What’s new in Azure Active Directory at Microsoft Ignite 2019
Published Nov 04 2019 11:05 AM

Howdy folks,

 

I'm really excited to be here in Orlando, Florida at Microsoft Ignite this week. It's an incredible opportunity to share with and learn from our customers. We're sharing a lot of exciting Azure AD enhancements designed around three core principles:

  • Start with industry-leading security
  • Deliver a simple, integrated and complete identity solution
  • Operate in an open and interoperable ecosystem

For those of you who can’t be here in person, here’s a quick overview of what we’re announcing.

 

Industry-leading security

Our top priority is to make it super easy for you to secure your Azure AD accounts. It’s the main reason we’ve invested so much in building our passwordless sign-in options like Windows Hello and the Microsoft Authenticator app.

 

To make it easy for everyone to adopt more secure and phishing-resistant authentication, today we announced that all customers can now enable MFA for free with the Microsoft Authenticator app. Starting later this month, MFA will be enabled as a security default in all new Azure Active Directory tenants for Microsoft 365, Office 365, Dynamics, and Azure. These new defaults will roll out gradually to new tenants over the next few months. Customers with more than 150 seats can also now contact Microsoft to set up MFA and security capabilities via FastTrack.

 

Next for security, the refreshed Azure AD Identity Protection with new detections and capabilities is now generally available! This is a huge step forward across all our User and Entity Behavioral Analytics (UEBA) capabilities, with added and enhanced signals, massively improved APIs for integration with your Security Operations Center (SOC) environment, and a new user interface that makes you more efficient!

 


 

In addition to this, Conditional Access report-only mode is now in public preview. It allows administrators to evaluate the potential impact of new policies before rolling them out across the entire organization. Customers with an Azure Monitor subscription can monitor the impact of their Conditional Access policies using the new Conditional Access insights workbook. In case you missed it, the Global Reader role, along with 15 other roles, rolled out in public preview last month for further visibility into settings and policies without added risk.
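As an added illustration of how a report-only policy can be evaluated before it is enforced (example code written for this page, not code from the post or from Microsoft), the script below tallies the report-only outcomes per policy from sign-in records. It assumes the record shape of the Microsoft Graph signIn resource (appliedConditionalAccessPolicies with displayName and result) and uses constructed sample records rather than real tenant logs.

```python
# Added example: summarise report-only Conditional Access outcomes from sign-in
# records so a policy's impact can be judged before switching it to enforced.
# Record shape assumed from the Microsoft Graph signIn resource; the records
# below are constructed sample data, not real tenant logs.
from collections import defaultdict

# Result values recorded for policies running in report-only mode.
REPORT_ONLY_RESULTS = {
    "reportOnlySuccess",      # required controls were already satisfied
    "reportOnlyFailure",      # required controls not satisfied; sign-in would fail
    "reportOnlyNotApplied",   # policy conditions did not match this sign-in
    "reportOnlyInterrupted",  # user would have been prompted (e.g. for MFA)
}

SAMPLE_SIGNINS = [  # constructed sample data
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "reportOnlyInterrupted"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "svc-legacy@contoso.example", "appDisplayName": "Legacy App",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "reportOnlyFailure"},
         # an enforced policy's result is not report-only and is left out of the tally
         {"displayName": "Block legacy auth", "result": "success"}]},
]


def report_only_impact(signins):
    """Return {policy display name: {report-only result: count}}."""
    impact = defaultdict(lambda: defaultdict(int))
    for signin in signins:
        for policy in signin.get("appliedConditionalAccessPolicies", []):
            if policy.get("result") in REPORT_ONLY_RESULTS:
                impact[policy["displayName"]][policy["result"]] += 1
    return {name: dict(counts) for name, counts in impact.items()}


def would_fail(signins, policy_name):
    """Sorted users whose sign-ins the named report-only policy would have failed."""
    return sorted({s["userPrincipalName"] for s in signins
                   for p in s.get("appliedConditionalAccessPolicies", [])
                   if p.get("displayName") == policy_name
                   and p.get("result") == "reportOnlyFailure"})


if __name__ == "__main__":
    for name, counts in report_only_impact(SAMPLE_SIGNINS).items():
        print(name, counts)
    print("would fail:", would_fail(SAMPLE_SIGNINS, "Require MFA for all users"))
```

Run against exported sign-in records, the failure list is the set of accounts to fix (or exclude) before the policy is switched from report-only to enforced.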

 

Simple, integrated and complete identity solution

To help you simplify identity management across your environment, Azure AD Connect cloud provisioning will be available in public preview by the end of November. Cloud provisioning can sync user identities from Windows Server AD forests to Azure AD regardless of where the AD forest is located, using a lightweight agent. These agents are deployed to each forest instance and can sync users into a single, consolidated Azure AD tenant, and multiple agents can be deployed per forest for redundancy and high availability. For our customers with complex organizations, this can really help employees collaborate without barriers.

 

We are also announcing the public preview of inbound user provisioning from SAP SuccessFactors. You can implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios using SuccessFactors as the “system of record.” Your new employees can get up and running on their first day, and you can modify or revoke access automatically based on the employee's role and status in SuccessFactors.

 

And more exciting news to share: Azure AD entitlement management is now generally available! For a truly complete solution, most organizations need a way to govern employee and business partner access to resources at enterprise scale. Azure AD entitlement management removes barriers to internal and external collaboration by automating employee and partner access requests, approvals, auditing, and review for Office 365, for thousands of popular SaaS apps like Workday, Google Apps, and Salesforce.com, as well as for any line-of-business app. It is an important addition to Privileged Identity Management (PIM), Terms of use, and Access reviews in delivering core cloud-based Identity Governance capabilities.

 

Where all of this comes together is your employee and business partner experience. To help you with this, the My Apps end-user app launcher portal now shows all the apps a person has access to in a simplified user interface, now in public preview. Admins can now create and organize apps into workspaces for finer-grained discoverability, and delegate an employee to be the owner of a workspace so they can customize it and keep it updated for their team.

 


 

Access rights and experiences for employees on the store floor, in manufacturing, or in similar scenarios require simple tools with new kinds of workflows. SMS sign-in lets users sign in with a phone number and an SMS code for authentication. The new Delegated user management feature allows managers to manage users and credentials in the My Staff portal, reducing IT’s identity management responsibilities. We’ve also added a Global sign-out feature so workers can sign out of all their apps with just one click, making the use of shared tablets more secure and compliant. These industry-leading features will start rolling out in early 2020.

 

Integrating your partner and customer identity solutions together is another key component of digital transformation, helping you manage digital relationships that sometimes cross traditional identity-type boundaries. Our partner and customer identity solutions have seen nearly 120% growth in monthly active users over the past year, helping customers like Centrica and Debeka grow their business. We’ve now made it easier for you to manage across relationship boundaries with an integrated B2B and B2C user creation experience in the Azure AD portal, now in public preview. Additionally, Google Federation is generally available, which gives guest users the option to use their existing Google social ID to sign in.

Open and interoperable platform

Identity can only be your control plane if it can connect everything across cloud and on-premises applications. This can only be done by partnering to create an open ecosystem. Today we announced secure hybrid access partnerships with Akamai, Citrix, F5 and Zscaler to simplify secure access to legacy-auth-based applications that use protocols like header-based and Kerberos authentication. Now you can apply the same risk-based Azure AD Conditional Access policies and Identity Governance to your legacy authentication-based applications as to the rest of your digital environment.

 


 

We continue to work with developers to integrate even more applications with Azure AD. Azure AD is now integrated with 1.4 million unique applications! Azure AD authenticates more customers for apps such as ServiceNow, Workplace by Facebook, and Zscaler than any other identity provider. We have more than 100 provisioning connectors for you to easily automate the process of creating, updating or deleting user accounts in cloud applications.

 

We are committed to making it easier to integrate applications with any Microsoft identity across enterprise and consumer businesses. Last month we announced general availability of the Microsoft Authentication Libraries (MSAL) for Android, iOS and macOS. Today, we’re announcing that MSAL for Python and Java are now in public preview. We’ve also made improvements to help you programmatically manage all your identity needs by making more Azure AD capabilities available in Microsoft Graph. New APIs in Microsoft Graph include the app API, OrgContacts and cert-based auth configurations.

 

If you are looking to move your legacy authentication-based applications to the cloud, you can use the Azure Active Directory Domain Services resource forest, now in public preview, to create an instance that has a one-directional trust with your on-premises domains and eliminates the need to sync password hashes to Domain Services. We also made several enhancements to Azure AD Domain Services, including additional availability zones, an improved load balancer, Azure workbooks, audit logs, and a new setup experience.

 

Investing in the future of identity

Identity is your control plane for security, but we believe it should also be the control plane for individual privacy. As we look forward into the next wave of identity innovation, addressing privacy concerns is a top priority for our customers. The first step is to let individuals bring a digital identity that belongs just to them—verifiable, strong, and independent. We are making this concept of decentralized identity real with a proof-of-concept project sponsored by the National Health Service (NHS) in the U.K. Watch Joy Chik’s session today to get a sneak peek at what Truu and Blackpool Teaching Hospitals are doing to help graduating doctors spend more time with patients, and less time onboarding and managing credentials.

 

I look forward to meeting with many of you this week at Microsoft Ignite and getting your feedback on these new features and innovations. Join us online November 4-8, 2019 to livestream keynotes and watch selected sessions on-demand. We’ll go into more depth on these new announcements over the next few weeks, so stay tuned for more details!

Best Regards,

Alex Simons

Corporate Vice President Program Management

Microsoft Identity Division

13 Comments

Thank you for the update Alex! Really nice to see Azure AD entitlement management released! Just watched the session "Microsoft's roadmap for security, compliance, and identity" - where I think the IAM/IGA perspective was not covered well at all. Besides decentralized identity, where is Microsoft heading in regards to IAM/IGA? Off the top of my head: Will we see any improvements in regards to a better consolidated management experience of identity and access for hybrid environments? When can we control onprem from cloud? Will Azure PIM cover local AD in the future? Will we see group writeback for security groups any time so that entitlements also can cover some onprem use cases as well? And is MIM all dead?

 

Best regards

 

Audun

Copper Contributor

Great news, now they should focus their efforts on training Azure support to resolve tickets in a timely manner. After all, you're only as strong as your weakest link.

Copper Contributor

Thank you for the update Alex, for your comment "To help you simplify identity management across your environment Azure AD Connect cloud provisioning will be available in public preview by end of November. Cloud provisioning can sync user identities from Windows Server AD forests and Azure AD regardless of where the AD forest is located by using a light-weight agent. These agents are deployed to each forest instance and can sync users into a single, consolidated Azure AD tenant.", does that mean customers can have multiple AD forests or even the same AD forest (with the same objects or users) synced to multiple Azure AD tenants? In short, is this topology now supported?


Copper Contributor

Hi, interesting features coming soon...

but what about improvements for GUEST accounts (B2B scenarios)???

We are still waiting for a simple way to convert a GUEST account into a SYNCED account?!!! -> This will help the user experience during MERGERS & ACQUISITIONS projects...!!!

Microsoft

@Faraz_sidd You can sync multiple AD forests to the same tenant. This is the topology that is now supported:

We do not support syncing the same object to multiple Azure AD tenants.

Copper Contributor

We enabled the MyApps Preview on our tenant a few days ago, and we still do not see it show up for our users. We created some test workspaces too.

 

Any idea how long it takes the new portal to show up after enabling it for your tenant?

Microsoft

@MKHJJ - have you tried visiting https://myapplications.microsoft.com?

 

Copper Contributor

Thanks Alex for the update. Question on the Azure AD Connect cloud provisioning: does it replace Azure AD Connect? We currently sync about 500K+ objects to Azure AD, and having only one sync server is not good (we use staging mode as well). But if this makes it easier and comes with HA, this will be awesome! Any update on when this will be available (it's almost the end of Nov)?

Copper Contributor

Please inform whether a feature has been introduced like... my customers' devices can now be added as Managed Devices (Azure AD Domain Joined) in my tenant?

 

If yes.. reference links pls. 

Hi, any news on the availability of the mentioned Azure AD Connect cloud provisioning? Many thanks!

Microsoft

@Ilse Van Criekinge - Thanks for reaching out. It will be available very soon! 

Microsoft

@Ron Argame - Azure AD Connect cloud provisioning and Azure AD Connect sync will coexist. Customers with Azure AD Connect sync can deploy cloud provisioning for new AD forests (especially disconnected ADs). The public preview will be available very soon!

Copper Contributor

Thank you, this is good news! Question on the free Azure MFA.

Will that also include using Azure MFA from on-prem ADFS?

 

Version history: last updated Jul 24 2020 01:30 AM