Archive for What's new in Microsoft Entra ID?

The primary What's new in Microsoft Entra ID? release notes article contains updates for the last six months, while this article contains Information up to 18 months.

The What's new in Microsoft Entra ID? Release notes provide information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

March 2024

Public Preview - Convert external users to internal

Type: New feature
Service category: User Management
Product capability: User Management

External user conversion enables customers to convert external users to internal members without needing to delete and create new user objects. Maintaining the same underlying object ensures the user’s account, and access to resources, isn’t disrupted and that their history of activities remains intact as their relationship with the host organization changes.

The external to internal user conversion feature includes the ability to convert on-premises synchronized users as well. For more information, see: Convert external users to internal users (Preview).


Public Preview - Alternate Email Notifications for Lockbox Requests

Type: New feature
Service category: Other
Product capability: Access Control

Customer Lockbox for Azure is launching a new feature that enables customers to use alternate email IDs for getting lockbox notifications. This capability enables Lockbox customers to receive notifications in scenarios where their Azure account isn't email enabled, or if they have a service principal defined as the tenant admin or subscription owner.


Plan for change - Conditional Access location condition is moving up

Type: Plan for change
Service category: Conditional Access
Product capability: Identity Security & Protection

Beginning in mid-April 2024, the Conditional Access Locations condition is moving up. Locations become the Network assignment, with the new Global Secure Access assignment - All compliant network locations.

This change occurs automatically, so admins take no action. Here's more details:

  • The familiar Locations condition is unchanged, updating the policy in the Locations condition are reflected in the Network assignment, and vice versa.
  • No functionality changes, existing policies continue to work without changes.

Public Preview - Azure Lockbox Approver Role for Subscription Scoped Requests

Type: New feature
Service category: Other
Product capability: Identity Governance

Customer Lockbox for Azure is launching a new built-in Azure Role-based access control role that enables customers to use a lesser privileged role for users responsible for approving/rejecting Customer Lockbox requests. This feature is targeted to the customer admin workflow where a lockbox approver acts on the request from Microsoft Support engineer to access Azure resources in a customer subscription.

In this first phase, we're launching a new built-in Azure Role-based Access Control role. This role helps scope down the access possible for an individual with Azure Customer Lockbox approver rights on a subscription and its resources. A similar role for tenant-scoped requests is available in subsequent releases.


General Availability - TLS 1.3 support for Microsoft Entra

Type: New feature
Service category: Other
Product capability: Platform

We're excited to announce that Microsoft Entra, is rolling out support for Transport Layer Security (TLS) 1.3 for its endpoints to align with security best practices (NIST - SP 800-52 Rev. 2). With this change, the Microsoft Entra ID related endpoints support both TLS 1.2 and TLS 1.3 protocols. For more information, see: TLS 1.3 support for Microsoft Entra services.


General Availability - Changing Passwords in My Security Info

Type: New feature
Service category: My Security Info
Product capability: End User Experiences

Now Generally Available, My Sign Ins (My sign-ins (microsoft.com)) supports end users changing their passwords inline. When a user authenticates with a password and an MFA credential, they're able to are able to change their password without entering their existing password. Beginning April 1, through a phased rollout, traffic from the Change password (azure.cn) portal will redirect to the new My Sign Ins change experience. The Change password (azure.cn) will no longer be available after June 2024, but will continue to redirect to the new experience.

For more information, see:


February 2024

Public Preview - Expansion of the Conditional Access reauthentication policy for additional scenarios

Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Reauthentication policy lets you require users to interactively provide their credentials again, typically before accessing critical applications and taking sensitive actions. Combined with Conditional Access session control of Sign-in frequency, you can require reauthentication for users and sign-ins with risk, or for Intune enrollment. With this public preview, you can now require reauthentication on any resource protected by Conditional Access. For more information, see: Require reauthentication every time.


General Availability - Granular filtering of Conditional Access policy list

Type: New feature
Service category: Conditional Access
Product capability: Access Control

Conditional access policies can now be filtered on actor, target resources, conditions, grant control, and session control. The granular filtering experience can help admins quickly discover policies containing specific configurations. For more information, see: What is Conditional Access?.


End of support - Azure Active Directory Connector for Forefront Identity Manager (FIM WAAD Connector)

Type: Deprecated
Service category: Microsoft Identity Manager
Product capability: Inbound to Microsoft Entra ID

The Azure Active Directory Connector for Forefront Identity Manager (FIM WAAD Connector) from 2014 was deprecated in 2021. The standard support for this connector ended in April 2024. Customers must remove this connector from their MIM sync deployment, and instead use an alternative provisioning mechanism. For more information, see: Migrate a Microsoft Entra provisioning scenario from the FIM Connector for Microsoft Entra ID.


