What’s new in Microsoft Entra

Microsoft has recently introduced a range of new security tools and features for the Microsoft Entra product family, aimed at helping organizations to improve their security posture. With the ever-increasing sophistication of cyber-attacks and the increasing use of cloud-based services and the proliferation of mobile devices, it’s essential that organizations have effective tools in place to manage their security scope.

To stay ahead of the evolving threat landscape and secure access in the era of AI, this month at Microsoft Ignite, we made several substantial announcements:

Microsoft Entra + Security Copilot to help respond to identity risks quickly.
Integrate Microsoft Defender for Cloud with Microsoft Entra Permissions Management to consolidate identity and access permission insights across multi-cloud infrastructure.
Secure customers by default through auto-rollout of Microsoft Entra Conditional Access policies.
Key advancements in Microsoft's Security Service Edge (SSE) products (Microsoft Entra Internet Access and Microsoft Entra Private Access).
Microsoft Entra certificate-based authentication (CBA).

For more information, read the blog, Identity at Microsoft Ignite: Securing access in the era of AI on the Microsoft Community Hub.

Today, we’re sharing the new feature releases for the last two months (October – November 2023) and the change announcements for the November 2023 change management train. We also communicate these changes on release notes and via email. We’re continuing to make it easier for our customers to manage lifecycle changes, including deprecations, retirements, and service breaking changes within the new Entra admin center as well.

These recent updates have been organized into Microsoft Entra product areas, making it easy to quickly find and access the latest updates. With these new features, we aim to provide our customers with an identity and access solution for a better-connected world.

Product Updates Summary

Microsoft Entra ID
Microsoft Entra ID Governance
Microsoft Entra Workload ID
Microsoft Entra External ID
Microsoft Entra Permissions Management

Microsoft Entra ID

New releases

Change announcements

Auto-rollout of Conditional Access policies

[Action may be required]

Earlier in November 2023, we announced the auto-rollout of Microsoft Entra Conditional Access policies to automatically protect tenants based on risk signals, licensing, and usage. This is to remind you that Microsoft will begin automatically protecting customers with Microsoft-managed Conditional Access policies. These are policies that Microsoft creates and enables in customer tenants. The following policies will be rolled out to all eligible tenants:

Policy	Who it’s for	What it does
Require multifactor authentication for admin portals	All customers	This policy covers privileged admin roles and requires multifactor authentication when an admin signs into a Microsoft admin portal.
Require multifactor authentication for per-user multifactor authentication users	Existing per-user multifactor authentication customers	This policy applies to users with per-user multifactor authentication and requires multifactor authentication for all cloud apps. It helps organizations transition to Conditional Access.
Require multifactor authentication for high-risk sign-ins	Microsoft Entra ID Premium Plan 2 customers	This policy covers all users and requires multifactor authentication and reauthentication during high-risk sign-ins.

We’ll begin a gradual rollout of these policies to all eligible tenants and notify in advance. Once the policies are visible in your tenant, you’ll have 90 days to review and customize or disable them before we turn them on. For those 90 days, the policies will be in report-only mode, which means Conditional Access will log the policy results without enforcing them. For more information refer to the blog, “Automatic Conditional Access policies in Microsoft Entra streamline identity protection.”  

Update on Azure AD Graph Retirement

[Action may be required]

In June of 2023, we shared an update that described the completion of a three-year notice period for the deprecation of the Azure AD Graph API service. This service is now in the retirement cycle and retirement (shut down) will be done with incremental steps. We’re committed to supporting our customers through this retirement and migration to Microsoft Graph, and we’re committed to increased transparency and communication as we work through this change. 

Azure AD Graph Retirement: Stage One 

The first stage of Azure AD Graph retirement will begin later in 2024. We’ll share a specific date in a subsequent update, with a minimum of three months of advance notice.

Once we enter this first stage, applications that are created after a specific date will encounter an error for requests to Azure AD Graph APIs (https://graph.windows.net). We understand that some apps may not have fully completed migration to Microsoft Graph at this point, and we’ll provide an optional configuration to allow applications created after this point to resume use of Azure AD Graph APIs for an extended period. If you develop or distribute software that requires applications to be created as part of the installation or setup, and these applications will need to access Azure AD Graph APIs, you must begin planning to avoid interruption. This optional configuration can be set on an application after it is created, and the configuration change will be done through the AuthenticationBehaviors interface.  

We’ll provide more detailed guidance on the timeline for this plan and on configuring the optional configuration in our next update.  

How do I find Applications in my tenant using Azure AD Graph APIs? 

We’re working to deliver a new experience to help our customers identify applications in their tenant that are using Azure AD Graph APIs. This will be enabled through the Microsoft Entra Recommendations experience. We’re expecting to enable this experience in the first months of 2024.

Available tools: 

Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph  
Azure AD Graph app migration planning checklist  
Script to identify Apps that might be using Azure AD Graph  
PowerShell Cmdlet mapping to Microsoft Graph PowerShell SDK

Changes to audit logs behavior for custom security attributes

[Action may be required]

Beginning in October 2023, changes were made to custom security attribute audit logs for general availability that might impact your daily operations. If you’ve been using custom security attribute audit logs during the preview, here are the actions you must take before February 2024 to ensure your audit log operations aren't disrupted:

Use new audit logs location.
Assign Attribute Log roles to view audit logs. 
Create new diagnostic settings to export audit logs.

For more information, see Changes to audit logs behavior.  
 

Changing sign-in audience for new applications

[No action is required]

Starting March 2024, new applications created using Microsoft Graph application API will change the default value of 'signInAudience' property in app registration from 'AzureADandPersonalMicrosoftAccount' to 'AzureADMyOrg'. Our analysis shows that most new applications do not ever support users outside the application tenant. This will improve latency and security of apps. For more information on application sign-in audience, refer to the documentation application resource type - Microsoft Graph v1.0 | Microsoft Learn. 

Enabling app instance lock by default

[No action is required]

Starting March 2024, new applications created using Microsoft Graph application API will have “App instance lock” enabled by default. The capability called App instance lock for workload identities was launched in September 2023. This feature allows app developers to protect their multi-tenant apps from attackers tampering with critical properties. Applications created using Entra ID portal already have the setting enabled by default, and going forward, it will be enabled for other app creation surface areas such as MS Graph, PowerShell, and SDKs. For more information, see How to configure app instance property lock in your applications | Microsoft Learn.  

My Account is replacing legacy profile page

[No action is required]

In June we announced the legacy profile page will be replaced with a new, modernized experience. This is a reminder that My Account (https://www.myaccount.microsoft.com) will replace the existing Profile page (https://account.activedirectory.windowsazure.com/r#/profile) by January 2024. My Account enables customers to manage account details, language and privacy settings, security information, and more. My Account has been around for several years and has all the functionality of the legacy profile page. This deprecation is moving customers to a better and more modern experience. No actions are required by the customers, as customers will be automatically directed to the new My Account experience. 