What's new in Microsoft Entra ID?

Get notified about when to revisit this page for updates by copying and pasting this URL into your feed reader: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us

Microsoft Entra ID (previously known as Azure Active Directory) receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Bug fixes
  • Deprecated functionality
  • Plans for changes

Note

If you're currently using Azure Active Directory today or have previously deployed Azure Active Directory in your organization, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you.

This page updates monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in Archive for What's new in Microsoft Entra ID?.

March 2024

Public Preview - Convert external users to internal

Type: New feature
Service category: User Management
Product capability: User Management

External user conversion enables customers to convert external users to internal members without needing to delete and create new user objects. Maintaining the same underlying object ensures the user’s account, and access to resources, isn’t disrupted and that their history of activities remains intact as their relationship with the host organization changes.

The external to internal user conversion feature includes the ability to convert on-premises synchronized users as well. For more information, see: Convert external users to internal users (Preview).


Public Preview - Alternate Email Notifications for Lockbox Requests

Type: New feature
Service category: Other
Product capability: Access Control

Customer Lockbox for Microsoft Azure is launching a new feature that enables customers to use alternate email IDs for getting lockbox notifications. This enables Lockbox customers to receive notifications in scenarios where their Azure account isn't email enabled, or if they have a service principal defined as the tenant admin or subscription owner.


Plan for change - Conditional Access location condition is moving up

Type: Plan for change
Service category: Conditional Access
Product capability: Identity Security & Protection

Starting mid-April 2024, the Conditional Access 'Locations' condition is moving up. Locations will become the 'Network' assignment, with the new Global Secure Access assignment 'All compliant network locations'.

This change will occur automatically, and admins won't need to take any action. Here are more details:

  • The familiar 'Locations' condition is unchanged; updates to a policy in the 'Locations' condition are reflected in the 'Network' assignment, and vice versa.
  • There are no functionality changes; existing policies will continue to work without changes.

General Availability - Just-in-time application access with PIM for Groups

Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Provide just-in-time access to non-Microsoft applications such as AWS & GCP. This capability integrates PIM for groups, and application provisioning to reduce the activation time from 40+ minutes to roughly 2 minutes when requesting just-in-time access to a role in a non-Microsoft app.

For more information, see:


Public Preview - Azure Lockbox Approver Role for Subscription Scoped Requests

Type: New feature
Service category: Other
Product capability: Identity Governance

Customer Lockbox for Microsoft Azure is launching a new built-in Azure role-based access control (RBAC) role that enables customers to use a lesser-privileged role for users responsible for approving or rejecting Customer Lockbox requests. This feature is targeted at the customer admin workflow where a lockbox approver acts on a request from a Microsoft Support engineer to access Azure resources in a customer subscription.

In this first phase, we're launching a new built-in Azure RBAC role that helps scope down the access possible for an individual with Azure Customer Lockbox approver rights on a subscription and its resources. A similar role for tenant-scoped requests will follow in subsequent releases.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: What is app provisioning in Microsoft Entra ID?.


General Availability - TLS 1.3 support for Microsoft Entra

Type: New feature
Service category: Other
Product capability: Platform

We're excited to announce that Microsoft Entra is rolling out support for Transport Layer Security (TLS) 1.3 for its endpoints to align with security best practices (NIST SP 800-52 Rev. 2). With this change, the Microsoft Entra ID related endpoints will support both the TLS 1.2 and TLS 1.3 protocols. For more information, see: TLS 1.3 support for Microsoft Entra services.


General Availability - API driven inbound provisioning

Type: New feature
Service category: Provisioning
Product capability: Inbound to Microsoft Entra ID

With API-driven inbound provisioning, the Microsoft Entra ID provisioning service now supports integration with any system of record. Customers and partners can use any automation tool of their choice to retrieve workforce data from any system of record for provisioning into Microsoft Entra ID and connected on-premises Active Directory domains. The IT admin has full control over how the data is processed and transformed with attribute mappings. Once the workforce data is available in Microsoft Entra ID, the IT admin can configure appropriate joiner-mover-leaver business processes using Microsoft Entra ID Governance Lifecycle Workflows. For more information, see: API-driven inbound provisioning concepts.


General Availability - Changing Passwords in My Security Info

Type: New feature
Service category: My Security Info
Product capability: End User Experiences

Now Generally Available, My Sign-Ins (My Sign-Ins (microsoft.com)) supports end users changing their passwords inline. When a user authenticates with a password and an MFA credential, they're able to change their password without entering their existing password. Beginning April 1st, through a phased rollout, traffic from the Change password (windowsazure.com) portal will redirect to the new My Sign-Ins change experience. The Change password (windowsazure.com) portal will no longer be available after June 2024, but will continue to redirect to the new experience.

For more information, see:


February 2024

General Availability - Identity Protection and Risk Remediation on the Azure Mobile App

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Previously supported only on the portal, Identity Protection is a powerful tool that empowers administrators to proactively manage identity risks. Now available on the Azure Mobile app, administrators can respond to potential threats with ease and efficiency. This feature includes comprehensive reporting, offering insights into risky behaviors such as compromised user accounts and suspicious sign-ins.

With the Risky users report, administrators gain visibility into accounts flagged as compromised or vulnerable. Actions such as blocking/unblocking sign-ins, confirming the legitimacy of compromises, or resetting passwords are conveniently accessible, ensuring timely risk mitigation.

Additionally, the Risky sign-ins report provides a detailed overview of suspicious sign-in activities, aiding administrators in identifying potential security breaches. While capabilities on mobile are limited to viewing sign-in details, administrators can take necessary actions through the portal, such as blocking sign-ins. Alternatively, admins can choose to manage the corresponding risky user's account until all risks are mitigated.

Stay ahead of identity risks effortlessly with Identity Protection on the Azure Mobile app. These capabilities are intended to provide users with the tools to maintain a secure environment and peace of mind for their organization.

The mobile app can be downloaded at the following links:


Plan for change - Microsoft Entra ID Identity protection: "Low" risk age out

Type: Plan for change
Service category: Identity Protection
Product capability: Identity Security & Protection

Starting March 31st, 2024, all "low" risk detections and users in Microsoft Entra ID Identity Protection that are older than 6 months will be automatically aged out and dismissed. This allows customers to focus on more relevant risk and provide a cleaner investigation environment. For more information, see: What are risk detections?.


Public Preview - Expansion of the Conditional Access reauthentication policy for additional scenarios

Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Reauthentication policy lets you require users to interactively provide their credentials again, typically before accessing critical applications and taking sensitive actions. Combined with Conditional Access session control of Sign-in frequency, you can require reauthentication for users and sign-ins with risk, or for Intune enrollment. With this public preview, you can now require reauthentication on any resource protected by Conditional Access. For more information, see: Require reauthentication every time.


General Availability - New premium user risk detection, Suspicious API Traffic, is available in Identity Protection

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

We've released a new premium user risk detection in Identity Protection called Suspicious API Traffic. This detection is reported when Identity Protection detects anomalous Graph traffic by a user. Suspicious API traffic might suggest that a user is compromised and conducting reconnaissance in their environment. For more information about Identity Protection detections, including this one, visit our public documentation at the following link: What are risk detections?.


General Availability - Granular filtering of Conditional Access policy list

Type: New feature
Service category: Conditional Access
Product capability: Access Control

Conditional Access policies can now be filtered on actor, target resources, conditions, grant control, and session control. The granular filtering experience can help admins quickly discover policies containing specific configurations. For more information, see: What is Conditional Access?.


End of support - Windows Azure Active Directory Connector for Forefront Identity Manager (FIM WAAD Connector)

Type: Deprecated
Service category: Microsoft Identity Manager
Product capability: Inbound to Microsoft Entra ID

The Windows Azure Active Directory Connector for Forefront Identity Manager (FIM WAAD Connector) from 2014 was deprecated in 2021. The standard support for this connector ends in April 2024. Customers should remove this connector from their MIM sync deployment, and instead use an alternative provisioning mechanism. For more information, see: Migrate a Microsoft Entra provisioning scenario from the FIM Connector for Microsoft Entra ID.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: What is app provisioning in Microsoft Entra ID?.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2024 we added the following 10 new applications in our App gallery with Federation support:

Presswise, Stonebranch Universal Automation Center (SaaS Cloud), ProductPlan, Bigtincan for Outlook, Blinktime, Stargo, Garage Hive BC v2, Avochato, Luscii, LEVR, XM Discover, Sailsdock, Mercado Eletronico SAML, Moveworks, Silbo, Alation Data Catalog, Papirfly SSO, Secure Cloud User Integration, AlbertStudio, Automatic Email Manager, Streamboxy, NewHotel PMS, Ving Room, Trevanna Tracks, Alteryx Server, RICOH Smart Integration, Genius, Othership Workplace Scheduler, GitHub Enterprise Managed User - ghe.com, Thumb Technologies, Freightender SSO for TRP (Tender Response Platform), BeWhere Portal (UPS Access), Flexiroute, SEEDL, Isolocity, SpotDraft, Blinq, Cisco Phone OBTJ, Applitools Eyes.

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Microsoft Entra ID app gallery, read the details here https://aka.ms/AzureADAppRequest.


January 2024

General Availability - New Microsoft Entra Home page

Type: Changed feature
Service category: N/A
Product capability: Directory

We redesigned the Microsoft Entra admin center's homepage to help you do the following:

  • Learn about the product suite
  • Identify opportunities to maximize feature value
  • Stay up to date with recent announcements, new features, and more!

See the new experience here: https://entra.microsoft.com/


Public Preview - Granular Certificate-Based Authentication Configuration in Conditional Access

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

With the authentication strength capability in Conditional Access, you can now create a custom authentication strength policy, with advanced certificate-based authentication (CBA) options to allow access based on certificate issuer or policy OIDs. For external users whose MFA is trusted from partners' Microsoft Entra ID tenant, access can also be restricted based on these properties. For more information, see: Custom Conditional Access authentication strengths.


General Availability - Conditional Access filters for apps

Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Filters for apps in Conditional Access simplify policy management by allowing admins to tag applications with custom security attributes and target them in Conditional Access policies, instead of using direct assignments. With this feature, customers can scale up their policies and protect any number of apps. For more information, see: Conditional Access: Filter for applications.


Public preview - Cross-tenant manager synchronization

Type: New feature
Service category: Provisioning
Product capability: Identity Governance

Cross-tenant synchronization now supports synchronizing the manager attribute across tenants. For more information, see: Attributes.


General Availability - Microsoft Defender for Office alerts in Identity Protection

Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

The Suspicious sending patterns risk detection type is discovered using information provided by Microsoft Defender for Office (MDO). This alert is generated when someone in your organization has sent suspicious email, and is either at risk of being restricted from sending email, or has already been restricted from sending email. This detection moves users to medium risk, and only fires in organizations that have deployed MDO. For more information, see: What are risk detections?.


Public preview - New Microsoft Entra recommendation to migrate off MFA Server

Type: New feature
Service category: MFA
Product capability: User Authentication

We've released a new recommendation in the Microsoft Entra admin center for customers to move off MFA Server to Microsoft Entra multifactor authentication. MFA Server will be retired on September 30, 2024. Any customers with MFA Server activity in the last seven days see the recommendation that includes details about their current usage, and steps on how to move to Microsoft Entra multifactor authentication. For more information, see: Migrate from MFA Server to Microsoft Entra multifactor authentication.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: What is app provisioning in Microsoft Entra ID?.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2024 we added the following new applications in our App gallery with Federation support:

Boeing ToolBox, Kloud Connect Practice Management, トーニチ・ネクスタ・メイシ ( Tonichi Nexta Meishi ), Vinkey, Cognito Forms, Ocurus, Magister, eFlok, GoSkills, FortifyData, Toolsfactory platform, Briq, Mailosaur, Astro, JobDiva / Teams VOIP Integration, Colossyan SAML, CallTower Connect, Jellyfish, MetLife Legal Plans Member App, Navigo Cloud SAML, Delivery Scheduling Tool, Highspot for MS Teams, Reach 360, Fareharbor SAML SSO, HPE Aruba Networking EdgeConnect Orchestrator, Terranova Security Awareness Platform.

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Microsoft Entra ID app gallery, read the details here https://aka.ms/AzureADAppRequest.


December 2023

Public Preview - Configurable redemption order for B2B collaboration

Type: New feature
Service category: B2B
Product capability: B2B/B2C

With configurable redemption, you can customize the order of identity providers that your guest users can sign in with when they accept your invitation. This lets you override the default configuration order set by Microsoft and use your own. This can be used to help with scenarios like prioritizing a SAML/WS-Fed federation above a Microsoft Entra ID verified domain, disabling certain identity providers as an option during redemption, or even only using something like email one-time passcode as a redemption option. For more information, see: Configurable redemption (Preview).


General Availability - Edits to Dynamic Group Rule Builder

Type: Changed feature
Service category: Group Management
Product capability: Directory

The dynamic group rule builder is updated to no longer include the 'contains' and 'notContains' operators, as they're less performant. If needed, you can still create dynamic group rules with those operators by typing directly into the text box. For more information, see: Rule builder in the Azure portal.


November 2023

Decommissioning of Group Writeback V2 (Public Preview) in Entra Connect Sync

Type: Plan for change
Service category: Provisioning
Product capability: Microsoft Entra Connect Sync

The public preview of Group Writeback V2 (GWB) in Entra Connect Sync will no longer be available after June 30, 2024. After this date, Connect Sync will no longer support provisioning cloud security groups to Active Directory.

Similar functionality is offered in Entra Cloud Sync, called "Group Provision to AD", which may be used instead of GWB V2 for provisioning cloud security groups to AD. Enhanced functionality in Cloud Sync, along with other new features, is being developed.

Customers who use this preview feature in Connect Sync should switch their configuration from Connect Sync to Cloud Sync. Customers can choose to move all their hybrid sync to Cloud Sync (if it supports their needs) or Cloud Sync can be run side-by-side and move only cloud security group provisioning to AD onto Cloud Sync.

Customers who provision Microsoft 365 groups to AD can continue using GWB V1 for this capability.

Customers can evaluate moving exclusively to Cloud Sync by using this wizard: https://aka.ms/EvaluateSyncOptions


General Availability - Microsoft Entra Cloud Sync now supports ability to enable Exchange Hybrid configuration for Exchange customers

Type: New feature
Service category: Provisioning
Product capability: Microsoft Entra Connect

Exchange hybrid capability allows for the coexistence of Exchange mailboxes both on-premises and in Microsoft 365. Microsoft Entra Cloud Sync synchronizes a specific set of Exchange-related attributes from Microsoft Entra ID back into your on-premises directory and to any forest that's disconnected (no network trust is needed between them). With this capability, existing customers who have this feature enabled in Microsoft Entra Connect sync can now migrate and apply this feature with Microsoft Entra cloud sync. For more information, see: Exchange hybrid writeback with cloud sync.


General Availability - Guest Governance: Inactive Guest Insights

Type: New feature
Service category: Reporting
Product capability: Identity Governance

Monitor guest accounts at scale with intelligent insights into inactive guest users in your organization. Customize the inactivity threshold depending on your organization’s needs, narrow down the scope of guest users you want to monitor, and identify the guest users that might be inactive. For more information, see: Monitor and clean up stale guest accounts using access reviews.


Public Preview - lastSuccessfulSignIn property in signInActivity API

Type: New feature
Service category: MS Graph
Product capability: End User Experiences

An extra property is added to the signInActivity API to display the last successful sign-in time for a specific user, regardless of whether the sign-in was interactive or non-interactive. The data won't be backfilled for this property, so you should expect only successful sign-in data from December 8, 2023 onward to be returned.
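As an added example that is not part of the Microsoft documentation, and that ties this property to the inactive-guest monitoring described under Guest Governance above, the following Python script evaluates a constructed Graph signInActivity response against an inactivity threshold. It assumes the Graph property name lastSuccessfulSignInDateTime for the "lastSuccessfulSignIn" property, and treats that property being absent as "not backfilled" rather than "never signed in", falling back to the older lastSignInDateTime / lastNonInteractiveSignInDateTime properties (which also record failed attempts).

```python
"""Flag inactive guest users from a Microsoft Graph signInActivity payload."""
from datetime import datetime, timedelta, timezone
import json

# Assumed Graph property name for the "lastSuccessfulSignIn" value described above.
SUCCESSFUL_PROP = "lastSuccessfulSignInDateTime"
# The property is not backfilled before this date, so its absence must not be
# read as "never signed in".
BACKFILL_START = datetime(2023, 12, 8, tzinfo=timezone.utc)
# Constructed assessment date for the demo (not a real run).
ASSESSMENT_DATE = datetime(2024, 3, 15, tzinfo=timezone.utc)

# Constructed sample response (not real tenant data), shaped like
# GET /users?$select=id,userPrincipalName,userType,signInActivity
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "u1", "userPrincipalName": "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2024-02-20T09:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-03-01T09:00:00Z",
                        SUCCESSFUL_PROP: "2024-03-01T09:00:00Z"}},
    {"id": "u2", "userPrincipalName": "bob_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest",
     # Interactive attempt after the backfill start, but no successful sign-in recorded.
     "signInActivity": {"lastSignInDateTime": "2024-01-15T09:00:00Z"}},
    {"id": "u3", "userPrincipalName": "carol_partner.example#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest",
     # Last activity predates the backfill start: only the older property exists.
     "signInActivity": {"lastSignInDateTime": "2023-11-02T09:00:00Z"}},
    {"id": "u4", "userPrincipalName": "dave_partner.example#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest"},  # never signed in: no signInActivity at all
    {"id": "u5", "userPrincipalName": "erin@fabrikam.onmicrosoft.com",
     "userType": "Member",
     "signInActivity": {SUCCESSFUL_PROP: "2023-06-01T09:00:00Z"}},
]})


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def last_activity(user):
    """Return (timestamp, source) for the most recent evidence of activity.

    Prefers the successful-sign-in property. Falls back to the older interactive and
    non-interactive properties (which count failed attempts too) when it is absent,
    because it is only populated from BACKFILL_START onward.
    """
    activity = user.get("signInActivity") or {}
    ok = _parse(activity.get(SUCCESSFUL_PROP))
    if ok is not None:
        return ok, "successful"
    older = [_parse(activity.get(k)) for k in
             ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    older = [t for t in older if t is not None]
    if not older:
        return None, "never"
    return max(older), "unverified"  # may be a failed attempt, or pre-backfill data


def find_inactive_guests(response_json, now, threshold_days=90):
    """Return {upn: reason} for guests with no verified activity within threshold_days."""
    cutoff = now - timedelta(days=threshold_days)
    inactive = {}
    for user in json.loads(response_json)["value"]:
        if user.get("userType") != "Guest":
            continue  # only guest accounts are in scope for this review
        upn = user["userPrincipalName"]
        ts, source = last_activity(user)
        if ts is None:
            inactive[upn] = "never signed in"
        elif ts < cutoff:
            inactive[upn] = f"last {source} activity {ts.date()}"
        elif source == "unverified" and ts >= BACKFILL_START:
            # Attempts after the backfill start with no successful sign-in recorded:
            # every attempt since then failed, so flag the account for review.
            inactive[upn] = f"no successful sign-in since {BACKFILL_START.date()}"
    return inactive


def demo():
    """Run the constructed sample with a 90-day threshold."""
    return find_inactive_guests(SAMPLE_RESPONSE, ASSESSMENT_DATE, 90)


if __name__ == "__main__":
    for upn, reason in demo().items():
        print(f"{upn}: {reason}")
```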


General Availability - Auto-rollout of Conditional Access policies

Type: New feature
Service category: Conditional Access
Product capability: Access Control

Starting in November 2023, Microsoft begins automatically protecting customers with Microsoft-managed Conditional Access policies. These are policies that Microsoft creates and enables in external tenants. The following policies are rolled out to all eligible tenants, which are notified before policy creation:

  1. Multifactor authentication for admin portals: This policy covers privileged admin roles and requires multifactor authentication when an admin signs into a Microsoft admin portal.
  2. Multifactor authentication for per-user multifactor authentication users: This policy covers users with per-user multifactor authentication and requires multifactor authentication for all cloud apps.
  3. Multifactor authentication for high-risk sign-ins: This policy covers all users and requires multifactor authentication and reauthentication for high-risk sign-ins.

For more information, see:


General Availability - Custom security attributes in Microsoft Entra ID

Type: New feature
Service category: Directory Management
Product capability: Directory

Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. Custom security attributes can be used with Azure attribute-based access control (Azure ABAC). For more information, see: What are custom security attributes in Microsoft Entra ID?.

Changes were made to custom security attribute audit logs for general availability that might impact your daily operations. If you have been using custom security attribute audit logs during the preview, there are actions you must take before February 2024 to ensure your audit log operations aren't disrupted. For more information, see: Custom security attribute audit logs.


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

For more information about how to better secure your organization by using automated user account provisioning, see: What is app provisioning in Microsoft Entra ID?.


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2023 we added the following 10 new applications in our App gallery with Federation support:

Citrix Cloud, Freight Audit, Movement by project44, Alohi, AMCS Fleet Maintenance, Real Links Campaign App, Propely, Contentstack, Jasper AI, IANS Client Portal, Avionic Interface Technologies LSMA, CultureHQ, Hone, Collector Systems, NetSfere, Spendwise, Stage and Screen

You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

For listing your application in the Microsoft Entra ID app gallery, read the details here https://aka.ms/AzureADAppRequest.


Note

In new updates from the previous version of the release notes: Microsoft Authenticator is not yet FIPS 140 compliant on Android. Microsoft Authenticator on Android is currently pending FIPS compliance certification to support our customers that may require FIPS validated cryptography.