What’s new in Microsoft Entra – June 2024

This post has been republished via RSS; it originally appeared at: Microsoft Entra Blog articles.

Have you explored the What's New in Microsoft Entra hub in the Microsoft Entra admin center? It's a centralized view of our roadmap and change announcements across the Microsoft Entra identity and network access portfolio so you can stay informed with the latest updates and actionable insights to strengthen your security posture.

 

Here in the Microsoft Entra blog, we share feature release information and change announcements every quarter. Today’s post covers April – June 2024. It’s organized by Microsoft Entra products, so you can quickly scan what’s relevant for your deployment. 

 

• Microsoft Entra ID 
• Microsoft Entra ID Governance 
• Microsoft Entra External ID 
• Microsoft Entra Permissions Management 
• Microsoft Entra Verified ID 

 

New releases

 

• Microsoft Entra ID Protection: remediate risks and unblock users
• On-premises password reset remediates user risk
• Multiple Passwordless Phone Sign-in for Android Devices
• Windows Account extension is now Microsoft Single Sign On
• Custom Claims Providers enable token claim augmentation from external data sources
• Granular Certificate-Based Authentication Configuration in Conditional Access
• New role: Organizational Branding Administrator
• Microsoft Graph activity logs

• $select in signIn AP

• Last successful sign-in date for users

• Self-service password reset Admin policy expansion to include additional roles

• Dynamic Groups quota increased to 15,000

• Streamline your ADAL migration with updated sign-ins workbook

 

Change announcements

 

Security update to Entra ID affecting clients which are running old, unpatched builds of Windows

[Action may be required]

 

We're making a security update to Entra ID such that use of older unpatched version of Windows which still use the less secure Key Derivation Function v1 (KDFv1) will no longer be supported.  Once the update is rolled out, unsupported and unpatched Windows 10 and 11 clients will no longer be able to sign in to Entra ID. Globally, more than 99% of Windows clients signing in to Entra ID have the required security patches.

 

Action required:

If your Windows devices have Security Patches after July 2021 no action is required.

 

If your Windows devices do not have security updates after July 2021, update Windows to the latest build of your currently supported Windows version to maintain access to Entra ID. 

 

All currently supported versions of Windows have the required patch. 

 

We recommend you keep Windows up to date with Security Updates.

 

Background: 

A Security Update to Windows CVE-2021-33781 was issued in July 2021 to address a vulnerability where Primary Refresh Tokens were not stored sufficiently securely in the client.  Once patched, Windows clients used the stronger KDFv2 algorithm.  All versions of Windows released since that time have the update and handle the token securely.

 

A small percentage of Windows devices have not yet been updated and are still using the older v1 key derivation function. To improve security of the system, unpatched devices using the KDFv1 algorithm will no longer be able to sign in to Entra ID using Primary Refresh Tokens.

 

What is the user experience on unsupported Windows devices when this change is rolled out?  

Users of Windows devices which haven’t been updated with patches since July 2021 may experience sign in failures with their Entra ID user accounts on joined or hybrid joined Windows device.

 

How do I diagnose this situation?

The error code, which will show in sign in logs, is 'AADSTS5000611: Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates.'

 

Enhancing the security of Apple devices in the enterprise with hardware bound device identity – 2-year notice

[Action may be required]

 

Device identity is one of the fundamental Entra ID concepts that enables multiple Entra ID and MDM/MAM security features like device compliance policies, app protection policies, or PRT-based SSO.  To enhance security, Entra ID has now done work to support the binding of device identity keys to Apple’s Secure Enclave hardware, which will replace previous Keychain-based mechanism.

 

Starting in June 2026, all new Entra ID registrations will be bound to the Secure Enclave. As a result, all customers will need to adopt the Microsoft Enterprise SSO plug-in and some of the apps may need to make code changes to adopt the new Secure Enclave based device identity.

 

Opt-in, provide feedback

Before Entra enables Secure Enclave by default for all new registrations, we encourage tenants to perform early testing using the documentation provided on learn.microsoft.com. This will help to identify any compatibility issues, where you may need to request code changes from app or MDM vendors. 

