to provide an Origin header when redeeming a single page app authorization code. A compatibility fix accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the Origin header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the Origin header per HTTP spec, to ensure CORS is enforced. Learn more.


General availability - On the My Apps portal, users can choose to view their apps in a list

Type: New feature
Service category: My Apps
Product capability: End User Experiences

By default, My Apps displays apps in a grid view. Users can now toggle their My Apps view to display apps in a list. Learn more.


Type: New feature
Service category: Audit
Product capability: Device Lifecycle Management

Admins can now see various new and improved device-related audit logs. The new audit logs cover creating and deleting passwordless credentials (Phone sign-in, FIDO2 key, and Windows Hello for Business), registering and unregistering devices, and pre-creating and deleting pre-created devices. Additionally, there have been minor improvements to existing device-related audit logs, including more device details. Learn more.


General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator

Type: New feature
Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. They can report any suspicious or unfamiliar activity based on the sign-in history and activity if necessary. Users also can change their Azure AD account passwords and update the account's security information. Learn more.


General availability - New MS Graph APIs for role management

Type: New feature
Service category: RBAC
Product capability: Access Control

New role management APIs on the MS Graph v1.0 endpoint are generally available. Instead of the old directory roles, use unifiedRoleDefinition and unifiedRoleAssignment.


General availability - Access Packages can expire after number of hours

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

It's now possible in entitlement management to configure an access package that will expire in a matter of hours in addition to the previous support for days or specific dates. Learn more.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2021, we added the following 44 new applications to our App gallery with Federation support:

Studybugs, Yello, LawVu, Formate eVo Mail, Revenue Grid, Orbit for Office 365, Upmarket, Alinto Protect, Cloud Concinnity, Matlantis, ModelGen for Visio (MG4V), NetRef: Classroom Management, VergeSense, iAuditor, Secutraq, Active and Thriving, Inova, TerraTrue, Facebook Work Accounts, Beyond Identity Admin Console, Visult, ENGAGE TAG, Appaegis Isolation Access Cloud, CrowdStrike Falcon Platform, MY Emergency Control, AlexisHR, Teachme Biz, Zero Networks, Mavim iMprove, Azumuta, Frankli, Amazon Managed Grafana, Productive, Create!Webフロー, Evercate, Ezra Coaching, Baldwin Safety and Compliance, Nulab Pass (Backlog,Cacoo,Typetalk), Metatask, Contrast Security, Animaker, Traction Guest, True Office Learning - LIO, Qiita Team

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Gmail users signing in on Microsoft Teams mobile and desktop clients will sign in with device login flow starting September 30, 2021

Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Starting on September 30, 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed-up or redeemed Gmail accounts will have an extra login step. Users will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. If you haven't already done so, make sure to modify your apps to use the system browser for sign-in. See Embedded vs System Web UI in the MSAL.NET documentation for more information. All MSAL SDKs use the system web-view by default.

Although the device login flow starts on September 30, 2021, it may not be available in your region immediately. If it's not available yet, your end users will see the error screen shown in the doc until it is deployed to your region. For more details on the device login flow and on requesting an extension from Google, see Add Google as an identity provider for B2B guest users.


Improved Conditional Access Messaging for Non-compliant Device

Type: Changed feature
Service category: Conditional Access
Product capability: End User Experiences

The text and design of the Conditional Access blocking screen shown to users when their device is marked as non-compliant has been updated. Users will be blocked until they take the necessary actions to meet their company's device compliance policies. Additionally, we have streamlined the flow for a user to open their device management portal. These improvements apply to all Conditional Access supported OS platforms. Learn more.


August 2021

New major version of AADConnect available

Type: Fixed
Service category: AD Connect
Product capability: Identity Lifecycle Management

We've released a new major version of Azure Active Directory Connect. This version contains several updates of foundational components to the latest versions and is recommended for all customers using Azure AD Connect. Learn more.


Public Preview - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10

Type: New feature
Service category: Authentications (Logins)
Product capability: SSO

We now support native single sign-on (SSO) and device-based Conditional Access in the Firefox browser on Windows 10 and Windows Server 2019. Support is available in Firefox version 91. Learn more.


Public preview - beta MS Graph APIs for Azure AD access reviews return a list of contacted reviewer names

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

We've released a beta MS Graph API for Azure AD access reviews. The API has methods that return a list of contacted reviewer names in addition to the reviewer type. Learn more.


General Availability - "Register or join devices" user action in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The "Register or join devices" user action is generally available in Conditional access. This user action allows you to control multifactor authentication policies for Azure Active Directory (AD) device registration. Currently, this user action only allows you to enable multifactor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. Learn more.


General Availability - customers can scope reviews of privileged roles to eligible or permanent assignments

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Administrators can now create access reviews of only permanent or eligible assignments to privileged Azure AD or Azure resource roles. Learn more.


General availability - assign roles to Azure Active Directory (AD) groups

Type: New feature
Service category: RBAC
Product capability: Access Control

Assigning roles to Azure AD groups is now generally available. This feature can simplify the management of role assignments in Azure AD for Global Administrators and Privileged Role Administrators. Learn more.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2021, we added the following 46 new applications in our App gallery with Federation support:

Siriux Customer Dashboard, STRUXI, Autodesk Construction Cloud - Meetings, Eccentex AppBase for Azure, Bookado, FilingRamp, BenQ IAM, Rhombus Systems, CorporateExperience, TutorOcean, Bookado Device, HiFives-AD-SSO, Darzin, Simply Stakeholders, KACTUS HCM - Smart People, Five9 UC Adapter for Microsoft Teams V2, Automation Center, Cirrus Identity Bridge for Azure AD, ShiftWizard SAML, Safesend Returns, Brushup, directprint.io Cloud Print Administration, plain-x, X-point Cloud, SmartHub INFER, Fresh Relevance, FluentPro G.A. Suite, Clockwork Recruiting, WalkMe SAML2.0, Sideways 6, Kronos Workforce Dimensions, SysTrack Cloud Edition, mailworx Dynamics CRM Connector, Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service, Peripass, JobDiva, Sanebox For Office365, Tulip, HP Wolf Security, Genesys Engage cloud Email, Meta Wiki, Palo Alto Networks Cloud Identity Engine Directory Sync, Valarea, LanSchool Air, Catalyst, Webcargo

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.


Multifactor fraud report – new audit event

Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection

To help administrators understand that their users are blocked for multifactor authentication as a result of a fraud report, we have added a new audit event. This audit event is recorded when the user reports fraud. The audit log is available in addition to the existing information about fraud reports in the sign-in logs. To learn how to get the audit report, see multifactor authentication Fraud alert.


Improved Low-Risk Detections

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

To improve the quality of the low-risk alerts that Identity Protection issues, we've modified the algorithm to issue fewer low-risk Risky Sign-Ins. Organizations may see a significant reduction in low-risk sign-ins in their environment. Learn more.


Non-interactive risky sign-ins

Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now emits risky sign-ins on non-interactive sign-ins. Admins can find these risky sign-ins using the sign-in type filter in the risky sign-ins report. Learn more.


Change from User Administrator to Identity Governance Administrator in Entitlement Management

Type: Changed feature
Service category: Roles
Product capability: Identity Governance

The permissions to manage access packages and other resources in Entitlement Management are moving from the User Administrator role to the Identity Governance Administrator role.

Users that have been assigned the User Administrator role can no longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User Administrator role to configure catalogs, access packages, or policies in entitlement management, they will need a new assignment. You should instead assign these users the Identity Governance Administrator role. Learn more.


Windows Azure Active Directory connector is deprecated

Type: Deprecated
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

The Windows Azure AD Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to Azure AD Connect, Azure AD Connect Sync, or the Microsoft Graph Connector, as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. Learn more.


Retirement of older Azure AD Connect versions

Type: Deprecated
Service category: AD Connect
Product capability: User Management

Starting August 31, 2022, all V1 versions of Azure AD Connect will be retired. If you haven't already done so, you need to update your server to Azure AD Connect V2.0. Make sure you're running a recent version of Azure AD Connect to receive an optimal support experience.

If you run a retired version of Azure AD Connect it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements. Also, if you require support we can't provide you with the level of service your organization needs.

See Azure Active Directory Connect V2.0, what has changed in V2.0 and how this change impacts you.


Retirement of support for installing MIM on Windows Server 2008 R2 or SQL Server 2008 R2

Type: Deprecated
Service category: Microsoft Identity Manager
Product capability: Identity Lifecycle Management

Deploying MIM Sync, Service, Portal or CM on Windows Server 2008 R2, or using SQL Server 2008 R2 as the underlying database, is deprecated as these platforms are no longer in mainstream support. Installing MIM Sync and other components on Windows Server 2016 or later, and with SQL Server 2016 or later, is recommended.

Deploying MIM for Privileged Access Management with a Windows Server 2012 R2 domain controller in the PRIV forest is deprecated. Use Windows Server 2016 or later Active Directory, with Windows Server 2016 functional level, for your PRIV forest domain. The Windows Server 2012 R2 functional level is still permitted for a CORP forest's domain. Learn more.


July 2021

New Google sign-in integration for Azure AD B2C and B2B self-service sign-up and invited external users will stop working starting July 12, 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

Previously we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021.

On July 7, 2021, we learned from Google that some of these restrictions will apply starting July 12, 2021. Azure AD B2B and B2C customers who set up a new Google ID sign-in in their custom or line of business applications to invite external users or enable self-service sign-up will have the restrictions applied immediately. As a result, end-users will be met with an error screen that blocks their Gmail sign-in if the authentication is not moved to a system webview. See the docs linked below for details.

Most apps use the system web-view by default and will not be impacted by this change. This only applies to customers using embedded webviews (the non-default setting). We advise customers to move their application's authentication to system browsers before creating any new Google integrations. To learn how to move to system browsers for Gmail authentication, read the Embedded vs System Web UI section in the Using web browsers (MSAL.NET) documentation. All MSAL SDKs use the system web-view by default. Learn more.


Google sign-in on embedded web-views expiring September 30, 2021

Type: Plan for change
Service category: B2B
Product capability: B2B/B2C

About two months ago we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021.

Recently, Google has specified the date to be September 30, 2021.

Rolling out globally beginning September 30, 2021, Azure AD B2B guests signing in with their Gmail accounts will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. This applies to invited guests and guests who signed up using Self-Service Sign-Up.

Azure AD B2C customers who have set up embedded webview Gmail authentication in their custom/line of business apps, or who have existing Google integrations, will no longer be able to let their users sign in with Gmail accounts. To mitigate this, make sure to modify your apps to use the system browser for sign-in. For more information, read the Embedded vs System Web UI section in the Using web browsers (MSAL.NET) documentation. All MSAL SDKs use the system web-view by default.

As the device login flow starts rolling out on September 30, 2021, it may not be rolled out to your region yet. In that case, your end-users will be met with the error screen shown in the documentation until it gets deployed to your region.

For details on known impacted scenarios and what experience your users can expect, read Add Google as an identity provider for B2B guest users.


Bug fixes in My Apps

Type: Fixed
Service category: My Apps
Product capability: End User Experiences

  • Previously, the presence of the banner recommending the use of collections caused content to scroll behind the header. This issue has been resolved.
  • Previously, when adding apps to a collection, the order of apps in the All Apps collection would get randomly reordered. This issue has also been resolved.

For more information on My Apps, read Sign in and start apps from the My Apps portal.


Public preview - Application authentication method policies

Type: New feature
Service category: MS Graph
Product capability: Developer Experience

Application authentication method policies in MS Graph allow IT admins to enforce a maximum lifetime on application password secret credentials, or to block the use of secrets altogether. Policies can be enforced for an entire tenant as a default configuration, and they can be scoped to specific applications or service principals. Learn more.
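The lifetime restriction described above only governs applications created after the policy's cutoff date, so pre-existing apps can keep long-lived secrets unless the cutoff is moved back. The following added example (not Microsoft's code) audits application secrets against a tenant default policy; it assumes the policy and application documents were already fetched from Microsoft Graph (constructed samples are embedded here, with placeholder keyIds) and that maxLifetime is expressed in whole days.

```python
"""Audit application password secrets against an app management policy."""
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of a default app management policy:
# secrets may live at most 90 days, for apps created after 2021-01-01.
DEFAULT_POLICY = {
    "isEnabled": True,
    "applicationRestrictions": {
        "passwordCredentials": [
            {"restrictionType": "passwordLifetime", "maxLifetime": "P90D",
             "restrictForAppsCreatedAfterDateTime": "2021-01-01T00:00:00Z"}
        ]
    },
}

# Constructed sample applications; keyIds are placeholders, not real values.
APPLICATIONS = [
    {"displayName": "payroll-api", "createdDateTime": "2021-03-01T00:00:00Z",
     "passwordCredentials": [
         {"keyId": "placeholder-1", "startDateTime": "2021-06-01T00:00:00Z",
          "endDateTime": "2023-06-01T00:00:00Z"},
         {"keyId": "placeholder-2", "startDateTime": "2021-07-01T00:00:00Z",
          "endDateTime": "2021-09-01T00:00:00Z"}]},
    {"displayName": "old-batch-job", "createdDateTime": "2019-05-01T00:00:00Z",
     "passwordCredentials": [
         {"keyId": "placeholder-3", "startDateTime": "2021-06-01T00:00:00Z",
          "endDateTime": "2024-06-01T00:00:00Z"}]},
]


def parse_days(duration: str) -> timedelta:
    """Parse the day-only subset of ISO 8601 durations, e.g. 'P90D' (assumption)."""
    m = re.fullmatch(r"P(\d+)D", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration}")
    return timedelta(days=int(m.group(1)))


def parse_ts(value: str) -> datetime:
    """Parse a Graph UTC timestamp such as '2021-06-01T00:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def max_lifetime_for(policy: dict, app: dict):
    """Return the secret lifetime cap the policy imposes on this app, or None."""
    if not policy.get("isEnabled"):
        return None
    for r in policy["applicationRestrictions"]["passwordCredentials"]:
        if r["restrictionType"] != "passwordLifetime":
            continue
        cutoff = r.get("restrictForAppsCreatedAfterDateTime")
        # Apps created before the cutoff are not governed by this restriction.
        if cutoff and parse_ts(app["createdDateTime"]) <= parse_ts(cutoff):
            return None
        return parse_days(r["maxLifetime"])
    return None


def find_violations(policy: dict, apps: list) -> list:
    """List (app name, keyId, lifetime in days) for secrets exceeding the cap."""
    found = []
    for app in apps:
        limit = max_lifetime_for(policy, app)
        if limit is None:
            continue
        for cred in app.get("passwordCredentials", []):
            life = parse_ts(cred["endDateTime"]) - parse_ts(cred["startDateTime"])
            if life > limit:
                found.append((app["displayName"], cred["keyId"], life.days))
    return found
```

Note that old-batch-job's three-year secret is not reported because the app predates the cutoff; auditing for that gap is the point of the example.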


Public preview - Authentication Methods registration campaign to download Microsoft Authenticator

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

The Authenticator registration campaign helps admins to move their organizations to a more secure posture by prompting users to adopt the Microsoft Authenticator app. Prior to this feature, there was no way for an admin to push their users to set up the Authenticator app.

The registration campaign gives an admin the ability to scope users and groups by including and excluding them from the campaign, to ensure a smooth adoption across the organization. Learn more.


Public preview - Separation of duties check

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will then be unable to request more access. Learn more.


Public preview - Identity Protection logs in Log Analytics, Storage Accounts, and Event Hubs

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

You can now send the risky users and risk detections logs to Azure Monitor, Storage Accounts, or Log Analytics using the Diagnostic Settings in the Azure AD blade. Learn more.


Public preview - Application Proxy API addition for backend SSL certificate validation

Type: New feature
Service category: App Proxy
Product capability: Access Control

The onPremisesPublishing resource type now includes the property isBackendCertificateValidationEnabled, which indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property is set to true by default. For all existing apps, the property is set to false. For more information, read the onPremisesPublishing resource type API.


General availability - Improved Authenticator setup experience for adding an Azure AD account in the Microsoft Authenticator app by directly signing into the app

Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Users can now use their existing authentication methods to sign directly into the Microsoft Authenticator app to set up their credential. Users no longer need to scan a QR code and can use a Temporary Access Pass (TAP) or Password + SMS (or another authentication method) to configure their account in the Authenticator app.

This improves the user credential provisioning process for the Microsoft Authenticator app and gives the end user a self-service method to provision the app. Learn more.


General availability - Set manager as reviewer in Azure AD entitlement management access packages

Type: New feature
Service category: User Access Management
Product capability: Entitlement Management

Access packages in Azure AD entitlement management now support setting the user's manager as the reviewer for regularly occurring access reviews. Learn more.


General availability - Enable external users to self-service sign-up in Azure AD using MSA accounts

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Users can now enable external users to self-service sign-up in Azure Active Directory using Microsoft accounts. Learn more.


General availability - External Identities Self-Service Sign-Up with Email One-time Passcode

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Now users can enable external users to self-service sign-up in Azure Active Directory using their email and one-time passcode. Learn more.


General availability - Anomalous token

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Anomalous token detection is now available in Identity Protection. This feature can detect abnormal characteristics in a token, such as an abnormal token lifetime or authentication from an unfamiliar IP address. Learn more.


General availability - Register or join devices in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The Register or join devices user action in Conditional access is now in general availability. This user action allows you to control multifactor authentication (MFA) policies for Azure AD device registration.

Currently, this user action only allows you to enable multifactor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. Learn more.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, read Automate user provisioning to SaaS applications with Azure AD.


Changes to security and Microsoft 365 group settings in Azure portal

Type: Changed feature
Service category: Group Management
Product capability: Directory

In the past, users could create security groups and Microsoft 365 groups in the Azure portal. Now users will have the ability to create groups across the Azure portal, PowerShell, and the API. Customers are required to verify that the new settings have been configured for their organization and update them as needed. Learn more.


"All Apps" collection has been renamed to "Apps"

Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

In the My Apps portal, the collection that was called "All Apps" has been renamed to be called "Apps". As the product evolves, "Apps" is a more fitting name for this default collection. Learn more.