What’s new in Microsoft Entra – September 2024
We’re excited to announce the general availability of Microsoft Entra Suite—one of the industry’s most comprehensive secure access solutions for the workforce. With 66% of digital attack paths involving insecure credentials1, Microsoft Entra Suite helps prevent security breaches by enabling secure access to cloud and on-premises apps with least privilege, inside and outside the corporate perimeter. It unifies network access, identity protection, governance, and verification to streamline onboarding, modernize remote access, and ensure secure access to apps and resources. Get started with a Microsoft Entra Suite trial.
Last November, we launched the Secure Future Initiative (SFI) at Microsoft to combat the increasing scale of cyberattacks. Security now drives every decision we make, as detailed in the September 2024 SFI Progress Report. Today, we’re sharing new security improvements and innovations across Microsoft Entra from July to September 2024, organized by product to help you quickly find what’s relevant to your deployment.
Watch the video “What’s New in Microsoft Entra” for a quick overview of product updates and visit the What’s New blade in the Microsoft Entra Admin Center for detailed information.
Microsoft Entra ID
New releases
Admin provisioning of FIDO2 security keys (passkeys) on behalf of users
Insider risk condition in Conditional Access
Device based conditional access to M365/Azure resources on Red Hat Enterprise Linux
Attacker in the Middle detection in Identity Protection
Active Directory Federation Services (AD FS) application migration wizard
Microsoft Authenticator on Android is FIPS 140 compliant for Entra authentication
Change announcements
Security improvements
Upcoming MFA enforcement on Microsoft Entra admin center
[Action may be required]
As part of our commitment to providing our customers with the highest level of security, we previously announced that Microsoft will require multifactor authentication (MFA) for users signing into Azure. We’d like to share an update that the scope of MFA enforcement includes Microsoft Entra admin center in addition to the Azure portal and Intune admin center. This change will be rolled out in phases, allowing organizations time to plan their implementation:
Phase 1: Starting on or after October 15, 2024, MFA will be required to sign into the Entra admin center, Azure portal, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide. This phase will not impact other Azure clients such as the Azure Command Line Interface, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.
Phase 2: Beginning in early 2025, gradual enforcement of MFA at sign-in for the Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence.
Microsoft will send a 60-day advance notice to all Entra global admins by email and through Azure Service Health Notifications to notify them of the start date of enforcement and required actions. Additional notifications will be sent through the Azure portal, Entra admin center, and the M365 message center.
We understand that some customers may need additional time to prepare for this MFA requirement. Therefore, Microsoft will allow extended time for customers with complex environments or technical barriers. The notification from us will also include details about how customers can postpone the start date of enforcement for their tenants, the duration of the postponement, and a link to apply. To learn more, read the blog, “MFA enforcement for Microsoft Entra admin center sign-in coming soon.”
Date change announcement: Deprecation of keychain-backed device identity for Apple devices
[Action may be required]
Earlier this year, we announced the upcoming deprecation of keychain-backed device identity for Apple devices on the Microsoft Entra ID platform. The previously announced deprecation date of June 2026 has been accelerated to June 2025 as part of our commitment to secure design and defaults. This change is being made to enhance device security and better protect your data.
Once in effect, this deprecation will ensure that newly registered Apple devices managed by Microsoft Entra ID use strong, hardware-bound cryptographic secrets, backed by Apple’s Secure Enclave. To learn more, we encourage you to review our updated documentation on this deprecation. We advise both consumers and vendors of applications to test their software for compatibility with this new datastore.
Upgrade to the latest version of Microsoft Entra Connect by April 2, 2025
[Action may be required]
In early October 2024, we will release a new version of Microsoft Entra Connect Sync that contains a back-end service change that further hardens our services. To avoid service disruptions, customers are required to upgrade to that version (2.4.XX.0) by early April 2025 (exact deadline to be announced upon version release).
Review our roadmap for a timeline of upcoming releases, so that you can plan your upgrade accordingly. We will auto-upgrade customers where supported, alongside an early 2025 release of Connect Sync. For customers who wish to be auto-upgraded, ensure that you have auto-upgrade configured.
For a list of minimum requirements and expected impacts of the service change, please refer to this article. For upgrade-related guidance, check out our docs.
New Certificate Authorities (CAs) for login.microsoftonline.com: Action required from customers who only trust DigiCert certificates
[Action may be required]
Microsoft Entra ID is introducing new Certificate Authorities (CAs) for server certificates for the domain login.microsoftonline.com. Currently, connections to login.microsoftonline.com are exclusively presented with DigiCert certificates. Starting on October 1, 2024, you may also encounter certificates issued by Microsoft Azure CAs. This update is designed to enhance security and improve the resilience of Entra ID. This could impact customers who do not trust Microsoft Azure CAs or have pinned client-side to DigiCert certificates, as they may experience authentication failures.
