What's new in Microsoft Entra

With the ever-increasing sophistication of cyber-attacks, the increasing use of cloud-based services, and the proliferation of mobile devices, it’s essential that organizations secure access for both human and non-human identities to all on-premises and cloud resources, while working continuously to improve their security posture. 

 

Today, we’re sharing feature release information for January – March 2024, and first quarter change announcements. We also communicate these via release notes, email, and the Microsoft Entra admin center.  

 

The blog is organized by Microsoft Entra products, so you can quickly scan what’s relevant for your deployment. This quarter’s updates include: 

 

• Microsoft Entra ID 
• Microsoft Entra ID Governance 
• Microsoft Entra External ID 
• Microsoft Entra Permissions Management 
• Microsoft Entra Workload ID 

 

Microsoft Entra ID 

New releases 

 

• Microsoft Defender for Office alerts in Identity Protection 
• Microsoft Entra ID Protection: Real-time threat intelligence 
• New premium user risk detection, Suspicious API Traffic, is available in Identity Protection 
• Identity Protection and Risk Remediation on the Azure Mobile App 
• Granular filtering of Conditional Access policy list 
• Conditional Access filters for apps 
• Microsoft Entra CBA as Most Recently Used (MRU) method 
• FIPS 140-3 enterprise compliance for Microsoft Authenticator app on Android 
• Define Azure custom roles with data actions at Management Group scope 

 

Change announcements 

 

Update: Azure AD Graph Retirement  

[Action may be required] 

 

In June of 2023, we shared an update on completion of a three-year notice period for the deprecation of the Azure AD Graph API service. The service is now in the retirement cycle and retirement (shut down) will be done with incremental stages. In the first stage of this retirement cycle, applications that are created after June 30, 2024, will receive an error (HTTP 403) for any requests to Azure AD Graph APIs (https://graph.windows.net).  

 

We understand that some apps may not have fully completed migration to Microsoft Graph. We are providing an optional configuration that will allow an application created after June 30, 2024, to resume use of Azure AD Graph APIs through June 2025.  If you develop or distribute software that requires applications to be created as part of the installation or setup, and these applications will need to access Azure AD Graph APIs, you must prepare now to avoid interruption.  

 

We have recently begun rollout of Microsoft Entra recommendations to help monitor the status of your tenant, plus provide information about applications and service principals that are using Azure AD Graph APIs in your tenant. These new recommendations provide information to support your efforts to migrate the impacted applications and service principals to Microsoft Graph. 

 

For more information on Azure AD Graph retirement, the new recommendations for Azure AD Graph, and configuring applications created after June 30, 2024, for an extension of Azure AD Graph APIs, please reference this post.  

 

Resources 

• Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph  
• Azure AD Graph app migration planning checklist  
• Azure AD Graph to Microsoft Graph migration FAQ

 

Important update: Azure AD PowerShell and MS Online PowerShell modules are deprecated 

[Action may be required] 

 

In 2021, we described our plans to invest in Microsoft Graph PowerShell SDK as the PowerShell experience for Entra going forward, and that we would wind-down investment in Azure AD and MS Online PowerShell modules. In June of 2023, we announced that the planned deprecation of Azure AD and MS Online PowerShell modules would be deferred to March 30, 2024. We have since made substantial progress closing remaining parity gaps in Microsoft Graph PowerShell SDK. 

 

As of March 30, 2024, these PowerShell modules are deprecated: 

 

• Azure AD PowerShell (AzureAD) 
• Azure AD PowerShell Preview (AzureADPreview) 
• MS Online (MSOnline) 

 

Microsoft Graph PowerShell SDK is the replacement for these modules and you should migrate your scripts to Microsoft Graph PowerShell SDK as soon as possible. Information about the retirement of these modules can be found below.  
 
Azure AD PowerShell, Azure AD PowerShell Preview, and MS Online will continue to function through March 30, 2025, when they are retired. Note: MS Online versions before 1.1.166.0 (2017) can no longer be maintained and use of these versions may experience disruptions after June 30, 2024.  

 

We are making substantial new and future investments in the PowerShell experience for managing Entra. Please continue to watch this space as we announce exciting improvements in the coming months. 

For more information, please reference this post.  

 

Resources 

• Microsoft Graph PowerShell SDK overview  
• Migrate from Azure AD PowerShell to Microsoft Graph PowerShell 
• Azure AD PowerShell to Microsoft Graph PowerShell migration FAQ  
• Find Azure AD and MSOnline cmdlets in Microsoft Graph PowerShell 

 

Azure Multi-Factor Authentication Server - 6-month notice  

[Action may be required] 

 
Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. MFA Server will have limited SLA and MFA Activity Report in the Azure Portal will no longer be available. To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service using the latest Migration Utility included in the most recent Azure MFA Server update. Learn more at Azure MFA Server Migration. 

 

Microsoft Entra Connect 2.x version retirement 

[Action may be required] 

 

In March of 2023, Microsoft started retiring past versions of Microsoft Entra Connect Sync 2.x 12 months from the date they were superseded by a newer version. Currently only builds 2.1.20.0 (release November 9, 2022) or later are supported.  For more information see Retiring Microsoft Entra Connect 2.x versions. 

