Unlimited SSO and new Azure AD features to simplify secure access management
Published Apr 30 2020 06:00 AM

Howdy folks,


It’s been a busy period for the IT community. From enabling secure remote access and secure remote collaboration to empowering essential Firstline Workers, everything had to adjust to the challenges brought on by COVID-19. We have continued working with customers to enable their mission-critical tasks, and we have added several new capabilities that improve the identity experience for IT as well as for end users.


As Brad Anderson also shared in his Microsoft 365 news blog this morning, we're extending the ability to use Azure AD single sign-on (SSO) to an unlimited number of cloud apps at no extra cost. Whether you use gallery or non-gallery apps, with OIDC, SAML or password-based SSO, we have removed the limit on the number of apps each user can be assigned for SSO access in Azure AD. This means any Microsoft customer with a subscription to a commercial online service such as Azure, Office 365, Dynamics or Power Platform can enable SSO for all their cloud apps, even with Azure AD Free. This complements our earlier announcement that multi-factor authentication (MFA), along with security defaults, is free across all Azure AD pricing tiers, so every one of those apps can also be protected with MFA.


We are also introducing a number of Azure AD enhancements to simplify identity and access management and improve the experiences for working remotely.


Streamline identity management


  • Dynamic group rule validation (Public Preview): Dynamic groups allow administrators to define rules based on user attributes that populate group memberships. You can now validate a rule by checking whether specific users would be members of the dynamic group or not. This makes it easier to troubleshoot and update rules before a mis-scoped rule changes who is in a group that drives app assignments or policy scope.

  • Administrative units (Public Preview): Administrative units allow you to logically group users and devices and then delegate administration of those users and devices. For example, a User account admin can update profile information, reset passwords and assign licenses only for users in their administrative unit. This is especially useful for organizations with multiple independent departments, each with its own IT admins responsible for that department.

  • Bulk operations for users and groups (GA): You can now import or export users and groups in the directory using a CSV file. This lets you create or delete users and update group memberships, as well as download users, groups and group memberships. You can also use it to invite guest users or restore deleted users.

Improve application configuration and security

  • Token configuration (GA): Azure AD issues tokens with a default set of claims. Token configuration lets you customize access tokens, ID tokens and SAML tokens to include additional claims, so your application receives more details about a user when they authenticate. You can also configure how groups are represented in claims: instead of the objectId of each group, you can emit group names, or emit groups as role claims for applications that expect roles.
  • SAML token encryption (GA): Azure AD already sends SAML tokens over an encrypted HTTPS transport channel. With the browser-based SAML bindings, however, the user's browser handles the plaintext assertion on its way from Azure AD to the application. You can now also configure encryption of the SAML token itself, using a certificate you upload for the application, so that only the application holding the matching private key can read the token's contents. This provides additional assurance where needed that personal or corporate data carried in the token can't be read by anything other than the intended application. Encryption is in addition to, not a replacement for, the signature on the token: the application must still validate the signature before trusting the claims.
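The claims configuration above decides what an application sees, but the application still has to consume those claims safely. The following is an added example, not code from this post or from the Azure AD team, showing how a resource API might authorize on the `roles` and `groups` claims. It assumes the token's signature, issuer, audience and lifetime have already been validated by a real library; the payloads, role name and group objectIds are constructed for the example. It also handles the group-overage case, where Azure AD omits the `groups` claim and instead emits `_claim_names`/`_claim_sources` (or `hasgroups` in implicit-flow tokens) when a user belongs to more groups than fit in a token:

```python
"""Authorization on Azure AD token claims (added example; constructed payloads).

Assumes the JWT signature, issuer (iss), audience (aud) and lifetime (exp/nbf)
have already been validated by a real library such as PyJWT or MSAL. Only the
claim-to-permission mapping is shown here.
"""

# Hypothetical mapping for this example: which app role or security group may
# call the "reports:read" operation. The objectId below is constructed.
ROLES_ALLOWED = {"Report.Read"}
GROUPS_ALLOWED = {"11111111-2222-3333-4444-555555555555"}  # objectId of "Finance"


class Decision:
    def __init__(self, allowed: bool, reason: str):
        self.allowed = allowed
        self.reason = reason

    def __repr__(self):
        return f"Decision(allowed={self.allowed}, reason={self.reason!r})"


def _as_set(value) -> set:
    """Azure AD emits a single-valued claim as a string and multi-valued as a list."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return set(value)


def has_group_overage(claims: dict) -> bool:
    """True when Azure AD replaced the groups claim with an overage indicator.

    In JWTs this appears as _claim_names["groups"] pointing at an entry in
    _claim_sources (a Graph endpoint from which to fetch the full list); in
    implicit-flow tokens it appears as hasgroups=true.
    """
    names = claims.get("_claim_names") or {}
    return "groups" in names or claims.get("hasgroups") is True


def authorize(claims: dict) -> Decision:
    """Decide whether the caller may read reports.

    Roles are checked first (app roles, or groups emitted as roles by the
    token configuration), then security groups by objectId. An overage token
    is refused rather than treated as 'no groups': treating it as empty would
    silently deny, or with a permissive default silently grant, access.
    """
    roles = _as_set(claims.get("roles"))
    if roles & ROLES_ALLOWED:
        return Decision(True, "role")
    if has_group_overage(claims):
        # Membership must be resolved via Graph (e.g. transitiveMemberOf)
        # before a decision can be made; fail closed here.
        return Decision(False, "group overage: resolve membership via Graph")
    groups = _as_set(claims.get("groups"))
    if groups & GROUPS_ALLOWED:
        return Decision(True, "group")
    return Decision(False, "no matching role or group")


# Constructed sample payloads (not real tokens).
TOKEN_ROLE = {"sub": "u1", "roles": ["Report.Read"]}
TOKEN_GROUP = {"sub": "u2", "groups": ["11111111-2222-3333-4444-555555555555"]}
TOKEN_OVERAGE = {
    "sub": "u3",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/u3/getMemberObjects"}
    },
}
TOKEN_NONE = {"sub": "u4", "groups": ["99999999-8888-7777-6666-555555555555"]}

if __name__ == "__main__":
    for token in (TOKEN_ROLE, TOKEN_GROUP, TOKEN_OVERAGE, TOKEN_NONE):
        print(token["sub"], authorize(token))
```

Authorizing on group objectIds rather than display names is deliberate: names can be changed or reused, objectIds cannot. If you emit groups as roles instead, the same check applies to the `roles` claim and the overage handling is no longer needed for the roles path.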


Seamless and secure collaboration

  • Invite internal users to B2B collaboration (Public Preview): If you have been managing external users in the same way as regular users in your directory, you can now convert them to guest users and take advantage of the benefits offered by Azure AD B2B. The users retain their user ID, user principal name, group memberships and app assignments. This provides better governance over your external users without having to delete and re-invite them. Learn more about secure remote collaboration in our recent blog.

  • Redesigned B2B collaboration invitation emails (GA): External users invited through B2B collaboration will soon see a new design of the invitation email. The new design gives external users more clarity to help them make an informed decision about accepting the invitation.

  • Secure access to SAML-based applications with Azure AD B2C (GA): You can now integrate a SAML application with Azure AD B2C. Acting as a SAML identity provider (IdP), Azure AD B2C lets you offer many authentication options to your users without changing the application's existing SAML authentication library. Any OIDC, OAuth or SAML-based identity provider, such as Salesforce, Facebook, Google or Active Directory Federation Services (AD FS), can be offered to your users.


Safeguard identities with industry-leading security

  • Report-only mode for Azure AD Conditional Access (GA): It is often useful to understand how many users would be affected by a new Conditional Access policy before you deploy it. With report-only mode, you can now evaluate the impact of a policy before you choose to enforce it: the policy is evaluated at sign-in and its outcome is recorded in the sign-in logs, but it is not enforced. Testing your policies and making corrections first gives you more control over how they are rolled out and how they affect your end users.

  • Combined MFA and password reset registration (GA): This new combined security information registration experience makes it easy for your users to register for MFA and Self-Service Password Reset (SSPR) in a single step-by-step process.

  • Continuous Access Evaluation (GA): Continuous Access Evaluation (CAE) is a step towards further enhancing security in your environment. It enables a timely response to policy violations or security events that occur after access has been granted, rather than waiting for an already-issued token to expire. We are implementing our initial approach to CAE in Exchange and Teams.
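Report-only mode is only useful if someone reads the results, so here is an added example (not code from this post or from the Azure AD team) that summarizes the impact of report-only policies from sign-in log records. The records follow the shape of the Microsoft Graph `signIn` resource, in which each entry of `appliedConditionalAccessPolicies` carries a `result` such as `reportOnlySuccess`, `reportOnlyFailure`, `reportOnlyNotApplied` or `reportOnlyInterrupted`; the records themselves, the policy names and the user names are constructed. In practice you would page through `/auditLogs/signIns` (which needs the `AuditLog.Read.All` permission) or query the logs exported to Log Analytics:

```python
"""Summarize the would-be impact of report-only Conditional Access policies
from Azure AD sign-in log records (added example; constructed records)."""
import json
from collections import defaultdict

# Result values Azure AD records for a policy evaluated in report-only mode.
#   reportOnlySuccess     conditions matched, grant controls already satisfied
#   reportOnlyFailure     conditions matched, at least one grant control not
#                         satisfied (would have been blocked)
#   reportOnlyInterrupted user would have been prompted (e.g. for MFA)
#   reportOnlyNotApplied  policy conditions did not match this sign-in
REPORT_ONLY = {"reportOnlySuccess", "reportOnlyFailure",
               "reportOnlyNotApplied", "reportOnlyInterrupted"}

# Constructed sample records in the shape of the Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Exchange Online",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "result": "reportOnlyFailure"},
    {"displayName": "Block legacy auth", "result": "reportOnlyNotApplied"}]},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "SharePoint Online",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "result": "reportOnlySuccess"},
    {"displayName": "Block legacy auth", "result": "reportOnlyNotApplied"}]},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Exchange Online",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "result": "reportOnlyFailure"},
    {"displayName": "Block legacy auth", "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "svc-scanner@contoso.example", "appDisplayName": "Exchange Online",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "result": "reportOnlyInterrupted"},
    {"displayName": "Block legacy auth", "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Teams",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "result": "success"}]}
]""")


def summarize_report_only(signins):
    """Return {policy name: {"counts": {result: n}, "would_fail_users": set}}.

    Only report-only results are counted; results of enforced policies
    ("success", "failure", "notApplied", ...) are skipped. would_fail_users
    is the set of UPNs that a reportOnlyFailure result means would have been
    blocked had the policy been enforced.
    """
    summary = defaultdict(lambda: {"counts": defaultdict(int),
                                   "would_fail_users": set()})
    for signin in signins:
        for policy in signin.get("appliedConditionalAccessPolicies", []):
            result = policy.get("result")
            if result not in REPORT_ONLY:
                continue
            entry = summary[policy["displayName"]]
            entry["counts"][result] += 1
            if result == "reportOnlyFailure":
                entry["would_fail_users"].add(signin["userPrincipalName"])
    return summary


def would_block(summary, policy_name):
    """Sorted list of users a given policy would have blocked."""
    return sorted(summary.get(policy_name, {}).get("would_fail_users", set()))


if __name__ == "__main__":
    report = summarize_report_only(SAMPLE_SIGNINS)
    for name, entry in report.items():
        print(name, dict(entry["counts"]))
        print("  would block:", would_block(report, name))
```

Before switching a policy from report-only to on, look at the `would_fail_users` set for service accounts and break-glass accounts: in the constructed data the scanner account would be blocked by the legacy-auth policy, which is exactly the kind of dependency you want to find before enforcement rather than after.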


App gallery integration


Dynamic group rule validation, administrative units, report-only mode for Azure AD Conditional Access, and combined MFA and password reset registration require an Azure AD Premium P1 license; all other features referenced in this blog are available across all licensing tiers.


We hope these improvements will make it easier for you to keep your users secure and productive while enabling them to work remotely. As always, we’d love to hear your feedback or suggestions; please leave them in the comments or reach out to us on Twitter (@azuread).


Stay safe and be well,


Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

14 Comments
Steel Contributor

Great set of security measures! Great news for all your clients (and mine!)

Copper Contributor

Will this also include AAD to AD writeback?


And when can we expect the pricing matrix to reflect this? https://azure.microsoft.com/en-us/pricing/details/active-directory/

Copper Contributor

Administrative units are great, but it would be cool if we could create licensing pools where the global admin can put licenses in (e.g. 3x Office, 2x Visio, etc.) and the administrative unit admin can take from.

Currently every admin can see all of the licenses and might choose the wrong ones (or shouldn't be allowed to see all of the licenses).


THAT would be really helpful.

Copper Contributor

Does this mean you can use the non-gallery SSO apps on the Azure AD free tier?

Copper Contributor

This looks like using AD groups for SAML membership will still be a paid feature?  For now the free version still only supports adding individual users?

Copper Contributor

So excited to see these items rolling out! Especially the administrative groups.


thanks Microsoft!

Copper Contributor

Is NPS Extension for Azure MFA included in this Unlimited SSO structure?

Microsoft

@Laggie: Yes! You can do custom integrations of SAML apps in Free now. The code change to allow it is still rolling out to all regions, but should be possible now for most people.
@O365AdminGuy: Yep, group assignment to apps is P1.

Copper Contributor

@Ilana Smith bummer - I need to set up a SaaS app with groups but the cost to add P1 to all of my users is far too high just for this simple function. Would love to keep my SAML/SSO in Azure with my AD and O365, but there are much less expensive options out there rather than paying nearly $1000/mo when I don't need most of the 'features' of P1.

Copper Contributor

Please reconsider making Self Service Password Reset with on-prem writeback a free feature.  Having this feature helps with security for hybrid customers.  

Copper Contributor

Any thoughts on Azure Hybrid support on SSO with no 365?

Copper Contributor

Does this mean you can do SCIM provisioning with Azure AD Free?

Microsoft

@mahue Thank you for the feedback. We are working with partner teams to bring a solution for delegated license management along the lines you described.

Copper Contributor

Please consider making Self Service Password Reset with on-prem writeback a free feature.  Having this feature helps with security for hybrid customers... and the calls to the Helpdesk - "the password reset link isn't working"...


Version history
Last update:
‎Jul 27 2020 07:12 PM