Azure Active Directory Fundamentals

Azure Active Directory fundamentals documentation

Learn basic Azure Active Directory (Azure AD) concepts and processes, including how to
create a basic environment, basic users, and groups, to get started.

About Azure AD

OVERVIEW
What is Azure Active Directory?
What's new in Azure Active Directory

CONCEPT
Azure AD architecture

Get started

QUICKSTART
Access the portal and create a tenant
Create a group and add members
Add company branding
Create an Azure AD account

HOW-TO GUIDE
Sign up for Azure Active Directory Premium editions
Sign up for Azure AD as an organization
Add your custom domain name

Manage groups in Azure AD

CONCEPT
Learn about groups

HOW-TO GUIDE
Manage groups and group membership

Add users and assign roles and licenses

HOW-TO GUIDE
Create or delete users
Assign roles to users
Assign licenses to users

What is Azure Active Directory?
Article • 08/02/2023

Azure Active Directory (Azure AD) is a cloud-based identity and access management
service. Azure AD enables your employees to access external resources, such as Microsoft
365, the Azure portal, and thousands of other SaaS applications. Azure Active Directory
also helps them access internal resources like apps on your corporate intranet, and any
cloud apps developed for your own organization. To learn how to create a tenant, see
Quickstart: Create a new tenant in Azure Active Directory.

To learn the differences between Active Directory and Azure Active Directory, see
Compare Active Directory to Azure Active Directory. You can also refer to the Microsoft
Cloud for Enterprise Architects Series posters to better understand the core identity
services in Azure, such as Azure AD and Microsoft 365.

Who uses Azure AD?

Azure AD provides different benefits to members of your organization based on their
role:

IT admins use Azure AD to control access to apps and app resources, based on
business requirements. For example, as an IT admin, you can use Azure AD to
require multi-factor authentication when accessing important organizational
resources. You could also use Azure AD to automate user provisioning between
your existing Windows Server AD and your cloud apps, including Microsoft 365.
Finally, Azure AD gives you powerful tools to automatically help protect user
identities and credentials and to meet your access governance requirements. To
get started, sign up for a free 30-day Azure Active Directory Premium trial.

App developers can use Azure AD as a standards-based authentication provider
that helps them add single sign-on (SSO) to apps that work with a user's existing
credentials. Developers can also use Azure AD APIs to build personalized
experiences using organizational data. To get started, sign up for a free 30-day
Azure Active Directory Premium trial. For more information, you can also see
Azure Active Directory for developers.

Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers already
use Azure AD, as every Microsoft 365, Office 365, Azure, and Dynamics CRM Online
tenant is automatically an Azure AD tenant. You can immediately start managing
access to your integrated cloud apps.

What are the Azure AD licenses?

Microsoft Online business services, such as Microsoft 365 or Microsoft Azure, use Azure
AD for sign-in activities and to help protect your identities. If you subscribe to any
Microsoft Online business service, you automatically get access to Azure AD free.

To enhance your Azure AD implementation, you can also add paid features by
upgrading to Azure Active Directory Premium P1 or Premium P2 licenses. Azure AD paid
licenses are built on top of your existing free directory. The licenses provide self-service,
enhanced monitoring, security reporting, and secure access for your mobile users.

Note

For the pricing options of these licenses, see Azure Active Directory Pricing.

For more information about Azure AD pricing, contact the Azure Active Directory
Forum.

Azure Active Directory Free. Provides user and group management, on-premises
directory synchronization, basic reports, self-service password change for cloud
users, and single sign-on across Azure, Microsoft 365, and many popular SaaS
apps.

Azure Active Directory Premium P1. In addition to the Free features, P1 also lets
your hybrid users access both on-premises and cloud resources. It also supports
advanced administration, such as dynamic groups, self-service group management,
Microsoft Identity Manager, and cloud write-back capabilities, which allow self-
service password reset for your on-premises users.

Azure Active Directory Premium P2. In addition to the Free and P1 features, P2
also offers Azure Active Directory Identity Protection to help provide risk-based
Conditional Access to your apps and critical company data and Privileged Identity
Management to help discover, restrict, and monitor administrators and their access
to resources and to provide just-in-time access when needed.

"Pay as you go" feature licenses. You can also get licenses for features such as
Azure Active Directory Business-to-Customer (B2C). B2C can help you provide
identity and access management solutions for your customer-facing apps. For
more information, see Azure Active Directory B2C documentation.

For more information about associating an Azure subscription to Azure AD, see
Associate or add an Azure subscription to Azure Active Directory. For more information
about assigning licenses to your users, see How to: Assign or remove Azure Active
Directory licenses.

Which features work in Azure AD?

After you choose your Azure AD license, you'll get access to some or all of the following
features (category, then description):

Application management: Manage your cloud and on-premises apps using Application Proxy,
single sign-on, the My Apps portal, and Software as a Service (SaaS) apps. For more
information, see How to provide secure remote access to on-premises applications and
Application Management documentation.

Authentication: Manage Azure Active Directory self-service password reset, Multi-Factor
Authentication, custom banned password list, and smart lockout. For more information,
see Azure AD Authentication documentation.

Azure Active Directory for developers: Build apps that sign in all Microsoft identities,
get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more
information, see Microsoft identity platform (Azure Active Directory for developers).

Business-to-Business (B2B): Manage your guest users and external partners, while
maintaining control over your own corporate data. For more information, see Azure
Active Directory B2B documentation.

Business-to-Customer (B2C): Customize and control how users sign up, sign in, and manage
their profiles when using your apps. For more information, see Azure Active Directory
B2C documentation.

Conditional Access: Manage access to your cloud apps. For more information, see Azure AD
Conditional Access documentation.

Device Management: Manage how your cloud or on-premises devices access your corporate
data. For more information, see Azure AD Device Management documentation.

Domain services: Join Azure virtual machines to a domain without using domain
controllers. For more information, see Azure AD Domain Services documentation.

Enterprise users: Manage license assignments, access to apps, and set up delegates using
groups and administrator roles. For more information, see Azure Active Directory user
management documentation.

Hybrid identity: Use Azure Active Directory Connect and Connect Health to provide a
single user identity for authentication and authorization to all resources, regardless
of location (cloud or on-premises). For more information, see Hybrid identity
documentation.

Identity governance: Manage your organization's identity through employee, business
partner, vendor, service, and app access controls. You can also perform access reviews.
For more information, see Azure AD identity governance documentation and Azure AD
access reviews.

Identity protection: Detect potential vulnerabilities affecting your organization's
identities, configure policies to respond to suspicious actions, and then take
appropriate action to resolve them. For more information, see Azure AD Identity
Protection.

Managed identities for Azure resources: Provide your Azure services with an
automatically managed identity in Azure AD that can authenticate any Azure AD-supported
authentication service, including Key Vault. For more information, see What is managed
identities for Azure resources?.

Privileged identity management (PIM): Manage, control, and monitor access within your
organization. This feature includes access to resources in Azure AD and Azure, and other
Microsoft Online Services, like Microsoft 365 or Intune. For more information, see Azure
AD Privileged Identity Management.

Reports and monitoring: Gain insights into the security and usage patterns in your
environment. For more information, see Azure Active Directory reports and monitoring.

Workload identities: Give an identity to your software workload (such as an application,
service, script, or container) to authenticate and access other services and resources.
For more information, see workload identities faqs.

Terminology

To better understand Azure AD and its documentation, we recommend reviewing the
following terms (term or concept, then description):

Identity: A thing that can get authenticated. An identity can be a user with a username
and password. Identities also include applications or other servers that might require
authentication through secret keys or certificates.

Account: An identity that has data associated with it. You can't have an account without
an identity.

Azure AD account: An identity created through Azure AD or another Microsoft cloud
service, such as Microsoft 365. Identities are stored in Azure AD and accessible to your
organization's cloud service subscriptions. This account is also sometimes called a Work
or school account.

Account Administrator: This classic subscription administrator role is conceptually the
billing owner of a subscription. This role enables you to manage all subscriptions in an
account. For more information, see Azure roles, Azure AD roles, and classic subscription
administrator roles.

Service Administrator: This classic subscription administrator role enables you to manage
all Azure resources, including access. This role has the equivalent access of a user who
is assigned the Owner role at the subscription scope. For more information, see Azure
roles, Azure AD roles, and classic subscription administrator roles.

Owner: This role helps you manage all Azure resources, including access. This role is
built on a newer authorization system called Azure role-based access control (Azure
RBAC) that provides fine-grained access management to Azure resources. For more
information, see Azure roles, Azure AD roles, and classic subscription administrator
roles.

Azure AD Global administrator: This administrator role is automatically assigned to
whoever created the Azure AD tenant. You can have multiple Global administrators, but
only Global administrators can assign administrator roles (including assigning other
Global administrators) to users. For more information about the various administrator
roles, see Administrator role permissions in Azure Active Directory.

Azure subscription: Used to pay for Azure cloud services. You can have many
subscriptions and they're linked to a credit card.

Azure tenant: A dedicated and trusted instance of Azure AD. The tenant is automatically
created when your organization signs up for a Microsoft cloud service subscription.
These subscriptions include Microsoft Azure, Microsoft Intune, or Microsoft 365. An
Azure tenant represents a single organization.

Single tenant: Azure tenants that access other services in a dedicated environment are
considered single tenant.

Multi-tenant: Azure tenants that access other services in a shared environment, across
multiple organizations, are considered multi-tenant.

Azure AD directory: Each Azure tenant has a dedicated and trusted Azure AD directory.
The Azure AD directory includes the tenant's users, groups, and apps and is used to
perform identity and access management functions for tenant resources.

Custom domain: Every new Azure AD directory comes with an initial domain name, for
example domainname.onmicrosoft.com. In addition to that initial name, you can also add
your organization's own domain names to the list: the names you use to do business and
that your users use to access your organization's resources. Adding custom domain names
helps you to create user names that are familiar to your users, such as
alain@contoso.com.

Microsoft account (also called MSA): Personal accounts that provide access to your
consumer-oriented Microsoft products and cloud services. These products and services
include Outlook, OneDrive, Xbox LIVE, or Microsoft 365. Your Microsoft account is created
and stored in the Microsoft consumer identity account system that's run by Microsoft.

Next steps
Sign up for Azure Active Directory Premium

Associate an Azure subscription to your Azure Active Directory

Azure Active Directory Premium P2 feature deployment checklist


New name for Azure Active Directory
Article • 07/11/2023

To unify the Microsoft Entra product family, reflect the progression to modern
multicloud identity security, and simplify secure access experiences for all, we're
renaming Azure Active Directory (Azure AD) to Microsoft Entra ID.

No action is required from you

If you're using Azure AD today or are currently deploying Azure AD in your
organizations, you can continue to use the service without interruption. All existing
deployments, configurations, and integrations will continue to function as they do today
without any action from you.

You can continue to use familiar Azure AD capabilities that you can access through the
Azure portal, Microsoft 365 admin center, and the Microsoft Entra admin center.

Only the name is changing

All features and capabilities are still available in the product. Licensing, terms,
service-level agreements, product certifications, support and pricing remain the same.

Service plan display names will change on October 1, 2023. Microsoft Entra ID Free,
Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone
offers, and all capabilities included in the current Azure AD plans remain the same.
Microsoft Entra ID – currently known as Azure AD – will continue to be included in
Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details
on pricing and what's included are available on the pricing and free trials page.


During 2023, you may see both the current Azure AD name and the new Microsoft Entra
ID name in support area paths. For self-service support, look for the topic path of
"Microsoft Entra" or "Azure Active Directory/Microsoft Entra ID."

Identity developer and devops experiences aren't impacted by the rename

To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and
Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences
and tooling.

Microsoft identity platform encompasses all our identity and access developer assets. It
will continue to provide the resources to help you build applications that your users and
customers can sign in to using their Microsoft identities or social accounts.

Naming is also not changing for:

Microsoft Authentication Library (MSAL) - Use to acquire security tokens from the
Microsoft identity platform to authenticate users and access secured web APIs to
provide secure access to Microsoft Graph, other Microsoft APIs, third-party web
APIs, or your own web API.
Microsoft Graph - Get programmatic access to organization, user, and application
data stored in Microsoft Entra ID.
Microsoft Graph PowerShell - Acts as an API wrapper for the Microsoft Graph APIs
and helps administer every Microsoft Entra ID feature that has an API in Microsoft
Graph.
Windows Server Active Directory, commonly known as "Active Directory," and all
related Windows Server identity services associated with Active Directory.
Active Directory Federation Services (AD FS), Active Directory Domain Services
(AD DS), the product name "Active Directory", and any corresponding features.
Azure Active Directory B2C will continue to be available as an Azure service.
Any deprecated or retired functionality, feature, or service of Azure AD.

Frequently asked questions

When is the name change happening?

The name change will start appearing across Microsoft experiences after a 30-day
notification period, which started July 11, 2023. Display names for SKUs and service
plans will change on October 1, 2023. We expect most naming text string changes in
Microsoft experiences to be completed by the end of 2023.

Why is the name being changed?

As part of our ongoing commitment to simplify secure access experiences for everyone,
the renaming of Azure AD to Microsoft Entra ID is designed to make it easier to use and
navigate the unified and expanded Microsoft Entra product family.

What is Microsoft Entra?

Microsoft Entra helps you protect all identities and secure network access everywhere.
The expanded product family includes:

Identity and access management: Microsoft Entra ID (currently known as Azure AD),
Microsoft Entra ID Governance, Microsoft Entra External ID

New identity categories: Microsoft Entra Verified ID, Microsoft Entra Permissions
Management, Microsoft Entra Workload ID

Network access: Microsoft Entra Internet Access, Microsoft Entra Private Access

Where can I manage Microsoft Entra ID?

You can manage Microsoft Entra ID and all other Microsoft Entra solutions in the
Microsoft Entra admin center or the Azure portal.

What are the display names for service plans and SKUs?

Licensing, pricing, and functionality aren't changing. Display names will be updated
October 1, 2023 as follows.

Service plans (old display name -> new display name):

Azure Active Directory Free -> Microsoft Entra ID Free
Azure Active Directory Premium P1 -> Microsoft Entra ID P1
Azure Active Directory Premium P2 -> Microsoft Entra ID P2
Azure Active Directory for education -> Microsoft Entra ID for education

Product SKUs (old display name -> new display name):

Azure Active Directory Premium P1 -> Microsoft Entra ID P1
Azure Active Directory Premium P1 for students -> Microsoft Entra ID P1 for students
Azure Active Directory Premium P1 for faculty -> Microsoft Entra ID P1 for faculty
Azure Active Directory Premium P1 for government -> Microsoft Entra ID P1 for government
Azure Active Directory Premium P2 -> Microsoft Entra ID P2
Azure Active Directory Premium P2 for students -> Microsoft Entra ID P2 for students
Azure Active Directory Premium P2 for faculty -> Microsoft Entra ID P2 for faculty
Azure Active Directory Premium P2 for government -> Microsoft Entra ID P2 for government
Azure Active Directory F2 -> Microsoft Entra ID F2

Is Azure AD going away?

No, only the name Azure AD is going away. Capabilities remain the same.

What will happen to the Azure AD capabilities and features like App Gallery or
Conditional Access?

The naming of features changes to Microsoft Entra. For example:

Azure AD tenant -> Microsoft Entra tenant
Azure AD account -> Microsoft Entra account
Azure AD joined -> Microsoft Entra joined
Azure AD Conditional Access -> Microsoft Entra Conditional Access

All features and capabilities remain unchanged aside from the name. Customers can
continue to use all features without any interruption.

Are licenses changing? Are there any changes to pricing?

No. Prices, terms and service level agreements (SLAs) remain the same. Pricing details
are available at https://www.microsoft.com/security/business/microsoft-entra-pricing.

Will Microsoft Entra ID be available as a free service with an Azure subscription?

Customers currently using Azure AD Free as part of their Azure, Microsoft 365, Dynamics
365, Teams, or Intune subscription will continue to have access to the same capabilities.
It will be called Microsoft Entra ID Free. Get the free version at
https://www.microsoft.com/security/business/microsoft-entra-pricing.

What's changing for Microsoft 365 or Azure AD for Office 365?

Microsoft Entra ID – currently known as Azure AD – will continue to be available within
Microsoft 365 enterprise and business premium offers. Office 365 was renamed
Microsoft 365 in 2022. Unique capabilities in the Azure AD for Office 365 apps (such as
company branding and self-service sign-in activity search) will now be available to all
Microsoft customers in Microsoft Entra ID Free.

What's changing for Microsoft 365 E3?

There are no changes to the identity features and functionality available in Microsoft
365 E3. Microsoft 365 E3 includes Microsoft Entra ID P1, currently known as Azure AD
Premium P1.

What's changing for Microsoft 365 E5?

In addition to the capabilities they already have, Microsoft 365 E5 customers will also
get access to new identity protection capabilities like token protection, Conditional
Access based on GPS-based location and step-up authentication for the most sensitive
actions. Microsoft 365 E5 includes Microsoft Entra P2, currently known as Azure AD
Premium P2.

How and when are customers being notified?

The name changes are publicly announced as of July 11, 2023.

Banners, alerts, and message center posts will notify users of the name change. These
will be displayed on the tenant overview page, portals including Azure, Microsoft 365,
and Microsoft Entra admin center, and Microsoft Learn.

What if I use the Azure AD name in my content or app?

We'd like your help spreading the word about the name change and implementing it in
your own experiences. If you're a content creator, author of internal documentation for
IT or identity security admins, developer of Azure AD–enabled apps, independent
software vendor, or Microsoft partner, we hope you use the naming guidance outlined
in the following section (Azure AD name changes and exceptions) to make the name
change in your content and product experiences by the end of 2023.

Azure AD name changes and exceptions

We encourage content creators, organizations with internal documentation for IT or
identity security admins, developers of Azure AD-enabled apps, independent software
vendors, or partners of Microsoft to stay current with the new naming guidance by
updating copy by the end of 2023. We recommend changing the name in customer-
facing experiences, prioritizing highly visible surfaces.

Product name
Replace the product name "Azure Active Directory" or "Azure AD" or "AAD" with
Microsoft Entra ID.

Microsoft Entra is the correct name for the family of identity and network access
solutions, one of which is Microsoft Entra ID.

Logo/icon
Azure AD is becoming Microsoft Entra ID, and the product icon is also being updated.
Work with your Microsoft partner organization to obtain the new product icon.

Feature names
Capabilities or services formerly known as "Azure Active Directory <feature name>" or
"Azure AD <feature name>" will be branded as Microsoft Entra product family features.
For example:

"Azure AD Conditional Access" is becoming "Microsoft Entra Conditional Access"
"Azure AD single sign-on" is becoming "Microsoft Entra single sign-on"
"Azure AD tenant" is becoming "Microsoft Entra tenant"

Exceptions to Azure AD name change

Products or features that are being deprecated aren't being renamed. These products or
features include:

Azure AD Authentication Library (ADAL), replaced by Microsoft Authentication
Library (MSAL)
Azure AD Graph, replaced by Microsoft Graph
Azure Active Directory PowerShell for Graph (Azure AD PowerShell), replaced by
Microsoft Graph PowerShell

Names that don't have "Azure AD" also aren't changing. These products or features
include Active Directory Federation Services (AD FS), Microsoft identity platform, and
Windows Server Active Directory Domain Services (AD DS).

End users shouldn't be exposed to the Azure AD or Microsoft Entra ID name. For sign-
ins and account user experiences, follow guidance for work and school accounts in Sign
in with Microsoft branding guidelines.

Next steps
Stay up-to-date with what's new in Azure AD/Microsoft Entra ID
Get started using Microsoft Entra ID at the Microsoft Entra admin center
Learn more about Microsoft Entra with content from Microsoft Learn


Identity and access management (IAM) fundamental concepts
Article • 06/12/2023

This article provides fundamental concepts and terminology to help you understand
identity and access management (IAM).

What is identity and access management (IAM)?

Identity and access management ensures that the right people, machines, and software
components get access to the right resources at the right time. First, the person,
machine, or software component proves they're who or what they claim to be. Then, the
person, machine, or software component is allowed or denied access to or use of certain
resources.

Here are some fundamental concepts to help you understand identity and access
management:

Identity
A digital identity is a collection of unique identifiers or attributes that represent a
human, software component, machine, asset, or resource in a computer system. An
identifier can be:

An email address
Sign-in credentials (username/password)
Bank account number
Government issued ID
MAC address or IP address

Identities are used to authenticate and authorize access to resources, communicate with
other humans, conduct transactions, and other purposes.

At a high level, there are three types of identities:

Human identities represent people such as employees (internal workers and front
line workers) and external users (customers, consultants, vendors, and partners).
Workload identities represent software workloads such as an application, service,
script, or container.
Device identities represent devices such as desktop computers, mobile phones,
IoT sensors, and IoT managed devices. Device identities are distinct from human
identities.

Authentication
Authentication is the process of challenging a person, software component, or hardware
device for credentials in order to verify their identity, or prove they're who or what they
claim to be. Authentication typically requires the use of credentials (like username and
password, fingerprints, certificates, or one-time passcodes). Authentication is sometimes
shortened to AuthN.

Multi-factor authentication (MFA) is a security measure that requires users to provide
more than one piece of evidence to verify their identities, such as:

Something they know, for example a password.
Something they have, like a badge or security token.
Something they are, like a biometric (fingerprint or face).

Single sign-on (SSO) allows users to authenticate their identity once and then later
silently authenticate when accessing various resources that rely on the same identity.
Once authenticated, the IAM system acts as the source of identity truth for the other
resources available to the user. It removes the need for signing on to multiple, separate
target systems.

Authorization
Authorization validates that the user, machine, or software component has been granted
access to certain resources. Authorization is sometimes shortened to AuthZ.

Authentication vs. authorization

The terms authentication and authorization are sometimes used interchangeably,
because they often seem like a single experience to users. They're actually two separate
processes:

Authentication proves the identity of a user, machine, or software component
Authorization grants or denies the user, machine, or software component access to
certain resources

Here's a quick overview of authentication and authorization, side by side:

Authentication: Can be thought of as a gatekeeper, allowing access only to those who
provide valid credentials.
Authorization: Can be thought of as a guard, ensuring that only those with the proper
clearance can enter certain areas.

Authentication: Verifies whether a user, machine, or software is who or what they claim
to be.
Authorization: Determines if the user, machine, or software is allowed to access a
particular resource.

Authentication: Challenges the user, machine, or software for verifiable credentials
(for example, passwords, biometric identifiers, or certificates).
Authorization: Determines what level of access a user, machine, or software has.

Authentication: Done before authorization.
Authorization: Done after successful authentication.

Authentication: Information is transferred in an ID token.
Authorization: Information is transferred in an access token.

Authentication: Often uses the OpenID Connect (OIDC) (which is built on the OAuth 2.0
protocol) or SAML protocols.
Authorization: Often uses the OAuth 2.0 protocol.

For more detailed information, read Authentication vs. authorization.

Example

Suppose you want to spend the night in a hotel. You can think of authentication and
authorization as the security system for the hotel building. Users are people who want
to stay at the hotel; resources are the rooms or areas that people want to use. Hotel
staff is another type of user.

If you're staying at the hotel, you first go to reception to start the "authentication
process". You show an identification card and credit card and the receptionist matches
your ID against the online reservation. After the receptionist has verified who you are,
the receptionist grants you permission to access the room you've been assigned. You're
given a keycard and can now go to your room.

The doors to the hotel rooms and other areas have keycard sensors. Swiping the
keycard in front of a sensor is the "authorization process". The keycard only lets you
open the doors to rooms you're permitted to access, such as your hotel room and the
hotel exercise room. If you swipe your keycard to enter any other hotel guest room, your
access is denied. Individual permissions, such as accessing the exercise room and a
specific guest room, are collected into roles which can be granted to individual users.
When you're staying at the hotel, you're granted the Hotel Patron role. Hotel room
service staff would be granted the Hotel Room Service role. This role permits access to
all hotel guest rooms (but only between 11am and 4pm), the laundry room, and the
supply closets on each floor.

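The hotel walkthrough above, and the "done before / done after" ordering from the authentication vs. authorization comparison, as working code. This is an added illustration, not code from the article or from Microsoft; the guest names, ID numbers, room and door names are constructed sample data, and the 11am to 4pm window for the Hotel Room Service role is modelled as inclusive at both ends.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed sample data (not from the article): the "online reservation" and the
# staff roster that reception checks a presented ID against.
RESERVATIONS = {"alice": ("ID-1001", "room-204"), "bob": ("ID-1002", "room-310")}
STAFF_IDS = {"carol": "ID-9001"}
GUEST_ROOMS = {"room-204", "room-310", "room-311"}


@dataclass(frozen=True)
class Keycard:
    """The hotel analogue of a token: who was verified and which role they hold."""
    holder: str
    role: str
    own_room: Optional[str]  # room assigned at check-in; None for staff


@dataclass(frozen=True)
class Permission:
    door: str                     # exact door, a door-name prefix, "own-room" or "any-guest-room"
    start: Optional[time] = None  # inclusive time window; None means any time of day
    end: Optional[time] = None


# Individual permissions collected into roles, as the article describes.
ROLES = {
    "Hotel Patron": (Permission("own-room"), Permission("exercise-room")),
    "Hotel Room Service": (
        Permission("any-guest-room", time(11, 0), time(16, 0)),  # 11am to 4pm only
        Permission("laundry-room"),
        Permission("supply-closet"),  # prefix: supply-closet-1, supply-closet-2, ...
    ),
}


def at(hour: int, minute: int = 0) -> time:
    """Small helper for building clock times (hypothetical convenience, not an API)."""
    return time(hour, minute)


def authenticate(name: str, id_number: str) -> Optional[Keycard]:
    """Reception (AuthN): match the presented ID against the reservation or roster.

    Returns a keycard carrying the holder's role, or None if the ID does not match.
    Nothing here decides which doors open; that is the door sensor's job.
    """
    reservation = RESERVATIONS.get(name)
    if reservation is not None and reservation[0] == id_number:
        return Keycard(name, "Hotel Patron", reservation[1])
    if STAFF_IDS.get(name) == id_number:
        return Keycard(name, "Hotel Room Service", None)
    return None


def _door_matches(perm: Permission, card: Keycard, door: str) -> bool:
    if perm.door == "own-room":
        return card.own_room == door
    if perm.door == "any-guest-room":
        return door in GUEST_ROOMS
    return door == perm.door or door.startswith(perm.door + "-")


def authorize(card: Keycard, door: str, now: time) -> bool:
    """Door sensor (AuthZ): decide from the role on the card, never from the holder's name."""
    for perm in ROLES.get(card.role, ()):
        if not _door_matches(perm, card, door):
            continue
        if perm.start is None:
            return True
        if perm.end is not None and perm.start <= now <= perm.end:
            return True
    return False


def open_door(name: str, id_number: str, door: str, now: time) -> str:
    """Chain the two steps in order: authentication first, authorization only afterwards."""
    card = authenticate(name, id_number)
    if card is None:
        return "denied: not authenticated"
    if not authorize(card, door, now):
        return "denied: not authorized"
    return "opened"
```

Note that a failed ID check never reaches the door logic, and the door logic never looks at the holder's name, only at the role on the card; that separation is the whole point of the comparison table.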
Identity provider
An identity provider creates, maintains, and manages identity information while offering
authentication, authorization, and auditing services.

With modern authentication, all services, including all authentication services, are
supplied by a central identity provider. Information that's used to authenticate the user
with the server is stored and managed centrally by the identity provider.

With a central identity provider, organizations can establish authentication and


authorization policies, monitor user behavior, identify suspicious activities, and reduce
malicious attacks.

Microsoft Azure Active Directory is an example of a cloud-based identity provider. Other


examples include Twitter, Google, Amazon, LinkedIn, and GitHub.
Next steps
Read Introduction to identity and access management to learn more.
Learn about Single sign-on (SSO).
Learn about Multi-factor authentication (MFA).
What is identity and access management (IAM)?
Article • 06/12/2023

In this article, you learn some of the fundamental concepts of Identity and Access
Management (IAM), why it's important, and how it works.

Identity and access management ensures that the right people, machines, and software
components get access to the right resources at the right time. First, the person,
machine, or software component proves they're who or what they claim to be. Then, the
person, machine, or software component is allowed or denied access to or use of certain
resources.

To learn about the basic terms and concepts, see Identity fundamentals.

What does IAM do?

IAM systems typically provide the following core functionality:

Identity management - The process of creating, storing, and managing identity
information. Identity providers (IdP) are software solutions that are used to track
and manage user identities, as well as the permissions and access levels associated
with those identities.

Identity federation - You can allow users who already have passwords elsewhere
(for example, in your enterprise network or with an internet or social identity
provider) to get access to your system.

Provisioning and deprovisioning of users - The process of creating and managing
user accounts, which includes specifying which users have access to which
resources, and assigning permissions and access levels.

Authentication of users - Authenticate a user, machine, or software component by
confirming that they're who or what they say they are. You can add multi-factor
authentication (MFA) for individual users for extra security or single sign-on (SSO)
to allow users to authenticate their identity with one portal instead of many
different resources.

Authorization of users - Authorization ensures a user is granted the exact level
and type of access to a tool that they're entitled to. Users can also be portioned
into groups or roles so large cohorts of users can be granted the same privileges.

Access control - The process of determining who or what has access to which
resources. This includes defining user roles and permissions, as well as setting up
authentication and authorization mechanisms. Access controls regulate access to
systems and data.

Reports and monitoring - Generate reports after actions taken on the platform
(like sign-in time, systems accessed, and type of authentication) to ensure
compliance and assess security risks. Gain insights into the security and usage
patterns of your environment.

How IAM works

This section provides an overview of the authentication and authorization process and
the more common standards.

Authenticating, authorizing, and accessing resources

Let's say you have an application that signs in a user and then accesses a protected
resource.

1. The user (resource owner) initiates an authentication request with the identity
provider/authorization server from the client application.

2. If the credentials are valid, the identity provider/authorization server first sends an
ID token containing information about the user back to the client application.

3. The identity provider/authorization server also obtains end-user consent and
grants the client application authorization to access the protected resource.
Authorization is provided in an access token, which is also sent back to the client
application.

4. The access token is attached to subsequent requests made to the protected
resource server from the client application.

5. The identity provider/authorization server validates the access token. If successful,
the request for protected resources is granted, and a response is sent back to the
client application.

For more information, read Authentication and authorization.

Authentication and authorization standards

These are the most well-known and commonly used authentication and authorization
standards:

OAuth 2.0
OAuth is an open-standards identity management protocol that provides secure access
for websites, mobile apps, and Internet of Things and other devices. It uses tokens that
are encrypted in transit and eliminates the need to share credentials. OAuth 2.0, the
latest release of OAuth, is a popular framework used by major social media platforms
and consumer services, from Facebook and LinkedIn to Google, PayPal, and Netflix. To
learn more, read about OAuth 2.0 protocol.

OpenID Connect (OIDC)

With the release of OpenID Connect (which uses public-key encryption), OpenID
became a widely adopted authentication layer for OAuth. Like SAML, OpenID Connect
(OIDC) is widely used for single sign-on (SSO), but OIDC uses REST/JSON instead of
XML. OIDC was designed to work with both native and mobile apps by using REST/JSON
protocols. The primary use case for SAML, however, is web-based apps. To learn more,
read about OpenID Connect protocol.

JSON web tokens (JWTs)

JWTs are an open standard that defines a compact and self-contained way for securely
transmitting information between parties as a JSON object. JWTs can be verified and
trusted because they're digitally signed. They can be used to pass the identity of
authenticated users between the identity provider and the service requesting the
authentication. They also can be authenticated and encrypted. To learn more, read JSON
Web Tokens.
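Steps 2 to 5 of the flow described under "Authenticating, authorizing, and accessing resources" and the signed-token mechanism in this section, as an added Python example that is not part of the original article: a hypothetical identity provider issues an ID token and an access token, and the resource server verifies signature, issuer, audience and expiry before serving the request. It assumes an HS256 shared key purely so it runs offline; production identity providers sign with an asymmetric key pair and publish only the public key, and the issuer and resource URLs are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the original article). A real identity provider
# signs with an asymmetric key pair (for example RS256) and publishes only the public
# key; a shared HS256 key is used here so the example runs offline.
SHARED_KEY = b"demo-shared-key-not-for-production"
ISSUER = "https://idp.example.test"        # hypothetical identity provider
RESOURCE = "https://api.example.test"      # hypothetical protected resource server


def _b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWTs use for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWT (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, claims)]
    signing_input = ".".join(segments)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def issue_tokens(user: str, client_id: str, now: int) -> dict:
    """Steps 2 and 3 of the flow: after a successful credential check the identity
    provider returns an ID token (audience: the client app) and an access token
    (audience: the protected resource). Both carry an expiry."""
    id_token = sign_jwt({"iss": ISSUER, "sub": user, "aud": client_id,
                         "iat": now, "exp": now + 3600}, SHARED_KEY)
    access_token = sign_jwt({"iss": ISSUER, "sub": user, "aud": RESOURCE,
                             "scope": "files.read", "iat": now, "exp": now + 900},
                            SHARED_KEY)
    return {"id_token": id_token, "access_token": access_token}


def verify_jwt(token: str, key: bytes, expected_aud: str, now: int) -> dict:
    """Step 5: validate the token before trusting any claim in it.
    Raises ValueError naming the first check that fails."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm on the verifier side: never let the token choose it, which
    # rejects "alg": "none" and algorithm-confusion attempts outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired")
    return claims


def request_resource(access_token: str, now: int) -> str:
    """Steps 4 and 5 seen from the resource server: grant only on a token that
    passes every check, otherwise answer 401 with the reason."""
    try:
        claims = verify_jwt(access_token, SHARED_KEY, expected_aud=RESOURCE, now=now)
    except ValueError as err:
        return f"401 Unauthorized ({err})"
    return f"200 OK for {claims['sub']} with scope {claims.get('scope')}"


if __name__ == "__main__":
    import time
    now = int(time.time())
    tokens = issue_tokens("alain@contoso.com", "client-app", now)
    print(request_resource(tokens["access_token"], now))          # 200 OK ...
    # The ID token is addressed to the client app, not the resource, so it is rejected:
    print(request_resource(tokens["id_token"], now))              # 401 ... wrong audience
    print(request_resource(tokens["access_token"], now + 1000))   # 401 ... expired
```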

Security Assertion Markup Language (SAML)

SAML is an open standard utilized for exchanging authentication and authorization
information between, in this case, an IAM solution and another application. This method
uses XML to transmit data and is typically the method used by identity and access
management platforms to grant users the ability to sign in to applications that have
been integrated with IAM solutions. To learn more, read SAML protocol.

System for Cross-Domain Identity Management (SCIM)

Created to simplify the process of managing user identities, SCIM provisioning allows
organizations to efficiently operate in the cloud and easily add or remove users,
benefitting budgets, reducing risk, and streamlining workflows. SCIM also facilitates
communication between cloud-based applications. To learn more, read Develop and
plan provisioning for a SCIM endpoint.

Web Services Federation (WS-Fed)

WS-Fed was developed by Microsoft and is used extensively in its applications. This
standard defines the way security tokens can be transported between different entities
to exchange identity and authorization information. To learn more, read Web Services
Federation Protocol.

Next steps
To learn more, see:

Single sign-on (SSO)
Multi-factor authentication (MFA)
Authentication vs authorization
OAuth 2.0 and OpenID Connect
App types and authentication flows
Security tokens
Quickstart: Create a new tenant in Azure Active Directory
Article • 06/30/2023

You can do all of your administrative tasks using the Azure Active Directory (Azure AD)
portal, including creating a new tenant for your organization.

In this quickstart, you'll learn how to get to the Azure portal and Azure Active Directory,
and you'll learn how to create a basic tenant for your organization.

If you don't have an Azure subscription, create a free account before you begin.

Create a new tenant for your organization

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

After you sign in to the Azure portal, you can create a new tenant for your
organization. Your new tenant represents your organization and helps you to manage a
specific instance of Microsoft cloud services for your internal and external users.

Note

If you're unable to create Azure AD or Azure AD B2C tenant, review your user
settings page to ensure that tenant creation isn't switched off. If tenant creation is
switched off, ask your Global Administrator to assign you a Tenant Creator role.

To create a new tenant

1. Sign in to the Azure portal.

2. From the Azure portal menu, select Azure Active Directory.

3. On the overview page, select Manage tenants.

4. Select Create.

5. On the Basics tab, select the type of tenant you want to create, either Azure Active
Directory or Azure Active Directory (B2C).

6. Select Next: Configuration to move on to the Configuration tab.

7. On the Configuration tab, enter the following information:

Type your desired Organization name (for example Contoso Organization)
into the Organization name box.

Type your desired Initial domain name (for example Contosoorg) into the
Initial domain name box.

Select your desired Country/Region or leave the United States option in the
Country or region box.

8. Select Next: Review + Create. Review the information you entered and if the
information is correct, select Create.

Your new tenant is created with the domain contoso.onmicrosoft.com.

Your user account in the new tenant

When you create a new Azure AD tenant, you become the first user of that tenant. As
the first user, you're automatically assigned the Global Administrator role. Check out
your user account by navigating to the Users page.

By default, you're also listed as the technical contact for the tenant. Technical contact
information is something you can change in Properties.

Warning

Ensure your directory has at least two accounts with global administrator privileges
assigned to them. This will help in the case that one global administrator is locked
out. For more detail see the article, Manage emergency access accounts in Azure
AD.

Clean up resources
If you're not going to continue to use this application, you can delete the tenant using
the following steps:

Ensure that you're signed in to the directory that you want to delete through the
Directory + subscription filter in the Azure portal. Switch to the target directory if
needed.

Select Azure Active Directory, and then on the Contoso - Overview page, select
Delete directory.

The tenant and its associated information are deleted.

Next steps
Change or add other domain names, see How to add a custom domain name to
Azure Active Directory

Add users, see Add or delete a new user

Add groups and members, see Create a basic group and add members

Learn about Azure role-based access control (Azure RBAC) and Conditional Access
to help manage your organization's application and resource access.

Learn about Azure AD, including basic licensing information, terminology, and
associated features.
Add your custom domain name using the Azure portal
Article • 03/10/2023

Azure Active Directory (Azure AD) tenants come with an initial domain name,
<domainname>.onmicrosoft.com. You can't change or delete the initial domain name,
but you can add your organization's names. Adding custom domain names helps you to
create user names that are familiar to your users, such as alain@contoso.com.

Before you begin

Before you can add a custom domain name, create your domain name with a domain
registrar. For an accredited domain registrar, see ICANN-Accredited Registrars.

Create your directory in Azure AD

After you get your domain name, you can create your first Azure AD directory. Sign in to
the Azure portal for your directory, using an account with the Owner role for the
subscription.

Create your new directory by following the steps in Create a new tenant for your
organization.

Important

The person who creates the tenant is automatically the Global administrator for
that tenant. The Global administrator can add additional administrators to the
tenant.

For more information about subscription roles, see Azure roles.

Tip

If you plan to federate your on-premises Windows Server AD with Azure AD, then
you need to select I plan to configure this domain for single sign-on with my
local Active Directory when you run the Azure AD Connect tool to synchronize
your directories.
You also need to register the same domain name you select for federating with
your on-premises directory in the Azure AD Domain step in the wizard. To see what
that setup looks like, see Verify the Azure AD domain selected for federation. If
you don't have the Azure AD Connect tool, you can download it here.

Add your custom domain name to Azure AD

After you create your directory, you can add your custom domain name.

1. Sign in to the Azure portal using a Global administrator account for the
directory.

2. Search for and select Azure Active Directory from any page. Then select Custom
domain names > Add custom domain.

3. In Custom domain name, enter your organization's new name, in this example,
contoso.com. Select Add domain.

Important

You must include .com, .net, or any other top-level extension for this to work.
When adding a custom domain, the Password Policy values will be inherited
from the initial domain.

The unverified domain is added. The contoso.com page appears showing your
DNS information. Save this information. You need it later to create a TXT record to
configure DNS.
Add your DNS information to the domain registrar
After you add your custom domain name to Azure AD, you must return to your domain
registrar and add the Azure AD DNS information from your copied TXT file. Creating this
TXT record for your domain verifies ownership of your domain name.

Go back to your domain registrar and create a new TXT record for your domain based
on your copied DNS information. Set the time to live (TTL) to 3600 seconds (60
minutes), and then save the record.

Important

You can register as many domain names as you want. However, each domain gets
its own TXT record from Azure AD. Be careful when you enter the TXT file
information at the domain registrar. If you enter the wrong or duplicate information
by mistake, you'll have to wait until the TTL times out (60 minutes) before you can
try again.

Verify your custom domain name

After you register your custom domain name, make sure it's valid in Azure AD. The
propagation from your domain registrar to Azure AD can be instantaneous or it can take
a few days, depending on your domain registrar.

To verify your custom domain name, follow these steps:

1. Sign in to the Azure portal using a Global administrator account for the
directory.

2. Search for and select Azure Active Directory from any page, then select Custom
domain names.

3. In Custom domain names, select the custom domain name. In this example, select
contoso.com.

4. On the contoso.com page, select Verify to make sure your custom domain is
properly registered and is valid for Azure AD.

After you've verified your custom domain name, you can delete your verification TXT or
MX file.

Common verification issues

If Azure AD can't verify a custom domain name, try the following suggestions:

Wait at least an hour and try again. DNS records must propagate before Azure
AD can verify the domain. This process can take an hour or more.

If you are trying to verify a child domain, verify the parent domain first. Make
sure the parent domain is created and verified first before you try to verify a child
domain.

Make sure the DNS record is correct. Go back to the domain name registrar site.
Make sure the entry is there, and that it matches the DNS entry information
provided by Azure AD.

If you can't update the record on the registrar site, share the entry with someone
who has permissions to add the entry and verify it's correct.

Make sure the domain name isn't already in use in another directory. A domain
name can only be verified in one directory. If your domain name is currently
verified in another directory, it can't also be verified in the new directory. To fix this
duplication problem, you must delete the domain name from the old directory. For
more information about deleting domain names, see Manage custom domain
names.

Make sure you don't have any unmanaged Power BI tenants. If your users have
activated Power BI through self-service sign-up and created an unmanaged tenant
for your organization, you must take over management as an internal or external
admin, using PowerShell. For more information, see Take over an unmanaged
directory as administrator in Azure Active Directory.

Next steps
Add another Global administrator to your directory. For more information, see
How to assign roles and administrators.

Add users to your domain. For more information, see How to add or delete users.

Manage your domain name information in Azure AD. For more information, see
Managing custom domain names.

If you have on-premises versions of Windows Server that you want to use
alongside Azure Active Directory, see Integrate your on-premises directories with
Azure Active Directory.
Associate or add an Azure subscription to your Azure Active Directory tenant
Article • 06/30/2023

All Azure subscriptions have a trust relationship with an Azure Active Directory (Azure
AD) instance. Subscriptions rely on their trusted Azure AD to authenticate and authorize
security principals and devices. When a subscription expires, the trusted instance of the
Azure AD service remains, but the security principals lose access to Azure resources.
Subscriptions can only trust a single directory while one Azure AD may be trusted by
multiple subscriptions.

When a user signs up for a Microsoft cloud service, a new Azure AD tenant is created
and the user is made a member of the Global Administrator role. However, when an
owner of a subscription joins their subscription to an existing tenant, the owner isn't
assigned to the Global Administrator role.

While users may only have a single authentication home directory, users may participate
as guests in multiple directories. You can see both the home and guest directories for
each user in Azure AD.
Important

When a subscription is associated with a different directory, users who have roles
assigned using Azure role-based access control lose their access. Classic
subscription administrators, including Service Administrator and Co-Administrators,
also lose access.

Moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or
moving the cluster-owning subscription to a new tenant, causes the cluster to lose
functionality due to lost role assignments and service principal's rights. For more
information about AKS, see Azure Kubernetes Service (AKS).

Before you begin

Before you can associate or add your subscription, do the following steps:

Review the following list of changes that will occur after you associate or add your
subscription, and how you might be affected:
Users that have been assigned roles using Azure RBAC will lose their access.
Service Administrator and Co-Administrators will lose access.
If you have any key vaults, they'll be inaccessible, and you'll have to fix them
after association.
If you have any managed identities for resources such as Virtual Machines or
Logic Apps, you must re-enable or recreate them after the association.
If you have a registered Azure Stack, you'll have to re-register it after
association.

For more information, see Transfer an Azure subscription to a different Azure AD
directory.

Sign in using an account that:

Has an Owner role assignment for the subscription. For information about how
to assign the Owner role, see Assign Azure roles using the Azure portal.
Exists in both the current directory and in the new directory. The current
directory is associated with the subscription. You'll associate the new directory
with the subscription. For more information about getting access to another
directory, see Add Azure Active Directory B2B collaboration users in the Azure
portal.

Make sure that you're not using an Azure Cloud Service Providers (CSP)
subscription (MS-AZR-0145P, MS-AZR-0146P, MS-AZR-159P), a Microsoft
Internal subscription (MS-AZR-0015P), or a Microsoft Azure for Students Starter
subscription (MS-AZR-0144P).

Associate a subscription to a directory

To associate an existing subscription with your Azure AD, follow these steps:

1. Sign in and select the subscription you want to use from the Subscriptions page in
Azure portal.

2. Select Change directory.

3. Review any warnings that appear, and then select Change.

After the directory is changed for the subscription, you'll get a success message.

4. Select Switch directories on the subscription page to go to your new directory.

It can take several hours for everything to show up properly. If it seems to be
taking too long, check the Global subscription filter. Make sure the moved
subscription isn't hidden. You may need to sign out of the Azure portal and sign
back in to see the new directory.

Changing the subscription directory is a service-level operation, so it doesn't affect
subscription billing ownership. To delete the original directory, you must transfer the
subscription billing ownership to a new Account Admin. To learn more about
transferring billing ownership, see Transfer ownership of an Azure subscription to
another account.

Post-association steps
After you associate a subscription with a different directory, you might need to do the
following tasks to resume operations:

If you have any key vaults, you must change the key vault tenant ID. For more
information, see Change a key vault tenant ID after a subscription move.

If you used system-assigned Managed Identities for resources, you must re-enable
these identities. If you used user-assigned Managed Identities, you must re-create
these identities. After re-enabling or recreating the Managed Identities, you must
re-establish the permissions assigned to those identities. For more information, see
What are managed identities for Azure resources?.

If you've registered an Azure Stack using this subscription, you must re-register.
For more information, see Register Azure Stack Hub with Azure.

For more information, see Transfer an Azure subscription to a different Azure AD
directory.

Next steps
To create a new Azure AD tenant, see Quickstart: Create a new tenant in Azure
Active Directory.

To learn more about how Microsoft Azure controls resource access, see Azure
roles, Azure AD roles, and classic subscription administrator roles.

To learn more about how to assign roles in Azure AD, see Assign administrator and
non-administrator roles to users with Azure Active Directory.
Add your organization's privacy info using Azure Active Directory
Article • 07/25/2023

This article explains how a tenant admin can add privacy-related info to an
organization's Azure Active Directory (Azure AD) tenant, through the Azure portal.

We strongly recommend you add both your global privacy contact and your
organization's privacy statement, so your internal employees and external guests can
review your policies. Because privacy statements are uniquely created and tailored for
each business, we strongly recommend you contact a lawyer for assistance.

Note

For information about viewing or deleting personal data, see Azure Data Subject
Requests for the GDPR. For more information about GDPR, see the GDPR section
of the Microsoft Trust Center and the GDPR section of the Service Trust
portal.

Add your privacy info on Azure AD

You add your organization's privacy information in the Properties area of Azure AD.

To access the Properties area and add your privacy information

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

1. Sign in to the Azure portal as a tenant administrator.

2. On the left navbar, select Azure Active Directory, and then select Properties.

The Properties area appears.

3. Add your privacy info for your employees:

Technical contact. Type the email address for the person to contact for
technical support within your organization.

Global privacy contact. Type the email address for the person to contact for
inquiries about personal data privacy. This person is also who Microsoft
contacts if there's a data breach related to Azure Active Directory services. If
there's no person listed here, Microsoft contacts your global administrators.
For Microsoft 365 related privacy incident notifications, see Microsoft 365
Message center FAQs.

Privacy statement URL. Type the link to your organization's document that
describes how your organization handles both internal and external guest's
data privacy.

Important

If you don't include either your own privacy statement or your privacy
contact, your external guests will see text in the Review Permissions box
that says, <your org name> has not provided links to their terms for
you to review. For example, a guest user will see this message when
they receive an invitation to access an organization through B2B
collaboration.

4. Select Save.

Next steps
Azure Active Directory B2B collaboration invitation redemption
Add or change profile information for a user in Azure Active Directory
Configure your company branding
Article • 07/13/2023

When users authenticate into your corporate intranet or web-based applications, Azure
Active Directory (Azure AD) provides the identity and access management (IAM) service.
You can add company branding that applies to all these sign-in experiences to create a
consistent experience for your users.

The default sign-in experience is the global look and feel that applies across all sign-ins
to your tenant. Before you customize any settings, the default Microsoft branding
appears in your sign-in pages. You can customize this default experience with a custom
background image and/or color, favicon, layout, header, and footer. You can also upload
a custom CSS.

Note

Instructions for how to manage the 'Stay signed in prompt?' can be found in the
Manage the 'Stay signed in?' prompt article.

License requirements
Adding custom branding requires one of the following licenses:

Azure AD Premium 1
Azure AD Premium 2
Office 365 (for Office apps)

For more information about licensing and editions, see the Sign up for Azure AD
Premium article.

Azure AD Premium editions are available for customers in China using the worldwide
instance of Azure AD. Azure AD Premium editions aren't currently supported in the
Azure service operated by 21Vianet in China.

The Global Administrator role is required to customize company branding.

Before you begin

All branding elements are optional. Default settings will remain, if left unchanged. For
example, if you specify a banner logo but no background image, the sign-in page shows
your logo with a default background image from the destination site such as Microsoft
365. Additionally, sign-in page branding doesn't carry over to personal Microsoft
accounts. If your users or guests authenticate using a personal Microsoft account, the
sign-in page won't reflect the branding of your organization.

Images have different image and file size requirements. Take note of the image
requirements for each option. You may need to use a photo editor to create the right
size images. The preferred image type for all images is PNG, but JPG is accepted.

Use Microsoft Graph with Azure AD company branding. Company branding can be
viewed and managed using Microsoft Graph on the /beta endpoint and the
organizationalBranding resource type. For more information, see the organizational
branding API documentation.

The branding elements are called out in the following example. Text descriptions are
provided following the image.

1. Favicon: Small icon that appears on the left side of the browser tab.
2. Header logo: Space across the top of the web page, below the web browser
navigation area.
3. Background image: The entire space behind the sign-in box.
4. Page background color: The entire space behind the sign-in box.
5. Banner logo: The logo that appears in the upper-left corner of the sign-in box.
6. Username hint and text: The text that appears before a user enters their
information.
7. Sign-in page text: Additional text you can add below the username field.
8. Self-service password reset: A link you can add below the sign-in page text for
password resets.
9. Template: The layout of the page and sign-in boxes.
10. Footer: Text in the lower-right corner of the page where you can add Terms of use
or privacy information.

User experience
When customizing the sign-in pages that users see when accessing your organization's
tenant-specific applications, there are some user experience scenarios you may need to
consider.

For Microsoft, Software as a Service (SaaS), and multi-tenant applications such as
https://myapps.microsoft.com, or https://outlook.com, the customized sign-in page
appears only after the user types their Email or Phone number and selects the Next
button.

Some Microsoft applications support Home Realm Discovery for authentication. In these
scenarios, when a customer signs in to an Azure AD common sign-in page, Azure AD
can use the customer's user name to determine where they should sign in.

For customers who access applications from a custom URL, the whr query string
parameter, or a domain variable, can be used to apply company branding at the initial
sign-in screen, not just after adding the email or phone number. For example,
whr=contoso.com would appear in the custom URL for the app. With the Home Realm
Discovery and domain parameter included, the company branding appears immediately
in the first sign-in step. Other domain hints can be included.

In the following examples replace the contoso.com with your own tenant name, or
verified domain name:

For Microsoft Outlook https://outlook.com/contoso.com
For SharePoint online https://contoso.sharepoint.com
For my app portal https://myapps.microsoft.com/?whr=contoso.com
Self-service password reset https://passwordreset.microsoftonline.com/?whr=contoso.com

Note

To manage the settings of the 'Stay signed in?' prompt, go to Azure AD > Users >
User settings.

How to navigate the company branding process


Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

1. Sign in to the Azure portal using a Global Administrator account for the
directory.

2. Go to Azure Active Directory > Company branding > Customize.

If you currently have a customized sign-in experience, the Edit button is
available.

The sign-in experience process is grouped into sections. At the end of each section,
select the Review + create button to review what you have selected and submit your
changes or the Next button to move to the next section.

Basics
Favicon: Select a PNG or JPG of your logo that appears in the web browser tab.

Background image: Select a PNG or JPG to display as the main image on your
sign-in page. This image scales and crops according to the window size, but may
be partially blocked by the sign-in prompt.

Page background color: If the background image isn't able to load because of a
slower connection, your selected background color appears instead.
Layout
Visual Templates: Customize the layout of your sign-in page using templates or
custom CSS.
Choose one of two Templates: Full-screen or partial-screen background. The
full-screen background could obscure your background image, so choose the
partial-screen background if your background image is important.
The details of the Header and Footer options are set on the next two sections
of the process.

Custom CSS: Upload custom CSS to replace the Microsoft default style of the
page.
Download the CSS template.
View the CSS template reference guide.
Header
If you haven't enabled the header, go to the Layout section and select Show header.
Once enabled, select a PNG or JPG to display in the header of the sign-in page.

Footer
If you haven't enabled the footer, go to the Layout section and select Show footer.
Once enabled, adjust the following settings.

Show 'Privacy & Cookies': This option is selected by default and displays the
Microsoft 'Privacy & Cookies' link.

Uncheck this option to hide the default Microsoft link. Optionally provide your own
Display text and URL. The text and links don't have to be related to privacy and
cookies.

Show 'Terms of Use': This option is also selected by default and displays the
Microsoft 'Terms of Use' link.

Uncheck this option to hide the default Microsoft link. Optionally provide your own
Display text and URL. The text and links don't have to be related to your terms of
use.

Important

The default Microsoft 'Terms of Use' link is not the same as the Conditional
Access Terms of Use. Seeing the terms here doesn't mean you've accepted
those terms and conditions.
Sign-in form
Banner logo: Select a PNG or JPG image file of a banner-sized logo (short and
wide) to appear on the sign-in pages.

Square logo (light theme): Select a square PNG or JPG image file of your logo to
be used in browsers that are using a light color theme. This logo is used to
represent your organization on the Azure AD web interface and in Windows.

Square logo (dark theme) Select a square PNG or JPG image file of your logo to
be used in browsers that are using a dark color theme. This logo is used to
represent your organization on the Azure AD web interface and in Windows. If
your logo looks good on light and dark backgrounds, there's no need to add a
dark theme logo.

Username hint text: Enter hint text for the username input field on the sign-in
page. If guests use the same sign-in page, we don't recommend using hint text
here.
Sign-in page text: Enter text that appears on the bottom of the sign-in page. You
can use this text to communicate additional information, such as the phone
number to your help desk or a legal statement. This page is public, so don't
provide sensitive information here. This text must be Unicode and can't exceed
1024 characters.

To begin a new paragraph, use the enter key twice. You can also change text
formatting to include bold, italics, an underline, or clickable link. Use the following
syntax to add formatting to text:

Hyperlink: [text](link)

Bold: **text** or __text__

Italics: *text* or _text_

Underline: ++text++

Important

Hyperlinks that are added to the sign-in page text render as text in native
environments, such as desktop and mobile applications.

Self-service password reset:
Show self-service password reset (SSPR): Select the checkbox to turn on SSPR.
Common URL: Enter the destination URL for where your users reset their
passwords. This URL appears on the username and password collection screens.
Username collection display text: Replace the default text with your own custom
username collection text.
Password collection display text: Replace the default text with your own
customer password collection text.

Review
All of the available options appear in one list so you can review everything you've
customized or left at the default setting. When you're done, select the Create button.

Once your default sign-in experience is created, select the Edit button to make any
changes. You can't delete a default sign-in experience after it's created, but you can
remove all custom settings.

Customize the sign-in experience by browser language
To create an inclusive experience for all of your users, you can customize the sign-in
experience based on browser language.

1. Sign in to the Azure portal using a Global Administrator account for the
directory.

2. Go to Azure Active Directory > Company branding > Add browser language.

The process for customizing the experience is the same as the default sign-in experience
process, except you must select a language from the dropdown list in the Basics section.
We recommend adding custom text in the same areas as your default sign-in
experience.

Azure AD supports right-to-left functionality for languages such as Arabic and Hebrew
that are read right-to-left. The layout adjusts automatically, based on the user's browser
settings.
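The Basics, Layout and Sign-in form settings above, and the per-language variant, can also be applied through Microsoft Graph, which is easier to review and version than portal clicks. The following is an added example written for this page, not code from the article or from Microsoft. It assumes the Microsoft.Graph PowerShell module, a signed-in Global Administrator (the role the article names for branding), and that the cmdlet and parameter names used (Update-MgOrganizationBranding, Set-MgOrganizationBrandingBackgroundImage -InFile, New-MgOrganizationBrandingLocalization -Id) match your installed SDK version; the text, colour, file path and domain are placeholders.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes: Microsoft.Graph module, Global Administrator, placeholder values below.
Connect-MgGraph -Scopes "Organization.ReadWrite.All" -NoWelcome
$org = Get-MgOrganization | Select-Object -First 1

# Sign-in page text uses the light markup the article lists (bold, links). The page is public
# and the article caps it at 1024 characters, so validate locally before the API does.
$signInText = @"
Welcome to **Contoso**. Need help? Call the service desk on +1 555 0100.
Read the [acceptable use policy](https://contoso.example/aup) before signing in.
"@
if ($signInText.Length -gt 1024) {
    throw "Sign-in page text exceeds 1024 characters ($($signInText.Length))."
}
if ($signInText -match 'password|secret|api[_-]?key') {
    throw "Sign-in page text is shown to anyone; remove sensitive terms."
}

# Default (no locale) branding: background colour fallback, username hint, sign-in page text.
Update-MgOrganizationBranding -OrganizationId $org.Id `
    -BackgroundColor "#0F2B46" `
    -UsernameHintText "firstname.lastname@contoso.example" `
    -SignInPageText $signInText

# Images (PNG or JPG, as the article specifies) go through separate content cmdlets.
Set-MgOrganizationBrandingBackgroundImage -OrganizationId $org.Id -InFile "./bg.png"

# Browser-language variant, keyed by locale; same fields as the default experience.
New-MgOrganizationBrandingLocalization -OrganizationId $org.Id -Id "fr-FR" `
    -SignInPageText "Bienvenue chez **Contoso**. Assistance : +1 555 0100." `
    -UsernameHintText "prenom.nom@contoso.example"

# Read back what is now live, the scripted equivalent of the portal's Review step.
Get-MgOrganizationBranding -OrganizationId $org.Id |
    Select-Object BackgroundColor, UsernameHintText, SignInPageText
```

Run the script with -WhatIf on the Update and New cmdlets first if you want to see the calls without changing the tenant; branding changes are visible to every user and to unauthenticated visitors as soon as they are saved.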
Next steps
View the CSS template reference guide.
Learn more about default user permissions in Azure AD
Manage the 'stay signed in' prompt
How to create, invite, and delete users (preview)
Article • 04/21/2023

This article explains how to create a new user, invite an external guest, and delete a user
in your Azure Active Directory (Azure AD) tenant.

The updated experience for creating new users covered in this article is available as an
Azure AD preview feature. This feature is enabled by default, but you can opt out by
going to Azure AD > Preview features and disabling the Create user experience
feature. For more information about previews, see Supplemental Terms of Use for
Microsoft Azure Previews.

Instructions for the legacy create user process can be found in the Add or delete users
article.

Note

For information about viewing or deleting personal data, please review Microsoft's
guidance on the Windows data subject requests for the GDPR site. For general
information about GDPR, see the GDPR section of the Microsoft Trust Center
and the GDPR section of the Service Trust portal.

Before you begin
Before you create or invite a new user, take some time to review the types of users, their
authentication methods, and their access within the Azure AD tenant. For example, do
you need to create an internal guest, an internal user, or an external guest? Does your
new user need guest or member privileges?

Internal member: These users are most likely full-time employees in your
organization.
Internal guest: These users have an account in your tenant, but have guest-level
privileges. It's possible they were created within your tenant prior to the availability
of B2B collaboration.
External member: These users authenticate using an external account, but have
member access to your tenant. These types of users are common in multi-tenant
organizations.
External guest: These users are true guests of your tenant who authenticate using
an external method and who have guest-level privileges.

For more information about the differences between internal and external guests and
members, see B2B collaboration properties.

Authentication methods vary based on the type of user you create. Internal guests and
members have credentials in your Azure AD tenant that can be managed by
administrators. These users can also reset their own password. External members
authenticate to their home Azure AD tenant and your Azure AD tenant authenticates the
user through a federated sign-in with the external member's Azure AD tenant. If external
members forget their password, the administrator in their Azure AD tenant can reset
their password. External guests set up their own password using the link they receive in
email when their account is created.

Reviewing the default user permissions may also help you determine the type of user
you need to create. For more information, see Set default user permissions

Required roles
The required role of least privilege varies based on the type of user you're adding and if
you need to assign Azure AD roles at the same time. Global Administrator can create
users and assign roles, but whenever possible you should use the least privileged role.

Task                        Role
Create a new user           User Administrator
Invite an external guest    Guest Inviter
Assign Azure AD roles       Privileged Role Administrator

Create a new user

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

1. Sign in to the Azure portal in the User Administrator role.
2. Navigate to Azure Active Directory > Users.

3. Select Create new user from the menu.

Basics
The Basics tab contains the core fields required to create a new user.

User principal name: Enter a unique username and select a domain from the menu
after the @ symbol. Select Domain not listed if you need to create a new domain.
For more information, see Add your custom domain name

Mail nickname: If you need to enter an email nickname that is different from the
user principal name you entered, uncheck the Derive from user principal name
option, then enter the mail nickname.

Display name: Enter the user's name, such as Chris Green or Chris A. Green

Password: Provide a password for the user to use during their initial sign-in.
Uncheck the Auto-generate password option to enter a different password.

Account enabled: This option is checked by default. Uncheck to prevent the new
user from being able to sign-in. You can change this setting after the user is
created. This setting was called Block sign in in the legacy create user process.

Either select the Review + create button to create the new user or Next: Properties to
complete the next section.

Properties
There are six categories of user properties you can provide. These properties can be
added or updated after the user is created. To manage these details, go to Azure AD >
Users and select a user to update.

Identity: Enter the user's first and last name. Set the User type as either Member or
Guest.

Job information: Add any job-related information, such as the user's job title,
department, or manager.

Contact information: Add any relevant contact information for the user.

Parental controls: For organizations like K-12 school districts, the user's age group
may need to be provided. Minors are 12 and under, Not adult are 13-18 years old,
and Adults are 18 and over. The combination of age group and consent provided
by parent options determine the Legal age group classification. The Legal age
group classification may limit the user's access and authority.

Settings: Specify the user's global location.

Either select the Review + create button to create the new user or Next: Assignments to
complete the next section.

Assignments
You can assign the user to an administrative unit, group, or Azure AD role when the
account is created. You can assign the user to up to 20 groups or roles. You can only
assign the user to one administrative unit. Assignments can be added after the user is
created.

To assign a group to the new user:

1. Select + Add group.

2. From the menu that appears, choose up to 20 groups from the list and select the
Select button.

3. Select the Review + create button.

To assign a role to the new user:

1. Select + Add role.

2. From the menu that appears, choose up to 20 roles from the list and select the
Select button.

3. Select the Review + create button.

To add an administrative unit to the new user:

1. Select + Add administrative unit.

2. From the menu that appears, choose one administrative unit from the list and
select the Select button.

3. Select the Review + create button.

Review and create
The final tab captures several key details from the user creation process. Review the
details and select the Create button if everything looks good.
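The same Basics, Properties and Assignments steps can be scripted, which is how most teams create accounts at scale and keep the initial-password handling consistent. The following is an added example written for this page, not code from the article or from Microsoft. It assumes the Microsoft.Graph PowerShell module, a signed-in User Administrator (the least-privileged role in the article's table), a verified domain, and placeholder names, UPN and group; the group membership step stands in for the portal's Assignments tab.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes: Microsoft.Graph module, User Administrator, placeholder domain/group/attributes.
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All" -NoWelcome

# Basics > Password: a random, one-time initial password (the portal's "auto-generate"),
# forced to change at first sign-in. Never reuse a static onboarding password across accounts.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = [byte[]]::new(24)
$rng.GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)   # 32 chars, mixed case + digits

$params = @{
    UserPrincipalName = "chris.green@contoso.example"   # Basics: unique UPN on a verified domain
    MailNickname      = "chris.green"                   # Basics: mail nickname
    DisplayName       = "Chris Green"
    GivenName         = "Chris"                         # Properties: Identity
    Surname           = "Green"
    JobTitle          = "Analyst"                       # Properties: Job information
    Department        = "Security Operations"
    UsageLocation     = "US"                            # Properties: Settings; required before licensing
    AccountEnabled    = $true                           # Basics: Account enabled
    PasswordProfile   = @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }
}
$newUser = New-MgUser @params

# Assignments: add the user to a group (the portal allows up to 20 at creation time).
$group = Get-MgGroup -Filter "displayName eq 'SecOps Analysts'" | Select-Object -First 1
if (-not $group) { throw "Target group not found; create it before onboarding users." }
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $newUser.Id

# Review: confirm what was created, then hand the one-time password over out of band
# (for example in person or via the help desk), never by email to the new mailbox.
Get-MgUser -UserId $newUser.Id -Property "id,userPrincipalName,accountEnabled,usageLocation" |
    Select-Object Id, UserPrincipalName, AccountEnabled, UsageLocation
"Initial password (share out of band, expires at first sign-in): $initialPassword"
```

Members of the group and the initial password appear in the script output, so run it from an administrative workstation and do not paste the transcript into tickets or chat.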

Invite an external user
The overall process for inviting an external guest user is similar, except for a few details
on the Basics tab and the email invitation process. You can't assign external users to
administrative units.

1. Sign in to the Azure portal in the User Administrator role. A role with Guest
Inviter privileges can also invite external users.

2. Navigate to Azure Active Directory > Users.

3. Select Invite external user from the menu.

Basics for external users
In this section, you're inviting the guest to your tenant using their email address. If you
need to create a guest user with a domain account, use the create new user process but
change the User type to Guest.

Email: Enter the email address for the guest user you're inviting.

Display name: Provide the display name.

Invitation message: Select the Send invite message checkbox to customize a brief
message to the guest. Provide a Cc recipient, if necessary.

Guest user invitations
When you invite an external guest user by sending an email invitation, you can check
the status of the invitation from the user's details.

1. Go to Azure AD > Users and select the invited guest user.

2. In the My Feed section, locate the B2B collaboration tile.

If the invitation state is PendingAcceptance, select the Resend invitation link
to send another email.

You can also select the Properties for the user and view the Invitation state.
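Invitations and their state are also exposed through Microsoft Graph, which lets you track unaccepted invitations across the whole tenant rather than one user at a time. The following is an added example written for this page, not code from the article or from Microsoft. It assumes the Microsoft.Graph PowerShell module, a signed-in Guest Inviter, placeholder addresses, and that the user filter on userType and externalUserState is accepted by your tenant's Graph endpoint (both properties are documented as filterable, but that is an assumption of this example).

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes: Microsoft.Graph module, Guest Inviter, placeholder addresses.
Connect-MgGraph -Scopes "User.Invite.All","User.Read.All" -NoWelcome

# Basics for external users: email, display name, optional message and Cc sponsor.
$invite = New-MgInvitation `
    -InvitedUserEmailAddress "alex.partner@fabrikam.example" `
    -InvitedUserDisplayName  "Alex Partner (Fabrikam)" `
    -InviteRedirectUrl       "https://myapps.microsoft.com" `
    -SendInvitationMessage:$true `
    -InvitedUserMessageInfo @{
        CustomizedMessageBody = "Hi Alex, accept this invitation to work in the Contoso audit workspace."
        CcRecipients          = @(@{ EmailAddress = @{ Address = "sponsor@contoso.example" } })
    }
"Invitation for $($invite.InvitedUserEmailAddress): status=$($invite.Status) guest=$($invite.InvitedUser.Id)"

# Status check, the scripted equivalent of the B2B collaboration tile / Invitation state property.
$guest = Get-MgUser -UserId $invite.InvitedUser.Id `
    -Property "id,displayName,userType,externalUserState,externalUserStateChangeDateTime"
"$($guest.DisplayName): userType=$($guest.UserType) state=$($guest.ExternalUserState) since=$($guest.ExternalUserStateChangeDateTime)"

# Hygiene sweep: invitations still PendingAcceptance after 30 days are dormant guest objects.
# Resend them (re-run New-MgInvitation for the same address) or delete them.
$cutoff = (Get-Date).AddDays(-30)
Get-MgUser -All -Filter "userType eq 'Guest' and externalUserState eq 'PendingAcceptance'" `
    -Property "id,mail,externalUserState,externalUserStateChangeDateTime" |
    Where-Object { $_.ExternalUserStateChangeDateTime -lt $cutoff } |
    Select-Object Mail, ExternalUserStateChangeDateTime
```

A guest object exists in the tenant from the moment the invitation is sent, not from acceptance, so group memberships and app assignments granted to a pending guest are already in place when the link is eventually redeemed; the sweep at the end is there to catch invitations that never should have stayed open.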
Add other users
There might be scenarios in which you want to manually create consumer accounts in
your Azure Active Directory B2C (Azure AD B2C) directory. For more information about
creating consumer accounts, see Create and delete consumer users in Azure AD B2C.

If you have an environment with both Azure Active Directory (cloud) and Windows
Server Active Directory (on-premises), you can add new users by syncing the existing
user account data. For more information about hybrid environments and users, see
Integrate your on-premises directories with Azure Active Directory.

Delete a user
You can delete an existing user using Azure portal.

You must have a Global Administrator, Privileged Authentication Administrator, or
User Administrator role assignment to delete users in your organization.

Global Administrators and Privileged Authentication Administrators can delete any
users including other administrators.
User Administrators can delete any non-admin users, Helpdesk Administrators, and
other User Administrators.

For more information, see Administrator role permissions in Azure AD.
To delete a user, follow these steps:

1. Sign in to the Azure portal using one of the appropriate roles.

2. Go to Azure Active Directory > Users.

3. Search for and select the user you want to delete from your Azure AD tenant.

4. Select Delete user.

The user is deleted and no longer appears on the Users - All users page. The user can
be seen on the Deleted users page for the next 30 days and can be restored during that
time. For more information about restoring a user, see Restore or remove a recently
deleted user using Azure Active Directory.

When a user is deleted, any licenses consumed by the user are made available for other
users.
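Deleting and restoring through Microsoft Graph follows the same 30-day soft-delete rule the article describes, and scripting it lets you add a guard the portal does not offer. The following is an added example written for this page, not code from the article or from Microsoft. It assumes the Microsoft.Graph PowerShell module, a signed-in User Administrator, and a placeholder UPN; the directory-role check before deletion is this example's own precaution, based on the article's rule that only Global and Privileged Authentication Administrators may delete other administrators.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes: Microsoft.Graph module, User Administrator, placeholder UPN.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome
$upn  = "chris.green@contoso.example"
$user = Get-MgUser -UserId $upn

# Guard: a User Administrator cannot delete most admins, and deleting one by accident is
# costly, so refuse if the account holds any directory role and escalate instead.
$roles = Get-MgUserMemberOf -UserId $user.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
if ($roles) { throw "$upn holds $($roles.Count) directory role(s); review before deleting." }

Remove-MgUser -UserId $user.Id

# The user is now on the Deleted users list (soft-deleted) for 30 days; licenses it held are
# released immediately, so they must be re-assigned after a restore.
$deleted = Get-MgDirectoryDeletedItemAsUser -All | Where-Object { $_.Id -eq $user.Id }
$daysLeft = 30 - [int]((Get-Date) - $deleted.DeletedDateTime).TotalDays
"$($deleted.UserPrincipalName) deleted $($deleted.DeletedDateTime); restorable for ~$daysLeft more day(s)"

# Restore, the equivalent of the Deleted users page. The object comes back with the same ID.
Restore-MgDirectoryDeletedItem -DirectoryObjectId $user.Id

# To purge immediately instead (irreversible, nothing to restore afterwards):
# Remove-MgDirectoryDeletedItem -DirectoryObjectId $user.Id
```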

Note

To update the identity, contact information, or job information for users whose
source of authority is Windows Server Active Directory, you must use Windows
Server Active Directory. After you complete the update, you must wait for the next
synchronization cycle to complete before you'll see the changes.

Next steps
Learn about B2B collaboration users
Review the default user permissions
Add a custom domain
Assign or remove licenses in the Azure
portal
Article • 07/25/2023

Many Azure Active Directory (Azure AD) services require you to license each of your
users or groups (and associated members) for that service. Only users with active
licenses can access and use those licensed Azure AD services. Licenses are applied per
tenant and don't transfer to other tenants.

Available license plans
There are several Azure AD license plans:

Azure AD Free

Azure AD Premium P1

Azure AD Premium P2

For specific information about each license plan and the associated licensing details, see
What license do I need? To sign up for Azure AD Premium license plans, see here.

Not all Microsoft services are available in all locations. Before a license can be assigned
to a group, you must specify the Usage location for all members. You can set this value
in the Azure Active Directory > Users > select a user > Properties > Settings area in
Azure AD. When assigning licenses to a group or bulk updates such as disabling the
synchronization status for the organization, any user whose usage location isn't
specified inherits the location of the Azure AD organization.

View license plans and plan details
You can view your available service plans, including the individual licenses, check
pending expiration dates, and view the number of available assignments.

To find your service plan and plan details

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

1. Sign in to the Azure portal using a License administrator account in your Azure
AD organization.

2. Select Azure Active Directory, and then select Licenses.

3. Select All products to view the All Products page and to see the Total, Assigned,
Available, and Expiring soon numbers for your license plans.

Note

The numbers are defined as:

Total: Total number of licenses purchased
Assigned: Number of licenses assigned to users
Available: Number of licenses available for assignment including expiring
soon
Expiring soon: Number of licenses expiring soon

4. Select a plan name to see its licensed users and groups.

Assign licenses to users or groups
Anyone who has a business need to use a licensed Azure AD service must have the
required licenses. You can add licensing rights to users or to an entire group.

To assign a license to a user
1. On the Products page, select the name of the license plan you want to assign to
the user.

2. After you select the license plan, select Assign.

3. On the Assign page, select Users and groups, and then search for and select the
user you're assigning the license.

4. Select Assignment options, make sure you have the appropriate license options
turned on, and then select OK.

The Assign license page updates to show that a user is selected and that the
assignments are configured.
Note

Not all Microsoft services are available in all locations. Before a license can be
assigned to a user, you must specify the Usage location. You can set this value
in the Azure Active Directory > Users > Profile > Settings area in Azure AD.
When assigning licenses to a group or bulk updates such as disabling the
synchronization status for the organization, any user whose usage location
isn't specified inherits the location of the Azure AD organization.

5. Select Assign.

The user is added to the list of licensed users and has access to the included Azure
AD services.

Note

Licenses can also be assigned directly to a user from the user's Licenses page.
If a user has a license assigned through a group membership and you want to
assign the same license to the user directly, you can do so only from the
Products page mentioned in step 1.

To assign a license to a group

1. On the Products page, select the name of the license plan you want to assign to
the group.

2. On the page for that plan (for example, Azure Active Directory Premium Plan 2),
select Assign.

3. On the Assign page, select Users and groups, and then search for and select the
group you're assigning the license to.

4. Select Assignment options, make sure you have the appropriate license options
turned on, and then select OK.

The Assign license page updates to show that a group is selected and that the
assignments are configured.

5. Select Assign.

The group is added to the list of licensed groups and all of the members have
access to the included Azure AD services.
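Both assignment paths, and the usage-location prerequisite the notes above describe, can be driven through Microsoft Graph; doing it in a script makes the capacity check and the location check explicit instead of surfacing as an error after the fact. The following is an added example written for this page, not code from the article or from Microsoft. It assumes the Microsoft.Graph PowerShell module, a signed-in License Administrator, that the tenant has purchased Azure AD Premium P2 (SKU part number AAD_PREMIUM_P2), and placeholder UPN, group name and country code.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes: Microsoft.Graph module, License Administrator, AAD_PREMIUM_P2 purchased, placeholders.
Connect-MgGraph -Scopes "Organization.Read.All","User.ReadWrite.All","Group.ReadWrite.All" -NoWelcome

# Resolve the plan by its stable part number, not its display name, and check capacity
# (the portal's Total / Assigned / Available figures).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "AAD_PREMIUM_P2"
if (-not $sku) { throw "AAD_PREMIUM_P2 is not purchased in this tenant." }
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
"AAD_PREMIUM_P2: total=$($sku.PrepaidUnits.Enabled) assigned=$($sku.ConsumedUnits) available=$available"
if ($available -lt 1) { throw "No AAD_PREMIUM_P2 licenses available to assign." }

# Direct assignment to a user: the usage location must be set first or the call is rejected.
$user = Get-MgUser -UserId "chris.green@contoso.example" -Property "id,usageLocation"
if (-not $user.UsageLocation) { Update-MgUser -UserId $user.Id -UsageLocation "US" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Group-based assignment: members inherit the license; members without a usage location take
# the tenant's location, as the article notes. To remove an inherited license later, remove
# the user from the group rather than editing the user.
$group = Get-MgGroup -Filter "displayName eq 'SecOps Analysts'" | Select-Object -First 1
if (-not $group) { throw "Licensing group not found." }
Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Verify the user now holds the plan (directly or via the group) before closing the change.
Get-MgUserLicenseDetail -UserId $user.Id | Select-Object SkuPartNumber, SkuId
```

Group-based licensing is processed asynchronously, so the final verification may lag a few minutes behind the Set-MgGroupLicense call; the direct assignment is visible immediately.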

Remove a license
You can remove a license from a user's Azure AD user page, from the group overview
page for a group assignment, or starting from the Azure AD Licenses page to see the
users and groups for a license.

To remove a license from a user
1. On the Licensed users page for the service plan, select the user that should no
longer have the license. For example, Alain Charon.

2. Select Remove license.

Important

Licenses that a user inherits from a group can't be removed directly. Instead, you
have to remove the user from the group from which they're inheriting the license.

To remove a license from a group


1. On the Licensed groups page for the license plan, select the group that should no
longer have the license.

2. Select Remove license.

Note

When an on-premises user account synced to Azure AD falls out of scope for
the sync or when the sync is removed, the user is soft-deleted in Azure AD.
When this occurs, licenses assigned to the user directly or via group-based
licensing will be marked as suspended rather than deleted.

Next steps
After you've assigned your licenses, you can perform the following processes:

Identify and resolve license assignment problems

Add licensed users to a group for licensing

Scenarios, limitations, and known issues using groups to manage licensing in Azure
Active Directory

Add or change profile information


Assign user roles with Azure Active
Directory
Article • 07/25/2023

The ability to manage Azure AD resources is granted by assigning roles that provide the
required permissions. Roles can be assigned to individual users or groups. To align with
the Zero Trust guiding principles, use Just-In-Time and Just-Enough-Access policies
when assigning roles: prefer eligible assignments that are activated on demand over
permanently active ones.

Before assigning roles to users, review the following Microsoft Learn articles:

Learn about Azure AD roles
Learn about role based access control
Explore the Azure built-in roles

Assign roles
There are two main steps to the role assignment process. First you'll select the role to
assign. Then you'll adjust the role settings and duration.

Select the role to assign

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

1. Sign in to the Azure portal using the Privileged Role Administrator role for the
directory.

2. Go to Azure Active Directory > Users.

3. Search for and select the user getting the role assignment.

4. Select Assigned roles from the side menu, then select Add assignments.

5. Select a role to assign from the dropdown list and select the Next button.

Adjust the role settings
You can assign roles as either eligible or active. Eligible roles are assigned to a user but
must be elevated Just-In-Time by the user through Privileged Identity Management
(PIM). For more information about how to use PIM, see Privileged Identity Management.

1. From the Setting section of the Add assignments page, select an Assignment type
option.

2. Leave the Permanently eligible option selected if the role should always be
available to elevate for the user.

If you uncheck this option, you can specify a date range for the role eligibility.

3. Select the Assign button.

Assigned roles appear in the associated section for the user, so eligible and active
roles are listed separately.
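The eligible-versus-active distinction above is where least privilege is actually enforced, so it is worth seeing how the two assignment types differ outside the portal. The following is an added example written for this page, not code from the article or from Microsoft. It assumes the Microsoft.Graph PowerShell module, an Azure AD Premium P2 tenant (PIM is required for eligible assignments), a signed-in Privileged Role Administrator, and a placeholder UPN; the Global Administrator role template ID it uses is the well-known fixed value for that built-in role.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes: Microsoft.Graph module, Azure AD Premium P2, Privileged Role Administrator, placeholder UPN.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","RoleEligibilitySchedule.ReadWrite.Directory","User.Read.All" -NoWelcome

$user = Get-MgUser -UserId "chris.green@contoso.example"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# Eligible assignment, bounded to one year (the portal's "Permanently eligible" unchecked with a
# date range): the user holds nothing until they activate through PIM, with MFA and a justification.
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest `
    -Action "adminAssign" `
    -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/" `
    -Justification "Tier-1 identity operations; eligible only, JIT activation" `
    -ScheduleInfo @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "P365D" }
    }
"Eligibility request $($request.Id): $($request.Status)"

# The permanently active alternative the article also allows. Reserve it for break-glass
# accounts; everything else should be eligible.
# New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/"

# Audit: every ACTIVE Global Administrator assignment (eligible ones are not listed here).
# Role assignments use the role template ID; 62e90394-69f5-4237-9190-012177145e10 is Global Administrator.
$gaTemplate = "62e90394-69f5-4237-9190-012177145e10"
$activeGa = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$gaTemplate'" -All
"Active Global Administrator assignments: $($activeGa.Count)"
foreach ($a in $activeGa) {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    "  $($a.PrincipalId)  $($principal.AdditionalProperties['displayName'])  scope=$($a.DirectoryScopeId)"
}
```

Treat the audit output as a standing check: Microsoft's guidance is to keep the number of active Global Administrators small (a handful, including break-glass accounts), and anything beyond that should be converted to an eligible assignment with the first part of the script.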
Update roles
You can change the settings of a role assignment, for example to change an active role
to eligible.

1. Go to Azure Active Directory > Users.

2. Search for and select the user getting their role updated.

3. Go to the Assigned roles page and select the Update link for the role that needs
to be changed.

4. Change the settings as needed and select the Save button.


Remove roles
You can remove role assignments from the Administrative roles page for a selected
user.

1. Go to Azure Active Directory > Users.

2. Search for and select the user getting the role assignment removed.

3. Go to the Assigned roles page and select the Remove link for the role that needs
to be removed. Confirm the change in the pop-up message.

Next steps
Add or delete users

Add or change profile information

Add guest users from another directory

Explore other user management tasks


Manage the 'Stay signed in?' prompt
Article • 07/25/2023

The Stay signed in? prompt appears after a user successfully signs in. This process is
known as Keep me signed in (KMSI) and was previously part of the customize branding
process.

This article covers how the KMSI process works, how to enable it for customers, and how
to troubleshoot KMSI issues.

How does it work?


If a user answers Yes to the 'Stay signed in?' prompt, a persistent authentication cookie
is issued. The cookie must be stored in session for KMSI to work. KMSI won't work with
locally stored cookies. If KMSI isn't enabled, a non-persistent cookie is issued and lasts
for 24 hours or until the browser is closed.

The following diagram shows the user sign-in flow for a managed tenant and a federated
tenant using the KMSI prompt. This flow contains smart logic so that the Stay signed
in? option isn't displayed if the machine learning system detects a high-risk sign-in
or a sign-in from a shared device. For federated tenants, the prompt shows after the
user successfully authenticates with the federated identity service.

Some features of SharePoint Online and Office 2010 depend on users being able to
choose to remain signed in. If you uncheck the Show option to remain signed in
option, your users may see other unexpected prompts during the sign-in process.
License and role requirements
Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:

Azure AD Premium P1
Azure AD Premium P2
Office 365 (for Office apps)
Microsoft 365

You must have the Global Administrator role to enable the 'Stay signed in?' prompt.

Enable the 'Stay signed in?' prompt

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

The KMSI setting is managed in the User settings of Azure Active Directory (Azure AD).

1. Sign in to the Azure portal.

2. Go to Azure Active Directory > Users > User settings.

3. Set the Show keep user signed in toggle to Yes.


Troubleshoot 'Stay signed in?' issues
If a user doesn't act on the Stay signed in? prompt but abandons the sign-in attempt, a
sign-in log entry appears in the Azure AD Sign-ins page. The prompt the user sees is
called an "interrupt."
Details about the sign-in error are found in the Sign-in logs in Azure AD. Select the
impacted user from the list and locate the following details in the Basic info section.

Sign in error code: 50140

Failure reason: This error occurred due to "Keep me signed in" interrupt when the
user was signing in.

You can stop users from seeing the interrupt by setting the Show option to remain
signed in setting to No in the user settings. This setting disables the KMSI prompt for all
users in your Azure AD directory.

You also can use the persistent browser session controls in Conditional Access to
prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI
prompt for a select group of users (such as the global administrators) without affecting
sign-in behavior for everyone else in the directory.

To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI
prompt is intentionally not shown in the following scenarios:

User is signed in via seamless SSO and integrated Windows authentication (IWA)
User is signed in via Active Directory Federation Services and IWA
User is a guest in the tenant
User's risk score is high
Sign-in occurs during user or admin consent flow
Persistent browser session control is configured in a Conditional Access policy

Next steps
Learn how to customize branding for sign-in experiences
Manage user settings in Azure AD
Add or update a user's profile
information and settings
Article • 05/25/2023

A user's profile information and settings can be managed on an individual basis and for
all users in your directory. When you look at these settings together, you can see how
permissions, restrictions, and other connections work together.

This article covers how to add user profile information, such as a profile picture and job-
specific information. You can also choose to allow users to connect their LinkedIn
accounts or restrict access to the Azure AD administration portal. Some settings may be
managed in more than one area of Azure AD. For more information about adding new
users, see How to add or delete users in Azure Active Directory.

Add or change profile information

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

When new users are created, only some details are added to their user profile. If your
organization needs more details, they can be added after the user is created.

1. Sign in to the Azure portal in the User Administrator role for the organization.

2. Go to Azure Active Directory > Users and select a user.

3. There are two ways to edit user profile details. Either select Edit properties from
the top of the page or select Properties.

4. After making any changes, select the Save button.

If you selected the Edit properties option:

The full list of properties appears in edit mode on the All category.
To edit properties based on the category, select a category from the top of the
page.
Select the Save button at the bottom of the page to save any changes.
If you selected the Properties tab option:

The full list of properties appears for you to review.
To edit a property, select the pencil icon next to the category heading.
Select the Save button at the bottom of the page to save any changes.

Profile categories
There are six categories of profile details you may be able to edit.

Identity: Add or update other identity values for the user, such as a married last
name. You can set this name independently from the values of First name and Last
name. For example, you could use it to include initials, a company name, or to
change the sequence of names shown. If you have two users with the same name,
such as ‘Chris Green,’ you could use the Identity string to set their names to 'Chris
B. Green' and 'Chris R. Green.'

Job information: Add any job-related information, such as the user's job title,
department, or manager.

Contact info: Add any relevant contact information for the user.

Parental controls: For organizations like K-12 school districts, the user's age group
may need to be provided. Minors are 12 and under, Not adult are 13-18 years old,
and Adults are 18 and over. The combination of age group and consent provided
by parent options determine the Legal age group classification. The Legal age
group classification may limit the user's access and authority.

Settings: Decide whether the user can sign in to the Azure Active Directory tenant.
You can also specify the user's global location.

On-premises: Accounts synced from Windows Server Active Directory include
other values not applicable to Azure AD accounts.

Note

You must use Windows Server Active Directory to update the identity, contact info,
or job info for users whose source of authority is Windows Server Active Directory.
After you complete your update, you must wait for the next synchronization cycle
to complete before you'll see the changes.

Add or edit the profile picture
On the user's overview page, select the camera icon in the lower-right corner of the
user's thumbnail. If no image has been added, the user's initials appear here. This
picture appears in Azure Active Directory and on the user's personal pages, such as the
myapps.microsoft.com page.

All your changes are saved for the user.

Note

If you're having issues updating a user's profile picture, please ensure that your
Office 365 Exchange Online Enterprise App is Enabled for users to sign in.

Manage settings for all users
In the User settings area of Azure AD, you can adjust several settings that affect all
users. Some settings are managed in a separate area of Azure AD and linked from this
page. These settings require the Global Administrator role.

Go to Azure AD > User settings.

The following settings can be managed from Azure AD User settings.

Allow users to register their own applications
Prevent non-admins from creating their own tenants
  For more information, see default user permissions
Allow users to create security groups
Guest user access restrictions
  Guest users have the same access as members (most inclusive)
  Guest users have limited access to properties and memberships of directory
  objects
  Guest user access is restricted to properties and memberships of their own
  directory objects (most restrictive)
Restrict access to the Azure AD administration portal
Allow users to connect their work or school account with LinkedIn
Enable the "Stay signed in?" prompt
Manage external collaboration settings
  Guest user access
  Guest invite setting
  External user leave settings
  Collaboration restrictions
Manage user feature settings
  Users can use preview features for My Apps
  Administrators can access My Staff

Next steps
Add or delete users

Assign roles to users

Create a basic group and add members

View Azure AD enterprise user management documentation.


Reset a user's password using Azure
Active Directory
Article • 07/25/2023

Azure Active Directory (Azure AD) administrators can reset a user's password if the
password is forgotten, if the user gets locked out of a device, or if the user never
received a password.

Note

Unless your Azure AD tenant is the home directory for a user, you won't be able to
reset their password. This means that if your user is signing in to your organization
using an account from another organization, a Microsoft account, or a Google
account, you won't be able to reset their password.

If your user has a source of authority as Windows Server Active Directory, you'll
only be able to reset the password if you've turned on password writeback and the
user domain is managed. Changing the user password from Azure Active Directory
for federated domains is not supported. In this case, you should change the user
password in the on-premises Active Directory.

If your user has a source of authority as External Azure AD, you won't be able to
reset the password. Only the user, or an administrator in External Azure AD, can
reset the password.

Note

If you're not an administrator and you need instructions on how to reset your own
work or school password, see Reset your work or school password .

To reset a password

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.
1. Sign in to the Azure portal as a user administrator or password administrator.
For more information about the available roles, see Azure AD built-in roles.

2. Select Azure Active Directory, select Users, search for and select the user that
needs the reset, and then select Reset Password.

The Alain Charon - Profile page appears with the Reset password option.

3. In the Reset password page, select Reset password.

Note

When using Azure Active Directory, a temporary password is auto-generated
for the user. When using Active Directory on-premises, you create the
password for the user.

4. Copy the password and give it to the user. The user will be required to change the
password during the next sign-in process.

Note

The temporary password never expires. The next time the user signs in, the
password will still work, regardless of how much time has passed since the
temporary password was generated.

Important

If an administrator is unable to reset the user's password, and the Application Event
Log on the Azure AD Connect server shows error code hr=80231367, review the
user's attributes in Active Directory. If the attribute AdminCount is set to 1, this will
prevent an administrator from resetting the user's password. The attribute
AdminCount must be set to 0 in order for an administrator to reset the user's
password.

Next steps
After you've reset your user's password, you can perform the following basic processes:

Add or delete users

Assign roles to users

Add or change profile information

Create a basic group and add members

Or you can perform more complex user scenarios, such as assigning delegates, using
policies, and sharing user accounts. For more information about other available actions,
see Azure Active Directory user management documentation.
Restore or remove a recently deleted
user using Azure Active Directory
Article • 07/25/2023

After you delete a user, the account remains in a suspended state for 30 days. During
that 30-day window, the user account can be restored, along with all its properties. After
that 30-day window passes, the permanent deletion process is automatically started and
can't be stopped. During this time, the management of soft-deleted users is blocked.
This limitation also applies to restoring a soft-deleted user via a match during Tenant
sync cycle for on-premises hybrid scenarios.

You can view your restorable users, restore a deleted user, or permanently delete a user
using Azure Active Directory (Azure AD) in the Azure portal.

Important

Neither you nor Microsoft customer support can restore a permanently deleted
user.

Required permissions
You must have one of the following roles to restore and permanently delete users.

Global administrator

Partner Tier1 Support

Partner Tier2 Support

User administrator

View your restorable users


You can see all the users that were deleted less than 30 days ago. These users can be
restored.

To view your restorable users

Important
Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

1. Sign in to the Azure portal using a Global administrator account for the
organization.

2. Select Azure Active Directory, select Users, and then select Deleted users.

Review the list of users that are available to restore.

Restore a recently deleted user


When a user account is deleted from the organization, the account is in a suspended
state. All of the account's organization information is preserved. When you restore a
user, this organization information is also restored.

Note

Once a user is restored, licenses that were assigned to the user at the time of
deletion are also restored, even if there are no seats available for those licenses. If
you are then consuming more licenses than you purchased, your organization
could be temporarily out of compliance for license usage.

To restore a user
1. On the Users - Deleted users page, search for and select one of the available
users. For example, Mary Parker.

2. Select Restore user.


Permanently delete a user
You can permanently delete a user from your organization without waiting the 30 days
for automatic deletion. A permanently deleted user can't be restored by you, by another
administrator, or by Microsoft customer support.

Note

If you permanently delete a user by mistake, you'll have to create a new user and
manually enter all the previous information. For more information about creating a
new user, see Add or delete users.

To permanently delete a user


1. On the Users - Deleted users page, search for and select one of the available
users. For example, Rae Huff.

2. Select Delete permanently.


Next steps
After you've restored or deleted your users, you can:

Add or delete users

Assign roles to users

Add or change profile information

Add guest users from another organization

For more information about other available user management tasks, see Azure AD user
management documentation.
What are the default user permissions in
Azure Active Directory?
Article • 03/13/2023

In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A
user's access consists of the type of user, their role assignments, and their ownership of
individual objects.

This article describes those default permissions and compares the member and guest
user defaults. The default user permissions can be changed only in user settings in Azure
AD.

Member and guest users


The set of default permissions depends on whether the user is a native member of the
tenant (member user) or whether the user is brought over from another directory as a
business-to-business (B2B) collaboration guest (guest user). For more information about
adding guest users, see What is Azure AD B2B collaboration?. Here are the capabilities of
the default permissions:

Member users can register applications, manage their own profile photo and
mobile phone number, change their own password, and invite B2B guests. These
users can also read all directory information (with a few exceptions).

Guest users have restricted directory permissions. They can manage their own
profile, change their own password, and retrieve some information about other
users, groups, and apps. However, they can't read all directory information.

For example, guest users can't enumerate the list of all users, groups, and other
directory objects. Guests can be added to administrator roles, which grant them full
read and write permissions. Guests can also invite other guests.

Compare member and guest default permissions

Area: Users and contacts
  Member user permissions:
    Enumerate the list of all users and contacts
    Read all public properties of users and contacts
    Invite guests
    Change their own password
    Manage their own mobile phone number
    Manage their own photo
    Invalidate their own refresh tokens
  Default guest user permissions:
    Read their own properties
    Read display name, email, sign-in name, photo, user principal name, and user
    type properties of other users and contacts
    Change their own password
    Search for another user by object ID (if allowed)
    Read manager and direct report information of other users
  Restricted guest user permissions:
    Read their own properties
    Change their own password
    Manage their own mobile phone number

Area: Groups
  Member user permissions:
    Create security groups
    Create Microsoft 365 groups
    Enumerate the list of all groups
    Read all properties of groups
    Read non-hidden group memberships
    Read hidden Microsoft 365 group memberships for joined groups
    Manage properties, ownership, and membership of groups that the user owns
    Add guests to owned groups
    Manage dynamic membership settings
    Delete owned groups
    Restore owned Microsoft 365 groups
  Default guest user permissions:
    Read properties of non-hidden groups, including membership and ownership
    (even non-joined groups)
    Read hidden Microsoft 365 group memberships for joined groups
    Search for groups by display name or object ID (if allowed)
  Restricted guest user permissions:
    Read object ID for joined groups
    Read membership and ownership of joined groups in some Microsoft 365 apps
    (if allowed)

Area: Applications
  Member user permissions:
    Register (create) new applications
    Enumerate the list of all applications
    Read properties of registered and enterprise applications
    Manage application properties, assignments, and credentials for owned
    applications
    Create or delete application passwords for users
    Delete owned applications
    Restore owned applications
    List permissions granted to applications
  Default guest user permissions:
    Read properties of registered and enterprise applications
    List permissions granted to applications
  Restricted guest user permissions:
    Read properties of registered and enterprise applications
    List permissions granted to applications

Area: Devices
  Member user permissions:
    Enumerate the list of all devices
    Read all properties of devices
    Manage all properties of owned devices
  Default guest user permissions:
    No permissions
  Restricted guest user permissions:
    No permissions

Area: Organization
  Member user permissions:
    Read all company information
    Read all domains
    Read configuration of certificate-based authentication
    Read all partner contracts
  Default guest user permissions:
    Read company display name
    Read all domains
    Read configuration of certificate-based authentication
  Restricted guest user permissions:
    Read company display name
    Read all domains

Area: Roles and scopes
  Member user permissions:
    Read all administrative roles and memberships
    Read all properties and membership of administrative units
  Default guest user permissions:
    No permissions
  Restricted guest user permissions:
    No permissions

Area: Subscriptions
  Member user permissions:
    Read all licensing subscriptions
    Enable service plan memberships
  Default guest user permissions:
    No permissions
  Restricted guest user permissions:
    No permissions

Area: Policies
  Member user permissions:
    Read all properties of policies
    Manage all properties of owned policies
  Default guest user permissions:
    No permissions
  Restricted guest user permissions:
    No permissions
Restrict member users' default permissions


It's possible to add restrictions to users' default permissions.
You can restrict default permissions for member users in the following ways:

Caution

Using the Restrict access to Azure AD administration portal switch is NOT a
security measure. For more information on the functionality, see the table below.

Permission and setting explanation:

Register applications
Setting this option to No prevents users from creating application registrations.
You can then grant the ability back to specific individuals by adding them to the
application developer role.

Allow users to connect work or school account with LinkedIn
Setting this option to No prevents users from connecting their work or school
account with their LinkedIn account. For more information, see LinkedIn account
connections data sharing and consent.

Create security groups
Setting this option to No prevents users from creating security groups. Global
administrators and user administrators can still create security groups. To learn
how, see Azure Active Directory cmdlets for configuring group settings.

Create Microsoft 365 groups
Setting this option to No prevents users from creating Microsoft 365 groups.
Setting this option to Some allows a set of users to create Microsoft 365 groups.
Global administrators and user administrators can still create Microsoft 365
groups. To learn how, see Azure Active Directory cmdlets for configuring group
settings.

Restrict access to Azure AD administration portal
What does this switch do?
No lets non-administrators browse the Azure AD administration portal.
Yes restricts non-administrators from browsing the Azure AD administration
portal. Non-administrators who are owners of groups or applications are unable
to use the Azure portal to manage their owned resources.

What does it not do?
It doesn't restrict access to Azure AD data using PowerShell, the Microsoft Graph
API, or other clients such as Visual Studio.
It doesn't restrict access as long as a user is assigned a custom role (or any role).

When should I use this switch?
Use this option to prevent users from misconfiguring the resources that they
own.

When should I not use this switch?
Don't use this switch as a security measure. Instead, create a Conditional Access
policy that targets Microsoft Azure Management and blocks non-administrators'
access to Microsoft Azure Management.

How do I grant only specific non-administrator users the ability to use the
Azure AD administration portal?
Set this option to Yes, then assign them a role like global reader.

Restrict access to the Entra administration portal
A Conditional Access policy that targets Microsoft Azure Management targets
access to all Azure management.

Restrict non-admin users from creating tenants
Users can create tenants in the Azure AD and Entra administration portal under
Manage tenant. The creation of a tenant is recorded in the Audit log as category
DirectoryManagement and activity Create Company. Anyone who creates a
tenant becomes the Global Administrator of that tenant. The newly created
tenant doesn't inherit any settings or configurations.

What does this switch do?
Setting this option to Yes restricts creation of Azure AD tenants to the Global
Administrator or tenant creator roles. Setting this option to No allows non-
admin users to create Azure AD tenants. Tenant creation will continue to be
recorded in the Audit log.

How do I grant only specific non-administrator users the ability to create
new tenants?
Set this option to Yes, then assign them the tenant creator role.

Restrict users from recovering the BitLocker key(s) for their owned devices
Setting this option to Yes restricts users from being able to self-service recover
BitLocker key(s) for their owned devices. Users will have to contact their
organization's helpdesk to retrieve their BitLocker keys. Setting this option to No
allows users to recover their BitLocker key(s).

Read other users
This setting is available in Microsoft Graph and PowerShell only. Setting this flag
to $false prevents all non-admins from reading user information from the
directory. This flag doesn't prevent reading user information in other Microsoft
services like Exchange Online.
This setting is meant for special circumstances, so we don't recommend setting
the flag to $false.

The Restrict non-admin users from creating tenants option is shown below
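The tenant-creation audit event named in the table (category DirectoryManagement, activity Create Company) is something a defender can watch for directly. The following is an added example, not code from the article: it scans constructed records shaped like Microsoft Graph directoryAudit objects and reports successful tenant creations by actors outside a hypothetical allow-list of expected tenant creators.

```python
"""Flag tenant creations by accounts not expected to create them, from Azure AD
audit log records. Added example, not Microsoft's code: the records are
constructed to match the shape of Microsoft Graph directoryAudit objects
(category, activityDisplayName, result, activityDateTime, initiatedBy), and the
allow-list of expected tenant creators is hypothetical."""
import json

# Constructed sample export, shaped like /auditLogs/directoryAudits output;
# only the fields used below are included.
SAMPLE_AUDIT_RECORDS = json.loads("""
[
  {"activityDateTime": "2023-07-25T09:14:02Z", "category": "DirectoryManagement",
   "activityDisplayName": "Create Company", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alain@contoso.com"}, "app": null}},
  {"activityDateTime": "2023-07-25T10:30:00Z", "category": "DirectoryManagement",
   "activityDisplayName": "Create Company", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}, "app": null}},
  {"activityDateTime": "2023-07-25T11:05:00Z", "category": "UserManagement",
   "activityDisplayName": "Reset user password", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}, "app": null}},
  {"activityDateTime": "2023-07-25T12:00:00Z", "category": "DirectoryManagement",
   "activityDisplayName": "Create Company", "result": "success",
   "initiatedBy": {"user": null, "app": {"displayName": "Provisioning Tool"}}}
]
""")

# Hypothetical allow-list: Global Administrators and tenant creator role holders.
EXPECTED_TENANT_CREATORS = {"admin@contoso.com"}


def actor_of(record):
    """Return the initiating user's UPN, or 'app:<name>' when an application acted."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"]
    app = initiated.get("app") or {}
    return "app:" + app.get("displayName", "unknown")


def is_tenant_creation(record):
    """True for a successful 'Create Company' event in the DirectoryManagement category."""
    return (record.get("category") == "DirectoryManagement"
            and record.get("activityDisplayName") == "Create Company"
            and record.get("result") == "success")


def unexpected_tenant_creations(records, expected):
    """Return (actor, activityDateTime) for tenant creations by actors outside `expected`."""
    return [(actor_of(r), r.get("activityDateTime"))
            for r in records
            if is_tenant_creation(r) and actor_of(r) not in expected]


if __name__ == "__main__":
    for actor, when in unexpected_tenant_creations(SAMPLE_AUDIT_RECORDS,
                                                    EXPECTED_TENANT_CREATORS):
        print(f"{when}: tenant created by {actor}")
```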

Restrict guest users' default permissions


You can restrict default permissions for guest users in the following ways.

Note

The Guest user access restrictions setting replaced the Guest users permissions
are limited setting. For guidance on using this feature, see Restrict guest access
permissions in Azure Active Directory.

Permission and setting explanation:

Guest user access restrictions
Setting this option to Guest users have the same access as members grants all
member user permissions to guest users by default.
Setting this option to Guest user access is restricted to properties and
memberships of their own directory objects restricts guest access to only their own
user profile by default. Access to other users is no longer allowed, even when
they're searching by user principal name, object ID, or display name. Access to
group information, including group memberships, is also no longer allowed.
This setting doesn't prevent access to joined groups in some Microsoft 365 services
like Microsoft Teams. To learn more, see Microsoft Teams guest access.
Guest users can still be added to administrator roles regardless of this permission
setting.

Guests can invite
Setting this option to Yes allows guests to invite other guests. To learn more, see
Configure external collaboration settings.

Object ownership

Application registration owner permissions


When a user registers an application, they're automatically added as an owner for the
application. As an owner, they can manage the metadata of the application, such as the
name and permissions that the app requests. They can also manage the tenant-specific
configuration of the application, such as the single sign-on (SSO) configuration and user
assignments.

An owner can also add or remove other owners. Unlike global administrators, owners
can manage only the applications that they own.

Enterprise application owner permissions


When a user adds a new enterprise application, they're automatically added as an
owner. As an owner, they can manage the tenant-specific configuration of the
application, such as the SSO configuration, provisioning, and user assignments.

An owner can also add or remove other owners. Unlike global administrators, owners
can manage only the applications that they own.

Group owner permissions


When a user creates a group, they're automatically added as an owner for that group. As
an owner, they can manage properties of the group (such as the name) and manage
group membership.

An owner can also add or remove other owners. Unlike global administrators and user
administrators, owners can manage only the groups that they own.

To assign a group owner, see Managing owners for a group.

Ownership permissions
The following tables describe the specific permissions in Azure AD that member users
have over owned objects. Users have these permissions only on objects that they own.

Owned application registrations


Users can perform the following actions on owned application registrations:

Action and description:

microsoft.directory/applications/audience/update: Update the applications.audience property in Azure AD.
microsoft.directory/applications/authentication/update: Update the applications.authentication property in Azure AD.
microsoft.directory/applications/basic/update: Update basic properties on applications in Azure AD.
microsoft.directory/applications/credentials/update: Update the applications.credentials property in Azure AD.
microsoft.directory/applications/delete: Delete applications in Azure AD.
microsoft.directory/applications/owners/update: Update the applications.owners property in Azure AD.
microsoft.directory/applications/permissions/update: Update the applications.permissions property in Azure AD.
microsoft.directory/applications/policies/update: Update the applications.policies property in Azure AD.
microsoft.directory/applications/restore: Restore applications in Azure AD.


Owned enterprise applications
Users can perform the following actions on owned enterprise applications. An enterprise
application consists of a service principal, one or more application policies, and
sometimes an application object in the same tenant as the service principal.

Action and description:

microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on audit logs in Azure AD.
microsoft.directory/policies/basic/update: Update basic properties on policies in Azure AD.
microsoft.directory/policies/delete: Delete policies in Azure AD.
microsoft.directory/policies/owners/update: Update the policies.owners property in Azure AD.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update: Update the servicePrincipals.appRoleAssignedTo property in Azure AD.
microsoft.directory/servicePrincipals/appRoleAssignments/update: Update the users.appRoleAssignments property in Azure AD.
microsoft.directory/servicePrincipals/audience/update: Update the servicePrincipals.audience property in Azure AD.
microsoft.directory/servicePrincipals/authentication/update: Update the servicePrincipals.authentication property in Azure AD.
microsoft.directory/servicePrincipals/basic/update: Update basic properties on service principals in Azure AD.
microsoft.directory/servicePrincipals/credentials/update: Update the servicePrincipals.credentials property in Azure AD.
microsoft.directory/servicePrincipals/delete: Delete service principals in Azure AD.
microsoft.directory/servicePrincipals/owners/update: Update the servicePrincipals.owners property in Azure AD.
microsoft.directory/servicePrincipals/permissions/update: Update the servicePrincipals.permissions property in Azure AD.
microsoft.directory/servicePrincipals/policies/update: Update the servicePrincipals.policies property in Azure AD.
microsoft.directory/signInReports/allProperties/read: Read all properties (including privileged properties) on sign-in reports in Azure AD.

Owned devices

Users can perform the following actions on owned devices:

Action and description:

microsoft.directory/devices/bitLockerRecoveryKeys/read: Read the devices.bitLockerRecoveryKeys property in Azure AD.
microsoft.directory/devices/disable: Disable devices in Azure AD.

Owned groups

Users can perform the following actions on owned groups.

Note

Owners of dynamic groups must have a global administrator, group administrator,
Intune administrator, or user administrator role to edit group membership rules. For
more information, see Create or update a dynamic group in Azure Active
Directory.

Action and description:

microsoft.directory/groups/appRoleAssignments/update: Update the groups.appRoleAssignments property in Azure AD.
microsoft.directory/groups/basic/update: Update basic properties on groups in Azure AD.
microsoft.directory/groups/delete: Delete groups in Azure AD.
microsoft.directory/groups/members/update: Update the groups.members property in Azure AD.
microsoft.directory/groups/owners/update: Update the groups.owners property in Azure AD.
microsoft.directory/groups/restore: Restore groups in Azure AD.
microsoft.directory/groups/settings/update: Update the groups.settings property in Azure AD.

Next steps
To learn more about the Guest user access restrictions setting, see Restrict guest
access permissions in Azure Active Directory.
To learn more about how to assign Azure AD administrator roles, see Assign a user
to administrator roles in Azure Active Directory.
To learn more about how resource access is controlled in Microsoft Azure, see
Understanding resource access in Azure.
For more information on how Azure AD relates to your Azure subscription, see
How Azure subscriptions are associated with Azure Active Directory.
Manage users.
Learn about groups and access rights in
Azure Active Directory
Article • 03/10/2023

Azure Active Directory (Azure AD) provides several ways to manage access to resources,
applications, and tasks. With Azure AD groups, you can grant access and permissions to
a group of users instead of for each individual user. Limiting access to Azure AD
resources to only those users who need access is one of the core security principles of
Zero Trust. This article provides an overview of how groups and access rights can be
used together to make managing your Azure AD users easier while also applying
security best practices.

Azure AD lets you use groups to manage access to applications, data, and resources.
Resources can be:

Part of the Azure AD organization, such as permissions to manage objects through
roles in Azure AD
External to the organization, such as for Software as a Service (SaaS) apps
Azure services
SharePoint sites
On-premises resources

Some groups can't be managed in the Azure portal:

Groups synced from on-premises Active Directory can be managed only in on-
premises Active Directory.
Distribution lists and mail-enabled security groups are managed only in Exchange
admin center or Microsoft 365 admin center. You must sign in to Exchange admin
center or Microsoft 365 admin center to manage these groups.

What to know before creating a group


There are two group types and three group membership types. Review the options to
find the right combination for your scenario.

Group types:
Security: Used to manage user and computer access to shared resources.
For example, you can create a security group so that all group members have the same
set of security permissions. Members of a security group can include users, devices,
other groups, and service principals, which define access policy and permissions. Owners
of a security group can include users and service principals.

Microsoft 365: Provides collaboration opportunities by giving group members access to
a shared mailbox, calendar, files, SharePoint sites, and more.

This option also lets you give people outside of your organization access to the group.
Members of a Microsoft 365 group can only include users. Owners of a Microsoft 365
group can include users and service principals. For more info about Microsoft 365
Groups, see Learn about Microsoft 365 Groups .

Membership types:
Assigned: Lets you add specific users as members of a group and have unique
permissions.

Dynamic user: Lets you use dynamic membership rules to automatically add and
remove members. If a member's attributes change, the system looks at your
dynamic group rules for the directory to see if the member meets the rule
requirements (is added), or no longer meets the rules requirements (is removed).

Dynamic device: Lets you use dynamic group rules to automatically add and
remove devices. If a device's attributes change, the system looks at your dynamic
group rules for the directory to see if the device meets the rule requirements (is
added), or no longer meets the rules requirements (is removed).

Important

You can create a dynamic group for either devices or users, but not for both.
You can't create a device group based on the device owners' attributes.
Device membership rules can only reference device attributes. For more info
about creating a dynamic group for users and devices, see Create a dynamic
group and check status.

What to know before adding access rights to a group

After creating an Azure AD group, you need to grant it the appropriate access. Each
application, resource, and service that requires access permissions needs to be managed
separately because the permissions for one may not be the same as another. Grant
access using the principle of least privilege to help reduce the risk of attack or a security
breach.

How access management in Azure AD works


Azure AD helps you give access to your organization's resources by providing access
rights to a single user or to an entire Azure AD group. Using groups lets the resource
owner or Azure AD directory owner assign a set of access permissions to all the
members of the group. The resource or directory owner can also give management
rights to someone such as a department manager or a help desk administrator, letting
that person add and remove members. For more information about how to manage
group owners, see the Manage groups article.

Ways to assign access rights


After creating a group, you need to decide how to assign access rights. Explore the ways
to assign access rights to determine the best process for your scenario.

Direct assignment. The resource owner directly assigns the user to the resource.

Group assignment. The resource owner assigns an Azure AD group to the
resource, which automatically gives all of the group members access to the
resource. Group membership is managed by both the group owner and the
resource owner, letting either owner add or remove members from the group. For
more information about managing group membership, see the Manage groups
article.

Rule-based assignment. The resource owner creates a group and uses a rule to
define which users are assigned to a specific resource. The rule is based on
attributes that are assigned to individual users. The resource owner manages the
rule, determining which attributes and values are required to allow access to the
resource. For more information, see Create a dynamic group and check status.

External authority assignment. Access comes from an external source, such as an
on-premises directory or a SaaS app. In this situation, the resource owner assigns a
group to provide access to the resource and then the external source manages the
group members.
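
The dynamic membership types listed under "Membership types" above and the rule-based assignment just described rest on the same mechanism: a rule over user attributes is re-evaluated whenever attributes change, and members are added or removed accordingly. The following is an added example, not Microsoft's code: a simplified evaluator for the rule form user.<attribute> -eq "value" joined with and/or/not, run over constructed users; the rule, the users and case-insensitive string comparison are assumptions of the example.

```python
"""Evaluate Azure AD-style dynamic membership rules over user attributes. Added
example, not Microsoft's code: a simplified evaluator for rules of the form
user.<attribute> -op "value" joined with and/or/not, showing how a rule-based
group gains and loses members when attributes change. Sample users are
constructed; case-insensitive string comparison is an assumption."""
import re

# Token classes: parentheses, "quoted strings", and bare words (property names
# such as user.department, operators such as -eq, the keywords and/or/not).
TOKEN = re.compile(r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<str>"[^"]*")|(?P<word>[-\w.]+))')

def tokenize(rule):
    pos, out = 0, []
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at {rule[pos:]!r}")
        pos = m.end()
        out.append((m.lastgroup, m.group(m.lastgroup)))
    return out

def _norm(v):
    return v.casefold() if isinstance(v, str) else v

OPERATORS = {  # keyed by lower-cased spelling, so -startsWith in a rule maps here
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-startswith": lambda a, b: isinstance(a, str) and _norm(a).startswith(_norm(b)),
}

class RuleParser:
    """Recursive-descent parser turning a rule into a predicate over a user dict."""
    def __init__(self, rule):
        self.toks, self.i = tokenize(rule.strip()), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, "")
    def take(self, kind):
        k, t = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {t!r}")
        self.i += 1
        return t
    def at_word(self, word):
        k, t = self.peek()
        return k == "word" and t.lower() == word
    def parse(self):
        pred = self.expr()
        if self.peek()[0] is not None:
            raise ValueError("unexpected tokens after end of rule")
        return pred
    def expr(self):  # expr := term ('or' term)*
        parts = [self.term()]
        while self.at_word("or"):
            self.i += 1
            parts.append(self.term())
        return lambda u: any(p(u) for p in parts)
    def term(self):  # term := factor ('and' factor)*
        parts = [self.factor()]
        while self.at_word("and"):
            self.i += 1
            parts.append(self.factor())
        return lambda u: all(p(u) for p in parts)
    def factor(self):  # factor := 'not' factor | '(' expr ')' | comparison
        if self.at_word("not"):
            self.i += 1
            inner = self.factor()
            return lambda u: not inner(u)
        if self.peek()[0] == "lp":
            self.i += 1
            inner = self.expr()
            self.take("rp")
            return inner
        return self.comparison()
    def comparison(self):  # comparison := user.<attribute> <operator> "value"
        prop = self.take("word")
        if not prop.startswith("user."):
            raise ValueError(f"unsupported property {prop!r}")
        attr, op = prop[len("user."):], self.take("word").lower()
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
        value = self.take("str")[1:-1]
        return lambda u: OPERATORS[op](u.get(attr), value)

def evaluate_membership(rule, users, current_members):
    """Re-evaluate rule over users; return (ids to add, ids to remove) vs current_members."""
    matches = RuleParser(rule).parse()
    should_be = {u["id"] for u in users if matches(u)}
    return should_be - set(current_members), set(current_members) - should_be

# Constructed sample rule, users, and the group's membership before the last
# attribute changes (rae moved to Marketing, carol joined Sales).
SALES_RULE = ('(user.department -eq "Sales") and (user.country -eq "US") '
              'and not (user.userType -eq "Guest")')
SAMPLE_USERS = [
    {"id": "alain", "department": "Sales", "country": "US", "userType": "Member"},
    {"id": "mary", "department": "Sales", "country": "US", "userType": "Guest"},
    {"id": "rae", "department": "Marketing", "country": "US", "userType": "Member"},
    {"id": "carol", "department": "sales", "country": "US", "userType": "Member"},
]
CURRENT_MEMBERS = {"alain", "rae"}
```

Running evaluate_membership(SALES_RULE, SAMPLE_USERS, CURRENT_MEMBERS) adds carol and removes rae; changing alain's department and re-evaluating removes alain too.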

Can users join groups without being assigned?


The group owner can let users find their own groups to join, instead of assigning them.
The owner can also set up the group to automatically accept all users that join or to
require approval.

After a user requests to join a group, the request is forwarded to the group owner. If it's
required, the owner can approve the request and the user is notified of the group
membership. If you have multiple owners and one of them disapproves, the user is
notified, but isn't added to the group. For more information and instructions about how
to let your users request to join groups, see Set up Azure AD so users can request to
join groups.
Next steps
Create and manage Azure AD groups and group membership

Learn about group-based licensing in Azure AD

Manage access to SaaS apps using groups

Manage dynamic rules for users in a group

Learn about Privileged Identity Management for Azure AD roles


Quickstart: Create a group with
members and view all groups and
members in Azure Active Directory
Article • 07/25/2023

You can view your organization's existing groups and group members using the Azure
portal. Groups are used to manage users that all need the same access and permissions
for potentially restricted apps and services.

In this quickstart, you’ll set up a new group and assign members to the group. Then
you'll view your organization's group and assigned members. Throughout this guide,
you'll create a user and group that you can use in other Azure AD Fundamentals
quickstarts and tutorials.

If you don’t have an Azure subscription, create a free account before you begin.

Prerequisites
Before you begin, you’ll need to:

Create an Azure Active Directory tenant. For more information, see Access the
Azure portal and create a new tenant.

Sign in to the Azure portal

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

You must sign in to the Azure portal using a Global administrator account for the
directory.

Create a new group


Create a new group, named MDM policy - West. For more information about creating a
group, see How to create a basic group and add members.
1. Go to Azure Active Directory > Groups.

2. Select New group.

3. Complete the Group page:

Group type: Select Security

Group name: Type MDM policy - West

Membership type: Select Assigned.

4. Select Create.

Create a new user


A user must exist before being added as a group member, so you'll need to create a
new user. For this quickstart, we've added a user named Alain Charon. Check the
"Custom domain names" tab first to get the verified domain name in which to create
users. For more information about creating a user, see How to add or delete users.

1. Go to Azure Active Directory > Users.

2. Select New user.

3. Complete the User page:

Name: Type Alain Charon.

User name: Type alain@contoso.com.

4. Copy the auto-generated password provided in the Password box and select
Create.

Add a group member


Now that you have a group and a user, you can add Alain Charon as a member to the
MDM policy - West group. For more information about adding group members, see the
Manage groups article.

1. Go to Azure Active Directory > Groups.

2. From the Groups - All groups page, search for and select the MDM policy - West
group.
3. From the MDM policy - West Overview page, select Members from the Manage
area.

4. Select Add members, and then search and select Alain Charon.

5. Choose Select.

View all groups


You can see all the groups for your organization in the Groups - All groups page of the
Azure portal.

Go to Azure Active Directory > Groups.

The Groups - All groups page appears, showing all your active groups.

Search for a group


Search the Groups – All groups page to find the MDM policy – West group.

1. From the Groups - All groups page, type MDM into the Search box.

The search results appear under the Search box, including the MDM policy - West
group.
2. Select the group MDM policy – West.

3. View the group info on the MDM policy - West Overview page, including the
number of members of that group.
View group members
Now that you’ve found the group, you can view all the assigned members.

Select Members from the Manage area, and then review the complete list of member
names assigned to that specific group, including Alain Charon.
Clean up resources
The group you just created is used in other articles in the Azure AD Fundamentals
documentation. If you'd rather not use this group, you can delete it and its assigned
members using the following steps:

1. On the Groups - All groups page, search for the MDM policy - West group.

2. Select the MDM policy - West group.

The MDM policy - West Overview page appears.

3. Select Delete.

The group and its associated members are deleted.


) Important

This doesn't delete the user Alain Charon, just his membership in the deleted
group.

Next steps
Advance to the next article to learn how to associate a subscription to your Azure AD
directory.

Associate an Azure subscription


Manage Azure Active Directory groups and group membership
Article • 03/16/2023

Azure Active Directory (Azure AD) groups are used to manage users that all need the
same access and permissions to resources, such as potentially restricted apps and
services. Instead of adding special permissions to individual users, you create a group
that applies the special permissions to every member of that group.

This article covers basic group scenarios where a single group is added to a single
resource and users are added as members to that group. For more complex scenarios
like dynamic memberships and rule creation, see the Azure Active Directory user
management documentation.

Before adding groups and members, learn about groups and membership types to help
you decide which options to use when you create a group.

Create a basic group and add members


You can create a basic group and add your members at the same time using the Azure
Active Directory (Azure AD) portal. Azure AD roles that can manage groups include
Groups Administrator, User Administrator, Privileged Role Administrator, and Global
Administrator. Review the appropriate Azure AD roles for managing groups.

To create a basic group and add members:

1. Sign in to the Azure portal.

2. Go to Azure Active Directory > Groups > New group.


3. Select a Group type. For more information on group types, see the learn about
groups and membership types article.

Selecting the Microsoft 365 Group type enables the Group email address
option.

4. Enter a Group name. Choose a name that you'll remember and that makes sense
for the group. A check will be performed to determine if the name is already in
use. If the name is already in use, you'll be asked to change the name of your
group.

5. Group email address: Only available for Microsoft 365 group types. Enter an email
address manually or use the email address built from the Group name you
provided.

6. Group description. Add an optional description to your group.

7. Switch the Azure AD roles can be assigned to the group setting to yes to use this
group to assign Azure AD roles to members.

This option is only available with Premium P1 or P2 licenses.


You must have the Privileged Role Administrator or Global Administrator
role.
Enabling this option automatically selects Assigned as the Membership type.
The ability to add roles while creating the group is added to the process.
Learn more about role-assignable groups.

8. Select a Membership type. For more information on membership types, see the
learn about groups and membership types article.
9. Optionally add Owners or Members. Members and owners can be added after
creating your group.
a. Select the link under Owners or Members to populate a list of every user in
your directory.
b. Choose users from the list and then select the Select button at the bottom of
the window.

10. Select Create. Your group is created and ready for you to manage other settings.

Turn off group welcome email


A welcome notification is sent to all users when they're added to a new Microsoft 365
group, regardless of the membership type. When an attribute of a user or device
changes, all dynamic group rules in the organization are processed for potential
membership changes. Users who are added then also receive the welcome notification.
You can turn off this behavior in Exchange PowerShell.
Add or remove members and owners
Members and owners can be added to and removed from existing Azure AD groups.
The process is the same for members and owners. You'll need the Groups Administrator
or User Administrator role to add and remove members and owners.

Need to add multiple members at one time? Learn about the add members in bulk
option.

Add members or owners of a group:


1. Sign in to the Azure portal.

2. Go to Azure Active Directory > Groups.

3. Select the group you need to manage.

4. Select either Members or Owners.


5. Select + Add (members or owners).

6. Scroll through the list or enter a name in the search box. You can choose multiple
names at one time. When you're ready, select the Select button.

The Group Overview page updates to show the number of members who are now
added to the group.

Remove members or owners of a group:


1. Go to Azure Active Directory > Groups.

2. Select the group you need to manage.

3. Select either Members or Owners.

4. Check the box next to a name from the list and select the Remove button.
Edit group settings
Using Azure AD, you can edit a group's name, description, or membership type. You'll
need the Groups Administrator or User Administrator role to edit a group's settings.

To edit your group settings:

1. Sign in to the Azure portal.

2. Go to Azure Active Directory > Groups. The Groups - All groups page appears,
showing all of your active groups.

3. Scroll through the list or enter a group name in the search box. Select the group
you need to manage.

4. Select Properties from the side menu.


5. Update the General settings information as needed, including:

Group name. Edit the existing group name.

Group description. Edit the existing group description.

Group type. You can't change the type of group after it's been created. To
change the Group type, you must delete the group and create a new one.

Membership type. Change the membership type. If you enabled the Azure
AD roles can be assigned to the group option, you can't change the
membership type. For more info about the available membership types, see
the learn about groups and membership types article.

Object ID. You can't change the Object ID, but you can copy it to use in your
PowerShell commands for the group. For more info about using PowerShell
cmdlets, see Azure Active Directory cmdlets for configuring group settings.
Add or remove a group from another group
You can add an existing Security group to another Security group (also known as nested
groups). Depending on the group types, you can add a group as a member of another
group, just like a user, which applies settings like roles and access to the nested groups.
You'll need the Groups Administrator or User Administrator role to edit group
membership.

We currently don't support:

Adding groups to a group synced with on-premises Active Directory.


Adding Security groups to Microsoft 365 groups.
Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.
Assigning apps to nested groups.
Applying licenses to nested groups.
Adding distribution groups in nesting scenarios.
Adding security groups as members of mail-enabled security groups.
Adding groups as members of a role-assignable group.

Add a group to another group


1. Sign in to the Azure portal.

2. Go to Azure Active Directory > Groups.

3. On the Groups - All groups page, search for and select the group you want to
become a member of another group.

Note

You only can add your group as a member to one other group at a time.
Wildcard characters aren't supported in the Select Group search box.

4. On the group Overview page, select Group memberships from the side menu.

5. Select + Add memberships.

6. Locate the group you want your group to be a member of and choose Select.

For this exercise, we're adding "MDM policy - West" to the "MDM policy - All org"
group. The "MDM policy - West" group will have the same access as the "MDM
policy - All org" group.
Now you can review the "MDM policy - West - Group memberships" page to see the
group and member relationship.

For a more detailed view of the group and member relationship, select the parent group
name (MDM policy - All org) and take a look at the "MDM policy - West" page details.

Remove a group from another group


You can remove an existing Security group from another Security group; however,
removing the group also removes any inherited access for its members.

1. On the Groups - All groups page, search for and select the group you need to
remove as a member of another group.

2. On the group Overview page, select Group memberships.

3. Select the parent group from the Group memberships page.

4. Select Remove.

For this exercise, we're now going to remove "MDM policy - West" from the "MDM
policy - All org" group.
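The nesting exercise above, as an added example that is not code from the Azure AD documentation: a small Python model that computes a group's effective members through nested groups (the access a member inherits from every parent) and shows what removing the nested group does to that inherited access. The directory is a constructed in-memory dictionary rather than Microsoft Graph data; the group names and Alain Charon are the article's, and "Diego Siciliani" is a constructed direct member of the parent group.

```python
"""Effective (transitive) membership of nested Azure AD groups.

Added example, not code from the Azure AD documentation. The directory below is
a constructed in-memory dictionary, not data read from Microsoft Graph.
"""
from typing import Dict, List, Set


def effective_members(group: str, members: Dict[str, List[str]]) -> Set[str]:
    """Return every user who belongs to `group` directly or through nesting.

    `members` maps a group name to its direct members. A member whose name is
    itself a key of `members` is a nested group and is expanded; anything else is
    a user. The `seen` set stops the walk if the data ever contains a nesting loop.
    """
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in members.get(current, []):
            if member in members:      # nested group: expand it
                stack.append(member)
            else:                      # user
                users.add(member)
    return users


def remove_nested_group(parent: str, child: str,
                        members: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return a copy of `members` in which `child` is no longer a member of `parent`.

    The child group and its own members are untouched; only the inherited access
    through `parent` disappears, which is what the article's remove step does.
    """
    updated = {g: list(m) for g, m in members.items()}
    updated[parent] = [m for m in updated.get(parent, []) if m != child]
    return updated


# Constructed sample directory: "MDM policy - West" is nested in
# "MDM policy - All org" (the article's exercise); Alain Charon is a member of
# the West group and Diego Siciliani (constructed) is a direct member of All org.
SAMPLE = {
    "MDM policy - All org": ["MDM policy - West", "Diego Siciliani"],
    "MDM policy - West": ["Alain Charon"],
}

if __name__ == "__main__":
    print(sorted(effective_members("MDM policy - All org", SAMPLE)))
    after = remove_nested_group("MDM policy - All org", "MDM policy - West", SAMPLE)
    print(sorted(effective_members("MDM policy - All org", after)))
```

Running the block first lists both users as effective members of "MDM policy - All org"; after the removal only the direct member remains, while "MDM policy - West" still contains Alain Charon. Before removing a nested group in a real tenant, the same expansion tells you exactly whose access to the parent's apps and roles you are about to revoke.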
Delete a group
You can delete an Azure AD group for any number of reasons, but typically it will be
because you:

Chose the incorrect Group type option.

Created a duplicate group by mistake.

No longer need the group.

To delete a group, you'll need the Groups Administrator or User Administrator role.

1. Sign in to the Azure portal.

2. Go to Azure Active Directory > Groups.

3. Search for and select the group you want to delete.

4. Select Delete.

The group is deleted from your Azure Active Directory tenant.

Next steps
Learn about groups and assigning access rights to groups

Manage groups using PowerShell commands

Manage dynamic rules for users in a group


Scenarios, limitations, and known issues using groups to manage licensing in Azure
Active Directory

Associate or add an Azure subscription to Azure Active Directory


What is group-based licensing in Azure Active Directory?
Article • 07/17/2023

Microsoft paid cloud services, such as Microsoft 365, Enterprise Mobility + Security,
Dynamics 365, and other similar products, require licenses. These licenses are assigned
to each user who needs access to these services. To manage licenses, administrators use
one of the management portals (Office or Azure) and PowerShell cmdlets. Azure AD is
the underlying infrastructure that supports identity management for all Microsoft cloud
services. Azure AD stores information about license assignment states for users.

Azure AD includes group-based licensing, which allows you to assign one or more
product licenses to a group. Azure AD ensures that the licenses are assigned to all
members of the group. Any new members who join the group are assigned the
appropriate licenses. When they leave the group, those licenses are removed. This
licensing management eliminates the need for automating license management via
PowerShell to reflect changes in the organization and departmental structure on a per-
user basis.

Licensing requirements
You must have one of the following licenses for every user who benefits from group-
based licensing:

Paid or trial subscription for Azure AD Premium P1 and above

Paid or trial edition of Microsoft 365 Business Premium or Office 365 Enterprise E3
or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for GCCH or Office 365 E3
for DOD and above

Required number of licenses


For any groups assigned a license, you must also have a license for each unique
member. While you don't have to assign each member of the group a license, you must
have at least enough licenses to include all of the members. For example, if you have
1,000 unique members who are part of licensed groups in your tenant, you must have at
least 1,000 licenses to meet the licensing agreement.

Features
Here are the main features of group-based licensing:

Licenses can be assigned to any security group in Azure AD. Security groups can
be synced from on-premises, by using Azure AD Connect. You can also create
security groups directly in Azure AD (also called cloud-only groups), or
automatically via the Azure AD dynamic group feature.

When a product license is assigned to a group, the administrator can disable one
or more service plans in the product. Typically, this assignment is done when the
organization is not yet ready to start using a service included in a product. For
example, the administrator might assign Microsoft 365 to a department, but
temporarily disable the Yammer service.

All Microsoft cloud services that require user-level licensing are supported. This
support includes all Microsoft 365 products, Enterprise Mobility + Security, and
Dynamics 365.

Group-based licensing is currently available through the Azure portal and
through the Microsoft Admin center.

Azure AD automatically manages license modifications that result from group
membership changes. Typically, license modifications are effective within minutes
of a membership change.

A user can be a member of multiple groups with license policies specified. A user
can also have some licenses that were directly assigned, outside of any groups. The
resulting user state is a combination of all assigned product and service licenses. If
a user is assigned the same license from multiple sources, the license is consumed
only once.

In some cases, licenses can't be assigned to a user. For example, there might not
be enough available licenses in the tenant, or conflicting services might have been
assigned at the same time. Administrators have access to information about users
for whom Azure AD couldn't fully process group licenses. They can then take
corrective action based on that information.
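The counting rules in the two sections above (one license per unique member, a license reaching a user from several sources consumed once, disabled service plans per group, and users that can't be processed when the tenant runs out), as an added example that is not code from the Azure AD documentation: a Python model that applies them to a constructed tenant. The SKU, service plan, group and user names are all sample values, and the processing order (direct assignments first, then groups by name) is this model's assumption rather than documented Azure AD behaviour.

```python
"""Model of how group-based licensing consumes licenses and combines service plans.

Added example, not code from the Azure AD documentation. All data below is
constructed in memory; nothing is read from Microsoft Graph.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class LicensePolicy:
    """A product assigned to a group, optionally with some service plans disabled."""
    sku: str
    disabled_plans: Set[str] = field(default_factory=set)


@dataclass
class Tenant:
    available: Dict[str, int]                       # sku -> licenses purchased
    plans: Dict[str, Set[str]]                      # sku -> service plans in the product
    group_members: Dict[str, List[str]]             # group -> users
    group_policies: Dict[str, List[LicensePolicy]]  # group -> licenses assigned to it
    direct: Dict[str, Set[str]] = field(default_factory=dict)  # user -> skus assigned directly


def required_licenses(t: Tenant) -> Dict[str, int]:
    """Licenses needed per SKU: one for each unique user who gets it from any source."""
    needed: Dict[str, Set[str]] = {}
    for group, policies in t.group_policies.items():
        for policy in policies:
            needed.setdefault(policy.sku, set()).update(t.group_members.get(group, []))
    for user, skus in t.direct.items():
        for sku in skus:
            needed.setdefault(sku, set()).add(user)
    return {sku: len(users) for sku, users in needed.items()}


def process(t: Tenant) -> Dict[str, Dict[str, List[str]]]:
    """Assign licenses and report the users that could not be fully processed.

    Returns {sku: {"assigned": [...], "errors": [...]}}. Handling direct
    assignments first and then groups in name order is an assumption of this model.
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for user, skus in sorted(t.direct.items()):
        for sku in sorted(skus):
            _grant(t, report, user, sku)
    for group in sorted(t.group_policies):
        for policy in t.group_policies[group]:
            for user in t.group_members.get(group, []):
                _grant(t, report, user, policy.sku)
    return report


def _grant(t: Tenant, report: Dict[str, Dict[str, List[str]]], user: str, sku: str) -> None:
    entry = report.setdefault(sku, {"assigned": [], "errors": []})
    if user in entry["assigned"]:
        return                                  # same license from another source: consumed once
    if len(entry["assigned"]) >= t.available.get(sku, 0):
        if user not in entry["errors"]:
            entry["errors"].append(user)        # tenant has run out of this license
        return
    entry["assigned"].append(user)


def effective_plans(t: Tenant, user: str, sku: str) -> Set[str]:
    """Service plans enabled for `user`: the union over every source that grants `sku`.

    A direct assignment enables every plan of the product; a group policy enables
    the product's plans minus those the administrator disabled for that group.
    """
    enabled: Set[str] = set()
    if sku in t.direct.get(user, set()):
        enabled |= t.plans[sku]
    for group, policies in t.group_policies.items():
        if user not in t.group_members.get(group, []):
            continue
        for policy in policies:
            if policy.sku == sku:
                enabled |= t.plans[sku] - policy.disabled_plans
    return enabled


# Constructed sample tenant: 3 licenses purchased, but 4 unique users need one.
SAMPLE = Tenant(
    available={"Microsoft 365": 3},
    plans={"Microsoft 365": {"Exchange", "SharePoint", "Teams", "Yammer"}},
    group_members={"Sales": ["alice", "bob"], "Support": ["bob", "carol", "dave"]},
    group_policies={
        "Sales": [LicensePolicy("Microsoft 365")],
        "Support": [LicensePolicy("Microsoft 365", disabled_plans={"Yammer"})],
    },
    direct={"alice": {"Microsoft 365"}},
)

if __name__ == "__main__":
    print(required_licenses(SAMPLE))
    print(process(SAMPLE))
    print(sorted(effective_plans(SAMPLE, "bob", "Microsoft 365")))
```

Two things the output makes visible that the prose only states: bob is in both groups but consumes a single license, and because the Sales policy leaves Yammer enabled, bob ends up with Yammer even though the Support policy disables it; carol, who is only in Support, does not. The tenant is one license short, so dave lands in the error list the administrator is expected to act on.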

Your feedback is welcome!


If you have feedback or feature requests, share them with us using the Azure AD admin
forum.

Next steps
To learn more about other scenarios for license management through group-based
licensing, see:

Assigning licenses to a group in Azure Active Directory


Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active
Directory
How to migrate users between product licenses using group-based licensing in
Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
PowerShell examples for group-based licensing in Azure Active Directory
Sign up for Azure Active Directory Premium editions
Article • 06/30/2023

You can purchase and associate Azure Active Directory (Azure AD) Premium editions
with your Azure subscription. If you need to create a new Azure subscription, you'll also
need to activate your licensing plan and Azure AD service access.

Before you sign up for Azure AD Premium P1 or Premium P2, you must first determine
which of your existing subscriptions or plans to use:

Through your existing Azure or Microsoft 365 subscription

Through your Enterprise Mobility + Security licensing plan

Through a Microsoft Volume Licensing plan

Signing up using an Azure subscription with previously purchased and activated Azure
AD licenses automatically activates the licenses in the same directory. If that's not the
case, you must still activate your license plan and your Azure AD access. For more
information about activating your license plan, see Activate your new license plan. For
more information about activating your Azure AD access, see Activate your Azure AD
access.

Sign up using your existing Azure or Microsoft 365 subscription
As an Azure or Microsoft 365 subscriber, you can purchase the Azure Active Directory
Premium editions online. For detailed steps, see Buy or remove licenses.

Sign up using your Enterprise Mobility + Security licensing plan
Enterprise Mobility + Security (EMS) is a suite comprising Azure AD Premium, Azure
Information Protection, and Microsoft Intune. If you already have an EMS license, you
can get started with Azure AD using one of these licensing options:

For more information about EMS, see the Enterprise Mobility + Security web site.

Try out EMS with a free Enterprise Mobility + Security E5 trial subscription
Purchase Enterprise Mobility + Security E5 licenses

Purchase Enterprise Mobility + Security E3 licenses

Sign up using your Microsoft Volume Licensing plan
Through your Microsoft Volume Licensing plan, you can sign up for Azure AD Premium
using one of these two programs, based on the number of licenses you want to get:

For 250 or more licenses. Microsoft Enterprise Agreement

For 5 to 250 licenses. Open Volume License

For more information about volume licensing purchase options, see How to purchase
through Volume Licensing.

Activate your new license plan


If you signed up using a new Azure AD license plan, you must activate it for your
organization, using the confirmation email sent after purchase.

To activate your license plan


Open the confirmation email you received from Microsoft after you signed up, and
then select either Sign In or Sign Up.
Sign in. Choose this link if you have an existing tenant, and then sign in using
your existing administrator account. You must be a global administrator on the
tenant where the licenses are being activated.

Sign up. Choose this link if you want to open the Create Account Profile page
and create a new Azure AD tenant for your licensing plan.
When you're done, you'll see a confirmation box thanking you for activating the license
plan for your tenant.

Activate your Azure AD access


If you're adding new Azure AD Premium licenses to an existing subscription, your Azure
AD access should already be activated. Otherwise, you need to activate Azure AD access
after you receive the Welcome email.

After your purchased licenses are provisioned in your directory, you'll receive a
Welcome email. This email confirms that you can start managing your Azure AD
Premium or Enterprise Mobility + Security licenses and features.

Tip
You won't be able to access Azure AD for your new tenant until you activate Azure
AD directory access from the welcome email.

To activate your Azure AD access


1. Open the Welcome email, and then select Sign In.

2. After successfully signing in, you'll go through two-step verification using a mobile
device.
The activation process typically takes only a few minutes and then you can use your
Azure AD tenant.

Next steps
Now that you have Azure AD Premium, you can customize your domain, add your
corporate branding, create a tenant, and add groups and users.
Overview of Azure AD Multi-Factor Authentication for your organization
Article • 03/16/2023

There are multiple ways to enable Azure AD Multi-Factor Authentication for your Azure
Active Directory (Azure AD) users, based on the licenses that your organization owns.

Based on our studies, your account is more than 99.9% less likely to be compromised if
you use multi-factor authentication (MFA).

So how does your organization turn on MFA even for free, before becoming a statistic?

Free option
Customers who are utilizing the free benefits of Azure AD can use security defaults to
enable multi-factor authentication in their environment.

Microsoft 365 Business, E3, or E5


For customers with Microsoft 365, there are two options:

Azure AD Multi-Factor Authentication is either enabled or disabled for all users, for
all sign-in events. There is no ability to only enable multi-factor authentication for
a subset of users, or only under certain scenarios. Management is through the
Office 365 portal.
For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use
Conditional Access. For more information, see secure Microsoft 365 resources with
multi-factor authentication.
Azure AD Premium P1
For customers with Azure AD Premium P1 or similar licenses that include this
functionality such as Enterprise Mobility + Security E3, Microsoft 365 F1, or Microsoft
365 E3:

Use Azure AD Conditional Access to prompt users for multi-factor authentication during
certain scenarios or events to fit your business requirements.

Azure AD Premium P2
For customers with Azure AD Premium P2 or similar licenses that include this
functionality such as Enterprise Mobility + Security E5 or Microsoft 365 E5:

This tier provides the strongest security position and an improved user experience. It
adds risk-based Conditional Access to the Azure AD Premium P1 features, which adapts
to users' patterns and minimizes multi-factor authentication prompts.

Authentication methods
Method                                               Security defaults   All other methods

Notification through mobile app                      X                   X

Verification code from mobile app or hardware token                      X

Text message to phone                                                    X

Call to phone                                                            X

Next steps
To get started, see the tutorial to secure user sign-in events with Azure AD Multi-Factor
Authentication.

For more information on licensing, see Features and licenses for Azure AD Multi-Factor
Authentication.
What is the identity secure score in Azure Active Directory?
Article • 03/16/2023

How secure is your Azure AD tenant? If you don't know how to answer this question,
this article explains how the identity secure score helps you to monitor and improve
your identity security posture.

What is an identity secure score?


The identity secure score is a percentage that indicates how closely your tenant is
aligned with Microsoft's best practice recommendations for security. Each improvement
action in the identity secure score is tailored to your specific configuration.

The score helps you to:

Objectively measure your identity security posture


Plan identity security improvements
Review the success of your improvements

You can access the score and related information on the identity secure score
dashboard. On this dashboard, you find:
Your identity secure score
A comparison graph showing how your Identity secure score compares to other
tenants in the same industry and similar size
A trend graph showing how your Identity secure score has changed over time
A list of possible improvements

By following the improvement actions, you can:

Improve your security posture and your score


Take advantage of the features available to your organization as part of your identity
investments

How do I get my secure score?


The identity secure score is available in all editions of Azure AD. Organizations can
access their identity secure score from the Azure portal > Azure Active Directory >
Security > Identity Secure Score.

How does it work?


Every 48 hours, Azure looks at your security configuration and compares your settings
with the recommended best practices. Based on the outcome of this evaluation, a new
score is calculated for your directory. It’s possible that your security configuration isn’t
fully aligned with the best practice guidance and the improvement actions are only
partially met. In these scenarios, you will only be awarded a portion of the max score
available for the control.

Each recommendation is measured based on your Azure AD configuration. If you are
using third-party products to enable a best practice recommendation, you can indicate
this configuration in the settings of an improvement action. You also have the option to
set recommendations to be ignored if they don't apply to your environment. An ignored
recommendation does not contribute to the calculation of your score.

To address - You recognize that the improvement action is necessary and plan to
address it at some point in the future. This state also applies to actions that are
detected as partially, but not fully completed.

Planned - There are concrete plans in place to complete the improvement action.

Risk accepted - Security should always be balanced with usability, and not every
recommendation will work for your environment. When that is the case, you can
choose to accept the risk, or the remaining risk, and not enact the improvement
action. You won't be given any points, but the action will no longer be visible in the
list of improvement actions. You can view this action in history or undo it at any
time.

Resolved through third party and Resolved through alternate mitigation - The
improvement action has already been addressed by a third-party application or
software, or an internal tool. You'll gain the points that the action is worth, so your
score better reflects your overall security posture. If a third party or internal tool no
longer covers the control, you can choose another status. Keep in mind, Microsoft
will have no visibility into the completeness of implementation if the improvement
action is marked as either of these statuses.
How does it help me?
The secure score helps you to:

Objectively measure your identity security posture


Plan identity security improvements
Review the success of your improvements

What you should know

Who can use the identity secure score?


To access identity secure score, you must be assigned one of the following roles in
Azure Active Directory.

Read and write roles

With read and write access, you can make changes and directly interact with identity
secure score.

Global administrator
Security administrator
Exchange administrator
SharePoint administrator

Read-only roles

With read-only access, you aren't able to edit status for an improvement action.

Helpdesk administrator
User administrator
Service support administrator
Security reader
Security operator
Global reader

How are controls scored?


Controls can be scored in two ways. Some are scored in a binary fashion - you get 100%
of the score if you have the feature or setting configured based on our
recommendation. Other scores are calculated as a percentage of the total configuration.
For example, if the improvement recommendation states you’ll get a maximum of
10.71% if you protect all your users with MFA and you only have 5 of 100 total users
protected, you would be given a partial score around 0.53% (5 protected / 100 total *
10.71% maximum = 0.53% partial score).
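The two scoring styles described above, together with the improvement-action statuses from the earlier section (risk accepted earns nothing, resolved through a third party or alternate mitigation earns full points, ignored actions drop out of the calculation), as an added example that is not code from the Azure AD documentation. Only the MFA figures (10.71% maximum, 5 of 100 users) come from the article; the other control names and weights are constructed.

```python
"""Identity secure score arithmetic for binary and proportional controls.

Added example, not code from the Azure AD documentation. Control names, weights
and counts other than the article's MFA figures are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Improvement-action statuses from the article, as they affect the score.
TO_ADDRESS = "To address"
PLANNED = "Planned"
RISK_ACCEPTED = "Risk accepted"
RESOLVED_THIRD_PARTY = "Resolved through third party"
RESOLVED_ALTERNATE = "Resolved through alternate mitigation"
IGNORED = "Ignored"


@dataclass
class Control:
    name: str
    max_points: float          # percentage points the control is worth
    status: str = TO_ADDRESS
    binary: bool = True        # True: all-or-nothing; False: scored proportionally
    configured: bool = False   # binary controls: setting matches the recommendation
    covered: int = 0           # proportional controls: objects meeting the recommendation
    total: int = 0             # proportional controls: objects in scope

    def points(self) -> float:
        """Points awarded for this control under its current status."""
        if self.status in (RESOLVED_THIRD_PARTY, RESOLVED_ALTERNATE):
            return self.max_points                  # full credit; Microsoft cannot verify it
        if self.status == RISK_ACCEPTED:
            return 0.0                              # no points, hidden from the action list
        if self.binary:
            return self.max_points if self.configured else 0.0
        if self.total == 0:
            return 0.0
        return self.covered / self.total * self.max_points   # partial credit


def secure_score(controls: List[Control]) -> Tuple[float, float]:
    """Return (earned, maximum); ignored controls count towards neither."""
    scored = [c for c in controls if c.status != IGNORED]
    earned = sum(c.points() for c in scored)
    maximum = sum(c.max_points for c in scored)
    return earned, maximum


# Constructed controls; only the MFA numbers come from the article.
SAMPLE_CONTROLS = [
    Control("Protect all users with MFA", 10.71, binary=False, covered=5, total=100),
    Control("Block legacy authentication", 8.0, configured=True),
    Control("Designate more than one global admin", 1.0, status=RISK_ACCEPTED),
    Control("Use a password filter", 2.0, status=RESOLVED_THIRD_PARTY),
    Control("Protect all users with a user risk policy", 7.0, status=IGNORED),
]

if __name__ == "__main__":
    earned, maximum = secure_score(SAMPLE_CONTROLS)
    for control in SAMPLE_CONTROLS:
        print(f"{control.name:45} {control.points():6.2f} / {control.max_points:5.2f}")
    print(f"total {earned:.2f} of {maximum:.2f} points ({earned / maximum:.1%})")
```

The MFA control yields 5 / 100 × 10.71 = 0.5355 points, which the article reports as around 0.53%. Note what the statuses do to the denominator: an ignored control removes its 7 points from the maximum, so ignoring recommendations raises the displayed percentage without changing the configuration, whereas a risk-accepted control keeps its points in the maximum and simply earns none.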

What does [Not Scored] mean?


Actions labeled as [Not Scored] are ones you can perform in your organization but
won't be scored because they aren't hooked up in the tool (yet!). So, you can still
improve your security, but you won't get credit for those actions right now.

In addition, the recommended actions:

Protect all users with a user risk policy


Protect all users with a sign-in risk policy

Also won't give you credits when configured using Conditional Access Policies, yet, for
the same reason as above. For now, these actions give credits only when configured
through Identity Protection policies.

How often is my score updated?


The score is calculated once per day (around 1:00 AM PST). If you make a change to a
measured action, the score will automatically update the next day. It takes up to 48
hours for a change to be reflected in your score.

My score changed. How do I figure out why?


Head over to the Microsoft 365 Defender portal, where you’ll find your complete
Microsoft secure score. You can easily see all the changes to your secure score by
reviewing the in-depth changes on the history tab.

Does the secure score measure my risk of getting breached?
In short, no. The secure score does not express an absolute measure of how likely you
are to get breached. It expresses the extent to which you have adopted features that can
offset the risk of being breached. No service can guarantee that you will not be
breached, and the secure score should not be interpreted as a guarantee in any way.

How should I interpret my score?


Your score improves for configuring recommended security features or performing
security-related tasks (like reading reports). Some actions are scored for partial
completion, like enabling multi-factor authentication (MFA) for your users. Your secure
score is directly representative of the Microsoft security services you use. Remember
that security must be balanced with usability. All security controls have a user impact
component. Controls with low user impact should have little to no effect on your users'
day-to-day operations.

To see your score history, head over to the Microsoft 365 Defender portal and review
your overall Microsoft secure score. You can review changes to your overall secure score
by clicking View History. Choose a specific date to see which controls were enabled
for that day and what points you earned for each one.

How does the identity secure score relate to the Microsoft 365 secure score?
The Microsoft secure score contains five distinct control and score categories:

Identity
Data
Devices
Infrastructure
Apps

The identity secure score represents the identity part of the Microsoft secure score. This
overlap means that your recommendations for the identity secure score and the identity
score in Microsoft are the same.

Next steps
Find out more about Microsoft secure score
Secure your organization's identities with Azure AD
Article • 03/28/2023

It can seem daunting trying to secure your workers in today's world, especially when you
have to respond rapidly and provide access to many services quickly. This article is
meant to provide a concise list of all the actions to take, helping you identify and
prioritize the order in which to deploy the Azure Active Directory (Azure AD) features
based on the license type you own. Azure AD offers many features and provides many
layers of security for your identities; working out which feature is relevant can
sometimes be overwhelming. This document is intended to help organizations deploy
services quickly, with secure identities as the primary consideration.

Each table provides a consistent security recommendation, protecting identities from
common security attacks while minimizing user friction.

The guidance helps:

Configure access to SaaS and on-premises applications in a secure and protected
manner.
Both cloud and hybrid identities.
Users working remotely or in the office.

Prerequisites
This guide assumes that your cloud-only or hybrid identities have been established in
Azure AD already. For help with choosing your identity type, see the article Choose the
right authentication method for your Azure Active Directory hybrid identity solution.

Guided walkthrough
For a guided walkthrough of many of the recommendations in this article, see the Set
up Azure AD guide when signed in to the Microsoft 365 Admin Center. To review best
practices without signing in and activating automated setup features, go to the M365
Setup portal.

Guidance for Azure AD Free, Office 365, or Microsoft 365 customers.
There are many recommendations that Azure AD Free, Office 365, or Microsoft 365 app
customers should take to protect their user identities. The following table is intended to
highlight key actions for the following license subscriptions:

Office 365 (Office 365 E1, E3, E5, F1, A1, A3, A5)
Microsoft 365 (Business Basic, Apps for Business, Business Standard, Business
Premium, A1)
Azure AD Free (included with Azure, Dynamics 365, Intune, and Power Platform)

Recommended action / Detail

Enable Security Defaults
    Protect all user identities and applications by enabling MFA and blocking legacy authentication.

Enable Password Hash Sync (if using hybrid identities)
    Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials).

Enable ADFS smart lockout (if applicable)
    Protects your users from experiencing extranet account lockout from malicious activity.

Enable Azure Active Directory smart lockout (if using managed identities)
    Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.

Disable end-user consent to applications
    The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.

Integrate supported SaaS applications from the gallery to Azure AD and enable Single sign on
    Azure AD has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery, accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO).

Automate user provisioning and deprovisioning from SaaS Applications (if applicable)
    Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security.

Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks (if applicable)
    Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Azure AD with your existing application delivery controller or network.

Enable self-service password reset (applicable to cloud only accounts)
    This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application.

Use least privileged roles where possible
    Give your administrators only the access they need to only the areas they need access to. Not all administrators need to be Global Administrators.

Enable Microsoft's password guidance
    Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure.

Guidance for Azure AD Premium Plan 1 customers.
The following table is intended to highlight the key actions for the following license
subscriptions:

Azure Active Directory Premium P1 (Azure AD P1)
Enterprise Mobility + Security (EMS E3)
Microsoft 365 (E3, A3, F1, F3)

Recommended action / Detail

Create more than one Global Administrator
    Assign at least two cloud-only permanent Global Administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords.

Enable combined registration experience for Azure AD MFA and SSPR to simplify user registration experience
    Allow your users to register from one common experience for both Azure AD Multi-Factor Authentication and self-service password reset.

Configure MFA settings for your organization
    Ensure accounts are protected from being compromised with multi-factor authentication.

Enable self-service password reset
    This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application.

Implement Password Writeback (if using hybrid identities)
    Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment.

Create and enable Conditional Access policies
    MFA for admins to protect accounts that are assigned administrative rights.
    Block legacy authentication protocols due to the increased risk associated with legacy authentication protocols.
    MFA for all users and applications to create a balanced MFA policy for your environment, securing your users and applications.
    Require MFA for Azure Management to protect your privileged resources by requiring multi-factor authentication for any user accessing Azure resources.

Enable Password Hash Sync (if using hybrid identities)
    Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials).

Enable ADFS smart lockout (if applicable)
    Protects your users from experiencing extranet account lockout from malicious activity.

Enable Azure Active Directory smart lockout (if using managed identities)
    Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.

Disable end-user consent to applications
    The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.

Enable remote access to on-premises legacy applications with Application Proxy
    Enable Azure AD Application Proxy and integrate with legacy apps for users to securely access on-premises applications by signing in with their Azure AD account.

Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks (if applicable)
    Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Azure AD with your existing application delivery controller or network.

Integrate supported SaaS applications from the gallery to Azure AD and enable Single sign on
    Azure AD has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery, accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO).

Automate user provisioning and deprovisioning from SaaS Applications (if applicable)
    Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security.

Enable Conditional Access – Device based
    Improve security and user experiences with device-based Conditional Access. This step ensures users can only access from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Hybrid Azure AD joined devices.

Enable Password Protection
    Protect users from using weak and easy to guess passwords.

Use least privileged roles where possible
    Give your administrators only the access they need to only the areas they need access to. Not all administrators need to be Global Administrators.

Enable Microsoft's password guidance
    Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure.

Create an organization specific custom banned password list
    Prevent users from creating passwords that include common words or phrases from your organization or area.

Deploy passwordless authentication methods for your users
    Provide your users with convenient passwordless authentication methods.

Create a plan for guest user access
    Collaborate with guest users by letting them sign into your apps and services with their own work, school, or social identities.
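The table above recommends Conditional Access policies for "MFA for admins" and for blocking legacy authentication protocols. The script below is an added example, not code from the article or from Microsoft, showing how those two policies can be created through the Microsoft Graph PowerShell SDK in report-only state, so their effect can be reviewed in the sign-in log before enforcement. It assumes the Microsoft.Graph module is installed, that the signed-in account is granted the Policy.ReadWrite.ConditionalAccess permission, and that the object IDs in $BreakGlassAccounts are placeholders to be replaced with your own emergency-access accounts.

```powershell
# Added example (not from the article): create the "MFA for admins" and "Block legacy
# authentication" Conditional Access policies in report-only state via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; signed-in account holds
# Policy.ReadWrite.ConditionalAccess; $BreakGlassAccounts holds placeholder object IDs
# that you replace with your emergency-access (break-glass) accounts.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder object IDs of the cloud-only emergency accounts. They are excluded from
# both policies so that a mis-scoped policy cannot lock every administrator out.
$BreakGlassAccounts = @('00000000-0000-0000-0000-000000000001',
                        '00000000-0000-0000-0000-000000000002')

# Well-known role template ID of the Global Administrator directory role.
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

$policies = @(
    @{
        displayName   = 'CA001: Require MFA for Global Administrators'
        # Report-only: evaluated and logged, but not enforced, until you flip it to 'enabled'.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = @('all')
            applications   = @{ includeApplications = @('All') }
            users          = @{
                includeRoles = @($GlobalAdminRoleId)
                excludeUsers = $BreakGlassAccounts
            }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName   = 'CA002: Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            # 'exchangeActiveSync' plus 'other' covers every client that cannot perform
            # modern authentication (basic-auth IMAP, POP3, SMTP AUTH, older Office clients).
            clientAppTypes = @('exchangeActiveSync', 'other')
            applications   = @{ includeApplications = @('All') }
            users          = @{
                includeUsers = @('All')
                excludeUsers = $BreakGlassAccounts
            }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
)

foreach ($policy in $policies) {
    # Invoke-MgGraphRequest returns the created policy as a hashtable.
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($policy | ConvertTo-Json -Depth 10) `
        -ContentType 'application/json'
    Write-Host ("Created '{0}' in state {1} (id {2})" -f `
        $created.displayName, $created.state, $created.id)
}
```

After a few days in report-only mode, review the Conditional Access tab of the sign-in log for accounts that would have been blocked, resolve them, and then change the policy state from enabledForReportingButNotEnforced to enabled.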

Guidance for Azure AD Premium Plan 2 customers.
The following table is intended to highlight the key actions for the following license
subscriptions:

Azure Active Directory Premium P2
Enterprise Mobility + Security (EMS E5)
Microsoft 365 (E5, A5)

Recommended action / Detail

Create more than one Global Administrator
    Assign at least two cloud-only permanent Global Administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords.

Enable combined registration experience for Azure AD MFA and SSPR to simplify user registration experience
    Allow your users to register from one common experience for both Azure AD Multi-Factor Authentication and self-service password reset.

Configure MFA settings for your organization
    Ensure accounts are protected from being compromised with multi-factor authentication.

Enable self-service password reset
    This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application.

Implement Password Writeback (if using hybrid identities)
    Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment.

Enable Identity Protection policies to enforce MFA registration
    Manage the roll-out of Azure AD Multi-Factor Authentication (MFA).

Enable Identity Protection user and sign-in risk policies
    Enable Identity Protection User and Sign-in policies. The recommended sign-in policy is to target medium risk sign-ins and require MFA. For User policies, you should target high risk users requiring the password change action.

Create and enable Conditional Access policies
    MFA for admins to protect accounts that are assigned administrative rights.
    Block legacy authentication protocols due to the increased risk associated with legacy authentication protocols.
    Require MFA for Azure Management to protect your privileged resources by requiring multi-factor authentication for any user accessing Azure resources.

Enable Password Hash Sync (if using hybrid identities)
    Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials).

Enable ADFS smart lockout (if applicable)
    Protects your users from experiencing extranet account lockout from malicious activity.

Enable Azure Active Directory smart lockout (if using managed identities)
    Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.

Disable end-user consent to applications
    The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.

Enable remote access to on-premises legacy applications with Application Proxy
    Enable Azure AD Application Proxy and integrate with legacy apps for users to securely access on-premises applications by signing in with their Azure AD account.

Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks (if applicable)
    Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Azure AD with your existing application delivery controller or network.

Integrate supported SaaS applications from the gallery to Azure AD and enable Single sign on
    Azure AD has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery, accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO).

Automate user provisioning and deprovisioning from SaaS Applications (if applicable)
    Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security.

Enable Conditional Access – Device based
    Improve security and user experiences with device-based Conditional Access. This step ensures users can only access from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Hybrid Azure AD joined devices.

Enable Password Protection
    Protect users from using weak and easy to guess passwords.

Use least privileged roles where possible
    Give your administrators only the access they need to only the areas they need access to. Not all administrators need to be Global Administrators.

Enable Microsoft's password guidance
    Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure.

Create an organization specific custom banned password list
    Prevent users from creating passwords that include common words or phrases from your organization or area.

Deploy passwordless authentication methods for your users
    Provide your users with convenient passwordless authentication methods.

Create a plan for guest user access
    Collaborate with guest users by letting them sign into your apps and services with their own work, school, or social identities.

Enable Privileged Identity Management
    Enables you to manage, control, and monitor access to important resources in your organization, ensuring admins have access only when needed and with approval.

Complete an access review for Azure AD directory roles in PIM
    Work with your security and leadership teams to create an access review policy to review administrative access based on your organization's policies.

Zero Trust
This guidance helps organizations to align their identities with the three guiding principles
of a Zero Trust architecture:

Verify explicitly
Use least privilege
Assume breach

To find out more about Zero Trust and other ways to align your organization to the
guiding principles, see the Zero Trust Guidance Center.

Next steps
For detailed deployment guidance for individual features of Azure AD, review the
Azure AD project deployment plans.
Organizations can use identity secure score to track their progress against other
Microsoft recommendations.
Five steps to integrate your apps with Azure Active Directory
Article • 06/01/2023

Learn to integrate your applications with Azure Active Directory (Azure AD), which is a
cloud-based identity and access management service. Organizations use Azure AD for
secure authentication and authorization so customers, partners, and employees can
access applications. With Azure AD, features such as Conditional Access, Azure AD
Multi-Factor Authentication (MFA), single sign-on, and application provisioning make
identity and access management easier to manage and more secure.

Learn more:

What is Conditional Access?
How it works: Azure AD Multi-Factor Authentication
Azure AD seamless single sign-on
What is app provisioning in Azure AD?

If your company has a Microsoft 365 subscription, you likely use Azure AD. However,
you can also use Azure AD for all your applications. If you centralize application
management, you can apply identity management features, tools, and policies to your
whole app portfolio. The benefit is a unified solution that improves security, reduces
costs, increases productivity, and enables compliance. In addition, you get remote access
to on-premises apps.

Learn more:

Deploy your identity infrastructure for Microsoft 365
What is application management in Azure AD?

Azure AD for new applications
When your business acquires new applications, add them to the Azure AD tenant.
Establish a company policy of adding new apps to Azure AD.

See, Quickstart: Add an enterprise application

Azure AD has a gallery of integrated applications to make it easy to get started. Add a
gallery app to your Azure AD organization (see the previous link) and follow the
software as a service (SaaS) integration tutorials.

See, Tutorials for integrating SaaS applications with Azure AD

Integration tutorials
Use the following tutorials to learn to integrate common tools with Azure AD single
sign-on (SSO).

Tutorial: Azure AD SSO integration with ServiceNow
Tutorial: Azure AD SSO integration with Workday
Tutorial: Azure AD SSO integration with Salesforce
Tutorial: Azure AD SSO integration with AWS Single-Account Access
Tutorial: Azure AD SSO integration with Slack

Apps not in the gallery
You can integrate applications that don't appear in the gallery, including applications in
your organization, or third-party applications from vendors. Submit a request to publish
your app in the gallery. To learn about integrating apps you develop in-house, see
Integrate apps your developers build.

Learn more:

Quickstart: View enterprise applications
Submit a request to publish your application in Azure AD application gallery

Determine application usage and prioritize integration
Discover the applications employees use, and prioritize integrating the apps with Azure
AD. Use the Microsoft Defender for Cloud Apps Cloud Discovery tools to discover and
manage apps not managed by your IT team. Microsoft Defender for Endpoint (formerly
known as Microsoft Defender Advanced Threat Protection) simplifies and extends the
discovery process.

Learn more:

Set up Cloud Discovery
Microsoft Defender for Endpoint

In addition, use the Active Directory Federation Services (AD FS) application activity
report in the Azure portal to discover AD FS apps in your organization. Discover unique
users that signed in to the apps, and see information about integration compatibility.

See, Review the application activity report


Application migration
After you discover apps in your environment, prioritize the apps to migrate and
integrate. Consider the following parameters:

Apps used most frequently
Riskiest apps
Apps to be decommissioned, therefore not in migration
Apps that stay on-premises

See, Resources for migrating applications to Azure AD

Integrate apps and identity providers
During discovery, there might be applications not tracked by the IT team, which can
create vulnerabilities. Some applications use alternative identity solutions, including AD
FS, or other identity providers (IdPs). We recommend you consolidate identity and
access management. Benefits include:

Reduce on-premises user set-up, authentication, and IdP licensing fees
Lower administrative overhead with streamlined identity and access management process
Enable single sign-on (SSO) access to applications in the My Apps portal
    See, Create collections on the My Apps portal
Use Identity Protection and Conditional Access to increase data from app usage, and extend benefits to recently added apps
    What is Identity Protection?
    What is Conditional Access?

App owner awareness
To help manage app integration with Azure AD, use the following material for
application owner awareness and interest. Modify the material with your branding.

You can download:

Zip file, Editable Azure AD App Integration One-Pager
Microsoft PowerPoint presentation, Azure AD application integration guidelines

Active Directory Federation Services
Evaluate use of AD FS for authentication with SaaS apps, line-of-business apps, as well
as Microsoft 365 and Azure AD apps.

Improve the configuration illustrated in the previous diagram by moving application
authentication to Azure AD. Enable sign-on for apps and ease application discovery with
the My Apps portal.

Learn more:

Move application authentication to Azure AD
Sign in and start apps from the My Apps portal

See the following diagram of app authentication simplified by Azure AD.

After Azure AD is the central IdP, you might be able to discontinue AD FS.

You can migrate apps that use a different cloud-based IdP. Your organization might
have multiple Identity Access Management (IAM) solutions. Migrating to one Azure AD
infrastructure can reduce dependencies on IAM licenses and infrastructure costs. If you
paid for Azure AD with Microsoft 365 licenses, likely you don't have to purchase another
IAM solution.

Integrate on-premises applications
Traditionally, application security enabled access during a connection to a corporate
network. However, organizations grant access to apps for customers, partners, and/or
employees, regardless of location. Application Proxy Service in Azure AD connects on-
premises apps to Azure AD and doesn't require edge servers or more infrastructure.

See, Using Azure AD Application Proxy to publish on-premises apps for remote users

The following diagram illustrates Application Proxy Service processing a user request.
See, Tutorial: Add an on-premises application for remote access through Application
Proxy in Azure AD

In addition, integrate application delivery controllers like F5 BIG-IP APM, or Zscaler
Private Access, with Azure AD. Benefits are modern authentication and identity
management, traffic management, and security features. We call this solution secure
hybrid access.

See, Secure hybrid access: Protect legacy apps with Azure AD

For the following services, there are Azure AD integration tutorials.

Tutorial: Azure AD SSO integration with Akamai
Tutorial: Azure AD SSO integration with Citrix ADC SAML Connector for Azure AD (Kerberos-based authentication)
    Formerly known as Citrix Netscaler
Integrate F5 BIG-IP with Azure AD
Tutorial: Integrate Zscaler Private Access (ZPA) with Azure AD

Integrate apps your developers build
For your developers' apps, use the Microsoft identity platform for authentication and
authorization. Integrated applications are registered and managed like other apps in
your portfolio.

Learn more:

Microsoft identity platform documentation
Quickstart: Register an application with the Microsoft identity platform

Developers can use the platform for internal and customer-facing apps. For instance,
use Microsoft Authentication Libraries (MSAL) to enable multi-factor authentication and
security to access apps.

Learn more:

Overview of the Microsoft Authentication Library (MSAL)
Microsoft identity platform code samples
Video: Overview of the Microsoft identity platform for developers (33:54)

Next step
Resources for migrating applications to Azure AD

Security defaults in Azure AD
Article • 08/01/2023

Security defaults make it easier to help protect your organization from identity-related
attacks like password spray, replay, and phishing common in today's environments.

Microsoft is making these preconfigured security settings available to everyone, because
we know managing security can be difficult. Based on our learnings, more than 99.9% of
those common identity-related attacks are stopped by using multifactor authentication
(MFA) and blocking legacy authentication. Our goal is to ensure that all organizations
have at least a basic level of security enabled at no extra cost.

These basic controls include:

Requiring all users to register for multifactor authentication.
Requiring administrators to do multifactor authentication.
Requiring users to do multifactor authentication when necessary.
Blocking legacy authentication protocols.
Protecting privileged activities like access to the Azure portal.

Who's it for?
Organizations who want to increase their security posture, but don't know how or
where to start.
Organizations using the free tier of Azure Active Directory licensing.

Who should use Conditional Access?
If you're an organization with Azure Active Directory Premium licenses, security
defaults are probably not right for you.
If your organization has complex security requirements, you should consider
Conditional Access.

Enabling security defaults
If your tenant was created on or after October 22, 2019, security defaults may be
enabled in your tenant. To protect all of our users, security defaults are being rolled out
to all new tenants at creation.
To help protect organizations, we're always working to improve the security of Microsoft
account services. As part of this protection, customers are periodically notified for the
automatic enablement of the security defaults if they:

Haven't enabled Conditional Access policies.
Don't have premium licenses.
Aren't actively using legacy authentication clients.

After this setting is enabled, all users in the organization will need to register for
multifactor authentication. To avoid confusion, refer to the email you received;
alternatively, you can disable security defaults after they're enabled.

To configure security defaults in your directory, you must be assigned at least the
Security Administrator role. By default the first account in any directory is assigned a
higher privileged role known as Global Administrator.

To enable security defaults:

1. Sign in to the Microsoft Entra admin center.
2. Browse to Microsoft Entra ID (Azure AD) > Properties.
   a. Select Manage security defaults.
3. Set Security defaults to Enabled.
4. Select Save.

Revoking active tokens
As part of enabling security defaults, administrators should revoke all existing tokens to
require all users to register for multifactor authentication. This revocation event forces
previously authenticated users to authenticate and register for multifactor
authentication. This task can be accomplished using the
Revoke-AzureADUserAllRefreshToken PowerShell cmdlet.
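As an added example (not code from the article), the following PowerShell performs both halves of that procedure: it sets isEnabled on the identitySecurityDefaultsEnforcementPolicy object in Microsoft Graph, which is the same switch the portal steps above flip, and then revokes refresh tokens with the cmdlet the article names. It assumes the Microsoft.Graph and AzureAD modules are installed, that the signed-in account holds at least the Security Administrator role, and that the UPNs in $ExcludedUpns are placeholders for your own emergency-access accounts (and the Azure AD Connect sync account, if you have one), which are left untouched; $DryRun is an assumed switch that only reports what would be revoked.

```powershell
# Added example (not from the article): enable security defaults through Microsoft Graph,
# then revoke every remaining user's refresh tokens so each session must re-authenticate
# and register for MFA. Assumptions: Microsoft.Graph and AzureAD modules installed;
# signed-in account is at least Security Administrator; $ExcludedUpns holds placeholder
# UPNs for break-glass accounts and the Azure AD Connect sync account.

$ExcludedUpns = @('breakglass1@contoso.example',   # placeholder emergency-access account
                  'breakglass2@contoso.example',   # placeholder emergency-access account
                  'sync_aadconnect@contoso.example') # placeholder AAD Connect sync account
$DryRun = $true   # set to $false to actually revoke tokens

# --- 1. Enable security defaults (idempotent: only PATCH when currently disabled) ---
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'
$before = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
if (-not $before.isEnabled) {
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri `
        -Body @{ isEnabled = $true } -ContentType 'application/json' | Out-Null
}
$after = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
Write-Host "Security defaults enabled: $($after.isEnabled)"

# --- 2. Revoke refresh tokens for every enabled, non-excluded user ---
Connect-AzureAD | Out-Null

$users = Get-AzureADUser -All $true | Where-Object {
    $_.AccountEnabled -and ($ExcludedUpns -notcontains $_.UserPrincipalName)
}

foreach ($user in $users) {
    if ($DryRun) {
        Write-Host "[dry run] would revoke refresh tokens for $($user.UserPrincipalName)"
        continue
    }
    # Invalidates the user's refresh tokens; access tokens expire on their own lifetime.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    Write-Host "Revoked refresh tokens for $($user.UserPrincipalName)"
}

Write-Host ("Processed {0} users; {1} accounts excluded by name" -f `
    @($users).Count, $ExcludedUpns.Count)
```

Run it once with $DryRun left at $true to confirm the exclusion list is right; the excluded accounts keep their sessions so the revocation itself cannot lock an administrator out, and revoking only refresh tokens means already-issued access tokens remain valid until they expire.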

Enforced security policies

Require all users to register for Azure AD Multifactor Authentication
All users have 14 days to register using the Microsoft Authenticator app or any app
supporting OATH TOTP. After the 14 days have passed, the user can't sign in until
registration is completed. A user's 14-day period begins after their first successful
interactive sign-in after enabling security defaults.

When users sign in and are prompted to perform multifactor authentication, they see a
screen providing them with a number to enter in the Microsoft Authenticator app. This
measure helps prevent users from falling for MFA fatigue attacks.

Require administrators to do multifactor authentication
Administrators have increased access to your environment. Because of the power these
highly privileged accounts have, you should treat them with special care. One common
method to improve the protection of privileged accounts is to require a stronger form of
account verification for sign-in, like requiring multifactor authentication.

Tip

Recommendations for your admins:

Ensure all your admins sign in after enabling security defaults so that they can
register for authentication methods.
Have separate accounts for administration and standard productivity tasks to
significantly reduce the number of times your admins are prompted for MFA.

After registration is finished, the following administrator roles will be required to do
multifactor authentication every time they sign in:

Global Administrator
Application Administrator
Authentication Administrator
Billing Administrator
Cloud Application Administrator
Conditional Access Administrator
Exchange Administrator
Helpdesk Administrator
Password Administrator
Privileged Authentication Administrator
Privileged Role Administrator
Security Administrator
SharePoint Administrator
User Administrator

Require users to do multifactor authentication when necessary
We tend to think that administrator accounts are the only accounts that need extra
layers of authentication. Administrators have broad access to sensitive information and
can make changes to subscription-wide settings. But attackers frequently target end
users.

After these attackers gain access, they can request access to privileged information for
the original account holder. They can even download the entire directory to do a
phishing attack on your whole organization.

One common method to improve protection for all users is to require a stronger form of
account verification, such as multifactor authentication, for everyone. After users
complete registration, they'll be prompted for another authentication whenever
necessary. Microsoft decides when a user is prompted for multifactor authentication,
based on factors such as location, device, role and task. This functionality protects all
registered applications, including SaaS applications.

Note

In case of B2B direct connect users, any multifactor authentication requirement
from security defaults enabled in resource tenant will need to be satisfied, including
multifactor authentication registration by the direct connect user in their home
tenant.

Block legacy authentication protocols
To give your users easy access to your cloud apps, we support various authentication
protocols, including legacy authentication. Legacy authentication is a term that refers to
an authentication request made by:

Clients that don't use modern authentication (for example, an Office 2010 client).
Any client that uses older mail protocols such as IMAP, SMTP, or POP3.

Today, most compromising sign-in attempts come from legacy authentication. Legacy
authentication doesn't support multifactor authentication. Even if you have a multifactor
authentication policy enabled on your directory, an attacker can authenticate by using
an older protocol and bypass multifactor authentication.

After security defaults are enabled in your tenant, all authentication requests made by
an older protocol will be blocked. Security defaults also block Exchange ActiveSync basic
authentication.

Warning

Before you enable security defaults, make sure your administrators aren't using
older authentication protocols. For more information, see How to move away from
legacy authentication.

How to set up a multifunction device or application to send email using Microsoft 365
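One way to act on that warning before enabling security defaults is to list the accounts that still sign in with legacy authentication, privileged accounts first, so they can be moved to modern authentication or handled ahead of the cutover. The function below is an added example, not code from the article. The sign-in records it runs over are constructed sample data in the shape of Azure AD interactive sign-in log entries (userPrincipalName, clientAppUsed, createdDateTime); the clientAppUsed values it treats as legacy follow the sign-in log's legacy authentication client grouping, and replacing $SampleSignIns with real records (for example from Get-MgAuditLogSignIn in the Microsoft.Graph.Reports module) is an assumed, not page-documented, way to run it against a tenant.

```powershell
# Added example (not from the article): report accounts that still use legacy
# authentication, privileged accounts first. Input is a set of sign-in records shaped
# like Azure AD sign-in log entries; the ones below are constructed sample data.

# clientAppUsed values that indicate a client unable to perform modern authentication,
# as grouped under legacy authentication clients in the Azure AD sign-in log.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'MAPI Over HTTP',
    'Outlook Anywhere (RPC over HTTP)', 'Exchange Web Services', 'Exchange Online PowerShell',
    'Autodiscover', 'Offline Address Book', 'Reporting Web Services', 'Other clients'
)

function Get-LegacyAuthSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        # UPNs of administrators; flagged so they surface at the top of the report.
        [string[]] $PrivilegedUpns = @()
    )
    $SignIns |
        Where-Object { $LegacyClientApps -contains $_.clientAppUsed } |
        Group-Object -Property userPrincipalName |
        ForEach-Object {
            $latest = $_.Group | Sort-Object createdDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                UserPrincipalName = $_.Name
                IsPrivileged      = $PrivilegedUpns -contains $_.Name
                Protocols         = ($_.Group.clientAppUsed | Sort-Object -Unique) -join ', '
                SignInCount       = $_.Count
                LastSeen          = $latest.createdDateTime
            }
        } |
        Sort-Object -Property IsPrivileged, SignInCount -Descending
}

# Constructed sample sign-ins (not real log data) in the shape of Graph signIn objects.
$SampleSignIns = @(
    [pscustomobject]@{ userPrincipalName = 'admin@contoso.example';   clientAppUsed = 'IMAP4';                           createdDateTime = [datetime]'2023-08-01T08:02:00Z' }
    [pscustomobject]@{ userPrincipalName = 'admin@contoso.example';   clientAppUsed = 'Browser';                         createdDateTime = [datetime]'2023-08-01T09:15:00Z' }
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example';   clientAppUsed = 'Exchange ActiveSync';             createdDateTime = [datetime]'2023-08-02T07:40:00Z' }
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example';   clientAppUsed = 'Exchange ActiveSync';             createdDateTime = [datetime]'2023-08-03T07:41:00Z' }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example';     clientAppUsed = 'Mobile Apps and Desktop clients'; createdDateTime = [datetime]'2023-08-03T10:00:00Z' }
    [pscustomobject]@{ userPrincipalName = 'scanner@contoso.example'; clientAppUsed = 'Authenticated SMTP';              createdDateTime = [datetime]'2023-08-03T11:30:00Z' }
)

# The admin's IMAP4 sign-in, Alice's two ActiveSync sign-ins and the scanner's SMTP AUTH
# sign-in are reported; Bob's modern-auth client sign-in is not.
Get-LegacyAuthSignIns -SignIns $SampleSignIns -PrivilegedUpns @('admin@contoso.example') |
    Format-Table -AutoSize
```

Accounts that appear here fall into the categories the article describes: administrators on older clients, users on basic-auth mail protocols, and device or service accounts such as multifunction printers using SMTP AUTH, which is exactly the case the linked multifunction-device guidance covers.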

Protect privileged activities like access to the Azure portal
Organizations use various Azure services managed through the Azure Resource
Manager API, including:

Azure portal
Microsoft Entra Admin Center
Azure PowerShell
Azure CLI

Using Azure Resource Manager to manage your services is a highly privileged action.
Azure Resource Manager can alter tenant-wide configurations, such as service settings
and subscription billing. Single-factor authentication is vulnerable to various attacks like
phishing and password spray.

It's important to verify the identity of users who want to access Azure Resource Manager
and update configurations. You verify their identity by requiring more authentication
before you allow access.

After you enable security defaults in your tenant, any user accessing the following
services must complete multifactor authentication:

Azure portal
Azure PowerShell
Azure CLI

This policy applies to all users who are accessing Azure Resource Manager services,
whether they're an administrator or a user.

Note

Pre-2017 Exchange Online tenants have modern authentication disabled by default.
To avoid the possibility of a login loop while authenticating through these
tenants, you must enable modern authentication.

Note

The Azure AD Connect synchronization account is excluded from security defaults
and will not be prompted to register for or perform multifactor authentication.
Organizations should not be using this account for other purposes.

Deployment considerations

Preparing your users

It's critical to inform users about upcoming changes, registration requirements, and any
necessary user actions. We provide communication templates and user
documentation to prepare your users for the new experience and help to ensure a
successful rollout. Send users to https://myprofile.microsoft.com to register by
selecting the Security Info link on that page.

Authentication methods
Users covered by security defaults are required to register for and use multifactor
authentication with the Microsoft Authenticator app using push notifications. Users may
then use verification codes from the Microsoft Authenticator app, but they can only
register using the notification option. Users can also use any third-party application
that generates OATH TOTP codes.

Warning

Do not disable methods for your organization if you are using security defaults.
Disabling methods may lead to locking yourself out of your tenant. Leave all
Methods available to users enabled in the MFA service settings portal.

B2B users
Any B2B guest users or B2B direct connect users that access your directory are treated
the same as your organization's users.

Disabled MFA status

If your organization previously used per-user multifactor authentication, don't be
alarmed if users don't show an Enabled or Enforced status on the Multi-Factor Auth
status page. Disabled is the appropriate status for users who are protected by security
defaults or by Conditional Access based multifactor authentication.

Disabling security defaults

Organizations that choose to implement Conditional Access policies that replace
security defaults must disable security defaults.

To disable security defaults in your directory:

1. Sign in to the Microsoft Entra admin center.
2. Browse to Microsoft Entra ID (Azure AD) > Properties.
   a. Select Manage security defaults.
3. Set Security defaults to Disabled (not recommended).
4. Select Save.

Next steps
Blog: Introducing security defaults
More information about licensing can be found on the Azure AD pricing page.

Block legacy authentication with Azure AD Conditional Access
Article • 07/26/2023

To give your users easy access to your cloud apps, Azure Active Directory (Azure AD)
supports a broad variety of authentication protocols including legacy authentication.
However, legacy authentication doesn't support things like multifactor authentication
(MFA). MFA is a common requirement to improve security posture in organizations.

Based on Microsoft's analysis, more than 97 percent of credential stuffing attacks use
legacy authentication, and more than 99 percent of password spray attacks use legacy
authentication protocols. These attacks stop when basic authentication is disabled or
blocked.

Note

Effective October 1, 2022, we will begin to permanently disable Basic
Authentication for Exchange Online in all Microsoft 365 tenants regardless of
usage, except for SMTP Authentication. For more information, see the article
Deprecation of Basic authentication in Exchange Online.

Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020 blog post
New tools to block legacy authentication in your organization, explains why
organizations should block legacy authentication and which other tools Microsoft
provides to accomplish this task.

This article explains how you can configure Conditional Access policies that block legacy
authentication for all workloads within your tenant.

While rolling out legacy authentication blocking protection, we recommend a phased
approach, rather than disabling it for all users all at once. Customers may choose to first
begin disabling basic authentication on a per-protocol basis, by applying Exchange
Online authentication policies, then (optionally) also blocking legacy authentication via
Conditional Access policies when ready.

Customers without licenses that include Conditional Access can make use of security
defaults to block legacy authentication.

Prerequisites
This article assumes that you're familiar with the basic concepts of Azure AD Conditional
Access.

Note

Conditional Access policies are enforced after first-factor authentication is
completed. Conditional Access isn't intended to be an organization's first line of
defense for scenarios like denial-of-service (DoS) attacks, but it can use signals
from these events to determine access.

Scenario description
Azure AD supports the most widely used authentication and authorization protocols,
including legacy authentication. Legacy authentication can't directly prompt users for a
second factor or for the other requirements needed to satisfy Conditional Access
policies. This authentication pattern includes basic authentication, a widely used
industry-standard method for collecting user name and password information. Examples
of applications that commonly or only use legacy authentication are:

Microsoft Office 2013 or older.
Apps using mail protocols like POP, IMAP, and SMTP AUTH.

For more information about modern authentication support in Office, see How modern
authentication works for Office client apps.

Single factor authentication (for example, username and password) isn't enough these
days. Passwords are bad as they're easy to guess and we (humans) are bad at choosing
good passwords. Passwords are also vulnerable to various attacks, like phishing and
password spray. One of the easiest things you can do to protect against password
threats is to implement multifactor authentication (MFA). With MFA, even if an attacker
gets in possession of a user's password, the password alone isn't sufficient to
successfully authenticate and access the data.

How can you prevent apps using legacy authentication from accessing your tenant's
resources? The recommendation is to just block them with a Conditional Access policy.
If necessary, you allow only certain users and specific network locations to use apps that
are based on legacy authentication.

Implementation
This section explains how to configure a Conditional Access policy to block legacy
authentication.

Messaging protocols that support legacy authentication

The following messaging protocols support legacy authentication:

Authenticated SMTP - Used to send authenticated email messages.
Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes
in Exchange Online.
Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.
Exchange Online PowerShell - Used to connect to Exchange Online with remote
PowerShell. If you block Basic authentication for Exchange Online PowerShell, you
need to use the Exchange Online PowerShell Module to connect. For instructions,
see Connect to Exchange Online PowerShell using multifactor authentication.
Exchange Web Services (EWS) - A programming interface that's used by Outlook,
Outlook for Mac, and third-party apps.
IMAP4 - Used by IMAP email clients.
MAPI over HTTP (MAPI/HTTP) - Primary mailbox access protocol used by Outlook
2010 SP2 and later.
Offline Address Book (OAB) - A copy of address list collections that are
downloaded and used by Outlook.
Outlook Anywhere (RPC over HTTP) - Legacy mailbox access protocol supported
by all current Outlook versions.
POP3 - Used by POP email clients.
Reporting Web Services - Used to retrieve report data in Exchange Online.
Universal Outlook - Used by the Mail and Calendar app for Windows 10.
Other clients - Other protocols identified as utilizing legacy authentication.

For more information about these authentication protocols and services, see Sign-in
activity reports in the Azure portal.

Identify legacy authentication use

Before you can block legacy authentication in your directory, you need to first
understand if your users have client apps that use legacy authentication.

Sign-in log indicators

1. Navigate to the Azure portal > Azure Active Directory > Sign-in logs.
2. Add the Client App column if it isn't shown by clicking on Columns > Client App.
3. Select Add filters > Client App > choose all of the legacy authentication protocols
and select Apply.
4. If you've activated the new sign-in activity reports preview, repeat the above steps
also on the User sign-ins (non-interactive) tab.

Filtering shows you sign-in attempts made by legacy authentication protocols. Clicking
on each individual sign-in attempt shows you more details. The Client App field under
the Basic Info tab indicates which legacy authentication protocol was used.

These logs indicate where users are using clients that are still depending on legacy
authentication. For users that don't appear in these logs and are confirmed to not be
using legacy authentication, implement a Conditional Access policy for these users only.

Additionally, to help triage legacy authentication within your tenant use the Sign-ins
using legacy authentication workbook.
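The sign-in log triage described above can be scripted once the records are exported. The following Python is an added example, not code from this documentation: it classifies constructed sign-in records by their Client App value using the rule the article gives (Browser and Mobile Apps and Desktop clients are modern, a named client or protocol is legacy), counts attempts per legacy protocol, and separates users who signed in successfully over legacy protocols (who need remediation first) from users who can go into a block policy right away. The field names follow the Microsoft Graph signIn resource, and the Client App strings are assumed to match the portal's display names.

```python
"""Triage exported Azure AD sign-in log records for legacy authentication use.

Added example, not code from the Microsoft documentation. Assumes the records
were exported from the sign-in logs (portal Download button or the Microsoft
Graph signIns endpoint, whose field names are used here) and that clientAppUsed
values match the portal's Client App column. SAMPLE_SIGNINS is constructed.
"""
from collections import Counter, defaultdict

# Client App values that mean the client completed modern (OAuth 2.0 / OpenID
# Connect) authentication and can therefore satisfy MFA and device controls.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Values naming a specific client or protocol indicate legacy authentication.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "POP3", "Reporting Web Services", "Universal Outlook", "Other clients",
}

# Constructed sample: one user on EAS, one service account on SMTP AUTH, one
# user targeted by a failed password spray over IMAP4, and one modern-only user.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.com", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.com", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},  # AADSTS50126: invalid username or password
    {"userPrincipalName": "bob@contoso.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@contoso.com", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.com", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
]


def classify(client_app):
    """Return "modern", "legacy", or "unknown" for a Client App value.

    Unknown values are deliberately not assumed modern: treating them as
    legacy until reviewed is how you avoid shipping a block policy with a gap.
    """
    if client_app in MODERN_CLIENT_APPS:
        return "modern"
    if client_app in LEGACY_CLIENT_APPS:
        return "legacy"
    return "unknown"


def triage(records):
    """Summarise legacy-auth use in a set of sign-in records.

    Returns (legacy_users, attempts_by_protocol, modern_only_users):
      legacy_users          UPN -> sorted legacy protocols with a successful sign-in
      attempts_by_protocol  legacy protocol -> attempts, successful or not
      modern_only_users     sorted UPNs with no successful legacy sign-in
    """
    legacy_users = defaultdict(set)
    attempts_by_protocol = Counter()
    seen_users = set()
    for rec in records:
        upn = rec["userPrincipalName"]
        app = rec["clientAppUsed"]
        seen_users.add(upn)
        if classify(app) == "modern":
            continue
        # Failed legacy attempts are still attack surface (password spray lands
        # here), so count them; only successes tell you who a block will break.
        attempts_by_protocol[app] += 1
        if rec["status"]["errorCode"] == 0:
            legacy_users[upn].add(app)
    modern_only = sorted(seen_users - set(legacy_users))
    return ({u: sorted(a) for u, a in legacy_users.items()}, attempts_by_protocol, modern_only)


def rollout_plan(records):
    """Turn the triage into the two user sets a phased rollout needs."""
    legacy_users, by_protocol, modern_only = triage(records)
    return {
        "block_now": modern_only,                 # safe to put in the block policy today
        "remediate_first": sorted(legacy_users),  # fix or replace their clients first
        "legacy_protocols_seen": dict(by_protocol),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(rollout_plan(SAMPLE_SIGNINS), indent=2))
```

Run against a real export, the `remediate_first` list is the set of users and service accounts to exclude from the first phase of the block policy, and `legacy_protocols_seen` tells you which Exchange Online authentication policies to tighten per protocol.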

Indicators from client

To determine if a client is using legacy or modern authentication based on the dialog
box presented at sign-in, see the article Deprecation of Basic authentication in Exchange
Online.

Important considerations
Many clients that previously only supported legacy authentication now support modern
authentication. Clients that support both legacy and modern authentication may require
configuration update to move from legacy to modern authentication. If you see modern
mobile, desktop client or browser for a client in the Sign-in logs, it's using modern
authentication. If it has a specific client or protocol name, such as Exchange ActiveSync,
it's using legacy authentication. The client types in Conditional Access, Sign-in logs, and
the legacy authentication workbook distinguish between modern and legacy
authentication clients for you.

Clients that support modern authentication but aren't configured to use modern
authentication should be updated or reconfigured to use modern authentication.
All clients that don't support modern authentication should be replaced.

Important

Exchange ActiveSync with Certificate-based authentication (CBA)

When implementing Exchange ActiveSync (EAS) with CBA, configure clients to use
modern authentication. Clients not using modern authentication for EAS with CBA
are not blocked by the Deprecation of Basic authentication in Exchange Online.
However, these clients are blocked by Conditional Access policies configured to
block legacy authentication.

For more information on implementing support for CBA with Azure AD and
modern authentication, see How to configure Azure AD certificate-based
authentication (Preview). As another option, CBA performed at a federation server
can be used with modern authentication.

If you're using Microsoft Intune, you might be able to change the authentication type
using the email profile you push or deploy to your devices. If you're using iOS devices
(iPhones and iPads), you should take a look at Add e-mail settings for iOS and iPadOS
devices in Microsoft Intune.

Block legacy authentication

There are two ways to use Conditional Access policies to block legacy authentication.

Directly blocking legacy authentication
Indirectly blocking legacy authentication

Directly blocking legacy authentication

The easiest way to block legacy authentication across your entire organization is by
configuring a Conditional Access policy that applies specifically to legacy authentication
clients and blocks access. When assigning users and applications to the policy, make
sure to exclude users and service accounts that still need to sign in using legacy
authentication. When choosing the cloud apps in which to apply this policy, select All
cloud apps, targeted apps such as Office 365 (recommended) or at a minimum, Office
365 Exchange Online. Organizations can use the policy available in Conditional Access
templates or the common policy Conditional Access: Block legacy authentication as a
reference.

Indirectly blocking legacy authentication

If your organization isn't ready to block legacy authentication completely, you should
ensure that sign-ins using legacy authentication aren't bypassing policies that require
grant controls like multifactor authentication. During authentication, legacy
authentication clients don't support sending MFA, device compliance, or join state
information to Azure AD. Therefore, apply policies with grant controls to all client
applications so that legacy authentication based sign-ins that can’t satisfy the grant
controls are blocked. With the general availability of the client apps condition in August
2020, newly created Conditional Access policies apply to all client apps by default.
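The two approaches above, the direct block policy and the MFA policy that catches legacy sign-ins only when its client app scope includes them, can be expressed as Microsoft Graph conditionalAccessPolicy bodies. The following Python is an added example, not Microsoft's code: it builds both policies (report-only by default, so you can measure the effect before enforcing), and predicts what each does to a legacy-protocol sign-in, including the bypass that occurs when an MFA policy is scoped to modern client apps only. The JSON shape follows the Graph conditionalAccessPolicy resource; the object ID is a constructed placeholder, and posting the body to /identity/conditionalAccess/policies is left to the caller.

```python
"""Build Microsoft Graph conditionalAccessPolicy bodies that block legacy
authentication, and predict what each does to a legacy-protocol sign-in.

Added example, not Microsoft's code. The body shape follows the Graph
conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies);
the object ID used below is a constructed placeholder.
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # evaluate and log, don't enforce
ENABLED = "enabled"

# Graph clientAppTypes values. The last two are the legacy authentication ones.
MODERN_TYPES = ("browser", "mobileAppsAndDesktopClients")
LEGACY_TYPES = ("exchangeActiveSync", "other")


def build_block_legacy_policy(exclude_users, exclude_groups=(), state=REPORT_ONLY):
    """Direct approach: scope the policy to legacy client apps only and deny access.

    exclude_users / exclude_groups hold the accounts (for example a scanner that
    still sends over SMTP AUTH) that must keep legacy access until remediated.
    """
    return {
        "displayName": "Block legacy authentication",
        "state": state,
        "conditions": {
            "clientAppTypes": list(LEGACY_TYPES),
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(exclude_users),
                "excludeGroups": list(exclude_groups),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def build_mfa_policy(client_app_types=("all",), exclude_users=(), state=REPORT_ONLY):
    """Indirect approach: require MFA for every sign-in in scope.

    Whether legacy sign-ins are caught depends entirely on client_app_types:
    "all" catches them, a modern-only scope lets them through untouched.
    """
    return {
        "displayName": "Require MFA for all users",
        "state": state,
        "conditions": {
            "clientAppTypes": list(client_app_types),
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(exclude_users),
                "excludeGroups": [],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def legacy_signin_outcome(policy, client_app_type="exchangeActiveSync", user_id=None):
    """Predict what one policy does to a legacy-protocol sign-in.

    Returns "block", "report-only block", or "allow". Legacy clients cannot
    present MFA, device compliance or join state, so any non-empty grant control
    they are in scope for ends in a block; a policy that does not scope their
    client app type, or that excludes the user, never evaluates them at all.
    """
    if policy["state"] == "disabled":
        return "allow"
    users = policy["conditions"]["users"]
    if user_id is not None and user_id in users.get("excludeUsers", []):
        return "allow"
    scope = set(policy["conditions"]["clientAppTypes"])
    if "all" not in scope and client_app_type not in scope:
        return "allow"
    if not policy["grantControls"]["builtInControls"]:
        return "allow"
    return "block" if policy["state"] == ENABLED else "report-only block"


def blocks_legacy(policies, client_app_type="other"):
    """True when at least one enforced policy blocks the given legacy client type."""
    return any(legacy_signin_outcome(p, client_app_type) == "block" for p in policies)


if __name__ == "__main__":
    scanner = "00000000-0000-0000-0000-000000000001"  # constructed object ID
    print(json.dumps(build_block_legacy_policy([scanner]), indent=2))
```

The `legacy_signin_outcome` check is the point of the example: an MFA policy built with `client_app_types=MODERN_TYPES` returns "allow" for an `other` sign-in, which is exactly the bypass the indirect approach warns about, while the same policy scoped to `all` returns "block".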

What you should know

It can take up to 24 hours for the Conditional Access policy to go into effect.

Blocking access using Other clients also blocks Exchange Online PowerShell and
Dynamics 365 using basic auth.

Configuring a policy for Other clients blocks the entire organization from certain clients
like SPConnect. This block happens because older clients authenticate in unexpected
ways. The issue doesn't apply to major Office applications like the older Office clients.

You can select all available grant controls for the Other clients condition; however, the
end-user experience is always the same - blocked access.

Next steps
Determine effect using Conditional Access report-only mode
If you aren't familiar with configuring Conditional Access policies yet, see require
MFA for specific apps with Azure Active Directory Conditional Access for an
example.
For more information about modern authentication support, see How modern
authentication works for Office client apps
How to set up a multifunction device or application to send email using Microsoft
365
Enable modern authentication in Exchange Online
Enable Modern Authentication for Office 2013 on Windows devices
How to configure Exchange Server on-premises to use Hybrid Modern
Authentication
How to use Modern Authentication with Skype for Business
How to find your Azure Active Directory tenant ID
Article • 07/25/2023

Azure subscriptions have a trust relationship with Azure Active Directory (Azure AD).
Azure AD is trusted to authenticate the subscription's users, services, and devices. Each
subscription has a tenant ID associated with it, and there are a few ways you can find the
tenant ID for your subscription.

Find tenant ID through the Azure portal

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

1. Sign in to the Azure portal.
2. Select Azure Active Directory.
3. Select Properties.
4. Scroll down to the Tenant ID section and you can find your tenant ID in the box.

Find tenant ID with PowerShell
To find the tenant ID with Azure PowerShell, use the cmdlet Get-AzTenant.

Azure PowerShell

Connect-AzAccount
Get-AzTenant

For more information, see the Get-AzTenant cmdlet reference.

Find tenant ID with CLI

The Azure CLI or Microsoft 365 CLI can be used to find the tenant ID.

For Azure CLI, use one of the commands az login, az account list, or az account tenant
list. All of the commands below return the tenantId property for each of your
subscriptions.

Azure CLI

az login
az account list
az account tenant list

For more information, see az login command reference, az account command reference,
or az account tenant command reference.

For Microsoft 365 CLI, use the command tenant id get as shown in the following example:

cli

m365 tenant id get

For more information, see the Microsoft 365 tenant ID get command reference.

Next steps
To create a new Azure AD tenant, see Quickstart: Create a new tenant in Azure
Active Directory.
To learn how to associate or add a subscription to a tenant, see Associate or add
an Azure subscription to your Azure Active Directory tenant.
To learn how to find the object ID, see Find the user object ID.

Find help and get support for Azure Active Directory
Article • 03/16/2023

Microsoft documentation and learning content provide quality support and
troubleshooting information, but if you have a problem not covered in our content,
there are several options to get help and support for Azure Active Directory (Azure AD).
This article provides the options to find support from the Microsoft community and how
to submit a support request with Microsoft.

Ask the Microsoft community

Start with our Microsoft community members who may have an answer to your
question. These communities provide support, feedback, and general discussions on
Microsoft products and services. Before creating a support request, check out the
following resources for answers and information.

For how-to information, quickstarts, or code samples for IT professionals and
developers, see the technical documentation at learn.microsoft.com.
Post a question to Microsoft Q&A to get answers to your identity and access
questions directly from Microsoft engineers, Azure Most Valuable Professionals
(MVPs) and members of our expert community.
The Microsoft Technical Community is the place for our IT pro partners and
customers to collaborate, share, and learn. Join the community to post questions
and submit your ideas.
The Microsoft Technical Community Info Center is used for announcements, blog
posts, ask-me-anything (AMA) interactions with experts, and more.

Microsoft Q&A best practices

Microsoft Q&A is Azure's recommended source for community support. We recommend
using one of the following tags when posting a question. Check out our tips for writing
quality questions.

Component/area                                      Tags
Microsoft Authentication Library (MSAL)             [msal]
Open Web Interface for .NET (OWIN) middleware       [azure-active-directory]
Azure AD B2B / External Identities                  [azure-ad-b2b]
Azure AD B2C                                        [azure-ad-b2c]
Microsoft Graph API                                 [azure-ad-graph]
All other authentication and authorization areas    [azure-active-directory]

Open a support request in Azure Active Directory
If you're unable to find answers by using self-help resources, you can open an online
support request. You should open a support request for only a single problem, so that
we can connect you to the support engineers who are subject matter experts for your
problem. Azure AD engineering teams prioritize their work based on incidents that are
generated from support, so you're often contributing to service improvements.

Support is available online and by phone for Microsoft Azure paid and trial subscriptions
on global technical, pre-sales, billing, and subscription issues. Phone support and online
billing support are available in additional languages.

Explore the range of Azure support options and choose the plan that best fits your
scenario, whether you're an IT admin managing your organization's tenant, a developer
just starting your cloud journey, or a large organization deploying business-critical,
strategic applications. Azure customers can create and manage support requests in the
Azure portal.

If you already have an Azure Support Plan, open a support request here.

If you're not an Azure customer, you can open a support request with Microsoft
Support for business.

Note

If you're using Azure AD B2C, open a support ticket by first switching to an Azure
AD tenant that has an Azure subscription associated with it. Typically, this is your
employee tenant or the default tenant created for you when you signed up for an
Azure subscription. To learn more, see how an Azure subscription is related to
Azure AD.

1. Sign in to the Azure portal and open Azure Active Directory.

2. Scroll down to Troubleshooting + Support and select New support request.

3. Follow the prompts to provide us with information about the problem you're
having.

We'll walk you through some steps to gather information about your problem and help
you solve it. Each step is described in the following sections.

1. Problem description
1. Under Problem description, enter a brief description in the Summary field.

2. Select an Issue type.

Options are Billing and Subscription management. Once an option is selected,
Problem type and Problem subtype fields appear, pre-populated with options
associated with the initial selection.

3. Select Next at the bottom of the page.

2. Recommended solution
Based on the information you provided, we'll show you recommended solutions you can
use to try to resolve the problem. Solutions are written by Azure engineers and will solve
most common problems.

If you're still unable to resolve the issue, select Next to continue creating the support
request.

3. Additional details
Next, we collect more details about the problem. Providing thorough and detailed
information in this step helps us route your support request to the right engineer.

1. Complete the Problem details section so that we have more information about
your issue. If possible, tell us when the problem started and any steps to reproduce
it. You can upload a file, such as a log file or output from diagnostics. For more
information on file uploads, see File upload guidelines.

2. In the Advanced diagnostic information section, select Yes or No.

Selecting Yes allows Azure support to gather advanced diagnostic
information from your Azure resources.
If you prefer not to share this information, select No. For more information
about the types of files we might collect, see Advanced diagnostic
information logs section.
In some scenarios, an administrator in your tenant may need to approve
Microsoft Support access to your Azure Active Directory identity data.

3. In the Support method section, select your preferred contact method and support
language.

Some details are pre-selected for you.

The support plan and severity are populated based on your plan.
The maximum severity level depends on your support plan.

4. Next, complete the Contact info section so we know how to contact you.

Select Next when you've completed all of the necessary information.

4. Review + create
Before you create your request, review all of the details that you'll send to support. You
can select Previous to return to any tab if you need to make changes. When you're
satisfied the support request is complete, select Create.

A support engineer will contact you using the method you indicated. For information
about initial response times, see Support scope and responsiveness.

Get Microsoft 365 admin center support

Support for Azure AD in the Microsoft 365 admin center is offered for administrators
through the admin center. Review the support for Microsoft 365 for business article.

Stay informed
Things can change quickly. The following resources provide updates and information on
the latest releases.

Azure Updates: Learn about important product updates, roadmap, and
announcements.
What's new in Azure AD: Get to know what's new in Azure AD including the latest
release notes, known issues, bug fixes, deprecated functionality, and upcoming
changes.
Azure Active Directory Identity Blog: Get news and information about Azure AD.

Next steps
Post a question to Microsoft Q&A
Join the Microsoft Technical Community
Learn about the diagnostic data Azure identity support can access

What's new in Azure Active Directory?
Article • 07/30/2023

Get notified about when to revisit this page for updates by copying and pasting this
URL: https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us
into your feed reader.

Azure AD receives improvements on an ongoing basis. To stay up to date with the most
recent developments, this article provides you with information about:

The latest releases
Known issues
Bug fixes
Deprecated functionality
Plans for changes

This page updates monthly, so revisit it regularly. If you're looking for items older than
six months, you can find them in Archive for What's new in Azure Active Directory.

July 2023

General Availability: Azure Active Directory (Azure AD) is being renamed.
Type: Changed feature
Service category: N/A
Product capability: End User Experiences

No action is required from you, but you may need to update some of your own
documentation.

Azure AD is being renamed to Microsoft Entra ID. The name change rolls out across all
Microsoft products and experiences throughout the second half of 2023.

Capabilities, licensing, and usage of the product isn't changing. To make the transition
seamless for you, the pricing, terms, service level agreements, URLs, APIs, PowerShell
cmdlets, Microsoft Authentication Library (MSAL) and developer tooling remain the
same.

Learn more and get renaming details: New name for Azure Active Directory.

General Availability - Include/exclude My Apps in Conditional Access policies
Type: Fixed
Service category: Conditional Access
Product capability: End User Experiences

My Apps can now be targeted in Conditional Access policies. This solves a top customer
blocker. The functionality is available in all clouds. GA also brings a new app launcher,
which improves app launch performance for both SAML and other app types.

Learn More about setting up Conditional Access policies here: Azure AD Conditional
Access documentation.

General Availability - Conditional Access for Protected Actions
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Protected actions are high-risk operations, such as altering access policies or changing
trust settings, that can significantly impact an organization's security. To add an extra
layer of protection, Conditional Access for Protected Actions lets organizations define
specific conditions for users to perform these sensitive tasks. For more information, see:
What are protected actions in Azure AD?.

General Availability - Access Reviews for Inactive Users
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

This new feature, part of the Microsoft Entra ID Governance SKU, allows admins to
review and address stale accounts that haven’t been active for a specified period.
Admins can set a specific duration to determine inactive accounts that weren't used for
either interactive or non-interactive sign-in activities. As part of the review process, stale
accounts can automatically be removed. For more information, see: Microsoft Entra ID
Governance Introduces Two New Features in Access Reviews.

General Availability - Automatic assignments to access packages in Microsoft Entra ID Governance
Type: Changed feature
Service category: Entitlement Management
Product capability: Entitlement Management

Microsoft Entra ID Governance includes the ability for a customer to configure an
assignment policy in an entitlement management access package that includes an
attribute-based rule, similar to dynamic groups, of the users who should be assigned
access. For more information, see: Configure an automatic assignment policy for an
access package in entitlement management.

General Availability - Custom Extensions in Entitlement Management
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

Custom extensions in Entitlement Management are now generally available, and allow
you to extend the access lifecycle with your organization-specific processes and
business logic when access is requested or about to expire. With custom extensions you
can create tickets for manual access provisioning in disconnected systems, send custom
notifications to additional stakeholders, or automate additional access-related
configuration in your business applications such as assigning the correct sales region in
Salesforce. You can also leverage custom extensions to embed external governance, risk,
and compliance (GRC) checks in the access request.

For more information, see:

Microsoft Entra ID Governance Entitlement Management New Generally Available


Capabilities
Trigger Logic Apps with custom extensions in entitlement management

General Availability - Conditional Access templates
Type: Plan for change
Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access templates are a predefined set of conditions and controls that provide
a convenient method to deploy new policies aligned with Microsoft recommendations.
Customers are assured that their policies reflect modern best practices for securing
corporate assets, promoting secure, optimal access for their hybrid workforce. For more
information, see: Conditional Access templates.

General Availability - Lifecycle Workflows
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

User identity lifecycle is a critical part of an organization’s security posture, and when
managed correctly, can have a positive impact on their users’ productivity for Joiners,
Movers, and Leavers. The ongoing digital transformation is accelerating the need for
good identity lifecycle management. However, IT and security teams face enormous
challenges managing the complex, time-consuming, and error-prone manual processes
necessary to execute the required onboarding and offboarding tasks for hundreds of
employees at once. This is an ever present and complex issue IT admins continue to face
with digital transformation across security, governance, and compliance.

Lifecycle Workflows, one of our newest Microsoft Entra ID Governance capabilities, is
now generally available to help organizations further optimize their user identity
lifecycle. For more information, see: Lifecycle Workflows is now generally available!

General Availability - Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities.
Type: New feature
Service category: User Experience and Management
Product capability: User Authentication

Update the Microsoft Entra ID and Microsoft 365 sign in experience with new Company
Branding capabilities. You can apply your company’s brand guidance to authentication
experiences with predefined templates. For more information, see: Company Branding

General Availability - Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding.
Type: Changed feature
Service category: User Experience and Management
Product capability: End User Experiences

Update the Company Branding functionality on the Microsoft Entra ID/Microsoft 365
sign in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks,
footer hyperlinks, and a browser icon. For more information, see: Company Branding

General Availability - User-to-Group Affiliation recommendation for group Access Reviews
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

This feature provides machine learning based recommendations to the reviewers of
Azure AD Access Reviews to make the review experience easier and more accurate. The
recommendation uses a machine learning based scoring mechanism and compares a
user's relative affiliation with other users in the group, based on the organization's
reporting structure. For more information, see: Review recommendations for Access
reviews and Introducing Machine Learning based recommendations in Azure AD Access
reviews.

Public Preview - Inactive guest insights
Type: New feature
Service category: Reporting
Product capability: Identity Governance

Monitor guest accounts at scale with intelligent insights into inactive guest users in your
organization. Customize the inactivity threshold depending on your organization’s
needs, narrow down the scope of guest users you want to monitor and identify the
guest users that may be inactive. For more information, see: Monitor and clean up stale
guest accounts using access reviews.
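The insight above is computed from the same data you can pull yourself: each user's signInActivity. The following script is an added example, not code from the Microsoft docs page or from Microsoft; it shows the check a practitioner would run before bulk-disabling guests, including the two cases that trip people up (a guest whose only recent activity is non-interactive, and a guest who was invited but never signed in). It assumes the records mirror what `GET /users?$filter=userType eq 'Guest'&$select=id,userPrincipalName,userType,createdDateTime,signInActivity` returns (reading signInActivity needs AuditLog.Read.All and a Premium licence); the four records are constructed sample data.

```python
"""Added example, not from the Microsoft docs page or Microsoft's own tooling:
compute "inactive guest" candidates from a snapshot of user objects, the same
input the inactive guest insight works from.

Assumptions: the records mirror what
GET /users?$filter=userType eq 'Guest'&$select=id,userPrincipalName,userType,createdDateTime,signInActivity
returns (reading signInActivity needs AuditLog.Read.All and an Azure AD
Premium P1/P2 licence); the four records below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_USERS = [
    # Interactive sign-in is stale, but a recent non-interactive one (token
    # refresh from a mobile app) shows the guest is still using shared content.
    {"id": "g1", "userPrincipalName": "alice_fabrikam.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2022-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-02-01T09:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-07-28T02:00:00Z"}},
    {"id": "g2", "userPrincipalName": "bob_adatum.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2021-06-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-03-01T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    # Invited but never redeemed: Graph returns no signInActivity at all.
    {"id": "g3", "userPrincipalName": "carol_example.org#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2022-11-15T00:00:00Z"},
    {"id": "m1", "userPrincipalName": "dave@contoso.onmicrosoft.com",
     "userType": "Member", "createdDateTime": "2020-01-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2022-01-01T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user):
    """Latest of interactive and non-interactive sign-in; for guests who never
    signed in, fall back to the invitation (creation) time so they age out too."""
    activity = user.get("signInActivity") or {}
    stamps = [_ts(v) for v in (activity.get("lastSignInDateTime"),
                               activity.get("lastNonInteractiveSignInDateTime")) if v]
    return max(stamps) if stamps else _ts(user["createdDateTime"])


def inactive_guests(users, threshold_days=90, now=None):
    """Guests with no activity for threshold_days, most stale first.
    Members are skipped: this is a guest clean-up, not an account audit."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=threshold_days)
    stale = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        last = last_activity(u)
        if last < cutoff:
            stale.append({"id": u["id"], "upn": u["userPrincipalName"],
                          "days_inactive": (now - last).days,
                          "never_signed_in": "signInActivity" not in u})
    return sorted(stale, key=lambda r: r["days_inactive"], reverse=True)


if __name__ == "__main__":
    for row in inactive_guests(SAMPLE_USERS, threshold_days=90):
        print(row)
```

Feed the output into an access review or a disable-then-delete workflow rather than deleting directly: a guest who shows as "never signed in" may hold a pending invitation that the sponsor still expects to be redeemed.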

Public Preview - Just-in-time application access with PIM for Groups
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

You can minimize the number of persistent administrators in applications such as
AWS/GCP and get JIT access to groups in AWS and GCP. While PIM for Groups is
publicly available, we've released a public preview that integrates PIM with provisioning
and reduces the activation delay from 40+ minutes to 1 – 2 minutes.

Public Preview - Graph beta API for PIM security alerts on Azure AD roles
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Announcing API support (beta) for managing PIM security alerts for Azure AD roles.
Azure Privileged Identity Management (PIM) generates alerts when there's suspicious or
unsafe activity in your organization in Azure Active Directory (Azure AD), part of
Microsoft Entra. You can now manage these alerts using REST APIs. These alerts can also
be managed through the Azure portal. For more information, see:
unifiedRoleManagementAlert resource type.

General Availability - Reset Password on Azure Mobile App
Type: New feature
Service category: Other
Product capability: End User Experiences

The Azure mobile app has been enhanced to empower admins with specific permissions
to conveniently reset their users' passwords. Self Service Password Reset will not be
supported at this time. However, users can still more efficiently control and streamline
their own sign-in and auth methods. The mobile app can be downloaded for each
platform here:

Android: https://aka.ms/AzureAndroidWhatsNew
iOS: https://aka.ms/ReferAzureIOSWhatsNew

Public Preview - API-driven inbound user provisioning
Type: New feature
Service category: Provisioning
Product capability: Inbound to Azure AD

With API-driven inbound provisioning, the Microsoft Entra ID provisioning service now
supports integration with any system of record. Customers and partners can use any
automation tool of their choice to retrieve workforce data from any system of record for
provisioning into Entra ID and connected on-premises Active Directory domains. The IT
admin has full control on how the data is processed and transformed with attribute
mappings. Once the workforce data is available in Entra ID, the IT admin can configure
appropriate joiner-mover-leaver business processes using Entra ID Governance Lifecycle
Workflows. For more information, see: API-driven inbound provisioning concepts (Public
preview).
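The "any automation tool" in the paragraph above ends up producing one specific artifact: a SCIM 2.0 BulkRequest (RFC 7644 section 3.7) posted to the provisioning job. The script below is an added example, not code from the Microsoft docs page or from Microsoft, showing how an HR extract becomes that payload and where the security-relevant decisions sit: an immutable externalId (the HR key, never the email) so that a renamed user is matched rather than duplicated, and leavers sent with active=false so their Entra ID account is disabled in the same run. The bulk endpoint path, the 50-operations-per-request limit and the SynchronizationData-User.Upload permission are assumptions taken from the preview documentation and should be verified; the HR rows are constructed sample data.

```python
"""Added example, not from the Microsoft docs page or Microsoft's own code:
turn a constructed HR extract into SCIM 2.0 BulkRequests (RFC 7644 section
3.7) of the shape the API-driven inbound provisioning endpoint consumes.

Assumptions (verify against the current preview docs before use): the job's
bulk endpoint is
  POST https://graph.microsoft.com/beta/servicePrincipals/{spId}/synchronization/jobs/{jobId}/bulkUpload
with Content-Type application/scim+json, it accepts at most 50 operations per
request, and the caller needs the SynchronizationData-User.Upload permission.
The HR rows below are constructed sample data.
"""
import csv
import io
import json
import uuid

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
MAX_OPS = 50  # assumption: per-request limit documented for the preview

# Constructed HR extract. "status" drives the joiner/leaver signal: anyone not
# Active is sent with active=false so the matching Entra ID account is disabled
# rather than left with a live password.
HR_CSV = """employee_id,first_name,last_name,email,department,manager_id,status
701984,Barbara,Jensen,bjensen@contoso.example,Tour Operations,89607,Active
702001,Jaime,Ortiz,jortiz@contoso.example,Finance,89607,Terminated
"""


def hr_rows(text=HR_CSV):
    return list(csv.DictReader(io.StringIO(text)))


def to_scim_user(row):
    """Map one HR row to a SCIM User. externalId is the immutable HR key the
    provisioning service uses to match existing accounts, so it must never be
    the (mutable) email address."""
    if not row["employee_id"] or not row["email"]:
        raise ValueError(f"row missing employee_id or email: {row}")
    full_name = f'{row["first_name"]} {row["last_name"]}'
    user = {
        "schemas": [CORE, ENTERPRISE],
        "externalId": row["employee_id"],
        "userName": row["email"],
        "name": {"givenName": row["first_name"], "familyName": row["last_name"],
                 "formatted": full_name},
        "displayName": full_name,
        "emails": [{"value": row["email"], "type": "work", "primary": True}],
        "active": row["status"] == "Active",
        ENTERPRISE: {"employeeNumber": row["employee_id"],
                     "department": row["department"]},
    }
    if row["manager_id"]:
        user[ENTERPRISE]["manager"] = {"value": row["manager_id"]}
    return user


def build_bulk_requests(rows):
    """One BulkRequest per MAX_OPS rows. Every operation gets a unique bulkId so
    per-operation results in the provisioning logs can be tied back to a row."""
    ops = [{"method": "POST", "bulkId": str(uuid.uuid4()), "path": "/Users",
            "data": to_scim_user(r)} for r in rows]
    return [{"schemas": [BULK], "Operations": ops[i:i + MAX_OPS],
             "failOnErrors": None}
            for i in range(0, len(ops), MAX_OPS)]


def bulk_upload_url(sp_id, job_id):
    # Assumption: endpoint path as documented for the public preview.
    return (f"https://graph.microsoft.com/beta/servicePrincipals/{sp_id}"
            f"/synchronization/jobs/{job_id}/bulkUpload")


def post_payload(payload, sp_id, job_id, access_token):
    """Send one BulkRequest. Not called at import time; needs a token carrying
    the SynchronizationData-User.Upload permission (assumption, see above)."""
    import urllib.request
    req = urllib.request.Request(
        bulk_upload_url(sp_id, job_id), data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 202 Accepted: the job queued the batch


if __name__ == "__main__":
    for payload in build_bulk_requests(hr_rows()):
        print(json.dumps(payload, indent=2))
```

The bulk endpoint only queues the batch; whether each user was created, updated or disabled shows up later in the provisioning logs, keyed by the bulkId, so keep the generated bulkIds alongside the HR run they came from.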

Public Preview - Dynamic Groups based on EmployeeHireDate User attribute
Type: New feature
Service category: Group Management
Product capability: Directory

This feature enables admins to create dynamic group rules based on the user objects'
employeeHireDate attribute. For more information, see: Properties of type string.

General Availability - Enhanced Create User and Invite User Experiences
Type: Changed feature
Service category: User Management
Product capability: User Management

We have increased the number of properties admins are able to define when creating
and inviting a user in the Entra admin portal, bringing our UX to parity with our Create
User APIs. Additionally, admins can now add users to a group or administrative unit, and
assign roles. For more information, see: Add or delete users using Azure Active
Directory.

General Availability - All Users and User Profile
Type: Changed feature
Service category: User Management
Product capability: User Management

The All Users list now features an infinite scroll, and admins can now modify more
properties in the User Profile. For more information, see: How to create, invite, and
delete users.

Public Preview - Windows MAM
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

“When will you have MAM for Windows?” is one of our most frequently asked customer
questions. We’re happy to report that the answer is: “Now!” We’re excited to offer this
new and long-awaited MAM Conditional Access capability in Public Preview for
Microsoft Edge for Business on Windows.

Using MAM Conditional Access, Microsoft Edge for Business provides users with secure
access to organizational data on personal Windows devices with a customizable user
experience. We’ve combined the familiar security features of app protection policies
(APP), Windows Defender client threat defense, and Conditional Access, all anchored to
Azure AD identity to ensure un-managed devices are healthy and protected before
granting data access. This can help businesses to improve their security posture and
protect sensitive data from unauthorized access, without requiring full mobile device
enrollment.

The new capability extends the benefits of app layer management to the Windows
platform via Microsoft Edge for Business. Admins are empowered to configure the user
experience and protect organizational data within Microsoft Edge for Business on un-
managed Windows devices.

For more information, see: Require an app protection policy on Windows devices
(preview).

General Availability - New Federated Apps available in Azure AD Application gallery - July 2023
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In July 2023 we added the following new applications in our App gallery with
Federation support:

Gainsight SAML, Dataddo, Puzzel, Worthix App, iOps360 IdConnect, Airbase,
Couchbase Capella - SSO, SSO for Jama Connect®, mediment (メディメント),
Netskope Cloud Exchange Administration Console, Uber, Plenda, Deem Mobile,
40SEAS, Vivantio, AppTweak, ioTORQ EMIS, Vbrick Rev Cloud, OptiTurn,
Application Experience with Mist, クラウド勤怠管理システムKING OF TIME,
Connect1, DB Education Portal for Schools, SURFconext, Chengliye Smart SMS Platform,
CivicEye SSO, Colloquial, BigPanda, Foreman

You can also find the documentation for all of these applications at
https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at
https://aka.ms/AzureADAppRequest.

Public Preview - New provisioning connectors in the Azure AD Application Gallery - July 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

Albert
Rhombus Systems
Axiad Cloud
Dagster Cloud
WATS
Funnel Leasing

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

General Availability - Microsoft Authentication Library for .NET 4.55.0
Type: New feature
Service category: Other
Product capability: User Authentication

Earlier this month we announced the release of MSAL.NET 4.55.0, the latest version of
the Microsoft Authentication Library for the .NET platform. The new version introduces
support for user-assigned managed identity being specified through object IDs, CIAM
authorities in the WithTenantId API, better error messages when dealing with cache
serialization, and improved logging when using the Windows authentication broker.

General Availability - Microsoft Authentication Library for Python 1.23.0
Type: New feature
Service category: Other
Product capability: User Authentication

Earlier this month, the Microsoft Authentication Library team announced the release of
MSAL for Python version 1.23.0. The new version of the library adds support for better
caching when using client credentials, eliminating the need to request new tokens
repeatedly when cached tokens exist.

To learn more about MSAL for Python, see: Microsoft Authentication Library (MSAL) for
Python.

June 2023

Public Preview - New provisioning connectors in the Azure AD Application Gallery - June 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

Headspace
Humbol
LUSID
Markit Procurement Service
Moqups
Notion
OpenForms
SafeGuard Cyber
Uni-tel A/S
Vault Platform
V-Client
Veritas Enterprise Vault.cloud SSO-SCIM

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

General Availability - Include/exclude Entitlement Management in Conditional Access policies
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

The Entitlement Management service can now be targeted in the Conditional Access
policy for inclusion or exclusion of applications. To target the Entitlement Management
service, select “Azure AD Identity Governance - Entitlement Management” in the cloud
apps picker. The Entitlement Management app includes the entitlement management
part of My Access, the Entitlement Management part of the Entra and Azure portals, and
the Entitlement Management part of MS Graph. For more information, see: Review your
Conditional Access policies.

General Availability - Azure Active Directory User and Group capabilities on Azure Mobile are now available
Type: New feature
Service category: Azure Mobile App
Product capability: End User Experiences

The Azure Mobile app now includes a section for Azure Active Directory. Within Azure
Active Directory on mobile, users can search for and view more details about users and
groups. Additionally, permitted users can invite guest users to their active tenant, assign
group memberships and ownerships for users, and view user sign-in logs. For more
information, see: Get the Azure mobile app.

Plan for change - Modernizing Terms of Use Experiences
Type: Plan for change
Service category: Terms of Use
Product capability: AuthZ/Access Delegation

Recently we announced the modernization of terms of use end-user experiences as part
of ongoing service improvements. As previously communicated, the end user
experiences will be updated with a new PDF viewer and are moving from
https://account.activedirectory.windowsazure.com to
https://myaccount.microsoft.com.

Starting today the modernized experience for viewing previously accepted terms of use
is available via https://myaccount.microsoft.com/termsofuse/myacceptances. We
encourage you to check out the modernized experience, which follows the same
updated design pattern as the upcoming modernization of accepting or declining terms
of use as part of the sign-in flow. We would appreciate your feedback before we
begin to modernize the sign-in flow.

General Availability - Privileged Identity Management for Groups
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management for Groups is now generally available. With this feature,
you have the ability to grant users just-in-time membership in a group, which in turn
provides access to Azure Active Directory roles, Azure roles, Azure SQL, Azure Key Vault,
Intune, other application roles, and third-party applications. Through one activation, you
can conveniently assign a combination of permissions across different applications and
RBAC systems.

PIM for Groups can also be used for just-in-time ownership. As the owner of the
group, you can manage group properties, including membership. For more information,
see: Privileged Identity Management (PIM) for Groups.

General Availability - Privileged Identity Management and Conditional Access integration
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

The Privileged Identity Management (PIM) integration with Conditional Access
authentication context is generally available. You can require users to meet various
requirements during role activation such as:

Have a specific authentication method through Authentication Strengths
Activate from a compliant device
Validate location based on GPS
Not have certain level of sign-in risk identified with Identity Protection
Meet other requirements defined in Conditional Access policies

The integration is available for all providers: PIM for Azure AD roles, PIM for Azure
resources, PIM for groups. For more information, see:

Configure Azure AD role settings in Privileged Identity Management
Configure Azure resource role settings in Privileged Identity Management
Configure PIM for Groups settings

General Availability - Updated look and feel for Per-user MFA
Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

As part of ongoing service improvements, we're making updates to the per-user MFA
admin configuration experience to align with the look and feel of Azure. This change
doesn't include any changes to the core functionality and will only include visual
improvements. For more information, see: Enable per-user Azure AD Multi-Factor
Authentication to secure sign-in events.

General Availability - Converged Authentication Methods in US Gov cloud
Type: New feature
Service category: MFA
Product capability: User Authentication
The Converged Authentication Methods Policy enables you to manage all authentication
methods used for MFA and SSPR in one policy, migrate off the legacy MFA and SSPR
policies, and target authentication methods to groups of users instead of enabling them
for all users in the tenant. Customers should migrate management of authentication
methods off the legacy MFA and SSPR policies before September 30, 2024. For more
information, see: Manage authentication methods for Azure AD.

General Availability - Support for Directory Extensions using Azure AD Cloud Sync
Type: New feature
Service category: Provisioning
Product capability: Azure Active Directory Connect Cloud Sync

Hybrid IT Admins can now sync both Active Directory and Azure AD Directory Extensions
using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover
the schema for both Active Directory and Azure Active Directory, thereby, allowing
customers to map the needed attributes using Cloud Sync's attribute mapping
experience. For more information, see: Cloud Sync directory extensions and custom
attribute mapping.

Public Preview - Restricted Management Administrative Units
Type: New feature
Service category: Directory Management
Product capability: Access Control

Restricted Management Administrative Units allow you to restrict modification of users,
security groups, and devices in Azure AD so that only designated administrators can
make changes. Global Administrators and other tenant-level administrators can't modify
the users, security groups, or devices that are added to a restricted management
administrative unit. For more information, see: Restricted management administrative
units in Azure Active Directory (Preview).

General Availability - Report suspicious activity integrated with Identity Protection
Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Report suspicious activity is an updated implementation of the MFA fraud alert, where
users can report a voice or phone app MFA prompt as suspicious. If enabled, users
reporting prompts have their user risk set to high, enabling admins to use Identity
Protection risk based policies or risk detection APIs to take remediation actions. Report
suspicious activity operates in parallel with the legacy MFA fraud alert at this time. For
more information, see: Configure Azure AD Multi-Factor Authentication settings.
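The operational consequence of the change above is that a user report now lands in the same risk detection feed as every other Identity Protection signal, so it can be triaged with the same tooling. The script below is an added example, not code from the Microsoft docs page or from Microsoft: it joins each user-reported detection to the sign-in whose MFA prompt was reported, because that sign-in (source IP, country, target app) is what the responder needs, and because a reported prompt means the first factor was already good, which is why the response is a password reset and token revocation rather than simply dismissing the prompt. The riskEventType value "userReportedSuspiciousActivity" is an assumption to confirm against the riskEventType enum in your tenant; both record lists are constructed sample data in the shape of Graph riskDetections and signIns objects.

```python
"""Added example, not from the Microsoft docs page or Microsoft's own tooling:
triage "report suspicious activity" events by joining each Identity Protection
risk detection to the sign-in whose MFA prompt the user reported.

Assumptions: detections have the shape of Graph /identityProtection/riskDetections
objects and use riskEventType "userReportedSuspiciousActivity" (enum value
assumed; confirm it in your tenant), sign-ins have the shape of
/auditLogs/signIns objects, and both lists below are constructed sample data.
"""
from datetime import datetime, timedelta

REPORTED = "userReportedSuspiciousActivity"  # assumed riskEventType name

# Constructed risk detections: one user report with a matching sign-in, one
# unrelated detection, and one report whose sign-in is no longer in the log.
DETECTIONS = [
    {"id": "d1", "userId": "u-bob", "userPrincipalName": "bob@contoso.example",
     "riskEventType": REPORTED, "riskLevel": "high", "riskState": "atRisk",
     "activityDateTime": "2023-06-12T10:03:20Z", "ipAddress": "203.0.113.7"},
    {"id": "d2", "userId": "u-eve", "userPrincipalName": "eve@contoso.example",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
     "riskState": "atRisk", "activityDateTime": "2023-06-12T11:00:00Z",
     "ipAddress": "198.51.100.20"},
    {"id": "d3", "userId": "u-dan", "userPrincipalName": "dan@contoso.example",
     "riskEventType": REPORTED, "riskLevel": "high", "riskState": "atRisk",
     "activityDateTime": "2023-06-01T07:30:00Z", "ipAddress": "192.0.2.44"},
]

# Constructed sign-ins. Error 500121 is the code a sign-in carries when the
# strong-authentication step failed or was denied, which is what a prompt the
# user declined looks like in the log.
SIGNINS = [
    {"id": "s1", "userId": "u-bob", "createdDateTime": "2023-06-12T10:02:55Z",
     "ipAddress": "203.0.113.7", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser",
     "location": {"city": "Lagos", "countryOrRegion": "NG"},
     "status": {"errorCode": 500121},
     "mfaDetail": {"authMethod": "Mobile app notification"}},
    {"id": "s2", "userId": "u-bob", "createdDateTime": "2023-06-12T08:00:00Z",
     "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "location": {"city": "Leeds", "countryOrRegion": "GB"},
     "status": {"errorCode": 0},
     "mfaDetail": {"authMethod": "Mobile app notification"}},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_reported_signin(detection, signins, window_minutes=10):
    """Return the sign-in that most plausibly produced the reported prompt:
    same user, started within the window before the report, preferring a
    matching source IP and then the closest timestamp."""
    reported_at = _ts(detection["activityDateTime"])
    earliest = reported_at - timedelta(minutes=window_minutes)
    candidates = [s for s in signins
                  if s["userId"] == detection["userId"]
                  and earliest <= _ts(s["createdDateTime"]) <= reported_at]
    if not candidates:
        return None
    candidates.sort(key=lambda s: (s["ipAddress"] != detection["ipAddress"],
                                   reported_at - _ts(s["createdDateTime"])))
    return candidates[0]


def triage(detections=DETECTIONS, signins=SIGNINS):
    """One triage record per user-reported prompt. MFA only fires after the
    password was accepted, so a reported prompt means the attacker already
    holds a valid password: reset it and revoke tokens, do not just dismiss."""
    records = []
    for d in detections:
        if d["riskEventType"] != REPORTED:
            continue
        s = find_reported_signin(d, signins)
        records.append({
            "user": d["userPrincipalName"],
            "reported_at": d["activityDateTime"],
            "signin_id": s["id"] if s else None,
            "source_ip": s["ipAddress"] if s else d["ipAddress"],
            "country": s["location"]["countryOrRegion"] if s else None,
            "app": s["appDisplayName"] if s else None,
            "password_compromised": True,
            "actions": ["reset password", "revoke refresh tokens",
                        "confirm compromised in Identity Protection"],
        })
    return records


if __name__ == "__main__":
    for r in triage():
        print(r)
```

When the report arrives with no sign-in in the window, as for the third detection, the detection's own ipAddress is still worth blocking at the Conditional Access named-location level while the sign-in logs are searched over a wider range.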

May 2023

General Availability - Conditional Access authentication strength for members, external users and FIDO2 restrictions
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Authentication strength is a Conditional Access control that allows administrators to
specify which combination of authentication methods can be used to access a resource.
For example, they can make only phishing-resistant authentication methods available to
access a sensitive resource. Likewise, to access a nonsensitive resource, they can allow
less secure multifactor authentication (MFA) combinations such as password + SMS.

Authentication strength is now in General Availability for members and external users
from any Microsoft cloud and FIDO2 restrictions. For more information, see: Conditional
Access authentication strength.

General Availability - SAML/Ws-Fed based identity provider authentication for Azure Active Directory B2B users in US Sec and US Nat clouds
Type: New feature
Service category: B2B
Product capability: B2B/B2C

SAML/Ws-Fed based identity providers for authentication in Azure AD B2B are generally
available in US Sec, US Nat and China clouds. For more information, see: Federation with
SAML/WS-Fed identity providers for guest users.

General Availability - Cross-tenant synchronization
Type: New feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

Cross-tenant synchronization allows you to set up a scalable and automated solution for
users to access applications across tenants in your organization. It builds upon the Azure
Active Directory B2B functionality and automates creating, updating, and deleting B2B
users within tenants in your organization. For more information, see: What is cross-
tenant synchronization?.

Public Preview (Refresh) - Custom Extensions in Entitlement Management
Type: New feature
Service category: Entitlement management
Product capability: Identity Governance

Last year we announced the public preview of custom extensions in Entitlement
Management allowing you to automate complex processes when access is requested
or about to expire. We have recently expanded the public preview to allow for the
access package assignment request to be paused while your external process is running.
In addition, the external process can now provide feedback to Entitlement Management
to either surface additional information to end users in MyAccess or even stop the
access request. This expands the scenarios of custom extension from notifications to
additional stakeholders or the generation of tickets to advanced scenarios such as
external governance, risk and compliance checks. In the course of this update, we have
also improved the audit logs, token security and the payload sent to the Logic App. To
learn more about the preview refresh, see:

Trigger Logic Apps with custom extensions in entitlement management (Preview)
accessPackageAssignmentRequest: resume
accessPackageAssignmentWorkflowExtension resource type
accessPackageAssignmentRequestWorkflowExtension resource type

General Availability - Managed Identity in Microsoft Authentication Library for .NET
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

The latest version of MSAL.NET graduates the Managed Identity APIs into the General
Availability mode of support, which means that developers can integrate them safely in
production workloads.

Managed identities are a part of the Azure infrastructure, simplifying how developers
handle credentials and secrets to access cloud resources. With Managed Identities,
developers don't need to manually handle credential retrieval and security. Instead, they
can rely on an automatically managed set of identities to connect to resources that
support Azure Active Directory authentication. You can learn more in What are managed
identities for Azure resources?

With MSAL.NET 4.54.0, the Managed Identity APIs are now stable. There are a few
changes that we added that make them easier to use and integrate that might require
tweaking your code if you've used our experimental implementation:

When using Managed Identity APIs, developers need to specify the identity type
when creating an ManagedIdentityApplication.
When acquiring tokens with Managed Identity APIs and using the default HTTP
client, MSAL retries the request for certain exception codes.
We added a new MsalManagedIdentityException class that represents any
Managed Identity-related exceptions. It includes general exception information,
including the Azure source from which the exception originates.
MSAL will now proactively refresh tokens acquired with Managed Identity.

To get started with Managed Identity in MSAL.NET, you can use the
Microsoft.Identity.Client package together with the ManagedIdentityApplicationBuilder
class.

Public Preview - New My Groups Experience
Type: Changed feature
Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at
myaccount.microsoft.com/groups. This experience replaces the existing My Groups
experience at mygroups.microsoft.com in May. For more information, see: Update your
Groups info in the My Apps portal.

General Availability - Admins can restrict their users from
creating tenants
Type: New feature
Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been
present in Azure AD since almost the beginning of the Azure portal. This new capability
in the User Settings pane allows admins to restrict their users from being able to create
new tenants. There's also a new Tenant Creator role to allow specific users to create
tenants. For more information, see Default user permissions.

General Availability - Devices Self-Help Capability for Pending Devices
Type: New feature
Service category: Device Access Management
Product capability: End User Experiences

In the All Devices view under the Registered column, you can now select any pending
devices you have, and it opens a context pane to help troubleshoot why a device may
be pending. You can also offer feedback on if the summarized information is helpful or
not. For more information, see: Pending devices in Azure Active Directory.

General Availability - Admins can now restrict users from self-service accessing their BitLocker keys
Type: New feature
Service category: Device Access Management
Product capability: User Management

Admins can now restrict their users from self-service accessing their BitLocker keys
through the Devices Settings page. Turning on this capability hides the BitLocker key(s)
of all non-admin users. This helps to control BitLocker access management at the admin
level. For more information, see: Restrict member users' default permissions.

Public Preview - New provisioning connectors in the Azure AD Application Gallery - May 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

Sign In Enterprise Host Provisioning

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

General Availability - Microsoft Entra Permissions Management Azure Active Directory Insights
Type: New feature
Service category: Other
Product capability: Permissions Management

The Azure Active Directory Insights tab in Microsoft Entra Permissions Management
provides a view of all permanent role assignments assigned to Global Administrators,
and a curated list of highly privileged roles. Administrators can then use the report to
take further action within the Azure Active Directory console. For more information, see
View privileged role assignments in your organization (Preview).

Public Preview - In portal guide to configure multi-factor authentication
Type: New feature
Service category: MFA
Product capability: Identity Security & Protection

The in portal guide to configure multi-factor authentication helps you get started with
Azure Active Directory's MFA capabilities. You can find this guide under the Tutorials tab
in the Azure AD Overview. For more information, see: Configure multi-factor
authentication using the portal guide.

General Availability - Authenticator Lite (In Outlook)
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator Lite (in Outlook) is an authentication solution for users that haven't yet
downloaded the Microsoft Authenticator app. Users are prompted in Outlook on their
mobile device to register for multi-factor authentication. After they enter their password
at sign-in, they'll have the option to send a push notification to their Android or iOS
device.

Due to the security enhancement this feature provides users, the Microsoft managed
value of this feature will be changed from ‘disabled’ to ‘enabled’ on June 9. We’ve made
some changes to the feature configuration, so if you made an update before GA, May
17, please validate that the feature is in the correct state for your tenant prior to June 9.
If you don't wish for this feature to be enabled on June 9, move the state to ‘disabled’, or
set users to include and exclude groups.

For more information, see: How to enable Microsoft Authenticator Lite for Outlook
mobile (preview).

General Availability - PowerShell and Web Services connector support through the Azure AD provisioning agent
Type: New feature
Service category: Provisioning
Product capability: Outbound to On-premises Applications

The Azure AD on-premises application provisioning feature now supports both the
PowerShell and web services connectors. You can now provision users into a flat file
using the PowerShell connector, or into an app such as SAP ECC using the web services
connector. For more information, see: Provisioning users into applications using
PowerShell.

General Availability - Verified threat actor IP sign-in detection
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection
Identity Protection has added a new detection, using the Microsoft Threat Intelligence
database, to detect sign-ins performed from IP addresses of known nation state and
cyber-crime actors and allow customers to block these sign-ins by using risk-based
Conditional Access policies. For more information, see: Sign-in risk.

General Availability - Conditional Access Granular control for external user types
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

When configuring a Conditional Access policy, customers now have granular control
over the types of external users they want to apply the policy to. External users are
categorized based on how they authenticate (internally or externally) and their
relationship to your organization (guest or member). For more information, see:
Assigning Conditional Access policies to external user types.

General Availability - New Federated Apps available in Azure AD Application gallery - May 2023
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2023 we added the following 51 new applications in our App gallery with
Federation support

INEXTRACK, Valotalive Digital Signage Microsoft 365 integration, Tailscale, MANTL,
ServusConnect, Jigx MS Graph Demonstrator, Delivery Solutions, Radiant IOT Portal,
Cosgrid Networks, voya SSO, Redocly, Glaass Pro, TalentLyftOIDC, Cisco Expressway,
IBM TRIRIGA on Cloud, Avionte Bold SAML Federated SSO, InspectNTrack, CAREERSHIP,
Cisco Unity Connection, HSC-Buddy, teamecho, Uni-tel A/S, AskFora, Enterprise Bot,
CMD+CTRL Base Camp, Debitia Collections, EnergyManager, Visual Workforce, Uplifter,
AI2, TES Cloud, VEDA Cloud, SOC SST, Alchemer, Cleanmail Swiss, WOX, WATS,
Data Quality Assistant, Softdrive, Fluence Portal, Humbol, Document360,
Engage by Local Measure, Gate Property Management Software, Locus,
Banyan Infrastructure, Proactis Rego Invoice Capture, SecureTransport, Recnice

You can also find the documentation for all of these applications at
https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at
https://aka.ms/AzureADAppRequest.

General Availability - My Security-info now shows Microsoft Authenticator type
Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection

We have improved My Sign-ins and My Security-Info to give you more clarity on the
types of Microsoft Authenticator or other Authenticator apps a user has registered.
Users will now see Microsoft Authenticator registrations with additional information
showing the app as being registered as Push-based MFA or Password-less phone sign-in
(PSI) and for other Authenticator apps (Software OATH) we now indicate they're
registered as a Time-based One-time password method. For more information, see: Set
up the Microsoft Authenticator app as your verification method .

April 2023

Public Preview - Custom attributes for Azure Active Directory Domain Services
Type: New feature
Service category: Azure Active Directory Domain Services
Product capability: Azure Active Directory Domain Services

Azure Active Directory Domain Services will now support synchronizing custom
attributes from Azure AD for on-premises accounts. For more information, see: Custom
attributes for Azure Active Directory Domain Services.

General Availability - Enablement of combined security information registration for MFA and self-service password reset (SSPR)
Type: New feature
Service category: MFA
Product capability: Identity Security & Protection

Last year we announced the combined registration user experience for MFA and self-
service password reset (SSPR) was rolling out as the default experience for all
organizations. We're happy to announce that the combined security information
registration experience is now fully rolled out. This change doesn't affect tenants located
in the China region. For more information, see: Combined security information
registration for Azure Active Directory overview.

General Availability - System preferred MFA method
Type: Changed feature
Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Currently, organizations and users rely on a range of authentication methods, each
offering varying degrees of security. While Multifactor Authentication (MFA) is crucial,
some MFA methods are more secure than others. Despite having access to more secure
MFA options, users frequently choose less secure methods for various reasons.

To address this challenge, we're introducing a new system-preferred authentication
method for MFA. When users sign in, the system will determine and display the most
secure MFA method that the user has registered. This prompts users to switch from the
default method to the most secure option. While users may still choose a different MFA
method, they'll always be prompted to use the most secure method first for every
session that requires MFA. For more information, see: System-preferred multifactor
authentication - Authentication methods policy.

General Availability - PIM alert: Alert on active-
permanent role assignments in Azure or assignments
made outside of PIM
Type: Fixed
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Alert on Azure subscription role assignments made outside of Privileged Identity
Management (PIM) provides an alert in PIM for Azure subscription assignments made
outside of PIM. An owner or User Access Administrator can take a quick remediation
action to remove those assignments.

Public Preview - Enhanced Create User and Invite User Experiences
Type: Changed feature
Service category: User Management
Product capability: User Management

We have increased the number of properties that admins are able to define when
creating and inviting a user in the Entra admin portal. This brings our UX to parity with
our Create User APIs. Additionally, admins can now add users to a group or
administrative unit, and assign roles. For more information, see: How to create, invite,
and delete users.

Public Preview - Azure AD Conditional Access protected actions
Type: Changed feature
Service category: RBAC
Product capability: Access Control

The protected actions public preview introduces the ability to apply Conditional Access
to select permissions. When a user performs a protected action, they must satisfy
Conditional Access policy requirements. For more information, see: What are protected
actions in Azure AD? (preview).

Public Preview - Token Protection for Sign-in Sessions
Type: New feature
Service category: Conditional Access
Product capability: User Authentication

Token Protection for sign-in sessions is our first release on a road-map to combat
attacks involving token theft and replay. It provides Conditional Access enforcement of
token proof-of-possession for supported clients and services that ensure that access to
specified resources is only from a device to which the user has signed in. For more
information, see: Conditional Access: Token protection (preview).

General Availability - New limits on number and size of group secrets starting June 2023
Type: Plan for change
Service category: Group Management
Product capability: Directory

Starting in June 2023, the secrets stored on a single group can't exceed 48 individual
secrets, or have a total size greater than 10 KB across all secrets on a single group.
Groups with more than 10 KB of secrets will immediately stop working in June 2023. In
June, groups exceeding 48 secrets are unable to increase the number of secrets they
have, though they may still update or delete those secrets. We highly recommend
reducing to fewer than 48 secrets by January 2024.

Group secrets are typically created when a group is assigned credentials to an app using
Password-based single sign-on. To reduce the number of secrets assigned to a group,
we recommend creating additional groups, and splitting up group assignments to your
Password-based SSO applications across those new groups. For more information, see:
Add password-based single sign-on to an application.

Public Preview - Authenticator Lite in Outlook
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator Lite is an additional surface for Azure Active Directory users to complete
multifactor authentication using push notifications on their Android or iOS device. With
Authenticator Lite, users can satisfy a multifactor authentication requirement from the
convenience of a familiar app. Authenticator Lite is currently enabled in the Outlook
mobile app. Users may receive a notification in their Outlook mobile app to approve or
deny, or use the Outlook app to generate an OATH verification code that can be entered
during sign-in. The 'Microsoft managed' setting for this feature will be set to be enabled
on May 26, 2023. This enables the feature for all users in tenants where the feature is set
to Microsoft managed. If you wish to change the state of this feature, please do so
before May 26, 2023. For more information, see: How to enable Microsoft Authenticator
Lite for Outlook mobile (preview).

General Availability - Updated look and feel for Per-user MFA
Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

As part of ongoing service improvements, we're making updates to the per-user MFA
admin configuration experience to align with the look and feel of Azure. This change
doesn't include any changes to the core functionality and will only include visual
improvements. For more information, see: Enable per-user Azure AD Multi-Factor
Authentication to secure sign-in events.

General Availability - Additional terms of use audit logs will be turned off
Type: Fixed
Service category: Terms of Use
Product capability: AuthZ/Access Delegation

Due to a technical issue, we have recently started to emit additional audit logs for terms
of use. The additional audit logs will be turned off by May 1 and are tagged with the
core directory service and the agreement category. If you have built a dependency on
the additional audit logs, you must switch to the regular audit logs tagged with the
terms of use service.

General Availability - New Federated Apps available in Azure AD Application gallery -
April 2023
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In April 2023 we've added the following 10 new applications in our App gallery with
Federation support:

iTel Alert, goFLUENT, StructureFlow, StructureFlow AU, StructureFlow CA,
StructureFlow EU, StructureFlow USA, Predict360 SSO, Cegid Cloud, HashiCorp
Cloud Platform (HCP), O'Reilly learning platform, LeftClick Web Services – RoomGuide,
LeftClick Web Services – Sharepoint, LeftClick Web Services – Presence, LeftClick
Web Services - Single Sign-On, InterPrice Technologies, WiggleDesk SSO,
Application Experience with Mist, Connect Plans 360, Proactis Rego Source-to-Contract,
Danomics, Fountain, Theom, DDC Web, Dozuki.

You can also find the documentation of all the applications from here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here:
https://aka.ms/AzureADAppRequest

Public Preview - New provisioning connectors in the Azure AD Application Gallery - April
2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

Alvao
Better Stack
BIS
Connecter
Howspace
Kno2fy
Netsparker Enterprise
uniFLOW Online

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

Public Preview - New PIM Azure resource picker
Type: Changed feature
Service category: Privileged Identity Management
Product capability: End User Experiences

With this new experience, PIM now automatically manages any type of resource in a
tenant, so discovery and activation is no longer required. With the new resource picker,
users can directly choose the scope they want to manage from the Management Group
down to the resources themselves, making it faster and easier to locate the resources
they need to administer. For more information, see: Assign Azure resource roles in
Privileged Identity Management.

General availability - Self Service Password Reset (SSPR) now supports PIM eligible users
and indirect group role assignment
Type: Changed feature
Service category: Self Service Password Reset
Product capability: Identity Security & Protection

Self Service Password Reset (SSPR) can now check for PIM eligible users, and evaluate
group-based memberships along with direct memberships when checking whether a user is
in a particular administrator role. This capability provides more accurate SSPR policy
enforcement by validating whether users are in scope for the default SSPR admin policy or
your organization's SSPR user policy.

For more information, see:

Administrator reset policy differences.
Create a role-assignable group in Azure Active Directory

March 2023

Public Preview - New provisioning connectors in the Azure AD Application Gallery - March
2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

Acunetix 360
Akamai Enterprise Application Access
Ardoq
Torii

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

General Availability - Workload identity Federation for Managed Identities
Type: New feature
Service category: Managed identities for Azure resources
Product capability: Developer Experience

Workload Identity Federation enables developers to use managed identities for their
software workloads running anywhere and access Azure resources without needing
secrets. Key scenarios include:

Accessing Azure resources from Kubernetes pods running in any cloud or on-premises
GitHub workflows to deploy to Azure, no secrets necessary
Accessing Azure resources from other cloud platforms that support OIDC, such as
Google Cloud Platform.

For more information, see:

Workload identity federation.
Configure a user-assigned managed identity to trust an external identity provider
(preview)
Use Azure AD workload identity with Azure Kubernetes Service (AKS)

Public Preview - New My Groups Experience
Type: Changed feature
Service category: Group Management
Product capability: End User Experiences

A new and improved My Groups experience is now available at
https://www.myaccount.microsoft.com/groups. My Groups enables end users to easily
manage groups, such as finding groups to join, managing groups they own, and
managing existing group memberships. Based on customer feedback, the new My
Groups support sorting and filtering on lists of groups and group members, a full list of
group members in large groups, and an actionable overview page for membership
requests. This experience replaces the existing My Groups experience at
https://www.mygroups.microsoft.com in May.

For more information, see: Update your Groups info in the My Apps portal.

Public preview - Customize tokens with Custom Claims Providers
Type: New feature
Service category: Authentications (Logins)
Product capability: Extensibility

A custom claims provider lets you call an API and map custom claims into the token
during the authentication flow. The API call is made after the user has completed all
their authentication challenges, and a token is about to be issued to the app. For more
information, see: Custom authentication extensions (preview).

General Availability - Converged Authentication Methods
Type: New feature
Service category: MFA
Product capability: User Authentication

The Converged Authentication Methods Policy enables you to manage all authentication
methods used for MFA and SSPR in one policy, migrate off the legacy MFA and SSPR
policies, and target authentication methods to groups of users instead of enabling them
for all users in your tenant. For more information, see: Manage authentication methods.

General Availability - Provisioning Insights Workbook
Type: New feature
Service category: Provisioning
Product capability: Monitoring & Reporting

This new workbook makes it easier to investigate and gain insights into your
provisioning workflows in a given tenant. This includes HR-driven provisioning, cloud
sync, app provisioning, and cross-tenant sync.

Some key questions this workbook can help answer are:

How many identities have been synced in a given time range?
How many create, delete, update, or other operations were performed?
How many operations were successful, skipped, or failed?
What specific identities failed? And what step did they fail on?
For any given user, what tenants / applications were they provisioned or
deprovisioned to?

For more information, see: Provisioning insights workbook.

General Availability - Number Matching for Microsoft Authenticator notifications
Type: Plan for Change
Service category: Microsoft Authenticator App
Product capability: User Authentication

Microsoft Authenticator app’s number matching feature has been Generally Available
since Nov 2022! If you haven't already used the rollout controls (via Azure portal Admin
UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft
Authenticator push notifications, we highly encourage you to do so. We previously
announced that we'll remove the admin controls and enforce the number match
experience tenant-wide for all users of Microsoft Authenticator push notifications
starting February 27, 2023. After listening to customers, we'll extend the availability of
the rollout controls for a few more weeks. Organizations can continue to use the
existing rollout controls until May 8, 2023, to deploy number matching in their
organizations. Microsoft services will start enforcing the number matching experience
for all users of Microsoft Authenticator push notifications after May 8, 2023. We'll also
remove the rollout controls for number matching after that date.

If customers don’t enable number match for all Microsoft Authenticator push
notifications prior to May 8, 2023, Authenticator users may experience inconsistent sign-
ins while the services are rolling out this change. To ensure consistent behavior for all
users, we highly recommend you enable number match for Microsoft Authenticator
push notifications in advance.

For more information, see: How to use number matching in multifactor authentication
(MFA) notifications - Authentication methods policy

Public Preview - IPv6 coming to Azure AD
Type: Plan for Change
Service category: Identity Protection
Product capability: Platform

Earlier, we announced our plan to bring IPv6 support to Microsoft Azure Active Directory
(Azure AD), enabling our customers to reach the Azure AD services over IPv4, IPv6 or
dual stack endpoints. This is just a reminder that we have started introducing IPv6
support into Azure AD services in a phased approach in late March 2023.

If you utilize Conditional Access or Identity Protection, and have IPv6 enabled on any of
your devices, you likely must take action to avoid impacting your users. For most
customers, IPv4 won't completely disappear from their digital landscape, so we aren't
planning to require IPv6 or to deprioritize IPv4 in any Azure AD features or services. We
continue to share additional guidance on IPv6 enablement in Azure AD at this link: IPv6
support in Azure Active Directory.

General Availability - Microsoft cloud settings for Azure AD B2B
Type: New feature
Service category: B2B
Product capability: B2B/B2C

Microsoft cloud settings let you collaborate with organizations from different Microsoft
Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration
between the following clouds:

Microsoft Azure commercial and Microsoft Azure Government
Microsoft Azure commercial and Microsoft Azure operated by 21Vianet

For more information about Microsoft cloud settings for B2B collaboration, see
Microsoft cloud settings.

Modernizing Terms of Use Experiences
Type: Plan for Change
Service category: Terms of use
Product capability: AuthZ/Access Delegation

Starting July 2023, we're modernizing the following Terms of Use end user experiences
with an updated PDF viewer, and moving the experiences from
https://account.activedirectory.windowsazure.com to
https://myaccount.microsoft.com:

View previously accepted terms of use.
Accept or decline terms of use as part of the sign-in flow.

No functionalities are removed. The new PDF viewer adds functionality and the limited
visual changes in the end-user experiences will be communicated in a future update. If
your organization has allow-listed only certain domains, you must ensure your allowlist
includes the domains ‘myaccount.microsoft.com’ and ‘*.myaccount.microsoft.com’ for
Terms of Use to continue working as expected.

February 2023

General Availability - Expanding Privileged Identity Management Role Activation across
the Azure portal
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management (PIM) role activation has been expanded to the Billing
and AD extensions in the Azure portal. Shortcuts have been added to Subscriptions
(billing) and Access Control (AD) to allow users to activate PIM roles directly from these
settings. From the Subscriptions settings, select View eligible subscriptions in the
horizontal command menu to check your eligible, active, and expired assignments. From
there, you can activate an eligible assignment in the same pane. In Access control (IAM)
for a resource, you can now select View my access to see your currently active and
eligible role assignments and activate directly. By integrating PIM capabilities into
different Azure portal blades, this new feature allows users to gain temporary access to
view or edit subscriptions and resources more easily.

For more information, see: Activate my Azure resource roles in Privileged Identity
Management.

General Availability - Follow Azure AD best practices with recommendations
Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD recommendations help you improve your tenant posture by surfacing
opportunities to implement best practices. On a daily basis, Azure AD analyzes the
configuration of your tenant. During this analysis, Azure AD compares the data of a
recommendation with the actual configuration of your tenant. If a recommendation is
flagged as applicable to your tenant, the recommendation appears in the
Recommendations section of the Azure AD Overview.

This release includes our first 3 recommendations:

Convert from per-user MFA to Conditional Access MFA
Migrate applications from AD FS to Azure AD
Minimize MFA prompts from known devices

For more information, see:

What are Azure Active Directory recommendations?
Use the Azure AD recommendations API to implement Azure AD best practices for
your tenant

Public Preview - Azure AD PIM + Conditional Access integration
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Now you can require users who are eligible for a role to satisfy Conditional Access policy
requirements for activation: use a specific authentication method enforced through
Authentication Strengths, activate from an Intune compliant device, comply with Terms of
Use, use third-party MFA, and satisfy location requirements.

For more information, see: Configure Azure AD role settings in Privileged Identity
Management.

General Availability - More information on why a sign-in was flagged as "unfamiliar"
Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

The Unfamiliar sign-in properties risk detection now provides risk reasons stating which
properties are unfamiliar, so customers can better investigate that risk.
Identity Protection now surfaces the unfamiliar properties in the Azure portal UX and
in the API as Additional Info, with a user-friendly description explaining which
properties are unfamiliar for this sign-in of the given user.

There's no additional work to enable this feature; the unfamiliar properties are shown by
default. For more information, see: Sign-in risk.

General Availability - New Federated Apps available in Azure AD Application gallery -
February 2023
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2023 we've added the following 10 new applications in our App gallery with
Federation support:

PROCAS, Tanium Cloud SSO, LeanDNA, CalendarAnything LWC, courses.work,
Udemy Business SAML, Canva, Kno2fy, IT-Conductor, ナレッジワーク(Knowledge Work),
Valotalive Digital Signage Microsoft 365 integration, Priority Matrix HIPAA, Priority
Matrix Government, Beable, Grain, DojoNavi, Global Validity Access Manager,
FieldEquip, Peoplevine, Respondent, WebTMA, ClearIP, Pennylane, VsimpleSSO,
Compliance Genie, Dataminr Corporate, Talon.

You can also find the documentation of all the applications from here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here:
https://aka.ms/AzureADAppRequest

Public Preview - New provisioning connectors in the Azure AD Application Gallery -
February 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

Atmos

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

What's deprecated in Azure Active Directory?
Article • 06/01/2023

The lifecycle of functionality, features, and services is governed by policy, support
timelines, data, and leadership and engineering team decisions. Lifecycle information
lets customers plan long-term deployment aspects predictably, transition from
outdated to new technology, and improve business outcomes. Use the definitions
below to understand the following table of change information about Azure Active
Directory (Azure AD) features, services, and functionality.

Get notified about when to revisit this page for updates by copying and pasting this
URL into your feed reader:
https://learn.microsoft.com/api/search/rss?search=%22What's+deprecated+in+Azure+Active+Directory%22&locale=en-us

Upcoming changes
Use the following table to learn about changes including deprecations, retirements,
breaking changes and rebranding. Also find key dates and recommendations.

Note

Dates and times are United States Pacific Standard Time, and are subject to change.

Functionality, feature, or service | Change | Change date
System-preferred authentication methods | Feature change | Sometime after GA
Azure AD Graph API | Start of phased retirement | Jul 2023
Terms of Use experience | Feature change | Jul 2023
Azure AD PowerShell and MSOnline PowerShell | Deprecation | Mar 30, 2024
Azure AD MFA Server | Retirement | Sep 30, 2024
Legacy MFA & SSPR policy | Retirement | Sep 30, 2024
'Require approved client app' Conditional Access Grant | Retirement | Mar 31, 2026

Past changes

Functionality, feature, or service | Change | Change date
Azure AD Authentication Library (ADAL) | Retirement | Jun 30, 2023
My Apps improvements | Feature change | Jun 30, 2023
Microsoft Authenticator Lite for Outlook mobile | Feature change | Jun 9, 2023
My Groups experience | Feature change | May 2023
My Apps browser extension | Feature change | May 2023
Microsoft Authenticator app Number matching | Feature change | May 8, 2023
Azure AD Domain Services virtual network deployments | Retirement | Mar 1, 2023
License management API, PowerShell | Retirement | *Mar 31, 2023

* The legacy license management API and PowerShell cmdlets won't work for new
tenants created after Nov 1, 2022.

Important

Later versions of functionality, features, and services might not meet current
security requirements. Microsoft may be unable to provide security updates for
older products.

See the following two sections for definitions of categories, change state, etc.

Deprecation, retirement, breaking change, feature change, and rebranding

Use the definitions in this section to help clarify the state, availability, and support of
features, services, and functionality.

Category | Definition | Communication schedule
Retirement | Signals retirement of a feature, capability, or product in a specified period. Customers can't adopt the service or feature, and engineering investments are reduced. Later, the feature reaches end-of-life and is unavailable to any customer. | Two times per year: March and September
Breaking change | A change that might break the customer or partner experience if action isn't taken, or a change made, for continued operation. | Four times per year: March, June, September, and December
Feature change | Change to an existing Identity feature that requires no customer action, but is noticeable to them. Typically, these changes are in the user interface/user experience (UI/UX). | Four times per year: March, June, September, and December

Terminology
End-of-life - engineering investments have ended, and the feature is unavailable to
any customer

Next steps
What's new in Azure Active Directory?

Resources
Microsoft Entra Change Announcement blog
Devices: End-of-life management and recycling
What's new in Azure Active Directory Sovereign Clouds?
Article • 07/20/2023

Azure AD receives improvements on an ongoing basis. To stay up to date with the most
recent developments, this article provides you with information about:

Azure Government

This page updates monthly, so revisit it regularly. If you're looking for items older than
six months, you can find them in Archive for What's new in Sovereign Clouds.

June 2023

General Availability - Apply RegEx Replace to groups claim content
Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Today, when group claims are added to tokens, Azure Active Directory attempts to
include all of the groups the user is a member of. In larger organizations where users are
members of hundreds of groups, this can often exceed the limits of what can go in the
token. This feature enables more customers to connect their apps to Azure Active
Directory by making connections easier and more robust through automation of the
application's creation process. Specifically, it allows the set of groups included in the
token to be limited to only those that are assigned to the application. For more
information, see: Regex-based claims transformation.

General Availability - Azure Active Directory SSO integration with Cisco Unified
Communications Manager
Type: New feature
Service category: Enterprise Apps
Product capability: Platform

Cisco Unified Communications Manager (Unified CM) provides reliable, secure, scalable,
and manageable call control and session management. When you integrate Cisco
Unified Communications Manager with Azure Active Directory, you can:

Control in Azure Active Directory who has access to Cisco Unified Communications
Manager.
Enable your users to be automatically signed-in to Cisco Unified Communications
Manager with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.

For more information, see: Azure Active Directory SSO integration with Cisco Unified
Communications Manager.

General Availability - Number Matching for Microsoft Authenticator notifications
Type: Plan for Change
Service category: Microsoft Authenticator App
Product capability: User Authentication

Microsoft Authenticator app’s number matching feature has been Generally Available
since Nov 2022! If you haven't already used the rollout controls (via Azure portal Admin
UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft
Authenticator push notifications, we highly encourage you to do so. We previously
announced that we'll remove the admin controls and enforce the number match
experience tenant-wide for all users of Microsoft Authenticator push notifications
starting February 27, 2023. After listening to customers, we'll extend the availability of
the rollout controls for a few more weeks. Organizations can continue to use the
existing rollout controls until May 8, 2023, to deploy number matching in their
organizations. Microsoft services will start enforcing the number matching experience
for all users of Microsoft Authenticator push notifications after May 8, 2023. We'll also
remove the rollout controls for number matching after that date.

If customers don’t enable number match for all Microsoft Authenticator push
notifications prior to May 8, 2023, Authenticator users may experience inconsistent sign-
ins while the services are rolling out this change. To ensure consistent behavior for all
users, we highly recommend you enable number match for Microsoft Authenticator
push notifications in advance.

For more information, see: How to use number matching in multifactor authentication
(MFA) notifications - Authentication methods policy

May 2023

General Availability - Admins can now restrict users from self-service accessing their
BitLocker keys
Type: New feature
Service category: Device Access Management
Product capability: User Management

Admins can now restrict their users from self-service accessing their BitLocker keys
through the Devices Settings page. Turning on this capability hides the BitLocker key(s)
of all non-admin users. This helps to control BitLocker access management at the admin
level. For more information, see: Restrict member users' default permissions.

General Availability - Admins can restrict their users from creating tenants
Type: New feature
Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been
present in Azure AD since almost the beginning of the Azure portal. This new capability
in the User Settings pane allows admins to restrict their users from being able to create
new tenants. There's also a new Tenant Creator role to allow specific users to create
tenants. For more information, see Default user permissions.

General Availability - My Apps new app discovery view
Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

My Apps has been updated to a new app discovery view that is more accessible and
responsive. With the new app discovery view, users can:

Customize their view by choosing between different layouts
Launch apps faster
Drag and drop apps to reorder and move
Add sites directly from the home screen

For more information, see My Apps portal overview.

General Availability - Number Matching for Microsoft Authenticator notifications
Type: Plan for Change
Service category: Microsoft Authenticator App
Product capability: User Authentication

Microsoft Authenticator app’s number matching feature has been Generally Available
since Nov 2022! If you haven't already used the rollout controls (via Azure portal Admin
UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft
Authenticator push notifications, we highly encourage you to do so. We previously
announced that we'll remove the admin controls and enforce the number match
experience tenant-wide for all users of Microsoft Authenticator push notifications
starting February 27, 2023. After listening to customers, we'll extend the availability of
the rollout controls for a few more weeks. Organizations can continue to use the
existing rollout controls until May 8, 2023, to deploy number matching in their
organizations. Microsoft services will start enforcing the number matching experience
for all users of Microsoft Authenticator push notifications after May 8, 2023. We'll also
remove the rollout controls for number matching after that date.

If customers don’t enable number match for all Microsoft Authenticator push
notifications prior to May 8, 2023, Authenticator users may experience inconsistent sign-
ins while the services are rolling out this change. To ensure consistent behavior for all
users, we highly recommend you enable number match for Microsoft Authenticator
push notifications in advance.

For more information, see: How to use number matching in multifactor authentication
(MFA) notifications - Authentication methods policy

General Availability - System preferred MFA method


Type: Changed feature
Service category: Authentications (Logins)
Product capability: Identity Security & Protection

Currently, organizations and users rely on a range of authentication methods, each
offering varying degrees of security. While Multifactor Authentication (MFA) is crucial,
some MFA methods are more secure than others. Despite having access to more secure
MFA options, users frequently choose less secure methods for various reasons.

To address this challenge, we're introducing a new system-preferred authentication
method for MFA. When users sign in, the system will determine and display the most
secure MFA method that the user has registered. This prompts users to switch from the
default method to the most secure option. While users may still choose a different MFA
method, they'll always be prompted to use the most secure method first for every
session that requires MFA. For more information, see: System-preferred multifactor
authentication - Authentication methods policy.
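The selection rule above can be modelled directly. The following is an added example, not code from this page or from Microsoft: given a user's registered methods in the shape returned by the Microsoft Graph call GET /users/{id}/authentication/methods, it picks the strongest registered second factor in the documented system-preferred order (Temporary Access Pass, then FIDO2, Authenticator notification, TOTP, telephony; certificate-based authentication has no registered-method object in Graph and so cannot appear) and lists the users who would still be prompted with SMS or voice because they have registered nothing stronger. The sample responses, user names and IDs are constructed; only the @odata.type field of each method is used.

```python
# Strongest-first ordering of prompted second factors, per the system-preferred
# MFA documentation. Certificate-based authentication has no registered-method
# object in Graph, so it cannot be represented here. Any other @odata.type
# (password, e-mail, Windows Hello for Business) is not a prompted second factor
# and is ignored.
STRENGTH_ORDER = [
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
]
TELEPHONY = "#microsoft.graph.phoneAuthenticationMethod"


def preferred_method(methods_response):
    """Pick the strongest registered second factor, or None if there is none.

    methods_response is the JSON body of GET /users/{id}/authentication/methods;
    only the @odata.type of each entry in its 'value' array is consulted.
    """
    registered = {m.get("@odata.type") for m in methods_response.get("value", [])}
    for method_type in STRENGTH_ORDER:
        if method_type in registered:
            return method_type
    return None


def telephony_only(methods_response):
    """True when SMS/voice is the best this user can be prompted with."""
    return preferred_method(methods_response) == TELEPHONY


def users_to_upgrade(users):
    """Given {upn: methods_response}, list users who will still be prompted with
    telephony under system-preferred MFA because nothing stronger is registered.
    These are the candidates for a registration campaign."""
    return sorted(upn for upn, resp in users.items() if telephony_only(resp))


# Constructed sample responses; user names, IDs, device names and numbers are made up.
SAMPLE_USERS = {
    "alice@contoso.example": {"value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "m-001"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "m-002",
         "phoneType": "mobile", "phoneNumber": "+1 5555550100", "smsSignInState": "notSupported"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
         "id": "m-003", "displayName": "Pixel 7"},
    ]},
    "bob@contoso.example": {"value": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "m-004"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "m-005",
         "phoneType": "mobile", "phoneNumber": "+1 5555550101", "smsSignInState": "notSupported"},
    ]},
    "carol@contoso.example": {"value": [
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "m-006",
         "model": "YubiKey 5"},
        {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod", "id": "m-007"},
    ]},
}

if __name__ == "__main__":
    for upn, resp in SAMPLE_USERS.items():
        print(upn, "->", preferred_method(resp))
    print("still on telephony:", users_to_upgrade(SAMPLE_USERS))
```

Run against real data, the same functions take the paged output of the Graph call per user; the point of the triage list is that system-preferred MFA can only raise a user's prompt to the strongest method they have actually registered, so users on telephony alone gain nothing until they register Authenticator or a FIDO2 key.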

General Availability - Azure Active Directory Identity Protection Leaked credentials
detection B2C and AlternateLoginID support
Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Azure Active Directory Identity Protection "Leaked Credentials" detection is now enabled
in Azure Active Directory B2C. In addition, the detection now fully supports leaked
credential matching based on AlternateLoginID, providing customers with more robust
and comprehensive protection.

April 2023

General Availability - Azure Active Directory Domain Services: Trusts for User Forests
Type: New feature
Service category: Azure Active Directory Domain Services
Product capability: Azure Active Directory Domain Services

You can now create trusts on both user and resource forests. On-premises Active
Directory DS users can't authenticate to resources in the Azure Active Directory DS
resource forest until you create an outbound trust to your on-premises Active Directory
DS. An outbound trust requires network connectivity between your on-premises network
and the virtual network in which you have installed Azure AD Domain Services. On a user
forest, trusts can be created for on-premises Active Directory forests that aren't
synchronized to Azure Active Directory DS.

For more information, see: How trust relationships work for forests in Active Directory.

General Availability - Azure AD SCIM Validator Tool
Type: New feature
Service category: Provisioning
Product capability: Developer Experience

Azure Active Directory SCIM validator will enable you to test your server for
compatibility with the Azure Active Directory SCIM client. For more information, see:
Tutorial: Validate a SCIM endpoint.

General Availability - Enablement of combined security information registration for
MFA and self-service password reset (SSPR)
Type: New feature
Service category: MFA
Product capability: Identity Security & Protection

Last year we announced the combined registration user experience for MFA and self-
service password reset (SSPR) was rolling out as the default experience for all
organizations. We're happy to announce that the combined security information
registration experience is now fully rolled out. This change doesn't affect tenants located
in the China region. For more information, see: Combined security information
registration for Azure Active Directory overview.

General Availability - Devices settings Self-Help Capability for Pending Devices
Type: New feature
Service category: Device Registration and Management
Product capability: End User Experiences

In the All Devices settings under the Registered column, you can now select any
pending devices you have, and it opens a context pane to help troubleshoot why a
device may be pending. You can also offer feedback on if the summarized information is
helpful or not. For more information, see Pending devices in Azure Active Directory.

General availability - Consolidated App launcher (My Apps) settings and new preview
settings
Type: New feature
Service category: My Apps
Product capability: End User Experiences

We have consolidated relevant app launcher settings in a new App launchers section in
the Azure and Entra portals. The entry point can be found under Enterprise applications,
where Collections used to be. You can find the Collections option by selecting App
launchers. In addition, we've added a new App launchers Settings option. This option
has some settings you may already be familiar with like the Microsoft 365 settings. The
new Settings options also have controls for previews. As an admin, you can choose to
try out new app launcher features while they are in preview. Enabling a preview feature
means that the feature turns on for your organization. This enabled feature reflects in
the My Apps portal, and other app launchers for all of your users. To learn more about
the preview settings, see: End-user experiences for applications.

General Availability - RBAC: Delegated app registration management using custom roles
Type: New feature
Service category: RBAC
Product capability: Access Control

Custom roles give you fine-grained control over what access your admins have. This
release of custom roles includes the ability to delegate management of app registrations
and enterprise apps. For more information, see: Overview of role-based access control in
Azure Active Directory.

March 2023

General Availability - Provisioning Insights Workbook
Type: New feature
Service category: Provisioning
Product capability: Monitoring & Reporting

This new workbook makes it easier to investigate and gain insights into your
provisioning workflows in a given tenant. This includes HR-driven provisioning, cloud
sync, app provisioning, and cross-tenant sync.

Some key questions this workbook can help answer are:

How many identities have been synced in a given time range?
How many create, delete, update, or other operations were performed?
How many operations were successful, skipped, or failed?
What specific identities failed? And what step did they fail on?
For any given user, what tenants / applications were they provisioned or
deprovisioned to?

For more information, see: Provisioning insights workbook.

General Availability - Follow Azure Active Directory best practices with
recommendations
Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure Active Directory recommendations help you improve your tenant posture by
surfacing opportunities to implement best practices. On a daily basis, Azure AD analyzes
the configuration of your tenant. During this analysis, Azure Active Directory compares
the data of a recommendation with the actual configuration of your tenant. If a
recommendation is flagged as applicable to your tenant, the recommendation appears
in the Recommendations section of the Azure Active Directory Overview.

This release includes our first three recommendations:

Convert from per-user MFA to Conditional Access MFA
Migrate applications from AD FS to Azure Active Directory
Minimize MFA prompts from known devices

We're developing more recommendations, so stay tuned!

For more information, see:

What are Azure Active Directory recommendations?
Use the Azure AD recommendations API to implement Azure AD best practices for
your tenant

General Availability - Improvements to Azure Active Directory Smart Lockout
Type: Changed feature
Service category: Other
Product capability: User Management

With a recent improvement, Smart Lockout now synchronizes the lockout state across
Azure Active Directory data centers, so the total number of failed sign-in attempts
allowed before an account is locked will match the configured lockout threshold.

For more information, see: Protect user accounts from attacks with Azure Active
Directory smart lockout.

General Availability - MFA events from AD FS and NPS adapter available in Sign-in logs
Type: Changed feature
Service category: MFA
Product capability: Identity Security & Protection

Customers with cloud MFA activity from the AD FS adapter or the NPS extension can now
see these events in the sign-in logs, rather than in the legacy multifactor
authentication activity report. Not all attributes in the sign-in logs are populated for
these events, because the on-premises components supply limited data. Customers with
AD FS using Azure AD Connect Health, and customers using NPS with the latest NPS
extension installed, will have a richer set of data in the events.

For more information, see: Protect user accounts from attacks with Azure Active
Directory smart lockout.

February 2023

General Availability - Filter and transform group names in token claims configuration
using regular expression
Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Many application configurations on AD FS and other IdPs rely on the ability to create
authorization claims based on the content of group names, using regular expression
functions in the claim rules. Azure AD now has the capability to use a regular expression
match-and-replace function to create claim content based on the group's
onPremisesSamAccountName. This lets those applications be moved to Azure AD for
authentication using the same group management patterns. For more information, see:
Configure group claims for applications by using Azure Active Directory.

General Availability - Filter groups in tokens using a substring match
Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Azure AD now has the capability to filter the groups included in the token using
substring match on the display name or onPremisesSAMAccountName attributes of the
group object. Only Groups the user is a member of will be included in the token. This
was a blocker for some of our customers to migrate their apps from ADFS to Azure AD.
This feature unblocks those challenges.

For more information, see:

Group Filter.
Configure group claims for applications by using Azure Active Directory.

General Availability - New SSO claims transformation features
Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Azure AD now supports claims transformations on multi-valued attributes and can emit
multi-valued claims. It also adds more match and string functions to claims processing
so that apps can be migrated from other IdPs to Azure AD, including: Match on Empty(),
NotEmpty(), Prefix(), Suffix(), and extract-substring operators. For more information,
see: Claims mapping policy type.
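The three February entries above describe one pipeline from an application's point of view: filter the user's groups by a substring on displayName or onPremisesSamAccountName, rewrite the surviving names with a regex match-and-replace, and apply match operators to the resulting multi-valued claim. The following is an added example that models that pipeline in Python; it is not code from this page or from Microsoft. The group list is constructed, the replacement syntax is Python's re module (the portal's own replacement syntax is assumed to differ), and the Empty/NotEmpty/Prefix/Suffix/extract helpers model behaviour rather than the claims-mapping policy grammar.

```python
import re

# Constructed sample: the groups one user is a member of, shaped like Azure AD
# group objects. IDs and names are made up. The last group is cloud-only, so it
# has no onPremisesSamAccountName and can never satisfy a SAM-name filter.
USER_GROUPS = [
    {"id": "9d3f0f1a-0000-4000-8000-000000000001", "displayName": "Finance Users",
     "onPremisesSamAccountName": "APP_SAP_FI_USERS"},
    {"id": "9d3f0f1a-0000-4000-8000-000000000002", "displayName": "SAP Administrators",
     "onPremisesSamAccountName": "APP_SAP_ADMINS"},
    {"id": "9d3f0f1a-0000-4000-8000-000000000003", "displayName": "All Staff",
     "onPremisesSamAccountName": "ALL_STAFF"},
    {"id": "9d3f0f1a-0000-4000-8000-000000000004", "displayName": "Cloud-only SAP Readers",
     "onPremisesSamAccountName": None},
]


def filter_groups(groups, attribute, contains):
    """Substring filter on displayName or onPremisesSamAccountName.

    Only groups the user is actually a member of are considered (the caller
    passes the membership list), and groups lacking the attribute are dropped.
    """
    return [g for g in groups if g.get(attribute) and contains in g[attribute]]


def regex_replace(values, pattern, replacement):
    """Regex match-and-replace over group names.

    Names that do not match the pattern are dropped, not passed through, so the
    application only ever receives claim values in the shape it expects.
    Replacement uses Python re syntax (\\g<name>); the portal's replacement
    syntax is assumed to differ.
    """
    compiled = re.compile(pattern)
    return [compiled.sub(replacement, v) for v in values if compiled.fullmatch(v)]


def group_claim(groups, attribute="onPremisesSamAccountName",
                contains=None, pattern=None, replacement=None):
    """Build the multi-valued 'groups' claim: optional substring filter, then
    optional regex transform."""
    selected = (filter_groups(groups, attribute, contains) if contains
                else [g for g in groups if g.get(attribute)])
    values = [g[attribute] for g in selected]
    if pattern is not None:
        values = regex_replace(values, pattern, replacement)
    return values


# Behavioural models of the Empty / NotEmpty / Prefix / Suffix / extract-substring
# operators on a multi-valued claim. Illustrative helpers, not the policy grammar.
def is_empty(values):
    return len(values) == 0


def not_empty(values):
    return len(values) > 0


def with_prefix(values, prefix):
    return [v for v in values if v.startswith(prefix)]


def with_suffix(values, suffix):
    return [v for v in values if v.endswith(suffix)]


def extract_between(values, start, end):
    """Substring between two markers, per value; values missing a marker are skipped."""
    out = []
    for v in values:
        i = v.find(start)
        j = v.find(end, i + len(start)) if i >= 0 else -1
        if i >= 0 and j >= 0:
            out.append(v[i + len(start):j])
    return out


def build_token_claims(groups):
    """What an app migrated from AD FS might expect: SAP groups only, renamed to
    the 'SAP-<ROLE>' form its old claim rules produced, plus a derived admin flag."""
    roles = group_claim(groups, contains="APP_SAP_",
                        pattern=r"APP_SAP_(?P<role>[A-Z_]+)",
                        replacement=r"SAP-\g<role>")
    claims = {"groups": roles}
    if not_empty(with_suffix(roles, "ADMINS")):
        claims["sap_admin"] = "true"
    return claims


if __name__ == "__main__":
    print(build_token_claims(USER_GROUPS))
    # {'groups': ['SAP-FI_USERS', 'SAP-ADMINS'], 'sap_admin': 'true'}
```

Two details are worth carrying into the real configuration: the filter runs before the regex, so a name that survives the substring match but fails the pattern is dropped rather than emitted raw, and cloud-only groups never reach an onPremisesSamAccountName-based rule at all, which is a common surprise when an app's authorization was built on on-premises naming conventions.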

General Availability - New Detection for Service Principal Behavior Anomalies
Type: New feature
Service category: Access Reviews
Product capability: Identity Security & Protection

Post-authentication anomalous activity detection for workload identities. This detection
focuses specifically on detection of post authenticated anomalous behavior performed
by a workload identity (service principal). Post-authentication behavior is assessed for
anomalies based on an action and/or sequence of actions occurring for the account.
Based on the scoring of anomalies identified, the offline detection may score the
account as low, medium, or high risk. The risk allocation from the offline detection will
be available within the Risky workload identities reporting settings. A new detection
type identified as Anomalous service principal activity appears in filter options. For more
information, see: Securing workload identities.

General Availability - Microsoft cloud settings for Azure AD B2B
Type: New feature
Service category: B2B
Product capability: B2B/B2C

Microsoft cloud settings let you collaborate with organizations from different Microsoft
Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration
between the following clouds:

Microsoft Azure commercial and Microsoft Azure Government
Microsoft Azure commercial and Microsoft Azure operated by 21Vianet

For more information about Microsoft cloud settings for B2B collaboration, see:
Microsoft cloud settings.

Public Preview - Support for Directory Extensions using Azure AD cloud sync
Type: New feature
Service category: Provisioning
Product capability: Azure AD Connect Cloud Sync

Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions
using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover
the schema for both Active Directory and Azure AD, allowing customers to map the
needed attributes using Cloud Sync's attribute mapping experience.

For more information on how to enable this feature, see: Cloud Sync directory
extensions and custom attribute mapping.

General Availability - On-premises application provisioning
Type: Changed feature
Service category: Provisioning
Product capability: Outbound to On-premises Applications

Azure AD supports provisioning users into applications hosted on-premises or in a
virtual machine, without having to open up any firewalls. If your application supports
SCIM, or you've built a SCIM gateway to connect to your legacy application, you can
use the Azure AD Provisioning agent to directly connect with your application and
automate provisioning and deprovisioning. If you have legacy applications that don't
support SCIM and rely on an LDAP user store, or a SQL database, Azure AD can support
those as well.

January 2023

General Availability - Azure AD Domain Services: Deeper Insights
Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Now within the Azure portal you have access to view key data for your Azure AD-DS
Domain Controllers such as: LDAP Searches/sec, Total Query Received/sec, DNS Total
Response Sent/sec, LDAP Successful Binds/sec, memory usage, processor time, Kerberos
Authentications, and NTLM Authentications. For more information, see: Check fleet
metrics of Azure Active Directory Domain Services.

General Availability - Add multiple domains to the same SAML/WS-Fed based identity
provider configuration for your external users
Type: New feature
Service category: B2B
Product capability: B2B/B2C

An IT admin can now add multiple domains to a single SAML/WS-Fed identity provider
configuration to invite users from multiple domains to authenticate from the same
identity provider endpoint. For more information, see: Federation with SAML/WS-Fed
identity providers for guest users.

General Availability - New risk in Identity Protection: Anomalous user activity
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

This risk detection baselines normal administrative user behavior in Azure AD, and spots
anomalous patterns of behavior like suspicious changes to the directory. The detection
is triggered against the administrator making the change or the object that was
changed. For more information, see: User-linked detections.

General Availability - Administrative unit support for devices
Type: New feature
Service category: Directory Management
Product capability: AuthZ/Access Delegation

You can now use administrative units to delegate management of specified devices in
your tenant by adding devices to an administrative unit, and assigning built-in and
custom device management roles scoped to that administrative unit. For more
information, see: Device management.

General Availability - Azure AD Terms of Use (ToU) API
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

The agreement resource type represents a tenant's customizable terms of use agreement
that is created and managed with Azure Active Directory (Azure AD). You can use the
Microsoft Graph agreement API to create and manage Terms of Use agreements according
to your scenario. For more information, see: agreement resource type.

Next steps
What's new in Azure Active Directory?
Archive for What's new in Azure Active Directory?
Archive for What's new in Azure Active Directory?
Article • 07/19/2023

The primary What's new in Azure Active Directory? release notes article contains
updates for the last six months, while this article contains Information up to 18 months.

The What's new in Azure Active Directory? release notes provide information about:

The latest releases
Known issues
Bug fixes
Deprecated functionality
Plans for changes

January 2023

Public Preview - Cross-tenant synchronization
Type: New feature
Service category: Provisioning
Product capability: Collaboration

Cross-tenant synchronization allows you to set up a scalable and automated solution for
users to access applications across tenants in your organization. It builds upon the Azure
AD B2B functionality and automates creating, updating, and deleting B2B users. For
more information, see: What is cross-tenant synchronization? (preview).

General Availability - New Federated Apps available in Azure AD Application gallery -
January 2023
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2023 we've added the following 10 new applications in our App gallery with
Federation support:
MINT TMS, Exterro Legal GRC Software Platform, SIX.ONE Identity Access Manager,
Lusha, Descartes, Travel Management System, Pinpoint (SAML), my.sdworx.com, itopia
Labs, Better Stack.

You can also find the documentation of all the applications from here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here:
https://aka.ms/AzureADAppRequest

Public Preview - New provisioning connectors in the Azure AD Application Gallery -
January 2023
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

SurveyMonkey Enterprise

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

Public Preview - Azure AD cloud sync new user experience
Type: Changed feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Governance

Try out the new guided experience for syncing objects from AD to Azure AD using Azure
AD Cloud Sync in the Azure portal. With this new experience, Hybrid Identity
Administrators can easily determine which sync engine to use for their scenarios and
learn more about the various options they have with our sync solutions. With a rich set
of tutorials and videos, customers are able to learn everything about Azure AD cloud
sync in one single place.

This experience walks administrators through the different steps involved in setting up
a cloud sync configuration, and gives them an intuitive experience for managing it.
Admins can also get insights into their sync configuration by using the "Insights" option,
which integrates with Azure Monitor and Workbooks.

For more information, see:

Create a new configuration for Azure AD Connect cloud sync
Attribute mapping in Azure AD Connect cloud sync
Azure AD cloud sync insights workbook

Public Preview - Support for Directory Extensions using Azure AD cloud sync
Type: New feature
Service category: Provisioning
Product capability: Azure AD Connect Cloud Sync

Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions
using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover
the schema for both Active Directory and Azure AD, allowing customers to map the
needed attributes using Cloud Sync's attribute mapping experience.

For more information on how to enable this feature, see: Cloud Sync directory
extensions and custom attribute mapping

December 2022

Public Preview - Windows 10+ Troubleshooter for Diagnostic Logs
Type: New feature
Service category: Audit
Product capability: Monitoring & Reporting

This feature analyzes uploaded client-side logs, also known as diagnostic logs, from a
Windows 10+ device that is having an issue, and suggests remediation steps to resolve
it. Admins can work with the end user to collect client-side logs, and then upload them
to this troubleshooter in the Entra portal. For more information, see:
Troubleshooting Windows devices in Azure AD.

General Availability - Multiple Password-less Phone Sign-ins for iOS Devices
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

End users can now enable password-less phone sign-in for multiple accounts in the
Authenticator App on any supported iOS device. Consultants, students, and others with
multiple accounts in Azure AD can add each account to Microsoft Authenticator and use
password-less phone sign-in for all of them from the same iOS device. The Azure AD
accounts can be in the same tenant or different tenants. Guest accounts aren't
supported for multiple account sign-ins from one device.

End users aren't required to enable the optional telemetry setting in the Authenticator
App. For more information, see: Enable passwordless sign-in with Microsoft
Authenticator.

Public Preview (refresh) - Updates to Conditional Access templates
Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access templates provide a convenient method to deploy new policies
aligned with Microsoft recommendations. In total, there are 14 Conditional Access policy
templates, filtered by five different scenarios: secure foundation, zero trust, remote work,
protect administrators, and emerging threats.

In this Public Preview refresh, we've enhanced the user experience with an updated
design and added four new improvements:

Admins can create a Conditional Access policy by importing a JSON file.
Admins can duplicate existing policy.
Admins can view more detailed policy information.
Admins can query templates programmatically via MSGraph API.

For more information, see: Conditional Access templates (Preview).
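Importing a policy from JSON is also the moment to check it, because a policy file exported from another tenant carries server-populated fields, is usually still in the enabled state, and knows nothing about this tenant's emergency-access accounts. The following is an added example, not code from this page or from Microsoft: a small pre-import lint and fix-up over a policy in the shape of the Microsoft Graph conditionalAccessPolicy resource, which is the shape the JSON import uses. The sample policy, the emergency-access object ID and the id/timestamp values are constructed; only the Global Administrator role template ID is real.

```python
import copy

# Constructed sample of a policy file in the shape of the Microsoft Graph
# conditionalAccessPolicy resource, as it looks when exported from another
# tenant. The Global Administrator role template ID is real; all other
# identifiers and timestamps are made up.
EXPORTED_POLICY = {
    "id": "0f2a9c4e-0000-4000-8000-0000000000aa",
    "createdDateTime": "2023-01-10T09:00:00Z",
    "modifiedDateTime": None,
    "displayName": "CA001: Require MFA for administrators",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": [], "excludeUsers": [],
            "includeGroups": [], "excludeGroups": [],
            "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
            "excludeRoles": [],
        },
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Object IDs of this tenant's emergency-access (break-glass) accounts. Constructed.
BREAK_GLASS_IDS = ["7b1d2f30-0000-4000-8000-0000000000bb"]

# Populated by the service on read; not part of a policy you create.
READ_ONLY_FIELDS = ("id", "createdDateTime", "modifiedDateTime")


def lint_policy(policy, break_glass_ids):
    """Findings for a policy about to be imported. An empty list means go ahead."""
    findings = []
    for field in READ_ONLY_FIELDS:
        if field in policy:
            findings.append(f"strip server-populated field '{field}' before POST")
    if policy.get("state") == "enabled":
        findings.append("import as enabledForReportingButNotEnforced and review sign-in logs first")
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    missing = sorted(set(break_glass_ids) - set(users.get("excludeUsers", [])))
    if missing:
        findings.append(f"emergency-access accounts not excluded: {missing}")
    grant = policy.get("grantControls") or {}
    if not grant and not policy.get("sessionControls"):
        findings.append("no grant or session controls; the policy does nothing")
    if ("block" in grant.get("builtInControls", [])
            and "All" in users.get("includeUsers", [])
            and "All" in conditions.get("applications", {}).get("includeApplications", [])):
        findings.append("blocks all users on all applications; confirm this is intended")
    return findings


def prepare_for_import(policy, break_glass_ids):
    """Request body for POST /identity/conditionalAccess/policies: server fields
    removed, emergency-access accounts excluded, and state forced to report-only
    so the sign-in logs show the policy's impact before it is enforced."""
    body = copy.deepcopy(policy)
    for field in READ_ONLY_FIELDS:
        body.pop(field, None)
    body["state"] = "enabledForReportingButNotEnforced"
    users = body.setdefault("conditions", {}).setdefault("users", {})
    excluded = users.setdefault("excludeUsers", [])
    for uid in break_glass_ids:
        if uid not in excluded:
            excluded.append(uid)
    return body


if __name__ == "__main__":
    for finding in lint_policy(EXPORTED_POLICY, BREAK_GLASS_IDS):
        print("-", finding)
    ready = prepare_for_import(EXPORTED_POLICY, BREAK_GLASS_IDS)
    print("findings after preparation:", lint_policy(ready, BREAK_GLASS_IDS))
```

The report-only step is the one that protects you: a policy requiring MFA for every Global Administrator is exactly the kind that locks the tenant's only admins out when the MFA registration they rely on is missing, and the sign-in logs show that outcome under report-only without anyone being blocked.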

Public Preview - Admins can restrict their users from creating tenants
Type: New feature
Service category: User Access Management
Product capability: User Management

The ability for users to create tenants from the Manage Tenant overview has been
present in Azure AD since almost the beginning of the Azure portal. This new capability
in the User Settings option allows admins to restrict their users from being able to
create new tenants. There's also a new Tenant Creator role to allow specific users to
create tenants. For more information, see Default user permissions.
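The tenant-creation switch described here (and in the June entry earlier on this page) is one of several default user permissions that live in the tenant's authorization policy. The following is an added example, not code from this page or from Microsoft: it audits a policy object in the shape returned by GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy for permissive defaults, builds the corresponding PATCH body, and previews the merged result so it can be verified before sending. The sample policy is constructed; the guestUserRoleId values are the well-known IDs for the "same as member users" and "limited access" guest roles.

```python
import copy

# Constructed sample in the shape of
# GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
# for a tenant with several permissive settings left in place. Values are
# illustrative, not a real tenant.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "allowInvitesFrom": "everyone",
    "allowUserConsentForRiskyApps": False,
    "blockMsolPowerShell": False,
    "guestUserRoleId": "a0b1b346-4d3e-4e8b-98f8-753987be4970",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToCreateTenants": True,
        "allowedToReadOtherUsers": True,
    },
}

# Well-known guestUserRoleId values.
GUEST_SAME_AS_MEMBER = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
GUEST_LIMITED = "10dae51f-b6af-4016-8d66-8c2a99b929b3"

# (path into the policy, permissive value, hardened value, why it matters)
CHECKS = [
    (("defaultUserRolePermissions", "allowedToCreateTenants"), True, False,
     "any member can create tenants outside your governance; assign the Tenant Creator role instead"),
    (("defaultUserRolePermissions", "allowedToCreateApps"), True, False,
     "any member can register applications and add credentials to them"),
    (("defaultUserRolePermissions", "allowedToCreateSecurityGroups"), True, False,
     "any member can create security groups that may be referenced in access decisions"),
    (("allowInvitesFrom",), "everyone", "adminsAndGuestInviters",
     "any member, including guests, can invite external users"),
    (("guestUserRoleId",), GUEST_SAME_AS_MEMBER, GUEST_LIMITED,
     "guests can enumerate users, groups and other directory objects like members"),
    (("blockMsolPowerShell",), False, True,
     "legacy MSOnline PowerShell access is still allowed"),
]


def get_path(policy, path):
    """Walk a nested dict by key path; None when any key is absent."""
    node = policy
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit(policy):
    """Return (setting, reason) for every permissive setting found."""
    return [(".".join(path), why)
            for path, permissive, _, why in CHECKS
            if get_path(policy, path) == permissive]


def hardening_patch(policy):
    """Minimal body for PATCH /policies/authorizationPolicy fixing every finding."""
    patch = {}
    for path, permissive, hardened, _ in CHECKS:
        if get_path(policy, path) != permissive:
            continue
        node = patch
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = hardened
    return patch


def apply_patch(policy, patch):
    """Merge a PATCH body into a copy of the policy to preview the end state."""
    result = copy.deepcopy(policy)

    def merge(dst, src):
        for key, value in src.items():
            if isinstance(value, dict) and isinstance(dst.get(key), dict):
                merge(dst[key], value)
            else:
                dst[key] = value

    merge(result, patch)
    return result


if __name__ == "__main__":
    for setting, why in audit(SAMPLE_POLICY):
        print(f"{setting}: {why}")
    print(hardening_patch(SAMPLE_POLICY))
```

After sending the patch, read the policy back with the same GET and run audit() on the response rather than trusting the local preview; allowedToReadOtherUsers is deliberately left alone because turning it off breaks people pickers and other directory lookups across Microsoft 365.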

General availability - Consolidated App launcher (My Apps) settings and new preview
settings
Type: New feature
Service category: My Apps
Product capability: End User Experiences

We have consolidated relevant app launcher settings in a new App launchers section in
the Azure and Entra portals. The entry point can be found under Enterprise applications,
where Collections used to be. You can find the Collections option by selecting App
launchers. In addition, we've added a new App launchers Settings option. This option
has some settings you may already be familiar with like the Microsoft 365 settings. The
new Settings options also have controls for previews. As an admin, you can choose to
try out new app launcher features while they are in preview. Enabling a preview feature
means that the feature turns on for your organization. This enabled feature reflects in
the My Apps portal, and other app launchers for all of your users. To learn more about
the preview settings, see: End-user experiences for applications.

Public preview - Converged Authentication Methods Policy
Type: New feature
Service category: MFA
Product capability: User Authentication

The Converged Authentication Methods Policy enables you to manage all authentication
methods used for MFA and SSPR in one policy. You can migrate off the legacy MFA and
SSPR policies, and target authentication methods to groups of users instead of enabling
them for all users in the tenant. For more information, see: Manage authentication
methods for Azure AD.

General Availability - Administrative unit support for devices
Type: New feature
Service category: Directory Management
Product capability: AuthZ/Access Delegation

You can now use administrative units to delegate management of specified devices in
your tenant by adding devices to an administrative unit. You're also able to assign built-
in, and custom device management roles, scoped to that administrative unit. For more
information, see: Device management.

Public Preview - Frontline workers using shared devices can now use Microsoft Edge and
Yammer apps on Android
Type: New feature
Service category: N/A
Product capability: SSO

Companies often provide mobile devices to frontline workers that are shared between
shifts. Microsoft's shared device mode allows frontline workers to authenticate easily by
automatically signing users in and out of all the apps that have enabled this feature. In
addition to Microsoft Teams and Managed Home Screen being generally available, we're
excited to announce that the Microsoft Edge and Yammer apps on Android are now in
Public Preview.

For more information on deploying frontline solutions, see: frontline deployment
documentation.

For more information on shared-device mode, see: Azure Active Directory Shared Device
Mode documentation.

For steps to set up shared device mode with Intune, see: Intune setup blog .

Public preview - New provisioning connectors in the Azure AD Application Gallery -
December 2022
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

GHAE

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

General Availability - On-premises application provisioning
Type: Changed feature
Service category: Provisioning
Product capability: Outbound to On-premises Applications

Azure AD supports provisioning users into applications hosted on-premises or in a
virtual machine, without having to open up any firewalls. If your application supports
SCIM, or you've built a SCIM gateway to connect to your legacy application, you can
use the Azure AD Provisioning agent to directly connect with your application and
automate provisioning and deprovisioning. If you have legacy applications that don't
support SCIM and rely on an LDAP user store, or a SQL database, Azure AD can support
those as well.

General Availability - New Federated Apps available in Azure AD Application gallery -
December 2022
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In December 2022 we've added the following 44 new applications in our App gallery
with Federation support:

Bionexo IDM, SMART Meeting Pro, Venafi Control Plane – Datacenter, HighQ,
Drawboard PDF, ETU Skillsims, TencentCloud IDaaS, TeamHeadquarters Email Agent
OAuth, Verizon MDM, QRadar SOAR, Tripwire Enterprise, Cisco Unified
Communications Manager, Howspace, Flipsnack SAML, Albert, Altinget.no, Coveo
Hosted Services, Cybozu(cybozu.com), BombBomb, VMware Identity Service,
HexaSync, Trifecta Teams, VerosoftDesign, Mazepay, Wistia, Begin.AI, WebCE,
Dream Broker Studio, PKSHA Chatbot, PGM-BCP, ChartDesk SSO, Elsevier SP,
GreenCommerce IdentityServer, Fullview, Aqua Platform, SpedTrack, Pinpoint,
Darzin Outlook Add-in, Simply Stakeholders Outlook Add-in, tesma, Parkable, Unite
Us

You can also find the documentation of all the applications from here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here:
https://aka.ms/AzureADAppRequest

Azure Active Directory Authentication Library (ADAL) End of Support Announcement
Type: N/A
Service category: Other
Product capability: Developer Experience

As part of our ongoing initiative to improve the developer experience, service reliability,
and security of customer applications, we're ending support for the Azure Active
Directory Authentication Library (ADAL). The final deadline to migrate your
applications to the Microsoft Authentication Library (MSAL) has been extended to June
30, 2023.

Why are we doing this?

As we consolidate and evolve the Microsoft Identity platform, we're also investing in
making significant improvements to the developer experience and service features that
make it possible to build secure, robust and resilient applications. To make these
features available to our customers, we needed to update the architecture of our
software development kits. As a result of this change, we've decided that the path
forward requires us to sunset ADAL. This allows us to focus our developer experience
investments on MSAL.

What happens?
We recognize that changing libraries isn't an easy task, and can't be accomplished
quickly. We're committed to helping customers plan their migrations to MSAL and
execute them with minimal disruption.

In June 2020, we announced the 2-year end of support timeline for ADAL.
In December 2022, we decided to extend the ADAL end of support to June 2023.
Through the next six months (January 2023 – June 2023) we continue informing
customers about the upcoming end of support along with providing guidance on
migration.
In June 2023 we'll officially sunset ADAL, removing library documentation and
archiving all GitHub repositories related to the project.

How to find out which applications in my tenant are using ADAL?
Refer to our post on Microsoft Q&A for details on identifying ADAL apps with the help
of Azure Workbooks.

If I'm using ADAL, what can I expect after the deadline?
There will be no new releases (security or otherwise) to the library after June 2023.
We won't accept any incident reports or support requests for ADAL. ADAL to MSAL
migration support will continue.
The underpinning services continue working and applications that depend on ADAL
should continue working. Applications, and the resources they access, are at increased
security and reliability risk due to not having the latest updates, service configuration,
and enhancements made available through the Microsoft Identity platform.

What features can I only access with MSAL?
The number of features and capabilities that we're adding to the MSAL libraries is
growing weekly. Some of them include:

Support for Microsoft accounts (MSA)
Support for Azure AD B2C accounts
Handling throttling
Proactive token refresh and token revocation based on policy or critical events for
Microsoft Graph and other APIs that support Continuous Access Evaluation (CAE)
Auth broker support with device-based Conditional Access policies
Azure AD hardware-based certificate authentication (CBA) on mobile
System browsers on mobile devices

And more. For an up-to-date list, refer to our migration guide.

How to migrate?
To make the migration process easier, we published a comprehensive guide that
documents the migration paths across different platforms and programming languages.

In addition to the Microsoft Authentication Library to Microsoft Authentication Library
update, we recommend migrating from Azure AD Graph API to Microsoft Graph. This
change enables you to take advantage of the latest additions and enhancements, such
as CAE, across the Microsoft service offering through a single, unified endpoint. You can
read more in our Migrate your apps from Azure AD Graph to Microsoft Graph guide.
You can post any questions to Microsoft Q&A or Stack Overflow.

November 2022

General Availability - Use Web Sign-in on Windows for password-less recovery with Temporary Access Pass
Type: Changed feature
Service category: N/A
Product capability: User Authentication

The Temporary Access Pass can now be used to recover Azure AD-joined PCs when the
EnableWebSignIn policy is enabled on the device. This is useful for when your users
don't know, or have, a password. For more information, see:
Authentication/EnableWebSignIn.

Public Preview - Workload Identity Federation for Managed Identities
Type: New feature
Service category: Managed identities for Azure resources
Product capability: Developer Experience

Developers can now use managed identities for their software workloads running
anywhere, and for accessing Azure resources, without needing secrets. Key scenarios
include:
Accessing Azure resources from Kubernetes pods running on-premises or in any
cloud.
GitHub workflows to deploy to Azure, no secrets necessary.
Accessing Azure resources from other cloud platforms that support OIDC, such as
Google Cloud.

For more information, see:

Configure a user-assigned managed identity to trust an external identity provider (preview)
Workload identity federation
Use an Azure AD workload identity (preview) on Azure Kubernetes Service (AKS)

General Availability - Authenticator on iOS is FIPS 140 compliant
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator version 6.6.8 and higher on iOS will be FIPS 140 compliant for all Azure
AD authentications using push multi-factor authentications (MFA), Password-less Phone
Sign-In (PSI), and time-based one-time pass-codes (TOTP). No changes in configuration
are required in the Authenticator app or Azure portal to enable this capability. For more
information, see: FIPS 140 compliant for Azure AD authentication.

General Availability - New Federated Apps available in Azure AD Application gallery - November 2022
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2022, we've added the following 22 new applications in our App gallery
with Federation support:

Adstream, Databook, Ecospend IAM, Digital Pigeon, Drawboard Projects, Vellum,
Veracity, Microsoft OneNote to Bloomberg Note Sync, DX NetOps Portal, itslearning
Outlook integration, Tranxfer, Occupop, Nialli Workspace, Tideways, SOWELL,
Prewise Learning, CAPTOR for Intune, wayCloud Platform, Nura Space Meeting
Room, Flexopus Exchange Integration, Ren Systems, Nudge Security

You can also find the documentation of all the applications here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here:
https://aka.ms/AzureADAppRequest

General Availability - New provisioning connectors in the Azure AD Application Gallery - November 2022
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning
support. You can now automate creating, updating, and deleting of user accounts for
these newly integrated apps:

Keepabl
Uber

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

Public Preview - Dynamic Group pause functionality
Type: New feature
Service category: Group Management
Product capability: Directory

Admins can now pause, and resume, the processing of individual dynamic groups in the
Entra Admin Center. For more information, see: Create or update a dynamic group in
Azure Active Directory.

Public Preview - Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities.
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

Update the Azure AD and Microsoft 365 sign-in experience with new company branding
capabilities. You can apply your company’s brand guidance to authentication
experiences with predefined templates. For more information, see: Configure your
company branding.

Public Preview - Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding.
Type: New feature
Service category: Directory Management
Product capability: Directory

Update the company branding functionality on the Azure AD/Microsoft 365 sign-in
experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer
hyperlinks and browser icon. For more information, see: Configure your company
branding.

General Availability - Soft Delete for Administrative Units
Type: New feature
Service category: Directory Management
Product capability: Directory

Administrative Units now support soft deletion. Admins can now list, view properties of,
or restore deleted Administrative Units using the Microsoft Graph. This functionality
restores all configuration for the Administrative Unit when restored from soft delete,
including memberships, admin roles, processing rules, and processing rules state.

This functionality greatly enhances recoverability and resilience when using
Administrative Units. Now, when an Administrative Unit is accidentally deleted, you can
restore it quickly to the same state it was at time of deletion. This removes uncertainty
around configuration and makes restoration quick and easy. For more information, see:
List deletedItems (directory objects).

Public Preview - IPv6 coming to Azure AD
Type: Plan for change
Service category: Identity Protection
Product capability: Platform

With the growing adoption and support of IPv6 across enterprise networks, service
providers, and devices, many customers are wondering if their users can continue to
access their services and applications from IPv6 clients and networks. Today, we’re
excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory
(Azure AD). This allows customers to reach the Azure AD services over both IPv4 and
IPv6 network protocols (dual stack). For most customers, IPv4 won't completely
disappear from their digital landscape, so we aren't planning to require IPv6 or to
deprioritize IPv4 in any Azure Active Directory features or services. We'll begin
introducing IPv6 support into Azure AD services in a phased approach, beginning March
31, 2023. We have guidance that is specifically for Azure AD customers who use IPv6
addresses and also use Named Locations in their Conditional Access policies.

Customers who use named locations to identify specific network boundaries in their
organization need to:

1. Conduct an audit of existing named locations to anticipate potential risk.
2. Work with your network partner to identify egress IPv6 addresses in use in your
environment.
3. Review and update existing named locations to include the identified IPv6 ranges.

Customers who use Conditional Access location based policies to restrict and secure
access to their apps from specific networks need to:

1. Conduct an audit of existing Conditional Access policies to identify use of named
locations as a condition to anticipate potential risk.
2. Review and update existing Conditional Access location based policies to ensure
they continue to meet your organization's security requirements.

We continue to share additional guidance on IPv6 enablement in Azure AD at this link:
https://aka.ms/azureadipv6
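The audit steps above boil down to one question per named location: does it contain any IPv6 prefix at all? A client that reaches Azure AD over IPv6 can never fall inside an IPv4-only range, so a policy that exempts "trusted locations" from MFA, or blocks everything outside selected locations, starts treating those users as unknown the moment dual-stack traffic arrives. The following is an added example (not Microsoft's code or any Azure AD tooling) that runs the check offline against a constructed list of named locations shaped like the Graph ipNamedLocation object; the displayName values and the documentation prefixes (203.0.113.0/24, 198.51.100.0/25, 2001:db8::/32) are assumptions, not a real tenant's egress ranges.

```python
import ipaddress
from copy import deepcopy

# Constructed sample named locations, shaped like the Graph ipNamedLocation
# object (displayName, isTrusted, ipRanges[].cidrAddress). The prefixes are the
# RFC 5737 / RFC 3849 documentation ranges, not a real organization's egress.
NAMED_LOCATIONS = [
    {"displayName": "HQ egress", "isTrusted": True,
     "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]},
    {"displayName": "Branch (dual stack)", "isTrusted": True,
     "ipRanges": [{"cidrAddress": "198.51.100.0/25"},
                  {"cidrAddress": "2001:db8:abcd::/48"}]},
]


def parse_ranges(location):
    """Parse every cidrAddress of a named location into an ip_network."""
    return [ipaddress.ip_network(r["cidrAddress"], strict=False)
            for r in location["ipRanges"]]


def audit_named_locations(locations):
    """Audit step 1: names of locations that define IPv4 ranges but no IPv6
    range. A client arriving over IPv6 can never match one of these."""
    findings = []
    for loc in locations:
        versions = {net.version for net in parse_ranges(loc)}
        if 4 in versions and 6 not in versions:
            findings.append(loc["displayName"])
    return findings


def locations_matching(client_ip, locations):
    """Names of the locations whose ranges contain client_ip. An IPv6 address
    is never contained in an IPv4 network, which is exactly the gap the audit
    is looking for."""
    ip = ipaddress.ip_address(client_ip)
    return [loc["displayName"] for loc in locations
            if any(ip in net for net in parse_ranges(loc))]


def with_ipv6_range(location, cidr):
    """Audit step 3: return a copy of the location with an IPv6 prefix added.
    Refuses anything that is not an IPv6 prefix so a typo cannot silently
    widen an IPv4 range instead."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 6:
        raise ValueError(f"{cidr} is not an IPv6 prefix")
    updated = deepcopy(location)
    updated["ipRanges"].append({"cidrAddress": str(net)})
    return updated


if __name__ == "__main__":
    print("IPv4-only named locations:", audit_named_locations(NAMED_LOCATIONS))
    for ip in ("203.0.113.7", "2001:db8:abcd::10", "2001:db8:1::10"):
        print(ip, "matches", locations_matching(ip, NAMED_LOCATIONS))
```

To run this against a real tenant, replace NAMED_LOCATIONS with the ipNamedLocation objects exported from Microsoft Graph; the network-side input (which IPv6 prefixes your egress actually uses) is audit step 2 and has to come from your network team, not from the directory.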

October 2022

General Availability - Upgrade Azure AD Provisioning agent to the latest version (version number: 1.1.977.0)
Type: Plan for change
Service category: Provisioning
Product capability: Azure AD Connect Cloud Sync

Microsoft stops support for Azure AD provisioning agent with versions 1.1.818.0 and
below starting Feb 1, 2023. If you're using Azure AD cloud sync, make sure you have the
latest version of the agent. You can view info about the agent release history here. You
can download the latest version here.

You can find out which version of the agent you're using as follows:

1. Go to the domain server on which the agent is installed.
2. Right-click the Microsoft Azure AD Connect Provisioning Agent app.
3. Select the "Details" tab; the version number is listed there.

Note

Azure Active Directory (AD) Connect follows the Modern Lifecycle Policy. Changes
for products and services under the Modern Lifecycle Policy may be more frequent
and require customers to be alert for forthcoming modifications to their product or
service. Product governed by the Modern Policy follow a continuous support and
servicing model. Customers must take the latest update to remain supported. For
products and services governed by the Modern Lifecycle Policy, Microsoft's policy is
to provide a minimum 30 days' notification when customers are required to take
action in order to avoid significant degradation to the normal use of the product or
service.

General Availability - Add multiple domains to the same SAML/Ws-Fed based identity provider configuration for your external users
Type: New feature
Service category: B2B
Product capability: B2B/B2C

An IT admin can now add multiple domains to a single SAML/WS-Fed identity provider
configuration to invite users from multiple domains to authenticate from the same
identity provider endpoint. For more information, see: Federation with SAML/WS-Fed
identity providers for guest users.

General Availability - Limits on the number of configured API permissions for an application registration enforced starting in October 2022
Type: Plan for change
Service category: Other
Product capability: Developer Experience

At the end of October, the total number of required permissions for any single
application registration must not exceed 400 permissions across all APIs. Applications
exceeding the limit are unable to increase the number of permissions they have configured.
The existing limit on the number of distinct APIs for which permissions are required remains
unchanged and may not exceed 50 APIs.

In the Azure portal, the required permissions list is under API Permissions within specific
applications in the application registration menu. When using Microsoft Graph or
Microsoft Graph PowerShell, the required permissions list is in the
requiredResourceAccess property of an application entity. For more information, see:
Validation differences by supported account types (signInAudience).
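Both limits can be measured from the requiredResourceAccess property alone: each entry is one resource API, and its resourceAccess array holds that API's permissions. The following is an added example (not Microsoft's code or part of any Graph SDK) that counts them and reports an app registration that is over either limit. The sample application object is constructed; the Microsoft Graph resource app id 00000003-0000-0000-c000-000000000000 is the real well-known value, but every other GUID in it is a placeholder, and make_app generates synthetic registrations so the thresholds can be exercised without a tenant.

```python
from collections import Counter
from uuid import uuid4

# Limits stated in the announcement.
MAX_PERMISSIONS = 400   # total required permissions across all APIs
MAX_APIS = 50           # distinct resource APIs

# Well-known resource app id of Microsoft Graph. The permission ids below are
# constructed placeholders, not real permission GUIDs.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

SAMPLE_APP = {
    "displayName": "Contoso Reporting (constructed sample)",
    "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH_APP_ID,
         "resourceAccess": [
             {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
             {"id": "22222222-2222-2222-2222-222222222222", "type": "Role"},
         ]},
        {"resourceAppId": "33333333-3333-3333-3333-333333333333",
         "resourceAccess": [
             {"id": "44444444-4444-4444-4444-444444444444", "type": "Scope"},
         ]},
    ],
}


def count_required_permissions(app):
    """Return (total permissions, distinct APIs, per-API counter) computed
    from an application object's requiredResourceAccess property."""
    per_api = Counter()
    for entry in app.get("requiredResourceAccess", []):
        per_api[entry["resourceAppId"]] += len(entry.get("resourceAccess", []))
    return sum(per_api.values()), len(per_api), per_api


def check_permission_limits(app, max_permissions=MAX_PERMISSIONS, max_apis=MAX_APIS):
    """Findings for one app registration; an empty list means within limits.
    Both limits are inclusive: exactly 400 permissions or 50 APIs is allowed."""
    total, apis, _ = count_required_permissions(app)
    findings = []
    if total > max_permissions:
        findings.append(f"{total} required permissions exceeds the {max_permissions} limit")
    if apis > max_apis:
        findings.append(f"{apis} distinct APIs exceeds the {max_apis} limit")
    return findings


def make_app(n_apis, perms_per_api):
    """Build a synthetic app with random resource and permission ids so the
    limits can be exercised without a real tenant."""
    return {
        "displayName": f"synthetic-{n_apis}x{perms_per_api}",
        "requiredResourceAccess": [
            {"resourceAppId": str(uuid4()),
             "resourceAccess": [{"id": str(uuid4()), "type": "Scope"}
                                for _ in range(perms_per_api)]}
            for _ in range(n_apis)
        ],
    }


if __name__ == "__main__":
    for app in (SAMPLE_APP, make_app(50, 8), make_app(51, 8)):
        total, apis, _ = count_required_permissions(app)
        print(app["displayName"], total, "permissions across", apis, "APIs:",
              check_permission_limits(app) or "within limits")
```

Feed it the JSON of an application object as returned by GET /applications/{id} (or the equivalent Microsoft Graph PowerShell output); an app that is already over a limit can still be processed, it just cannot grow further, which is what the announcement describes.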

Public Preview - Conditional Access Authentication strengths
Type: New feature
Service category: Conditional Access
Product capability: User Authentication

We're announcing Public preview of Authentication strength, a Conditional Access
control that allows administrators to specify which authentication methods can be used
to access a resource. For more information, see: Conditional Access authentication
strength (preview). You can use custom authentication strengths to restrict access by
requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and
apply this through Conditional Access policies. For more information, see: FIDO2
security key advanced options.

Public Preview - Conditional Access authentication strengths for external identities
Type: New feature
Service category: B2B
Product capability: B2B/B2C

You can now require your business partner (B2B) guests across all Microsoft clouds to
use specific authentication methods to access your resources with Conditional Access
Authentication Strength policies. For more information, see: Conditional Access:
Require an authentication strength for external users.

General Availability - Windows Hello for Business, Cloud Kerberos Trust deployment
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're excited to announce the general availability of hybrid cloud Kerberos trust, a new
Windows Hello for Business deployment model to enable a password-less sign-in
experience. With this new model, we’ve made Windows Hello for Business easier to
deploy than the existing key trust and certificate trust deployment models by removing
the need for maintaining complicated public key infrastructure (PKI), and Azure Active
Directory (AD) Connect synchronization wait times. For more information, see: Hybrid
Cloud Kerberos Trust Deployment.

General Availability - Device-based Conditional Access on Linux Desktops
Type: New feature
Service category: Conditional Access
Product capability: SSO

This feature empowers users on Linux clients to register their devices with Azure AD,
enroll into Intune management, and satisfy device-based Conditional Access policies
when accessing their corporate resources.

Users can register their Linux devices with Azure AD
Users can enroll in Mobile Device Management (Intune), which can be used to
provide compliance decisions based upon policy definitions to allow device based
Conditional Access on Linux Desktops
If compliant, users can use Microsoft Edge Browser to enable Single-Sign on to
M365/Azure resources and satisfy device-based Conditional Access policies.

For more information, see:

Azure AD registered devices
Plan your Azure Active Directory device deployment

General Availability - Deprecation of Azure Active Directory Multi-Factor Authentication.
Type: Deprecated
Service category: MFA
Product capability: Identity Security & Protection

Beginning September 30, 2024, Azure Active Directory Multi-Factor Authentication
Server deployments will no longer service multi-factor authentication (MFA) requests,
which could cause authentications to fail for your organization. To ensure uninterrupted
authentication services, and to remain in a supported state, organizations should
migrate their users’ authentication data to the cloud-based Azure Active Directory
Multi-Factor Authentication service using the latest Migration Utility included in the
most recent Azure Active Directory Multi-Factor Authentication Server update. For more
information, see: Migrate from MFA Server to Azure AD Multi-Factor Authentication.

Public Preview - Lifecycle Workflows is now available
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

We're excited to announce the public preview of Lifecycle Workflows, a new Identity
Governance capability that allows customers to extend the user provisioning process,
and adds enterprise grade user lifecycle management capabilities, in Azure AD to
modernize your identity lifecycle management process. With Lifecycle Workflows, you
can:

Confidently configure and deploy custom workflows to onboard and offboard
cloud employees at scale replacing your manual processes.
Automate out-of-the-box actions critical to required Joiner and Leaver scenarios
and get rich reporting insights.
Extend workflows via Logic Apps integrations with custom tasks extensions for
more complex scenarios.

For more information, see: What are Lifecycle Workflows? (Public Preview).

Public Preview - User-to-Group Affiliation recommendation for group Access Reviews
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

This feature provides Machine Learning based recommendations to the reviewers of
Azure AD Access Reviews to make the review experience easier and more accurate. The
recommendation detects user affiliation with other users within the group, and applies
the scoring mechanism we built by computing the user’s average distance with other
users in the group. For more information, see: Review recommendations for Access
reviews.

General Availability - Group assignment for SuccessFactors Writeback application
Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

When configuring writeback of attributes from Azure AD to SAP SuccessFactors
Employee Central, you can now specify the scope of users using Azure AD group
assignment. For more information, see: Tutorial: Configure attribute write-back from
Azure AD to SAP SuccessFactors.

General Availability - Number Matching for Microsoft Authenticator notifications
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

To prevent accidental notification approvals, admins can now require users to enter the
number displayed on the sign-in screen when approving an MFA notification in the
Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and
Microsoft Graph APIs to make it easier for customers to manage Authenticator app
feature roll-outs. As part of this update we have also added the highly requested ability
for admins to exclude user groups from each feature.

The number matching feature greatly up-levels the security posture of the Microsoft
Authenticator app and protects organizations from MFA fatigue attacks. We highly
encourage our customers to adopt this feature applying the rollout controls we have
built. Number Matching will begin to be enabled for all users of the Microsoft
Authenticator app starting February 27, 2023.

For more information, see: How to use number matching in multifactor authentication
(MFA) notifications - Authentication methods policy.

General Availability - Additional context in Microsoft Authenticator notifications
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Reduce accidental approvals by showing users additional context in Microsoft
Authenticator app notifications. Customers can enhance notifications with the following
steps:

Application Context: This feature shows users which application they're signing
into.
Geographic Location Context: This feature shows users their sign-in location based
on the IP address of the device they're signing into.

The feature is available for both MFA and Password-less Phone Sign-in notifications and
greatly increases the security posture of the Microsoft Authenticator app. We've also
refreshed the Azure portal Admin UX and Microsoft Graph APIs to make it easier for
customers to manage Authenticator app feature roll-outs. As part of this update, we've
also added the highly requested ability for admins to exclude user groups from certain
features.

We highly encourage our customers to adopt these critical security features to reduce
accidental approvals of Authenticator notifications by end users.

For more information, see: How to use additional context in Microsoft Authenticator
notifications - Authentication methods policy.

New Federated Apps available in Azure AD Application gallery - October 2022
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In October 2022 we've added the following 15 new applications in our App gallery with
Federation support:

Unifii, WaitWell Staff App, AuthParency, Oncospark Code Interceptor, Thread
Legal Case Management, e2open CM-Global, OpenText XM Fax and XM SendSecure,
Contentkalender, Evovia, Parmonic, mailto.wiki, JobDiva Azure SSO, Mapiq, IVM
Smarthub, Span.zone – SSO and Read-only, RecruiterPal, Broker groupe Achat
Solutions, Philips SpeechLive, Crayon, Cytric, Notate, ControlDocumentario,
Intuiflow, Valence Security Platform, Skybreathe® Analytics

You can also find the documentation of all the applications here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here:
https://aka.ms/AzureADAppRequest

Public preview - New provisioning connectors in the Azure AD Application Gallery - October 2022
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly
integrated apps:

LawVu

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

September 2022

General Availability - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync
Type: New feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Lifecycle Management

Azure AD Connect Cloud Sync Password writeback now provides customers the ability to
synchronize Azure AD password changes made in the cloud to an on-premises directory
in real time. This can be accomplished using the lightweight Azure AD cloud
provisioning agent. For more information, see: Tutorial: Enable cloud sync self-service
password reset writeback to an on-premises environment.

General Availability - Device-based Conditional Access on Linux Desktops
Type: New feature
Service category: Conditional Access
Product capability: SSO

This feature empowers users on Linux clients to register their devices with Azure AD,
enroll into Intune management, and satisfy device-based Conditional Access policies
when accessing their corporate resources.

Users can register their Linux devices with Azure AD.
Users can enroll in Mobile Device Management (Intune), which can be used to
provide compliance decisions based upon policy definitions to allow device based
Conditional Access on Linux Desktops.
If compliant, users can use Microsoft Edge Browser to enable Single-Sign on to
M365/Azure resources and satisfy device-based Conditional Access policies.

For more information, see:

Azure AD registered devices
Plan your Azure Active Directory device deployment

General Availability - Azure AD SCIM Validator
Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Independent Software Vendors (ISVs) and developers can self-test their SCIM endpoints
for compatibility: we have made it easier for ISVs to validate that their endpoints are
compatible with the SCIM-based Azure AD provisioning services. This is now in general
availability (GA) status.

For more information, see: Tutorial: Validate a SCIM endpoint

General Availability - prevent accidental deletions
Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in any system could be disastrous. We're excited to
announce the general availability of the accidental deletions prevention capability as
part of the Azure AD provisioning service. When the number of deletions to be
processed in a single provisioning cycle spikes above a customer-defined threshold, the
Azure AD provisioning service pauses, provides you with visibility into the potential
deletions, and allows you to accept or reject the deletions. This functionality has
historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's
now available across the various provisioning flows, including both HR-driven
provisioning and application provisioning.

For more information, see: Enable accidental deletions prevention in the Azure AD
provisioning service

General Availability - Identity Protection Anonymous and Malicious IP for ADFS on-premises logins
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection expands its Anonymous and Malicious IP detections to protect ADFS
sign-ins. This automatically applies to all customers who have AD Connect Health
deployed and enabled, and the detections show up as the existing "Anonymous IP" or
"Malicious IP" detections with a token issuer type of "AD Federation Services".

For more information, see: What is risk?

New Federated Apps available in Azure AD Application gallery - September 2022
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2022 we've added the following 15 new applications in our App gallery
with Federation support:

RocketReach SSO, Arena EU, Zola, FourKites SAML2.0 SSO for Tracking, Syniverse
Customer Portal, Rimo, Q Ware CMMS, Mapiq (OIDC), NICE Cxone,
dominKnow|ONE, Waynbo for Azure AD, innDex, Profiler Software, Trotto go
links, AsignetSSOIntegration.

You can also find the documentation of all the applications here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here:
https://aka.ms/AzureADAppRequest

August 2022

General Availability - Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Customers can now require a fresh authentication each time a user performs a certain
action. Forced reauthentication supports requiring a user to reauthenticate during
Intune device enrollment, password change for risky users, and risky sign-ins.

For more information, see: Configure authentication session management with
Conditional Access

General Availability - Multi-Stage Access Reviews
Type: Changed feature
Service category: Access Reviews
Product capability: Identity Governance

Customers can now meet their complex audit and recertification requirements through
multiple stages of reviews. For more information, see: Create a multi-stage access
review.

Public Preview - External user leave settings
Type: New feature
Service category: Enterprise Apps
Product capability: B2B/B2C

Currently, users can self-service leave for an organization without the visibility of their IT
administrators. Some organizations may want more control over this self-service
process.

With this feature, IT administrators can now allow or restrict external identities from
leaving an organization through the Microsoft-provided self-service controls, via Azure
Active Directory in the Microsoft Entra portal. In order to restrict users from leaving an
organization, customers need to include "Global privacy contact" and "Privacy statement
URL" under tenant properties.

A new policy API is available for the administrators to control tenant wide policy:
externalIdentitiesPolicy resource type

For more information, see:

Leave an organization as an external user
Configure external collaboration settings

Public Preview - Restrict self-service BitLocker for devices
Type: New feature
Service category: Device Registration and Management
Product capability: Access Control

In some situations, you may want to restrict the ability for end users to self-service
BitLocker keys. With this new functionality, you can now turn off self-service of BitLocker
keys, so that only specific individuals with right privileges can recover a BitLocker key.

For more information, see: Block users from viewing their BitLocker keys (preview)

Public Preview - Identity Protection Alerts in Microsoft 365 Defender
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection risk detections (alerts) are now also available in Microsoft 365
Defender to provide a unified investigation experience for security professionals. For
more information, see: Investigate alerts in Microsoft 365 Defender

New Federated Apps available in Azure AD Application gallery - August 2022
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In August 2022, we've added the following 40 new applications in our App gallery with
Federation support:

Albourne Castle, Adra by Trintech, workhub, 4DX, Ecospend IAM V1, TigerGraph,
Sketch, Lattice, snapADDY Single Sign On, RELAYTO Content Experience Platform,
oVice, Arena, QReserve, Curator, NetMotion Mobility, HackNotice, ERA_EHS_CORE,
AnyClip Teams Connector, Wiz SSO, Tango Reserve by AgilQuest (EU Instance),
valid8Me, Ahrtemis, KPMG Leasing Tool, Mist Cloud Admin SSO, Work-Happy, Ediwin
SaaS EDI, LUSID, Next Gen Math, Total ID, Cheetah For Benelux, Live Center
Australia, Shop Floor Insight, Warehouse Insight, myAOS, Hero, FigBytes,
VerosoftDesign, ViewpointOne - UK, EyeRate Reviews, Lytx DriveCam

You can also find the documentation of all the applications here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here:
https://aka.ms/AzureADAppRequest

Public preview - New provisioning connectors in the Azure AD Application Gallery - August 2022
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly
integrated apps:

Ideagen Cloud
Lucid (All Products)
Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service
SuccessFactors Writeback
Tableau Cloud

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

General Availability - Workload Identity Federation with App Registrations is available now
Type: New feature
Service category: Other
Product capability: Developer Experience

Entra Workload Identity Federation allows developers to exchange tokens issued by
another identity provider with Azure AD tokens, without needing secrets. It eliminates
the need to store, and manage, credentials inside the code or secret stores to access
Azure AD protected resources such as Azure and Microsoft Graph. By removing the
secrets required to access Azure AD protected resources, workload identity federation
can improve the security posture of your organization. This feature also reduces the
burden of secret management and minimizes the risk of service downtime due to
expired credentials.

For more information on this capability and supported scenarios, see Workload identity
federation.
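What replaces the secret in this exchange is a trust rule: a federated identity credential on the app registration names an issuer, a subject and the audiences it accepts, and an external token is only traded for an Azure AD token when all three match. The following is an added example (not Microsoft's code and not how the service is implemented) that models that decision offline: it mints a stand-in external token, verifies it, and looks for a matching credential shaped like the Graph federatedIdentityCredential object. Assumptions: the token is signed with HS256 and a constructed shared secret purely so the example runs without a key pair (a real provider signs with an asymmetric key published through its JWKS, and the service validates against that); the GitHub Actions issuer URL, the repo:owner/name:ref:refs/heads/branch subject format and the api://AzureADTokenExchange audience are real values, while the repository contoso-sample/webapp and the credential name are made up.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed federated identity credentials, shaped like the Graph
# federatedIdentityCredential object (name, issuer, subject, audiences).
# The issuer URL and subject format are GitHub's; the repository is made up.
FEDERATED_CREDENTIALS = [
    {"name": "github-main-deploy",
     "issuer": "https://token.actions.githubusercontent.com",
     "subject": "repo:contoso-sample/webapp:ref:refs/heads/main",
     "audiences": ["api://AzureADTokenExchange"]},
]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_external_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT standing in for the external provider's token.
    HMAC with a constructed secret is used only so this runs offline; a real
    provider signs with an asymmetric key published via its JWKS document."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_external_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Check structure, signature and expiry before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def match_federated_credential(claims: dict, credentials: list) -> Optional[str]:
    """Name of the credential whose issuer, subject and audience all match the
    token's iss, sub and aud exactly, or None. A token from the same issuer
    for a different branch or repository matches nothing."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    for cred in credentials:
        if (claims.get("iss") == cred["issuer"]
                and claims.get("sub") == cred["subject"]
                and any(a in cred["audiences"] for a in audiences)):
            return cred["name"]
    return None


def exchange_token(token: str, secret: bytes, credentials: list,
                   now: Optional[float] = None) -> str:
    """The decision a token-exchange endpoint makes: which credential, if any,
    allows this external token to be traded for an Azure AD token."""
    claims = verify_external_token(token, secret, now)
    name = match_federated_credential(claims, credentials)
    if name is None:
        raise PermissionError("no federated identity credential matches iss/sub/aud")
    return name


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    claims = {"iss": FEDERATED_CREDENTIALS[0]["issuer"],
              "sub": FEDERATED_CREDENTIALS[0]["subject"],
              "aud": "api://AzureADTokenExchange", "exp": time.time() + 300}
    print("matched credential:",
          exchange_token(make_external_token(claims, secret), secret, FEDERATED_CREDENTIALS))
```

The subject is the part to scrutinize when reviewing a credential: a subject that names a specific branch admits only workflows on that branch, whereas a broader subject admits every job that the issuer is willing to sign a token for.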

Public Preview - Entitlement management automatic assignment policies
Type: Changed feature
Service category: Entitlement Management
Product capability: Identity Governance

In Azure AD entitlement management, a new form of access package assignment policy
is being added. The automatic assignment policy includes a filter rule, similar to a
dynamic group, that specifies the users in the tenant who should have assignments.
When users come into scope of matching that filter rule criteria, an assignment is
automatically created, and when they no longer match, the assignment is removed.

For more information, see: Configure an automatic assignment policy for an access
package in Azure AD entitlement management (Preview).

July 2022

Public Preview - ADFS to Azure AD: SAML App Multi-


Instancing
Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Users can now configure multiple instances of the same application within an Azure AD
tenant. Both identity provider (IdP) initiated and service provider (SP) initiated single
sign-on requests are supported. Each application instance can have a separate service
principal to handle instance-specific claims mapping and role assignment. For more
information, see:

Configure SAML app multi-instancing for an application - Microsoft Entra
Customize app SAML token claims - Microsoft Entra

Public Preview - ADFS to Azure AD: Apply RegEx Replace to groups claim content
Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Until recently, administrators could transform claims using many transformations, but
regular expressions for claims transformation weren't exposed to customers. With this
public preview release, administrators can configure and use regular expressions for
claims transformation in the portal UX. For more information, see: Customize app SAML
token claims - Microsoft Entra.

Public Preview - Azure AD Domain Services - Trusts for User Forests
Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

You can now create trusts on both user and resource forests. On-premises AD DS users
can't authenticate to resources in the Azure AD DS resource forest until you create an
outbound trust to your on-premises AD DS. An outbound trust requires network
connectivity to the on-premises virtual network on which you have installed Azure AD
Domain Services. On a user forest, trusts can be created for on-premises AD forests that
aren't synchronized to Azure AD DS.

To learn more about trusts and how to deploy your own, visit How trust relationships
work for forests in Active Directory.

New Federated Apps available in Azure AD Application gallery - July 2022
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In July 2022 we've added the following 28 new applications in our App gallery with
Federation support:

Lunni Ticket Service, Spring Health, Sorbet, Planview ID, Karbonalpha,
Headspace, SeekOut, Stackby, Infrascale Cloud Backup, Keystone, LMS・教育管理システム
Leaf, ZDiscovery, ラインズeライブラリアドバンス (Lines eLibrary Advance), Rootly,
Articulate 360, Rise.com, SevOne Network Monitoring System (NMS), PGM,
TouchRight Software, Tendium, Training Platform, Znapio, Preset, itslearning MS
Teams sync, Veza.

You can also find the documentation of all the applications here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, please read the details here:
https://aka.ms/AzureADAppRequest

General Availability - No more waiting, provision groups on demand into your SaaS applications.
Type: New feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

Pick a group of up to five members and provision them into your third-party
applications in seconds. Get started testing, troubleshooting, and provisioning to non-
Microsoft applications such as ServiceNow, ZScaler, and Adobe. For more information,
see: On-demand provisioning in Azure Active Directory.

General Availability – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD
Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud
Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for
a federated domain in your Azure AD tenant, it ensures that a compromised federated
account can't bypass Azure AD Multi-Factor Authentication by claiming that multi-factor
authentication has already been performed by the identity provider. The protection can
be enabled via the new security setting, federatedIdpMfaBehavior.

We highly recommend enabling this new protection when using Azure AD Multi-Factor
Authentication as the multi-factor authentication method for your federated users. To
learn more about the protection and how to enable it, visit Enable protection to prevent
by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.

Public preview - New provisioning connectors in the Azure AD Application Gallery - July 2022
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly
integrated apps:

Tableau Cloud

For more information about how to better secure your organization by using automated
user account provisioning, see Automate user provisioning to SaaS applications with
Azure AD.

General Availability - Tenant-based service outage notifications
Type: New feature
Service category: Other
Product capability: Platform

Azure Service Health supports service outage notifications to Tenant Admins for Azure
Active Directory issues. These outages also appear on the Azure portal Overview page
with links to Azure Service Health. Outage events can be seen by built-in Tenant
Administrator roles. We'll continue to send outage notifications to subscriptions within a
tenant during the transition. More information is available at: What are Service Health
notifications in Azure Active Directory?

Public Preview - Multiple Passwordless Phone sign-in Accounts for iOS devices
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

End users can now enable passwordless phone sign-in for multiple accounts in the
Authenticator App on any supported iOS device. Consultants, students, and others with
multiple accounts in Azure AD can add each account to Microsoft Authenticator and use
passwordless phone sign-in for all of them from the same iOS device. The Azure AD
accounts can be in either the same, or different, tenants. Guest accounts aren't
supported for multiple account sign-ins from one device.

End users are encouraged to enable the optional telemetry setting in the Authenticator
App, if they haven't done so already. For more information, see: Enable passwordless
sign-in with Microsoft Authenticator.

Public Preview - Azure AD Domain Services - Fine Grain Permissions
Type: Changed feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Previously, to set up and administer your Azure AD DS instance, you needed the top-level
permissions of Azure Contributor and Azure AD Global Administrator. Now, for both
initial creation and ongoing administration, you can use more fine-grained permissions
for enhanced security and control. The prerequisites now minimally require:

You need the Application Administrator and Groups Administrator Azure AD roles in
your tenant to enable Azure AD DS.
You need the Domain Services Contributor Azure role to create the required Azure AD
DS resources.

Check out these resources to learn more:

Tutorial - Create an Azure Active Directory Domain Services managed domain
Least privileged roles by task
Azure built-in roles - Azure RBAC

General Availability - Azure AD Connect update release with new functionality and bug fixes
Type: Changed feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

A new Azure AD Connect release fixes several bugs and includes new functionality. This
release is also available for auto upgrade for eligible servers. For more information, see:
Azure AD Connect: Version release history.

General Availability - Cross-tenant access settings for B2B collaboration
Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Cross-tenant access settings enable you to control how users in your organization
collaborate with members of external Azure AD organizations. Now you have granular
inbound and outbound access control settings that work on a per org, user, group, and
application basis. These settings also make it possible for you to trust security claims
from external Azure AD organizations like multi-factor authentication (MFA), device
compliance, and hybrid Azure AD joined devices. For more information, see: Cross-
tenant access with Azure AD External Identities.

General Availability - Expression builder with Application Provisioning
Type: Changed feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in your apps or in your on-premises directory could be
disastrous. We're excited to announce the general availability of the accidental deletions
prevention capability. When a provisioning job would cause a spike in deletions, it will
first pause and provide you with visibility into the potential deletions. You can then
accept or reject the deletions and have time to update the job's scope if necessary. For
more information, see Understand how expression builder in Application Provisioning
works.

Public Preview - Improved app discovery view for My Apps portal
Type: Changed feature
Service category: My Apps
Product capability: End User Experiences

An improved app discovery view for My Apps is in public preview. The preview shows
users more apps in the same space and allows them to scroll between collections. It
doesn't currently support drag-and-drop and list view. Users can opt into the preview by
selecting Try the preview and opt out by selecting Return to previous view. To learn
more about My Apps, see My Apps portal overview.

Public Preview - New Azure portal All Devices list
Type: Changed feature
Service category: Device Registration and Management
Product capability: End User Experiences

We're enhancing the All Devices list in the Azure portal to make it easier to filter and
manage your devices. Improvements include:

All Devices List:

Infinite scrolling
More devices properties can be filtered on
Columns can be reordered via drag and drop
Select all devices

For more information, see: Manage devices in Azure AD using the Azure portal.

Public Preview - ADFS to Azure AD: Persistent NameID for IDP-initiated Apps
Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

Previously, the only way to have a persistent NameID value was to configure a user
attribute with an empty value. Admins can now explicitly configure the NameID value to
be persistent, along with the corresponding format.

For more information, see: Customize app SAML token claims - Microsoft identity
platform.

Public Preview - ADFS to Azure Active Directory: Customize attrname-format
Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

With this new parity update, customers can now integrate non-gallery applications such
as Socure DevHub with Azure AD to have SSO via SAML.

For more information, see Claims mapping policy - Microsoft Entra.

June 2022

Public preview - New provisioning connectors in the Azure AD Application Gallery - June 2022
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly
integrated apps:

Whimsical

For more information about how to better secure your organization by using automated
user account provisioning, see Automate user provisioning to SaaS applications with
Azure AD.

Public Preview - Roles are being assigned outside of Privileged Identity Management
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Customers can be alerted on assignments made outside PIM either directly on the Azure
portal or also via email. For the current public preview, the assignments are being
tracked at the subscription level. For more information, see Configure security alerts for
Azure roles in Privileged Identity Management.

General Availability - Temporary Access Pass is now available
Type: New feature
Service category: MFA
Product capability: User Authentication

Temporary Access Pass (TAP) is now generally available. TAP can be used to securely
register passwordless methods such as Phone Sign-in, phishing-resistant methods such
as FIDO2, and even help with Windows onboarding (Azure AD join and Windows Hello for
Business). TAP also makes recovery easier when a user has lost or forgotten their strong
authentication methods and needs to sign in to register new authentication methods.
For more information, see: Configure Temporary Access Pass in Azure AD to register
Passwordless authentication methods.

Public Preview of Dynamic Group support for MemberOf
Type: New feature
Service category: Group Management
Product capability: Directory

Create "nested" groups with Azure AD Dynamic Groups! This feature enables you to
build dynamic Azure AD Security Groups and Microsoft 365 groups based on other
groups! For example, you can now create Dynamic-Group-A with members of Group-X
and Group-Y. For more information, see: Steps to create a memberOf dynamic group.

New Federated Apps available in Azure AD Application gallery - June 2022
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2022 we've added the following 22 new applications in our App gallery with
Federation support:

Leadcamp Mailer, PULCE, Hive Learning, Planview LeanKit, Javelo, きょうしつでビスケット,
Agile Provisioning, xCarrier®, Skillcast, JTRA, InnerSpace inTELLO, Seculio,
XplicitTrust Partner Console, Veracity Single-Sign On, Guardium Data Protection,
IntellicureEHR v7, BMIS - Battery Management Information System, Finbiosoft
Cloud, Standard for Success K-12, E2open LSP, TVU Service, S4 - Digitsec.

You can also find the documentation of all the applications here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, see the details here:
https://aka.ms/AzureADAppRequest

General Availability – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD
Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud
Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for
a federated domain in your Azure AD tenant, it ensures that a compromised federated
account can't bypass Azure AD Multi-Factor Authentication by claiming that multi-factor
authentication has already been performed by the identity provider. The protection can
be enabled via the new security setting, federatedIdpMfaBehavior.

We highly recommend enabling this new protection when using Azure AD Multi-Factor
Authentication as the multi-factor authentication method for your federated users. To
learn more about the protection and how to enable it, visit Enable protection to prevent
by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.

Public Preview - New Azure portal All Users list and User
Profile UI
Type: Changed feature
Service category: User Management
Product capability: User Management

We're enhancing the All Users list and User Profile in the Azure portal to make it easier
to find and manage your users. Improvements include:

All Users List:

Infinite scrolling (yes, no 'Load more')
More user properties can be added as columns and filtered on
Columns can be reordered via drag and drop
Default columns shown and their order can be managed via the column picker
The ability to copy and share the current view

User Profile:

A new Overview page that surfaces insights (that is, group memberships, account
enabled, MFA capable, risky user, etc.)
A new monitoring tab
More user properties can be viewed and edited in the properties tab

For more information, see: User management enhancements in Azure Active Directory.

General Availability - More device properties supported for Dynamic Device groups
Type: Changed feature
Service category: Group Management
Product capability: Directory

You can now create or update dynamic device groups using the following properties:

deviceManagementAppId
deviceTrustType
extensionAttribute1-15
profileType

For more information on how to use this feature, see: Dynamic membership rule for
device groups.
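An added example (not code from the Azure AD documentation or from Microsoft) covering both the memberOf dynamic group above and the new device properties: it builds the memberOf rule for Dynamic-Group-A from Group-X and Group-Y, then creates a dynamic device group filtered on deviceTrustType and extensionAttribute1. The group ids, names and the "tier0" tag value are constructed placeholders; the calls assume a Connect-MgGraph session with Group.ReadWrite.All.

```powershell
# Added example, not from the Azure AD documentation. Group ids, names and the
# "tier0" tag are constructed placeholders.

function New-MemberOfRule {
    # Builds the memberOf rule syntax:
    #   user.memberof -any (group.objectId -in ['id1', 'id2'])
    param([Parameter(Mandatory)] [string[]] $SourceGroupIds)
    $quoted = ($SourceGroupIds | ForEach-Object { "'$_'" }) -join ', '
    return "user.memberof -any (group.objectId -in [$quoted])"
}

function New-DynamicSecurityGroup {
    # Creates a security group whose membership Azure AD maintains from $Rule.
    # Requires Connect-MgGraph with Group.ReadWrite.All.
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Rule
    )
    New-MgGroup -DisplayName $DisplayName `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $Rule `
        -MembershipRuleProcessingState 'On'
}

# Dynamic-Group-A: everyone who is a member of Group-X or Group-Y.
$groupXId = '00000000-0000-0000-0000-00000000000a'   # placeholder object id
$groupYId = '00000000-0000-0000-0000-00000000000b'   # placeholder object id
New-DynamicSecurityGroup -DisplayName 'Dynamic-Group-A' `
    -Rule (New-MemberOfRule -SourceGroupIds @($groupXId, $groupYId))

# Dynamic device group on two of the newly supported properties: Azure AD
# joined devices (deviceTrustType) that an admin tagged via extensionAttribute1.
$deviceRule = '(device.deviceTrustType -eq "AzureAD") and (device.extensionAttribute1 -eq "tier0")'
New-DynamicSecurityGroup -DisplayName 'Tier0-AzureADJoined-Devices' -Rule $deviceRule
```

Because membership of both groups is recalculated by Azure AD, anything that grants access through them (Conditional Access scopes, role-assignable groups) should be reviewed whenever the source groups or the device attributes change.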

May 2022

General Availability: Tenant-based service outage notifications
Type: Plan for change
Service category: Other
Product capability: Platform

Azure Service Health will soon support service outage notifications to Tenant Admins for
Azure Active Directory issues. These outages will also appear on the Azure portal
overview page with links to Azure Service Health. Outage events can be seen by built-in
Tenant Administrator roles. We continue to send outage notifications to subscriptions
within a tenant during the transition. More information will be available when this
capability is released. The expected release is June 2022.

New Federated Apps available in Azure AD Application gallery - May 2022
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2022 we've added the following 25 new applications in our App gallery with
Federation support:

UserZoom, AMX Mobile, i-Sight, Method InSight, Chronus SAML, Attendant Console
for Microsoft Teams, Skopenow, Fidelity PlanViewer, Lyve Cloud, Framer, Authomize,
gamba!, Datto File Protection Single Sign On, LONEALERT, Payfactors, deBroome
Brand Portal, TeamSlide, Sensera Systems, YEAP, Monaca Education, Personify
Inc, Phenom TXM, Forcepoint Cloud Security Gateway - User Authentication,
GoalQuest, OpenForms.

You can also find the documentation of all the applications here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, please read the details here:
https://aka.ms/AzureADAppRequest

General Availability – My Apps users can make apps from URLs (add sites)
Type: New feature
Service category: My Apps
Product capability: End User Experiences

When editing a collection using the My Apps portal, users can now add their own sites,
in addition to adding apps that have been assigned to them by an admin. To add a site,
users must provide a name and URL. For more information on how to use this feature,
see: Customize app collections in the My Apps portal.

Public preview - New provisioning connectors in the Azure AD Application Gallery - May 2022
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly
integrated apps:

Alinto Protect
Blinq
Cerby

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

Public Preview: Confirm safe and compromised in sign-ins API beta
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

The sign-ins Microsoft Graph API now supports confirming safe and compromised on
risky sign-ins. This public preview functionality is available at the beta endpoint. For
more information, please check out the Microsoft Graph documentation: signIn:
confirmSafe - Microsoft Graph beta.

Public Preview of Microsoft cloud settings for Azure AD B2B
Type: New feature
Service category: B2B
Product capability: B2B/B2C

Microsoft cloud settings let you collaborate with organizations from different Microsoft
Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration
between the following clouds:

Microsoft Azure global cloud and Microsoft Azure Government
Microsoft Azure global cloud and Microsoft Azure operated by 21Vianet

To learn more about Microsoft cloud settings for B2B collaboration, see: Cross-tenant
access overview - Azure AD.

General Availability of SAML and WS-Fed federation in External Identities
Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

When setting up federation with a partner's IdP, new guest users from that domain can
use their own IdP-managed organizational account to sign in to your Azure AD tenant
and start collaborating with you. There's no need for the guest user to create a separate
Azure AD account. To learn more about federating with SAML or WS-Fed identity
providers in External Identities, see: Federation with a SAML/WS-Fed identity provider
(IdP) for B2B - Azure AD.

Public Preview - Create Group in Administrative Unit
Type: Changed feature
Service category: Directory Management
Product capability: Access Control

Groups Administrators assigned over the scope of an administrative unit can now create
groups within the administrative unit. This enables scoped group administrators to
create groups that they can manage directly, without needing to elevate to Global
Administrator or Privileged Role Administrator. For more information, see:
Administrative units in Azure Active Directory.

Public Preview - Dynamic administrative unit support for onPremisesDistinguishedName property
Type: Changed feature
Service category: Directory Management
Product capability: AuthZ/Access Delegation

The public preview of dynamic administrative units now supports the
onPremisesDistinguishedName property for users. This makes it possible to create
dynamic rules that incorporate the organizational unit of the user from on-premises AD.
For more information, see: Manage users or devices for an administrative unit with
dynamic membership rules (Preview).

General Availability - Improvements to Azure AD Smart Lockout
Type: Changed feature
Service category: Other
Product capability: User Management

Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the
total number of failed sign-in attempts allowed before an account is locked out will
match the configured lockout threshold. For more information, see: Protect user
accounts from attacks with Azure Active Directory smart lockout.

April 2022

General Availability - Entitlement management separation of duties checks for incompatible access packages
Type: Changed feature
Service category: Other
Product capability: Identity Governance

In Azure AD entitlement management, an administrator can now configure the
incompatible access packages and groups of an access package in the Azure portal. This
prevents a user who already has one of those incompatible access rights from being
able to request further access. For more information, see: Configure separation of duties
checks for an access package in Azure AD entitlement management.

General Availability - Microsoft Defender for Endpoint Signal in Identity Protection
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE)
that provides detection of primary refresh token (PRT) theft. To learn more, see: What is
risk? Azure AD Identity Protection.

General Availability - Entitlement management 3 stages of approval
Type: Changed feature
Service category: Other
Product capability: Entitlement Management

This update extends the Azure AD entitlement management access package policy to
allow a third approval stage. This is able to be configured via the Azure portal or
Microsoft Graph. For more information, see: Change approval and requestor information
settings for an access package in Azure AD entitlement management.

General Availability - Improvements to Azure AD Smart Lockout
Type: Changed feature
Service category: Identity Protection
Product capability: User Management

With a recent improvement, Smart Lockout now synchronizes the lockout state across
Azure AD data centers, so the total number of failed sign-in attempts allowed before an
account is locked out will match the configured lockout threshold. For more
information, see: Protect user accounts from attacks with Azure Active Directory smart
lockout.

Public Preview - Integration of Microsoft 365 App Certification details into Azure Active Directory UX and Consent Experiences
Type: New feature
Service category: User Access Management
Product capability: AuthZ/Access Delegation

Microsoft 365 Certification status for an app is now available in Azure AD consent UX,
and custom app consent policies. The status will later be displayed in several other
Identity-owned interfaces such as enterprise apps. For more information, see:
Understanding Azure AD application consent experiences.

Public preview - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Use Azure AD access reviews to review access of B2B direct connect users in Teams
shared channels. For more information, see: Include B2B direct connect users and teams
accessing Teams Shared Channels in access reviews (preview).

Public Preview - New MS Graph APIs to configure federated settings when federated with Azure AD
Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're announcing the public preview of following MS Graph APIs and PowerShell
cmdlets for configuring federated settings when federated with Azure AD:

Action                                              MS Graph API                     PowerShell cmdlet
Get federation settings for a federated domain      Get internalDomainFederation     Get-MgDomainFederationConfiguration
Create federation settings for a federated domain   Create internalDomainFederation  New-MgDomainFederationConfiguration
Remove federation settings for a federated domain   Delete internalDomainFederation  Remove-MgDomainFederationConfiguration
Update federation settings for a federated domain   Update internalDomainFederation  Update-MgDomainFederationConfiguration

If using older MSOnline cmdlets (Get-MsolDomainFederationSettings and
Set-MsolDomainFederationSettings), we highly recommend transitioning to the latest MS
Graph APIs and PowerShell cmdlets.

For more information, see internalDomainFederation resource type - Microsoft Graph
beta.

Public Preview – Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users
Type: New feature
Service category: RBAC role
Product capability: AuthZ/Access Delegation

Added functionality to session controls allows admins to require a user to reauthenticate
on every sign-in if the user or a particular sign-in event is deemed risky, or when
enrolling a device in Intune. For more information, see Configure authentication session
management with Conditional Access.

Public Preview – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD
Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud
Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for
a federated domain in your Azure AD tenant, it ensures that a compromised federated
account can't bypass Azure AD Multi-Factor Authentication by claiming that multi-factor
authentication has already been performed by the identity provider. The protection can
be enabled via the new security setting, federatedIdpMfaBehavior.

We highly recommend enabling this new protection when using Azure AD Multi-Factor
Authentication as the multi-factor authentication method for your federated users. To
learn more about the protection and how to enable it, visit Enable protection to prevent
by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.
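An added example (not code from the Azure AD documentation or from Microsoft) that ties the federatedIdpMfaBehavior protection above to the Get-/Update-MgDomainFederationConfiguration cmdlets listed earlier in this section: it audits every federated domain in the tenant and, only when asked, switches unprotected ones to reject MFA claims from the federated IdP. It assumes a Connect-MgGraph session with Domain.ReadWrite.All, and the enum value 'rejectMfaByFederatedIdp' is taken from the internalDomainFederation resource rather than from this page.

```powershell
# Added example, not from the Azure AD documentation. Assumes Connect-MgGraph
# with Domain.ReadWrite.All; 'rejectMfaByFederatedIdp' is the value from the
# internalDomainFederation resource that turns the protection on.

function Get-FederatedDomainMfaPosture {
    # One row per federated domain: which federatedIdpMfaBehavior it uses and
    # whether a federated IdP could still assert that MFA was already done.
    $federated = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }
    foreach ($domain in $federated) {
        foreach ($cfg in Get-MgDomainFederationConfiguration -DomainId $domain.Id) {
            [pscustomobject]@{
                Domain    = $domain.Id
                ConfigId  = $cfg.Id
                Behavior  = $cfg.FederatedIdpMfaBehavior
                Protected = ($cfg.FederatedIdpMfaBehavior -eq 'rejectMfaByFederatedIdp')
            }
        }
    }
}

function Protect-FederatedDomainMfa {
    # Reports unprotected domains; changes them only when -Enforce is given.
    param([switch] $Enforce)
    foreach ($row in Get-FederatedDomainMfaPosture) {
        if ($row.Protected) { continue }
        Write-Warning "$($row.Domain) uses '$($row.Behavior)': MFA claims from the federated IdP are trusted."
        if ($Enforce) {
            Update-MgDomainFederationConfiguration -DomainId $row.Domain `
                -InternalDomainFederationId $row.ConfigId `
                -FederatedIdpMfaBehavior 'rejectMfaByFederatedIdp'
        }
    }
}

Protect-FederatedDomainMfa             # audit only
# Protect-FederatedDomainMfa -Enforce  # apply once the caveat below is satisfied
```

Before running with -Enforce, make sure users in those domains are registered for Azure AD Multi-Factor Authentication, because their IdP's MFA claim will no longer satisfy a Conditional Access MFA requirement.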

New Federated Apps available in Azure AD Application gallery - April 2022
Type: New feature
Service category: Enterprise Apps
Product capability: Third Party Integration

In April 2022 we added the following 24 new applications in our App gallery with
Federation support: X-1FBO, select Armor, Smint.io Portals for SharePoint, Pluto,
ADEM, Smart360, MessageWatcher SSO, Beatrust, AeyeScan, ABa Customer,
Twilio Sendgrid, Vault Platform, Speexx, Clicksign, Per Angusta, EruditAI, MetaMoJi
ClassRoom, Numici, MCB.CLOUD, DepositLink, Last9, ParkHere Corporate,
Keepabl, Swit.

You can also find the documentation of all the applications here:
https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, please read the details here:
https://aka.ms/AzureADAppRequest

General Availability - Customer data storage for Japan customers in Japanese data centers
Type: New feature
Service category: App Provisioning
Product capability: GoLocal

From April 15, 2022, Microsoft began storing Azure AD’s Customer Data for new tenants
with a Japan billing address within the Japanese data centers. For more information, see:
Customer data storage for Japan customers in Azure Active Directory.

Public Preview - New provisioning connectors in the Azure AD Application Gallery - April 2022
Type: New feature
Service category: App Provisioning
Product capability: Third Party Integration

You can now automate creating, updating, and deleting user accounts for these newly
integrated apps:

Adobe Identity Management (OIDC)
embed signage
KnowBe4 Security Awareness Training
NordPass

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

March 2022

Tenant enablement of combined security information registration for Azure Active Directory
Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection

We announced in April 2020 General Availability of our new combined registration
experience, enabling users to register security information for multi-factor
authentication and self-service password reset at the same time, which was available for
existing customers to opt in. We're happy to announce the combined security
information registration experience will be enabled to all nonenabled customers after
September 30, 2022. This change doesn't impact tenants created after August 15, 2020,
or tenants located in the China region. For more information, see: Combined security
information registration for Azure Active Directory overview.

Public preview - New provisioning connectors in the Azure AD Application Gallery - March 2022
Type: New feature
Service category: App Provisioning
Product capability: Third Party Integration

You can now automate creating, updating, and deleting user accounts for these newly
integrated apps:

AlexisHR
embed signage
Joyn FSM
KPN Grip
MURAL Identity
Palo Alto Networks SCIM Connector
Tap App Security
Yellowbox

For more information about how to better secure your organization by using automated
user account provisioning, see: Automate user provisioning to SaaS applications with
Azure AD.

Public preview - Azure AD Recommendations
Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD Recommendations is now in public preview. This feature provides
personalized insights with actionable guidance to help you identify opportunities to
implement Azure AD best practices, and optimize the state of your tenant. For more
information, see: What is Azure Active Directory recommendations.

Public Preview: Dynamic administrative unit membership for users and devices
Type: New feature
Service category: RBAC role
Product capability: Access Control

Administrative units now support dynamic membership rules for user and device
members. Instead of manually assigning users and devices to administrative units,
tenant admins can set up a query for the administrative unit. The membership is
automatically maintained by Azure AD. For more information, see: Administrative units in
Azure Active Directory.

Public Preview: Devices in Administrative Units
Type: New feature
Service category: RBAC role
Product capability: AuthZ/Access Delegation

Devices can now be added as members of administrative units. This enables scoped
delegation of device permissions to a specific set of devices in the tenant. Built-in and
custom roles are also supported. For more information, see: Administrative units in
Azure Active Directory.

New Federated Apps available in Azure AD Application gallery - March 2022
Type: New feature
Service category: Enterprise Apps
Product capability: Third Party Integration

In March 2022 we've added the following 29 new applications in our App gallery with
Federation support:

Informatica Platform, Buttonwood Central SSO, Blockbax, Datto Workplace Single Sign
On, Atlas by Workland, Simply.Coach, Benevity, Engage Absence Management,
LitLingo App Authentication, ADP EMEA French HR Portal mon.adp.com, Ready
Room, Axway CSOS, Alloy, U.S. Bank Prepaid, EdApp, GoSimplo, Snow Atlas
SSO, Abacus.AI, Culture Shift, StaySafe Hub, OpenLearning, Draup, Inc, Air,
Regulatory Lab, SafetyLine, Zest, iGrafx Platform, Tracker Software Technologies

Documentation for all these applications is available at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at
https://aka.ms/AzureADAppRequest.

Public Preview - New APIs for fetching transitive role assignments and role permissions
Type: New feature
Service category: RBAC role
Product capability: Access Control

1. transitiveRoleAssignments - Last year, the ability to assign Azure AD roles to
groups was introduced. Originally it took four calls to fetch all direct and transitive
role assignments of a user. This new API allows it all to be done in one call. For
more information, see: List transitiveRoleAssignment - Microsoft Graph beta.

2. unifiedRbacResourceAction - Developers can use this API to list all role
permissions and their descriptions in Azure AD. This API can be thought of as a
dictionary that can help build custom roles without relying on UX. For more
information, see: List resourceActions - Microsoft Graph beta.
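The difference between a direct and a transitive role assignment is what made the old four-call pattern necessary: roles reach a user through group membership, including nested groups, and a direct-only query misses all of them. The following is an added example, not code from the page or from Microsoft Graph; it models on constructed in-memory data what a single transitiveRoleAssignments result has to contain, so an auditor reviewing a user's effective privileges can see where a group-inherited role came from. All group, user and role IDs are constructed placeholders.

```python
"""Direct vs. transitive Azure AD role assignments, computed in one pass.

Added example, not the page's or Microsoft's code. It models with constructed
in-memory data what a single transitiveRoleAssignments call returns: roles
assigned to the user directly plus roles inherited through (possibly nested)
role-assignable groups. All IDs below are constructed placeholders.
"""
from collections import deque

# Constructed directory snapshot: group -> members (users or nested groups).
GROUP_MEMBERS = {
    "grp-helpdesk": {"user-alice", "grp-tier2"},   # grp-tier2 is nested in grp-helpdesk
    "grp-tier2": {"user-bob"},
    "grp-auditors": {"user-alice"},
}

# Constructed role assignments: (principalId, roleDefinitionId, directoryScopeId).
ROLE_ASSIGNMENTS = [
    ("user-alice", "role-reader", "/"),
    ("grp-helpdesk", "role-helpdesk-admin", "/"),
    ("grp-tier2", "role-user-admin", "/"),
    ("grp-auditors", "role-global-reader", "/administrativeUnits/au-finance"),
]


def transitive_groups(principal_id):
    """Every group containing principal_id, directly or via nested membership."""
    parents = {}
    for group, members in GROUP_MEMBERS.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, queue = set(), deque(parents.get(principal_id, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def direct_role_assignments(principal_id):
    """Assignments made to the principal itself (what a per-principal query shows)."""
    return [a for a in ROLE_ASSIGNMENTS if a[0] == principal_id]


def transitive_role_assignments(user_id):
    """Direct assignments plus those inherited from every group the user is in.

    This is the set a reviewer needs when auditing a user's effective privileges;
    a direct-only query misses everything assigned via groups.
    """
    principals = {user_id} | transitive_groups(user_id)
    result = []
    for principal, role, scope in ROLE_ASSIGNMENTS:
        if principal in principals:
            result.append({
                "principalId": principal,
                "roleDefinitionId": role,
                "directoryScopeId": scope,
                "inheritedVia": None if principal == user_id else principal,
            })
    return result


if __name__ == "__main__":
    for user in ("user-alice", "user-bob"):
        print(user, "direct:", [a[1] for a in direct_role_assignments(user)])
        print(user, "transitive:",
              [a["roleDefinitionId"] for a in transitive_role_assignments(user)])
```

Note that user-bob has no direct assignment at all, yet holds two roles: one through grp-tier2 and one through grp-helpdesk, which contains grp-tier2. That nesting is exactly what a review based only on direct assignments would overlook.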

February 2022

General Availability - France digital accessibility requirement
Type: Plan for change
Service category: Other
Product capability: End User Experiences

This change provides users who are signing into Azure Active Directory on iOS, Android,
and Web UI flavors information about the accessibility of Microsoft's online services via
a link on the sign-in page. This ensures that the France digital accessibility compliance
requirements are met. The change will only be available for French language
experiences. Learn more

General Availability - Downloadable access review history report
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

With Azure Active Directory (Azure AD) Access Reviews, you can create a downloadable
review history to help your organization gain more insight. The report pulls the
decisions that were taken by reviewers when a report is created. These reports can be
constructed to include specific access reviews, for a specific time frame, and can be
filtered to include different review types and review results. Learn more

Public Preview of Identity Protection for Workload Identities
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Azure AD Identity Protection is extending its core capabilities of detecting, investigating,
and remediating identity-based risk to workload identities. This allows organizations to
better protect their applications, service principals, and managed identities. We're also
extending Conditional Access so you can block at-risk workload identities. Learn more

Public Preview - Cross-tenant access settings for B2B collaboration
Type: New feature
Service category: B2B
Product capability: Collaboration

Cross-tenant access settings enable you to control how users in your organization
collaborate with members of external Azure AD organizations. Now you have granular
inbound and outbound access control settings that work on a per org, user, group, and
application basis. These settings also make it possible for you to trust security claims
from external Azure AD organizations like multi-factor authentication (MFA), device
compliance, and hybrid Azure AD joined devices. Learn more

Public preview - Create Azure AD access reviews with multiple stages of reviewers
Type: New feature
Service category: Access Reviews
Product capability: Identity Governance

Use multi-stage reviews to create Azure AD access reviews in sequential stages, each
with its own set of reviewers and configurations. Supports multiple stages of reviewers
to satisfy scenarios such as: independent groups of reviewers reaching quorum,
escalations to other reviewers, and reducing burden by allowing for later stage reviewers
to see a filtered-down list. For public preview, multi-stage reviews are only supported on
reviews of groups and applications. Learn more

New Federated Apps available in Azure AD Application gallery - February 2022
Type: New feature
Service category: Enterprise Apps
Product capability: Third Party Integration

In February 2022 we added the following 20 new applications in our App gallery with
Federation support:

Embark, FENCE-Mobile RemoteManager SSO, カオナビ, Adobe Identity Management
(OIDC), AppRemo, Live Center, Offishall, MoveWORK Flow, Cirros SL, ePMX
Procurement Software, Vanta O365, Hubble, Medigold Gateway, クラウドログ,
Amazing People Schools, XplicitTrust Network Access, Spike Email - Mail & Team
Chat, AltheaSuite, Balsamiq Wireframes.

Documentation for all these applications is available at https://aka.ms/AppsTutorial.

To list your application in the Azure AD app gallery, read the details at
https://aka.ms/AzureADAppRequest.

Two new MDA detections in Identity Protection
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection has added two new detections from Microsoft Defender for Cloud
Apps, (formerly MCAS). The Mass Access to Sensitive Files detection detects anomalous
user activity, and the Unusual Addition of Credentials to an OAuth app detects
suspicious service principal activity. Learn more

Public preview - New provisioning connectors in the Azure AD Application Gallery - February 2022
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly
integrated apps:

BullseyeTDP
GitHub Enterprise Managed User (OIDC)
Gong
LanSchool Air
ProdPad

For more information about how to better secure your organization by using automated
user account provisioning, see Automate user provisioning to SaaS applications with
Azure AD.

General Availability - Privileged Identity Management (PIM) role activation for SharePoint Online enhancements
Type: Changed feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management

We've improved the Privileged Identity management (PIM) time to role activation for
SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should
be able to use your permissions right away in SharePoint Online. This change rolls out in
stages, so you might not yet see these improvements in your organization. Learn more

Archive for What's new in Azure Sovereign Clouds?
Article • 07/20/2023

The primary What's new in sovereign clouds release notes article contains updates for
the last six months, while this article contains older information up to two years.

December 2022

General Availability - Risk-based Conditional Access for workload identities
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Customers can now bring one of the most powerful forms of access control in the
industry to workload identities. Conditional Access supports risk-based policies for
workload identities. Organizations can block sign-in attempts when Identity Protection
detects compromised apps or services. For more information, see: Create a risk-based
Conditional Access policy.

General Availability - API to recover accidentally deleted Service Principals
Type: New feature
Service category: Enterprise Apps
Product capability: Identity Lifecycle Management

Restore a recently deleted application, group, servicePrincipal, administrative unit, or
user object from deleted items. If an item was accidentally deleted, you can fully restore
the item. This isn't applicable to security groups, which are deleted permanently. A
recently deleted item remains available for up to 30 days. After 30 days, the item is
permanently deleted. For more information, see: servicePrincipal resource type.

General Availability - Using Staged rollout to test Cert Based Authentication (CBA)
Type: New feature
Service category: Authentications (Logins)
Product capability: Identity Security & Protection

We're excited to announce the general availability of hybrid cloud Kerberos trust, a new
Windows Hello for Business deployment model to enable a password-less sign-in
experience. With this new model, we’ve made Windows Hello for Business easier to
deploy than the existing key trust and certificate trust deployment models by removing
the need for maintaining complicated public key infrastructure (PKI), and Azure Active
Directory (AD) Connect synchronization wait times. For more information, see: Migrate
to cloud authentication using Staged Rollout.

November 2022

General Availability - Windows Hello for Business, cloud Kerberos trust deployment
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

We're excited to announce the general availability of hybrid cloud Kerberos trust, a new
Windows Hello for Business deployment model to enable a password-less sign-in
experience. With this new model, we’ve made Windows Hello for Business easier to
deploy than the existing key trust and certificate trust deployment models by removing
the need for maintaining complicated public key infrastructure (PKI), and Azure Active
Directory (AD) Connect synchronization wait times. For more information, see: Hybrid
Cloud Kerberos Trust Deployment.

General Availability - Expression builder with Application Provisioning
Type: Changed feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in your apps or in your on-premises directory could be
disastrous. We’re excited to announce the general availability of the accidental deletions
prevention capability. When a provisioning job would cause a spike in deletions, it will
first pause and provide you with visibility into the potential deletions. You can then
accept or reject the deletions and have time to update the job’s scope if necessary. For
more information, see Understand how expression builder in Application Provisioning
works.

General Availability - SSPR writeback is now available for disconnected forests using Azure AD Connect Cloud sync
Type: New feature
Service category: Azure AD Connect Cloud Sync
Product capability: Identity Lifecycle Management

Azure AD Connect Cloud Sync Password writeback now provides customers the ability to
synchronize Azure AD password changes made in the cloud to an on-premises directory
in real time. This can be accomplished using the lightweight Azure AD cloud
provisioning agent. For more information, see: Tutorial: Enable cloud sync self-service
password reset writeback to an on-premises environment.

General Availability - Prevent accidental deletions
Type: New feature
Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in any system could be disastrous. We’re excited to
announce the general availability of the accidental deletions prevention capability as
part of the Azure AD provisioning service. When the number of deletions to be
processed in a single provisioning cycle spikes above a customer-defined threshold, the
Azure AD provisioning service pauses, provides you with visibility into the potential
deletions, and allows you to accept or reject them. This functionality has
historically been available for Azure AD Connect and Azure AD Connect Cloud Sync. It's
now available across the various provisioning flows, including both HR-driven
provisioning and application provisioning.

For more information, see: Enable accidental deletions prevention in the Azure AD
provisioning service.
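The guard described above is a threshold on the deletion count of one cycle: the cycle is planned, the deletions are counted, and if they exceed the limit nothing is applied until an administrator reviews them. The following is an added example that is not the provisioning service's code; it assumes a cycle is planned by diffing the users currently in scope against those already provisioned in the target, so a mis-edited scoping filter that silently drops most of the population shows up as a spike that pauses the cycle. The users, threshold and domain are constructed.

```python
"""Pause a provisioning cycle when its deletion count spikes above a threshold.

Added example, not the Azure AD provisioning service's code. It assumes a cycle
is planned by diffing the users currently in scope against those already
provisioned in the target app: users that left scope become deletions. When
the deletion count exceeds a customer-defined threshold the plan is paused and
nothing is applied until an administrator accepts it. Sample users are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class CyclePlan:
    creates: list = field(default_factory=list)
    deletes: list = field(default_factory=list)
    paused: bool = False
    reason: str = ""


def plan_cycle(in_scope, provisioned, deletion_threshold):
    """Diff scope against target; pause when deletions exceed the threshold."""
    in_scope, provisioned = set(in_scope), set(provisioned)
    plan = CyclePlan(creates=sorted(in_scope - provisioned),
                     deletes=sorted(provisioned - in_scope))
    if len(plan.deletes) > deletion_threshold:
        plan.paused = True
        plan.reason = (f"{len(plan.deletes)} deletions exceed threshold "
                       f"{deletion_threshold}; waiting for accept/reject")
    return plan


def apply_plan(plan, provisioned, accepted=False):
    """Return the target's user set after the cycle; a paused plan is a no-op
    unless an administrator explicitly accepted the deletions."""
    provisioned = set(provisioned)
    if plan.paused and not accepted:
        return provisioned
    return (provisioned | set(plan.creates)) - set(plan.deletes)


# Constructed sample: 50 users already provisioned into the target app.
PROVISIONED = [f"user{i:02d}@contoso.example" for i in range(50)]
# A routine cycle: two leavers and one joiner.
NORMAL_SCOPE = PROVISIONED[:48] + ["user50@contoso.example"]
# A mis-edited scoping filter that suddenly keeps only ten users.
NARROWED_SCOPE = PROVISIONED[:10]

if __name__ == "__main__":
    for label, scope in (("normal", NORMAL_SCOPE), ("narrowed", NARROWED_SCOPE)):
        plan = plan_cycle(scope, PROVISIONED, deletion_threshold=20)
        print(label, "creates:", len(plan.creates), "deletes:", len(plan.deletes),
              "paused:", plan.paused, plan.reason)
```

The threshold is compared against the count for a single cycle, not a running total, which is what makes the routine two-leaver cycle pass while the forty-deletion cycle pauses; the paused plan leaves the target untouched until it is explicitly accepted.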

General Availability - Create group in administrative unit
Type: New feature
Service category: RBAC
Product capability: AuthZ/Access Delegation

Groups Administrators and other roles scoped to an administrative unit can now create
groups within the administrative unit. Previously, creating a new group in administrative
unit required a two-step process to first create the group, then add the group to the
administrative unit. The second step required a Privileged Role Administrator or Global
Administrator. Now, groups can be directly created in an administrative unit by anyone
with appropriate roles scoped to the administrative unit, and this no longer requires a
higher privilege admin role. For more information, see: Add users, groups, or devices to
an administrative unit.

General Availability - Number matching for Microsoft Authenticator notifications
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

To prevent accidental notification approvals, admins can now require users to enter the
number displayed on the sign-in screen when approving an MFA notification in the
Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and
Microsoft Graph APIs to make it easier for customers to manage Authenticator app
feature roll-outs. As part of this update we have also added the highly requested ability
for admins to exclude user groups from each feature.

The number matching feature greatly up-levels the security posture of the Microsoft
Authenticator app and protects organizations from MFA fatigue attacks. We highly
encourage our customers to adopt this feature applying the rollout controls we have
built. Number Matching will begin to be enabled for all users of the Microsoft
Authenticator app starting 27th of February 2023.

For more information, see: How to use number matching in multifactor authentication
(MFA) notifications - Authentication methods policy.

General Availability - Additional context in Microsoft Authenticator notifications
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Reduce accidental approvals by showing users additional context in Microsoft
Authenticator app notifications. Customers can enhance notifications with the following:

Application Context: This feature will show users which application they're signing
into.
Geographic Location Context: This feature will show users their sign-in location
based on the IP address of the device they're signing into.

The feature is available for both MFA and Password-less Phone Sign-in notifications and
greatly increases the security posture of the Microsoft Authenticator app. We've also
refreshed the Azure portal Admin UX and Microsoft Graph APIs to make it easier for
customers to manage Authenticator app feature roll-outs. As part of this update, we've
also added the highly requested ability for admins to exclude user groups from certain
features.

We highly encourage our customers to adopt these critical security features to reduce
accidental approvals of Authenticator notifications by end users.

For more information, see: How to use additional context in Microsoft Authenticator
notifications - Authentication methods policy.

October 2022

General Availability - Azure AD certificate-based authentication
Type: New feature
Service category: Other
Product capability: User Authentication

Azure AD certificate-based authentication (CBA) enables customers to allow or require
users to authenticate with X.509 certificates against their Azure Active Directory (Azure
AD) for applications and browser sign-in. This feature enables customers to adopt a
phishing resistant authentication and authenticate with an X.509 certificate against their
Enterprise Public Key Infrastructure (PKI). For more information, see: Overview of Azure
AD certificate-based authentication (Preview).

General Availability - Audited BitLocker Recovery
Type: New feature
Service category: Device Access Management
Product capability: Device Lifecycle Management

BitLocker keys are sensitive security items. Audited BitLocker recovery ensures that when
BitLocker keys are read, an audit log is generated so that you can trace who accesses
this information for given devices. For more information, see: View or copy BitLocker
keys.

General Availability - More device properties supported for Dynamic Device groups
Type: Changed feature
Service category: Group Management
Product capability: Directory

You can now create or update dynamic device groups using the following properties:

deviceManagementAppId
deviceTrustType
extensionAttribute1-15
profileType

For more information on how to use this feature, see: Dynamic membership rule for
device groups.
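Dynamic groups and, since the March 2022 note above, dynamic administrative units are both driven by the same membership-rule syntax: a query over object properties such as device.deviceTrustType or device.extensionAttribute1 that the service evaluates to decide membership. Being able to evaluate a rule offline before deploying it is useful, because an over-broad rule places devices in scope for whatever delegated role or policy the group or unit carries. The following is an added example, not Microsoft's rule engine: a small tokenizer, parser and evaluator for a subset of the syntax (device.* operands, -eq, -ne, -startsWith, -in, -and, -or, -not, parentheses) run over constructed device records. Case-insensitive comparison, "-and binds tighter than -or", and "a missing property never matches" are assumptions of this toy; the real service supports more operators, for example -match, -contains and -any.

```python
"""Evaluate a subset of Azure AD dynamic membership rule syntax offline.

Added example, not Microsoft's rule engine. Supports device.<property> operands,
-eq, -ne, -startsWith, -in, -and, -or, -not and parentheses; real rules support
more (-match, -contains, -any, ...). Case-insensitive comparison and "-and binds
tighter than -or" are assumptions of this toy. Device records are constructed.
"""
import re

TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|(\[)|(\])|(,)|"([^"]*)"|(-[A-Za-z]+)|([A-Za-z_][\w.]*))')
KINDS = ("LP", "RP", "LB", "RB", "COMMA", "STR", "OP", "PROP")
COMPARE = {"-eq": lambda a, b: a == b, "-ne": lambda a, b: a != b,
           "-startswith": lambda a, b: a.startswith(b), "-in": lambda a, b: a in b}


def tokenize(rule):
    """Split a rule into (kind, text) tokens; anything unrecognised is an error."""
    pos, tokens = 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:                                   # only trailing whitespace may remain
            if rule[pos:].strip():
                raise ValueError(f"unexpected input at {pos}: {rule[pos:pos + 12]!r}")
            break
        pos, kind, text = m.end(), KINDS[m.lastindex - 1], m.group(m.lastindex)
        tokens.append((kind, text.lower() if kind == "OP" else text))
    return tokens


class Parser:
    """Recursive descent with precedence: -or < -and < -not < atom."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None):
        tok = self.peek()
        if kind and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok
    def binary(self, op):
        """-or over -and chains, -and over -not terms; node tag is 'or' or 'and'."""
        below = (lambda: self.binary("-and")) if op == "-or" else self.unary
        left = below()
        while self.peek() == ("OP", op):
            self.take()
            left = (op[1:], left, below())
        return left
    def unary(self):
        if self.peek() == ("OP", "-not"):
            self.take()
            return ("not", self.unary())
        return self.atom()
    def atom(self):
        if self.peek()[0] == "LP":
            self.take()
            node = self.binary("-or")
            self.take("RP")
            return node
        prop, op = self.take("PROP")[1], self.take("OP")[1]
        if op not in COMPARE:
            raise ValueError(f"unsupported operator {op}")
        if op != "-in":
            return ("cmp", op, prop, self.take("STR")[1])
        self.take("LB")                             # -in ["a", "b"]
        values = [self.take("STR")[1]]
        while self.peek()[0] == "COMMA":
            self.take()
            values.append(self.take("STR")[1])
        self.take("RB")
        return ("cmp", op, prop, values)


def evaluate(node, device):
    """Walk the tree; a property the device lacks never matches (toy assumption)."""
    if node[0] == "and":
        return evaluate(node[1], device) and evaluate(node[2], device)
    if node[0] == "or":
        return evaluate(node[1], device) or evaluate(node[2], device)
    if node[0] == "not":
        return not evaluate(node[1], device)
    _, op, prop, value = node
    scope, _, name = prop.partition(".")
    if scope != "device" or not name:
        raise ValueError(f"unsupported operand {prop!r}")
    actual = device.get(name)
    if actual is None:
        return False
    value = [v.lower() for v in value] if isinstance(value, list) else value.lower()
    return COMPARE[op](str(actual).lower(), value)


DEVICES = [  # constructed sample devices, not real directory objects
    {"displayName": "FIN-LAPTOP-01", "deviceTrustType": "AzureAD", "profileType": "RegisteredDevice", "extensionAttribute1": "Finance"},
    {"displayName": "ENG-DESK-07", "deviceTrustType": "ServerAD", "profileType": "RegisteredDevice", "extensionAttribute1": "Engineering"},
    {"displayName": "KIOSK-3", "deviceTrustType": "Workplace", "profileType": "Shared"},
]


def members(rule, devices=DEVICES):
    """Display names of the devices a rule would place in the group or unit."""
    parser = Parser(tokenize(rule))
    tree = parser.binary("-or")
    if parser.peek()[0] is not None:
        raise ValueError(f"unexpected token {parser.peek()}")
    return [d["displayName"] for d in devices if evaluate(tree, d)]
```

Running a candidate rule through members() against a representative sample of your own device inventory, before saving it, shows exactly which devices it would pull in; an unsupported operator raises rather than silently matching nothing.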

September 2022

General Availability - No more waiting, provision groups on demand into your SaaS applications.
Type: New feature
Service category: Provisioning
Product capability: Identity Lifecycle Management

Pick a group of up to five members and provision them into your third-party
applications in seconds. Get started testing, troubleshooting, and provisioning to non-
Microsoft applications such as ServiceNow, ZScaler, and Adobe. For more information,
see: On-demand provisioning in Azure Active Directory.

General Availability - Devices Overview
Type: New feature
Service category: Device Registration and Management
Product capability: Device Lifecycle Management

The new Device Overview in the Azure portal provides meaningful and actionable
insights about devices in your tenant.

In the devices overview, you can view the number of total devices, stale devices,
noncompliant devices, and unmanaged devices. You'll also find links to Intune,
Conditional Access, BitLocker keys, and basic monitoring. For more information, see:
Manage device identities by using the Azure portal.

General Availability - Support for Linux as Device Platform in Azure AD Conditional Access
Type: New feature
Service category: Conditional Access
Product capability: User Authentication

Added support for “Linux” device platform in Azure AD Conditional Access.

An admin can now require a user is on a compliant Linux device, managed by Intune, to
sign-in to a selected service (for example ‘all cloud apps’ or ‘Office 365’). For more
information, see: Device platforms

General Availability - Cross-tenant access settings for B2B collaboration
Type: Changed feature
Service category: B2B
Product capability: B2B/B2C

Cross-tenant access settings enable you to control how users in your organization
collaborate with members of external Azure AD organizations. Now you’ll have granular
inbound and outbound access control settings that work on a per org, user, group, and
application basis. These settings also make it possible for you to trust security claims
from external Azure AD organizations like multi-factor authentication (MFA), device
compliance, and hybrid Azure AD joined devices. For more information, see: Cross-
tenant access with Azure AD External Identities.

General Availability - Location Aware Authentication using GPS from Authenticator App
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

Admins can now enforce Conditional Access policies based off of GPS location from
Authenticator. For more information, see: Named locations.

General Availability - My Sign-ins now supports org switching and improved navigation
Type: Changed feature
Service category: MFA
Product capability: End User Experiences

We've improved the My Sign-ins experience to now support organization switching.
Now users who are guests in other tenants can easily switch and sign-in to manage their
security info and view activity. More improvements were made to make it easier to
switch from My Sign-ins directly to other end user portals such as My Account, My
Apps, My Groups, and My Access. For more information, see: Sign-in logs in Azure
Active Directory - preview

General Availability - Temporary Access Pass is now available
Type: New feature
Service category: MFA
Product capability: User Authentication

Temporary Access Pass (TAP) is now generally available. TAP can be used to securely
register password-less methods such as Phone Sign-in, phishing resistant methods such
as FIDO2, and even help Windows onboarding (AADJ and WHFB). TAP also makes
recovery easier when a user has lost or forgotten their strong authentication methods
and needs to sign in to register new authentication methods. For more information, see:
Configure Temporary Access Pass in Azure AD to register Passwordless authentication
methods.

General Availability - Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

In some scenarios customers may want to require a fresh authentication every time
before a user performs specific actions. Sign-in frequency set to "Every time" now supports
requiring a user to reauthenticate during Intune device enrollment, password change for
risky users, and risky sign-ins.

More information: Configure authentication session management.

General Availability - Non-interactive risky sign-ins
Type: Changed feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Identity Protection now emits risk (such as unfamiliar sign-in properties) on non-
interactive sign-ins. Admins can now find these non-interactive risky sign-ins using the
"sign-in type" filter in the Risky sign-ins report. For more information, see: How To:
Investigate risk.

General Availability - Workload Identity Federation with App Registrations are available now
Type: New feature
Service category: Other
Product capability: Developer Experience

Entra Workload Identity Federation allows developers to exchange tokens issued by
another identity provider with Azure AD tokens, without needing secrets. It eliminates
the need to store, and manage, credentials inside the code or secret stores to access
Azure AD protected resources such as Azure and Microsoft Graph. By removing the
secrets required to access Azure AD protected resources, workload identity federation
can improve the security posture of your organization. This feature also reduces the
burden of secret management and minimizes the risk of service downtime due to
expired credentials.

For more information on this capability and supported scenarios, see: Workload identity
federation.

General Availability - Continuous Access Evaluation
Type: New feature
Service category: Other
Product capability: Access Control

With Continuous access evaluation (CAE), critical security events and policies are
evaluated in real time. This includes account disable, password reset, and location
change. For more information, see: Continuous access evaluation

Public Preview – Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD
Type: New feature
Service category: MS Graph
Product capability: Identity Security & Protection

We're delighted to announce a new security protection that prevents bypassing of cloud
Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for
a federated domain in your Azure AD tenant, it ensures that a compromised federated
account can't bypass Azure AD Multi-Factor Authentication by claiming that multi-factor
authentication has already been performed by the identity provider. The
protection can be enabled via the new security setting federatedIdpMfaBehavior.

We highly recommend enabling this new protection when using Azure AD Multi-Factor
Authentication as your multi factor authentication for your federated users. To learn
more about the protection and how to enable it, visit Enable protection to prevent
by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD.

Frequently asked questions about Azure Active Directory
FAQ

Azure Active Directory (Azure AD) is a comprehensive identity as a service (IDaaS)
solution that spans all aspects of identity, access management, and security.

For more information, see What is Azure Active Directory?.

Access Azure and Azure Active Directory

Why do I get "No subscriptions found" when I try to access Azure AD in the Azure portal?
To access the Azure portal, each user needs permissions with an Azure subscription. If
you don't have a paid Microsoft 365 or Azure AD subscription, you will need to activate
a free Azure account or a paid subscription.

For more information, see:

How Azure subscriptions are associated with Azure Active Directory

What's the relationship between Azure AD, Microsoft 365, and Azure?
Azure AD provides you with common identity and access capabilities to all web services.
Whether you are using Microsoft 365, Microsoft Azure, Intune, or others, you're already
using Azure AD to help turn on sign-on and access management for all these services.

All users who are set up to use web services are defined as user accounts in one or more
Azure AD instances. You can set up these accounts for free Azure AD capabilities like
cloud application access.

Azure AD paid services like Enterprise Mobility + Security complement other web
services like Microsoft 365 and Microsoft Azure with comprehensive enterprise-scale
management and security solutions.

What are the differences between Owner and Global Administrator?
By default, the person who signs up for an Azure subscription is assigned the Owner
role for Azure resources. An Owner can use either a Microsoft account or a work or
school account from the directory that the Azure subscription is associated with. This
role is authorized to manage services in the Azure portal.

If others need to sign in and access services by using the same subscription, you can
assign them the appropriate built-in role. For more information, see Assign Azure roles
using the Azure portal.

By default, the person who signs up for an Azure subscription is assigned the Global
Administrator role for the directory. The Global Administrator has access to all Azure AD
directory features. Azure AD has a different set of administrator roles to manage the
directory and identity-related features. These administrators will have access to various
features in the Azure portal. The administrator's role determines what they can do, like
create or edit users, assign administrative roles to others, reset user passwords, manage
user licenses, or manage domains. For additional information on Azure AD directory
admins and their roles, see Assign a user to administrator roles in Azure Active Directory
and Assigning administrator roles in Azure Active Directory.

Additionally, Azure AD paid services like Enterprise Mobility + Security complement
other web services, such as Microsoft 365 and Microsoft Azure, with comprehensive
enterprise-scale management and security solutions.

Is there a report that shows when my Azure AD user licenses will expire?
No. This isn't currently available.

How can I allow Microsoft Entra admin center URLs on my firewall or proxy server?
To optimize connectivity between your network and the Microsoft Entra admin center
and its services, you may want to add specific Microsoft Entra admin center URLs to your
allowlist. Doing so can improve performance and connectivity between your local- or
wide-area network. Network administrators often deploy proxy servers, firewalls, or
other devices, which can help secure and give control over how users access the
internet. Rules designed to protect users can sometimes block or slow down legitimate
business-related internet traffic. This traffic includes communications between you and
Microsoft Entra admin center over the URLs listed here.

*.entra.microsoft.com
*.entra.microsoft.us
*.entra.microsoft.scloud
*.entra.microsoft.eaglex.ic.gov
*.entra.microsoftonline.cn
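The entries above are wildcard hostname patterns, and how a proxy or firewall interprets the wildcard matters: a rule written as a loose substring match on "entra.microsoft.com" would also admit a host such as entra.microsoft.com.lookalike.example or evil-entra.microsoft.com. The following is an added example, not Microsoft's guidance and not tied to any proxy product, showing a matcher that anchors on DNS labels so the wildcard covers true subdomains only; whether a wildcard also covers the bare apex name differs between products, and this matcher assumes it does not. The sample hostnames are constructed.

```python
"""Match hostnames against wildcard allowlist entries such as *.entra.microsoft.com.

Added example; not Microsoft's proxy guidance and not tied to any proxy product.
It anchors on DNS labels so that "*.entra.microsoft.com" matches true subdomains
only: a substring rule would also admit "entra.microsoft.com.lookalike.example" or
"evil-entra.microsoft.com". Whether a wildcard also covers the apex name differs
between products; this matcher does not (an assumption, see matches()).
"""

# The URL patterns from the page, as an allowlist.
ALLOWLIST = [
    "*.entra.microsoft.com",
    "*.entra.microsoft.us",
    "*.entra.microsoft.scloud",
    "*.entra.microsoft.eaglex.ic.gov",
    "*.entra.microsoftonline.cn",
]


def _labels(name):
    """Normalise a hostname into lowercase DNS labels, dropping a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def matches(host, pattern):
    """True if host matches pattern; '*' is allowed only as the leftmost label."""
    h, p = _labels(host), _labels(pattern)
    if "*" in p[1:]:
        raise ValueError(f"wildcard only supported as the first label: {pattern!r}")
    if p[0] == "*":
        suffix = p[1:]
        # Need every suffix label as the trailing labels, plus at least one more.
        return len(h) > len(suffix) and h[-len(suffix):] == suffix
    return h == p


def is_allowed(host, allowlist=ALLOWLIST):
    return any(matches(host, pattern) for pattern in allowlist)


def review(hosts, allowlist=ALLOWLIST):
    """Split observed hostnames (for example from a proxy log) into allowed and blocked."""
    allowed = [h for h in hosts if is_allowed(h, allowlist)]
    blocked = [h for h in hosts if not is_allowed(h, allowlist)]
    return allowed, blocked


# Constructed hostnames as they might appear in a proxy log; not real traffic.
SAMPLE_HOSTS = [
    "portal.entra.microsoft.com",
    "PORTAL.Entra.Microsoft.COM.",
    "entra.microsoft.com.lookalike.example",
    "evil-entra.microsoft.com",
    "entra.microsoft.com",
]

if __name__ == "__main__":
    allowed, blocked = review(SAMPLE_HOSTS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

If your proxy product treats "*.example" as also matching "example", the apex case in SAMPLE_HOSTS would be allowed there; the point of the label-anchored comparison is that the two lookalike hosts are never matched under either convention.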

Get started with Hybrid Azure AD

How do I leave a tenant when I'm added as a collaborator?
Information on how to leave tenants where you were added as a collaborator is
documented in Leave an organization as an external user.

How can I connect my on-premises directory to Azure AD?
You can connect your on-premises directory to Azure AD by using Azure AD Connect.

For more information, see Integrating your on-premises identities with Azure Active
Directory.

How do I set up SSO between my on-premises directory and my cloud applications?
You only need to set up single sign-on (SSO) between your on-premises directory and
Azure AD. As long as you access your cloud applications through Azure AD, the service
automatically drives your users to correctly authenticate with their on-premises
credentials.

Implementing SSO from on-premises can be easily achieved with federation solutions
such as Active Directory Federation Services (AD FS), or by configuring password hash
sync. You can easily deploy both options by using the Azure AD Connect configuration
wizard.

For more information, see Integrating your on-premises identities with Azure Active
Directory.

Does Azure AD provide a self-service portal for users in my organization?
Yes, Azure AD provides you with the Azure AD Access Panel for user self-service and
application access. If you are a Microsoft 365 customer, you can find many of the same
capabilities in the Office 365 portal .

For more information, see Introduction to the Access Panel .

Does Azure AD help me manage my on-premises infrastructure?
Yes. The Azure AD Premium edition provides you with Azure AD Connect Health. Azure
AD Connect Health helps you monitor and gain insight into your on-premises identity
infrastructure and the synchronization services.

For more information, see Monitor your on-premises identity infrastructure and
synchronization services in the cloud.

Password management

Can I use Azure AD password write-back without password sync? (In this scenario, is it
possible to use Azure AD self-service password reset (SSPR) with password write-back
and not store passwords in the cloud?)
You do not need to synchronize your Active Directory passwords to Azure AD to enable
write-back. In a federated environment, Azure AD single sign-on (SSO) relies on the on-
premises directory to authenticate the user. This scenario does not require the on-
premises password to be tracked in Azure AD.

How long does it take for a password to be written back to Active Directory on-premises?
Password write-back operates in real time.

For more information, see Getting started with password management.

Can I use password write-back with passwords that are managed by an admin?
Yes, if you have password write-back enabled, the password operations performed by an
admin are written back to your on-premises environment.

For more answers to password-related questions, see Password management frequently
asked questions.

What can I do if I can't remember my existing Microsoft 365/Azure AD password while
trying to change my password?
For this type of situation, there are a couple of options. Use self-service password reset
(SSPR) if it's available. Whether SSPR works depends on how it's configured. For more
information, see How does the password reset portal work.

For Microsoft 365 users, your admin can reset the password by using the steps outlined
in Reset user passwords .

For Azure AD accounts, admins can reset passwords by using one of the following:

Reset accounts in the Azure portal
Using PowerShell

Security

Are accounts locked after a specific number of failed attempts or is there a more
sophisticated strategy used?
We use a more sophisticated strategy to lock accounts. It is based on the IP address of the request and the passwords entered, so a user retyping the same wrong password is treated differently from an attacker cycling through many guesses. The duration of the lockout also increases with the likelihood that the activity is an attack.
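As an added illustration (not Azure AD's implementation, whose thresholds and scoring are not published), the following Go program models the kind of strategy the answer describes: failures are keyed by source IP address and target account, a repeated identical wrong password is not counted again, and once the threshold is reached the lock duration doubles with every further distinct failure. The threshold, durations, and the sample addresses are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// attemptKey groups failed sign-ins by source IP and target account, so one
// address spraying many accounts and many addresses hammering one account are
// scored separately from a legitimate user retyping a password.
type attemptKey struct {
	ip, user string
}

type lockState struct {
	failures    int
	lockedUntil time.Time
	seen        map[string]bool // digests of wrong passwords already counted
}

// Lockout is an illustrative model of an escalating lockout policy; it is not
// Azure AD's implementation, and the threshold and durations are assumptions.
type Lockout struct {
	threshold int
	baseLock  time.Duration
	maxLock   time.Duration
	state     map[attemptKey]*lockState
}

func NewLockout(threshold int, base, maxLock time.Duration) *Lockout {
	return &Lockout{threshold: threshold, baseLock: base, maxLock: maxLock,
		state: map[attemptKey]*lockState{}}
}

// fingerprint keeps only a digest of the guessed password so repeats can be
// de-duplicated without retaining plaintext guesses. A real service would key
// this with a rotating secret and expire the entries quickly.
func fingerprint(password string) string {
	sum := sha256.Sum256([]byte("lockout-v1:" + password))
	return hex.EncodeToString(sum[:])
}

// IsLocked reports whether sign-ins for (ip, user) are currently blocked.
func (l *Lockout) IsLocked(ip, user string, now time.Time) bool {
	s, ok := l.state[attemptKey{ip, user}]
	return ok && now.Before(s.lockedUntil)
}

// RecordFailure registers a wrong password. The same wrong password retried
// from the same source counts once (a stale cached password is not an attack
// signal); each new wrong password increments the counter, and once the
// threshold is reached the pair is locked for a period that doubles with every
// further failure, up to maxLock. It returns the lock duration applied.
func (l *Lockout) RecordFailure(ip, user, password string, now time.Time) time.Duration {
	k := attemptKey{ip, user}
	s, ok := l.state[k]
	if !ok {
		s = &lockState{seen: map[string]bool{}}
		l.state[k] = s
	}
	fp := fingerprint(password)
	if s.seen[fp] {
		return 0
	}
	s.seen[fp] = true
	s.failures++
	if s.failures < l.threshold {
		return 0
	}
	d := l.baseLock
	for i := 0; i < s.failures-l.threshold && d < l.maxLock; i++ {
		d *= 2
	}
	if d > l.maxLock {
		d = l.maxLock
	}
	s.lockedUntil = now.Add(d)
	return d
}

// RecordSuccess clears the counters for the pair after a correct sign-in.
func (l *Lockout) RecordSuccess(ip, user string) {
	delete(l.state, attemptKey{ip, user})
}

func main() {
	l := NewLockout(3, time.Minute, 8*time.Minute)
	now := time.Now()
	// Constructed sample: one source retrying a stale password, then new guesses.
	for _, guess := range []string{"wrong1", "wrong1", "wrong2", "wrong3", "wrong4"} {
		d := l.RecordFailure("203.0.113.5", "alice", guess, now)
		fmt.Printf("guess %q -> lock %v, locked=%v\n", guess, d, l.IsLocked("203.0.113.5", "alice", now))
	}
}
```

Keying on the (address, account) pair is what keeps a password-spray from one botnet address from locking out every user it touches, while a different address attacking the same account gets its own counter; a second signal the answer mentions, the likelihood that the traffic is an attack, is what the doubling stands in for here.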

Certain (common) passwords get rejected with the message 'this password has been used too many times'. Does this refer to passwords used in the current Active Directory?
This refers to passwords that are globally common, such as any variants of "Password" and "123456".
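As an added example (not Microsoft's banned-password algorithm or list, neither of which is on this page), the following Go function shows why "variants" of a common word are caught: the candidate is lower-cased and common character substitutions are undone before comparing it against a constructed sample of banned tokens, and it is rejected only when little else remains once the token is removed. The token list, the substitution table, and the remaining-length threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// bannedTokens is a constructed sample of globally common base words. The real
// global banned list is maintained by Microsoft and is not published.
var bannedTokens = []string{"password", "123456", "qwerty", "welcome", "letmein"}

// leet undoes the character substitutions people use to dress up a common word.
var leet = strings.NewReplacer(
	"0", "o", "1", "l", "3", "e", "4", "a", "5", "s", "7", "t",
	"$", "s", "@", "a", "!", "i",
)

// normalize lower-cases the candidate and undoes leet substitutions, so
// "P@ssw0rd!" and "PASSWORD" both normalize to a string containing "password".
func normalize(s string) string {
	return leet.Replace(strings.ToLower(s))
}

// IsBannedVariant reports whether a password is a variant of a banned token:
// after normalization it contains a banned token, and what remains once every
// banned token is removed is shorter than minRemaining characters (the
// threshold is an assumption for this example, not a documented value).
func IsBannedVariant(password string, minRemaining int) bool {
	rest := normalize(password)
	matched := false
	for _, tok := range bannedTokens {
		nt := normalize(tok) // apply the same normalization to both sides
		if strings.Contains(rest, nt) {
			matched = true
			rest = strings.ReplaceAll(rest, nt, "")
		}
	}
	return matched && len(rest) < minRemaining
}

func main() {
	// Constructed samples: three variants of banned words and one long password
	// that merely contains a banned word.
	for _, p := range []string{"Password", "P@ssw0rd!", "123456", "MyPassword-Orbital-2024"} {
		fmt.Printf("%-24s banned=%v\n", p, IsBannedVariant(p, 4))
	}
}
```

Normalizing both the candidate and the banned token with the same function is what makes digit-only tokens such as "123456" survive the leet reversal; a check that normalized only one side would silently stop matching them.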

Will a sign-in request from dubious sources (botnets, Tor endpoints) be blocked in a B2C tenant, or does this require a Basic or Premium edition tenant?
We do have a gateway that filters requests and provides some protection from botnets, and it is applied to all B2C tenants.

Application access
Where can I find a list of applications that are
pre-integrated with Azure AD and their
capabilities?
Azure AD has more than 2,600 pre-integrated applications from Microsoft, application
service providers, and partners. All pre-integrated applications support single sign-on
(SSO). SSO lets you use your organizational credentials to access your apps. Some of the
applications also support automated provisioning and de-provisioning.

For a complete list of the pre-integrated applications, see the Active Directory Marketplace.

What if the application I need is not in the Azure AD marketplace?
With Azure AD Premium, you can add and configure any application that you want.
Depending on your application's capabilities and your preferences, you can configure
SSO and automated provisioning.

For more information, see:

Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
Using SCIM to enable automatic provisioning of users and groups from Azure Active Directory to applications

How do users sign in to applications by using Azure AD?
Azure AD provides several ways for users to view and access their applications, such as:

The Azure AD access panel
The Microsoft 365 application launcher
Direct sign-in to federated apps
Deep links to federated, password-based, or existing apps

For more information, see End user experiences for applications.

What are the different ways Azure AD enables authentication and single sign-on to applications?
Azure AD supports many standardized protocols for authentication and authorization, such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Azure AD also supports password vaulting and automated sign-in capabilities for apps that only support forms-based authentication.

For more information, see:

Authentication Scenarios for Azure AD
Active Directory authentication protocols
Single sign-on for applications in Azure AD

Can I add applications I'm running on-premises?
Azure AD Application Proxy provides you with easy and secure access to on-premises
web applications that you choose. You can access these applications in the same way
that you access your software as a service (SaaS) apps in Azure AD. There is no need for
a VPN or to change your network infrastructure.

For more information, see How to provide secure remote access to on-premises applications.

How do I require multi-factor authentication for
users who access a particular application?
With Azure AD Conditional Access, you can assign a unique access policy for each
application. In your policy, you can require multi-factor authentication always, or when
users are not connected to the local network.

For more information, see Securing access to Microsoft 365 and other apps connected
to Azure Active Directory.
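As an added example that is not part of the original article, the following Microsoft Graph request body creates such a policy for one application: it targets all users except an emergency-access account, applies only to the named application, and skips trusted named locations, which covers the "not connected to the local network" case described above. It is sent as `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`. The two placeholder IDs in angle brackets are assumptions to be replaced with your own object IDs.

```json
{
  "displayName": "Require MFA for Payroll outside trusted locations",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<break-glass-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["<payroll-app-client-id>"]
    },
    "clientAppTypes": ["all"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

The policy starts in report-only mode so the sign-in logs show who would have been challenged; switch `state` to `enabled` once that looks right. The exclusion keeps an emergency-access account from being locked out by the policy itself, and `AllTrusted` refers to the trusted named locations (including MFA trusted IPs) you have defined, so an empty trusted-location list means MFA is required everywhere.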

What is automated user provisioning for SaaS apps?
Use Azure AD to automate the creation, maintenance, and removal of user identities in
many popular cloud SaaS apps.

For more information, see Automate user provisioning and deprovisioning to SaaS
applications with Azure Active Directory.

Can I set up a secure LDAP connection with Azure AD?
No. Azure AD doesn't support the Lightweight Directory Access Protocol (LDAP) or Secure LDAP (LDAPS) directly. However, you can enable an Azure AD Domain Services (Azure AD DS) managed domain on your Azure AD tenant, with properly configured network security groups in Azure Networking, to get LDAP connectivity. For more information, see Configure secure LDAP for an Azure Active Directory Domain Services managed domain.

CSS template reference guide
Article • 03/24/2023

Configuring your company branding for the user sign-in process provides a seamless
experience in your applications that use Azure Active Directory (Azure AD) as the
identity and access management service. Use this CSS reference guide if you're using
the CSS template as part of the customize company branding process.

HTML selectors
The following CSS styles become the default body and link styles for the whole page. Styles applied to other links or text override these selectors.

body - Styles for the whole page

Styles for links:
a, a:link - All links
a:hover - When the mouse is over the link
a:focus - When the link has focus
a:focus:hover - When the link has focus and the mouse is over the link
a:active - When the link is being clicked

Azure AD CSS selectors
Use the following CSS selectors to configure the details of the sign-in experience.

.ext-background-image - Container that includes the background image in the default lightbox template
.ext-header - Header at the top of the container
.ext-header-logo - Header logo at the top of the container
.ext-middle - Style for the full-screen background that aligns the sign-in box vertically to the middle and horizontally to the center
.ext-vertical-split-main-section - Style for the container of the partial-screen background in the vertical split template that contains both a sign-in box and a background (This style is also known as the Active Directory Federation Services (ADFS) template.)
.ext-vertical-split-background-image-container - Sign-in box background in the vertical split/ADFS template
.ext-sign-in-box - Sign-in box container
.ext-title - Title text
.ext-subtitle - Subtitle text

Styles for primary buttons:
.ext-button.ext-primary - Primary button default style
.ext-button.ext-primary:hover - When the mouse is over the button
.ext-button.ext-primary:focus - When the button has focus
.ext-button.ext-primary:focus:hover - When the button has focus and the mouse is over the button
.ext-button.ext-primary:active - When the button is being clicked

Styles for secondary buttons:
.ext-button.ext-secondary - Secondary buttons
.ext-button.ext-secondary:hover - When the mouse is over the button
.ext-button.ext-secondary:focus - When the button has focus
.ext-button.ext-secondary:focus:hover - When the button has focus and the mouse is over the button
.ext-button.ext-secondary:active - When the button is being clicked

.ext-error - Error text

Styles for text boxes:
.ext-input.ext-text-box - Text boxes
.ext-input.ext-text-box.ext-has-error - When there's a validation error associated with the text box
.ext-input.ext-text-box:hover - When the mouse is over the text box
.ext-input.ext-text-box:focus - When the text box has focus
.ext-input.ext-text-box:focus:hover - When the text box has focus and the mouse is over the text box

.ext-boilerplate-text - Custom message text at the bottom of the sign-in box
.ext-promoted-fed-cred-box - Sign-in options text box

Styles for the footer:
.ext-footer - Footer area at the bottom of the page
.ext-footer-links - Links area in the footer at the bottom of the page
.ext-footer-item - Link items (such as "Terms of use" or "Privacy & cookies") in the footer at the bottom of the page
.ext-debug-item - Debug details ellipsis in the footer at the bottom of the page
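The following stylesheet is an added example, not part of the original reference or of Microsoft's template, showing how the selectors above combine into one template: page-wide defaults first, then the sign-in box, button states, validation state, and footer. The colors, font, and spacing values are arbitrary choices; the selectors are the ones listed above.

```css
/* Page-wide defaults (HTML selectors) */
body {
  font-family: "Segoe UI", Arial, sans-serif;
  color: #1b1b1b;
}
a, a:link { color: #0f6cbd; text-decoration: none; }
a:hover, a:focus:hover { text-decoration: underline; }
a:focus { outline: 2px solid #0f6cbd; outline-offset: 2px; }

/* Sign-in box on top of the lightbox background */
.ext-background-image { background-size: cover; }
.ext-sign-in-box {
  background-color: #ffffff;
  border-radius: 4px;
  box-shadow: 0 2px 6px rgba(0, 0, 0, 0.2);
}
.ext-title { font-size: 1.5rem; font-weight: 600; }
.ext-subtitle { font-size: 1rem; color: #444444; }

/* Primary button: keep the focus state visibly distinct for keyboard users */
.ext-button.ext-primary { background-color: #0f6cbd; color: #ffffff; border: none; }
.ext-button.ext-primary:hover { background-color: #0b5aa0; }
.ext-button.ext-primary:focus { outline: 2px solid #1b1b1b; outline-offset: 2px; }
.ext-button.ext-primary:active { background-color: #084680; }

/* Secondary button */
.ext-button.ext-secondary { background-color: #ffffff; color: #1b1b1b; border: 1px solid #8a8886; }
.ext-button.ext-secondary:hover { background-color: #f3f2f1; }

/* Validation state: error text and the offending text box */
.ext-error { color: #a4262c; }
.ext-input.ext-text-box { border: 1px solid #8a8886; }
.ext-input.ext-text-box:focus { border-color: #0f6cbd; }
.ext-input.ext-text-box.ext-has-error { border-color: #a4262c; }

/* Custom message and footer */
.ext-boilerplate-text { font-size: 0.85rem; color: #444444; }
.ext-footer { background-color: #f3f3f3; }
.ext-footer-item { color: #444444; }
```

Keeping the `:focus` states at least as visible as the `:hover` states matters on a sign-in page: users who navigate with a keyboard or a screen reader must be able to see which control will submit their credentials.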
Azure Active Directory and data residency
Article • 06/01/2023

Azure AD is an Identity as a Service (IDaaS) solution that stores and manages identity
and access data in the cloud. You can use the data to enable and manage access to
cloud services, achieve mobility scenarios, and secure your organization. An instance of
the Azure AD service, called a tenant, is an isolated set of directory object data that the
customer provisions and owns.

Core Store
The Core Store is made up of tenants stored in scale units, each of which contains multiple tenants. Update or retrieval data operations in the Azure AD Core Store relate to a single tenant, based on the user's security token, which achieves tenant isolation. Scale units are assigned to a geo-location. Each geo-location uses two or more Azure regions to store the data. In each Azure region, a scale unit's data is replicated across physical data centers for resiliency and performance.

Learn more: Azure Active Directory Core Store Scale Units

Azure AD is available in the following clouds

Public
China
US government

In the public cloud, you're prompted to select a location at the time of tenant creation
(for example, signing up for Office 365 or Azure, or creating more Azure AD instances
through the Azure portal). Azure AD maps the selection to a geo-location and a single
scale unit in it. Tenant location can't be changed after it's set.

The location selected during tenant creation will map to one of the following geo-
locations:

Australia
Asia/Pacific
Europe, Middle East, and Africa (EMEA)
Japan
North America
Worldwide

Azure AD handles Core Store data based on usability, performance, residency, and other requirements that apply to each geo-location. Azure AD replicates each tenant through its scale unit, across data centers, based on the following criteria:

Azure AD Core Store data is stored in data centers closest to the tenant-residency location, to reduce latency and provide fast user sign-in times
Azure AD Core Store data is stored in geographically isolated data centers to assure availability during unforeseen single-datacenter, catastrophic events
Compliance with data residency, or other requirements, for specific customers and geo-locations

Azure AD cloud solution models

Use the following table to see Azure AD cloud solution models based on infrastructure, data location, and operational sovereignty.

Model: Public geo located
Locations: North America, EMEA, Japan, Asia/Pacific
Data location: At rest, in the target location. Exceptions by service or feature.
Operations personnel: Operated by Microsoft. Microsoft datacenter personnel must pass a background check.
Put a tenant in this model: Create the tenant in the sign-up experience. Choose the location for data residency.

Model: Public worldwide
Locations: Worldwide
Data location: All locations
Operations personnel: Operated by Microsoft. Microsoft datacenter personnel must pass a background check.
Put a tenant in this model: Tenant creation available via official support channel and subject to Microsoft discretion.

Model: Sovereign or national clouds
Locations: US government, China
Data location: At rest, in the target location. No exceptions.
Operations personnel: Operated by a data custodian (1). Personnel are screened according to requirements.
Put a tenant in this model: Each national cloud instance has a sign-up experience.

Table references:

(1) Data custodians: Data centers in the US government cloud are operated by
Microsoft. In China, Azure AD is operated through a partnership with 21Vianet.

Learn more:

Customer data storage and processing for European customers in Azure AD
Power BI: Azure Active Directory – Where is your data located?
What is the Azure Active Directory architecture?
Find the Azure geography that meets your needs
Microsoft Trust Center

Data residency across Azure AD components

Learn more: Azure Active Directory, Product overview

Note

To understand service data location, such as Exchange Online or Skype for Business, refer to the corresponding service documentation.

Azure AD components and data storage location

Each entry gives the component, its description, and its data storage location.

Azure AD Authentication Service
Data storage location: In geo location
This service is stateless. The data for authentication is in the Azure AD Core Store. It has no directory data. Azure AD Authentication Service generates log data in Azure storage, and in the data center where the service instance runs. When users attempt to authenticate using Azure AD, they're routed to an instance in the geographically nearest data center that is part of its Azure AD logical region.

Azure AD Identity and Access Management (IAM) Services
Data storage location: In geo location
User and management experiences: The Azure AD management experience is stateless and has no directory data. It generates log and usage data stored in Azure Tables storage. The user experience is like the Azure portal.
Identity management business logic and reporting services: These services have locally cached data storage for groups and users. The services generate log and usage data that goes to Azure Tables storage, Azure SQL, and Microsoft Elastic Search reporting services.

Azure AD Multi-Factor Authentication (MFA)
Data storage location: North America
For details about MFA-operations data storage and retention, see Data residency and customer data for Azure AD multifactor authentication. Azure AD MFA logs the User Principal Name (UPN), voice-call telephone numbers, and SMS challenges. For challenges to mobile app modes, the service logs the UPN and a unique device token. Data centers in the North America region store Azure AD MFA and the logs it creates.

Azure AD Domain Services
Data storage location: In geo location
See regions where Azure AD Domain Services is published on Products available by region. The service holds system metadata globally in Azure Tables, and it contains no personal data.

Azure AD Connect Health
Data storage location: In geo location
Azure AD Connect Health generates alerts and reports in Azure Tables storage and blob storage.

Azure AD dynamic membership for groups, Azure AD self-service group management
Data storage location: In geo location
Azure Tables storage holds dynamic membership rule definitions.

Azure AD Application Proxy
Data storage location: In geo location
Azure AD Application Proxy stores metadata about the tenant, connector machines, and configuration data in Azure SQL.

Azure AD password writeback in Azure AD Connect
Data storage location: In geo location
During initial configuration, Azure AD Connect generates an asymmetric key pair using the Rivest-Shamir-Adleman (RSA) cryptosystem. It then sends the public key to the self-service password reset (SSPR) cloud service, which performs two operations:

1. Creates two Azure Service Bus relays for the Azure AD Connect on-premises service to communicate securely with the SSPR service
2. Generates an Advanced Encryption Standard (AES) key, K1

The Azure Service Bus relay locations, the corresponding listener keys, and a copy of the AES key (K1) go to Azure AD Connect in the response. Future communications between SSPR and Azure AD Connect occur over the new Service Bus channel and are encrypted using SSL.
New password resets, submitted during operation, are encrypted with the RSA public key generated by the client during onboarding. The private key on the Azure AD Connect machine decrypts them, which prevents pipeline subsystems from accessing the plaintext password.
The AES key encrypts the message payload (encrypted passwords, more data, and metadata), which prevents a malicious Service Bus actor from tampering with the payload, even with full access to the internal Service Bus channel.

For password writeback, Azure AD Connect needs the following keys and data:

- The AES key (K1) that encrypts the reset payload, or change requests from the SSPR service to Azure AD Connect, via the Service Bus pipeline
- The private key, from the asymmetric key pair, that decrypts the passwords in reset or change request payloads
- The Service Bus listener keys

The AES key (K1) and the asymmetric key pair rotate a minimum of every 180 days, a duration you can change during certain onboarding or offboarding configuration events. An example is a customer disabling and re-enabling password writeback, which might occur during a component upgrade during service and maintenance.
The writeback keys and data stored in the Azure AD Connect database are encrypted by the data protection application programming interface (DPAPI) (CALG_AES_256). The resulting master ADSync encryption key is stored in the Windows Credential Vault in the context of the ADSync on-premises service account. The Windows Credential Vault supplies automatic secret re-encryption as the password for the service account changes. Resetting the service account password invalidates the secrets in the Windows Credential Vault for the service account. Manual changes to a new service account might invalidate the stored secrets.
By default, the ADSync service runs in the context of a virtual service account. The account might be customized during installation to a least-privileged domain service account, a managed service account (MSA), or a group managed service account (gMSA). While virtual and managed service accounts have automatic password rotation, customers manage password rotation for a custom-provisioned domain account. As noted, resetting that password causes loss of the stored secrets.

Azure AD Device Registration Service
Data storage location: In geo location
Azure AD Device Registration Service has computer and device lifecycle management in the directory, which enables scenarios such as device-state Conditional Access and mobile device management.

Azure AD provisioning
Data storage location: In geo location
Azure AD provisioning creates, removes, and updates users in systems such as software as a service (SaaS) applications. It manages user creation in Azure AD and on-premises AD from cloud HR sources, like Workday. The service stores its configuration in an Azure Cosmos DB, which also stores the group membership data for the user directory it keeps. Cosmos DB replicates the database to multiple datacenters in the same region as the tenant, which isolates the data according to the Azure AD cloud solution model. Replication creates high availability and multiple reading and writing endpoints. Cosmos DB encrypts the database information, and the encryption keys are stored in Microsoft's secrets storage.

Azure AD business-to-business (B2B) collaboration
Data storage location: In geo location
Azure AD B2B collaboration has no directory data. Users and other directory objects in a B2B relationship with another tenant result in user data being copied into other tenants, which might have data residency implications.

Azure AD Identity Protection
Data storage location: In geo location
Azure AD Identity Protection uses real-time user sign-in data, with multiple signals from company and industry sources, to feed its machine-learning systems that detect anomalous sign-ins. Personal data is scrubbed from real-time sign-in data before it's passed to the machine learning system. The remaining sign-in data identifies potentially risky usernames and sign-ins. After analysis, the data goes to Microsoft reporting systems. Risky sign-ins and usernames appear in reporting for administrators.

Azure AD managed identities for Azure resources
Data storage location: In geo location
Systems with managed identities can authenticate to Azure services without storing credentials. Rather than use a username and password, managed identities authenticate to Azure services with certificates. The service writes the certificates it issues to Azure Cosmos DB in the East US region, which fails over to another region as needed. Azure Cosmos DB geo-redundancy occurs by global data replication. Database replication puts a read-only copy in each region that Azure AD managed identities runs in. To learn more, see Azure services that can use managed identities to access other services. Microsoft isolates each Cosmos DB instance in an Azure AD cloud solution model.
The resource provider, such as the virtual machine (VM) host, stores the certificate for authentication and identity flows with other Azure services. The service stores its master key to access Azure Cosmos DB in a datacenter secrets management service. Azure Key Vault stores the master encryption keys.

Azure Active Directory B2C
Data storage location: Customer-selectable geo location
Azure AD B2C is an identity management service to customize and manage how customers sign up, sign in, and manage their profiles when using applications. B2C uses the Core Store to keep user identity information. The Core Store database follows known storage, replication, deletion, and data-residency rules. B2C uses an Azure Cosmos DB system to store service policies and secrets. Cosmos DB has encryption and replication services on database information. Its encryption key is stored in Microsoft's secrets storage. Microsoft isolates Cosmos DB instances in an Azure AD cloud solution model.

Related resources
For more information on data residency in Microsoft Cloud offerings, see the following
articles:

Azure Active Directory – Where is your data located?
Data Residency in Azure | Microsoft Azure
Microsoft 365 data locations - Microsoft 365 Enterprise
Microsoft Privacy - Where is Your Data Located?
Download PDF: Privacy considerations in the cloud

Next steps
Azure Active Directory and data residency (You're here)
Data operational considerations
Data protection considerations


Data operational considerations
Article • 01/31/2023

In this article, learn about data operational considerations for your configuration. There's
information about how log files and other features work in relation to Azure Active
Directory (Azure AD), such as usage data and operator security. You’ll learn about
physical security considerations in addition to guidance on how the Azure AD team
defines deployments and change.

Log files
Azure AD generates log files for auditing, investigation, and debugging for actions and
events in the service. Log files might contain data about users, devices, and Azure AD
configuration, for instance policies, apps, and groups. Log files are created and stored in
Azure Storage in the data center where the Azure AD service runs.

Log files are used for local debugging, security, usage analysis, system-health
monitoring, and service-wide analysis. These logs are copied over a Transport Layer
Security (TLS) connection to Microsoft reporting machine learning systems, which are in
Microsoft-owned data centers in the continental United States.

Usage data
Usage data is metadata generated by the Azure AD service that indicates how the
service is being used. This metadata is used to generate administrator- and user-facing
reports. The Azure AD engineering team uses the metadata to evaluate system usage
and identify opportunities to improve the service. Generally, this data is written to log
files, but in some cases, is collected by our service monitoring and reporting systems.

Operator security
Access to Azure AD by Microsoft personnel, contractors, and vendors (system admins) is
highly restricted. Wherever possible, human intervention is replaced by an automated,
tool-based process, including routine functions such as deployment, debugging,
diagnostic collection, and restarting services.

Administrator access is limited to a subset of qualified engineers and requires completion of an authentication challenge with phishing-resistant credentials. System access and update functions are assigned to roles managed by the Microsoft just-in-time (JIT) privileged-access management system. System administrators request elevation using the JIT system, which routes the request for manual or automated approval. Upon approval, JIT elevates the account. Requests for elevation, approval, elevation into roles, and removal from roles are logged for future debugging or investigations.

Microsoft personnel can execute operations only from a secure access workstation,
which uses an internal isolated strong authentication identity platform. Access to other
Microsoft identity systems doesn't grant access to the security access workstation. The
identity platform runs separately from other Microsoft identity systems.

Physical security
Physical access to servers that comprise the Azure AD service, and access to Azure AD
back-end systems, is restricted by Azure facility, premises, and physical security. Azure
AD customers have no access to physical assets or locations, therefore they can't bypass
the logical role-based access control (RBAC) policy checks. Personnel with operator
access are authorized to run approved workflows for maintenance.

Learn more: Azure facilities, premises, and physical security

Change control process
To roll out changes to the service across data centers, the Azure AD team defines the
layers of a deployment environment. Applying the change layers is constrained by strict
exit criteria. The amount of time to roll a change across layers is defined by the
operations team and is based on potential effects. Typically a rollout takes between 1 to
2 weeks. Critical changes, such as security fixes or hot fixes, can be deployed faster. If a
change doesn't meet the exit criteria when applied to a deployment layer, it's rolled
back to the prior, stable state.

Resources
Microsoft Service Trust Documents
Microsoft Azure Trusted Cloud
Office 365 data centers

Next steps
Azure Active Directory and data residency
Data operational considerations (You're here)
Data protection considerations


Data protection considerations
Article • 02/24/2023

The following list describes how services store and retrieve Azure Active Directory (Azure AD) object data through a role-based access control (RBAC) authorization layer. This layer calls the internal directory data access layer, ensuring the user's data request is permitted:

Azure AD Internal Interfaces Access: Service-to-service communication with other Microsoft services, such as Microsoft 365, uses Azure AD interfaces, which authorize the service's callers using client certificates.

Azure AD External Interfaces Access: Azure AD external interface helps prevent data
leakage by using RBAC. When a security principal, such as a user, makes an access
request to read information through Azure AD interfaces, a security token must
accompany the request. The token contains claims about the principal making the
request.

The security tokens are issued by the Azure AD Authentication Services. Information
about the user’s existence, enabled state, and role is used by the authorization system to
decide whether the requested access to the target tenant is authorized for this user in
this session.

Application Access: Because applications can access the application programming interfaces (APIs) without user context, the access check includes information about the application and the scope of access requested, for example read-only or read/write. Many applications use OpenID Connect or OAuth to obtain tokens to access the directory on behalf of the user. These applications must be explicitly granted access to the directory or they won't receive a token from the Azure AD Authentication Service, and they can access only data within the granted scope.
Auditing: Access is audited. For example, authorized actions such as create user and
password reset create an audit trail that can be used by a tenant administrator to
manage compliance efforts or investigations. Tenant administrators can generate audit
reports by using the Azure AD audit API.

Learn more: Audit logs in Azure Active Directory

Tenant Isolation: Enforcement of security in the Azure AD multi-tenant environment helps achieve two primary goals:

Prevent data leakage and access across tenants: Data belonging to Tenant 1 can't
be obtained by users in Tenant 2 without explicit authorization by Tenant 1.
Resource access isolation across tenants: Operations performed by Tenant 1 can't
affect access to resources for Tenant 2.

Tenant isolation
The following information outlines tenant isolation.

The service secures tenants using RBAC policy to ensure data isolation.
To enable access to a tenant, a principal (for example, a user or application) needs to be able to authenticate against Azure AD to obtain context and must have explicit permissions defined in the tenant. If a principal isn't authorized in the tenant, the resulting token won't carry permissions, and the RBAC system rejects requests in this context.
RBAC ensures access to a tenant is performed by a security principal authorized in the tenant. Access across tenants is possible when a tenant administrator creates a security principal representation in the same tenant (for example, provisioning a guest user account using B2B collaboration), or when a tenant administrator creates a policy to enable a trust relationship with another tenant (for example, a cross-tenant access policy to enable B2B direct connect). Each tenant is an isolation boundary; existence in one tenant doesn't equate to existence in another tenant unless the administrator allows it.
Azure AD data for multiple tenants is stored on the same physical server and drive for a given partition. Isolation is ensured because access to the data is protected by the RBAC authorization system.
A customer application can't access Azure AD without the needed authentication. The request is rejected if it isn't accompanied by credentials as part of the initial connection negotiation process. This prevents unauthorized access to a tenant by neighboring tenants. Only a token issued for the user's credentials, or a Security Assertion Markup Language (SAML) token brokered through a federated trust, is accepted, and the federated token is validated by Azure AD against the shared keys configured by the tenant's Global Administrator.
Because there's no application component that can execute from the Core Store, it's not possible for one tenant to forcibly breach the integrity of a neighboring tenant.
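The isolation checks above are also what a resource that accepts Azure AD tokens must replay on every inbound request: validate the signature, then bind the token to the expected issuer, tenant (`tid`) and audience, because a token minted for a neighbouring tenant is cryptographically valid and is only rejected by the claim checks. The following Go program is an added example and not Microsoft code: it mints an RS256 token with a locally generated key standing in for the Azure AD signing key (in production the public key comes from the issuer's published JWKS), and the verifier refuses a cross-tenant, wrong-audience, tampered, or expired token. The v2.0 issuer format, the tenant IDs, and the audience value `api://payroll` are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of an Azure AD v2.0 access token that the resource checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Tid string `json:"tid"`
	Oid string `json:"oid"`
	Scp string `json:"scp"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// demoKey stands in for the Azure AD signing key; in production the public half
// is fetched from the issuer's published JWKS, never generated locally.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// signRS256 mints a compact JWT with RSASSA-PKCS1-v1_5/SHA-256 (alg RS256).
func signRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier holds what the resource trusts: the issuer's public key, the tenant
// it belongs to, and its own audience (application ID URI).
type Verifier struct {
	Pub      *rsa.PublicKey
	TenantID string
	Audience string
}

// Verify enforces the isolation boundary: the signature must check under the
// trusted key, and iss/tid must name this tenant. A token from a neighbouring
// tenant is cryptographically valid yet is rejected on the tid check.
func (v Verifier) Verify(token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	h, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unsupported alg") // never accept alg=none
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.Pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	p, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(p, &c) != nil {
		return Claims{}, errors.New("bad payload")
	}
	switch {
	case now.Unix() >= c.Exp:
		return Claims{}, errors.New("token expired")
	case c.Aud != v.Audience:
		return Claims{}, errors.New("token not issued for this resource")
	case c.Tid != v.TenantID || c.Iss != "https://login.microsoftonline.com/"+v.TenantID+"/v2.0":
		return Claims{}, errors.New("token belongs to another tenant")
	}
	return c, nil
}

func main() {
	const home = "11111111-2222-3333-4444-555555555555" // constructed tenant ID
	v := Verifier{Pub: &demoKey.PublicKey, TenantID: home, Audience: "api://payroll"}
	tok, _ := signRS256(demoKey, Claims{Iss: "https://login.microsoftonline.com/" + home + "/v2.0",
		Aud: "api://payroll", Tid: home, Oid: "u1", Scp: "Payroll.Read", Exp: time.Now().Add(time.Hour).Unix()})
	_, err := v.Verify(tok, time.Now())
	fmt.Println("home-tenant token accepted:", err == nil)
}
```

The order matters: the signature is checked before the payload is parsed, so claims are never trusted from an unauthenticated body, and the `alg` header is pinned to RS256 so an attacker cannot downgrade to `none` or swap in an HMAC keyed with the public key. A multi-tenant application that intends to accept several tenants replaces the single `TenantID` with an allow-list, but must still check `tid` rather than accept any Microsoft-signed token.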

Data security
Encryption in Transit: To assure data security, directory data in Azure AD is signed and
encrypted while in transit between data centers in a scale unit. The data is encrypted
and unencrypted by the Azure AD Core Store tier, which resides in secured server
hosting areas of the associated Microsoft data centers.

Customer-facing web services are secured with the Transport Layer Security (TLS)
protocol.

Secret Storage: Azure AD Service back-end uses encryption to store sensitive material
for service use, such as certificates, keys, credentials, and hashes using Microsoft
proprietary technology. The store used depends on the service, the operation, the scope
of the secret (user-wide or tenant-wide), and other requirements.

These stores are operated by a security-focused group via established automation and
workflows, including certificate request, renewal, revocation, and destruction.

There's activity auditing related to these stores/workflows/processes, and there is no standing access. Access is request- and approval-based, and for a limited amount of time.

For more information about Secret encryption at rest, see the following table.

Algorithms: The following table lists the minimum cryptography algorithms used by Azure AD components. As a cloud service, Microsoft reassesses and improves the cryptography based on security research findings, internal security reviews, key strength against hardware evolution, etc.

Data/scenario: Password hash sync; cloud account passwords
Cryptography algorithm: Hash: Password-Based Key Derivation Function 2 (PBKDF2), using HMAC-SHA256 @ 1000 iterations

Data/scenario: Directory in transit between data centers
Cryptography algorithm: AES-256-CTS-HMAC-SHA1-96; TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Data/scenario: Pass-through authentication user credential flow
Cryptography algorithm: RSA 2048 public/private key pair. Learn more: Azure Active Directory Pass-through Authentication security deep dive

Data/scenario: Self-service password reset password writeback with Azure AD Connect: cloud to on-premises communication
Cryptography algorithm: RSA 2048 private/public key pair; AES_GCM (256-bit key, 96-bit IV size)

Data/scenario: Self-service password reset: answers to security questions
Cryptography algorithm: SHA256

Data/scenario: SSL certificates for Azure AD Application Proxy published applications
Cryptography algorithm: AES-GCM 256-bit

Data/scenario: Disk-level encryption
Cryptography algorithm: XTS-AES 128

Data/scenario: Seamless single sign-on (SSO) service account password; SaaS application provisioning credentials
Cryptography algorithm: AES-CBC 128-bit

Data/scenario: Azure AD Managed Identities
Cryptography algorithm: AES-GCM 256-bit

Data/scenario: Microsoft Authenticator app: passwordless sign-in to Azure AD
Cryptography algorithm: Asymmetric RSA key 2048-bit

Data/scenario: Microsoft Authenticator app: backup and restore of enterprise account metadata
Cryptography algorithm: AES-256

Resources
Microsoft Service Trust Documents
Microsoft Azure Trust Center
Recover from deletions in Azure Active Directory

Next steps
Azure Active Directory and data residency

Data operational considerations

Data protection considerations (You're here)


Customer data storage and processing
for European customers in Azure Active
Directory
Article • 06/30/2023

Azure Active Directory (Azure AD) stores customer data in a geographic location based
on how a tenant was created and provisioned. The following list provides information
about how the location is defined:

Azure portal or Azure AD API - A customer selects a location from the pre-defined
list.
Dynamics 365 and Power Platform - A customer provisions their tenant in a pre-
defined location.
EU Data Residency - For customers who provided a location in Europe, Azure AD
stores most of the customer data in Europe, except where noted later in this article.
EU Data Boundary - For customers who provided a location that is within the EU
Data Boundary (members of the EU and EFTA), Azure AD stores and processes
most of the customer data in the EU Data Boundary, except where noted later in
this article.
Microsoft 365 - The location is based on a customer provided billing address.

The following sections provide information about customer data that doesn't meet the
EU Data Residency or EU Data Boundary commitments.

Services permanently excluded from the EU Data Residency and EU Data Boundary
Reason for customer data egress - Some forms of communication rely on a
network that is operated by global providers, such as phone calls and SMS. Device
vendor-specific services, such as Apple Push Notifications, may be outside of Europe.
Types of customer data being egressed - User account data (phone number).
Customer data location at rest - In EU Data Boundary.
Customer data processing - Some processing may occur globally.
Services - Multi-Factor Authentication

Services temporarily excluded from the EU Data Residency and EU Data Boundary
Some services have work in progress to be EU Data Residency and EU Data Boundary
compliant, but this work is delayed beyond January 1, 2023. The following details
explain the customer data that these features currently transfer out of the EU as part of
their service operations:

Reason for customer data egress - To provide reliable and scalable service,
Microsoft performs regular analytics that involve transfers of data outside the EU
location.
Types of customer data being egressed - User and device account data, usage
data, and service configuration (application, policy, and group).
Customer data location at rest - US
Customer data processing - US
Services - Azure Active Directory Connect, Azure Active Directory Connect Health,
Device Registration, Directory Core Store, Dynamic Groups Service, Self-Service
Group Management

Some services incorrectly stored data out of the EU Data Boundary. The following details
explain the customer data that these features currently transfer out of the EU as part of
their service operations:

Reason for customer data egress - A small number of tenants created in the EU
location prior to March 2019 were incorrectly stored out of the EU Data Boundary
due to an issue that is now fixed. Microsoft is in the process of migrating tenants
to the correct location.
Types of customer data being egressed - User and device account data, and
service configuration (application, policy, and group).
Customer data location at rest - US and Asia/Pacific.
Customer data processing - The same as the location at rest.
Services - Directory Core Store

Services temporarily excluded from the EU Data Boundary
Some services have work in progress to be EU Data Boundary compliant. This work is
delayed beyond January 1, 2023. The following details explain the customer data that
these features currently transfer out of the EU Data Boundary as part of their service
operations:

Reason for customer data egress - These features haven't completed changes to
fully process user or admin transactions, such as sign-in or object and application
configuration actions within the EU Data Boundary.
Types of customer data being egressed - User and device account data, usage
data, and service configuration (application, policy, group, and terms of use).
Customer data location at rest - In the EU Data Boundary.
Customer data processing - Some processing may occur globally.
Services - Azure Active Directory Connect, Azure Active Directory Connect Health,
Enterprise Application Management, Dynamic Groups Service, MyAccount,
MyApps, MySign-Ins, Reporting and Audit Insights, Self-Service Credentials
Management, Self-Service Group Management, Sign-In, Terms of Use

Some services have email-specific data that will become compliant in the coming
months. The following details explain the customer data that these features currently
transfer out of the EU Data Boundary as part of their service operations:

Reason for customer data egress - To provide email notifications, some data is
processed outside of the EU location.
Types of customer data being egressed - User account data (email address).
Customer data location at rest - In EU Data Boundary.
Customer data processing - Some processing may occur globally.
Services - Azure Active Directory Sync Fabric, Azure Certificate Service, Enterprise
App Management, Identity Governance, Azure Customer Lockbox

Other considerations

Optional service capabilities that transfer data out of the EU Data Residency and EU
Data Boundary
Administrators can choose to enable or disable certain Azure AD features. If the
following features are enabled and used by the customer, they will result in data
transfers out of the EU Data Residency and EU Data Boundary as described:

Azure Active Directory Multi Tenant Collaboration - With multi tenant
collaboration scenarios enabled, customers can configure their tenant to
collaborate with users from a different tenant. For example, a customer can invite
users to their tenant in a B2B context. A customer can create a multi-tenant SaaS
application that allows other third party tenants to provision the application in the
third party tenant. Or, the customer can make two or more tenants affiliated with
one another and act as a single tenant in certain scenarios, such as multi-tenant
organization (MTO) formation, tenant to tenant sync, and shared e-mail domains.
Customer configuration and use of multi tenant collaboration may occur with
tenants outside of the EU Data Residency and EU Data Boundary, which results in
some customer data, such as user and device account data, usage data, and service
configuration (application, policy, and group), being stored and processed in the
location of the collaborating tenant.
Application Proxy - Allows customers to access their on-premises web
applications externally. Customers may choose advanced routing configurations
that allow customer data to egress outside of the EU Data Residency and EU Data
Boundary, including user account data, usage data, and application configuration
data.
Microsoft 365 Multi Geo - Microsoft 365 Multi-Geo provides customers with the
ability to expand their Microsoft 365 presence to multiple geographic
countries/regions within a single existing Microsoft 365 tenant. Azure Active
Directory will egress customer data to perform backup authentication to the
locations configured by the customer. Types of customer data include user and
device account data, branding data, and service configuration data (application,
policy, and group).

Other EU Data Boundary online services
Services and applications that integrate with Azure AD have access to customer data.
Review how each service and application stores and processes customer data, and verify
that they meet your company's data handling requirements.

Next steps
For more information about Microsoft services' data residency, see the Where your data
is located section of the Microsoft Trust Center.
Identity data storage for Australian and
New Zealand customers in Azure Active
Directory
Article • 06/30/2023

Azure AD stores identity data in a location chosen based on the address provided by
your organization when subscribing to a Microsoft service like Microsoft 365 or Azure.
For information on where your Identity Customer Data is stored, you can use the Where
is your data located? section of the Microsoft Trust Center.

Note

Services and applications that integrate with Azure AD have access to Identity
Customer Data. Evaluate each service and application you use to determine how
Identity Customer Data is processed by that specific service and application, and
whether they meet your company's data storage requirements. For more
information about Microsoft services' data residency, see the Where is your data
located? section of the Microsoft Trust Center.

For customers who provided an address in Australia or New Zealand, Azure AD keeps
identity data for these services within Australian datacenters:

Azure AD Directory Management
Authentication

All other Azure AD services store customer data in global datacenters. To locate the
datacenter for a service, see Azure Active Directory – Where is your data located?

Microsoft Azure AD Multi-Factor Authentication (MFA)
MFA stores Identity Customer Data in global datacenters. To learn more about the user
information collected and stored by cloud-based Azure AD MFA and Azure AD Multi-
Factor Authentication Server, see Azure Active Directory Multi-Factor Authentication
user data collection.

Next steps
For more information about any of the features and functionality described above, see
these articles:

What is Multi-Factor Authentication?


Customer Data storage for Australian
and New Zealand customers in Azure
Active Directory
Article • 06/30/2023

Azure AD stores identity data in a location chosen based on the address provided by
your organization when subscribing to a Microsoft service like Microsoft 365 or Azure.
Microsoft Online services include Microsoft 365 and Azure.

For information about where Azure AD and other Microsoft services' data is located, see
the Where your data is located section of the Microsoft Trust Center.

From February 26, 2020, Microsoft began storing Azure AD’s Customer Data for new
tenants with an Australian or New Zealand billing address within the Australian
datacenters.

Additionally, certain Azure AD features don't yet support storage of Customer Data in
Australia. Go to the Azure AD data map for specific feature information. For example,
Microsoft Azure AD Multi-Factor Authentication stores Customer Data in the US and
processes it globally. See Data residency and customer data for Azure AD Multi-Factor
Authentication.

Note

Microsoft products, services, and third-party applications that integrate with Azure
AD have access to Customer Data. Evaluate each product, service, and application
you use to determine how Customer Data is processed by that specific product,
service, and application, and whether they meet your company's data storage
requirements. For more information about Microsoft services' data residency, see
the Where your data is located section of the Microsoft Trust Center.

Azure role-based access control (Azure RBAC)
Role definitions, role assignments, and deny assignments are stored globally to ensure
that you have access to your resources regardless of the region in which you created the
resource. For more information, see What is Azure role-based access control (Azure
RBAC)?.
Customer data storage for Japan
customers in Azure Active Directory
Article • 06/30/2023

Azure Active Directory (Azure AD) stores its Customer Data in a geographical location
based on the country/region you provided when you signed up for a Microsoft Online
service. Microsoft Online services include Microsoft 365 and Azure.

For information about where Azure AD and other Microsoft services' data is located, see
the Where your data is located section of the Microsoft Trust Center.

Additionally, certain Azure AD features do not yet support storage of Customer Data in
Japan. Go to the Azure AD data map for specific feature information. For
example, Microsoft Azure AD Multi-Factor Authentication stores Customer Data in the
US and processes it globally. See Data residency and customer data for Azure AD Multi-
Factor Authentication.

Note

Microsoft products, services, and third-party applications that integrate with Azure
AD have access to Customer Data. Evaluate each product, service, and application
you use to determine how Customer Data is processed by that specific product,
service, and application, and whether they meet your company's data storage
requirements. For more information about Microsoft services' data residency, see
the Where your data is located section of the Microsoft Trust Center.

Azure role-based access control (Azure RBAC)
Role definitions, role assignments, and deny assignments are stored globally to ensure
that you have access to your resources regardless of the region in which you created the
resource. For more information, see What is Azure role-based access control (Azure
RBAC)?.
Compare Active Directory to Azure
Active Directory
Article • 06/02/2023

Azure Active Directory is the next evolution of identity and access management
solutions for the cloud. Microsoft introduced Active Directory Domain Services in
Windows 2000 to give organizations the ability to manage multiple on-premises
infrastructure components and systems using a single identity per user.

Azure AD takes this approach to the next level by providing organizations with an
Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises.

Most IT administrators are familiar with Active Directory Domain Services concepts. The
following table outlines the differences and similarities between Active Directory
concepts and Azure Active Directory.

Concept - Active Directory (AD) - Azure Active Directory

Users

Provisioning: users
  Active Directory (AD): Organizations create internal users manually or use an in-house
  or automated provisioning system, such as the Microsoft Identity Manager, to integrate
  with an HR system.
  Azure Active Directory: Existing AD organizations use Azure AD Connect to sync
  identities to the cloud. Azure AD adds support to automatically create users from cloud
  HR systems. Azure AD can provision identities in SCIM enabled SaaS apps to
  automatically provide apps with the necessary details to allow access for users.

Provisioning: external identities
  Active Directory (AD): Organizations create external users manually as regular users in
  a dedicated external AD forest, resulting in administration overhead to manage the
  lifecycle of external identities (guest users).
  Azure Active Directory: Azure AD provides a special class of identity to support
  external identities. Azure AD B2B will manage the link to the external user identity to
  make sure they are valid.

Entitlement management and groups
  Active Directory (AD): Administrators make users members of groups. App and resource
  owners then give groups access to apps or resources.
  Azure Active Directory: Groups are also available in Azure AD and administrators can
  also use groups to grant permissions to resources. In Azure AD, administrators can
  assign membership to groups manually or use a query to dynamically include users in a
  group. Administrators can use Entitlement management in Azure AD to give users access
  to a collection of apps and resources using workflows and, if necessary, time-based
  criteria.

Admin management
  Active Directory (AD): Organizations will use a combination of domains, organizational
  units, and groups in AD to delegate administrative rights to manage the directory and
  resources it controls.
  Azure Active Directory: Azure AD provides built-in roles with its Azure AD role-based
  access control (Azure AD RBAC) system, with limited support for creating custom roles
  to delegate privileged access to the identity system, the apps, and resources it
  controls. Managing roles can be enhanced with Privileged Identity Management (PIM) to
  provide just-in-time, time-restricted, or workflow-based access to privileged roles.

Credential management
  Active Directory (AD): Credentials in Active Directory are based on passwords,
  certificate authentication, and smartcard authentication. Passwords are managed using
  password policies that are based on password length, expiry, and complexity.
  Azure Active Directory: Azure AD uses intelligent password protection for cloud and
  on-premises. Protection includes smart lockout plus blocking common and custom
  password phrases and substitutions. Azure AD significantly boosts security through
  Multi-factor authentication and passwordless technologies, like FIDO2. Azure AD
  reduces support costs by providing users a self-service password reset system.

Apps

Infrastructure apps
  Active Directory (AD): Active Directory forms the basis for many on-premises
  infrastructure components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access.
  Azure Active Directory: In a new cloud world, Azure AD is the new control plane for
  accessing apps versus relying on networking controls. When users authenticate,
  Conditional Access controls which users have access to which apps under required
  conditions.

Traditional and legacy apps
  Active Directory (AD): Most on-premises apps use LDAP, Windows-Integrated
  Authentication (NTLM and Kerberos), or Header-based authentication to control user
  access.
  Azure Active Directory: Azure AD can provide access to these types of on-premises apps
  using Azure AD application proxy agents running on-premises. Using this method Azure
  AD can authenticate Active Directory users on-premises using Kerberos while you
  migrate or need to coexist with legacy apps.

SaaS apps
  Active Directory (AD): Active Directory doesn't support SaaS apps natively and requires
  a federation system, such as AD FS.
  Azure Active Directory: SaaS apps supporting OAuth2, SAML, and WS-* authentication can
  be integrated to use Azure AD for authentication.

Line of business (LOB) apps with modern authentication
  Active Directory (AD): Organizations can use AD FS with Active Directory to support LOB
  apps requiring modern authentication.
  Azure Active Directory: LOB apps requiring modern authentication can be configured to
  use Azure AD for authentication.

Mid-tier/Daemon services
  Active Directory (AD): Services running in on-premises environments normally use AD
  service accounts or group Managed Service Accounts (gMSA) to run. These apps will then
  inherit the permissions of the service account.
  Azure Active Directory: Azure AD provides managed identities to run other workloads in
  the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the
  resource provider, and it can't be used for other purposes to gain backdoor access.

Devices

Mobile
  Active Directory (AD): Active Directory doesn't natively support mobile devices without
  third-party solutions.
  Azure Active Directory: Microsoft's mobile device management solution, Microsoft
  Intune, is integrated with Azure AD. Microsoft Intune provides device state
  information to the identity system to evaluate during authentication.

Windows desktops
  Active Directory (AD): Active Directory provides the ability to domain join Windows
  devices to manage them using Group Policy, System Center Configuration Manager, or
  other third-party solutions.
  Azure Active Directory: Windows devices can be joined to Azure AD. Conditional Access
  can check if a device is Azure AD joined as part of the authentication process.
  Windows devices can also be managed with Microsoft Intune. In this case, Conditional
  Access will consider whether a device is compliant (for example, up-to-date security
  patches and virus signatures) before allowing access to the apps.

Windows servers
  Active Directory (AD): Active Directory provides strong management capabilities for
  on-premises Windows servers using Group Policy or other management solutions.
  Azure Active Directory: Windows server virtual machines in Azure can be managed with
  Azure AD Domain Services. Managed identities can be used when VMs need access to the
  identity system directory or resources.

Linux/Unix workloads
  Active Directory (AD): Active Directory doesn't natively support non-Windows systems
  without third-party solutions, although Linux machines can be configured to
  authenticate with Active Directory as a Kerberos realm.
  Azure Active Directory: Linux/Unix VMs can use managed identities to access the
  identity system or resources. Some organizations migrate these workloads to cloud
  container technologies, which can also use managed identities.

Next steps
What is Azure Active Directory?
Compare self-managed Active Directory Domain Services, Azure Active Directory,
and managed Azure Active Directory Domain Services
Frequently asked questions about Azure Active Directory
What's new in Azure Active Directory?
What are custom security attributes in
Azure AD? (Preview)
Article • 07/19/2023

Important

Custom security attributes are currently in PREVIEW. See the Supplemental Terms
of Use for Microsoft Azure Previews for legal terms that apply to Azure features
that are in beta, preview, or otherwise not yet released into general availability.

Custom security attributes in Azure Active Directory (Azure AD) are business-specific
attributes (key-value pairs) that you can define and assign to Azure AD objects. These
attributes can be used to store information, categorize objects, or enforce fine-grained
access control over specific Azure resources. Custom security attributes can be used with
Azure attribute-based access control (Azure ABAC).

Why use custom security attributes?


Extend user profiles, such as add Hourly Salary to all my employees.
Ensure only administrators can see the Hourly Salary attribute in my employees'
profiles.
Categorize hundreds or thousands of applications to easily create a filterable
inventory for auditing.
Grant users access to the Azure Storage blobs belonging to a project.

What can I do with custom security attributes?


Define business-specific information (attributes) for your tenant.
Add a set of custom security attributes on users, applications, Azure AD resources,
or Azure resources.
Manage Azure AD objects using custom security attributes with queries and filters.
Provide attribute governance so attributes determine who can get access.

Features of custom security attributes


Available tenant-wide
Include a description
Support different data types: Boolean, integer, string
Support single value or multiple values
Support user-defined free-form values or predefined values
Assign custom security attributes to directory synced users from an on-premises
Active Directory

The following example shows how you can specify custom security attribute values that
are single, multiple, free-form, or predefined.

Objects that support custom security attributes


Currently, you can add custom security attributes for the following Azure AD objects:

Azure AD users
Azure AD enterprise applications (service principals)
Managed identities for Azure resources

How do custom security attributes compare with extensions?
While both extensions and custom security attributes can be used to extend objects in
Azure AD and Microsoft 365, they are suitable for fundamentally different custom data
scenarios. Here are some ways that custom security attributes compare with extensions:

Capability - Extensions - Custom security attributes

Extend Azure AD and Microsoft 365 objects
  Extensions: Yes
  Custom security attributes: Yes

Supported objects
  Extensions: Depends on the extension type
  Custom security attributes: Users and service principals

Restricted access
  Extensions: No. Anyone with permissions to read the object can read the extension data.
  Custom security attributes: Yes. Read and write access is restricted through a separate
  set of permissions and RBAC.

When to use
  Extensions: Store data to be used by an application; store non-sensitive data
  Custom security attributes: Store sensitive data; use for authorization scenarios

License requirements
  Extensions: Available in all editions of Azure AD
  Custom security attributes: Requires an Azure AD Premium P1 or P2 license

For more information about working with extensions, see Add custom data to resources
using extensions.

Steps to use custom security attributes


1. Check permissions

Check that you are assigned the Attribute Definition Administrator or Attribute
Assignment Administrator roles. If not, check with your administrator to assign you
the appropriate role at tenant scope or attribute set scope. By default, Global
Administrator and other administrator roles do not have permissions to read,
define, or assign custom security attributes. If necessary, a Global Administrator
can assign these roles to themselves.

2. Add attribute sets

Add attribute sets to group and manage related custom security attributes. Learn
more

3. Manage attribute sets

Specify who can read, define, or assign custom security attributes in an attribute
set. Learn more

4. Define attributes

Add your custom security attributes to your directory. You can specify the data
type (Boolean, integer, or string) and whether values are predefined, free-form,
single, or multiple. Learn more

5. Assign attributes

Assign custom security attributes to Azure AD objects for your business scenarios.
Learn more

6. Use attributes
Filter users and applications that use custom security attributes. Learn more

Add conditions that use custom security attributes to Azure role assignments for
fine-grained access control. Learn more

Terminology
To better understand custom security attributes, you can refer back to the following list
of terms.

Term - Definition

attribute definition - The schema of a custom security attribute or key-value pair. For
example, the custom security attribute name, description, data type, and predefined
values.

attribute set - A collection of related custom security attributes. Attribute sets can be
delegated to other users for defining and assigning custom security attributes.

attribute name - A unique name of a custom security attribute within an attribute set.
The combination of attribute set and attribute name forms a unique attribute for your
tenant.

attribute assignment - The assignment of a custom security attribute to an Azure AD
object, such as users, enterprise applications (service principals), and managed
identities.

predefined value - A value that is allowed for a custom security attribute.

Custom security attribute properties

The following table lists the properties you can specify for attribute sets and custom
security attributes. Some properties are immutable and cannot be changed later.

Property - Required - Can be changed later - Description

Attribute set name
  Required: yes. Can be changed later: no.
  Name of the attribute set. Must be unique within a tenant. Cannot include spaces or
  special characters.

Attribute set description
  Required: no. Can be changed later: yes.
  Description of the attribute set.

Maximum number of attributes
  Required: no. Can be changed later: yes.
  Maximum number of custom security attributes that can be defined in an attribute set.
  Default value is null. If not specified, the administrator can add up to the maximum
  of 500 active attributes per tenant.

Attribute set
  Required: yes. Can be changed later: no.
  A collection of related custom security attributes. Every custom security attribute
  must be part of an attribute set.

Attribute name
  Required: yes. Can be changed later: no.
  Name of the custom security attribute. Must be unique within an attribute set. Cannot
  include spaces or special characters.

Attribute description
  Required: no. Can be changed later: yes.
  Description of the custom security attribute.

Data type
  Required: yes. Can be changed later: no.
  Data type for the custom security attribute values. Supported types are Boolean,
  Integer, and String.

Allow multiple values to be assigned
  Required: yes. Can be changed later: no.
  Indicates whether multiple values can be assigned to the custom security attribute. If
  data type is set to Boolean, cannot be set to Yes.

Only allow predefined values to be assigned
  Required: no. Can be changed later: yes (from Yes to No only).
  Indicates whether only predefined values can be assigned to the custom security
  attribute. If set to No, free-form values are allowed. Can later be changed from Yes to
  No, but cannot be changed from No to Yes. If data type is set to Boolean, cannot be
  set to Yes.

Predefined values
  Required: no. Can be changed later: more values can be added.
  Predefined values for the custom security attribute of the selected data type. More
  predefined values can be added later. Values can include spaces, but some special
  characters are not allowed.

Predefined value is active
  Required: no. Can be changed later: yes.
  Specifies whether the predefined value is active or deactivated. If set to false, the
  predefined value cannot be assigned to any additional supported directory objects.

Attribute is active
  Required: no. Can be changed later: yes.
  Specifies whether the custom security attribute is active or deactivated.

Limits and constraints

Here are some of the limits and constraints for custom security attributes.
Resource - Limit - Notes

Attribute definitions per tenant - 500 - Applies only to active attributes in the tenant

Attribute sets per tenant - 500

Attribute set name length - 32 - Unicode characters and case insensitive

Attribute set description length - 128 - Unicode characters

Attribute name length - 32 - Unicode characters and case insensitive

Attribute description length - 128 - Unicode characters

Predefined values - Unicode characters and case sensitive

Predefined values per attribute definition - 100

Attribute value length - 64 - Unicode characters

Attribute values assigned per object - 50 - Values can be distributed across single and
multi-valued attributes. Example: 5 attributes with 10 values each or 50 attributes
with 1 value each

Special characters not allowed for attribute set name and attribute name -
<space> ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] | \ : ; " ' < , > . ? / -
Attribute set name and attribute name cannot start with a number

Special characters allowed for attribute values - All special characters

Special characters allowed for attribute values when used with blob index tags -
<space> + - . : = _ / - If you plan to use attribute values with blob index tags, these
are the only special characters allowed for blob index tags. For more information, see
Setting blob index tags.
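The limits above, together with the property rules in the preceding table (Boolean attributes cannot be multi-valued or restricted to predefined values; predefined-only can move from Yes to No but not back), are easy to trip over when definitions are scripted. The following is an added example, not Microsoft's or Microsoft Graph's own code, that validates attribute sets, attribute definitions and per-object assignments against exactly those page-stated limits before anything is sent to the directory; the class layout is the example's own, and letters and digits are assumed to be acceptable in blob index tag values alongside the listed special characters.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Limits taken from the "Limits and constraints" table above.
MAX_NAME_LEN = 32             # attribute set name and attribute name
MAX_DESCRIPTION_LEN = 128     # attribute set and attribute descriptions
MAX_PREDEFINED_VALUES = 100   # per attribute definition
MAX_VALUE_LEN = 64            # each assigned value
MAX_VALUES_PER_OBJECT = 50    # across single- and multi-valued attributes
DATA_TYPES = ("Boolean", "Integer", "String")
# Names: no spaces or special characters, and they cannot start with a number.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")
# Special characters that blob index tags accept; alphanumerics assumed allowed too.
BLOB_TAG_SPECIALS = set(" +-.:=_/")


def check_name(name: str, what: str) -> List[str]:
    """Length and character rules shared by attribute set names and attribute names."""
    errors = []
    if len(name) > MAX_NAME_LEN:
        errors.append(f"{what} {name!r} exceeds {MAX_NAME_LEN} characters")
    if not NAME_RE.fullmatch(name):
        errors.append(f"{what} {name!r} must be alphanumeric and start with a letter")
    return errors


@dataclass
class AttributeSet:
    name: str
    description: str = ""
    max_attributes: Optional[int] = None   # null by default, per the properties table

    def validate(self) -> List[str]:
        errors = check_name(self.name, "attribute set name")
        if len(self.description) > MAX_DESCRIPTION_LEN:
            errors.append("attribute set description exceeds 128 characters")
        return errors


@dataclass
class AttributeDefinition:
    attribute_set: str
    name: str
    data_type: str
    is_collection: bool = False          # "Allow multiple values to be assigned"
    predefined_only: bool = False        # "Only allow predefined values to be assigned"
    predefined_values: List[str] = field(default_factory=list)
    description: str = ""

    def validate(self) -> List[str]:
        errors = check_name(self.name, "attribute name")
        if self.data_type not in DATA_TYPES:
            errors.append(f"unsupported data type {self.data_type!r}")
        if self.data_type == "Boolean" and self.is_collection:
            errors.append("Boolean attributes cannot be multi-valued")
        if self.data_type == "Boolean" and self.predefined_only:
            errors.append("Boolean attributes cannot be restricted to predefined values")
        if len(self.description) > MAX_DESCRIPTION_LEN:
            errors.append("attribute description exceeds 128 characters")
        if len(self.predefined_values) > MAX_PREDEFINED_VALUES:
            errors.append("more than 100 predefined values")
        errors += [f"predefined value {v!r} exceeds 64 characters"
                   for v in self.predefined_values if len(v) > MAX_VALUE_LEN]
        return errors


def predefined_only_change_allowed(current: bool, proposed: bool) -> bool:
    """Yes -> No is allowed later; No -> Yes is not (unchanged is trivially fine)."""
    return not (proposed and not current)


def check_assignment(values_by_attribute: Dict[str, List[str]]) -> List[str]:
    """Per-object limit: at most 50 values in total, each at most 64 characters."""
    errors = []
    total = sum(len(vals) for vals in values_by_attribute.values())
    if total > MAX_VALUES_PER_OBJECT:
        errors.append(f"{total} values assigned; the per-object limit is 50")
    for attr, vals in values_by_attribute.items():
        errors += [f"{attr} value {v!r} exceeds 64 characters"
                   for v in vals if len(v) > MAX_VALUE_LEN]
    return errors


def safe_for_blob_index_tag(value: str) -> bool:
    """True if the value only uses characters a blob index tag can carry."""
    return all(ch.isalnum() or ch in BLOB_TAG_SPECIALS for ch in value)
```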

Custom security attribute roles

Azure AD provides built-in roles to work with custom security attributes. The Attribute
Definition Administrator role is the minimum role you need to manage custom security
attributes. The Attribute Assignment Administrator role is the minimum role you need to
assign custom security attribute values for Azure AD objects like users and applications.
You can assign these roles at tenant scope or at attribute set scope.

Role - Permissions

Attribute Definition Reader - Read attribute sets; read custom security attribute
definitions

Attribute Definition Administrator - Manage all aspects of attribute sets; manage all
aspects of custom security attribute definitions

Attribute Assignment Reader - Read attribute sets; read custom security attribute
definitions; read custom security attribute keys and values for users and service
principals

Attribute Assignment Administrator - Read attribute sets; read custom security attribute
definitions; read and update custom security attribute keys and values for users and
service principals

Important

By default, Global Administrator and other administrator roles do not have
permissions to read, define, or assign custom security attributes.

Microsoft Graph APIs

You can manage custom security attributes programmatically using Microsoft Graph
APIs. For more information, see Overview of custom security attributes using the
Microsoft Graph API.

You can use an API client such as Graph Explorer or Postman to more easily try the
Microsoft Graph APIs for custom security attributes.
Known issues

Here are some of the known issues with custom security attributes:

Global Administrators can read audit logs for custom security attribute definitions and assignments.
If you have an Azure AD Premium P2 license, you can't add eligible role assignments at attribute set scope.
If you have an Azure AD Premium P2 license, the Assigned roles page for a user does not list permanent role assignments at attribute set scope. The role assignments exist, but aren't listed.

Depending on whether you have an Azure AD Premium P1 or P2 license, here are the
role assignment tasks that are currently supported for custom security attribute roles:

Role assignment task                                   Premium P1  Premium P2

Permanent role assignments                             ✔️          ✔️
Eligible role assignments                              n/a         ✔️
Permanent role assignments at attribute set scope      ✔️          ✔️
Eligible role assignments at attribute set scope       n/a         ❌
Assigned roles page lists permanent role assignments   ✔️          ⚠️ Role assignments exist, but aren't listed
at attribute set scope

License requirements

Using this feature requires Azure AD Premium P1 licenses. To find the right license for
your requirements, see Compare generally available features of Azure AD.

Next steps
Add or deactivate custom security attribute definitions in Azure AD
Manage access to custom security attributes in Azure AD
Assign, update, list, or remove custom security attributes for a user

Add or deactivate custom security attribute definitions in Azure AD (Preview)
Article • 06/30/2023

Important

Custom security attributes are currently in PREVIEW. See the Supplemental Terms
of Use for Microsoft Azure Previews for legal terms that apply to Azure features
that are in beta, preview, or otherwise not yet released into general availability.

Custom security attributes in Azure Active Directory (Azure AD) are business-specific
attributes (key-value pairs) that you can define and assign to Azure AD objects. This
article describes how to add, edit, or deactivate custom security attribute definitions.

Prerequisites

To add or deactivate custom security attribute definitions, you must have:

Azure AD Premium P1 or P2 license
Attribute Definition Administrator
Microsoft.Graph module when using Microsoft Graph PowerShell
AzureADPreview version 2.0.2.138 or later when using Azure AD PowerShell

Important

By default, Global Administrator and other administrator roles do not have
permissions to read, define, or assign custom security attributes.

Add an attribute set


An attribute set is a collection of related attributes. All custom security attributes must
be part of an attribute set. Attribute sets cannot be renamed or deleted.

1. Sign in to the Azure portal.

2. Click Azure Active Directory > Custom security attributes (Preview).


3. Click Add attribute set to add a new attribute set.

If Add attribute set is disabled, make sure you are assigned the Attribute Definition
Administrator role. For more information, see Troubleshoot custom security
attributes.

4. Enter a name, description, and maximum number of attributes.

An attribute set name can be 32 characters with no spaces or special characters.
Once you've specified a name, you can't rename it. For more information, see
Limits and constraints.

5. When finished, click Add.

The new attribute set appears in the list of attribute sets.

Add a custom security attribute definition


1. Sign in to the Azure portal.

2. Click Azure Active Directory > Custom security attributes (Preview).

3. On the Custom security attributes page, find an existing attribute set or click Add
attribute set to add a new attribute set.

All custom security attribute definitions must be part of an attribute set.

4. Click to open the selected attribute set.


5. Click Add attribute to add a new custom security attribute to the attribute set.

6. In the Attribute name box, enter a custom security attribute name.

A custom security attribute name can be 32 characters with no spaces or special
characters. Once you've specified a name, you can't rename it. For more
information, see Limits and constraints.

7. In the Description box, enter an optional description.

A description can be 128 characters long. If necessary, you can later change the
description.

8. From the Data type list, select the data type for the custom security attribute.

Data type  Description

Boolean    A Boolean value that can be true, True, false, or False.
Integer    A 32-bit integer.
String     A string that can be X characters long.

9. For Allow multiple values to be assigned, select Yes or No.

Select Yes to allow multiple values to be assigned to this custom security attribute.
Select No to only allow a single value to be assigned to this custom security
attribute.
10. For Only allow predefined values to be assigned, select Yes or No.

Select Yes to require that this custom security attribute be assigned values from a
predefined values list. Select No to allow this custom security attribute to be
assigned user-defined values or potentially predefined values.

11. If Only allow predefined values to be assigned is Yes, click Add value to add
predefined values.

An active value is available for assignment to objects. A value that is not active is
defined, but not yet available for assignment.

12. When finished, click Save.

The new custom security attribute appears in the list of custom security attributes.

13. If you want to include predefined values, follow the steps in the next section.

Edit a custom security attribute definition


Once you add a new custom security attribute definition, you can later edit some of the
properties. Some properties are immutable and cannot be changed.

1. Sign in to the Azure portal.

2. Click Azure Active Directory > Custom security attributes (Preview).

3. Click the attribute set that includes the custom security attribute you want to edit.
4. In the list of custom security attributes, click the ellipsis for the custom security
attribute you want to edit and then click Edit attribute.

5. Edit the properties that are enabled.

6. If Only allow predefined values to be assigned is Yes, click Add value to add
predefined values. Click an existing predefined value to change the Is active?
setting.

Deactivate a custom security attribute definition

Once you add a custom security attribute definition, you can't delete it. However, you
can deactivate a custom security attribute definition.

1. Sign in to the Azure portal.

2. Click Azure Active Directory > Custom security attributes (Preview).

3. Click the attribute set that includes the custom security attribute you want to
deactivate.

4. In the list of custom security attributes, add a check mark next to the custom
security attribute you want to deactivate.

5. Click Deactivate attribute.

6. In the Deactivate attribute dialog that appears, click Yes.

The custom security attribute is deactivated and moved to the Deactivated
attributes list.
PowerShell or Microsoft Graph API
To manage custom security attribute definitions in your Azure AD organization, you can
also use PowerShell or Microsoft Graph API. The following examples manage attribute
sets and custom security attribute definitions.

Get all attribute sets

The following example gets all attribute sets.

PowerShell

Get-MgDirectoryAttributeSet

PowerShell

Get-MgDirectoryAttributeSet | Format-List

Output

Description          : Attributes for engineering team
Id                   : Engineering
MaxAttributesPerSet  : 25
AdditionalProperties : {}

Description          : Attributes for marketing team
Id                   : Marketing
MaxAttributesPerSet  : 25
AdditionalProperties : {}

Get top attribute sets

The following example gets the top attribute sets.

PowerShell

Get-MgDirectoryAttributeSet

PowerShell

Get-MgDirectoryAttributeSet -Top 10

Get attribute sets in order


The following example gets attribute sets in order.

PowerShell

Get-MgDirectoryAttributeSet

PowerShell

Get-MgDirectoryAttributeSet -Sort "Id"

Get an attribute set

The following example gets an attribute set.

Attribute set: Engineering

PowerShell

Get-MgDirectoryAttributeSet

PowerShell

Get-MgDirectoryAttributeSet -AttributeSetId "Engineering" | Format-List

Output

Description          : Attributes for engineering team
Id                   : Engineering
MaxAttributesPerSet  : 25
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/attributeSets/$entity]}

Add an attribute set

The following example adds a new attribute set.

Attribute set: Engineering

PowerShell

New-MgDirectoryAttributeSet

PowerShell

# The Id becomes the attribute set name and cannot be changed afterwards.
$params = @{
    Id = "Engineering"
    Description = "Attributes for engineering team"
    MaxAttributesPerSet = 25
}
New-MgDirectoryAttributeSet -BodyParameter $params

Output

Id          Description                      MaxAttributesPerSet
--          -----------                      -------------------
Engineering Attributes for engineering team  25

Update an attribute set

The following example updates an attribute set.

Attribute set: Engineering

PowerShell

Update-MgDirectoryAttributeSet

PowerShell

# Only description and maxAttributesPerSet can be updated; the Id is immutable.
$params = @{
    description = "Attributes for engineering team"
    maxAttributesPerSet = 20
}
Update-MgDirectoryAttributeSet -AttributeSetId "Engineering" -BodyParameter $params

Get all custom security attribute definitions

The following example gets all custom security attribute definitions.

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinition | Format-List

Output

AllowedValues           :
AttributeSet            : Engineering
Description             : Target completion date
Id                      : Engineering_ProjectDate
IsCollection            : False
IsSearchable            : True
Name                    : ProjectDate
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : False
AdditionalProperties    : {}

AllowedValues           :
AttributeSet            : Engineering
Description             : Active projects for user
Id                      : Engineering_Project
IsCollection            : True
IsSearchable            : True
Name                    : Project
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : True
AdditionalProperties    : {}

AllowedValues           :
AttributeSet            : Marketing
Description             : Country where is application is used
Id                      : Marketing_AppCountry
IsCollection            : True
IsSearchable            : True
Name                    : AppCountry
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : True
AdditionalProperties    : {}

Filter custom security attribute definitions

The following examples filter custom security attribute definitions.

Filter: Attribute name eq 'Project' and status eq 'Available'

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinition -Filter "name eq 'Project' and status eq 'Available'" | Format-List

Output

AllowedValues           :
AttributeSet            : Engineering
Description             : Active projects for user
Id                      : Engineering_Project
IsCollection            : True
IsSearchable            : True
Name                    : Project
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : True
AdditionalProperties    : {}

Filter: Attribute set eq 'Engineering' and status eq 'Available' and data type eq 'String'

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinition -Filter "attributeSet eq 'Engineering' and status eq 'Available' and type eq 'String'" | Format-List

Output

AllowedValues           :
AttributeSet            : Engineering
Description             : Target completion date
Id                      : Engineering_ProjectDate
IsCollection            : False
IsSearchable            : True
Name                    : ProjectDate
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : False
AdditionalProperties    : {}

AllowedValues           :
AttributeSet            : Engineering
Description             : Active projects for user
Id                      : Engineering_Project
IsCollection            : True
IsSearchable            : True
Name                    : Project
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : True
AdditionalProperties    : {}

Get a custom security attribute definition

The following example gets a custom security attribute definition.

Attribute set: Engineering
Attribute: ProjectDate

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId "Engineering_ProjectDate" | Format-List

Output

AllowedValues           :
AttributeSet            : Engineering
Description             : Target completion date
Id                      : Engineering_ProjectDate
IsCollection            : False
IsSearchable            : True
Name                    : ProjectDate
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : False
AdditionalProperties    : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]}

Add a custom security attribute definition

The following example adds a new custom security attribute definition.

Attribute set: Engineering
Attribute: ProjectDate
Attribute data type: String

PowerShell

New-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

# Single-valued, free-form string attribute in the Engineering attribute set.
$params = @{
    attributeSet = "Engineering"
    description = "Target completion date"
    isCollection = $false
    isSearchable = $true
    name = "ProjectDate"
    status = "Available"
    type = "String"
    usePreDefinedValuesOnly = $false
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $params | Format-List

Output

AllowedValues           :
AttributeSet            : Engineering
Description             : Target completion date
Id                      : Engineering_ProjectDate
IsCollection            : False
IsSearchable            : True
Name                    : ProjectDate
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : False
AdditionalProperties    : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]}

Add a custom security attribute definition that supports multiple predefined values

The following example adds a new custom security attribute definition that supports
multiple predefined values.

Attribute set: Engineering
Attribute: Project
Attribute data type: Collection of Strings

PowerShell

New-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

# isCollection allows multiple values; usePreDefinedValuesOnly restricts them to
# the allowed values list (added separately, see below).
$params = @{
    attributeSet = "Engineering"
    description = "Active projects for user"
    isCollection = $true
    isSearchable = $true
    name = "Project"
    status = "Available"
    type = "String"
    usePreDefinedValuesOnly = $true
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $params | Format-List

Output

AllowedValues           :
AttributeSet            : Engineering
Description             : Active projects for user
Id                      : Engineering_Project
IsCollection            : True
IsSearchable            : True
Name                    : Project
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : True
AdditionalProperties    : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]}

Add a custom security attribute definition with a list of predefined values

The following example adds a new custom security attribute definition with a list of
predefined values.

Attribute set: Engineering
Attribute: Project
Attribute data type: Collection of Strings
Predefined values: Alpine, Baker, Cascade

PowerShell

New-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

# The allowedValues array defines the predefined values in the same request.
$params = @{
    attributeSet = "Engineering"
    description = "Active projects for user"
    isCollection = $true
    isSearchable = $true
    name = "Project"
    status = "Available"
    type = "String"
    usePreDefinedValuesOnly = $true
    allowedValues = @(
        @{
            id = "Alpine"
            isActive = $true
        }
        @{
            id = "Baker"
            isActive = $true
        }
        @{
            id = "Cascade"
            isActive = $true
        }
    )
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $params | Format-List

Output

AllowedValues           :
AttributeSet            : Engineering
Description             : Active projects for user
Id                      : Engineering_Project
IsCollection            : True
IsSearchable            : True
Name                    : Project
Status                  : Available
Type                    : String
UsePreDefinedValuesOnly : True
AdditionalProperties    : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]}

Update a custom security attribute definition

The following example updates a custom security attribute definition.

Attribute set: Engineering
Attribute: ProjectDate

PowerShell

Update-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

# The description is one of the few properties that can be changed after creation.
$params = @{
    description = "Target completion date (YYYY/MM/DD)"
}
Update-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId "Engineering_ProjectDate" -BodyParameter $params

Update the predefined values for a custom security attribute definition

The following example updates the predefined values for a custom security attribute
definition.

Attribute set: Engineering
Attribute: Project
Attribute data type: Collection of Strings
Update predefined value: Baker
New predefined value: Skagit

PowerShell

Invoke-MgGraphRequest

Note

For this request, you must add the OData-Version header and assign it the
value 4.01.

PowerShell

# Delta update: deactivate Baker and add Skagit in one PATCH request.
$params = @{
    "allowedValues@delta" = @(
        @{
            id = "Baker"
            isActive = $false
        }
        @{
            id = "Skagit"
            isActive = $true
        }
    )
}
$header = @{
    "OData-Version" = "4.01"
}
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project" -Headers $header -Body $params

Deactivate a custom security attribute definition

The following example deactivates a custom security attribute definition.

Attribute set: Engineering
Attribute: Project

PowerShell

Update-MgDirectoryCustomSecurityAttributeDefinition

PowerShell

# Definitions cannot be deleted; setting status to Deprecated deactivates one.
$params = @{
    status = "Deprecated"
}
Update-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId "Engineering_Project" -BodyParameter $params

Get all predefined values

The following example gets all predefined values for a custom security attribute
definition.

Attribute set: Engineering
Attribute: Project

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" | Format-List

Output

Id                   : Skagit
IsActive             : True
AdditionalProperties : {}

Id                   : Baker
IsActive             : False
AdditionalProperties : {}

Id                   : Cascade
IsActive             : True
AdditionalProperties : {}

Id                   : Alpine
IsActive             : True
AdditionalProperties : {}

Get a predefined value

The following example gets a predefined value for a custom security attribute definition.

Attribute set: Engineering
Attribute: Project
Predefined value: Alpine

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue

PowerShell

Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" -AllowedValueId "Alpine" | Format-List

Output

Id                   : Alpine
IsActive             : True
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions('Engineering_Project')/allowedValues/$entity]}

Add a predefined value

The following example adds a predefined value for a custom security attribute
definition.

You can add predefined values for custom security attributes that have
usePreDefinedValuesOnly set to true.

Attribute set: Engineering
Attribute: Project
Predefined value: Alpine

PowerShell

New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue

PowerShell

# The id is the value itself; isActive controls whether it can be assigned.
$params = @{
    id = "Alpine"
    isActive = $true
}
New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" -BodyParameter $params | Format-List

Output

Id                   : Alpine
IsActive             : True
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions('Engineering_Project')/allowedValues/$entity]}

Deactivate a predefined value

The following example deactivates a predefined value for a custom security attribute
definition.

Attribute set: Engineering
Attribute: Project
Predefined value: Alpine

PowerShell

Update-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue

PowerShell

# A deactivated value stays defined but can no longer be assigned to objects.
$params = @{
    isActive = $false
}
Update-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" -AllowedValueId "Alpine" -BodyParameter $params

Frequently asked questions


Can you delete custom security attribute definitions?

No, you can't delete custom security attribute definitions. You can only deactivate
custom security attribute definitions. Once you deactivate a custom security attribute, it
can no longer be applied to the Azure AD objects. Custom security attribute
assignments for the deactivated custom security attribute definition are not
automatically removed. There is no limit to the number of deactivated custom security
attributes. You can have 500 active custom security attribute definitions per tenant with
100 allowed predefined values per custom security attribute definition.
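Because deactivating a value or a definition leaves existing assignments in place, a practical check is to list who still holds the value first. The following Microsoft Graph PowerShell script is an added example, not code from the Microsoft article; it uses the page's Engineering/Project/Baker names, and the function name Get-CustomSecurityAttributeHolders is an assumption of this example.

```powershell
# Added example (not from the Microsoft article). Before deactivating the predefined
# value "Baker" in Engineering_Project, find the users and service principals that
# still carry it: deactivation does not remove existing assignments, so stale values
# would otherwise keep influencing filters and attribute-based role conditions.
# Requires the Microsoft.Graph module; the function name is an assumption.
Connect-MgGraph -Scopes "User.Read.All", "Application.Read.All", "CustomSecAttributeAssignment.Read.All"

function Get-CustomSecurityAttributeHolders {
    param(
        [Parameter(Mandatory)] [string] $AttributeSet,   # e.g. "Engineering"
        [Parameter(Mandatory)] [string] $AttributeName,  # e.g. "Project"
        [Parameter(Mandatory)] [string] $Value           # e.g. "Baker"
    )
    # Escape single quotes so a value cannot break out of the OData filter string.
    $safeValue = $Value -replace "'", "''"
    # Filtering on customSecurityAttributes is an advanced query: it needs
    # ConsistencyLevel=eventual together with $count (-CountVariable).
    $filter = "customSecurityAttributes/$AttributeSet/$AttributeName eq '$safeValue'"

    $users = Get-MgUser -Filter $filter -ConsistencyLevel eventual -CountVariable userCount -All `
        -Property Id, UserPrincipalName, CustomSecurityAttributes
    $apps = Get-MgServicePrincipal -Filter $filter -ConsistencyLevel eventual -CountVariable spCount -All `
        -Property Id, DisplayName, CustomSecurityAttributes

    foreach ($u in $users) {
        [pscustomobject]@{ ObjectType = "User"; Id = $u.Id; Name = $u.UserPrincipalName }
    }
    foreach ($sp in $apps) {
        [pscustomobject]@{ ObjectType = "ServicePrincipal"; Id = $sp.Id; Name = $sp.DisplayName }
    }
}

# Guarded deactivation: only flip isActive when nothing still references the value.
$holders = @(Get-CustomSecurityAttributeHolders -AttributeSet "Engineering" -AttributeName "Project" -Value "Baker")

if ($holders.Count -gt 0) {
    Write-Warning "Baker is still assigned to $($holders.Count) object(s); remove or re-assign it before deactivating:"
    $holders | Format-Table -AutoSize
} else {
    $params = @{ isActive = $false }
    Update-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue `
        -CustomSecurityAttributeDefinitionId "Engineering_Project" `
        -AllowedValueId "Baker" -BodyParameter $params
    Write-Host "Baker deactivated; no lingering assignments found."
}
```

The same check applies before deprecating a whole definition: run it once per predefined value, or with the single value a free-form attribute carries.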

Next steps
Manage access to custom security attributes in Azure AD
Assign, update, list, or remove custom security attributes for a user
Assign, update, list, or remove custom security attributes for an application

Manage access to custom security attributes in Azure AD (Preview)
Article • 06/30/2023

Important

Custom security attributes are currently in PREVIEW. See the Supplemental Terms
of Use for Microsoft Azure Previews for legal terms that apply to Azure features
that are in beta, preview, or otherwise not yet released into general availability.

For people in your organization to effectively work with custom security attributes, you
must grant the appropriate access. Depending on the information you plan to include in
custom security attributes, you might want to restrict custom security attributes or you
might want to make them broadly accessible in your organization. This article describes
how to manage access to custom security attributes.

Prerequisites

To manage access to custom security attributes, you must have:

Azure AD Premium P1 or P2 license
Attribute Assignment Administrator
Microsoft.Graph module when using Microsoft Graph PowerShell

Important

By default, Global Administrator and other administrator roles do not have
permissions to read, define, or assign custom security attributes.

Step 1: Figure out how to organize your attributes

Every custom security attribute definition must be part of an attribute set. An attribute
set is a way to group and manage related custom security attributes. You'll need to
figure out how you want to add attribute sets for your organization. For example, you
might want to add attribute sets based on departments, teams, or projects. Your ability
to grant access to custom security attributes will depend on how you organize your
attribute sets.

Step 2: Identify the needed scope


Scope is the set of resources that the access applies to. For custom security attributes,
you can assign roles at tenant scope or at attribute set scope. If you want to assign
broad access, you can assign roles at tenant scope. However, if you want to limit access
to particular attribute sets, you can assign roles at attribute set scope.

Azure AD role assignments are an additive model, so your effective permissions are the
sum of your role assignments. For example, if you assign a user a role at tenant scope
and assign the same user the same role at attribute set scope, the user will still have
permissions at tenant scope.

Step 3: Review the available roles


You need to determine who needs access to work with custom security attributes in your
organization. To help you manage access to custom security attributes, there are four
Azure AD built-in roles. By default, Global Administrator and other administrator roles
do not have permissions to read, define, or assign custom security attributes. If
necessary, a Global Administrator can assign these roles to themselves.

Attribute Definition Administrator


Attribute Assignment Administrator
Attribute Definition Reader
Attribute Assignment Reader
The following table provides a high-level comparison of the custom security attributes
roles.

Permission                                      Global  Attribute   Attribute   Attribute   Attribute
                                                Admin   Definition  Assignment  Definition  Assignment
                                                        Admin       Admin       Reader      Reader

Read attribute sets                                     ✔️           ✔️           ✔️           ✔️
Read attribute definitions                              ✔️           ✔️           ✔️           ✔️
Read attribute assignments for users                                ✔️                       ✔️
and applications (service principals)
Add or edit attribute sets                              ✔️
Add, edit, or deactivate attribute definitions          ✔️
Assign attributes to users and applications                         ✔️
(service principals)

Step 4: Determine your delegation strategy


This step describes two ways you can manage access to custom security attributes. The
first way is to manage them centrally and the second way is to delegate management to
others.

Manage attributes centrally

An administrator that has been assigned the Attribute Definition Administrator and
Attribute Assignment Administrator roles at tenant scope can manage all aspects of
custom security attributes. The following diagram shows how custom security attributes
are defined and assigned by a single administrator.
1. The administrator (Xia) has both the Attribute Definition Administrator and
Attribute Assignment Administrator roles assigned at tenant scope. The
administrator adds attribute sets and defines attributes.
2. The administrator assigns attributes to Azure AD objects.

Managing attributes centrally has the advantage that it can be managed by one or two
administrators. The disadvantage is that the administrator might get several requests to
define or assign custom security attributes. In this case, you might want to delegate
management.

Manage attributes with delegation

An administrator may not know every situation in which custom security attributes
should be defined and assigned. Typically it's users within the respective departments,
teams, or projects who know the most about their area. Instead of assigning one or two
administrators to manage all custom security attributes, you can instead delegate the
management at attribute set scope. This also follows the best practice of least privilege:
grant just the permissions other administrators need to do their job and avoid
unnecessary access. The following diagram shows how the management of custom
security attributes can be delegated to multiple administrators.

1. The administrator (Xia) with the Attribute Definition Administrator role assigned at
tenant scope adds attribute sets. The administrator also has permissions to assign
roles to others (Privileged Role Administrator) and delegates who can read, define,
or assign custom security attributes for each attribute set.
2. The delegated Attribute Definition Administrators (Alice and Bob) define attributes
in the attribute sets they have been granted access to.
3. The delegated Attribute Assignment Administrators (Chandra and Bob) assign
attributes from their attribute sets to Azure AD objects.

Step 5: Select the appropriate roles and scope


Once you have a better understanding of how your attributes will be organized and who
needs access, you can select the appropriate custom security attribute roles and scope.
The following table can help you with the selection.
For each role and scope (Assign this role / Scope), the table lists the access it grants (I want to grant this access):

Attribute Definition Administrator, scope: Tenant
    Read all attribute sets in a tenant
    Read all attribute definitions in a tenant
    Add or edit all attribute sets in a tenant
    Add, edit, or deactivate all attribute definitions in a tenant

Attribute Definition Administrator, scope: Attribute set
    Read attribute definitions in a scoped attribute set
    Add, edit, or deactivate attribute definitions in a scoped attribute set
    Cannot update the scoped attribute set
    Cannot read, add, or update other attribute sets

Attribute Assignment Administrator, scope: Tenant
    Read all attribute sets in a tenant
    Read all attribute definitions in a tenant
    Read all attribute assignments in a tenant for users
    Read all attribute assignments in a tenant for applications (service principals)
    Assign all attributes in a tenant to users
    Assign all attributes in a tenant to applications (service principals)
    Author Azure role assignment conditions that use the Principal attribute for all attributes in a tenant

Attribute Assignment Administrator, scope: Attribute set
    Read attribute definitions in a scoped attribute set
    Read attribute assignments that use attributes in a scoped attribute set for users
    Read attribute assignments that use attributes in a scoped attribute set for applications (service principals)
    Assign attributes in a scoped attribute set to users
    Assign attributes in a scoped attribute set to applications (service principals)
    Author Azure role assignment conditions that use the Principal attribute for all attributes in a scoped attribute set
    Cannot read attributes in other attribute sets
    Cannot read attribute assignments that use attributes in other attribute sets

Attribute Definition Reader, scope: Tenant
    Read all attribute sets in a tenant
    Read all attribute definitions in a tenant

Attribute Definition Reader, scope: Attribute set
    Read attribute definitions in a scoped attribute set
    Cannot read other attribute sets

Attribute Assignment Reader, scope: Tenant
    Read all attribute sets in a tenant
    Read all attribute definitions in a tenant
    Read all attribute assignments in a tenant for users
    Read all attribute assignments in a tenant for applications (service principals)

Attribute Assignment Reader, scope: Attribute set
    Read attribute definitions in a scoped attribute set
    Read attribute assignments that use attributes in a scoped attribute set for users
    Read attribute assignments that use attributes in a scoped attribute set for applications (service principals)
    Cannot read attributes in other attribute sets
    Cannot read attribute assignments that use attributes in other attribute sets

Step 6: Assign roles


To grant access to the appropriate people, follow these steps to assign one of the
custom security attribute roles.

Assign roles at attribute set scope


The following examples show how to assign a custom security attribute role to a
principal at an attribute set scope named Engineering.

Portal

1. Sign in to the Azure portal.

2. Click Azure Active Directory.

3. In the left navigation menu, click Custom security attributes (Preview).

4. Click the attribute set you want to grant access to.

5. Click Roles and administrators.

6. Add assignments for the custom security attribute roles.

Note

If you are using Azure AD Privileged Identity Management (PIM), eligible
role assignments at attribute set scope currently aren't supported.
Permanent role assignments at attribute set scope are supported, but the
Assigned roles page for a user doesn't list the role assignments.

Assign roles at tenant scope


The following examples show how to assign a custom security attribute role to a
principal at tenant scope.

Portal

1. Sign in to the Azure portal.

2. Click Azure Active Directory.

3. In the left navigation menu, click Roles and administrators.


4. Add assignments for the custom security attribute roles.
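Role assignments at attribute set scope can also be created and, more importantly, reviewed with Microsoft Graph PowerShell, which matters because the portal's Assigned roles page does not list them. The script below is an added example, not code from the Microsoft article; it uses the page's Engineering attribute set, the function names Grant-AttributeSetRole and Get-AttributeSetRoleAssignments are assumptions of this example, and the principal object ID is a placeholder.

```powershell
# Added example (not from the Microsoft article). Assigns a custom security attribute
# role at attribute set scope and then lists every assignment scoped to that set,
# since the portal's Assigned roles page does not show them (see Known issues).
# Requires the Microsoft.Graph module; function names are assumptions.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Directory.Read.All"

function Grant-AttributeSetRole {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,      # object ID of the user or group
        [Parameter(Mandatory)] [string] $RoleDisplayName,  # one of the four attribute roles
        [Parameter(Mandatory)] [string] $AttributeSetId    # e.g. "Engineering"
    )
    # Look the role up by display name instead of hard-coding its template ID.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "Role definition '$RoleDisplayName' not found." }

    # Attribute set scope is /attributeSets/<id>; "/" would be tenant scope, which
    # grants far more than a delegated admin for one attribute set needs.
    $scope = "/attributeSets/$AttributeSetId"

    # Idempotent: reuse an existing assignment rather than creating a duplicate.
    $existing = Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "principalId eq '$PrincipalId'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq $scope }
    if ($existing) { return $existing }

    # Permanent (active) assignment; eligible PIM assignments at attribute set
    # scope are not supported.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $PrincipalId `
        -RoleDefinitionId $role.Id -DirectoryScopeId $scope
}

function Get-AttributeSetRoleAssignments {
    param([Parameter(Mandatory)] [string] $AttributeSetId)
    $scope = "/attributeSets/$AttributeSetId"
    # Filter client-side so no server-side $filter support on directoryScopeId is assumed.
    Get-MgRoleManagementDirectoryRoleAssignment -All |
        Where-Object { $_.DirectoryScopeId -eq $scope } |
        ForEach-Object {
            $roleName = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
            $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
            [pscustomobject]@{
                Role        = $roleName
                Principal   = $principal.AdditionalProperties["displayName"]
                PrincipalId = $_.PrincipalId
                Scope       = $_.DirectoryScopeId
            }
        }
}

# Usage: delegate assignment rights for the Engineering attribute set to one
# principal (placeholder object ID), then review everything scoped to that set.
$principalId = "<object-id-of-user-or-group>"
Grant-AttributeSetRole -PrincipalId $principalId -RoleDisplayName "Attribute Assignment Administrator" -AttributeSetId "Engineering"
Get-AttributeSetRoleAssignments -AttributeSetId "Engineering" | Format-Table -AutoSize
```

Running Get-AttributeSetRoleAssignments for each attribute set is a quick way to inventory delegated attribute administrators that an access review based on the portal alone would miss.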

View audit logs for attribute changes


Sometimes you need information about custom security attribute changes, such as for
auditing or troubleshooting purposes. Anytime someone makes changes to definitions
or assignments, the changes get logged in the Azure AD audit logs.

Here are the custom security attribute-related activities that are logged:

Add attribute set
Update attribute set
Add custom security attribute definition
Update custom security attribute definition
Assign custom security attribute
Remove custom security attribute

The following screenshot shows an example of the audit log. To filter the logs for
custom security attribute-related activities, select the Category filter and then select
AttributeManagement.
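The same AttributeManagement category can be queried programmatically for review or SIEM export. The following Microsoft Graph PowerShell script is an added example, not code from the Microsoft article; the function name Get-AttributeManagementAudit is an assumption of this example, and the property names follow the directoryAudit object the Microsoft.Graph.Reports module returns.

```powershell
# Added example (not from the Microsoft article). Pulls the AttributeManagement audit
# events of the last N days and flattens them into one row per change, so definition
# edits and attribute assignments can be reviewed or forwarded to a SIEM.
# Requires the Microsoft.Graph module; the function name is an assumption.
Connect-MgGraph -Scopes "AuditLog.Read.All"

function Get-AttributeManagementAudit {
    param([int] $Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    # Same category the portal's Category filter offers as AttributeManagement.
    $filter = "category eq 'AttributeManagement' and activityDateTime ge $since"

    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        # Changes come either from a signed-in user or from an app acting on its own.
        $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                 else { $_.InitiatedBy.App.DisplayName }
        $target = $_.TargetResources | Select-Object -First 1
        $changes = foreach ($p in $target.ModifiedProperties) {
            "$($p.DisplayName): $($p.OldValue) -> $($p.NewValue)"
        }
        [pscustomobject]@{
            Time       = $_.ActivityDateTime
            Activity   = $_.ActivityDisplayName   # e.g. "Assign custom security attribute"
            Result     = $_.Result
            Actor      = $actor
            TargetType = $target.Type             # e.g. User, ServicePrincipal
            Target     = $target.DisplayName
            Changes    = $changes -join "; "
        }
    }
}

$events = Get-AttributeManagementAudit -Days 7

# Everything that happened, newest first.
$events | Sort-Object Time -Descending |
    Format-Table Time, Activity, Actor, TargetType, Target -AutoSize

# Worth a closer look: attributes assigned to applications (service principals),
# because attribute values feed Azure role assignment conditions, and any change
# to a definition, which includes deactivations.
$events | Where-Object { $_.Activity -eq "Assign custom security attribute" -and $_.TargetType -eq "ServicePrincipal" }
$events | Where-Object { $_.Activity -like "Update custom security attribute definition*" } |
    Format-List Time, Actor, Target, Changes
```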
Next steps
Add or deactivate custom security attribute definitions in Azure AD
Assign, update, list, or remove custom security attributes for a user
Troubleshoot custom security attributes in Azure AD

Assign, update, list, or remove custom security attributes for a user (Preview)
Article • 06/30/2023

) Important

Custom security attributes are currently in PREVIEW. See the Supplemental Terms
of Use for Microsoft Azure Previews for legal terms that apply to Azure features
that are in beta, preview, or otherwise not yet released into general availability.

Custom security attributes in Azure Active Directory (Azure AD), part of Microsoft Entra,
are business-specific attributes (key-value pairs) that you can define and assign to Azure
AD objects. For example, you can assign a custom security attribute to filter your
employees or to help determine who gets access to resources. This article describes how
to assign, update, list, or remove custom security attributes for Azure AD.

Prerequisites
To assign or remove custom security attributes for a user in your Azure AD tenant, you
need:

Azure AD Premium P1 or P2 license
Attribute Assignment Administrator
Microsoft.Graph module when using Microsoft Graph PowerShell
AzureADPreview version 2.0.2.138 or later when using Azure AD PowerShell

Important

By default, Global Administrator and other administrator roles do not have
permissions to read, define, or assign custom security attributes.

Assign custom security attributes to a user

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

1. Sign in to the Azure portal.

2. Make sure that you have defined custom security attributes. For more information,
see Add or deactivate custom security attribute definitions in Azure AD.

3. Select Azure Active Directory > Users.

4. Find and select the user you want to assign custom security attributes to.

5. In the Manage section, select Custom security attributes (preview).

6. Select Add assignment.

7. In Attribute set, select an attribute set from the list.

8. In Attribute name, select a custom security attribute from the list.

9. Depending on the properties of the selected custom security attribute, you can
enter a single value, select a value from a predefined list, or add multiple values.

For freeform, single-valued custom security attributes, enter a value in the
Assigned values box.
For predefined custom security attribute values, select a value from the
Assigned values list.
For multi-valued custom security attributes, select Add values to open the
Attribute values pane and add your values. When finished adding values,
select Done.

10. When finished, select Save to assign the custom security attributes to the user.

Update custom security attribute assignment values for a user

1. Sign in to the Azure portal.

2. Select Azure Active Directory > Users.

3. Find and select the user that has a custom security attribute assignment value you
want to update.

4. In the Manage section, select Custom security attributes (preview).

5. Find the custom security attribute assignment value you want to update.

Once you have assigned a custom security attribute to a user, you can only change
the value of the custom security attribute. You can't change other properties of the
custom security attribute, such as attribute set or attribute name.

6. Depending on the properties of the selected custom security attribute, you can
update a single value, select a value from a predefined list, or update multiple
values.

7. When finished, select Save.

Filter users based on custom security attribute assignments

You can filter the list of custom security attributes assigned to users on the All users
page.

1. Sign in to the Azure portal.

2. Select Azure Active Directory > Users.

3. Select Add filter to open the Add filter pane.

4. Select Custom security attributes.

5. Select your attribute set and attribute name.

6. For Operator, you can select equals (==), not equals (!=), or starts with.

7. For Value, enter or select a value.

8. To apply the filter, select Apply.

Remove custom security attribute assignments from a user

1. Sign in to the Azure portal.

2. Select Azure Active Directory > Users.

3. Find and select the user that has the custom security attribute assignments you
want to remove.

4. In the Manage section, select Custom security attributes (preview).

5. Add check marks next to all the custom security attribute assignments you want to
remove.

6. Select Remove assignment.

PowerShell or Microsoft Graph API

To manage custom security attribute assignments for users in your Azure AD
organization, you can use PowerShell or Microsoft Graph API. The following examples
can be used to manage assignments.

Assign a custom security attribute with a string value to a user

The following example assigns a custom security attribute with a string value to a user.

Attribute set: Engineering
Attribute: ProjectDate
Attribute data type: String
Attribute value: "2023-10-01"

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "ProjectDate" = "2023-10-01"
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Assign a custom security attribute with a multi-string value to a user

The following example assigns a custom security attribute with a multi-string value to a
user.

Attribute set: Engineering
Attribute: Project
Attribute data type: Collection of Strings
Attribute value: ["Baker","Cascade"]

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "Project@odata.type" = "#Collection(String)"
        "Project" = @("Baker","Cascade")
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Assign a custom security attribute with an integer value to a user

The following example assigns a custom security attribute with an integer value to a
user.

Attribute set: Engineering
Attribute: NumVendors
Attribute data type: Integer
Attribute value: 4

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "NumVendors@odata.type" = "#Int32"
        "NumVendors" = 4
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Assign a custom security attribute with a multi-integer value to a user

The following example assigns a custom security attribute with a multi-integer value to a
user.

Attribute set: Engineering
Attribute: CostCenter
Attribute data type: Collection of Integers
Attribute value: [1001,1003]

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "CostCenter@odata.type" = "#Collection(Int32)"
        "CostCenter" = @(1001,1003)
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Assign a custom security attribute with a Boolean value to a user

The following example assigns a custom security attribute with a Boolean value to a
user.

Attribute set: Engineering
Attribute: Certification
Attribute data type: Boolean
Attribute value: true

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "Certification" = $true
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Update a custom security attribute assignment with an integer value for a user

The following example updates a custom security attribute assignment with an integer
value for a user.

Attribute set: Engineering
Attribute: NumVendors
Attribute data type: Integer
Attribute value: 8

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "NumVendors@odata.type" = "#Int32"
        "NumVendors" = 8
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Update a custom security attribute assignment with a Boolean value for a user

The following example updates a custom security attribute assignment with a Boolean
value for a user.

Attribute set: Engineering
Attribute: Certification
Attribute data type: Boolean
Attribute value: false

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "Certification" = $false
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Update a custom security attribute assignment with a multi-string value for a user

The following example updates a custom security attribute assignment with a multi-
string value for a user.

Attribute set: Engineering
Attribute: Project
Attribute data type: Collection of Strings
Attribute value: ["Alpine","Baker"]

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "Project@odata.type" = "#Collection(String)"
        "Project" = @("Alpine","Baker")
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Get the custom security attribute assignments for a user

The following example gets the custom security attribute assignments for a user.

PowerShell

Get-MgUser

PowerShell

Select-MgProfile -Name "beta"


$userAttributes = Get-MgUser -UserId $userId -Property "customSecurityAttributes"
$userAttributes.CustomSecurityAttributes.AdditionalProperties | Format-List
$userAttributes.CustomSecurityAttributes.AdditionalProperties.Engineering
$userAttributes.CustomSecurityAttributes.AdditionalProperties.Marketing

Output

Key : Engineering
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[Project@odata.type, #Collection(String)], [Project, System.Object[]],
[ProjectDate, 2023-10-01]…}

Key : Marketing
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[EmployeeId, GS45897]}

Key Value
--- -----
@odata.type #microsoft.graph.customSecurityAttributeValue
Project@odata.type #Collection(String)
Project {Baker, Alpine}
ProjectDate 2023-10-01
NumVendors 8
CostCenter@odata.type #Collection(Int32)
CostCenter {1001, 1003}
Certification False

Key Value
--- -----
@odata.type #microsoft.graph.customSecurityAttributeValue
EmployeeId KX45897

If there are no custom security attributes assigned to the user or if the calling
principal does not have access, the response will be empty.
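The raw AdditionalProperties dictionaries shown above are awkward to review across a whole tenant. The following is an added example, not code from the article: it walks every user's assignments and flattens them into one row per attribute value, which is the shape an access review or export needs. It assumes the beta profile used by the article's examples, a principal holding the Attribute Assignment Reader or Administrator role (otherwise the property comes back empty rather than as an error), and a constructed CSV path.

```powershell
# Added example (not from the article): flatten customSecurityAttributes across all
# users into one row per attribute value. Assumes the beta profile used by the
# article's examples and a principal holding the Attribute Assignment Reader or
# Attribute Assignment Administrator role; without it the property is empty.
Select-MgProfile -Name "beta"

function Get-CustomSecurityAttributeReport {
    $users = Get-MgUser -All -Property "id,userPrincipalName,customSecurityAttributes"
    foreach ($u in $users) {
        # AdditionalProperties holds one dictionary per attribute set, keyed by set name
        $sets = $u.CustomSecurityAttributes.AdditionalProperties
        if (-not $sets -or $sets.Count -eq 0) { continue }
        foreach ($setName in $sets.Keys) {
            $attrs = $sets[$setName]
            foreach ($attrName in $attrs.Keys) {
                # Skip the @odata.type annotations; they are type hints, not values
                if ($attrName -like '*@odata.type') { continue }
                [pscustomobject]@{
                    UserPrincipalName = $u.UserPrincipalName
                    AttributeSet      = $setName
                    Attribute         = $attrName
                    # Multi-valued attributes arrive as System.Object[]; join them for display
                    Value             = (@($attrs[$attrName]) -join '; ')
                }
            }
        }
    }
}

# Example use: who carries Engineering.Project, and a full export for review.
# The CSV path is a constructed placeholder.
$report = Get-CustomSecurityAttributeReport
$report | Where-Object { $_.AttributeSet -eq 'Engineering' -and $_.Attribute -eq 'Project' } |
    Format-Table -AutoSize
$report | Export-Csv -Path .\csa-report.csv -NoTypeInformation
```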

List all users with a custom security attribute assignment that equals a value

The following example lists all users with a custom security attribute assignment that
equals a value. It retrieves users with a custom security attribute named AppCountry with
a value that equals Canada. The filter value is case sensitive. You must add
ConsistencyLevel=eventual in the request or the header. You must also include
$count=true to ensure the request is routed correctly.

Attribute set: Marketing
Attribute: AppCountry
Filter: AppCountry eq 'Canada'

PowerShell

Get-MgUser

PowerShell

Select-MgProfile -Name "beta"


$userAttributes = Get-MgUser -CountVariable CountVar -Property "id,displayName,customSecurityAttributes" -Filter "customSecurityAttributes/Marketing/AppCountry eq 'Canada'" -ConsistencyLevel eventual
$userAttributes | select Id,DisplayName,CustomSecurityAttributes
$userAttributes.CustomSecurityAttributes.AdditionalProperties | Format-List

Output

Id                                   DisplayName CustomSecurityAttributes
--                                   ----------- ------------------------
4b4e8090-e9ba-4bdc-b2f0-67c3c7c59489 Jiya        Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue
efdf3082-64ae-495f-b051-855e2d8df969 Jana        Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue

Key : Engineering
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[Datacenter@odata.type, #Collection(String)], [Datacenter,
System.Object[]]}

Key : Marketing
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[AppCountry@odata.type, #Collection(String)], [AppCountry,
System.Object[]],
[EmployeeId, KX19476]}

Key : Marketing
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[AppCountry@odata.type, #Collection(String)], [AppCountry,
System.Object[]],
[EmployeeId, GS46982]}

List all users with a custom security attribute assignment that starts with a value

The following example lists all users with a custom security attribute assignment that
starts with a value. It retrieves users with a custom security attribute named EmployeeId
with a value that starts with GS. The filter value is case sensitive. You must add
ConsistencyLevel=eventual in the request or the header. You must also include
$count=true to ensure the request is routed correctly.

Attribute set: Marketing
Attribute: EmployeeId
Filter: EmployeeId startsWith 'GS'

PowerShell

Get-MgUser

PowerShell

Select-MgProfile -Name "beta"


$userAttributes = Get-MgUser -CountVariable CountVar -Property "id,displayName,customSecurityAttributes" -Filter "startsWith(customSecurityAttributes/Marketing/EmployeeId,'GS')" -ConsistencyLevel eventual
$userAttributes | select Id,DisplayName,CustomSecurityAttributes
$userAttributes.CustomSecurityAttributes.AdditionalProperties | Format-List

Output

Id                                   DisplayName CustomSecurityAttributes
--                                   ----------- ------------------------
02d52406-be75-411b-b02f-29d7f38dcf62 Chandra     Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue
efdf3082-64ae-495f-b051-855e2d8df969 Jana        Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue
d5a1c025-2d79-4ad3-9217-91ac3a4ed8b8 Joe         Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue

Key : Marketing
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[EmployeeId, GS36348]}

Key : Marketing
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[AppCountry@odata.type, #Collection(String)], [AppCountry,
System.Object[]],
[EmployeeId, GS46982]}

Key : Engineering
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[Project@odata.type, #Collection(String)], [Project, System.Object[]],
[ProjectDate, 2023-10-01]…}

Key : Marketing
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue],
[EmployeeId, GS45897]}

List all users with a custom security attribute assignment that does
not equal a value
The following example lists all users with a custom security attribute assignment that
does not equal a value. It retrieves users with a custom security attribute named
AppCountry with a value that does not equal Canada. The filter value is case sensitive.
You must add ConsistencyLevel=eventual in the request or the header. You must also
include $count=true to ensure the request is routed correctly.

Attribute set: Marketing
Attribute: AppCountry
Filter: AppCountry ne 'Canada'

PowerShell

Get-MgUser

PowerShell

Select-MgProfile -Name "beta"


$userAttributes = Get-MgUser -CountVariable CountVar -Property "id,displayName,customSecurityAttributes" -Filter "customSecurityAttributes/Marketing/AppCountry ne 'Canada'" -ConsistencyLevel eventual
$userAttributes | select Id,DisplayName,CustomSecurityAttributes

Output

Id                                   DisplayName CustomSecurityAttributes
--                                   ----------- ------------------------
02d52406-be75-411b-b02f-29d7f38dcf62 Chandra     Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue
eaea4971-7764-4498-9aeb-776496812e75 Isabella    Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue
d937580c-692c-451f-a507-6758d3bdf353 Alain       Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue
d5a1c025-2d79-4ad3-9217-91ac3a4ed8b8 Joe         Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue
23ad8721-f46c-421a-9785-33b0ef474198 Dara        Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue

Remove a single-valued custom security attribute assignment from a user

The following example removes a single-valued custom security attribute assignment
from a user by setting the value to null.

Attribute set: Engineering
Attribute: ProjectDate
Attribute value: null

PowerShell

Invoke-MgGraphRequest

PowerShell

$params = @{
    "customSecurityAttributes" = @{
        "Engineering" = @{
            "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
            "ProjectDate" = $null
        }
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/users/$userId" -Body $params

Remove a multi-valued custom security attribute assignment from a user

The following example removes a multi-valued custom security attribute assignment
from a user by setting the value to an empty collection.

Attribute set: Engineering
Attribute: Project
Attribute value: []

PowerShell

Update-MgUser

PowerShell

Select-MgProfile -Name "beta"


$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "Project" = @()
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

Frequently asked questions
Where are custom security attribute assignments for users supported?

Custom security attribute assignments for users are supported in Azure portal,
PowerShell, and Microsoft Graph APIs. Custom security attribute assignments are not
supported in My Apps or Microsoft 365 admin center.

Who can view the custom security attributes assigned to a user?

Only users that have been assigned the Attribute Assignment Administrator or Attribute
Assignment Reader roles at tenant scope can view custom security attributes assigned
to any users in the tenant. Users cannot view the custom security attributes assigned to
their own profile or other users. Guests cannot view the custom security attributes
regardless of the guest permissions set on the tenant.

Do I need to create an app to add custom security attribute assignments?

No, custom security attributes can be assigned to user objects without requiring an
application.

Why do I keep getting an error trying to save custom security attribute assignments?

You don't have permissions to assign custom security attributes to users. Make sure that
you are assigned the Attribute Assignment Administrator role.

Can I assign custom security attributes to guests?

Yes, custom security attributes can be assigned to members or guests in your tenant.

Can I assign custom security attributes to directory synced users?

Yes, directory synced users from an on-premises Active Directory can be assigned
custom security attributes.

Are custom security attribute assignments available for dynamic membership rules?

No, custom security attributes assigned to users are not supported for configuring
dynamic membership rules.

Are custom security attributes the same as the custom attributes in B2C tenants?

No, custom security attributes are not supported in B2C tenants and are not related to
B2C features.

Next steps
Add or deactivate custom security attribute definitions in Azure AD
Assign, update, list, or remove custom security attributes for an application
Examples: Assign, update, list, or remove custom security attribute assignments
using the Microsoft Graph API
Troubleshoot custom security attributes in Azure AD

Manage custom security attributes for an application (Preview)
Article • 03/10/2023

Important

Custom security attributes are currently in PREVIEW. See the Supplemental Terms
of Use for Microsoft Azure Previews for legal terms that apply to Azure features
that are in beta, preview, or otherwise not yet released into general availability.

Custom security attributes in Azure Active Directory (Azure AD) are business-specific
attributes (key-value pairs) that you can define and assign to Azure AD objects. For
example, you can assign custom security attributes to filter your applications or to help
determine who gets access. This article describes how to assign, update, list, or remove
custom security attributes for Azure AD enterprise applications.

Prerequisites
To assign or remove custom security attributes for an application in your Azure AD
tenant, you need:

Azure AD Premium P1 or P2 license
Attribute Assignment Administrator
Make sure you have existing custom security attributes. To learn how to create a
security attribute, see Add or deactivate custom security attributes in Azure AD.

Important

By default, Global Administrator and other administrator roles don't have
permissions to read, define, or assign custom security attributes.

Assign, update, list, or remove custom attributes for an application

Learn how to work with custom attributes for applications in Azure AD.

Assign custom security attributes to an application

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

Follow these steps to assign custom security attributes through the Azure portal.

1. Sign in to the Azure portal.

2. Select Azure Active Directory, then select Enterprise applications.

3. Find and select the application you want to add a custom security attribute to.

4. In the Manage section, select Custom security attributes (preview).

5. Select Add assignment.

6. In Attribute set, select an attribute set from the list.

7. In Attribute name, select a custom security attribute from the list.

8. Depending on the properties of the selected custom security attribute, you can
enter a single value, select a value from a predefined list, or add multiple values.

For freeform, single-valued custom security attributes, enter a value in the
Assigned values box.
For predefined custom security attribute values, select a value from the
Assigned values list.
For multi-valued custom security attributes, select Add values to open the
Attribute values pane and add your values. When finished adding values,
select Done.

9. When finished, select Save to assign the custom security attributes to the
application.

Update custom security attribute assignment values for an application

1. Sign in to the Azure portal.

2. Select Azure Active Directory, then select Enterprise applications.

3. Find and select the application that has a custom security attribute assignment
value you want to update.

4. In the Manage section, select Custom security attributes (preview).

5. Find the custom security attribute assignment value you want to update.

Once you've assigned a custom security attribute to an application, you can only
change the value of the custom security attribute. You can't change other
properties of the custom security attribute, such as attribute set or custom security
attribute name.

6. Depending on the properties of the selected custom security attribute, you can
update a single value, select a value from a predefined list, or update multiple
values.

7. When finished, select Save.

Filter applications based on custom security attributes

You can filter the list of custom security attributes assigned to applications on the All
applications page.

1. Sign in to the Azure portal.

2. Select Azure Active Directory, then select Enterprise applications.

3. Select Add filters to open the Pick a field pane.

If you don't see Add filters, select the banner to enable the Enterprise applications
search preview.

4. For Filters, select Custom security attribute.

5. Select your attribute set and attribute name.

6. For Operator, you can select equals (==), not equals (!=), or starts with.

7. For Value, enter or select a value.

8. To apply the filter, select Apply.

Remove custom security attribute assignments from applications

1. Sign in to the Azure portal.

2. Select Azure Active Directory, then select Enterprise applications.

3. Find and select the application that has the custom security attribute assignments
you want to remove.

4. In the Manage section, select Custom security attributes (preview).

5. Add check marks next to all the custom security attribute assignments you want to
remove.

6. Select Remove assignment.

Next steps
Add or deactivate custom security attributes in Azure AD
Assign, update, list, or remove custom security attributes for a user
Troubleshoot custom security attributes in Azure AD

Troubleshoot custom security attributes in Azure AD (Preview)
Article • 06/29/2023

Important

Custom security attributes are currently in PREVIEW. See the Supplemental Terms
of Use for Microsoft Azure Previews for legal terms that apply to Azure features
that are in beta, preview, or otherwise not yet released into general availability.

Symptom - Custom security attributes page is disabled

When you're signed in to the Azure portal as Global Administrator and try to access the
Custom security attributes page, the page is disabled.

Cause

Custom security attributes require an Azure AD Premium P1 or P2 license.

Solution

Open Azure Active Directory > Overview and check the license for your tenant.

Symptom - Add attribute set is disabled

When you're signed in to the Azure portal as Global Administrator and try to click
Custom security attributes > Add attribute set, the option is disabled.

Cause

You don't have permissions to add an attribute set. To add an attribute set and custom
security attributes, you must be assigned the Attribute Definition Administrator role. By
default, Global Administrator and other administrator roles do not have permissions to
read, define, or assign custom security attributes.

Solution

Make sure that you are assigned the Attribute Definition Administrator role at either the
tenant scope or attribute set scope. For more information, see Manage access to custom
security attributes in Azure AD.

Symptom - Error when you try to assign a custom security attribute

When you try to save a custom security attribute assignment, you get the message:

Insufficient privileges to save custom security attributes

This account does not have the necessary admin privileges to change custom
security attributes

Cause

You don't have permissions to assign custom security attributes. To assign custom
security attributes, you must be assigned the Attribute Assignment Administrator role.
By default, Global Administrator and other administrator roles do not have permissions
to read, define, or assign custom security attributes.

Solution

Make sure that you are assigned the Attribute Assignment Administrator role at either
the tenant scope or attribute set scope. For more information, see Manage access to
custom security attributes in Azure AD.

Symptom - Cannot filter custom security attributes for users or applications

Cause 1

You don't have permissions to filter custom security attributes. To read and filter custom
security attributes for users or enterprise applications, you must be assigned the
Attribute Assignment Reader or Attribute Assignment Administrator role. By default,
Global Administrator and other administrator roles do not have permissions to read,
define, or assign custom security attributes.

Solution 1

Make sure that you are assigned one of the following Azure AD built-in roles at either
the tenant scope or attribute set scope. For more information, see Manage access to
custom security attributes in Azure AD.

Attribute Assignment Administrator
Attribute Assignment Reader

Cause 2

You are assigned the Attribute Assignment Reader or Attribute Assignment
Administrator role, but you have not been assigned access to an attribute set.

Solution 2

You can delegate the management of custom security attributes at the tenant scope or
at the attribute set scope. Make sure you have been assigned access to an attribute set
at either the tenant scope or attribute set scope. For more information, see Manage
access to custom security attributes in Azure AD.

Cause 3

There are no custom security attributes defined and assigned yet for your tenant.

Solution 3

Add and assign custom security attributes to users or enterprise applications. For more
information, see Add or deactivate custom security attribute definitions in Azure AD,
Assign, update, list, or remove custom security attributes for a user, or Assign, update,
list, or remove custom security attributes for an application.

Symptom - Custom security attributes cannot be deleted

Cause

Currently, you can only activate and deactivate custom security attribute definitions.
Deletion of custom security attributes is not supported. Deactivated definitions do not
count towards the tenant wide 500 definition limit.

Solution

Deactivate the custom security attributes you no longer need. For more information, see
Add or deactivate custom security attribute definitions in Azure AD.

Symptom - Cannot add a role assignment at an attribute set scope using PIM

When you try to add an eligible Azure AD role assignment using Azure AD Privileged
Identity Management (PIM), you cannot set the scope to an attribute set.

Cause

PIM currently does not support adding an eligible Azure AD role assignment at an
attribute set scope.

Symptom - Insufficient privileges when using Graph Explorer

When you try to use Graph Explorer to call Microsoft Graph APIs for custom security
attributes, you see a message similar to the following:

Forbidden - 403. You need to consent to the permissions on the Modify
permissions (Preview) tab

Authorization_RequestDenied

Insufficient privileges to complete the operation.

Cause 1

You have not consented to the required custom security attribute permissions to make
the API call.

Solution 1

Open the Permissions panel, select the appropriate custom security attribute permission,
and click Consent. In the Permissions requested window that appears, review the
requested permissions.

Cause 2

You are not assigned the required custom security attribute role to make the API call. By
default, Global Administrator and other administrator roles do not have permissions to
read, define, or assign custom security attributes.

Solution 2

Make sure that you are assigned the required custom security attribute role. For more
information, see Manage access to custom security attributes in Azure AD.

Symptom - Request_UnsupportedQuery error

When you try to call Microsoft Graph APIs for custom security attributes, you see a
message similar to the following:

Bad Request - 400

Request_UnsupportedQuery

Unsupported or invalid query filter clause specified for property
'<AttributeSet>_<Attribute>' of resource 'CustomSecurityAttributeValue'.

Cause

The request isn't formatted correctly.

Solution

If required, add ConsistencyLevel=eventual in the request or the header. You might also
need to include $count=true to ensure the request is routed correctly. For more
information, see Examples: Assign, update, list, or remove custom security attribute
assignments using the Microsoft Graph API.

Next steps
Manage access to custom security attributes in Azure AD
Troubleshoot Azure role assignment conditions

Frontline worker management
Article • 03/02/2023

Frontline workers account for over 80 percent of the global workforce. Yet because of
high scale, rapid turnover, and fragmented processes, frontline workers often lack the
tools to make their demanding jobs a little easier. Frontline worker management brings
digital transformation to the entire frontline workforce. The workforce may include
managers, frontline workers, operations, and IT.

Frontline worker management empowers the frontline workforce by making the
following activities easier to accomplish:

Streamlining common IT tasks with My Staff
Easy onboarding of frontline workers through simplified authentication
Seamless provisioning of shared devices and secure sign-out of frontline workers

Delegated user management through My Staff

Azure Active Directory (Azure AD) in the My Staff portal enables delegation of user
management. Frontline managers can save valuable time and reduce risks using the My
Staff portal. When an administrator enables simplified password resets and phone
management directly from the store or factory floor, managers can grant access to
employees without routing the request through the help-desk, IT, or operations.
Accelerated onboarding with simplified authentication

My Staff also enables frontline managers to register their team members' phone
numbers for SMS sign-in. In many verticals, frontline workers maintain a local username
and password combination, a solution that is often cumbersome, expensive, and error-
prone. When IT enables authentication using SMS sign-in, frontline workers can log in
with Single Sign-On (SSO) for Microsoft Teams and other applications using just their
phone number and a one-time passcode (OTP) sent via SMS. Single Sign-On makes
signing in for frontline workers simple and secure, delivering quick access to the apps
they need most.

Frontline managers can also use the Managed Home Screen (MHS) application to allow
workers to have access to a specific set of applications on their Intune-enrolled Android
dedicated devices. The dedicated devices are enrolled with Azure AD shared device
mode. When configured in multi-app kiosk mode in the Microsoft Intune admin center,
MHS is automatically launched as the default home screen on the device and appears to
the end user as the only home screen. To learn more, see how to configure the Microsoft
Managed Home Screen app for Android Enterprise.
Secure sign-out of frontline workers from shared devices

Frontline workers in many companies use shared devices to do inventory management
and sales transactions. Sharing devices reduces the IT burden of provisioning and
tracking them individually. With shared device sign-out, it's easy for a frontline worker to
securely sign out of all apps on any shared device before handing it back to a hub or
passing it off to a teammate on the next shift. Frontline workers can use Microsoft
Teams to view their assigned tasks. Once a worker signs out of a shared device, Intune
and Azure AD clear all of the company data so the device can safely be handed off to
the next associate. You can choose to integrate this capability into all your line-of-
business iOS and Android apps using the Microsoft Authentication Library.

Next steps
For more information on delegated user management, see My Staff user documentation.
Add or delete users using Azure Active Directory
Article • 08/02/2023

Add new users or delete existing users from your Azure Active Directory (Azure AD)
tenant. To add or delete users, you must be a User Administrator or Global
Administrator.

Note

For information about viewing or deleting personal data, please review Microsoft's
guidance on the Windows data subject requests for the GDPR site. For general
information about GDPR, see the GDPR section of the Microsoft Trust Center
and the GDPR section of the Service Trust portal .

Add a new user

Important

Steps in this article may vary slightly based on the portal you start from. Content
will be updated to reflect the Microsoft Entra admin center over the next few
months.

You can create a new user for your organization or invite an external user from the same
starting point.

1. Sign in to the Azure portal in the User Administrator role.

2. Navigate to Azure Active Directory > Users.

3. Select either Create new user or Invite external user from the menu. You can
change this setting on the next screen.

4. On the New User page, provide the new user's information:

Identity: Add a user name and display name for the user. User name and
Name are required and can't contain accent characters. You can also add a
first and last name.

The domain part of the user name must use either the initial default domain
name, <yourdomainname>.onmicrosoft.com, or a custom domain name, such
as contoso.com. For more information about how to create a custom domain
name, see Add your custom domain name using the Azure portal.

Groups and roles: Optional. Add the user to one or more existing groups.
Group membership can be set at any time. For more information about
adding users to groups, see the manage groups article.

Settings: Optional. Toggle the option to block sign-in for the user or set the
user's default location.

Job info: Optional. Add the user's job title, department, company name, and
manager. These details can be updated at any time. For more information
about adding other user info, see How to manage user profile information.

5. Copy the autogenerated password provided in the Password box. You need to give
this password to the user to sign in for the first time.

6. Select Create.

The user is created and added to your Azure AD organization.
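The New User page enforces a few rules on what you type (user name and name required, no accent characters, a domain that is either the initial .onmicrosoft.com domain or a verified custom domain). As an added example that is not part of this article, a Python pre-flight check applying those rules before you create accounts, useful when preparing a list of users in bulk. The set of verified domains and the sample accounts are constructed for the demonstration; contoso.com is the custom domain the article itself uses.

```python
import unicodedata


def has_accent(text: str) -> bool:
    """True when any character carries a combining mark after NFD decomposition (e.g. é, ñ, ü)."""
    return any(unicodedata.combining(ch) for ch in unicodedata.normalize("NFD", text))


def validate_new_user(user_name: str, display_name: str, verified_domains: set[str]) -> list[str]:
    """Apply the New User page rules to a proposed account.

    verified_domains holds the tenant's initial <yourdomainname>.onmicrosoft.com
    domain plus every custom domain that has been added and verified. Returns the
    list of rule violations; an empty list means the values would be accepted.
    """
    problems = []
    if not user_name:
        problems.append("user name is required")
    if not display_name:
        problems.append("display name is required")
    for label, value in (("user name", user_name), ("display name", display_name)):
        if value and has_accent(value):
            problems.append(f"{label} contains accent characters")
    if user_name:
        if "@" not in user_name:
            problems.append("user name must be in the form name@domain")
        else:
            domain = user_name.rsplit("@", 1)[1].lower()
            if domain not in {d.lower() for d in verified_domains}:
                problems.append(
                    f"domain '{domain}' is not the initial .onmicrosoft.com domain "
                    "or a verified custom domain"
                )
    return problems


if __name__ == "__main__":
    # Constructed sample tenant: its initial domain plus the verified custom domain contoso.com.
    domains = {"contoso.onmicrosoft.com", "contoso.com"}
    samples = [("jdoe@contoso.com", "Jane Doe"), ("jos\u00e9@contoso.com", "Jos\u00e9 Ruiz"),
               ("jdoe@fabrikam.com", "")]
    for upn, name in samples:
        print(upn, "->", validate_new_user(upn, name, domains) or "OK")
```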


Add a new guest user
You can also invite a new guest user to collaborate with your organization by selecting
Invite user from the New user page. If your organization's external collaboration
settings are configured to allow guests, the user will be emailed an invitation they must
accept in order to begin collaborating. For more information about inviting B2B
collaboration users, see Invite B2B users to Azure Active Directory.

The process for inviting a guest is the same as adding a new user, with two exceptions.
The email address won't follow the same domain rules as users from your organization.
You can also include a personal message.

Add other users

There might be scenarios in which you want to manually create consumer accounts in
your Azure Active Directory B2C (Azure AD B2C) directory. For more information about
creating consumer accounts, see Create and delete consumer users in Azure AD B2C.

If you have an environment with both Azure Active Directory (cloud) and Windows
Server Active Directory (on-premises), you can add new users by syncing the existing
user account data. For more information about hybrid environments and users, see
Integrate your on-premises directories with Azure Active Directory.

Delete a user
You can delete an existing user using the Azure portal.

You must have a Global Administrator, Privileged Authentication Administrator or
User Administrator role assignment to delete users in your organization.

Global Admins and Privileged Authentication Admins can delete any users,
including other admins.
User Administrators can delete any non-admin users, Helpdesk Administrators, and
other User Administrators.

For more information, see Administrator role permissions in Azure AD.

To delete a user, follow these steps:

1. Sign in to the Azure portal using one of the appropriate roles listed above.

2. Go to Azure Active Directory > Users.

3. Search for and select the user you want to delete from your Azure AD tenant.

4. Select Delete user.

The user is deleted and no longer appears on the Users - All users page. The user can
be seen on the Deleted users page for the next 30 days and can be restored during that
time. For more information about restoring a user, see Restore or remove a recently
deleted user using Azure Active Directory.

When a user is deleted, any licenses consumed by the user are made available for other
users.

Note

To update the identity, contact information, or job information for users whose
source of authority is Windows Server Active Directory, you must use Windows
Server Active Directory. After you complete the update, you must wait for the next
synchronization cycle to complete before you'll see the changes.

Next steps
After you've added your users, you can do the following basic processes:

Add or change profile information

Assign roles to users

Create a basic group and add members

Work with dynamic groups and users

Add guest users from another directory