 

To report issues, raise questions, or voice concerns please open a support ticket or reach out to your Microsoft account team. 

 

Upgrade to the latest version of Microsoft Entra Connect by September 23, 2024 

[Action may be required]

 

Since September 2023, we have been auto-upgrading Microsoft Entra Connect Sync and Microsoft Entra Connect Health to an updated build as part of a precautionary security-related service change. For customers who have previously opted out of auto-upgrade or for whom auto-upgrade failed, we strongly recommend that you upgrade to the latest versions by September 23, 2024.

 

When you upgrade to the latest versions by that date, you ensure that when the service changes take effect, you avoid disruption for the following capabilities:

 

Service	Recommended Version	Features Impacted by Service Change
Microsoft Entra Connect Sync	2.3.2.0 or higher	Auto-upgrade will stop working. Synchronization isn’t impacted
Microsoft Entra Connect Health agent for Sync	4.5.2487.0 or higher	A subset of alerts will be impacted: ·        Connection to Microsoft Entra ID failed due to authentication failure ·        High CPU usage detected ·        High Memory Consumption Detected ·        Password Hash Synchronization has stopped working ·        Export to Microsoft Entra ID was Stopped. Accidental delete threshold was reached ·        Password Hash Synchronization heartbeat was skipped in the last 120 minutes ·        Microsoft Entra Sync service cannot start due to invalid encryption keys ·        Microsoft Entra Sync service not running: Windows Service account Creds Expired
Microsoft Entra Connect Health agent for ADDS	4.5.2487.0 or higher	All alerts will be impacted
Microsoft Entra Connect Health agent for ADFS	4.5.2487.0 or higher	All alerts will be impacted

 

Note: If you cannot upgrade by September 23, 2024, you can still regain full functionality for the above features after that date. You would do so by manually upgrading to the recommended builds at your earliest convenience.

 

For upgrade-related guidance, please refer to our docs.

 

Important Update: Azure AD Graph Retirement

[Action may be required]

 

As of June 2023, the Azure AD Graph API service is in a retirement cycle and will be retired (shut down) in incremental stages. In the first stage of this retirement cycle, newly created applications will receive an error (HTTP 403) for any requests to Azure AD Graph APIs (https://graph.windows.net). We are revising the da20te for this first stage from June 30 to August 31, so only applications created after August 31, 2024, will be impacted. The second stage of the Azure AD Graph service retirement cycle will begin after January 31, 2025. At this point, all applications that are using Azure AD Graph APIs will receive an error when making requests to the AAD Graph service. Azure AD Graph will be completely retired (and stop working) after June 30, 2025.

 

We understand that some apps may not have fully completed migration to Microsoft Graph. We are providing an optional configuration (through the authenticationBehaviors setting) that will allow an application to continue use of Azure AD Graph APIs through March 30, 2025.  If you develop or distribute software that still uses Azure AD Graph APIs, you must act now to avoid interruption. You will either need to migrate your applications to Microsoft Graph (highly recommended) or configure the application for an extension, and ensure that your customers are prepared for the change. 

 

To identify applications that are using Azure AD Graph APIs, we have provided two Entra recommendations with information about applications and service principals that are actively using Azure AD Graph APIs in your tenant.  

 

For more information, see the following references:  

 

• June 2024 update on Azure AD Graph API retirement
• Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph  
• Azure AD Graph app migration planning checklist  
• Azure AD Graph to Microsoft Graph migration FAQ  

 

Important Update: AzureAD and MSOnline PowerShell retirement 

[Action may be required]

 

As of March 30, 2024, the legacy Azure AD PowerShell, Azure AD PowerShell Preview, and MS Online modules are deprecated. These modules will continue to function through March 30, 2025, when they are retired and stop functioning. Microsoft Graph PowerShell SDK is the replacement for these modules and you should migrate your scripts to Microsoft Graph PowerShell SDK as soon as possible.  