Recommended Action:
To prevent potential issues, we recommend trusting all Root and Subordinate CAs listed in the Azure Certificate public documentation. This documentation has included Microsoft Azure CAs for over a year. If you are an Entra ID user who uses the login.microsoftonline.com domain, it’s crucial to remove any client-side pinning to DigiCert and trust the new Azure CAs for a seamless transition. For more details on how to ensure uninterrupted and secure service, please read the Client Compatibility for public PKIs documentation.
Microsoft Copilot update to enterprise data protection
[No action is required]
Last month, we made several updates to the free Microsoft Copilot service for users with a Microsoft Entra account to enhance data security, privacy, and compliance and simplify the user experience. For users signed in with an Entra account, Microsoft Copilot will offer enterprise data protection (EDP) and redirect users to a new simplified, ad-free user interface designed for work and education.
With EDP in Microsoft Copilot, your data is private, it isn’t used to train foundation models, and we help protect it at rest and in transit with encryption. For more details on EDP, please review our documentation.
If you or your users have a Microsoft 365 subscription in addition to an Entra account, you can enable in-app access by pinning Microsoft Copilot. If you elect to pin Microsoft Copilot for your users, it will appear in the Microsoft 365 app starting mid-September, and it will be coming soon to Microsoft Teams and Outlook. Additional functionality in Microsoft Copilot like chat history is also available for users with a Microsoft 365 subscription.
For additional information about these changes, whether you or your users have a Microsoft 365 subscription or not, please visit our blog and FAQ.
We hope you are as excited as we are about these updates to Microsoft Copilot. If you would like to try Microsoft Copilot updated with enterprise data protection prior to mid-September, a private preview is available (space limited). To apply, please fill out our form.
Enable Browser Access (EBA) by default for all Android users
[No action is required]
As part of ongoing security hardening, we are deprecating the Enable Browser Access (EBA) user interface in the Android Authenticator and Company Portal apps. Consequently, browser access will be enabled by default for all Android users. This change will occur automatically, so no action is required from admins or Android users.
Restricted permissions on Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Cloud Sync
[No action is required]
As part of ongoing security hardening, we’ve removed unused permissions from the privileged “Directory Synchronization Accounts” role. This role is exclusively used by Connect Sync and Cloud Sync to synchronize Active Directory objects with Entra ID. There is no action required by customers to benefit from this hardening. Please refer to the documentation for details on the revised role permissions.
Upcoming improvements to the SSO enrollment dialog
[No action is required]
We’re making some improvements to the end user experience when users add their account to a Windows device. We’ve refined the messaging in the SSO enrollment dialog (consent) to make it easier for end users to understand the choice(s) they can make and the impact of their choice(s). The changes also include a ‘Learn more’ link on the screen. The link points to a Microsoft Learn article that provides users with more information that will further enable them to make informed choice(s). The new SSO enrollment dialog will be gradually introduced starting in October 2024. Please check here for more details.
Identity modernization
Important Update: Azure AD Graph Retirement
[Action may be required]
The retirement of the Azure AD Graph API service began on 1 September 2024, and will eventually impact both new and existing applications. As we deploy the phase starting over the coming weeks, new applications will not be able to use Azure AD Graph APIs unless they are configured for extended access. Microsoft Graph is the replacement for Azure AD Graph APIs, and we strongly recommend immediately migrating use of Azure AD Graph APIs to Microsoft Graph and limiting any further development using Azure AD Graph APIs.
Timeline for incremental retirement of Azure AD Graph API service
Phase start date
Impact to existing apps
Impact to new apps
1 September 2024
None.
New apps are blocked from using Azure AD Graph APIs, unless the app is configured to allow extended Azure AD Graph access by setting blockAzureAdGraphAccess to false. Any new apps must use Microsoft Graph
1 February 2025
Application is unable make requests to Azure AD Graph APIs unless it is configured to allow extended Azure AD Graph access by setting blockAzureAdGraphAccess to false.
1 July 2025
Azure AD Graph is fully retired. No Azure AD Graph API requests will function.
Action required:
To avoid service disruptions, please follow our instructions to migrate applications to Microsoft Graph APIs.
