April is here!
It’s time for this month’s highlights:
- Check out this post from Levent Besik on how the Microsoft identity platform helps developers manage identity risk!
- ADAL Deprecation: ADAL end of life is now June 30, 2023. No support or security fixes will be provided past end-of-life, so prioritize migration to Microsoft Authentication Library (MSAL). Check Migrate to the Microsoft Authentication Library (MSAL) for guidance and this blog post from Den Delimarsky for details.
- Join our public community call series on April 20th: Check out our platform community calls section for more information. If you missed it, here’s our previous platform community call from February 2023: Get your Apps ready for Zero Trust.
- Let’s connect: Check out our events page for community calls, events, and workshops, and follow our newsletter for regular product updates and more.
NOTE: Visit What’s deprecated in Azure Active Directory? for information about all deprecations.
What’s new in libraries
Library | Update Summary |
---|---|
Microsoft Authentication Library for JS | |
Microsoft authentication library for dotnet | |
Microsoft identity web | |
Microsoft authentication library common for android | |
Microsoft Authentication Library for Android | |
Microsoft Authentication Library for OBJC | |
Microsoft Authentication Library Common for OBJC | |
Developer-focused guidance
- New applications added to Azure AD app gallery in March 2023 supporting user provisioning.
- Stay up to date with the recently added RSS feeds for the version release history of Azure AD Connect cloud provisioning agent and Azure AD Connect.
- Start your journey to deprecate your voice and SMS based MFA methods in favor of more secure options leveraging the new end user communication template Deprecate SMS and vMFA.docx available within Microsoft Entra end-user rollout templates and materials in the Download Center.
- Understand how to deploy Azure AD Identity Protection.
- Get answers to your Workload Identities licensing and capability related questions.
- Check out the latest additions to the Zero Trust Developer Guidance center introducing the application registration process and its requirements, and don’t forget how to authenticate users for Zero Trust and Managing tokens for Zero Trust.
- Learn how to configure Trusona Authentication Cloud with Azure AD B2C.
Generally Available (GA) since March 2023
- Authentication methods policy convergence – Enables you to manage all authentication methods used for Multi-Factor Authentication (MFA) and self-service password reset (SSPR) in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant.
- Provisioning insights workbook – This workbook makes it easier to investigate and gain insights into your provisioning workflows. This includes HR-driven provisioning, Azure AD Connect cloud sync, app provisioning, on-premises hybrid sync, and cross-tenant sync. It automatically surfaces both source and target that provisioning connects to.
Product updates
- We have postponed the removal of admin controls and the enforcement of the tenant-wide number match experience for all users of the Microsoft Authenticator push notifications from February 27th to May 8th. We highly recommend enabling number matching in the near term for improved sign-in security.
Identity YouTube Channel
Latest videos on the Identity YouTube channel:
Microsoft identity platform community calls
The Microsoft identity platform developer community call is on the 3rd Thursday of each month with an interesting topic and speaker every month.
To join the call, click here: https://aka.ms/IDDEVCommunityCall-join
Check out our previous call: Staying Up to Date with Authentication for JavaScript Applications
NOTE: There has been an update to the calendar series. To download the new series, go to https://aka.ms/IDDEVCommunityCall
Check out our YouTube playlist of all the previously recorded calls: Microsoft identity platform community calls.
Workshops and Events
Date | Start time | End time | Event and Registration |
---|---|---|---|
4/18 – 4/19 | 9:00 am (PDT) | 12:00 pm (PDT) | Explore the Power of Microsoft Graph |
4/25 – 4/26 | 9:30 am (IST) | 11:30 am (IST) | How to successfully migrate away from AD FS to Azure AD APAC (English) |
4/25 – 4/26 | 3:00 pm (CEST) | 5:00 pm (CEST) | How to successfully migrate away from AD FS to Azure AD EMEA (English) |
4/25 – 4/26 | 9:00 am (PDT) | 11:00 am (PDT) | How to successfully migrate away from AD FS to Azure AD Americas (English) |
5/2 – 5/4 | 6:00 am (PDT) | 9:00 pm (PDT) | Identity Workshop for Developers |
5/2 – 5/4 | 3:00 pm (PDT) | 6:00 pm (PDT) | Identity Workshop for Developers |
5/9 – 5/10 | 1:00 pm (WEST) | 3:00 pm (WEST) | How to successfully migrate your applications from AD FS to AAD (Portuguese) |
5/16 – 5/17 | 10:00 am (EDT) | 12:00 pm (EDT) | How to successfully migrate from AD FS to Azure AD (Spanish) |
Check the events page to find out about all opportunities to connect with us!
