Microsoft Adds Single Sign-On Access for All Azure Active Directory Users
Microsoft offered an overview of its recent Azure Active Directory release milestones, including free single sign-on access (SSO) for all of its online services subscribers, per a Thursday announcement.
SSO is a facility for end users, allowing them to log in once and have access to various applications without having to go through the same identity verification process each time. If an organization has an Azure AD subscription, even the free version, then they can now use SSO with their applications.
Here’s Microsoft’s characterization of the new free SSO capability:
Whether you need gallery apps or non-gallery apps, using OIDC, SAML or password SSO, we have removed the limit on the number of apps each user can be assigned for SSO access in Azure AD. This means any Microsoft customer using a subscription of a commercial online service such as Azure, Office 365, Dynamics and Power Platform can enable SSO for all their cloud apps, even with Azure AD Free. This complements our earlier announcement that multi-factor authentication (MFA) along with security defaults is free across all Azure AD pricing tiers, so every one of your apps can also be protected.
New Azure AD Features at General Availability
Microsoft’s announcement also listed the following Azure AD capabilities that have recently reached “general availability” commercial-release status. Access to these features sometimes requires having Azure AD Premium licensing in place to use them.
The “bulk operations for users and groups” feature lets IT pros use comma-separated value (CSV) files to import or export users or groups. It can be used to do things like “delete users, update group memberships as well as download users, groups and group memberships,” the announcement indicated.
IT pros also now have access to the “report-only mode for Azure AD Conditional Access” feature. It lets them see the effects of Conditional Access policy changes before going live with them.
The “Continuous Access Evaluation” feature, which checks for changed conditions after a user has been granted access, is available for use with Exchange Online and Microsoft Teams applications. Microsoft’s Continuous Access Evaluation solution derives from an OpenID Foundation developing standard, as described last month.
Also last month, Microsoft described a “combined MFA and password reset registration” feature for end users that’s available. It’s an easier way for end users with mobile devices to set up multifactor authentication (a secondary ID verification scheme) and self-service password reset capabilities. They can do the setup themselves using the My Profile Website or the Microsoft Authenticator App.
A new “token configuration” capability permits the customization of “access tokens, id tokens and SAML tokens to include additional claims.” It can be used by application developers to “specify which claims they want in tokens sent to their application,” per Microsoft’s documentation.
The ability to configure “SAML token encryption” for applications, which is an Azure AD Premium feature, is now commercially available. Encrypting a SAML token is an added assurance, since “Azure AD already sends SAML tokens on an encrypted HTTPS transport channel,” the announcement explained.
Azure AD Features at Preview
A couple of new Azure AD previews were announced.
The “Dynamic Groups rule validation” feature lets IT pros validate the rules that are set for the inclusion of users in Dynamic Groups. The Dynamic Groups capability has been around for over five years, but Microsoft is now previewing the ability of IT pros to validate these rules by “checking if specific users will be members of a dynamic group or not.”
Microsoft also has an “administrative units” preview that lets IT pros “logically group users and devices and then delegate administration of those users and devices.” Microsoft defines an administrative unit as “an Azure AD resource that can be a container for other Azure AD resources.”
Administrative units are conceived as being useful for delegating tasks when organizations have “multiple independent departments” overseen by different administrators, as might be the case in a large university having multiple schools. A “Business School” administrative unit might be created, for instance.
Azure AD B2B and B2C Additions
Microsoft also described a few improvements for tenancies using its Azure AD Business to Business (B2B) and Azure AD Business to Consumer (B2C) services.
Microsoft has “redesigned B2B collaboration invitation emails” used to establish resource sharing with external business partners. The newly designed invitation, now generally available, “provides external users with more clarity to help make an informed decision for accepting the invitation,” the announcement indicated.
Azure AD B2B tenancies also now have access to a preview that will let them “invite internal users to B2B collaboration.” This preview is designed for organizations that collaborated with external users but didn’t treat them as guest users. IT pros can use this feature to switch them to guest users and still “retain their user ID, user principal name, group memberships as well as app assignments,” the announcement explained.
Lastly, Azure AD B2C tenancies now have “secure access to SAML-based applications,” a capability that has reached the general availability stage. It means that “all OIDC, OAUTH, and SAML-based identity providers such as Salesforce, Facebook, Google, and Active Directory Federation Services (ADFS) can be offered to your users,” Microsoft explained.
Azure AD for Zero Trust Security
If all of that info wasn’t enough Azure AD news, Microsoft outlined its vision and technologies that can be used to get to a so-called “zero trust” security state in this Thursday announcement.
“A Zero Trust strategy requires that we verify explicitly, use least privileged access principles, and assume breach,” explained Tarek Dawoud, a Microsoft principal program manager. “Azure Active Directory can act as the policy decision point to enforce your access policies based on insights on the user, device, target resource, and environment.”
The technologies needed for this zero trust solution involve Azure AD Premium P1 or P2 licensing at minimum, but top-tier Microsoft 365 E5 licensing sometimes got mentioned, as well.