You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/fundamentals/whats-new-archive.md
-207Lines changed: 0 additions & 207 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7771,210 +7771,3 @@ Privileged Identity Management (PIM) administrators can now export all active an
7771
7771
For more information, see [View activity and audit history for Azure resource roles in PIM](../privileged-identity-management/azure-pim-resource-rbac.md).
7772
7772
7773
7773
---
7774
-
7775
-
## November/December 2018
7776
-
7777
-
### Users removed from synchronization scope no longer switch to cloud-only accounts
7778
-
7779
-
**Type:** Fixed
7780
-
**Service category:** User Management
7781
-
**Product capability:** Directory
7782
-
7783
-
>[!Important]
7784
-
>We've heard and understand your frustration because of this fix. Therefore, we've reverted this change until such time that we can make the fix easier for you to implement in your organization.
7785
-
7786
-
We've fixed a bug in which the DirSyncEnabled flag of a user would be erroneously switched to **False** when the Active Directory Domain Services (AD DS) object was excluded from synchronization scope and then moved to the Recycle Bin in Azure AD on the following sync cycle. As a result of this fix, if the user is excluded from sync scope and afterwards restored from Azure AD Recycle Bin, the user account remains as synchronized from on-premises AD, as expected, and cannot be managed in the cloud since its source of authority (SoA) remains as on-premises AD.
7787
-
7788
-
Prior to this fix, there was an issue when the DirSyncEnabled flag was switched to False. It gave the wrong impression that these accounts were converted to cloud-only objects and that the accounts could be managed in the cloud. However, the accounts still retained their SoA as on-premises and all synchronized properties (shadow attributes) coming from on-premises AD. This condition caused multiple issues in Azure AD and other cloud workloads (like Exchange Online) that expected to treat these accounts as synchronized from AD but were now behaving like cloud-only accounts.
7789
-
7790
-
At this time, the only way to truly convert a synchronized-from-AD account to cloud-only account is by disabling DirSync at the tenant level, which triggers a backend operation to transfer the SoA. This type of SoA change requires (but is not limited to) cleaning all the on-premises related attributes (such as LastDirSyncTime and shadow attributes) and sending a signal to other cloud workloads to have its respective object converted to a cloud-only account too.
7791
-
7792
-
This fix consequently prevents direct updates on the ImmutableID attribute of a user synchronized from AD, which in some scenarios in the past were required. By design, the ImmutableID of an object in Azure AD, as the name implies, is meant to be immutable. New features implemented in Azure AD Connect Health and Azure AD Connect Synchronization client are available to address such scenarios:
7793
-
7794
-
- **Large-scale ImmutableID update for many users in a staged approach**
7795
-
7796
-
For example, you need to do a lengthy AD DS inter-forest migration. Solution: Use Azure AD Connect to **Configure Source Anchor** and, as the user migrates, copy the existing ImmutableID values from Azure AD into the local AD DS user's ms-DS-Consistency-Guid attribute of the new forest. For more information, see [Using ms-DS-ConsistencyGuid as sourceAnchor](../hybrid/plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor).
7797
-
7798
-
- **Large-scale ImmutableID updates for many users in one shot**
7799
-
7800
-
For example, while implementing Azure AD Connect you make a mistake, and now you need to change the SourceAnchor attribute. Solution: Disable DirSync at the tenant level and clear all the invalid ImmutableID values. For more information, see [Turn off directory synchronization for Office 365](/office365/enterprise/turn-off-directory-synchronization).
7801
-
7802
-
- **Rematch on-premises user with an existing user in Azure AD**
7803
-
For example, a user that has been re-created in AD DS generates a duplicate in Azure AD account instead of rematching it with an existing Azure AD account (orphaned object). Solution: Use Azure AD Connect Health in the Azure portal to remap the Source Anchor/ImmutableID. For more information, see [Orphaned object scenario](../hybrid/how-to-connect-health-diagnose-sync-errors.md#orphaned-object-scenario).
7804
-
7805
-
### Breaking Change: Updates to the audit and sign-in logs schema through Azure Monitor
7806
-
7807
-
**Type:** Changed feature
7808
-
**Service category:** Reporting
7809
-
**Product capability:** Monitoring & Reporting
7810
-
7811
-
We're currently publishing both the Audit and Sign-in log streams through Azure Monitor, so you can seamlessly integrate the log files with your SIEM tools or with Log Analytics. Based on your feedback, and in preparation for this feature's general availability announcement, we're making the following changes to our schema. These schema changes and its related documentation updates will happen by the first week of January.