 

Note: as indicated in our April update, MS Online with “Legacy Auth” will stop functioning in the weeks after June 30, 2024. Legacy Auth is typically associated with versions before 1.1.166.0, and involves use of MS Online PowerShell with the Microsoft Online Sign-In Assistant package installed. If you are using MS Online versions before 1.1.166.0 or MS Online with Legacy Auth, you should immediately migrate to Microsoft Graph PowerShell SDK or update the MS Online version to the latest version (1.1.183.81).  

 

To help you identify usage of Azure AD PowerShell in your tenant, you can use the Entra Recommendation titled Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph. This recommendation will show vendor applications that are using Azure AD Graph APIs in your tenant, including AzureAD PowerShell.  

 

We are making substantial new and future investments in the PowerShell experience for managing Entra, with the recent Public Preview launch of the Microsoft Entra PowerShell module. This new module builds upon and is part of the Microsoft Graph PowerShell SDK. It’s fully interoperable with all cmdlets in the Microsoft Graph PowerShell SDK, enabling you to perform complex operations with simple, well documented commands. The module also offers a backward compatibility option to simplify migraiton from the deprecated AzureAD Module. Additionally, we are aware that some of our customers were unable to fully migrate to scripts that managed Per-user MFA from MSOnline to Microsoft Graph PowerShell. Microsoft Graph APIs were recently made available to read and configure Per-user MFA settings for users, and availability in Microsoft Graph PowerShell SDK cmdlets is soon to follow.

 

Private Preview – QR code sign-in, a new authentication method for Frontline Workers

[Action may be required]

 

We are introducing a new simple way for Frontline Workers to authenticate in Microsoft Entra ID with a QR code and PIN, eliminating the need to enter long UPNs and alphanumeric passwords multiple times during their shift.

 

With the private preview release of this feature in August 2024, all users in your tenant will see a new link ‘Sign in with QR code’ on navigating to https://login.microsoftonline.com > ‘Sign-in options’ > ‘Sign in to an organization’ page. This new link, ‘Sign in with QR code’, will be visible only on mobile devices (Android/iOS/iPadOS). If you are not participating in the private preview, users from your tenant will not be able to sign-in through this method while we are still in private preview. They will receive an error message if they try to sign-in.

 

The feature will have a ‘preview’ tag until it is generally available. Your organization needs to be enabled to test this feature. Broad testing will be available in public preview, which we will announce later.  

 

While the feature is in private preview, no technical support will be provided. Please learn more about support during previews here Microsoft Entra ID preview program information - Microsoft Entra | Microsoft Learn. 

 

Changes to phone call settings: custom greetings and caller ID

[Action may be required]

 

Starting September 2024, phone call settings (custom greetings and caller ID) under Entra's multifactor authentication blade will be moved under the voice authentication method in the authentication method policy. Instead of accessing these settings through the Entra ID or Azure portal, they will be accessible through MS Graph API. If your organization is using custom greetings and/or caller ID, please make sure to check the public documentation once we release the new experience to learn how to manage these settings through MS Graph.

 

MS Graph API support for per-user MFA

[Action may be required]

 

Starting June 2024, we are releasing the capability to manage user status (Enforced, Enabled, Disabled) for per-user MFA through MS Graph API. This will replace the legacy MS Online PowerShell module that is being retired. Please be aware that the recommended approach to protect users with Microsoft Entra MFA is Conditional Access (for licensed organizations) and security defaults (for unlicensed organizations). The public documentation will be updated once we release the new experience.

 

Azure Multi-Factor Authentication Server - 3-month notice                         

[Action may be required]

Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests, which could cause authentications to fail for your organization. MFA Server will have limited SLA and MFA Activity Report in the Azure Portal will no longer be available. To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service using the latest Migration Utility included in the most recent Azure MFA Server update. Learn more at Azure MFA Server Migration.