January 2024

Generally Availability - New Microsoft Entra Home page

Type: Changed feature
Service category: N/A
Product capability: Directory

We redesigned the Microsoft Entra admin center's homepage to help you do the following tasks:

  • Learn about the product suite
  • Identify opportunities to maximize feature value
  • Stay up to date with recent announcements, new features, and more!

See the new experience here: https://entra.microsoftonline.cn/


Generally Availability - Conditional Access filters for apps

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Filters for apps in Conditional Access simplify policy management by allowing admins to tag applications with custom security, and target them in Conditional Access policies, instead of using direct assignments. With this feature, customers can scale up their policies, and protect any number of apps. For more information, see: Conditional Access: Filter for applications


December 2023

Public Preview - Configurable redemption order for B2B collaboration

Type: New feature
Service category: B2B
Product capability: B2B/B2C

With configurable redemption, you can customize the order of identity providers that your guest users can sign in with when they accept your invitation. This option lets your override the default configuration order set by Microsoft and use your own. This option can be used to help with scenarios like prioritizing a SAML/WS-fed federation above a Microsoft Entra ID verified domain. This option disables certain identity providers during redemption, or even only using something like email one-time pass-code as a redemption option. For more information, see: Configurable redemption (Preview).


General Availability - Edits to Dynamic Group Rule Builder

Type: Changed feature
Service category: Group Management
Product capability: Directory

The dynamic group rule builder is updated to no longer include the 'contains' and 'notContains' operators, as they're less performant. If needed, you can still create rules for dynamic membership groups with those operators by typing directly into the text box. For more information, see: Rule builder in the Azure portal.


November 2023

General Availability - Guest Governance: Inactive Guest Insights

Type: New feature
Service category: Reporting
Product capability: Identity Governance

Monitor guest accounts at scale with intelligent insights into inactive guest users in your organization. Customize the inactivity threshold depending on your organization’s needs, narrow down the scope of guest users you want to monitor, and identify the guest users that might be inactive. For more information, see: Monitor and clean up stale guest accounts using access reviews.


Public Preview - lastSuccessfulSignIn property in signInActivity API

Type: New feature
Service category: MS Graph
Product capability: End User Experiences

An extra property is added to signInActivity API to display the last successful sign in time for a specific user, regardless if the sign in was interactive or non-interactive. The data won't be backfilled for this property, so you should expect to be returned only successful sign in data starting on December 8, 2023.


General Availability - Autorollout of Conditional Access policies

Type: New feature
Service category: Conditional Access
Product capability: Access Control

Starting in November 2023, Microsoft begins automatically protecting customers with Microsoft managed Conditional Access policies. Microsoft creates and enables these policies in external tenants. The following policies are rolled out to all eligible tenants, who are notified before policy creation:

  1. Multifactor authentication for admin portals: This policy covers privileged admin roles and requires multifactor authentication when an admin signs into a Microsoft admin portal.
  2. Multifactor authentication for per-user multifactor authentication users: This policy covers users with per-user multifactor authentication and requires multifactor authentication for all cloud apps.
  3. Multifactor authentication for high-risk sign-ins: This policy covers all users and requires multifactor authentication and reauthentication for high-risk sign-ins.

For more information, see:


General Availability - Custom security attributes in Microsoft Entra ID

Type: New feature
Service category: Directory Management
Product capability: Directory

Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. Custom security attributes can be used with Azure attribute-based access control (Azure ABAC). For more information, see: What are custom security attributes in Microsoft Entra ID?.

Changes were made to custom security attribute audit logs for general availability that might affect your daily operations. If you have been using custom security attribute audit logs during the preview, there are the actions you must take before February 2024 to ensure your audit log operations aren't disrupted. For more information, see: Custom security attribute audit logs.


October 2023

Public Preview - Managing and Changing Passwords in My Security Info

Type: New feature
Service category: My Profile/Account
Product capability: End User Experiences

My Sign Ins (My Sign-Ins (microsoft.com)) now supports end users managing and changing their passwords. Users are able to manage passwords in My Security Info and change their password inline. If a user authenticates with a password and an MFA credential, they're able to are able to change their password without entering their existing password.

For more information, see: Combined security information registration for Microsoft Entra overview.


General Availability - Enhanced Devices List Management Experience

Type: Changed feature
Service category: Device Access Management
Product capability: End User Experiences

Several changes were made to the All Devices list since announcing public preview, including:

  • Prioritized consistency and accessibility across the different components
  • Modernized the list and addressed top customer feedback
    • Added infinite scrolling, column reordering, and the ability to select all devices
    • Added filters for OS Version and Autopilot devices
  • Created more connections between Microsoft Entra and Intune
    • Added links to Intune in Compliant and MDM columns
    • Added Security Settings Management column

For more information, see: View and filter your devices.


General Availability - Microsoft Security email update and Resources for Azure Active Directory rename to Microsoft Entra ID

Type: Plan for change
Service category: Other
Product capability: End User Experiences

Microsoft Entra ID is the new name for Azure Active Directory (Azure AD). The rename and new product icon are now being deployed across experiences from Microsoft. Most updates are complete by mid-November of this year. As previously announced, it's a new name change, with no effect on deployments or daily work. There are no changes to capabilities, licensing, terms of service, or support.

From October 15 to November 15, Azure AD emails previously sent from azure-noreply@microsoft.com will start being sent from MSSecurity-noreply@microsoft.com. You might need to update your Outlook rules to match this change.

Additionally, we update email content to remove all references of Azure AD where relevant, and include an informational banner that announces this change.

Here are some resources to guide you rename your own product experiences or content where necessary:


General Availability - Restrict Microsoft Entra ID Tenant Creation To Only Paid Subscription

Type: Changed feature
Service category: Managed identities for Azure resources
Product capability: End User Experiences

The ability to create new tenants from the Microsoft Entra admin center allows users in your organization to create test and demo tenants from your Microsoft Entra ID tenant, Learn more about creating tenants. When used incorrectly this feature can allow the creation of tenants that aren't managed or viewable by your organization. We recommend that you restrict this capability so that only trusted admins can use this feature, Learn more about restricting member users' default permissions. We also recommend you use the Microsoft Entra audit log to monitor for the Directory Management: Create Company event that signals a new tenant created by a user in your organization.

To further protect your organization, Microsoft is now limiting this functionality to only paid customers. Customers on trial subscriptions are unable to create more tenants from the Microsoft Entra admin center. Customers in this situation who need a new trial tenant can sign up for a Free Azure Account.


General Availability - Users can't modify GPS location when using location based access control

Type: Plan for change
Service category: Conditional Access
Product capability: User Authentication

In an ever-evolving security landscape, the Microsoft Authenticator is updating its security baseline for Location Based Access Control (LBAC) conditional access policies. Microsoft does this to disallow authentications where the user might be using a different location than the actual GPS location of the mobile device. Today, it's possible for users to modify the location reported by the device on iOS and Android devices. The Authenticator app starts to deny LBAC authentications where we detect that the user isn't using the actual location of the mobile device where the Authenticator is installed.

In the November 2023 release of the Authenticator app, users who are modifying the location of their device sees a denial message in the app when doing an LBAC authentication. Microsoft ensures that users aren’t using older app versions to continue authenticating with a modified location. Beginning January 2024, any users that are on Android Authenticator 6.2309.6329 version or prior and iOS Authenticator version 6.7.16 or prior are blocked from using LBAC. To determine which users are using older versions of the Authenticator app, you can use our MSGraph APIs.


Public Preview - Overview page in My Access portal

Type: New feature
Service category: Entitlement Management
Product capability: Identity Governance

Today, when users navigate to myaccess.microsoftonline.cn, they land on a list of available access packages in their organization. The new Overview page provides a more relevant place for users to land. The Overview page points them to the tasks they need to complete and helps familiarize users with how to complete tasks in My Access.

Admins can enable/disable the Overview page preview by signing into the Microsoft Entra admin center and navigating to Entitlement management > Settings > Opt-in Preview Features and locating My Access overview page in the table.

For more information, see: My Access Overview page (preview).


Public Preview - Microsoft Graph Activity Logs

Type: New feature
Service category: Microsoft Graph
Product capability: Monitoring & Reporting

The MicrosoftGraphActivityLogs provides administrators full visibility into all HTTP requests accessing your tenant’s resources through the Microsoft Graph API. These logs can be used to find activity from compromised accounts, identify anomalous behavior, or investigate application activity. For more information, see: Access Microsoft Graph activity logs (preview).


September 2023

General Availability - Recovery of deleted application and service principals is now available

Type: New feature
Service category: Enterprise Apps
Product capability: Identity Lifecycle Management

With this release, you can now recover applications along with their original service principals, eliminating the need for extensive reconfiguration and code changes (Learn more). It significantly improves the application recovery story and addresses a long-standing customer need. This change is beneficial to you on:

  • Faster Recovery: You can now recover their systems in a fraction of the time it used to take, reducing downtime and minimizing disruptions.
  • Cost Savings: With quicker recovery, you can save on operational costs associated with extended outages and labor-intensive recovery efforts.
  • Preserved Data: Previously lost data, such as SMAL configurations, is now retained, ensuring a smoother transition back to normal operations.
  • Improved User Experience: Faster recovery times translate to improved user experience and customer satisfaction, as applications are backed up and running swiftly.

