Azure AD: New and updated features of September 2018

Azure Active Directory_COLOR

Here are the updated and new features of Azure AD of September 2018. Because Ignite just ended you will see a lot of improvements.

The update this month contains:

  • Changed and fixed features
  • New features
  • Plan for changes

Changed and fixed features

Updated administrator role permissions for dynamic groups

Type: Fixed
Service category: Group Management
Product capability: Collaboration

We’ve fixed an issue so specific administrator roles can now create and update dynamic membership rules, without needing to be the owner of the group.

The roles are:

  • Global administrator or Company Writer
  • Intune Service Administrator
  • User Account Administrator

For more information, see Create a dynamic group and check status

Enhanced support for custom extension properties used to create dynamic membership rules

Type: Changed feature
Service category: Group Management
Product capability: Collaboration

With this update, you can now click the Get custom extension properties link from the dynamic user group rule builder, enter your unique app ID, and receive the full list of custom extension properties to use when creating a dynamic membership rule for users. This list can also be refreshed to get any new custom extension properties for that app.

For more information about using custom extension properties for dynamic membership rules, see Extension properties and custom extension properties

Updated SAML-based app configuration UI (preview)

Type: Changed feature
Service category: Enterprise Apps
Product capability: SSO

As part of our updated SAML-based app configuration UI, you’ll get:

  • An updated walkthrough experience for configuring your SAML-based apps.
  • More visibility about what’s missing or incorrect in your configuration.
  • The ability to add multiple email addresses for expiration certificate notification.
  • New claim transformation methods, ToLower() and ToUpper(), and more.
  • A way to upload your own token signing certificate for your enterprise apps.
  • A way to set the NameID Format for SAML apps, and a way to set the NameID value as Directory Extensions.

To turn on this updated view, click the Try out our new experience link from the top of the Single Sign-On page. For more information, see Tutorial: Configure SAML-based single sign-on for an application with Azure Active Directory.

New features

Simplified Single Sign-On (SSO) configuration settings for some third-party apps

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

We realize that setting up Single Sign-On (SSO) for Software as a Service (SaaS) apps can be challenging due to the unique nature of each apps configuration. We’ve built a simplified configuration experience to auto-populate the SSO configuration settings for the following third-party SaaS apps:

  • Zendesk
  • ArcGis Online
  • Jamf Pro

To start using this one-click experience, go to the Azure portal > SSO configuration page for the app. For more information, see SaaS application integration with Azure Active Directory

Azure Active Directory – Where is your data located? page

Type: New feature
Service category: Other
Product capability: GoLocal

Select your company’s region from the Azure Active Directory – Where is your data located page to view which Azure datacenter houses your Azure AD data at rest for all Azure AD services. You can filter the information by specific Azure AD services for your company’s region.

To access this feature and for more information, see Azure Active Directory – Where is your data located.

New deployment plan available for the My Apps Access panel

Type: New feature
Service category: My Apps
Product capability: SSO

Check out the new deployment plan that’s available for the My Apps Access panel ( The My Apps Access panel provides users with a single place to find and access their apps. This portal also provides users with self-service opportunities, such as requesting access to apps and groups, or managing access to these resources on behalf of others.

For more information, see What is the My Apps portal?

New Troubleshooting and Support tab on the Sign-ins Logs page of the Azure portal

Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

The new Troubleshooting and Support tab on the Sign-ins page of the Azure portal, is intended to help admins and support engineers troubleshoot issues related to Azure AD sign-ins. This new tab provides the error code, error message, and remediation recommendations (if any) to help solve the problem. If you’re unable to resolve the problem, we also give you a new way to create a support ticket using the Copy to clipboard experience, which populates the Request ID and Date (UTC) fields for the log file in your support ticket.


New support for Self-Service Password Reset from the Windows 7/8/8.1 Lock screen

Type: New feature
Service category: SSPR
Product capability: User Authentication

After you set up this new feature, your users will see a link to reset their password from the Lock screen of a device running Windows 7, Windows 8, or Windows 8.1. By clicking that link, the user is guided through the same password reset flow as through the web browser.

For more information, see How to enable password reset from Windows 7, 8, and 8.1


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2018, we’ve added these 16 new apps with Federation support to the app gallery:

UberflipComeet Recruiting SoftwareWorkteamArcGIS EnterpriseNuclinoJDA CloudSnowflake, NavigoCloud, Figma,, ZephyrSSOSilverback, Riverbed Xirrus EasyPass, Rackspace SSO, Enlyft SSO for Azure, SurveyMonkey, Convenedmarcian

For more information about the apps, see SaaS application integration with Azure Active Directory. For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery.

Support for additional claims transformations methods

Type: New feature
Service category: Enterprise Apps
Product capability: SSO

We’ve introduced new claim transformation methods, ToLower() and ToUpper(), which can be applied to SAML tokens from the SAML-based Single Sign-On Configuration page.

For more information, see How to customize claims issued in the SAML token for enterprise applications in Azure AD


Plan for change

New approved client apps for Azure AD app-based conditional access

Type: Plan for change
Service category: Conditional access
Product capability: Identity security and protection

The following apps are on the list of approved client apps:

  • Microsoft To-Do
  • Microsoft Stream

For more information, see:

Change notice: Authorization codes will no longer be available for reuse

Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication

Starting on October 10, 2018, Azure AD will stop accepting previously used authentication codes for apps. This security change helps to bring Azure AD in line with the OAuth specification and will be enforced on both the v1 and v2 endpoints.

If your app reuses authorization codes to get tokens for multiple resources, we recommend that you use the code to get a refresh token, and then use that refresh token to acquire additional tokens for other resources. Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple resources. Any app that attempts to reuse an authentication code during the OAuth code flow will get an invalid_grant error.


In an effort to help minimize broken apps, apps that rely on this pattern and have more than 10 sign-ins a day, have been give an exception.

For this and other protocols-related changes, see the full list of what’s new for authentication.



Author: Peter Stapf

Senior Consultant Identity and Access

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.