If you need to extend Azure AD Graph access for an app to July 2025
If you have not fully completed app migrations to Microsoft Graph, you can extend this retirement. If you set the blockAzureADGraphAccess attribute to false in the application’s authenticationBehaviors configuration, the application will be able to use Azure AD Graph APIs through June 30, 2025. Further documentation can be found here.
New applications will receive a 403 error when attempting to access Azure AD Graph APIs unless this setting is set to false. For existing applications that will not complete migration to Microsoft Graph in 2024, you should plan to set this configuration now.
If you need to find Applications in your tenant using Azure AD Graph APIs
The Microsoft Entra recommendations feature provides recommendations to put your tenant in a secure and healthy state, while also helping you maximize the value of the features available in Entra ID.
We’ve provided two Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These new recommendations can support your efforts to identify and migrate the impacted applications and service principals to Microsoft Graph.
References:
Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph
Azure AD Graph app migration planning checklist
Azure AD Graph to Microsoft Graph migration FAQ
Important Update: AzureAD PowerShell and MSOnline PowerShell retirement
[Action may be required]
As of March 30, 2024, the legacy Azure AD PowerShell, Azure AD PowerShell Preview, and MS Online modules are deprecated. These modules will continue to function through March 30, 2025, after which they will be retired and stop functioning. Microsoft Graph PowerShell SDK is the replacement for these modules and you should migrate your scripts to Microsoft Graph PowerShell SDK as soon as possible.
To help you identify usage of Azure AD PowerShell in your tenant, you can use the Entra Recommendation titled Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph. This recommendation will show vendor applications that are using Azure AD Graph APIs in your tenant, including AzureAD PowerShell.
We are making substantial new and future investments in the PowerShell experience for managing Entra, with the recent Public Preview launch of the Microsoft Entra PowerShell module. This new module builds upon the Microsoft Graph PowerShell SDK and brings scenario-focused cmdlets. It’s fully interoperable with all cmdlets in the Microsoft Graph PowerShell SDK, enabling you to perform complex operations with simple, well documented commands. The module also offers a backward compatibility option to simplify migration from the deprecated AzureAD Module.
Microsoft Graph APIs were recently made available to read and configure Per-user MFA settings for users, and availability in Microsoft Graph PowerShell SDK cmdlets is soon to follow.
License assignment modifications will no longer be supported in the Microsoft Entra Admin Center
[Action may be required]
This is a courtesy reminder that, in mid-September, we rolled out a change that no longer supports the modification of user and group license assignments in the Microsoft Entra Admin Center and the Microsoft Azure Admin Portal. Moving forward, you will have read-only access to license assignments in these portals. If you wish to modify user and group license assignments via the user interface, you will need to visit the Microsoft 365 Admin Center. Please note that this change does not impact the API or PowerShell modules. If you experience any issues with license assignment, please reach out to Microsoft 365 support. To learn more, click here.
Dynamic type versioning in Bicep templates for Microsoft Graph
[Action may be required]
In October 2024, we’re introducing an update to the Bicep templates for Microsoft Graph public preview. The dynamic types feature enables semantic versioning for Microsoft Graph Bicep types for both beta and v1.0. During Bicep file authoring, you specify a Microsoft Graph Bicep type version referenced from the Microsoft artifact registry, instead of using a built-in Nuget package which is the current experience. Using dynamic types will allow for future breaking changes in existing Microsoft Graph Bicep resource types without impacting deployment of your existing Bicep files that use older versions of those resource types.
Built-in types are deprecated and will be retired on January 24, 2025. Until the retirement date, built-in types will coexist with the new dynamic types. Any Microsoft Graph Bicep type changes will only be available through new versions of the dynamic types.
Action required:
Switch to the new dynamic types before 24th January 2025 to avoid Bicep template deployment failures. The switch will involve making some minor updates to your bicepconfig.json and main Bicep files. Additionally, to take advantage of any updated or new Microsoft Graph resource types, you will need to update the type version that your Bicep files use. For next steps, click here.
Retirement of legacy user authentication methods management experience in Entra Portal
[No action is required]
Starting October 31st, 2024, we will retire the ability to manage user authentication methods in the Entra Portal via the legacy user interface (UI). Instead, we will only surface the modern UI which has full parity with the legacy experience in addition to the ability to manage modern methods (e.g. Temporary Access Pass, Passkeys, QR+Pin, etc.) and settings. This will not impact how end users can manage their own authentication methods or their ability to sign-in to Entra. Learn more at Manage user authentication methods for Microsoft Entra multifactor authentication.