7812
-
7813
-
#### New fields in the Audit schema
7814
-
We're adding a new **Operation Type** field, to provide the type of operation performed on the resource. For example, **Add**, **Update**, or **Delete**.
7815
-
7816
-
#### Changed fields in the Audit schema
7817
-
The following fields are changing in the Audit schema:
7818
-
7819
-
|Field name|What changed|Old values|New Values|
7820
-
|----------|------------|----------|----------|
7821
-
|Category|This was the **Service Name** field. It's now the **Audit Categories** field. **Service Name** has been renamed to the **loggedByService** field.|<ul><li>Account Provisioning</li><li>Core Directory</li><li>Self-service Password Reset</li></ul>|<ul><li>User Management</li><li>Group Management</li><li>App Management</li></ul>|
7822
-
|targetResources|Includes **TargetResourceType** at the top level.| |<ul><li>Policy</li><li>App</li><li>User</li><li>Group</li></ul>|
7823
-
|loggedByService|Provides the name of the service that generated the audit log.|Null|<ul><li>Account Provisioning</li><li>Core Directory</li><li>Self-service password reset</li></ul>|
7824
-
|Result|Provides the result of the audit logs. Previously, this was enumerated, but we now show the actual value.|<ul><li>0</li><li>1</li></ul>|<ul><li>Success</li><li>Failure</li></ul>|
7825
-
7826
-
#### Changed fields in the Sign-in schema
7827
-
The following fields are changing in the Sign-in schema:
7828
-
7829
-
|Field name|What changed|Old values|New Values|
7830
-
|----------|------------|----------|----------|
7831
-
|appliedConditionalAccessPolicies|This was the **conditionalaccessPolicies** field. It's now the **appliedConditionalAccessPolicies** field.|No change|No change|
7832
-
|conditionalAccessStatus|Provides the result of the Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.|<ul><li>0</li><li>1</li><li>2</li><li>3</li></ul>|<ul><li>Success</li><li>Failure</li><li>Not Applied</li><li>Disabled</li></ul>|
7833
-
|appliedConditionalAccessPolicies: result|Provides the result of the individual Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.|<ul><li>0</li><li>1</li><li>2</li><li>3</li></ul>|<ul><li>Success</li><li>Failure</li><li>Not Applied</li><li>Disabled</li></ul>|
7834
-
7835
-
For more information about the schema, see [Interpret the Azure AD audit logs schema in Azure Monitor (preview)](../reports-monitoring/overview-reports.md)
7836
-
7837
-
---
7838
-
7839
-
### Identity Protection improvements to the supervised machine learning model and the risk score engine
7840
-
7841
-
**Type:** Changed feature
7842
-
**Service category:** Identity Protection
7843
-
**Product capability:** Risk Scores
7844
-
7845
-
Improvements to the Identity Protection-related user and sign-in risk assessment engine can help to improve user risk accuracy and coverage. Administrators may notice that user risk level is no longer directly linked to the risk level of specific detections, and that there's an increase in the number and level of risky sign-in events.
7846
-
7847
-
Risk detections are now evaluated by the supervised machine learning model, which calculates user risk by using additional features of the user's sign-ins and a pattern of detections. Based on this model, the administrator might find users with high risk scores, even if detections associated with that user are of low or medium risk.
7848
-
7849
-
---
7850
-
7851
-
### Administrators can reset their own password using the Microsoft Authenticator app (Public preview)
7852
-
7853
-
**Type:** Changed feature
7854
-
**Service category:** Self Service Password Reset
7855
-
**Product capability:** User Authentication
7856
-
7857
-
Azure AD administrators can now reset their own password using the Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. To reset their own password, administrators will now be able to use two of the following methods:
7858
-
7859
-
- Microsoft Authenticator app notification
7860
-
7861
-
- Other mobile authenticator app / Hardware token code
7862
-
7863
-
- Email
7864
-
7865
-
- Phone call
7866
-
7867
-
- Text message
7868
-
7869
-
For more information about using the Microsoft Authenticator app to reset passwords, see [Azure AD self-service password reset - Mobile app and SSPR (Preview)](../authentication/concept-sspr-howitworks.md#mobile-app-and-sspr)
7870
-
7871
-
---
7872
-
7873
-
### New Azure AD Cloud Device Administrator role (Public preview)
7874
-
7875
-
**Type:** New feature
7876
-
**Service category:** Device Registration and Management
7877
-
**Product capability:** Access control
7878
-
7879
-
Administrators can assign users to the new Cloud Device Administrator role to perform cloud device administrator tasks. Users assigned the Cloud Device Administrators role can enable, disable, and delete devices in Azure AD, along with being able to read Windows 10 BitLocker keys (if present) in the Azure portal.