General Availability - Web Sign-In for Windows

Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're thrilled to announce that as part of the Windows 11 September moment, we're releasing a new Web Sign-In experience that will expand the number of supported scenarios and greatly improve security, reliability, performance, and overall end-to-end experience for our users.

Web Sign-In (WSI) is a credential provider on the Windows lock/sign-in screen for AADJ joined devices that provide a web experience used for authentication and returns an auth token back to the operating system to allow the user to unlock/sign-in to the machine.

Web Sign-In was initially intended to be used for a wide range of auth credential scenarios; however, it was only previously released for limited scenarios such as: Simplified EDU Web Sign-In and recovery flows via Temporary Access Password (TAP).

The underlying provider for Web Sign-In is rewritten from the ground up with security and improved performance in mind. This release moves the Web Sign-in infrastructure from the Cloud Host Experience (CHX) WebApp to a newly written sign in Web Host (LWH) for the September moment. This release provides better security and reliability to support previous EDU & TAP experiences and new workflows enabling using various Auth Methods to unlock/sig in to the desktop.


General Availability - Support for Microsoft admin portals in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:

  • Azure portal
  • Exchange admin center
  • Microsoft 365 admin center
  • Microsoft 365 Defender portal
  • Microsoft Entra admin center
  • Microsoft Intune admin center
  • Microsoft Purview compliance portal

For more information, see: Microsoft Admin Portals.


August 2023

General Availability - Tenant Restrictions V2

Type: New feature
Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Tenant Restrictions V2 (TRv2) is now generally available for authentication plane via proxy.

TRv2 allows organizations to enable safe and productive cross-company collaboration while containing data exfiltration risk. With TRv2, you can control what external tenants your users can access from your devices or network using externally issued identities and provide granular access control on a per org, user, group, and application basis.

TRv2 uses the cross-tenant access policy, and offers both authentication and data plane protection. It enforces policies during user authentication, and on data plane access with Exchange Online, SharePoint Online, Teams, and MSGraph. While the data plane support with Windows GPO and Global Secure Access is still in public preview, authentication plane support with proxy is now generally available.

Visit Set up tenant restrictions v2 for more information on tenant restriction V2.


Public Preview - Cross-tenant access settings supports custom Role-Based Access Controls roles and protected actions

Type: New feature
Service category: B2B
Product capability: B2B/B2C

Cross-tenant access settings can be managed with custom roles defined by your organization. This capability enables you to define your own finely scoped roles to manage cross-tenant access settings instead of using one of the built-in roles for management. Learn more about creating your own custom roles.

You can also now protect privileged actions inside of cross-tenant access settings using Conditional Access. For example, you can require MFA before allowing changes to default settings for B2B collaboration. Learn more about Protected actions.


General Availability - Additional settings in Entitlement Management autoassignment policy

Type: Changed feature
Service category: Entitlement Management
Product capability: Entitlement Management

In the Microsoft Entra ID Governance entitlement management autoassignment policy, there are three new settings. This capability allows a customer to select to not have the policy create assignments, not remove assignments, and to delay assignment removal.


Public Preview - Setting for guest losing access

Type: Changed feature
Service category: Entitlement Management
Product capability: Entitlement Management

An administrator can configure that when a guest brought in through entitlement management has lost their last access package assignment, they're deleted after a specified number of days. For more information, see: Govern access for external users in entitlement management.


July 2023

General Availability: Azure Active Directory (Azure AD) is being renamed.

Type: Changed feature
Service category: N/A
Product capability: End User Experiences

No action is required from you, but you might need to update some of your own documentation.

Azure AD is being renamed to Microsoft Entra ID. The name change rolls out across all Microsoft products and experiences throughout the second half of 2023.

Capabilities, licensing, and usage of the product isn't changing. To make the transition seamless for you, the pricing, terms, service level agreements, URLs, APIs, PowerShell cmdlets, Microsoft Authentication Library (MSAL) and developer tooling remain the same.

Learn more and get renaming details: New name for Azure Active Directory.


General Availability - Include/exclude My Apps in Conditional Access policies

Type: Fixed
Service category: Conditional Access
Product capability: End User Experiences

My Apps can now be targeted in Conditional Access policies. This solves a top customer blocker. The functionality is available in all clouds. GA also brings a new app launcher, which improves app launch performance for both SAML and other app types.