 

Use Microsoft Entra Conditional Access to create and manage risk-based policies 

[Action may be required] 

 

As announced in October 2023, we invite customers to upgrade your legacy Entra ID Protection user risk policy and sign-in risk policy to modern risk-based policies in Conditional Access following these steps for a list of benefits. The legacy risk policies are being retired. 

 

Starting May 1, 2024, no new legacy user risk policy or sign-in risk policy can be created in Entra ID Protection. To create and enable new risk-based policies, please use Conditional Access. 

 

Starting July 1, 2024, existing legacy user risk policy or sign-in risk policy in Entra ID Protection will not be editable anymore. To modify them, please migrate them to Conditional Access following these steps and manage them there.  

 

Start migrating today and learn more about risk-based policies at  Microsoft Entra ID Protection risk-based access policies.. 

 

My Apps Secure Sign-in Extension 

[Action may be required] 

 

In June 2024, users using unsupported versions of the My Apps Secure Sign-in Extension will experience breakages. If you are utilizing Microsoft Edge and Chrome extensions, you will experience no change in functionality. If you are using the unsupported Firefox versions of this extension, all functionalities will stop working in June 2024 (please note, Firefox support ceased in September 2021). Our recommendation is to use the Edge or Chrome versions of this extension. 

 

Changes in Dynamic Group rule builder 

[Action may be required] 

 

To encourage efficient dynamic group rules, the dynamic group rule builder UX in both Entra and Intune Admin Centers has been updated. As of July 2024, the 'match' and 'notMatch' operators have been removed from the rule builder because they are less efficient and should only be used when necessary. However, we want to assure you that these operators are still supported by the API and can be written into rules via the text box in both admin centers. So, if you need to use them, you still can! Please refer to this document for instructions on how to write rules using the text box. 

 

Conditional Access 'Locations' condition is moving 

[No action is required] 

 

Starting mid-April 2024, the Conditional Access ‘Locations’ condition is moving up. Locations will become the 'Network' assignment, with the new Global Secure Access assignment - 'All compliant network locations'. 

 

This change will occur automatically, admins won’t need to take any action. Here's more details: 

 

• The familiar ‘Locations’ condition is unchanged, updating the policy in the ‘Locations’ condition will be reflected in the ‘Network’ assignment and vice versa. 
• No functionality changes, existing policies will continue to work without changes. 

 

Click here to learn more. 

 

Microsoft Entra ID Protection: "Low" risk age-out 

[No action is required] 

 

As communicated earlier, starting March 31, 2024, all "low" risk detections and users in Microsoft Entra ID Identity Protection that are older than 6 months will be automatically aged out and dismissed. This will allow customers to focus on more relevant risks and provide a cleaner investigation environment. For more information, see: What are risk detections?. 

 

Change password in My Security Info replacing legacy change password experience 

[No action is required] 

 

As communicated earlier, the capability to manage and change passwords in the My Security Info management portal is now Generally Available. As part of ongoing service improvements, we're replacing the legacy Change password (windowsazure.com) experience with the new, modernized My Security Info experience beginning April 2024. From April to June, through a phased rollout, traffic from the legacy change password experience will redirect users to My Security Info. No additional action is required, and this change will occur automatically. The legacy Change Password page will no longer be available after June 2024. 

 

Microsoft Entra ID Governance 

New releases 

 

• API driven inbound provisioning 
• Just-in-time application access with PIM for Groups 
• Support for hybrid Exchange Server deployments with Microsoft Entra Connect cloud sync 

 

Change announcements 

 

End of support - Windows Azure Active Directory Connector for Forefront Identity Manager (FIM WAAD Connector) 

[Action may be required] 

 

The Windows Azure Active Directory Connector for Forefront Identity Manager(FIM WAAD Connector) from 2014 was deprecated in 2021. The standard support for this connector will end in April 2024. Customers should remove this connector from their MIM sync deployment, and instead use an alternative provisioning mechanism. For more information, see: Migrate a Microsoft Entra provisioning scenario from the FIM Connector for Microsoft Entra ID. 

 

Microsoft Entra External ID 

Change announcements 

 

Upcoming changes to B2B Invitation Email 

[No action is required] 

 

Starting June 2024, in the invitation from an organization, the footer will no longer contain an option to block future invitations. A guest user who had unsubscribed before will be subscribed moving forward as we roll out this change. User's will no longer be added to the unsubscribed list which was maintained here in the past: https://invitations.microsoft.com/unsubscribe/manage. 

  

This change will occur automatically—admins and users won’t need to take any action. Here’s more details: 

 

• Email will not have the unsubscribe link moving forward. 
• The link in the already sent email will not work. 
• Customers who have already unsubscribed would become subscribed. 

 

To learn more, please see this Elements of the B2B invitation email | Microsoft Learn 

 

Microsoft Entra Permissions Management 

New releases 

• Microsoft Entra Permissions Management: Permissions Analytics Report (PAR) PDF  

 

Microsoft Entra Workload ID 

New releases 

• Soft Delete capability for Managed Service Identity 

 

 

Best regards,  

Shobhit Sahay 

 

 

Learn more about Microsoft identity: 

• See recent Microsoft Entra blogs 
• Dive into Microsoft Entra technical documentation 
• Learn more at Azure Active Directory (Azure AD) rename to Microsoft Entra ID 
• Join the conversation on the Microsoft Entra discussion space 
• Learn more about Microsoft Security