7880
-
7881
-
For more information about roles and permissions, see [Assigning administrator roles in Azure Active Directory](../roles/permissions-reference.md)
7882
-
7883
-
---
7884
-
7885
-
### Manage your devices using the new activity timestamp in Azure AD (Public preview)
7886
-
7887
-
**Type:** New feature
7888
-
**Service category:** Device Registration and Management
We realize that over time you must refresh and retire your organizations' devices in Azure AD, to avoid having stale devices in your environment. To help with this process, Azure AD now updates your devices with a new activity timestamp, helping you to manage your device lifecycle.
7892
-
7893
-
For more information about how to get and use this timestamp, see [How To: Manage the stale devices in Azure AD](../devices/manage-stale-devices.md)
7894
-
7895
-
---
7896
-
7897
-
### Administrators can require users to accept a terms of use on each device
7898
-
7899
-
**Type:** New feature
7900
-
**Service category:** Terms of use
7901
-
**Product capability:** Governance
7902
-
7903
-
Administrators can now turn on the **Require users to consent on every device** option to require your users to accept your terms of use on every device they're using on your tenant.
7904
-
7905
-
For more information, see the [Per-device terms of use section of the Azure Active Directory terms of use feature](../conditional-access/terms-of-use.md#per-device-terms-of-use).
7906
-
7907
-
---
7908
-
7909
-
### Administrators can configure a terms of use to expire based on a recurring schedule
7910
-
7911
-
**Type:** New feature
7912
-
**Service category:** Terms of use
7913
-
**Product capability:** Governance
7914
-
7915
-
7916
-
Administrators can now turn on the **Expire consents** option to make a terms of use expire for all of your users based on your specified recurring schedule. The schedule can be annually, bi-annually, quarterly, or monthly. After the terms of use expire, users must reaccept.
7917
-
7918
-
For more information, see the [Add terms of use section of the Azure Active Directory terms of use feature](../conditional-access/terms-of-use.md#add-terms-of-use).
7919
-
7920
-
---
7921
-
7922
-
### Administrators can configure a terms of use to expire based on each user's schedule
7923
-
7924
-
**Type:** New feature
7925
-
**Service category:** Terms of use
7926
-
**Product capability:** Governance
7927
-
7928
-
Administrators can now specify a duration that user must reaccept a terms of use. For example, administrators can specify that users must reaccept a terms of use every 90 days.
7929
-
7930
-
For more information, see the [Add terms of use section of the Azure Active Directory terms of use feature](../conditional-access/terms-of-use.md#add-terms-of-use).
7931
-
7932
-
---
7933
-
7934
-
### New Azure AD Privileged Identity Management (PIM) emails for Azure Active Directory roles
Customers using Azure AD Privileged Identity Management (PIM) can now receive a weekly digest email, including the following information for the last seven days:
7941
-
7942
-
- Overview of the top eligible and permanent role assignments
7943
-
7944
-
- Number of users activating roles
7945
-
7946
-
- Number of users assigned to roles in PIM
7947
-
7948
-
- Number of users assigned to roles outside of PIM
7949
-
7950
-
- Number of users "made permanent" in PIM
7951
-
7952
-
For more information about PIM and the available email notifications, see [Email notifications in PIM](../privileged-identity-management/pim-email-notifications.md).
7953
-
7954
-
---
7955
-
7956
-
### Group-based licensing is now generally available
7957
-
7958
-
**Type:** Changed feature
7959
-
**Service category:** Other
7960
-
**Product capability:** Directory
7961
-
7962
-
Group-based licensing is out of public preview and is now generally available. As part of this general release, we've made this feature more scalable and have added the ability to reprocess group-based licensing assignments for a single user and the ability to use group-based licensing with Office 365 E3/A3 licenses.
7963
-
7964
-
For more information about group-based licensing, see [What is group-based licensing in Azure Active Directory?](./active-directory-licensing-whatis-azure-portal.md)
7965
-
7966
-
---
7967
-
7968
-
### New Federated Apps available in Azure AD app gallery - November 2018
7969
-
7970
-
**Type:** New feature
7971
-
**Service category:** Enterprise Apps
7972
-
**Product capability:** 3rd Party Integration
7973
-
7974
-
In November 2018, we've added these 26 new apps with Federation support to the app gallery:
For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments