May is here!
It’s time for this month’s highlights:
- Check out this post: Scope App Permissions for Secure Automation using Microsoft Azure Active Directory, and watch for other great content coming to our blog!
- ADAL Deprecation: ADAL end of life is now June 30, 2023. No support or security fixes will be provided past end of life, so prioritize migration to the Microsoft Authentication Library (MSAL). See Migrate to the Microsoft Authentication Library (MSAL) for guidance and this blog post from Den Delimarsky for details.
- Join our public community call series on May 18th: check our platform community calls section for more information. If you missed it, here is our previous platform community call from April 2023 (recording available soon; check our playlist): Mastering Azure AD App Security: Safeguarding Service Principals for Smooth and Secure Automation.
- Let's connect: check out our events page for community calls, events, and workshops, and follow our newsletter for regular product updates and more.
NOTE: Visit What’s deprecated in Azure Active Directory? for information about all deprecations.
What’s new in libraries
Libraries with updates this month:
- Microsoft Authentication Library for JS
- Microsoft Authentication Library for .NET
- Azure Active Directory IdentityModel extensions for .NET
- Microsoft Identity Web
- Microsoft Authentication Library for Go
- Microsoft Authentication Library for Python
- Microsoft Authentication Library for Android
- Microsoft Authentication Library for ObjC (iOS and macOS)
Developer-focused guidance
- New applications added to the Azure AD app gallery in April 2023 supporting user provisioning and SSO.
- Since Google Chrome version 111, Azure AD authentication works seamlessly after enabling the policy, removing the need to install the Chrome plug-in.
- Understand how to manage tokens for Zero Trust.
- Read our blog post summarizing the announcements made at RSA Conference 2023 in San Francisco regarding new ISV product integrations with Microsoft Entra in key areas such as FIDO2 authentication, authentication strength, device access, identity protection, and new Azure AD Gallery applications.
- Find the major update to our guidance that helps you configure and provide user lifecycle management in Azure AD multi-tenant environments. This guidance helps you achieve a consistent state of user lifecycle management, including provisioning, managing, and deprovisioning users across tenants by using Azure AD B2B collaboration and cross-tenant synchronization.
- Check out the guidance for healthcare architects who configure Azure AD to meet identity-related requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Retail companies that accept payment via payment cards such as Visa and American Express need to comply with the Payment Card Industry Security Standards Council's requirements. These requirements are defined in the Payment Card Industry Data Security Standard (PCI DSS v4), which ensures the security of customer payment transactions. We are excited to release guidance, organized according to PCI DSS requirement areas, to help you configure Azure AD to meet this standard.
- Research universities need to collaborate with one another, which means they need to support authentication and access across differing identity management systems and protocols. The University Multilateral Federation guidance provides best practices for implementing three solutions for this scenario.
- Read up on the new articles for the global identity framework with Azure AD B2C.
Generally Available (GA) since last month
- signInActivity resource type in Microsoft Graph API – Provides the last interactive and non-interactive sign-in time for a specific user. For GA, this feature was redesigned to improve resilience and mitigate throttling issues. Make sure to check out how to manage inactive user accounts in Azure AD.
- System preferred multi-factor method – Enables IT admins to prompt their users for the most secure multi-factor authentication method those users have registered. As part of this effort, we evaluate the different methods a given user has at run time and present them with the most secure method. If users cannot access the method they are prompted for, they can select another option. With GA, this feature is set to Microsoft managed by default: disabled. In around 6 months, we plan to disable the toggle switch and enable this feature by default for all organizations.
- Microsoft Enterprise SSO plug-in for Apple devices – Provides single sign-on (SSO) for applications on macOS, iOS, and iPadOS through the use of broker applications. The Microsoft Authenticator app is used on iOS and iPadOS to provide SSO to Microsoft apps as well as other apps on the system that use Apple's native frameworks, such as Safari. The Microsoft Intune Company Portal application is used on macOS to provide SSO, both to Microsoft apps and to other apps like Safari, VPN clients, and others. This feature is deployed via MDM.
- Conditional Access for My Apps – Allows you to specifically target the My Apps application in Conditional Access policies. With GA, we also improved app launch performance when launching apps through My Apps. If you do not use the My Apps portal to launch apps and instead use user access URLs (deep links) to Azure AD (https://account.activedirectory.windowsazure.com/), make sure to update your deep links. The new user access URL can be found in the Azure and Entra portals.
- Alert on Azure subscription role assignments made outside of Privileged Identity Management (PIM) – Provides an alert in PIM for Azure subscription assignments made outside of PIM. An owner or User Access Administrator can take a quick remediation action to remove those assignments.
- Application authentication methods policy for workload identities via Microsoft Graph API – Allows you to configure policies for application authentication methods such as certificates and client secrets. For example, an admin might configure a policy to block the use of client secrets, or limit their lifetime, and use the creation date of the application object to decide which applications the policy applies to. This feature allows organizations to enforce the use of stronger authentication mechanisms in applications and promotes application credential hygiene.
- Azure AD workload identity with Azure Kubernetes Service (AKS) – Integrates with the capabilities native to Kubernetes to federate with external identity providers by using Service Account Token Volume Projection, enabling pods to use a Kubernetes identity, that is, a service account.
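The signInActivity item above points at managing inactive accounts. The following is an added example (not code from the newsletter or from Microsoft) of the check a defender would run over the Graph response: it takes the latest of `lastSignInDateTime` and `lastNonInteractiveSignInDateTime`, flags accounts idle beyond a threshold, and shows why the non-interactive timestamp matters, since an account that only refreshes tokens looks dead if you consult the interactive timestamp alone. The user records, timestamps and the "today" value are constructed sample data; it is assumed, as the Graph resource documents, that a user who has never signed in carries no `signInActivity` property at all.

```python
from datetime import datetime, timedelta, timezone

# Constructed "today" so the example is reproducible offline.
NOW = datetime(2023, 5, 1, tzinfo=timezone.utc)

# Constructed sample shaped like the value array returned by
# GET /users?$select=id,userPrincipalName,signInActivity (values are made up).
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2023-04-28T08:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-04-30T02:00:00Z"}},
    # Bob's last interactive sign-in is old, but a refresh-token flow ran two days ago.
    {"id": "u2", "userPrincipalName": "bob@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2022-11-01T09:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-04-29T00:00:00Z"}},
    {"id": "u3", "userPrincipalName": "svc-legacy@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2022-09-15T12:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    # Assumed: a user who has never signed in has no signInActivity property.
    {"id": "u4", "userPrincipalName": "never@contoso.example"},
]


def parse_graph_time(value):
    """Parse a Graph ISO-8601 UTC timestamp (e.g. 2023-04-28T08:15:00Z); None stays None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user, include_noninteractive=True):
    """Most recent sign-in of either kind, or None if the account never signed in."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_graph_time(activity.get("lastSignInDateTime"))]
    if include_noninteractive:
        stamps.append(parse_graph_time(activity.get("lastNonInteractiveSignInDateTime")))
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def find_inactive(users, now=NOW, max_idle_days=90, include_noninteractive=True):
    """Map UPN -> reason for every account idle longer than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    inactive = {}
    for user in users:
        last = last_activity(user, include_noninteractive)
        if last is None:
            inactive[user["userPrincipalName"]] = "never signed in"
        elif last < cutoff:
            inactive[user["userPrincipalName"]] = f"idle since {last.date().isoformat()}"
    return inactive


if __name__ == "__main__":
    for upn, reason in sorted(find_inactive(SAMPLE_USERS).items()):
        print(f"{upn}: {reason}")
    print("ignoring non-interactive sign-ins:",
          sorted(find_inactive(SAMPLE_USERS, include_noninteractive=False)))
```

Run against a real tenant, the input would be the paged `value` array from Graph; the review logic stays the same. Treat the "never signed in" bucket separately from the idle bucket, since it usually contains freshly provisioned accounts as well as abandoned ones.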
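The application authentication methods policy item above describes blocking or capping client secrets based on when the application object was created. The following is an added example (not the newsletter's or Microsoft's code) that simulates that evaluation: a policy shaped like the Graph appManagementPolicy `restrictions.passwordCredentials` array, with one `passwordAddition` rule and one `passwordLifetime` rule, is applied to constructed application records. `check_new_secret` answers whether a proposed secret would be rejected, and `audit_existing_secrets` lists already-issued secrets that exceed the cap, which the policy itself does not retroactively remove. The policy, application names and credentials are constructed sample data; `parse_iso_duration_days` assumes whole-day `P<n>D` lifetimes.

```python
from datetime import datetime, timedelta, timezone
import re


def parse_ts(value):
    """Parse a Graph-style ISO-8601 UTC timestamp such as 2023-04-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_iso_duration_days(value):
    """Assumption for this example: lifetimes are whole-day durations like P90D."""
    match = re.fullmatch(r"P(\d+)D", value)
    if not match:
        raise ValueError(f"unsupported duration: {value}")
    return timedelta(days=int(match.group(1)))


# Constructed policy; shape follows the Graph appManagementPolicy resource.
POLICY = {
    "displayName": "Client secret hygiene (constructed sample)",
    "isEnabled": True,
    "restrictions": {
        "passwordCredentials": [
            # Block adding any client secret to apps created after 2023-04-01.
            {"restrictionType": "passwordAddition", "maxLifetime": None,
             "restrictForAppsCreatedAfterDateTime": "2023-04-01T00:00:00Z"},
            # Cap client-secret lifetime at 90 days for apps created after 2022-01-01.
            {"restrictionType": "passwordLifetime", "maxLifetime": "P90D",
             "restrictForAppsCreatedAfterDateTime": "2022-01-01T00:00:00Z"},
        ]
    },
}

# Constructed application records shaped like the Graph application resource.
APPS = [
    {"displayName": "legacy-reporting", "createdDateTime": "2021-06-01T00:00:00Z",
     "passwordCredentials": [{"keyId": "k-legacy-1", "startDateTime": "2023-01-01T00:00:00Z",
                              "endDateTime": "2025-01-01T00:00:00Z"}]},
    {"displayName": "payments-sync", "createdDateTime": "2022-06-01T00:00:00Z",
     "passwordCredentials": [{"keyId": "k-pay-1", "startDateTime": "2022-06-01T00:00:00Z",
                              "endDateTime": "2024-06-01T00:00:00Z"},
                             {"keyId": "k-pay-2", "startDateTime": "2023-04-01T00:00:00Z",
                              "endDateTime": "2023-05-31T00:00:00Z"}]},
    {"displayName": "new-pipeline", "createdDateTime": "2023-04-15T00:00:00Z",
     "passwordCredentials": []},
]


def applicable_restrictions(policy, app):
    """A rule applies only to apps created after its cutoff date, which is what
    lets the policy roll out without breaking applications that already exist."""
    if not policy.get("isEnabled"):
        return []
    created = parse_ts(app["createdDateTime"])
    return [r for r in policy["restrictions"]["passwordCredentials"]
            if created > parse_ts(r["restrictForAppsCreatedAfterDateTime"])]


def check_new_secret(policy, app, start, end):
    """Return the restriction types a proposed client secret (start..end) would violate."""
    violations = []
    for rule in applicable_restrictions(policy, app):
        if rule["restrictionType"] == "passwordAddition":
            violations.append("passwordAddition")
        elif rule["restrictionType"] == "passwordLifetime":
            if end - start > parse_iso_duration_days(rule["maxLifetime"]):
                violations.append("passwordLifetime")
    return violations


def audit_existing_secrets(policy, apps):
    """(app, keyId) pairs for existing secrets longer than the cap their app now falls under."""
    findings = []
    for app in apps:
        caps = [parse_iso_duration_days(r["maxLifetime"])
                for r in applicable_restrictions(policy, app)
                if r["restrictionType"] == "passwordLifetime"]
        if not caps:
            continue
        cap = min(caps)
        for cred in app.get("passwordCredentials", []):
            if parse_ts(cred["endDateTime"]) - parse_ts(cred["startDateTime"]) > cap:
                findings.append((app["displayName"], cred["keyId"]))
    return findings


if __name__ == "__main__":
    start, end = parse_ts("2023-05-01T00:00:00Z"), parse_ts("2025-05-01T00:00:00Z")
    for app in APPS:
        print(app["displayName"], "2-year secret ->", check_new_secret(POLICY, app, start, end))
    print("existing secrets over cap:", audit_existing_secrets(POLICY, APPS))
```

The point of the cutoff-date design is visible in the output: the oldest app is untouched, the 2022 app may still add secrets but only short-lived ones, and the newest app cannot add secrets at all and must use a certificate or federated credential instead.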
Identity YouTube Channel
Latest videos on the Identity YouTube channel:
- Introduction to Azure AD Custom claims providers (part one)
- Configure Azure AD Custom claims provider (part two)
- Azure Active Directory | ADAL Retirement
Microsoft identity platform community calls
The Microsoft identity platform developer community call takes place on the 3rd Thursday of each month, with a new topic and speaker every month.
To join the call, click here: https://aka.ms/IDDEVCommunityCall-join
Check out our previous call: Mastering Azure AD App Security: Safeguarding Service Principals for Smooth and Secure Automation (Recording will be available soon).
NOTE: There has been an update to the calendar series. To download the new series, go to https://aka.ms/IDDEVCommunityCall
Check out our YouTube playlist of all the previously recorded calls Microsoft identity platform community calls.
Workshops and Events
Date | Start time | End time | Event and Registration |
---|---|---|---|
5/2 – 5/4 | 6:00 am (PDT) | 9:00 pm (PDT) | Identity Workshop for Developers |
5/2 – 5/4 | 3:00 pm (PDT) | 6:00 pm (PDT) | Identity Workshop for Developers |
5/9 – 5/10 | 1:00 pm (WEST) | 3:00 pm (WEST) | How to successfully migrate from AD FS to Azure AD (Portuguese) |
5/16 – 5/17 | 10:00 am (EDT) | 12:00 pm (EDT) | How to successfully migrate from AD FS to Azure AD (Spanish) |
5/23 – 5/24 | 9:30 am (IST) | 11:30 am (IST) | How to successfully migrate away from AD FS to Azure AD APAC (English) |
5/23 – 5/24 | 3:00 pm (CEST) | 5:00 pm (CEST) | How to successfully migrate away from AD FS to Azure AD EMEA (English) |
5/23 – 5/24 | 9:00 am (PDT) | 11:00 am (PDT) | How to successfully migrate away from AD FS to Azure AD Americas (English) |
Check the events page to find out about all opportunities to connect with us!
Features for public preview
- Windows Local Administrator Password Solution (LAPS) with Microsoft Entra (Azure AD) and Microsoft Intune – With Windows LAPS you can automatically manage and back up the password of a local administrator account on your Azure AD joined or hybrid Azure AD joined devices.
- Protected actions in Conditional Access – Protected actions in Azure AD are permissions that have been assigned Conditional Access policies. When a user attempts to perform a protected action, they must first satisfy the Conditional Access policies assigned to the required permissions. For example, to allow administrators to update Conditional Access policies, you can require that they first satisfy a phishing-resistant MFA policy. The security bar for these policies can be set very high, because they are enforced only at the time of use rather than at user sign-in, so they do not impact day-to-day productivity.
- New search experience in My Access – Enables search of access packages based on keywords in access package names, descriptions, or resource names.
- Azure AD Application Proxy backend SSL verification – Enables SSL certificate validation for the backend application: the connector checks that a certificate is present and, if so, checks its expiry date, whether it is self-signed, and whether it is signed by a trusted Certificate Authority.
- Azure AD Application Proxy OpenID Connect (OIDC) and OAuth2 support – Use Azure AD Application Proxy to publish private web apps and APIs that use OIDC or OAuth2.
- Azure Databricks support for managed identities – You can use either system-assigned or user-assigned managed identities to access customer storage containers and further improve the security posture of the product. With managed identities you don't need to maintain credentials or rotate secrets, and you can also use managed identities in storage firewalls to prevent data exfiltration.
- Microsoft Entra Permissions Management Azure AD Insights – Provides visibility into the human and workload identities that are assigned to privileged Azure AD roles, allowing you to review permanent Global Administrator assignments and other highly privileged role assignments for users and service principals. These insights are provided through a new Azure AD Insights tab in the Microsoft Entra Permissions Management portal.
- Azure AD B2C GoLocal Japan – Starting in April 2023, Japan has been added to the list of available locations for local data residency. Microsoft customers in Japan can now opt in to GoLocal, the local data residency option, to ensure Azure AD B2C tenant data is stored only in Japan.
Tell us what you think
This is YOUR newsletter!
We would love your input; please let us know your thoughts by leaving a comment below.