As Brad Anderson also shared in his Microsoft 365 news blog this morning, we're extending the ability to use Azure AD single sign-on (SSO) for an unlimited number of cloudappsat no extra cost. Whether you need gallery apps or non-gallery apps, using OIDC, SAML or password SSO, we have removed the limit on the number of apps each user can be assigned for SSO accessin Azure AD. This means any Microsoft customer using a subscription of a commercial online service such as Azure, Office 365, Dynamics and Power Platform can enable SSO for all their cloud apps, even with Azure AD Free.This complements our earlier announcement that multi-factor authentication (MFA)along with security defaultsis free across all Azure AD pricing tiers, so every one of your apps can also be protected.
We are also introducing a number of Azure AD enhancements to simplify identity and access management and improve the experiences for working remotely.
Streamline identity management
Dynamic groups rule validation (Public Preview)—Dynamic groups allow administrators to set rules based on user attributes to populate group memberships. Now we have added the ability for you to validate your rules by checking if specific users will be members of adynamic group or not. This will make it easier to troubleshoot and update rules for dynamic groups.
Administrative units (Public Preview)—Administrative units allow you to logically group users and devices and then delegate administration of those users and devices. For example, a User account admin can update profile information, reset passwords and assign licenses only for users in their administrative unit. This isespecially useful for organizationswith multiple independent departments, each having their own ITadmins responsible for their department.
Bulk operations for users and groups (GA)—You can now import or exports users and groups in the directory using a CSV file! This lets you create or delete users, update group membershipsas well as download users, groups and group memberships. You can also use this to invite guest users or restore deleted users.
Improve application configuration and security
Token configuration (GA)—Azure AD issues tokens with a default set of claims. Token configuration allows you to customize access tokens, id tokens and SAML tokens to include additional claims. These additional claims allow you to get more details about a user when they get authenticated into your application. You can also configure how groups are represented in claims. For example, instead of using objectID of groups in the claims, you can choose group names as claims or have groups be emitted as roles for applications that require these to be role claims.
SAML token encryption (GA)—Azure AD already sends SAML tokens on an encrypted HTTPS transport channel. In addition to this, you can now also configure encryption of SAML tokens. This provides additional assurance where needed that the content of the token can't be intercepted, and personal or corporate data can’t be compromised.
Seamless and secure collaboration
Invite internal users to B2B collaboration (Public Preview)—If you have been managing external users similar to regular users in your directory, you can now change them to guest users and take advantage of the benefits offered by Azure AD B2B.The users will retain their user ID, user principal name, group memberships as well as app assignments.. This providesbetter governance over your external users, without needing to manually delete and re-invite the user. Learn more about secure remote collaboration in our recent blog.
Redesigned B2B collaboration invitation emails (GA)—External users invited through B2B collaboration will soon see anewdesign of the invitation email. The new design provides external users withmore clarity to help make an informed decision for accepting the invitation.
Secure access to SAML-based applications with Azure AD B2C (GA)—You can now integrate a SAML application with Azure AD B2C. Acting as a SAML identity provider (IdP), Azure AD B2C helps you offer many authentication options to your users without the need to change the application’s existing SAML authentication library. All OIDC, OAUTH, and SAML-based identity providers such as Salesforce, Facebook, Google, and Active Directory Federation Services (ADFS) can be offered to your users.
Safeguard identities with industry-leading security
Report-only mode for Azure AD Conditional Access (GA)—Sometimes it is useful to understand how many users will be impacted if you deploy a new Conditional Access policy. With report-only mode, you can now evaluate the impact of a policy before you choose to enforce it. Testing your policies and making any correctionsallows you to be more in control of how your policies are rolled out and how it affects your end users.
Combined MFA and password reset registration (GA)—This new combined security information registration experience makes it easy for your users to register for MFA and Self-Service Password Reset (SSPR) in a simple step-by-step process.
Continuous Access Evaluation (GA)—Continuous Access Evaluation (CAE) is a step towards further enhancing security in your environment. It allows timely response to policy violations or security issues that may occur after access is granted. We are implementing our initial approach to CAE in Exchange and Teams.
Dynamic group rule validation, administrative units, report-only mode for Azure AD Conditional Access, and combined MFA and password reset registration require Azure AD P1 license, all other features referenced in this blog are available across all licensing tiers.
We hope these improvements will make it easier for you to keep your users secure and productive while enabling them to work remotely. As always, we’d love to hear your feedback or suggestions—please leave them in the comments or reach out to us on Twitter (@azuread).