Deprecating Enable Browser Access (EBA) UI
[No action is required]
EBA is a feature in Android broker apps (such as Company Portal and Authenticator) that enables duplicating the Entra ID device registration certificate to a global keychain location on the Android device. This allows browsers that are not integrated with brokers, such as Chrome, to access the certificate for device authentication, which is required to comply with Entra device compliance policies.
As part of our overall security hardening efforts, we’re migrating Entra ID device registration certificates and Android device identities to be hardware-bound. This will enable token protection policies in the future and protect against bypassing device compliance policies. Since the device identity will be hardware-bound, the EBA UI will no longer be able to duplicate and export keys on demand. We plan to deprecate the Enable Browser Access (EBA) UI in the Authenticator and Company Portal apps, and browser access (e.g., Chrome) will automatically be enabled during device registration.
This capability already exists for Intune MDM users. The change extends it to non-Intune users, such as those using VMWare and Jamf mobile device management (MDM) software. This will apply to all customers in the first half of the 2025 calendar year. No action is required from customers at this time.
Deferred changes to My Groups admin controls
[No action is required]
In October 2023 we shared that starting June 2024 the existing Self Service Group Management setting in the Microsoft Entra Admin Center that states “restrict user ability to access groups features in My Groups” would be retired. These changes are under review and will not take place as originally planned. A new deprecation date will be announced in the future.
My Security Info Add Sign-In Method picker user interface update
[No action is required]
This is a courtesy reminder that, starting in August 2024, the “Add Sign-In Method” dialog on the My Security Info page was updated with improved sign-in method descriptions and a modern look and feel. With this change, when users click “Add Sign-In Method,” they will initially be recommended to register the strongest method available to them, as allowed by the organization’s authentication method policy. Users will also have the option to select “Show More Options” and choose from all available sign-in methods permitted by their policy. No admin action is required.
Provisioning UX modernization
[No action is required]
We’re modernizing the current application/HR provisioning and cross-tenant sync UX. This includes a new overview page, user experience to configure connectivity to your application, scoping, and attribute mappings experience. The new experience includes all functionality available to customers today, and no customer action required. The new experience will start rolling out at the end of October 2024, but customers can still use the existing experience through January 2024.
Enhancing user experience
Moving from a browse-based to a search-based solution for access package discovery
[Action may be required]
We’re excited to introduce a new feature in My Access: a curated list of recommended access packages. This will allow users to quickly view the most relevant access packages without scrolling through a long list. The final tab will be a complete, searchable list of all visible access packages in the tenant. We’ll deploy this to all customers as an opt-in preview by the end of October, with in-product messaging to highlight the change. By the end of November, it will transition to an opt-out preview, with general availability planned for December.
Microsoft Entra ID Governance
New releases
Enable, Disable and Delete synchronized user accounts with Lifecycle workflows
Configure Lifecycle Workflow Scope Using Custom Security Attributes
Workflow History Insights in Lifecycle Workflows
Configure custom workflows to run mover tasks when a user’s job profile changes
Grace period support for entitlement management-managed guest users
Cross-tenant manager synchronization
Microsoft Entra External ID
New releases
Easy authentication with Azure App Service and Microsoft Entra External ID
Microsoft Entra External ID extension for Visual Studio Code
Microsoft Entra Verified ID
New releases
Verified ID Face Check
Enabling public publishing of custom credentials via the admin portal UI
Microsoft Entra Internet Access
New releases
Microsoft Entra Internet Access
Microsoft Entra Private Access
New releases
Microsoft Entra Private Access
Global Secure Access: Microsoft Entra Internet and Microsoft Entra Private Access
Change announcements
Upcoming license enforcement for Microsoft Entra Internet Access and Microsoft Entra Private Access
[Action may be required]
Starting early October 2024, license enforcement will begin in the Microsoft Entra admin center for Microsoft Entra Internet Access and Microsoft Entra Private Access. This is following a 90-day notification period, starting with the general availability of Microsoft Entra Internet Access and Microsoft Entra Private Access, which began in July 2024. Learn more about Global Secure Access.
30-day trials are available for both licenses. Learn more on pricing.
Best Regards,
Shobhit Sahay
What’s New in Microsoft Entra
Stay informed about Entra product updates and actionable insights with What’s New in Microsoft Entra. This new hub in the Microsoft Entra admin center offers you a centralized view of our roadmap and change announcements across the Microsoft Entra identity and network access portfolio.
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Microsoft Entra News and Insights | Microsoft Security Blog
Microsoft Entra blog | Tech Community
Microsoft Entra documentation | Microsoft Learn
Microsoft Entra discussions | Microsoft Community
Microsoft Tech Community – Latest Blogs –Read More