M365 Changelog: (Updated) IPv6 coming to Azure AD

MC498471 – Updated March 21, 2023: Earlier, Microsoft had announced our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD) enabling our customers to reach the Azure AD services over IPv4, IPv6 or dual stack endpoints. This is just a reminder that we’ll begin introducing IPv6 support into Azure AD services in a phased approach, starting March 31st, 2023.

With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and IPv6 networks.

Today, we’re excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD). This will allow customers to reach the Azure AD services over both IPv4 and IPv6 network protocols (dual stack).

For most customers, IPv4 won’t completely disappear from their digital landscape, so Microsoft isn’t planning to require IPv6 or to de-prioritize IPv4 in any Azure Active Directory features or services.

When this will happen:

Microsoft has been gradually rolling out IPv6 for some of our services for a while. Starting in late March 2023 we’ll begin enabling IPv6 for Azure AD authentication. We will introduce IPv6 support into Azure AD authentication in a phased approach, beginning late March 2023.

What you can do to prepare:

Microsoft has guidance below which is specifically for Azure AD customers, who use IPv6 addresses and also use Named Locations in their Conditional Access policies. 

Customers who use named locations to identify specific network boundaries in their organization, need to:

  1. Conduct an audit of existing named locations to anticipate potential impact;
  2. Work with your network partner to identify egress IPv6 addresses in use in your environment.;
  3. Review and update existing named locations to include the identified IPv6 ranges.

Customers who use Conditional Access location based policies, to restrict and secure access to their apps from specific networks, need to:

  1. Conduct an audit of existing Conditional Access policies to identify use of named locations as a condition to anticipate potential impact;
  2. Review and update existing Conditional Access location based policies to ensure they continue to meet your organization’s security requirements.

Failing to follow these steps might result in the following impact:

  1. Users of IPv6 addresses may be blocked, depending on your organization’s Conditional Access policies and Identity Protection configurations.
  2. False positive detections due to ‘Mark as trust location’ not being checked for your internal networks and VPN’s can result in users being marked as risky.

 Microsoft will continue to share additional guidance on IPv6 enablement in Azure AD here: IPv6 Support in Azure Active Directory

Learn more about Microsoft identity: