Shobhit Sahay
Microsoft has recently introduced a range of new security tools and features for the Microsoft Entra product family, aimed at helping organizations improve their security posture. With the ever-increasing sophistication of cyber-attacks and the increasing use of cloud-based services and the proliferation of mobile devices, it is essential that organizations have effective tools in place to manage their security scope.
Today, we’re sharing the new feature releases for the last quarter (July – September 2023) and the change announcements (September 2023 change management train). We also communicate these changes in release notes and via email. We’re continuing to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the new Entra admin center as well.
These recent updates have been organized into Microsoft Entra product areas, making it easy to quickly find and access the latest updates. With these new features, we aim to provide our customers with an identity and access solution for a connected world.
Product Updates Summary
- Microsoft Entra ID
- Microsoft Entra ID Governance
- Microsoft Entra Workload ID
- Microsoft Entra External ID
Microsoft Entra ID
New releases
- Authentication Methods Activity Dashboard
- FIDO2 support for iOS and macOS browsers
- Web Sign-In for Windows
- CA Overview Dashboard
- Conditional Access templates
- Support for Microsoft admin portals in Conditional Access
- Include/exclude My Apps in Conditional Access policies
- Identity Protection alerts in M365 Defender
- Conditional Access for Protected Actions
- Tenant Restrictions V2
- Enabling extended customization capabilities for sign-in and sign-up pages in company branding
- Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in company branding
- Delegated user management using custom role
- Enhanced Create User and Invite User Experiences
- Revoke previously granted tenant-wide permissions
- New My Groups Experience
- New Azure AD Recommendation: Migrate from ADAL to MSAL
- Send the group name in the SAML token for SaaS applications
- Claims Customization UX for OIDC Enterprise Apps
- Restoring deleted applications or service principals
- Authentication methods reporting API
- Microsoft Authentication Library for .NET 4.55.0
- Microsoft Authentication Library for Python 1.23.0
Change announcements:
Changes to FIDO2 authentication methods
[Action may be required]
Beginning January 2024, Microsoft Entra ID will support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices that they already have.
We will expand the existing FIDO2 authentication methods policy and end user registration experience to support this preview release. If your organization requires or prefers FIDO2 authentication using physical security keys only, then please enforce key restrictions to only allow security key models that you accept in your FIDO2 policy. Otherwise, the new preview capabilities will enable your users to register for device-bound passkeys stored on Windows, macOS, iOS, and Android. Learn more about FIDO2 key restrictions here.
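The key-restriction setting mentioned above can be managed through Microsoft Graph. The following is an added example, not code from Microsoft or this post: it builds the PATCH body for the tenant's FIDO2 method configuration (the `keyRestrictions` object on `fido2AuthenticationMethodConfiguration`) and replays the allow/block decision offline so an allow-list can be checked against a key inventory before it is applied. The AAGUID values are constructed placeholders.

```python
from uuid import UUID

# Microsoft Graph resource that holds a tenant's FIDO2 method settings; the
# PATCH body below follows the fido2AuthenticationMethodConfiguration shape.
FIDO2_CONFIG_PATH = (
    "/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"
)


def build_key_restriction_patch(allowed_aaguids):
    """Build the PATCH body that limits FIDO2 registration to the listed
    authenticator models (AAGUIDs). Each AAGUID is normalised through UUID()
    first: a mistyped value would silently exclude the model you meant to allow."""
    aaguids = sorted({str(UUID(a)) for a in allowed_aaguids})
    if not aaguids:
        raise ValueError("an 'allow' restriction needs at least one AAGUID")
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "keyRestrictions": {
            "isEnforced": True,
            "enforcementType": "allow",
            "aaGuids": aaguids,
        },
    }


def registration_permitted(config, aaguid):
    """Replay the policy decision for one authenticator offline, so the allow-list
    can be reviewed against your security-key inventory before it is applied."""
    kr = config.get("keyRestrictions") or {}
    if not kr.get("isEnforced"):
        return True  # unrestricted: any FIDO2 authenticator, platform passkeys included
    listed = str(UUID(aaguid)) in {str(UUID(a)) for a in kr.get("aaGuids", [])}
    mode = kr.get("enforcementType")
    if mode == "allow":
        return listed
    if mode == "block":
        return not listed
    raise ValueError(f"unknown enforcementType {mode!r}")


# Constructed placeholder AAGUIDs; substitute the models from your vendor's metadata.
APPROVED_KEY_MODEL = "11111111-2222-3333-4444-555555555555"
OTHER_AUTHENTICATOR = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

if __name__ == "__main__":
    policy = build_key_restriction_patch([APPROVED_KEY_MODEL])
    print("PATCH", FIDO2_CONFIG_PATH)
    print(policy)
    print("approved model permitted:", registration_permitted(policy, APPROVED_KEY_MODEL))
    print("other authenticator permitted:", registration_permitted(policy, OTHER_AUTHENTICATOR))
```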
Azure AD Graph Updates
[Action may be required]
Following a three-year deprecation period, we announced in June 2023 that we are entering the retirement, or shut down, cycle for Azure AD Graph APIs, which are now out of support (other than security-related fixes). This aligns with our Breaking Change Policy that promises a minimum two (2) year deprecation period before API retirement. In June, we also described that this retirement would happen in stages and with advanced notice between each stage. The first stage will involve newly created Applications being unable to use Azure AD Graph APIs (by default).
While there are limited substantial updates to share at this point, we do want to provide an interim update. Our goal is to be transparent and establish a regular cadence of communication as we work with and support our customers through this service retirement.
September 2023 updates:
- Some customers have told us that it is hard to identify or find which applications are using the retiring Azure AD Graph APIs, and at what scale. We are now working to deliver an analytics experience through Identity Recommendations that will provide the information that you need to identify and prioritize applications that require update or modification to avoid further disruption. We will provide an estimated release date for this experience soon.
- As described in our prior communication, the first stage of retirement for Azure AD Graph APIs will involve a change that prevents newly-created Applications from using Azure AD Graph APIs (by default). We will provide a minimum of three (3) months advance notice before this date. At this first stage, only newly created Applications, and not existing Applications, will be impacted.
In a near-future update, we will provide more detail on the timeline and actions needed to avoid disruption for (new) Applications that are not yet migrated to Microsoft Graph. We have not yet set the date at which newly created Applications will be prevented from using Azure AD Graph APIs, but we are working diligently towards providing that clarity and to deliver experiences that will help support customer efforts in migrating applications away from this retiring API service.
Required Action:
Identify and migrate applications that are using Azure AD Graph to use equivalent Microsoft Graph APIs. Microsoft Graph is a feature rich API platform that provides a unified API surface for many Microsoft services, including Microsoft Entra, Exchange, Teams, SharePoint, and the full Microsoft 365 portfolio.
Reference: Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph
Additional Resources:
- Azure AD Graph app migration planning checklist
- Script to identify Apps that might be using Azure AD Graph
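As an added example (not Microsoft's script linked above), the check below inventories app registrations that still declare permissions on Azure AD Graph. It works on the JSON shape returned by `GET /applications?$select=id,displayName,requiredResourceAccess`; the resource application IDs are the well-known first-party values, the sample applications and permission ids are constructed.

```python
import json

# Well-known first-party resource application IDs (identical in every tenant).
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample in the shape of
# GET /applications?$select=id,displayName,requiredResourceAccess
# (permission ids "p-*" are placeholders, not real permission ids).
SAMPLE_APPLICATIONS = json.loads("""
{"value": [
  {"id": "app-1", "displayName": "HR Sync (legacy)",
   "requiredResourceAccess": [
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "p-1", "type": "Role"}]}]},
  {"id": "app-2", "displayName": "Helpdesk Portal",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "p-2", "type": "Scope"}]}]},
  {"id": "app-3", "displayName": "Reporting Job",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "p-3", "type": "Role"}]},
     {"resourceAppId": "00000002-0000-0000-C000-000000000000",
      "resourceAccess": [{"id": "p-4", "type": "Scope"},
                         {"id": "p-5", "type": "Role"}]}]},
  {"id": "app-4", "displayName": "Static Site", "requiredResourceAccess": []}
]}
""")


def find_azure_ad_graph_dependents(applications):
    """Return one (displayName, sorted permission types) tuple per app registration
    that still declares Azure AD Graph permissions. 'Role' is an application
    permission (daemon/service); 'Scope' is a delegated permission (acting for a
    signed-in user). Apps that only use Microsoft Graph are not reported."""
    hits = []
    for app in applications.get("value", []):
        kinds = set()
        for rra in app.get("requiredResourceAccess", []):
            # Compare case-insensitively: GUIDs may be serialised in either case.
            if rra.get("resourceAppId", "").lower() == AZURE_AD_GRAPH_APP_ID:
                kinds.update(p.get("type", "?") for p in rra.get("resourceAccess", []))
        if kinds:
            hits.append((app.get("displayName", app["id"]), sorted(kinds)))
    return hits


if __name__ == "__main__":
    for name, kinds in find_azure_ad_graph_dependents(SAMPLE_APPLICATIONS):
        print(f"{name}: still declares Azure AD Graph permissions ({', '.join(kinds)})")
```

Declared permissions are a static signal only: an app can hold them without calling the API, and multi-tenant apps consented into your tenant appear as service principals rather than under `/applications`, so pair this inventory with sign-in data before deciding what to migrate.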
Migrate Sign-in risk policy and User risk policy from Entra ID Protection to Conditional Access
[Action may be required]
If you have User risk policy or Sign-in risk policy enabled in Entra ID Protection (formerly Identity Protection) today, we invite you to migrate them to Conditional Access following these steps. The UX in Entra ID Protection for these two risk policies will be retired on October 1, 2026.
Configuring Sign-in risk and User risk policies in Conditional Access provides these benefits:
- Manage all access policies in one place.
- Report-only mode and Graph API support.
- Greater flexibility by combining risk conditions with other conditions like location for granular access control.
- Enhanced security with multiple risk-based policies targeting different user groups or risk levels.
- Improved diagnostics experience by viewing which risk-based policy applied in Sign-in Logs.
Start migrating today and learn more about risk-based policies at Azure AD Identity Protection risk-based access policies - Microsoft Entra | Microsoft Learn.
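The two Conditional Access policies that replace the Entra ID Protection risk policies, as an added example (not part of this post or Microsoft's migration steps): each is built in the `conditionalAccessPolicy` shape accepted by `POST /identity/conditionalAccess/policies`, starts in report-only mode as the benefits list suggests, and is passed through a small lint that catches the constraints these policies must satisfy. The break-glass group id is a placeholder.

```python
# Placeholder for the object id of your emergency-access (break-glass) group.
BREAK_GLASS_GROUP = "<break-glass-group-object-id>"


def risk_policy(display_name, *, sign_in_risk=(), user_risk=(), controls, operator="OR"):
    """Build a conditionalAccessPolicy body. It starts in report-only mode so the
    policy's effect shows up in Sign-in Logs before anyone is actually blocked."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": list(sign_in_risk),
            "userRiskLevels": list(user_risk),
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


# Sign-in risk: step up to MFA when the sign-in itself looks risky.
SIGN_IN_RISK_POLICY = risk_policy(
    "Risk: require MFA for medium and high sign-in risk",
    sign_in_risk=("medium", "high"), controls=("mfa",))

# User risk: the account may be compromised, so require MFA AND a password change.
USER_RISK_POLICY = risk_policy(
    "Risk: require secure password change for high user risk",
    user_risk=("high",), controls=("mfa", "passwordChange"), operator="AND")

RISK_LEVELS = {"low", "medium", "high"}
STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def lint_risk_policy(policy):
    """Return a list of findings for a draft policy; an empty list means it passes."""
    findings = []
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    sign_in = list(cond.get("signInRiskLevels", []))
    user = list(cond.get("userRiskLevels", []))
    if policy.get("state") not in STATES:
        findings.append("state must be enabled, disabled or enabledForReportingButNotEnforced")
    if not sign_in and not user:
        findings.append("no signInRiskLevels/userRiskLevels: this is not a risk-based policy")
    findings += [f"unknown risk level {lvl!r}" for lvl in sign_in + user if lvl not in RISK_LEVELS]
    if "passwordChange" in controls:
        if "mfa" not in controls or grant.get("operator") != "AND":
            findings.append("passwordChange must be paired with mfa under operator AND")
        if not user:
            findings.append("passwordChange remediates user risk; add userRiskLevels")
    users = cond.get("users", {})
    if not users.get("excludeGroups") and not users.get("excludeUsers"):
        findings.append("exclude emergency-access accounts so a risk lockout cannot block them")
    return findings


if __name__ == "__main__":
    for p in (SIGN_IN_RISK_POLICY, USER_RISK_POLICY):
        print(p["displayName"], "->", lint_risk_policy(p) or "OK")
```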
Updated retirement date for managing authentication methods in legacy Multifactor Authentication (MFA) & Self-Service Password Reset (SSPR) policies
[Action may be required]
Back in the March 2023 change announcements train we announced we'd retire the ability to manage authentication methods in the legacy MFA and SSPR policies on September 30, 2024. This date is now getting pushed back to September 30, 2025.
Organizations should migrate their methods to the converged authentication methods policy where methods can be managed centrally for all authentication scenarios including passwordless, multi-factor authentication and self-service password reset. Learn more at Manage authentication methods for Azure AD.
Registration campaign improvements
[Action may be required]
To help your users move away from public switched telephone network (PSTN) methods such as SMS and voice, we’re making improvements to the Registration campaign feature (aka Nudge). We’ll allow users to skip the prompt a maximum of three times, after which they will have to go through the registration flow. Note: admins can decide if they want to opt out of the “limited” 3 snooze configuration or give their end users the ability to snooze indefinitely.
Secondly, for Entra ID tenants that are Microsoft managed, we’re enabling the feature for users that are fully dependent on PSTN methods (SMS and voice) today for their MFA. Beginning September 2023, we will initiate a phased rollout of this change for Entra ID premium tenants.
Support for Authenticator Lite in the per-user MFA policy
[Action may be required]
Authenticator Lite is a relatively new feature that brings authentication push notifications, like Microsoft Authenticator, into other Microsoft applications. The first supported application is Outlook mobile. It’s a great alternative for users who can’t or aren’t willing to download another work app on their phone but already have Outlook set up on their mobile device.
Currently, Authenticator Lite is only available to organizations who manage Microsoft Authenticator in the modern authentication methods policy. We're now also making it available as a part of the "Notification through mobile app" method in the per-user MFA policy. Starting mid-September 2023, we'll update the "Notification through mobile app" method in the per-user MFA policy such that if it's enabled, then Authenticator Lite is also enabled. Organizations that don't want to use Authenticator Lite will need to disable it following the instructions here.
Optimized MFA OTP delivery via WhatsApp
[Action may be required]
Today, Entra ID (Azure AD) MFA supports delivering one-time passcodes (OTPs) via text message. These texts get sent to the default messaging app on a user's phone depending on the phone's operating system. In many countries though, these default apps aren't users' primary messaging apps. To help deliver OTPs to users on their preferred messaging platforms, Entra ID will roll out OTP delivery to WhatsApp in select regions.
Starting mid-September 2023, users in India, Indonesia, and New Zealand may start receiving MFA text messages via WhatsApp. Users that fit the following criteria are subject, but not guaranteed, to receive the updated experience:
- Enabled for text messages / SMS as an authentication method
- Already use WhatsApp
- Have a phone number with a country code in one of the listed countries
Organizations with users in the listed countries that don't want their users to receive MFA text messages through WhatsApp will need to disable text messages as an authentication method in their tenant(s). Depending on where they manage their authentication methods this means they need to disable "Text message to phone" in the per-user MFA policy and / or "SMS" in the Authentication methods policy.
Changes to My Groups admin controls
[No action is required]
Starting June 2024, the existing Self Service Group Management setting in the Microsoft Entra admin center which states, “Restrict user ability to access groups features in the Access Panel,” will be retired. This means disabling My Groups will no longer be possible. In June, a new setting that enables admins to restrict end users from viewing and managing security groups in My Groups will take effect.
This change will occur automatically—admins and users won’t need to take any action:
- If the existing setting for Restrict user ability to access groups features in the Access Panel is configured as Yes, the new setting will restrict users' ability to see and edit security groups in My Groups.
- If the existing setting is configured as No, the new setting will expose security groups in My Groups.
To learn more, please see this documentation. Note: Admins can still manage end users' ability to create Microsoft 365 and security groups using the group settings.
Enable HTTP/2 on the Graph service endpoint
[Action may be required]
As previously announced in September 2022, the Microsoft Graph engineering team plans to begin rolling out HTTP/2 support on the Microsoft Graph service endpoint on September 15, 2023. HTTP/2 support will be in addition to the existing HTTP/1.1 support. Once HTTP/2 is enabled on the Microsoft Graph endpoints, clients that support HTTP/2 will negotiate this version when making requests to Microsoft Graph. The HTTP/2 specification focuses on performance, including perceived latency and network and service resource usage (reference HTTP/2): multiplexing, parallelism, and efficiency through binary encoding and header compression. These benefits may offer substantial value to Microsoft Graph clients and customers. HTTP/2 is expected to be entirely backwards-compatible with HTTP/1.1 and to require no code changes in client applications. In rare cases, a client application may be negatively affected if it does not follow the HTTP specifications' requirement that header field names be compared case-insensitively.
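The header-case failure mode is easy to reproduce. Below is an added example (not Microsoft's code): two constructed responses to the same Graph call, once over HTTP/1.1 with the sender's header casing and once over HTTP/2, where RFC 9113 (section 8.2) requires lowercase field names on the wire, plus an audit helper that reports which hard-coded header names an exact-match lookup would stop finding.

```python
# Constructed responses for the same Microsoft Graph call. Over HTTP/1.1 the
# header names arrive in whatever case the server sent; over HTTP/2 the same
# headers arrive lowercase ("content-type", "cache-control", ...).
HTTP11_HEADERS = {
    "Content-Type": "application/json;odata.metadata=minimal",
    "request-id": "constructed-request-id",
    "client-request-id": "constructed-client-request-id",
    "Cache-Control": "no-cache",
}
HTTP2_HEADERS = {name.lower(): value for name, value in HTTP11_HEADERS.items()}


def get_header_exact(headers, name):
    """The brittle pattern: an exact-match lookup keyed on a mixed-case name.
    Works against HTTP/1.1 responses by luck of the server's casing; returns
    None for the same header once the connection negotiates HTTP/2."""
    return headers.get(name)


def get_header(headers, name):
    """Spec-conformant lookup: HTTP field names compare case-insensitively,
    so the protocol version no longer matters."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def exact_match_misses(headers, names_used_in_code):
    """Audit helper: given the header names a client hard-codes, return the ones
    that are present in this response but that an exact-match lookup misses."""
    return sorted(
        name for name in names_used_in_code
        if get_header_exact(headers, name) is None and get_header(headers, name) is not None
    )


if __name__ == "__main__":
    hard_coded = ["Content-Type", "Cache-Control", "request-id"]
    print("HTTP/1.1 misses:", exact_match_misses(HTTP11_HEADERS, hard_coded))
    print("HTTP/2   misses:", exact_match_misses(HTTP2_HEADERS, hard_coded))
    print("robust lookup:", get_header(HTTP2_HEADERS, "Content-Type"))
```

Libraries such as `requests` already hand back a case-insensitive header container; the risk sits in hand-rolled HTTP parsers and in code that copies headers into a plain dict before looking them up.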
Microsoft Entra ID Governance
New releases
- Configuring Verified ID checks in entitlement management
- Entitlement Management support in Conditional Access
- Machine Learning-based recommendations for reviewers
- Access Review for inactive users
- Assigning access automatically to access packages instead of requiring users to request access
- Extending the access lifecycle with your organization-specific processes and business logic
- My Access search improvements
- Entitlement Management Graph API
Microsoft Entra Workload ID
New releases
- Continuous access evaluation for workload identities
- Application instance lock for Workload Identities
Microsoft Entra External ID
New releases
- Create custom roles and protect cross-tenant access settings administration
- No more limits on number of partners in cross-tenant access settings
- B2B Invitations respect cross-tenant access settings
Change announcements:
Upcoming change in B2B sign-in experience
[No action is required]
Starting on 30 September 2023, end-users performing cross-tenant sign-ins while using B2B collaboration will notice a branding change. During sign-in, instead of seeing the resource tenant’s branding, the branding will update to show their home tenant branding (even if there isn’t custom branding) to help make it clearer that the user is signing into their home account.
This notification is for awareness only; no further action is required. Learn more.
Best regards,
Shobhit Sahay
Learn more about Microsoft identity:
- See recent Microsoft Entra blogs
- Dive into Microsoft Entra technical documentation
- Join the conversation on the Microsoft Entra discussion space and Twitter
- Learn more about Microsoft Security