Features for public preview
- Microsoft Authenticator Lite for Outlook mobile (also known as Companion App) – Enables a subset of Microsoft Authenticator features in Outlook mobile. This enhanced capability in Outlook provides the security benefits of push-based multifactor authentication with the convenience of using an application users already have downloaded to their device.
- Custom claims provider – Formerly known as token augmentation, this capability allows you to customize the Azure AD authentication experience by integrating with external systems. During the authentication flow an API is called using a custom extension to fetch and map custom claims into the token. The API call is made after the user has completed all their authentication, and a token is about to be issued to the app.
- Conditional Access (CA): token protection – Token protection attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. By creating a cryptographically secure tie between the token and the device (client secret) it’s issued to, the bound token is useless without the client secret.
- App-health related recommendations – Provide you with personalized insights and actionable guidance to improve the hygiene of apps in your tenant. The recommendations are based on best practices, and can help create a clean, manageable, and healthy app portfolio of active applications. The app-health related recommendations include: remove unused applications, remove unused credentials from apps, renew expiring application credentials and renew expiring service principal credentials.
- Azure AD Application Proxy complex application scenario – Using complex application publishing on Azure AD Application Proxy allows you to create only one application that is made up of multiple URLs across various domains as opposed to having to have several different apps in the past.
- Azure AD Application Proxy maintenance mode – Provides the ability to enable and disable a maintenance mode for applications integrated with Azure AD Application Proxy, giving application administrators a choice to retain application configurations while blocking access temporarily.
- Pending devices in Azure AD – In the All devices blade under the Registered column, you can now click on any pending devices you have, and it will open a context pane to help troubleshoot why a device may be pending.
- Application instance lock for workload identities – Allows app developers to protect their multi-tenant apps from having critical properties tampered with by attackers.
- Azure AD Domain Services (DS): Support for custom attributes – Adds support to synchronize the on-premises Active Directory attributes onPremisesExtensionAttributes and Directory Extensions to Azure AD DS.
- Role-based access control (RBAC) scoping using administrative units in Microsoft Purview – Allows you to scope Microsoft Purview Data Loss Prevention administrative roles to a user for an administrative unit so this administrator can perform administrative tasks such as creating and managing policies and investigating alerts for the users in their administrative units.
- Refresh: Lifecycle Workflows (LCW) – With the public preview refresh, we have added new capabilities including the ability to customize email notifications (company branding/logo, domain, subject, body, language and add cc recipients), a new workflow settings UI, extended the trigger offset range, more audit logs, and the ability to view the users in scope for the next workflow run.
- Conditional Access for My Access – Allows guests to enter the My Access portal to be onboarded into your directory even when you have blocked them from accessing all other resources through a CA policy. In addition, you can now request end users to perform MFA when they enter My Access as well as apply other capabilities that CA offers.
- Refresh: Microsoft Entra Identity Governance Entitlement Management custom extensions to Logic Apps – With the public preview refresh, we have added new capabilities including a launch and wait feature, a fully redesigned custom extension UI, new custom extension types, a proof of possession authentication model, an enhanced payload, and more audit logs.
- Verified IDs in Microsoft Entra Identity Governance Entitlement Management – You can now include Microsoft Entra Verified ID requirements during Microsoft Entra Identity Governance Entitlement Management access requests, providing verified attestations for users from a wide set of issuers during the request process. This capability further automates scenarios like onboarding, helps create stronger compliance, and makes it easier for employees and guests to start collaborating right away.
Tell us what you think
This is YOUR newsletter!
We would love your input. Please let us know your thoughts by leaving a comment below.