Commit c60703f

committed
Updates
1 parent c01285f commit c60703f

1 file changed

+0
-225
lines changed

articles/active-directory/fundamentals/whats-new-archive.md

Lines changed: 0 additions & 225 deletions
@@ -5211,228 +5211,3 @@ Additionally, authentication session management used to only apply to the First
52115211

52125212
---
52135213

5214-
### New Federated Apps available in Azure AD Application gallery - June 2020
5215-
5216-
**Type:** New feature
5217-
**Service category:** Enterprise Apps
5218-
**Product capability:** 3rd Party Integration
5219-
5220-
In June 2020 we've added the following 29 new applications in our App gallery with Federation support:
5221-
5222-
[Shopify Plus](../saas-apps/shopify-plus-tutorial.md), [Ekarda](../saas-apps/ekarda-tutorial.md), [MailGates](../saas-apps/mailgates-tutorial.md), [BullseyeTDP](../saas-apps/bullseyetdp-tutorial.md), [Raketa](../saas-apps/raketa-tutorial.md), [Segment](../saas-apps/segment-tutorial.md), [Ai Auditor](https://www.mindbridge.ai/products/ai-auditor/), [Pobuca Connect](https://app.pobu.ca/), [Proto.io](../saas-apps/proto.io-tutorial.md), [Gatekeeper](https://www.gatekeeperhq.com/), [Hub Planner](../saas-apps/hub-planner-tutorial.md), [Ansira-Partner Go-to-Market Toolbox](https://www.ansira.com/Technology), [IBM Digital Business Automation on Cloud](../saas-apps/ibm-digital-business-automation-on-cloud-tutorial.md), [Kisi Physical Security](../saas-apps/kisi-physical-security-tutorial.md), [ViewpointOne](https://team.viewpoint.com/), [IntelligenceBank](../saas-apps/intelligencebank-tutorial.md), [pymetrics](../saas-apps/pymetrics-tutorial.md), [Zero](https://www.teamzero.com/), [InStation](https://instation.invillia.com/), [edX for Business SAML 2.0 Integration](../saas-apps/edx-for-business-saml-integration-tutorial.md), [MOOC Office 365](https://mooc.office365-training.com/en/), [SmartKargo](../saas-apps/smartkargo-tutorial.md), [PKIsigning platform](https://platform.pkisigning.nl/), [SiteIntel](../saas-apps/siteintel-tutorial.md), [Field ID](../saas-apps/field-id-tutorial.md), [Curricula SAML](../saas-apps/curricula-saml-tutorial.md), [Perforce Helix Core - Helix Authentication Service](../saas-apps/perforce-helix-core-tutorial.md), [Smallstep SSH](https://smallstep.com/sso-ssh/)
5223-
5224-
You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.
5225-
For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest.
5226-
5227-
---
5228-
5229-
### API connectors for External Identities self-service sign-up are now in public preview
5230-
5231-
**Type:** New feature
5232-
**Service category:** B2B
5233-
**Product capability:** B2B/B2C
5234-
5235-
External Identities API connectors enable you to leverage web APIs to integrate self-service sign-up with external cloud systems. This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows. For example, you can use API connectors to:
5236-
5237-
- Integrate with a custom approval workflows.
5238-
- Perform identity proofing
5239-
- Validate user input data
5240-
- Overwrite user attributes
5241-
- Run custom business logic
5242-
5243-
For more information about all of the experiences possible with API connectors, see [Use API connectors to customize and extend self-service sign-up](../external-identities/api-connectors-overview.md), or [Customize External Identities self-service sign-up with web API integrations](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/customize-external-identities-self-service-sign-up-with-web-api/ba-p/1257364#.XvNz2fImuQg.linkedin).
5244-
5245-
---
5246-
5247-
### Provision on-demand and get users into your apps in seconds
5248-
5249-
**Type:** New feature
5250-
**Service category:** App Provisioning
5251-
**Product capability:** Identity Lifecycle Management
5252-
5253-
The Azure AD provisioning service currently operates on a cyclic basis. The service runs every 40 mins. The [on-demand provisioning capability](https://aka.ms/provisionondemand) allows you to pick a user and provision them in seconds. This capability allows you to quickly troubleshoot provisioning issues, without having to do a restart to force the provisioning cycle to start again.
5254-
5255-
---
5256-
5257-
### New permission for using Azure AD entitlement management in Graph
5258-
5259-
**Type:** New feature
5260-
**Service category:** Other
5261-
**Product capability:** Entitlement Management
5262-
5263-
A new delegated permission EntitlementManagement.Read.All is now available for use with the Entitlement Management API in Microsoft Graph beta. To find out more about the available APIs, see [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview).
5264-
5265-
---
5266-
5267-
### Identity Protection APIs available in v1.0
5268-
5269-
**Type:** New feature
5270-
**Service category:** Identity Protection
5271-
**Product capability:** Identity Security & Protection
5272-
5273-
The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they're available at the v1.0 endpoint, we invite you to use them in production. For more information, please check out the [Microsoft Graph docs](/graph/api/resources/identityprotectionroot).
5274-
5275-
---
5276-
5277-
### Sensitivity labels to apply policies to Microsoft 365 groups is now generally available
5278-
5279-
**Type:** New feature
5280-
**Service category:** Group Management
5281-
**Product capability:** Collaboration
5282-
5283-
5284-
You can now create sensitivity labels and use the label settings to apply policies to Microsoft 365 groups, including privacy (Public or Private) and external user access policy. You can create a label with the privacy policy to be Private, and external user access policy to not allow to add guest users. When a user applies this label to a group, the group will be private, and no guest users are allowed to be added to the group.
5285-
5286-
Sensitivity labels are important to protect your business-critical data and enable you to manage groups at scale, in a compliant and secure fashion. For guidance on using sensitivity labels, refer to [Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory (preview)](../enterprise-users/groups-assign-sensitivity-labels.md).
5287-
5288-
---
5289-
5290-
### Updates to support for Microsoft Identity Manager for Azure AD Premium customers
5291-
5292-
**Type:** Changed feature
5293-
**Service category:** Microsoft Identity Manager
5294-
**Product capability:** Identity Lifecycle Management
5295-
5296-
Azure Support is now available for Azure AD integration components of Microsoft Identity Manager 2016, through the end of Extended Support for Microsoft Identity Manager 2016. Read more at [Support update for Azure AD Premium customers using Microsoft Identity Manager](/microsoft-identity-manager/support-update-for-azure-active-directory-premium-customers).
5297-
5298-
---
5299-
5300-
### The use of group membership conditions in SSO claims configuration is increased
5301-
5302-
**Type:** Changed feature
5303-
**Service category:** Enterprise Apps
5304-
**Product capability:** SSO
5305-
5306-
Previously, the number of groups you could use when you conditionally change claims based on group membership within any single application configuration was limited to 10. The use of group membership conditions in SSO claims configuration has now increased to a maximum of 50 groups. For more information on how to configure claims, refer to [Enterprise Applications SSO claims configuration](../develop/active-directory-saml-claims-customization.md).
5307-
5308-
---
5309-
5310-
### Enabling basic formatting on the Sign In Page Text component in Company Branding.
5311-
5312-
**Type:** Changed feature
5313-
**Service category:** Authentications (Logins)
5314-
**Product capability:** User Authentication
5315-
5316-
The Company Branding functionality on the Azure AD/Microsoft 365 login experience has been updated to allow the customer to add hyperlinks and simple formatting, including bold font, underline, and italics. For guidance on using this functionality, see [Add branding to your organization's Azure Active Directory sign-in page](./customize-branding.md).
5317-
5318-
---
5319-
5320-
### Provisioning performance improvements
5321-
5322-
**Type:** Changed feature
5323-
**Service category:** App Provisioning
5324-
**Product capability:** Identity Lifecycle Management
5325-
5326-
The provisioning service has been updated to reduce the time for an [incremental cycle](../app-provisioning/how-provisioning-works.md#incremental-cycles) to complete. This means that users and groups will be provisioned into their applications faster than they were previously. All new provisioning jobs created after 6/10/2020 will automatically benefit from the performance improvements. Any applications configured for provisioning before 6/10/2020 will need to restart once after 6/10/2020 to take advantage of the performance improvements.
5327-
5328-
---
5329-
5330-
### Announcing the deprecation of ADAL and MS Graph Parity
5331-
5332-
**Type:** Deprecated
5333-
**Service category:** N/A
5334-
**Product capability:** Device Lifecycle Management
5335-
5336-
Now that Microsoft Authentication Libraries (MSAL) is available, we'll no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. For more information on how to migrate to MSAL, refer to [Migrate applications to Microsoft Authentication Library (MSAL)](../develop/msal-migration.md).
5337-
5338-
Additionally, we've finished the work to make all Azure AD Graph functionality available through MS Graph. So, Azure AD Graph APIs will receive only bugfix and security fixes through June 30th, 2022. For more information, see [Update your applications to use Microsoft Authentication Library and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363)
5339-
5340-
---
5341-
5342-
5343-
### Retirement of properties in signIns, riskyUsers, and riskDetections APIs
5344-
5345-
**Type:** Plan for change
5346-
**Service category:** Identity Protection
5347-
**Product capability:** Identity Security & Protection
5348-
5349-
Currently, enumerated types are used to represent the riskType property in both the riskDetections API and riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the signIns API. Going forward we'll represent these properties as strings.
5350-
5351-
Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API, and to riskEventTypes_v2 property in the beta signIns API by September 9th, 2020. At that date, we'll be retiring the current riskType and riskEventTypes properties. For more information, refer to [Changes to risk event properties and Identity Protection APIs on Microsoft Graph](https://developer.microsoft.com/graph/blogs/changes-to-risk-event-properties-and-identity-protection-apis-on-microsoft-graph/).
5352-
5353-
---
5354-
5355-
### Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph
5356-
5357-
**Type:** Plan for change
5358-
**Service category:** Reporting
5359-
**Product capability:** Identity Security & Protection
5360-
5361-
Enumerated types will switch to string types when representing risk event properties in Microsoft Graph September 2020. In addition to impacting the preview APIs, this change will also impact the in-production signIns API.
5362-
5363-
We have introduced a new riskEventsTypes_v2 (string) property to the signIns v1.0 API. We'll retire the current riskEventTypes (enum) property on June 11, 2022 in accordance with our Microsoft Graph deprecation policy. Customers should transition to the riskEventTypes_v2 property in the v1.0 signIns API by June 11, 2022. For more information, see [Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph](https://developer.microsoft.com/graph/blogs/deprecation-of-riskeventtypes-property-in-signins-v1-0-api-on-microsoft-graph//).
5364-
5365-
---
5366-
5367-
### Upcoming changes to multifactor authentication (MFA) email notifications
5368-
5369-
**Type:** Plan for change
5370-
**Service category:** MFA
5371-
**Product capability:** Identity Security & Protection
5372-
5373-
5374-
We're making the following changes to the email notifications for cloud multifactor authentication (MFA):
5375-
5376-
E-mail notifications will be sent from the following address: [email protected] and [email protected]. We're updating the content of fraud alert emails to better indicate the required steps to unblock uses.
5377-
5378-
---
5379-
5380-
### New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't synced to Azure Active Directory.
5381-
5382-
**Type:** Plan for change
5383-
**Service category:** Authentications (Logins)
5384-
**Product capability:** User Authentication
5385-
5386-
5387-
Currently, users who are in domains federated in Azure AD, but who aren't synced into the tenant, can't access Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign-up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign-up." This is an extension of the existing capability to do email verified self-sign up that users in managed domains can do and can be controlled using the same flag. This change will complete rolling out during the following two months. Watch for documentation updates [here](../enterprise-users/directory-self-service-signup.md).
5388-
5389-
---
5390-
5391-
### Upcoming fix: The OIDC discovery document for the Azure Government cloud is being updated to reference the correct Graph endpoints.
5392-
5393-
**Type:** Plan for change
5394-
**Service category:** Sovereign Clouds
5395-
**Product capability:** User Authentication
5396-
5397-
Starting in June, the OIDC discovery document [Microsoft identity platform and OpenID Connect protocol](../develop/v2-protocols-oidc.md) on the [Azure Government cloud](../develop/authentication-national-cloud.md) endpoint (login.microsoftonline.us), will begin to return the correct [National cloud graph](/graph/deployments) endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently provides the incorrect Graph endpoint (graph.microsoft.com) "msgraph_host" field.
5398-
5399-
This bug fix will be rolled out gradually over approximately 2 months.
5400-
5401-
---
5402-
5403-
### Azure Government users will no longer be able to sign in on login.microsoftonline.com
5404-
5405-
**Type:** Plan for Change
5406-
**Service category:** Sovereign Clouds
5407-
**Product capability:** User Authentication
5408-
5409-
On 1 June 2018, the official Azure Active Directory (Azure AD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the.us endpoint.
5410-
5411-
Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint (microsoftonline.com). Impacted apps will begin seeing an error AADSTS900439 - USGClientNotSupportedOnPublicEndpoint.
5412-
5413-
There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020. For more details, please see the [Azure Government blog post](https://devblogs.microsoft.com/azuregov/azure-government-aad-authority-endpoint-update/).
5414-
5415-
---
5416-
5417-
### SAML Single Logout request now sends NameID in the correct format
5418-
5419-
**Type:** Fixed
5420-
**Service category:** Authentications (Logins)
5421-
**Product capability:** User Authentication
5422-
5423-
When a user clicks on sign-out (for example, in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.
5424-
5425-
If the original SAML sign-in token used a different format for NameID (for example, email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.
5426-
5427-
---
5428-
5429-
### Hybrid Identity Administrator role is now available with Cloud Provisioning
5430-
5431-
**Type:** New feature
5432-
**Service category:** Azure AD Cloud Provisioning
5433-
**Product capability:** Identity Lifecycle Management
5434-
5435-
IT Admins can start using the new "Hybrid Admin" role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, you no longer have to use the Global Administrator role to set up and configure Cloud Provisioning. [Learn more](../roles/delegate-by-task.md#connect).
5436-
5437-
---
5438-
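
Review bot: The deleted range (old lines 5214 to 5438) removes entries that still carry dated commitments, and the commit message "Updates" gives no reason for dropping them. The ADAL/Azure AD Graph entry states that security patches and fixes end June 30th, 2022, the signIns v1.0 entry states that riskEventTypes is retired on June 11, 2022, and the Azure Government entry is where error AADSTS900439 (USGClientNotSupportedOnPublicEndpoint) is explained. Please say in the commit message whether these June 2020 entries are being aged out of the archive or moved elsewhere, and check that nothing else in the docs links to the removed headings. After the removal the file ends on the `---` separator at line 5212 with no entry following it, so consider whether that trailing rule should go as well.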