 

Decommissioning of Group Writeback V2 (Public Preview) in Entra Connect Sync - Reminder

[Action may be required]

 

The public preview of Group Writeback V2 (GWB) in Entra Connect Sync is no longer available and Connect Sync will no longer support provisioning cloud security groups to Active Directory.

 

Another similar functionality is offered in Entra Cloud Sync, called “Group Provision to AD”, that maybe used instead of GWB V2 for provisioning cloud security groups to AD. Enhanced functionality in Cloud Sync, along with other new features, are being developed.

 

Customers who use this preview feature in Connect Sync should switch their configuration from Connect Sync to Cloud Sync. Customers can choose to move all their hybrid sync to Cloud Sync (if it supports their needs) or Cloud Sync can be run side-by-side and move only cloud security group provisioning to AD onto Cloud Sync. Customers who provision Microsoft 365 groups to AD can continue using GWB V1 for this capability.

 

Visual enhancements to the per-user MFA admin configuration experience

[No action is required]

 

As part of ongoing service improvements, we are making updates to the per-user MFA admin configuration experience to align with the look and feel of Entra ID. This change does not include any changes to the core functionality and will only include visual improvements. Starting in August 2024, you will be redirected to the new experience both from the Entra admin center and Azure portal. There will be a banner presented for the first 30 days to switch back to the old experience, after which you can only use the new experience. The public documentation will be updated once we release the new experience.

 

Updates to “Target resources” in Microsoft Entra Conditional Access

[No action is required]

 

Starting in September 2024, the Microsoft Entra Conditional Access 'Target resources' assignment will consolidate the "Cloud apps" and "Global Secure Access" options under a new name "Resources".  

 

Customers will be able to target "All internet resources with Global Secure Access", "All resources (formerly 'all cloud apps') or select specific resources (formerly "select apps"). Some of the Global Secure Access attributes in the Conditional Access API will be deprecated. 

 

This change will start in September 2024 and will occur automatically, admins won’t need to take any action. There are no changes in the behavior of existing Conditional Access policies. To learn more, click here. 

 

Upcoming Improvements to Entra ID device code flow

[No action is required]

 

As part of our ongoing commitment to security, we are announcing upcoming enhancements to the Entra ID device code flow. These improvements aim to provide a more secure and efficient authentication experience.

 

We've refined the messaging and included app details within the device code flow to ensure a more secure and precise user experience. Specifically, we've adjusted headers and calls to action to help your users recognize and respond to security threats more effectively. These changes are designed to help your users make more informed decisions and prevent phishing attacks.

 

These changes will be gradually introduced starting in July 2024 and are expected to be fully implemented by August 30, 2024. No action required from you.

 

Microsoft Entra ID Governance

New releases

• Microsoft Entra ID multi-tenant organization
• Security group provisioning to Active Directory using cloud sync
• Support for PIM approvals and activations on the Azure mobile app (iOS and Android)
• Lifecycle Workflows: Export workflow history data to CSV files
• B2B Sponsors as an Attribute and Approvers in Entitlement Management
• Maximum workflows limit in Lifecycle workflows is now 100
• New provisioning connectors in the Microsoft Entra Application Gallery

 

Microsoft Entra External ID

New releases

• Microsoft Entra External ID
• Configure redemption order for B2B collaboration

 

Microsoft Entra Permissions Management

New releases

• Support for PIM enabled Groups in Microsoft Entra Permissions Management

 

Microsoft Entra Verified ID

New releases

• Quick Microsoft Entra Verified ID setup

 

 

Add to Favorites: What’s New in Microsoft Entra

Stay informed about Entra product updates and actionable insights with What’s New in Microsoft Entra.  This new hub in the Microsoft Entra admin center offers you a centralized view of our roadmap and change announcements across the Microsoft Entra identity and network access portfolio.

 

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

• ⁠Microsoft Entra News and Insights | Microsoft Security Blog
• ⁠⁠Microsoft Entra blog | Tech Community
• ⁠Microsoft Entra documentation | Microsoft Learn
• Microsoft Entra discussions | Microsoft Community