What's new in Microsoft Entra ID?
Get notified about when to revisit this page for updates by copying and pasting this URL:
https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us
into your feed reader.
Microsoft Entra ID (previously known as Azure Active Directory) receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:
- The latest releases
- Known issues
- Bug fixes
- Deprecated functionality
- Plans for changes
Note
If you're currently using Azure Active Directory today or have previously deployed Azure Active Directory in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you.
This page updates monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Microsoft Entra ID?.
September 2024
Public preview - New Conditional Access Template Requiring Device Compliance
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
A new Conditional Access template requiring device compliance is now available in Public Preview. This template restricts access to company resources exclusively to devices enrolled in mobile device management (MDM) and compliant with company policy. Requiring device compliance improves data security, reducing risk of data breaches, malware infections, and unauthorized access. This is a recommended best practice for users and devices targeted by compliance policy through MDM. For more information, see: Common policy: Create a Conditional Access policy requiring device compliance.
Public Preview - Request on behalf of
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
Entitlement Management enables admins to create access packages to manage their organization’s resources. Admins can either directly assign users to an access package, or configure an access package policy that allows users and group members to request access. This option to create self-service processes is useful, especially as organizations scale and hire more employees. However, new employees joining an organization might not always know what they need access to, or how they can request access. In this case, a new employee would likely rely on their manager to guide them through the access request process.
Instead of having new employees navigate the request process, managers can request access packages for their employees, making onboarding faster and more seamless. To enable this functionality for managers, admins can select an option when setting up an access package policy that allows managers to request access on their employees' behalf.
Expanding self-service request flows to allow requests on behalf of employees ensures that users have timely access to necessary resources, and increases productivity. For more information, see: Request access package on-behalf-of other users (Preview).
August 2024
General Availability - restricted permissions on Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync
Type: Changed feature
Service category: Provisioning
Product capability: Microsoft Entra Connect
As part of ongoing security hardening, Microsoft removes unused permissions from the privileged Directory Synchronization Accounts role. This role is exclusively used by Microsoft Entra Connect Sync to synchronize Active Directory objects with Microsoft Entra ID. There's no action required by customers to benefit from this hardening, and the revised role permissions are documented here: Directory Synchronization Accounts.
Plan for change - My Security-Info Add sign-in method picker UX update
Type: Plan for change
Service category: MFA
Product capability: End User Experiences
Starting mid-October 2024, the Add sign-in method dialog on the My Security-Info page will be updated with a modern look and feel. With this change, new descriptors will be added under each method, which provide detail to users on how the sign-in method is used (ex. Microsoft Authenticator - Approve sign-in requests or use one-time codes).
Early next year, the Add sign-in method dialog will be enhanced to show an initially recommended sign-in method instead of initially showing the full list of sign-in methods available to register. The recommended sign-in method will default to the strongest method available to the user based on the organization’s authentication method policy. Users can select Show more options and choose from all available sign-in methods allowed by their policy.
This change will occur automatically, so admins take no action.
Change Announcement - Deferred Changes to My Groups Admin Controls
Type: Plan for change
Service category: Group Management
Product capability: AuthZ/Access Delegation
In October 2023, we shared that, starting June 2024, the existing Self Service Group Management setting in the Microsoft Entra Admin Center that states "restrict user ability to access groups features in My Groups" retires. These changes are under review, and might take place as originally planned. A new deprecation date will be announced in the future.
General Availability - Device based conditional access to M365/Azure resources on Red Hat Enterprise Linux
Type: New feature
Service category: Conditional Access
Product capability: SSO
Since October 2022, users on Ubuntu Desktop 20.04 LTS & Ubuntu 22.04 LTS with Microsoft Edge browser could register their devices with Microsoft Entra ID, enroll into Microsoft Intune management, and securely access corporate resources using device-based Conditional Access policies.
This release extends support to Red Hat Enterprise Linux 8.x and 9.x (LTS) which makes these capabilities possible:
- Microsoft Entra ID registration & enrollment of Red Hat LTS (8/9) desktops.
- Conditional Access policies protecting web applications via Microsoft Edge.
- Provides SSO for native & web applications (ex: Azure CLI, Microsoft Edge browser, Teams progressive web app (PWA), etc.) to access M365/Azure protected resources.
- Standard Intune compliance policies.
- Support for Bash scripts with custom compliance policies.
- Package Manager now supports RHEL RPM packages in addition to Debian DEB packages.
To learn more, see: Microsoft Entra registered devices.
July 2024
General Availability - Easy authentication with Azure App Service and Microsoft Entra External ID
Type: Changed feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
An improved experience when using Microsoft Entra External ID as an identity provider for Azure App Service’s built-in authentication, simplifying the process of configuring authentication and authorization for external-facing apps. You can complete initial configuration directly from the App Service authentication setup without switching into the external tenant. For more information, see: Quickstart: Add app authentication to your web app running on Azure App Service.
June 2024
Public Preview - MS Graph API support for per-user multifactor authentication
Type: New feature
Service category: MFA
Product capability: Identity Security & Protection
Starting June 2024, we're releasing the capability to manage user status (Enforced, Enabled, Disabled) for per-user multifactor authentication through MS Graph API. This update replaces the legacy MSOnline PowerShell module that is being retired. The recommended approach to protect users with Microsoft Entra multifactor authentication is Conditional Access (for licensed organizations) and security defaults (for unlicensed organizations). For more information, see: Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.
Public Preview - Easy authentication with Azure App Service and Microsoft Entra External ID
Type: Changed feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
We improved the experience when using Microsoft Entra External ID as an identity provider for Azure App Service’s built-in authentication, simplifying the process of configuring authentication and authorization for external-facing apps. You can complete initial configuration directly from the App Service authentication setup without switching into the external tenant. For more information, see: Quickstart: Add app authentication to your web app running on Azure App Service.
General Availability - Refactored account details screen in Microsoft Authenticator
Type: Plan for change
Service category: Microsoft Authenticator App
Product capability: User Authentication
In July, enhancements for the Microsoft Authenticator app UX roll out. The account details page of a user account is reorganized to help users better understand, and interact with, the information and buttons on the screen. Key actions that a user can do today are available in the refactored page, but they're organized in three sections or categories that help better communicate to users:
- Credentials configured in the app
- More sign in methods they can configure
- Account management options in the app
General Availability - SLA Attainment Report at the Tenant Level
Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting
In addition to providing global SLA performance, Microsoft Entra ID reports tenant-level SLA performance for organizations with at least 5,000 monthly active users. This feature entered general availability in May 2024. The Service Level Agreement (SLA) sets a minimum bar of 99.99% for the availability of Microsoft Entra ID user authentication, reported on a monthly basis in the Microsoft Entra admin center.
Preview - QR code sign-in, a new authentication method for Frontline Workers
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
We're introducing a new simple way for Frontline Workers to authenticate in Microsoft Entra ID with a QR code and PIN. This capability eliminates the need for users to enter and reenter long UPNs and alphanumeric passwords.
Beginning in August 2024, all users in your tenant now see a new link Sign in with QR code when navigating to https://login.partner.microsoftonline.cn > Sign-in options > Sign in to an organization. This new link, Sign in with QR code, is visible only on mobile devices (Android/iOS/iPadOS). If you aren't participating in the preview, users from your tenant can't sign in through this method while we're still in review. They receive an error message if they try to sign in.
The feature has a preview tag until it's generally available. Your organization needs to be enabled to test this feature. Broad testing is available in public preview, to be announced later.
While the feature is in preview, no technical support is provided. Learn more about support during previews here: Microsoft Entra ID preview program information.
May 2024
General Availability - Microsoft Azure operated by 21Vianet now supports My sign-ins and MFA/SSPR Combined Registration
Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection
Beginning end of June 2024, all organizations utilizing Microsoft Azure operated by 21Vianet now have access to My Sign-ins activity reporting. They're required to use the combined security information registration end-user experience for MFA and SSPR. As a result of this enablement, users now see a unified SSPR and MFA registration experience when prompted to register for SSPR or MFA. For more information, see: Combined security information registration for Microsoft Entra overview.
General Availability - $select in signIn API
Type: New feature
Service category: MS Graph
Product capability: Monitoring & Reporting
The long-awaited $select property is now implemented in the signIn API. Use $select to reduce the number of attributes that are returned for each log. This update should greatly help customers who deal with throttling issues, and allow every customer to run faster, more efficient queries.
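A sign-in log collector that combines $select with throttling-aware paging, as an added example rather than Microsoft's own code. The `http_get` transport, the field list and the constructed responses are assumptions made here so the block runs offline; in practice `http_get` would wrap an authenticated HTTP client.

```python
import time
from urllib.parse import urlencode, quote

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
# Properties a detection pipeline typically needs; everything else is dropped.
FIELDS = ["id", "createdDateTime", "userPrincipalName", "appDisplayName",
          "ipAddress", "status", "conditionalAccessStatus"]

def build_signins_url(fields, since_iso, top=500):
    """Build a signIns query that returns only the listed properties."""
    params = {
        "$select": ",".join(fields),
        "$filter": f"createdDateTime ge {since_iso}",
        "$top": str(top),
    }
    # Keep '$', ',' and ':' readable; spaces become %20.
    return GRAPH_SIGNINS + "?" + urlencode(params, safe="$,:", quote_via=quote)

def fetch_all(url, http_get, max_retries=5, sleep=time.sleep):
    """Follow @odata.nextLink and honour Retry-After on HTTP 429.

    http_get(url) -> (status, headers, body_dict) is a hypothetical transport
    supplied by the caller, for example a wrapper that adds the bearer token.
    """
    rows, retries = [], 0
    while url:
        status, headers, body = http_get(url)
        if status == 429:                      # throttled: wait, retry same page
            retries += 1
            if retries > max_retries:
                raise RuntimeError("still throttled after retries")
            sleep(int(headers.get("Retry-After", "5")))
            continue
        if status != 200:
            raise RuntimeError(f"Graph returned HTTP {status}")
        retries = 0
        rows.extend(body.get("value", []))
        url = body.get("@odata.nextLink")      # absent on the last page
    return rows

def fake_transport():
    """Constructed responses: one throttle, then two pages of results."""
    script = [
        (429, {"Retry-After": "2"}, {}),
        (200, {}, {"value": [{"id": "a1", "status": {"errorCode": 0}}],
                   "@odata.nextLink": GRAPH_SIGNINS + "?$skiptoken=CONSTRUCTED"}),
        (200, {}, {"value": [{"id": "b2", "status": {"errorCode": 50126}}]}),
    ]
    calls = []
    def get(url):
        calls.append(url)
        return script[len(calls) - 1]
    return get, calls

if __name__ == "__main__":
    get, calls = fake_transport()
    start = build_signins_url(FIELDS, "2024-05-01T00:00:00Z")
    for row in fetch_all(start, get, sleep=lambda s: None):
        print(row)
```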
Public Preview - Bicep templates support for Microsoft Graph
Type: New feature
Service category: MS Graph
Product capability: Developer Experience
The Microsoft Graph Bicep extension brings declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. It allows you to author, deploy, and manage core Microsoft Entra ID resources using Bicep template files, alongside Azure resources.
- Existing Azure customers can now use familiar tools to deploy Azure resources and the Microsoft Entra resources they depend on, such as applications and service principals, IaC and DevOps practices.
- It also opens the door for existing Microsoft Entra customers to use Bicep templates and IaC practices to deploy and manage their tenant's Microsoft Entra resources.
For more information, see: Bicep templates for Microsoft Graph resources.
Public Preview - Platform Single Sign-on for macOS with Microsoft Entra ID
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
Today we’re announcing that Platform SSO for macOS is available in public preview with Microsoft Entra ID. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in for Apple Devices that makes usage and management of Mac devices more seamless and secure than ever. At the start of public preview, Platform SSO works with Microsoft Intune. Other Mobile Device Management (MDM) providers are coming soon. Contact your MDM provider for more information on support and availability. For more information, see: macOS Platform Single Sign-on overview (preview).
General Availability - LastSuccessfulSignIn
Type: Changed feature
Service category: MS Graph
Product capability: Monitoring & Reporting
Due to popular demand and increased confidence in the stability of the properties, the update adds LastSuccessfulSignIn & LastSuccessfulSigninDateTime into V1. Feel free to take dependencies on these properties in your production environments now. For more information, see: signInActivity resource type.
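A stale-account review built on the new property, as an added example and not part of the release notes. It compares lastSuccessfulSignInDateTime with the older lastSignInDateTime, which the signInActivity documentation describes as recording the last interactive attempt whether or not it succeeded. The user records, the 90-day threshold and the category names are constructed here.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Graph timestamps are ISO 8601 UTC ending in 'Z'; None means no record."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify(user, now, max_age_days=90):
    """Classify one user object returned with $select=...,signInActivity."""
    activity = user.get("signInActivity") or {}
    cutoff = now - timedelta(days=max_age_days)
    last_ok = parse_ts(activity.get("lastSuccessfulSignInDateTime"))
    last_try = parse_ts(activity.get("lastSignInDateTime"))
    if last_ok and last_ok >= cutoff:
        return "active"
    # No recent success, yet something is still trying to sign in: a dormant
    # account that looks fresh if only lastSignInDateTime is checked.
    if last_try and last_try >= cutoff:
        return "stale-with-recent-attempts"
    return "stale"  # assumption: a missing timestamp is treated as stale

def review(users, now, max_age_days=90):
    """Group user principal names by classification."""
    report = {"active": [], "stale-with-recent-attempts": [], "stale": []}
    for user in users:
        report[classify(user, now, max_age_days)].append(user["userPrincipalName"])
    return report

# Constructed sample records, shaped like Graph user objects.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:15:00Z",
                        "lastSuccessfulSignInDateTime": "2024-05-20T08:15:00Z"}},
    {"userPrincipalName": "svc-legacy@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T03:02:11Z",
                        "lastSuccessfulSignInDateTime": "2023-12-10T11:00:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "signInActivity": None},
]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for category, names in review(SAMPLE_USERS, now).items():
        print(category, names)
```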
General Availability - Changing default accepted token version for new applications
Type: Plan for change
Service category: Other
Product capability: Developer Experience
Beginning in August 2024, new Microsoft Entra applications created using any interface (including the Microsoft Entra admin center, Azure portal, PowerShell/CLI, or the Microsoft Graph application API) have the default value of the requestedAccessTokenVersion property in the app registration set to 2. This capability is a change from the previous default of null (meaning 1). This means that new resource applications receive v2 access tokens instead of v1 by default. This update improves the security of apps. For more information on differences between token versions, see: Access tokens in the Microsoft identity platform and Access token claims reference.
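What the default change means for an API's token validation, as an added example that is not Microsoft's code: v1 and v2 access tokens differ in the ver, iss and aud claims, so a validator configured for one version rejects the other. The tenant and client IDs are constructed, a single-tenant app in the global cloud is assumed, and signature verification is assumed to be done beforehand by a JWT library.

```python
# Issuer formats for the global cloud (national clouds use other hosts).
ISSUER = {
    "1.0": "https://sts.windows.net/{tid}/",
    "2.0": "https://login.microsoftonline.com/{tid}/v2.0",
}

def expected_ver(requested_access_token_version):
    """null and 1 both yield v1 tokens; 2 yields v2 tokens."""
    return "2.0" if requested_access_token_version == 2 else "1.0"

def check_claims(claims, tenant_id, client_id, app_id_uri,
                 requested_access_token_version):
    """Return a list of mismatches; an empty list means the claims fit."""
    ver = expected_ver(requested_access_token_version)
    problems = []
    if claims.get("ver") != ver:
        problems.append(f"ver: expected {ver}, got {claims.get('ver')}")
    if claims.get("tid") != tenant_id:
        problems.append("tid: token was issued for another tenant")
    want_iss = ISSUER[ver].format(tid=tenant_id)
    if claims.get("iss") != want_iss:
        problems.append(f"iss: expected {want_iss}, got {claims.get('iss')}")
    # v2 tokens always carry the API's client ID as audience; v1 tokens may
    # carry either the client ID or the resource URI used in the request.
    allowed_aud = {client_id} if ver == "2.0" else {client_id, app_id_uri}
    if claims.get("aud") not in allowed_aud:
        problems.append(f"aud: {claims.get('aud')} not in {sorted(allowed_aud)}")
    return problems

# Constructed identifiers and decoded claim sets.
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT = "22222222-2222-2222-2222-222222222222"
APP_URI = "api://" + CLIENT
V1_CLAIMS = {"ver": "1.0", "tid": TENANT, "aud": APP_URI,
             "iss": "https://sts.windows.net/" + TENANT + "/"}
V2_CLAIMS = {"ver": "2.0", "tid": TENANT, "aud": CLIENT,
             "iss": "https://login.microsoftonline.com/" + TENANT + "/v2.0"}

if __name__ == "__main__":
    # An app registered with the new default (2) that still sees v1-shaped claims.
    for line in check_claims(V1_CLAIMS, TENANT, CLIENT, APP_URI, 2):
        print(line)
```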
General Availability - Windows Account extension is now Microsoft Single Sign On
Type: Changed feature
Service category: Authentications (Logins)
Product capability: SSO
The Windows Account extension is now the Microsoft Single Sign On extension in docs and Chrome store. The Windows Account extension is updated to represent the new macOS compatibility. This capability is now known as the Microsoft Single Sign On (SSO) extension for Chrome, offering single sign-on and device identity features with the Enterprise SSO plug-in for Apple devices. This update is only a name change for the extension; there are no software changes to the extension itself.
April 2024
General availability - PIM approvals and activations on the Azure mobile app (iOS and Android) are available now
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
PIM is now available on the Azure mobile app in both iOS and Android. Customers can now approve or deny incoming PIM activation requests. Customers can also activate Microsoft Entra ID and Azure resource role assignments directly from an app on their devices. For more information, see: Activate PIM roles using the Azure mobile app.
General Availability - Dynamic Groups quota increased to 15,000.
Type: Changed feature
Service category: Group Management
Product capability: Directory
Microsoft Entra organizations could previously have a maximum of 15,000 dynamic membership groups and dynamic administrative units combined.
This quota is increased to 15,000. For example, you can now have 15,000 dynamic membership groups and 10,000 dynamic AUs (or any other combination that adds up to 15k). You don't need to do anything to take advantage of this change - this update is available right now. For more information, see: Microsoft Entra service limits and restrictions.
General Availability - Microsoft Graph activity logs
Type: New feature
Service category: Microsoft Graph
Product capability: Monitoring & Reporting
Microsoft Graph activity logs are now generally available! Microsoft Graph activity logs give you visibility into HTTP requests made to the Microsoft Graph service in your tenant. With rapidly growing security threats, and an increasing number of attacks, this log data source allows you to perform security analysis, threat hunting, and monitor application activity in your tenant. For more information, see: Access Microsoft Graph activity logs.
Public Preview - Assign Microsoft Entra roles using Entitlement Management
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management
By assigning Microsoft Entra roles to employees, and guests, using Entitlement Management, you can look at a user's entitlements to quickly determine which roles are assigned to that user. When you include a Microsoft Entra role as a resource in an access package, you can also specify whether that role assignment is eligible or active.
Assigning Microsoft Entra roles through access packages helps to efficiently manage role assignments at scale and improves the role. For more information, see: Assign Microsoft Entra roles (Preview).
General Availability - Self-service password reset Admin policy expansion to include more roles
Type: Changed feature
Service category: Self Service Password Reset
Product capability: Identity Security & Protection
Self-service password reset (SSPR) policy for Admins expands to include three extra built-in admin roles. These extra roles include:
- Teams Administrator
- Teams Communications Administrator
- Teams Devices Administrator
For more information on Self-service password reset for admins, including the full list of in-scope admin roles, see Administrator reset policy differences.