Learn More about setting up Conditional Access policies here: Azure AD Conditional Access documentation.


General Availability - Conditional Access for Protected Actions

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Protected actions are high-risk operations, such as altering access policies or changing trust settings, that can significantly impact an organization's security. To add an extra layer of protection, Conditional Access for Protected Actions lets organizations define specific conditions for users to perform these sensitive tasks. For more information, see: What are protected actions in Azure AD?.


General Availability - Access Reviews for Inactive Users

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

This new feature, part of the Microsoft Entra ID Governance SKU, allows admins to review and address stale accounts that haven’t been active for a specified period. Admins can set a specific duration to determine inactive accounts that weren't used for either interactive or non-interactive sign-in activities. As part of the review process, stale accounts can automatically be removed. For more information, see: Microsoft Entra ID Governance Introduces Two New Features in Access Reviews.


General Availability - Automatic assignments to access packages in Microsoft Entra ID Governance

Type: Changed feature
Service category: Entitlement Management
Product capability: Entitlement Management

Microsoft Entra ID Governance includes the ability for a customer to configure an assignment policy in an entitlement management access package that includes an attribute-based rule, similar to dynamic membership groups, of the users who should be assigned access. For more information, see: Configure an automatic assignment policy for an access package in entitlement management.


General Availability - Custom Extensions in Entitlement Management

Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

Custom extensions in Entitlement Management are now generally available, and allow you to extend the access lifecycle with your organization-specific processes and business logic when access is requested or about to expire. With custom extensions you can create tickets for manual access provisioning in disconnected systems, send custom notifications to other stakeholders, or automate other access-related configuration in your business applications such as assigning the correct sales region in Salesforce. You can also use custom extensions to embed external governance, risk, and compliance (GRC) checks in the access request.

For more information, see:


General Availability - Conditional Access templates

Type: Plan for change
Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access templates are predefined set of conditions and controls that provide a convenient method to deploy new policies aligned with Microsoft recommendations. Customers are assured that their policies reflect modern best practices for securing corporate assets, promoting secure, optimal access for their hybrid workforce. For more information, see: Conditional Access templates.


General Availability - Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities.

Type: New feature
Service category: User Experience and Management
Product capability: User Authentication

Update the Microsoft Entra ID and Microsoft 365 sign in experience with new Company Branding capabilities. You can apply your company’s brand guidance to authentication experiences with predefined templates. For more information, see: Company Branding


Type: Changed feature
Service category: User Experience and Management
Product capability: End User Experiences

Update the Company Branding functionality on the Microsoft Entra ID/Microsoft 365 sign in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks, and a browser icon. For more information, see: Company Branding


General Availability - User-to-Group Affiliation recommendation for group Access Reviews

Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

This feature provides Machine Learning based recommendations to the reviewers of Access Reviews to make the review experience easier and more accurate. The recommendation uses machine learning based scoring mechanism and compares users’ relative affiliation with other users in the group, based on the organization’s reporting structure. For more information, see: Review recommendations for Access reviews and Introducing Machine Learning based recommendations in Access reviews


Public Preview - Inactive guest insights

Type: New feature
Service category: Reporting
Product capability: Identity Governance

Monitor guest accounts at scale with intelligent insights into inactive guest users in your organization. Customize the inactivity threshold depending on your organization’s needs, narrowing down the scope of guest users you want to monitor and identify the guest users that might be inactive. For more information, see: Monitor and clean up stale guest accounts using access reviews.


Public Preview - Graph beta API for PIM security alerts on Azure Active Directory roles

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Announcing API support (beta) for managing PIM security alerts for Azure Active Directory roles. Azure Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your organization in Azure Active Directory, part of Microsoft Entra. You can now manage these alerts using REST APIs. These alerts can also be managed through the Azure portal. For more information, see: unifiedRoleManagementAlert resource type.


General Availability - Reset Password on Azure Mobile App

Type: New feature
Service category: Other
Product capability: End User Experiences

The Azure mobile app is enhanced to empower admins with specific permissions to conveniently reset their users' passwords. Self Service Password Reset isn't supported at this time. However, users can still more efficiently control and streamline their own sign-in and auth methods. The mobile app can be downloaded for each platform here:


Public Preview - Dynamic Groups based on EmployeeHireDate User attribute

Type: New feature
Service category: Group Management
Product capability: Directory

This feature enables admins to create rules for dynamic membership groups based on the user objects' employeeHireDate attribute. For more information, see: Properties of type string.


