Microsoft Enhances Azure Active Directory With Several New Features

At Microsoft’s Ignite conference this week, there was a series of announcements for new Azure Active Directory features either entering general availability or released in public preview.

AWS Single Sign-On (SSO)

The Azure Active Directory (Azure AD) app gallery now includes AWS Single Sign-On (SSO). AWS SSO is a cloud service that is designed to simplify SSO access to Amazon Web Services accounts and resources. Microsoft says:

As a pre-integrated application in the Azure AD app gallery, AWS SSO can be quickly connected to Azure AD for centralized access management of AWS resources. End users can sign into AWS SSO using their Azure AD credentials to access all their assigned AWS resources.

Passwordless authentication

Microsoft has been pushing passwordless authentication for a while now. With passwordless sign-in, passwords are replaced by something you have, like a security key, plus something you are or know. Something you are might be a biometric gesture like a fingerprint. Something you know might be a PIN.

Passwordless authentication lets users sign in to Azure AD with Windows Hello for Business, the Microsoft Authenticator app, and FIDO2 security keys. Microsoft says that Azure AD now lets organizations scope passwordless policies to particular users, groups, and credential types, and exposes reporting and APIs for managing them.

Temporary Access Pass

Temporary Access Pass (TAP) is a new feature that is available in public preview. A TAP is a time-limited code that can be used to set up, or recover, a passwordless credential. Microsoft says:

With Temporary Access Pass, new network users receive a one-time password to log in and register their account and then register a passwordless credential, such as the Authenticator app, to use going forward. Temporary Access Pass can also be used to replace a lost credential or recover an account.

For more information on passwordless authentication, read How to Set Up Passwordless Sign-in Using the Microsoft Authenticator App for Microsoft 365 and Understanding Windows 10 and Microsoft 365 Passwordless Sign-In on Petri.
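The two administrative steps described above, scoping a credential policy to a group and issuing a time-limited pass, look like this against Microsoft Graph. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that the caller holds the roles needed to edit the authentication method policy and to register methods on users. The group id, the user principal name, and the lifetime values are placeholders.

```powershell
# Added example (not from the article or Microsoft): enable Temporary Access Pass
# for one pilot group, then issue a single-use pass to a user, via Microsoft Graph.
# Assumes the Microsoft Graph PowerShell SDK; $pilotGroupId and $userUpn are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.ReadWrite.All'

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # assumed pilot group object id
$userUpn      = 'new.hire@contoso.example'                # assumed user

# 1. Enable the TAP method for the pilot group only, with conservative tenant defaults.
$tapPolicy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true            # passes are one-time by default
    includeTargets           = @(@{
        targetType             = 'group'
        id                     = $pilotGroupId
        isRegistrationRequired = $false
    })
}
Invoke-MgGraphRequest -Method PATCH -Body $tapPolicy `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/temporaryAccessPass'

# 2. Issue a pass: short lifetime, single use, valid from now.
$tap = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/temporaryAccessPassMethods" `
    -Body @{
        startDateTime     = (Get-Date).ToUniversalTime().ToString('o')
        lifetimeInMinutes = 60
        isUsableOnce      = $true
    }

# The pass value is returned exactly once, in this response; later reads omit it.
# Hand it to the user out of band and keep it out of logs and tickets.
"Pass for $userUpn (single use, $($tap.lifetimeInMinutes) min from $($tap.startDateTime)): $($tap.temporaryAccessPass)"

# 3. Audit what is registered on the user; revoke a pass by id if it is no longer needed.
$methods = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/temporaryAccessPassMethods"
$methods.value | ForEach-Object { "$($_.id) usable=$($_.isUsable) reason=$($_.methodUsabilityReason)" }
# Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/temporaryAccessPassMethods/$($tap.id)"
```

The policy step is what turns the method on for the group; without it the second call is rejected. Keep `isUsableOnce` true for onboarding and recovery, since a reusable pass is effectively a password until it expires.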

Enterprise app management updates

Application Template API and Admin Consent Workflow will be generally available this month. Both give admins new ways to secure and manage applications while simplifying employee access. The Application Template API in Microsoft Graph lets admins and developers find templates in the Azure AD app gallery and instantiate them in a tenant programmatically, creating the application and its service principal without a trip through the portal. Admin Consent Workflow, first announced in September 2020, lets users request access to apps they cannot consent to themselves, and routes those requests to designated reviewers who can grant or deny admin consent.
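An added example, not from the article or Microsoft, of the Application Template API flow: look up a gallery template by name, instantiate it, and then lock the new service principal down so that only assigned users can sign in. It assumes the Microsoft Graph PowerShell SDK and the Application.ReadWrite.All scope; the template display name and the instance name are assumptions and should be replaced with what the gallery actually lists.

```powershell
# Added example (not from the article or Microsoft): add a gallery app to a tenant
# with the Application Template API. Assumes the Microsoft Graph PowerShell SDK.
# $templateName and $instanceName are assumed values.

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$templateName = 'AWS Single Sign-on'       # assumed gallery display name
$instanceName = 'AWS SSO (production)'     # assumed name for the tenant's instance

# 1. Find the gallery template by display name; refuse to guess on zero or many matches.
$found = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/applicationTemplates?`$filter=displayName eq '$templateName'"
if ($found.value.Count -ne 1) {
    throw "Expected exactly one template named '$templateName', found $($found.value.Count)"
}
$templateId = $found.value[0].id

# 2. Instantiate: creates both the application object and its service principal.
$inst = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/applicationTemplates/$templateId/instantiate" `
    -Body @{ displayName = $instanceName }

$spId = $inst.servicePrincipal.id
"Created application $($inst.application.appId) with service principal $spId"

# 3. Safe default: require assignment, so users who are not assigned cannot sign in to the app.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId" `
    -Body @{ appRoleAssignmentRequired = $true }
```

Step 3 is the part that is easy to forget when automating gallery onboarding: a freshly instantiated enterprise app is open to every user in the tenant until assignment is required.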

Azure Active Directory verifiable credentials

Entering public preview in April 2021, verifiable credentials let organizations issue digital credentials containing information that other entities can trust. Ankur Patel, a Principal Program Manager for the Microsoft Identity Division, explains it like this:

To make it easier for developers to reuse their skills, and libraries they are familiar with, we demonstrated how to leverage the widely used OpenID Connect protocol to exchange Verifiable Credentials. Using Azure AD’s Verifiable Credentials service, a university can issue digital credentials to access special discounts, offers, and services meant for students. A bookstore can confidently grant discounts to students from universities and educational institutions they trust. These same Verifiable Credentials, for example, a digital diploma or your employment status, can be used to prove education and career accomplishments, as well as access resources at work and across organizational boundaries.

Microsoft adds:

The verifiable credentials capability in Azure AD enables organizations to issue digital claims about identity attributes based on open standards. Individuals can manage credentials in the Microsoft Authenticator app and developers will be able to request and verify credentials via an application software development kit (SDK).

Azure Active Directory (Azure AD) Application Proxy

Azure AD Application Proxy sees header-based authentication reach general availability. It lets organizations publish legacy apps that cannot do modern authentication themselves: App Proxy authenticates the user against Azure AD, so Conditional Access and MFA apply, and then passes the user's identity attributes to the back-end app as HTTP headers that the app already understands. App Proxy geo routing is now available in public preview. It lets customers designate the region an App Proxy connector group should use, improving performance by reducing latency between the service and the connectors.

Azure Active Directory (Azure AD) Conditional Access

Conditional Access authentication context is now in public preview. Microsoft says:

Azure AD Conditional Access enables customers to configure and fine-tune their access policies with factors such as user, device, location and real-time risk information to control what a specific user can access, as well as when and how they can access it. App-triggered Conditional Access policies (authentication context), which enable additional access controls at the app level, have been released to public preview.
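What "app-triggered" means in practice: an administrator publishes an authentication context, binds a Conditional Access policy to it, and the application asks for that context only when the user reaches a sensitive step. The following is an added example, not code from the article or Microsoft, of the administrator's half. It assumes the Microsoft Graph PowerShell SDK and the Policy.ReadWrite.ConditionalAccess scope; the context id c1, the display names, and the break-glass account id are assumptions.

```powershell
# Added example (not from the article or Microsoft): publish an authentication context
# and a Conditional Access policy that requires MFA whenever an app requests it.
# Assumes the Microsoft Graph PowerShell SDK; c1, names and $breakGlassId are assumed.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # assumed emergency-access account, always excluded

# 1. Create or update context c1 (ids are fixed to c1..c25). isAvailable publishes it to apps.
Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences/c1' `
    -Body @{
        displayName = 'Sensitive operation'
        description = 'Step-up required before high-impact actions in the app'
        isAvailable = $true
    }

# 2. Policy bound to c1: when any app asks for this context, require MFA.
#    Start in report-only and check sign-in logs before switching state to 'enabled'.
$policy = @{
    displayName   = 'Step-up: MFA when authentication context c1 is requested'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeAuthenticationContextClassReferences = @('c1') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $policy
"Policy $($created.id) created in state $($created.state)"
```

On the application side, the app requests the context by asking for an `acrs` claim with value `c1` in its token request; if the returned token lacks that claim, the app should refuse the sensitive action and redirect the user to re-authenticate rather than proceed. Nothing in the policy above prevents an app from simply not requesting c1, so the check in the app is part of the control.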

Azure Active Directory (Azure AD) External Identities

Reaching general availability later this month, External Identities lets organizations secure and manage access for customers and partners. External Identities lets companies protect B2B and B2C apps and users with adaptive, machine learning-based security. Microsoft says that organizations can get started with External Identities for free for the first 50,000 monthly active users, on any tier.