Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2020, on top of the announcements from Microsoft Ignite 2020:
What’s New
New provisioning connectors in the Azure AD Application Gallery Generally Available
Service category: App Provisioning
Product capability: 3rd Party Integration
You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
Audited BitLocker Recovery in Azure AD Public Preview
Service category: Device Access Management
Product capability: Device Lifecycle Management
When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.
End users can access their recovery keys via My Account. IT admins can access recovery keys via the BitLocker recovery key API in beta or via the Azure AD Portal.
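As an added illustration (not from the original post or from Microsoft's documentation), a small Python triage over constructed audit-log entries in the Microsoft Graph directoryAudit shape: it extracts who read which device's recovery key and flags accounts that read keys for many distinct devices. The activity name "Read BitLocker key", the category "KeyManagement" and the sample tenant values are assumptions.

```python
import json

# Constructed sample of Azure AD audit-log entries in the Microsoft Graph
# directoryAudit shape (not real tenant data). The activity name
# "Read BitLocker key" and the category "KeyManagement" are assumptions.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2020-09-14T08:02:11Z", "category": "KeyManagement",
     "activityDisplayName": "Read BitLocker key", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "Device", "displayName": "LAPTOP-ALICE"}]},
    {"activityDateTime": "2020-09-14T08:05:40Z", "category": "KeyManagement",
     "activityDisplayName": "Read BitLocker key", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "Device", "displayName": "LAPTOP-BOB"}]},
    {"activityDateTime": "2020-09-14T08:06:02Z", "category": "KeyManagement",
     "activityDisplayName": "Read BitLocker key", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "Device", "displayName": "LAPTOP-CAROL"}]},
    {"activityDateTime": "2020-09-14T08:06:30Z", "category": "KeyManagement",
     "activityDisplayName": "Read BitLocker key", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "Device", "displayName": "LAPTOP-DAVE"}]},
    {"activityDateTime": "2020-09-14T09:00:00Z", "category": "UserManagement",
     "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Bob"}]},
])

def bitlocker_key_reads(audit_json):
    """Return (actor, device, time) for every successful recovery-key read."""
    reads = []
    for entry in json.loads(audit_json):
        if entry.get("activityDisplayName") != "Read BitLocker key":
            continue  # unrelated audit activity
        if entry.get("result") != "success":
            continue  # failed reads never exposed the key
        actor = (entry.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "?")
        devices = [t["displayName"] for t in entry.get("targetResources", []) if t.get("type") == "Device"]
        for device in devices or ["<unknown device>"]:
            reads.append((actor, device, entry["activityDateTime"]))
    return reads

def bulk_readers(reads, threshold=3):
    """Actors that read keys for at least `threshold` distinct devices; a user
    reading their own key is routine, one account pulling many is worth a look."""
    per_actor = {}
    for actor, device, _ in reads:
        per_actor.setdefault(actor, set()).add(device)
    return {a: len(d) for a, d in per_actor.items() if len(d) >= threshold}
```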
Teams Devices Administrator built-in role
Service category: RBAC
Product capability: Access Control
Users with the Teams Devices Administrator role can manage Teams-certified devices from the Teams Admin Center.
This role allows the user to view all devices at a single glance, with the ability to search and filter devices. The user can also check the details of each device, including the logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device.
Advanced query capabilities for Directory Objects Generally Available
Service category: MS Graph
Product capability: Developer Experience
All the new query capabilities introduced for Directory Objects in Azure AD APIs are now available in the v1.0 endpoint and production-ready. Developers can Count, Search, Filter, and Sort Directory Objects and related links using the standard OData operators.
Continuous access evaluation for tenants who configured Conditional Access policies Public Preview
Service category: Authentications (Logins)
Product capability: Identity Security & Protection
Continuous access evaluation (CAE) is now available in public preview for Azure AD tenants with Conditional Access policies. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change.
Ask users requesting an access package additional questions to improve approval decisions
Service category: User Access Management
Product capability: Entitlement Management
Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision.
Enhanced user management Public Preview
Service category: User Management
Product capability: User Management
The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
- More visible user properties including object ID, directory sync status, creation type, and identity issuer.
- Search now allows combined search of names, emails, and object IDs.
- Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.
- New sorting capabilities on properties like name, user principal name and deletion date.
- A new total users count that updates with any searches or filters.
Notes field for Enterprise applications
Service category: Enterprise Apps
Product capability: Single Sign-on (SSO)
Admins can add free text notes to Enterprise applications. They can add any relevant information that will help them manage applications under Enterprise applications.
Federated Apps available in Azure AD Application gallery
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In September 2020, Microsoft added the following new applications to the Azure AD App gallery with Federation support:
- VMware Horizon – Unified Access Gateway
- Pulse Secure PCS
- Inventory360
- Frontitude
- BookWidgets
- ZVD_Server
- HashData for Business
- SecureLogin
- CyberSolutions MAILBASEΣ/CMSS
- CyberSolutions CYBERMAILΣ
- LimbleCMMS
- Glint Inc
- zeroheight
- Gender Fitness
- Coeo Portal
- Grammarly
- Fivetran
- Kumolus
- RSA Archer Suite
- TeamzSkill
- raumfürraum
- Saviynt
- BizMerlinHR
- Mobile Locker
- Zengine
- CloudCADI
- Simfoni Analytics
- Priva Identity & Access Management
- Nitro Pro
- Eventfinity
- Fexa
- Secured Signing Enterprise Portal
- Secured Signing Enterprise Portal AAD Setup
- Wistec Online
- Oracle PeopleSoft – Protected by F5 BIG-IP APM
New delegation role in Azure AD entitlement management: Access package assignment manager
Service category: User Access Management
Product capability: Entitlement Management
A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. Admins can now delegate tasks to a user in this role, who can in turn delegate assignment management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators.
With this new role, organizations benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations.
What’s Changed
Changes to Privileged Identity Management's onboarding flow
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
Previously, onboarding to Azure AD Privileged Identity Management (PIM) required user consent and an onboarding flow in PIM's blade that included enrollment in Azure MFA. With the recent integration of the PIM experience into the Azure AD roles and administrators blade, Microsoft is removing this experience. Any tenant with a valid Azure AD Premium P2 license will be auto-onboarded to PIM.
Onboarding to PIM does not have any direct adverse effect on a tenant. Organizations can expect the following changes:
- Additional assignment options such as active vs. eligible with start and end time when admins make an assignment in either PIM or Azure AD roles and administrators blade.
- Additional scoping mechanisms, like Administrative Units (AUs) and custom roles, introduced directly into the assignment experience.
- If you are a global administrator or privileged role administrator, you may start getting a few additional emails like the PIM weekly digest.
- Admins might also see an ms-pim service principal in the audit log related to role assignment. This expected change shouldn't affect your regular workflow.
Azure AD Entitlement Management: The Select pane of access package resources now shows the resources currently in the selected catalog by default
Service category: User Access Management
Product capability: Entitlement Management
In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog.
This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog. The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog.
The post What’s New in Azure Active Directory in September 2020 appeared first on The things that are better left unspoken.