General Availability - Enhanced Create User and Invite User Experiences

Type: Changed feature
Service category: User Management
Product capability: User Management

We've increased the number of properties admins are able to define when creating and inviting a user in the Entra admin portal, bringing our UX to parity with our Create User APIs. Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: Add or delete users using Azure Active Directory.


General Availability - All Users and User Profile

Type: Changed feature
Service category: User Management
Product capability: User Management

The All Users list now features an infinite scroll, and admins can now modify more properties in the User Profile. For more information, see: How to create, invite, and delete users.


General Availability - Microsoft Authentication Library for .NET 4.55.0

Type: New feature
Service category: Other
Product capability: User Authentication

Earlier this month we announced the release of MSAL.NET 4.55.0, the latest version of the Microsoft Authentication Library for the .NET platform. The new version introduces support for user-assigned managed identity being specified through object IDs, CIAM authorities in the WithTenantId API, better error messages when dealing with cache serialization, and improved logging when using the Windows authentication broker.


General Availability - Microsoft Authentication Library for Python 1.23.0

Type: New feature
Service category: Other
Product capability: User Authentication

Earlier this month, the Microsoft Authentication Library team announced the release of MSAL for Python version 1.23.0. The new version of the library adds support for better caching when using client credentials, eliminating the need to request new tokens repeatedly when cached tokens exist.

To learn more about MSAL for Python, see: Microsoft Authentication Library (MSAL) for Python.


June 2023

General Availability - Include/exclude Entitlement Management in Conditional Access policies

Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

The Entitlement Management service can now be targeted in the Conditional Access policy for inclusion or exclusion of applications. To target the Entitlement Management service, select “Azure AD Identity Governance - Entitlement Management” in the cloud apps picker. The Entitlement Management app includes the entitlement management part of My Access, the Entitlement Management part of the Microsoft Entra and Azure portals, and the Entitlement Management part of MS Graph. For more information, see: Review your Conditional Access policies.


General Availability - Azure Active Directory User and Group capabilities on Azure Mobile are now available

Type: New feature
Service category: Azure Mobile App
Product capability: End User Experiences

The Azure Mobile app now includes a section for Azure Active Directory. Within Azure Active Directory on mobile, user can search for and view more details about user and groups. Additionally, permitted users can invite guest users to their active tenant, assign group membership and ownership for users, and view user sign-in logs. For more information, see: Get the Azure mobile app.


Plan for change - Modernizing Terms of Use Experiences

Type: Plan for change
Service category: Terms of Use
Product capability: AuthZ/Access Delegation

Recently we announced the modernization of terms of use end-user experiences as part of ongoing service improvements. As previously communicated the end user experiences is updated with a new PDF viewer and are moving from https://account.activedirectory.windowsazure.cn to https://myaccount.windowsazure.cn.

Starting today the modernized experience for viewing previously accepted terms of use is available via https://myaccount.windowsazure.cn/termsofuse/myacceptances. We encourage you to check out the modernized experience, which follows the same updated design pattern as the upcoming modernization of accepting or declining terms of use as part of the sign-in flow. We would appreciate your feedback before we begin to modernize the sign-in flow.


General Availability - Privileged Identity Management for Groups

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management for Groups is now generally available. With this feature, you have the ability to grant users just-in-time membership in a group, which in turn provides access to Azure Active Directory roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications. Through one activation, you can conveniently assign a combination of permissions across different applications and Role-Based Access Control systems.

PIM for Groups offers can also be used for just-in-time ownership. As the owner of the group, you can manage group properties, including membership. For more information, see: Privileged Identity Management (PIM) for Groups.


General Availability - Privileged Identity Management and Conditional Access integration

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

The Privileged Identity Management (PIM) integration with Conditional Access authentication context is generally available. You can require users to meet various requirements during role activation such as:

  • Activate from a compliant device
  • Validate location based on GPS
  • Meet other requirements defined in Conditional Access policies

The integration is available for all providers: PIM for Azure AD roles, PIM for Azure resources, PIM for groups. For more information, see:


General Availability - Updated look and feel for Per-user MFA

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

As part of ongoing service improvements, we're making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change doesn't include any changes to the core functionality and only includes visual improvements. For more information, see: Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.


Public Preview - Restricted Management Administrative Units

Type: New feature
Service category: Directory Management
Product capability: Access Control

Restricted Management Administrative Units allow you to restrict modification of users, security groups, and device in Azure AD so that only designated administrators can make changes. Global Administrators and other tenant-level administrators can't modify the users, security groups, or devices that are added to a restricted management admin unit. For more information, see: Restricted management administrative units in Azure Active Directory (Preview).


