Azure Active Directory Getting Multi-Stage Access Reviews Capability, Plus Change Management Cycle

Microsoft this week announced coming Azure Active Directory management improvements designed to make things a little easier for IT pros.

One of the improvements is a new software feature, now in preview, for setting up "multi-stage" access reviews of the group memberships or application assignments held by end users. The other improvement is a new Azure AD change management communications approach that Microsoft has already kicked off to help IT pros plan for deprecations and retirements.

Azure AD Change Management Biannual Communications
"Hundreds of changes" are made to Azure AD each year, but it's been difficult for IT pros to follow them. Consequently, Microsoft has started a program to deliver biannual (March and September) communications regarding these changes.

These announcements will aim to keep IT pros apprised of "feature deprecations" (Microsoft stops developing and recommending a feature ahead of its removal) and "product retirement communications" (the date a feature or product stops working) associated with Azure AD. Moreover, Microsoft is promising to deliver "consistent end-of-support timelines (with some exceptions)" in ushering in this new communications model.

"With this new model, you'll have predictable product and feature changes, making it easier to accelerate the adoption of newer and more secure technologies," the announcement indicated.

March Azure AD Change Management Items
Microsoft's announcement included its Azure AD change management items for March 2022.

For instance, the Azure AD Graph API retirement is delayed by six months. Microsoft now says the API will not be retired before the end of 2022 ("at least").

The license assignment APIs and PowerShell cmdlets ("commandlets") in Azure AD Graph and the MSOnline PowerShell module are on target for retirement on Aug. 26, 2022. Microsoft wants IT pros to switch to the Microsoft Graph PowerShell SDK instead, and is planning to "provide guidance and tools" to migrate "existing scripts and PowerShell processes" at some point. Scripts that still call Set-MsolUserLicense or Set-AzureADUserLicense will stop working on that date, so they are worth inventorying now.
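The following is an added example, not code from the article or from Microsoft, showing what a license-assignment script looks like after moving from the retiring MSOnline cmdlet to the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the caller can consent to the listed scopes, and it uses a placeholder user principal name and SKU part number (ENTERPRISEPACK is Office 365 E3; substitute the SKU your tenant actually holds).

```powershell
# Added example (not from the article or Microsoft): assign a license with the
# Microsoft Graph PowerShell SDK instead of the retiring MSOnline cmdlets.
# Assumptions: Microsoft.Graph module installed; $upn and $skuPartNumber below
# are placeholders for a real user and a SKU the tenant owns.

# Retiring approach (MSOnline), shown for comparison only:
#   Connect-MsolService
#   Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses "contoso:ENTERPRISEPACK"

Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

$upn           = "alice@contoso.example"   # placeholder user
$skuPartNumber = "ENTERPRISEPACK"          # placeholder SKU (Office 365 E3)

# Graph addresses licenses by SkuId (a GUID), not by "tenant:SKU" string,
# so resolve the part number against the tenant's subscribed SKUs first.
$sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -eq $skuPartNumber }
if (-not $sku) { throw "SKU '$skuPartNumber' is not subscribed in this tenant" }

$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($available -le 0) { throw "No free '$skuPartNumber' licenses left ($($sku.ConsumedUnits) consumed)" }

# A usage location is mandatory before Graph will assign a license.
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, UsageLocation, AssignedLicenses
if (-not $user.UsageLocation) {
    Update-MgUser -UserId $user.Id -UsageLocation "US"   # placeholder country code
}

if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
    Write-Host "$upn already holds $skuPartNumber; nothing to do."
}
else {
    # Both -AddLicenses and -RemoveLicenses are required, even when one is empty.
    Set-MgUserLicense -UserId $user.Id `
        -AddLicenses @{ SkuId = $sku.SkuId } `
        -RemoveLicenses @() | Out-Null
}

# Verify the assignment as Graph now reports it.
Get-MgUserLicenseDetail -UserId $user.Id | Select-Object SkuPartNumber, SkuId
```

To disable individual service plans inside the SKU (the MSOnline `-LicenseOptions` equivalent), add a `DisabledPlans` array of plan GUIDs to the `-AddLicenses` hashtable; the plan GUIDs come from `$sku.ServicePlans`.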

Azure AD Connect Sync releases will now get retired "12 months from the date they are superseded by a newer version."

Transport Layer Security (TLS) 1.0 and 1.1 protocols are getting deprecated throughout 2022.

Azure Key Vault's soft delete feature, which keeps deleted vaults and their secrets, keys and certificates recoverable for "up to 90 days," will be "automatically enabled for Azure Key Vault users on February 1, 2025." Vaults created without it should be checked before that date, since a purge of a soft-deleted secret is the only irreversible step once the feature is on.

The Active Directory Authentication Library (ADAL) is reaching end of support, but Microsoft has pushed out its end date from "June 30th to December 2022." Last year, Microsoft described how an Azure AD monitoring workbook, driven by sign-in logs, can find applications still authenticating with ADAL. Microsoft wants developers to move those applications to the Microsoft Authentication Library (MSAL) instead.

Lastly, all existing Azure AD tenancies will get Microsoft's combined security information registration experience, which sets up multifactor authentication and self-service password reset in one flow, automatically "after Sept. 30th, 2022," according to a Microsoft document. New Azure AD tenancies have had the combined experience since Aug. 15, 2020, but after September it will be in effect for older tenancies as well. The change simplifies the process: previously, IT pros had users register for the two capabilities separately.

Multi-Stage Access Review Preview
Microsoft this week announced a preview that lets IT pros holding certain administrative roles set up Azure AD access reviews of end users in multiple stages. Each stage can have its own set of reviewers, and a decision in one stage determines whether the user's access moves on to the next.

The idea is to periodically check whether end users should still have access to groups or applications, typically for organizational compliance purposes. Microsoft's new preview feature creates a sign-off workflow to that end.

The multi-stage access approval (or denial) workflow gets accessed and configured in the Azure Portal. It has many options for the review process and largely automates it, even to the point of automatically applying the decisions (removing access that was denied) when a review ends, if wanted. IT pros can also specify a default decision to apply if a reviewer doesn't respond before the stage closes.

The process of setting up Azure AD access reviews is well explained in Microsoft's video that accompanies its documentation.

This feature requires an Azure AD Premium P2 license. The workflow for access reviews of groups or applications has to be set up by IT pros with "Global administrator, User administrator, or Identity Governance administrator" privileges; the reviewers themselves do not need those roles.
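Since the article describes the portal experience, here is the same configuration expressed against the Microsoft Graph beta API from the Microsoft Graph PowerShell SDK. This is an added example, not code from the article or from Microsoft's documentation. It assumes the Microsoft.Graph module is installed, the tenant holds Azure AD Premium P2, the caller holds one of the roles named above, and it uses placeholder group and user IDs; the `stageSettings` payload shape is what the preview exposed in beta and should be checked against the current API reference before use.

```powershell
# Added example (not from the article or Microsoft): create a recurring
# two-stage access review of a group's members via the Graph beta endpoint.
# Assumptions: Microsoft.Graph module installed; Azure AD Premium P2; caller
# holds Global/User/Identity Governance administrator; IDs below are placeholders.

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId    = "00000000-0000-0000-0000-000000000001"   # placeholder: reviewed group
$appOwnerId = "00000000-0000-0000-0000-000000000002"   # placeholder: stage-2 reviewer

$definition = [ordered]@{
    displayName          = "Quarterly review: Finance app users (two stages)"
    descriptionForAdmins = "Stage 1: group owners. Stage 2: application owner."
    descriptionForReviewers = "Confirm each member still needs Finance app access."

    # What is being reviewed: transitive members of the group.
    scope = [ordered]@{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }

    # The multi-stage part: stage 2 only sees users stage 1 approved or left
    # unreviewed, so the app owner is not asked about users already denied.
    stageSettings = @(
        [ordered]@{
            stageId                          = "1"
            durationInDays                   = 7
            recommendationsEnabled           = $true
            decisionsThatWillMoveToNextStage = @("Approve", "NotReviewed")
            reviewers = @(@{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" })
        },
        [ordered]@{
            stageId                = "2"
            dependsOn              = @("1")
            durationInDays         = 7
            recommendationsEnabled = $true
            reviewers = @(@{ query = "/users/$appOwnerId"; queryType = "MicrosoftGraph" })
        }
    )

    settings = [ordered]@{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        autoApplyDecisionsEnabled       = $true    # remove denied users when the instance ends
        defaultDecisionEnabled          = $true    # reviewer never responded ...
        defaultDecision                 = "Deny"   # ... so treat silence as removal
        instanceDurationInDays          = 14       # sum of the two stage durations
        recurrence = [ordered]@{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }   # quarterly
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions" `
    -Body ($definition | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created access review definition $($created.id) ($($created.displayName))"
```

The two settings that matter most for least privilege are `defaultDecision = "Deny"` with `defaultDecisionEnabled`, so an unresponsive reviewer cannot silently preserve access, and `autoApplyDecisionsEnabled`, so the outcome is enforced without an admin remembering to apply it; if your compliance process requires a human to apply results, set the latter to `$false` and apply them from the portal or via the definition's instances.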

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
