Azure AD Enhancements Bring Expanded Support for Auto-Provisioned SaaS Apps
Microsoft announced a number of Azure Active Directory enhancements this month.
The enhancements include an expanded list of Software as a Service (SaaS) applications that will automatically provision with Azure AD. There's also a new custom administrator role preview for controlling app registrations. Microsoft also expanded the capabilities of the Azure AD B2C service, among other additions.
There was also a low-key product change this month, with Microsoft ending the Basic subscription option for Azure AD users. The official Microsoft announcement came in an obscure Aug. 8 Twitter post by Alex Simons, vice president of program management at the Microsoft Identity Division, as noted in this article by veteran Microsoft reporter Mary Jo Foley.
The discontinuance of the Basic option, priced at $1 per user per month, will mostly affect "kiosk workers" and others not requiring the capabilities of the Azure AD Premium P1 option, according to a report (paywalled) by Directions on Microsoft, an independent consultancy.
Auto-SaaS App Provisioning Expansion
Microsoft expanded its Azure AD provisioning support this month for SaaS applications and now supports "more than 80 apps," according to an Aug. 12 announcement.
Newly added is Azure AD support for provisioning apps that use the OpenID Connect (OIDC) authentication protocol. Microsoft also supports apps that use the System for Cross-Domain Identity Management (SCIM) 2.0 protocol.
Automating app provisioning with Azure AD has some benefits for organizations. It simplifies granting and removing user access to those apps. Supported apps get automatically provisioned for team members, for instance, and when a team member moves or leaves the organization, that access gets automatically removed. These sorts of details are well explained in this Microsoft article on automated user provisioning.
Microsoft's announcement listed the newly supported SaaS apps, which include 4me, Envoy, Federated Directory, Oracle Fusion ERP and Peakon, among others. To make the automatic provisioning work, Microsoft works with the app builder to create connectors using the "management API endpoints provided by each application vendor."
Microsoft also added a feature in the Azure Portal management console that lets IT pros check on the provisioning status of these applications. It will show the number of users and groups that have been provisioned, for instance. Typically, the Azure AD app provisioning process occurs "every 10 minutes," although the actual time taken depends on synchronization settings, the number of users and groups, and throttling and system rate limits, Microsoft explained in this article.
IT pros can find links to tutorials for provisioning various supported SaaS apps at this page.
Custom Admin Roles for Apps Preview
A preview of the Azure AD "custom administrator roles" feature is available, Microsoft indicated in an Aug. 8 announcement. However, this preview only adds controls over who has access to manage application registrations.
The custom admin roles feature for app registrations adds greater flexibility to Azure AD's built-in role-based access control (RBAC) capabilities. Permissions can be set for a single app without granting access to all apps, for instance, Microsoft's document explained. The role assignments can be made using the "Azure Portal, Azure AD PowerShell or Graph API," it added. Organizations using Microsoft's Privileged Identity Management solution can specify custom admin roles within a specific time period, as well.
One catch is that the custom admin roles preview for app registration permissions has a licensing restriction. Organizations will need to have Azure AD Premium P1 licensing in place.
Other custom admin roles will be coming. Microsoft is planning the ability to specify custom roles in Azure AD for "enterprise applications, users, groups, and more," in future updates.
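As an added illustration of the single-app scoping described above (example code written for this article, not Microsoft's own), the functions below build the two Microsoft Graph request bodies involved, a custom role definition and a role assignment, and check that the assignment is scoped to one app registration rather than the whole tenant. The payload shapes follow the Graph roleDefinitions and roleAssignments resources as the example author understands them; all object IDs are placeholders.

```python
"""Build an app-scoped custom admin role for Azure AD via Microsoft Graph.

Assumptions (not from the article): payload fields follow the Graph
unifiedRoleDefinition / unifiedRoleAssignment resources; IDs are placeholders.
"""
import uuid

# Actions that let a delegate manage one app registration's basic
# properties and credentials; nothing tenant-wide.
APP_REG_ACTIONS = [
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/credentials/update",
]


def role_definition(name, actions=APP_REG_ACTIONS):
    """Body for POST /roleManagement/directory/roleDefinitions."""
    return {
        "displayName": name,
        "description": "Manage a single app registration",
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": list(actions)}],
    }


def app_scoped_assignment(role_definition_id, principal_id, app_object_id):
    """Body for POST /roleManagement/directory/roleAssignments.

    directoryScopeId "/<app object id>" limits the role to that one
    application; a scope of "/" would cover every app in the tenant.
    Raises ValueError if app_object_id is not a well-formed GUID.
    """
    scope = f"/{uuid.UUID(str(app_object_id))}"
    return {
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": scope,
    }


def is_least_privilege(assignment):
    """True when the assignment targets a single object, not the tenant root."""
    scope = assignment.get("directoryScopeId", "")
    return scope.startswith("/") and len(scope) > 1


def tenant_wide(assignments):
    """Review helper: return assignments whose scope is the whole tenant."""
    return [a for a in assignments if not is_least_privilege(a)]
```

Run `tenant_wide()` over exported role assignments to spot delegates who were given tenant-wide app permissions when a single-app scope was intended.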
Azure AD B2C Additions
The Azure AD B2C (Business to Consumer) service, used for verifying external identities, got two feature additions that are at the "general availability" (GA) commercial release stage, according to an Aug. 15 announcement.
First, it's now possible to use any OIDC-compliant identity provider in Azure AD B2C's built-in user flows, as described here. "User flows" are configurable policies for specifying things like which accounts can be used for sign-ins, and whether multifactor authentication gets used, according to Microsoft's description. The Azure AD B2C service previously just supported using specific OAuth 2.0 identity providers, namely Facebook and Google, in the user flows. OIDC is "an identity layer on top of the OAuth 2.0 open standard," according to this description.
Second, applications can now get an identity provider's token "passed through as part of the Azure AD B2C token." It's done by turning on the "Identity Provider Access Token" attribute for application claims within the Azure Portal management console, as described in this Microsoft document. It only works with OAuth 2.0 identity providers, though, according to the document.
Proxy and ID Protection Improvements
Microsoft this month announced an integration of the Azure AD Application Proxy service with the Power BI Mobile App. It gives end users Azure AD authentication protections when remotely accessing Power BI business intelligence reports. Those protections include "Multi-Factor Authentication (MFA), Conditional Access, Identity Protection, Delegated Application Access, Access Reviews, and more," per Microsoft's Aug. 14 announcement.
Microsoft also bolstered its Unfamiliar Sign-in feature in Azure Identity Protection to better match the level of risk organizations are willing to tolerate. Azure Identity Protection, which requires having Azure AD Premium P2 licensing, can be configured to respond when a user's identity is deemed to be compromised. The Unfamiliar Sign-in feature of Azure Identity Protection flags sign-in attempts from unfamiliar locations, using a risk score for those assessments. Microsoft now lets organizations adjust the risk sensitivity "properties" of this feature. Newly created options include "high risk," "medium risk," "low risk" and "no detected risk," although the low-risk option was said to be "coming soon," per Microsoft's Aug. 1 announcement.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.