May 2023

General Availability - SAML/Ws-Fed based identity provider authentication for Azure Active Directory B2B users in US Sec and US Nat clouds

Type: New feature
Service category: B2B
Product capability: B2B/B2C

SAML/Ws-Fed based identity providers for authentication in Azure AD B2B are generally available in US Sec, US Nat and China clouds. For more information, see: Federation with SAML/WS-Fed identity providers for guest users.


Public Preview(Refresh) - Custom Extensions in Entitlement Management

Type: New feature
Service category: Entitlement management
Product capability: Identity Governance

Last year we announced the public preview of custom extensions in Entitlement Management allowing you to automate complex processes when access is requested or about to expire. We have recently expanded the public preview to allow for the access package assignment request to be paused while your external process is running. In addition, the external process can now provide feedback to Entitlement Management to either surface additional information to end users in MyAccess or even stop the access request. This expands the scenarios of custom extension from notifications to additional stakeholders or the generation of tickets to advanced scenarios such as external governance, risk, and compliance checks. In the course of this update, we've also improved the audit logs, token security, and the payload sent to the Logic App. To learn more about the preview refresh, see:


General Availability - Managed Identity in Microsoft Authentication Library for .NET

Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

The latest version of MSAL.NET graduates the Managed Identity APIs into the General Availability mode of support, which means that developers can integrate them safely in production workloads.

Managed identities are a part of the Azure infrastructure, simplifying how developers handle credentials and secrets to access cloud resources. With Managed Identities, developers don't need to manually handle credential retrieval and security. Instead, they can rely on an automatically managed set of identities to connect to resources that support Azure Active Directory authentication. You can learn more in What are managed identities for Azure resources?

With MSAL.NET 4.54.0, the Managed Identity APIs are now stable. There are a few changes that we added that make them easier to use and integrate that might require tweaking your code if you’ve used our experimental implementation:

  • When using Managed Identity APIs, developers need to specify the identity type when creating an ManagedIdentityApplication.
  • When acquiring tokens with Managed Identity APIs and using the default HTTP client, MSAL retries the request for certain exception codes.
  • We added a new MsalManagedIdentityException class that represents any Managed Identity-related exceptions. It includes general exception information, including the Azure source from which the exception originates.
  • MSAL are now proactively refresh tokens acquired with Managed Identity.

To get started with Managed Identity in MSAL.NET, you can use the Microsoft.Identity.Client package together with the ManagedIdentityApplicationBuilder class.


Public Preview - New My Groups Experience

Type: Changed feature
Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at myaccount.microsoft.com/groups. This experience replaces the existing My Groups experience at mygroups.microsoft.com in May. For more information, see: Update your Groups info in the My Groups portal.


General Availability - Admins can restrict their users from creating tenants

Type: New feature
Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Managed Tenant overview is present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings pane allows admins to restrict their users from being able to create new tenants. There's also a new Tenant Creator role to allow specific users to create tenants. For more information, see Default user permissions.


General Availability - Devices Self-Help Capability for Pending Devices

Type: New feature
Service category: Device Access Management
Product capability: End User Experiences

In the All Devices view under the Registered column, you can now select any pending devices you have, and it opens a context pane to help troubleshoot why a device might be pending. You can also offer feedback on if the summarized information is helpful or not. For more information, see: Pending devices in Azure Active Directory.


General Availability - Admins can now restrict users from self-service accessing their BitLocker keys

Type: New feature
Service category: Device Access Management
Product capability: User Management

Admins can now restrict their users from self-service accessing their BitLocker keys through the Devices Settings page. Turning on this capability hides the BitLocker key(s) of all non-admin users. This capability helps to control BitLocker access management at the admin level. For more information, see: Restrict member users' default permissions.


Public Preview - In portal guide to configure multifactor authentication

Type: New feature
Service category: MFA
Product capability: Identity Security & Protection

The in portal guide for configuring multifactor authentication helps you get started with Azure Active Directory's MFA capabilities. You can find this guide under the Tutorials tab in the Azure AD Overview.


General Availability - Conditional Access Granular control for external user types

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

When you configure a Conditional Access policy, customers now have granular control over the types of external users they want to apply the policy to. External users are categorized based on how they authenticate (internally or externally) and their relationship to your organization (guest or member). For more information, see: Assigning Conditional Access policies to external user types.


General Availability - My Security-info now shows Microsoft Authenticator type

Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection

We've improved My Sign-ins and My Security-Info to give you more clarity on the types of Microsoft Authenticator or other Authenticator apps a user registers. Users will now see Microsoft Authenticator registrations with additional information showing the app as being registered as Push-based MFA or Password-less phone sign-in (PSI). For other Authenticator apps (Software OATH) we now indicate they're registered as a Time-based One-time password method. For more information, see: Set up the Microsoft Authenticator app as your verification method.


