Microsoft has recently introduced a range of new security tools and features for the Entra product family, aimed at helping organizations improve their security posture. With increasingly sophisticated cyber attacks, growing use of cloud-based services, and the proliferation of mobile devices, it is essential that organizations have effective tools in place to manage their identity and access security.
Today, we’re sharing the new feature releases for the last quarter (April – June 2023) and the changes to existing features (June 2023 change management train). We also communicate these changes on release notes and via email. We’re continuing to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the new Entra admin center as well.
These recent updates have been organized into capability areas, making it easy to quickly find and access the latest updates. With these new features, we aim to provide our customers with an identity and access solution for a connected world.
Product Updates Summary
- Azure Active Directory
- Microsoft Entra Permissions Management
- Microsoft Entra Workload Identities
- Microsoft Entra External ID
- Microsoft Entra Identity Governance
Azure Active Directory
New feature releases
- Azure AD Certificate-Based Authentication (CBA) on Mobile
- Microsoft Enterprise SSO for Apple Devices
- SAML Request Signature Verification for SP-initiated Flows
- Conditional Access authentication strength
- Conditional Access Granular control for external user types
- Azure AD Identity Protection: Verified threat actor IP sign-in detection
- Secure Defaults: Azure RBAC Role Picking Experience
- System-preferred multifactor authentication
- My Security-info now shows Microsoft Authenticator type
- Authenticator Lite (In Outlook)
- Report suspicious activity integrated with Identity Protection
- Devices Self-Help Capability for Pending Devices
- PowerShell and Web Services connector support through the Azure AD provisioning agent
- Admins can restrict their users from creating tenants
- Admins can now restrict users from self-service accessing their BitLocker keys
Existing feature changes
Improved experience for managing passwords in My Security Info
[No action is required]
Beginning October 2023 through a phased rollout, we're improving the end user experience of managing passwords and providing the capability to do so in the My Security Info management portal (My Sign-Ins | Security Info | Microsoft.com). Users will be able to change their password, and users that are capable of multifactor authentication (MFA) will be able to reset their passwords in My Security Info. By December 2023, the legacy experience to change passwords will be redirected to the new experience. This change will occur automatically for all customers and no action needs to be taken.
Introducing voice OTP
[Action may be required]
Voice call is our least secure authentication method; there are far better ways of doing MFA, including Microsoft Authenticator (which offers both MFA and Passwordless options), or even better: Windows Hello for Business. Although we encourage everyone to move away from voice, we’re making security improvements to the voice call method for those that are dependent on it. Rather than confirming the authentication by pressing “#”, a one-time passcode (OTP) will be read out to the user during the voice call. We’ll introduce voice OTP as part of the “Phone OTP” authentication method, which will be an evolution of today’s SMS authentication method. This authentication method will have two delivery methods (SMS and voice OTP) and as such allows for delivery method optimization. You’ll be able to migrate from traditional voice to voice OTP, and we recommend you do so, as traditional voice will be deprecated.
Starting July 2023, all new tenants using Azure AD free licenses will have this new optimized channel. For existing tenants using Azure AD free licenses, we will begin rolling out this feature from early August. Customers with Azure AD Premium licenses will follow, once all the configurability in the Phone OTP authentication method is available. We’ll share timelines over the course of the next few months in another public announcement. Keep an eye on the Message center in the Microsoft 365 admin center where we’ll notify admins when this change will impact their specific organization.
Registration campaign improvements
[Action may be required]
To help your users move away from publicly switched telephone networks (PSTN) such as SMS and voice, we’re making improvements to the Registration campaign feature (aka Nudge). We’ll allow users to skip the prompt a maximum of three times, after which they will have to go through the registration flow.
Secondly, for Azure AD tenants that are Microsoft-managed, we’re enabling the feature for users that are fully dependent on PSTN methods (SMS and voice) today for their MFA. Beginning July 2023, we will initiate a phased rollout of this change starting with tenants with Azure AD free licenses and progressing to all organizations worldwide. We will share timelines in another public announcement. Keep an eye on the Message center in the Microsoft 365 admin center, where we’ll notify admins when this change will impact their specific organization.
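To find the population the registration campaign will target, an added example (not from the original post) that lists users whose only registered MFA methods are phone-based. It assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All permission, and that the Graph userRegistrationDetails report names phone methods as mobilePhone, alternateMobilePhone and officePhone.

```powershell
# Added example, not part of the original post.
# Assumes: Microsoft.Graph.Reports module; AuditLog.Read.All permission;
# the PSTN method names below are taken from the Graph userRegistrationDetails
# reference and are an assumption of this example.
Import-Module Microsoft.Graph.Reports

function Get-PstnOnlyUsers {
    param(
        # Method names that the report uses for SMS/voice registrations
        [string[]]$PstnMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
    )
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
    foreach ($d in $details) {
        $methods = @($d.MethodsRegistered)
        # Users with nothing registered are a separate problem (no MFA at all)
        if ($methods.Count -eq 0) { continue }
        $nonPstn = $methods | Where-Object { $PstnMethods -notcontains $_ }
        if (-not $nonPstn) {
            [pscustomobject]@{
                UserPrincipalName = $d.UserPrincipalName
                IsAdmin           = $d.IsAdmin
                IsMfaRegistered   = $d.IsMfaRegistered
                Methods           = ($methods -join ',')
            }
        }
    }
}

Connect-MgGraph -Scopes 'AuditLog.Read.All'
$pstnOnly = @(Get-PstnOnlyUsers)
# Admins that rely solely on SMS/voice are the first to migrate
$pstnOnly | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
'{0} users rely solely on SMS/voice for MFA' -f $pstnOnly.Count
```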
IPv6 enablement in Azure AD may impact users
[Action may be required]
IPv6 rollout ends on June 30th across all Microsoft regions, which may impact Azure AD customers. Your users might experience blocks or receive more MFA requests than usual. In such cases, we recommend reviewing your tenant’s sign-in logs.
This impact on your tenant could be due to end users connecting from IPv6 ranges that are not configured in your tenant’s Named Locations. To address this, please follow the steps outlined on this page to identify IPv6 ranges in your tenant’s environment and configure the necessary settings.
Please share the following guidance with the relevant members of your IT administration team:
- IT / Security Admin: Use the sign-in report described in the Identifying IPv6 traffic with Azure AD Sign-in activity reports. Use the resulting address list to determine if any IPv6 ranges need to be added to your Azure AD Security Named Locations, following the steps provided. It’s also important to collaborate with your internal networking teams to verify IPv6 ranges for your organization, as required.
- Network admin: Collaborate with your IT/Security admin to identify known IPv6 ranges in your network infrastructure. Add these ranges to your tenant’s existing Azure AD Named Locations by following the steps provided.
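The sign-in review described above, as an added example (not from the original post): it pulls the last seven days of sign-ins with Microsoft Graph PowerShell, keeps the IPv6 ones, groups them by /64 prefix and flags prefixes that no existing IP named location covers. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules, the AuditLog.Read.All, Directory.Read.All and Policy.Read.All permissions, and that IP named locations expose their ranges under AdditionalProperties['ipRanges'] with a cidrAddress key.

```powershell
# Added example, not part of the original post. Assumes the modules, permissions
# and named-location property layout named in the lead-in.
Import-Module Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns

function Test-Ipv6 ([string]$Address) {
    $ip = $null
    return [System.Net.IPAddress]::TryParse($Address, [ref]$ip) -and
           $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6
}

function Get-Ipv6Prefix64 ([string]$Address) {
    # First 64 bits (four hextets) identify the routed prefix a user comes from
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $hextets = for ($i = 0; $i -lt 8; $i += 2) { '{0:x}' -f (([int]$b[$i] -shl 8) -bor [int]$b[$i + 1]) }
    return (($hextets -join ':') + '::/64')
}

function Test-InCidr ([string]$Address, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($a.Length -ne $n.Length) { return $false }   # v4 range cannot cover a v6 address
    for ($i = 0; $i -lt $a.Length; $i++) {
        $take = [Math]::Min(8, [Math]::Max(0, [int]$bits - 8 * $i))
        if ($take -eq 0) { break }
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All'
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$v6      = $signIns | Where-Object { Test-Ipv6 $_.IPAddress }

# IPv6 CIDRs already configured in IP-based named locations (assumed property layout)
$known = Get-MgIdentityConditionalAccessNamedLocation -All |
    ForEach-Object { $_.AdditionalProperties['ipRanges'] } |
    ForEach-Object { $_['cidrAddress'] } | Where-Object { $_ -and $_.Contains(':') }

$v6 | Group-Object { Get-Ipv6Prefix64 $_.IPAddress } | ForEach-Object {
    $sample = $_.Group[0].IPAddress
    [pscustomobject]@{
        Prefix64 = $_.Name
        SignIns  = $_.Count
        Users    = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
        Covered  = [bool]@($known | Where-Object { Test-InCidr $sample $_ })
    }
} | Sort-Object SignIns -Descending | Format-Table -AutoSize
```

Prefixes with many distinct users and Covered = False are the candidates to confirm with the network team before adding them to a named location.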
My Account is replacing legacy profile page
[No action is required]
As part of ongoing service improvements, we’re replacing the legacy profile page (https://account.activedirectory.windowsazure.com/r/#/profile) with a new, modernized My Account experience in October 2023. From July to October, notification banners on the Profile page will inform customers about the planned replacement.
In October, the Profile page URL will automatically redirect users to My Account. No action is required unless you have allow-listed or bookmarked the old URL. If your organization has set up an allow-list, you’ll need to update your allow-list to include My Account. My Account is available today at https://myaccount.microsoft.com.
Modernizing per-user Multifactor Authentication (MFA) Settings
[No action is required]
As part of ongoing service improvements, starting in October 2023, we'll be rolling out a modernized per-user MFA settings experience that better aligns with the Microsoft Entra admin center look and feel. No functionality will be removed as part of this user experience update. This change will occur automatically for all customers, and no action needs to be taken.
Azure AD Graph Retirement and PowerShell Module Deprecation
[Action may be required]
In 2019, we announced the deprecation of the Azure AD Graph service, and we have communicated that Azure AD Graph will stop functioning at some point after June 30, 2023. We’ve also previously communicated that three legacy PowerShell modules (Azure AD, Azure AD Preview, and MS Online) would be deprecated on June 30, 2023. We understand that many customers have not yet completed these migrations, and we confirm our continued commitment to work with our customers during this migration period to minimize and avoid impact.
We’ve published updates on timelines and details for the Azure AD Graph retirement process and PowerShell module deprecation. The details can be read here.
In summary:
- PowerShell: We recognize that some scenarios supported by the legacy PowerShell modules are not yet available in Microsoft Graph PowerShell SDK, and we have postponed the deprecation date for the legacy PowerShell modules to March 30, 2024, accordingly.
- Azure AD Graph: As of June 30, 2023, we are entering a retirement cycle for Azure AD Graph. There will be no impact on applications on June 30, but Azure AD Graph APIs do not have SLA or maintenance commitments beyond security-related fixes. We’re committing to retiring Azure AD Graph in incremental steps, with three months of advance notice for each step. The first step of retirement will involve preventing newly created applications from using Azure AD Graph. Our next update will provide a timeline and details of this step.
We strongly encourage all customers to prioritize migrating applications using Azure AD Graph to Microsoft Graph APIs and begin planning for migrating PowerShell scripts using the legacy modules.
Microsoft Entra Permissions Management
New feature releases
- Microsoft Entra Permissions Management Azure Active Directory Insights
- Microsoft Entra Permissions Management: Billable Resources
Microsoft Entra Workload Identities
New feature releases
- Workload identity Federation for Managed Identities
- Managed Identity in Microsoft Authentication Library for .NET
Microsoft Entra External ID
Existing feature changes
Upcoming change in B2B sign-in experience
[No action is required]
Today, when a B2B guest user is prompted to sign in to a resource tenant, the background and logo branding reflects that of the resource tenant. As soon as the B2B guest enters their User Principal Name (UPN), the logo will change to that of the home tenant, but the background branding remains the same.
Microsoft is working on changing this branding experience for cross-tenant collaboration authentication requests. In the new experience, when a B2B guest user is prompted to sign in, after entering the UPN, they’ll be redirected to their home tenant login page, and the branding experience will reflect that of the home tenant instead of the resource tenant. After successfully signing in, the user will be signed into the app in the resource tenant.
We plan to roll out this change starting July 2023 and complete by October 2023, and there are no actions that need to be taken. To understand B2B collaboration, please see: Azure AD B2B collaboration overview - Microsoft Entra | Microsoft Learn.
Microsoft Entra Identity Governance
New feature releases
- Microsoft Entra ID Governance
- Lifecycle Workflows
- Cross-Tenant Synchronization for seamless application access
- PIM for Groups
- PIM role activation can require a Conditional Access Policy evaluation before activation
- Alert on active-permanent role assignments in Azure or assignments made outside of PIM
- Self Service Password Reset (SSPR) now supports PIM eligible users and indirect group role assignment
- Custom Extensions in Entitlement Management
- Include/exclude Entitlement Management in Conditional Access policies
- Support for Directory Extensions using Azure AD Cloud Sync
And speaking of announcements – don’t miss the digital event Reimagine secure access with Microsoft Entra on Tuesday, July 11, 2023. Hope to see you there!
Register today to watch live or get the replay.
Best regards,
Shobhit Sahay
Learn more about Microsoft identity:
Related Articles:
- Microsoft Entra ID Governance is generally available
- See recent Microsoft Entra blogs
- Dive into Microsoft Entra technical documentation
- Join the conversation on the Microsoft Entra discussion space and Twitter
- Learn more about Microsoft Security