April 2023

Public Preview - Custom attributes for Azure Active Directory Domain Services

Type: New feature
Service category: Azure Active Directory Domain Services
Product capability: Azure Active Directory Domain Services

Azure Active Directory Domain Services now support synchronizing custom attributes from Azure AD for on-premises accounts. For more information, see: Custom attributes for Azure Active Directory Domain Services.


General Availability - Enablement of combined security information registration for MFA and self-service password reset (SSPR)

Type: New feature
Service category: MFA
Product capability: Identity Security & Protection

Last year, we announced the combined registration user experience for MFA and self-service password reset (SSPR) was rolling out as the default experience for all organizations. We're happy to announce that the combined security information registration experience is now fully rolled out. This change doesn't affect tenants located in the China region. For more information, see: Combined security information registration for Azure Active Directory overview.


General Availability - PIM alert: Alert on active-permanent role assignments in Azure or assignments made outside of PIM

Type: Fixed
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Alert on Azure subscription role assignments made outside of Privileged Identity Management (PIM) provides an alert in PIM for Azure subscription assignments made outside of PIM. An owner or User Access Administrator can take a quick remediation action to remove those assignments.


Public Preview - Enhanced Create User and Invite User Experiences

Type: Changed feature
Service category: User Management
Product capability: User Management

We've increased the number of properties that admins are able to define when creating and inviting a user in the Microsoft Entra admin portal. This capability brings our UX to parity with our Create User APIs. Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: How to create, invite, and delete users.


Public Preview - Azure Active Directory Conditional Access protected actions

Type: Changed feature
Service category: RBAC
Product capability: Access Control

The protected actions public preview introduces the ability to apply Conditional Access to select permissions. When a user performs a protected action, they must satisfy Conditional Access policy requirements. For more information, see: What are protected actions in Azure AD? (preview).


Public Preview - Token Protection for Sign-in Sessions

Type: New feature
Service category: Conditional Access
Product capability: User Authentication

Token Protection for sign-in sessions is our first release on a road-map to combat attacks involving token theft and replay. It provides Conditional Access enforcement of token proof-of-possession for supported clients and services that ensure that access to specified resources is only from a device to which the user signed into. For more information, see: Conditional Access: Token protection (preview).


General Availability- New limits on number and size of group secrets starting June 2023

Type: Plan for change
Service category: Group Management
Product capability: Directory

Starting in June 2023, the secrets stored on a single group can't exceed 48 individual secrets, or have a total size greater than 10 KB across all secrets on a single group. Groups with more than 10 KB of secrets will immediately stop working in June 2023. In June, groups exceeding 48 secrets are unable to increase the number of secrets they have, though they could still update or delete those secrets. We highly recommend reducing to fewer than 48 secrets by January 2024.

Group secrets are typically created when a group is assigned credentials to an app using Password-based single sign-on. To reduce the number of secrets assigned to a group, we recommend creating additional groups, and splitting up group assignments to your Password-based SSO applications across those new groups.


General Availability - Updated look and feel for Per-user MFA

Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

As part of ongoing service improvements, we're making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change doesn't include any changes to the core functionality and only includes visual improvements. For more information, see: Enable per-user Azure AD Multifactor Authentication to secure sign-in events.


General Availability - Additional terms of use audit logs will be turned off

Type: Fixed
Service category: Terms of Use
Product capability: AuthZ/Access Delegation

Due to a technical issue, we recently started to emit additional audit logs for terms of use. The additional audit logs will be turned off by May 1 and are tagged with the core directory service and the agreement category. If you built a dependency on the additional audit logs, you must switch to the regular audit logs tagged with the terms of use service.


Public Preview - New PIM Azure resource picker

Type: Changed feature
Service category: Privileged Identity Management
Product capability: End User Experiences

With this new experience, PIM now automatically manages any type of resource in a tenant, so discovery and activation is no longer required. With the new resource picker, users can directly choose the scope they want to manage from the Management Group down to the resources themselves, making it faster and easier to locate the resources they need to administer. For more information, see: Assign Azure resource roles in Privileged Identity Management.


General availability - Self Service Password Reset (SSPR) now supports PIM eligible users and indirect group role assignment

Type: Changed feature
Service category: Self Service Password Reset
Product capability: Identity Security & Protection

Self Service Password Reset (SSPR) can now check for PIM eligible users, and evaluate group-based memberships, along with direct memberships when checking if a user is in a particular administrator role. This capability provides more accurate SSPR policy enforcement by validating if users are in scope for the default SSPR admin policy or your organizations SSPR user policy.

For more information, see: