- private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)

- options.Events.OnRedirectToIdentityProvider += OnRedirectToIdentityProviderFunc;

-You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md)

-## Next steps

-description: Learn how to manage inactive users and remove unused accounts

-# Manage inactive users in your Azure Active Directory B2C tenant

-We recommend that you monitor your user accounts. Monitoring your user accounts enables you to discover inactive user accounts, which consume your Azure Active Directory (AD) B2C directory quota. Monitoring user accounts also help you to reduce the overall attack surface.

-## List inactive users in your Azure AD B2C tenant

-

-1. Use the steps in [Register an application](client-credentials-grant-flow.md#step-2-register-an-application) to register an app in your tenant, which uses client credentials flow. Record the **Application (client) ID** for use in a later.

-1. Use the steps in [Create a client secret](client-credentials-grant-flow.md#step-2-register-an-application) to configure a client secret for your app. Record the secret's **Value**. You will use this value for configuration in a later step.

-1. For your app to call Microsoft Graph API, you need to grant it the required permissions. To do so, use the steps in [Grant API access](microsoft-graph-get-started.md?tabs=app-reg-ga#grant-api-access), but only grant **User.Read.All** and **AuditLog.Read.All** permissions.

-1. Run the following PowerShell script. Replace:

- 1. `[TenantId]` with your Azure AD B2C tenant ID. Learn [how to read your tenant ID](tenant-management-read-tenant-name.md#get-your-tenant-id)

-

- 1. `[ClientID]` with the Application (client) ID that you copied earlier.

-

- 1. `[ClientSecret]` with the application client secret value that you copied earlier.

-```ps

-$tenantId = "[TenantId]"

-$clientId = "[ClientID]"

-$clientSecret = "[ClientSecret]"

-## Use Client Credentials flow to get token to call Graph API

-$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

-$headers.Add("Content-Type", "application/x-www-form-urlencoded")

-$body = "grant_type=client_credentials&client_id=" + $clientId + "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=" + $clientSecret

-$endpoint = "https://login.microsoftonline.com/" + $tenantId + "/oauth2/v2.0/token"

-$response = Invoke-RestMethod $endpoint -Method "POST" -Headers $headers -Body $body

-## Call Graph API using token obtained in previous step

-$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

-$headers.Add("Authorization", "Bearer " + $response.access_token)

-$response = Invoke-RestMethod 'https://graph.microsoft.com/beta/users?$select=displayName,signInActivity' -Method 'GET' -Headers $headers

-$response | ConvertTo-Json

-```

-The following JSON shows an example of the results:

-```json

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(displayName,signInActivity)",

- "value": [

- {

- "id": "[object id]",

- "displayName": "Martin Balaz",

- "signInActivity": "@{lastSignInDateTime=2023-03-28T20:08:07Z; lastSignInRequestId=c43ac6b5-c644-456f-832d-ea323bf1cf00; lastNonInteractiveSignInDateTime=; lastNonInteractiveSignInRequestId=}"

- },

- {

- "id": "[object id]",

- "displayName": "Takuya Miura",

- "signInActivity": "@{lastSignInDateTime=2023-03-28T20:08:26Z; lastSignInRequestId=3f546eba-ba9b-4bc4-9bd3-b5b6fa5fce00; lastNonInteractiveSignInDateTime=; lastNonInteractiveSignInRequestId=}"

- }

- ]

-}

-```

-The attribute lastSignInDateTime shows the last sign in date.

-## Delete inactive users in your Azure AD B2C tenant

-To delete a user in your Azure AD B2C tenant, you need to call the [Delete a user](/graph/api/user-delete) Microsoft Graph API. To call this API you need to grant your app **User.ReadWrite.All** Microsoft Graph API permission as explained earlier.

->[!NOTE]

->DELETE /graph/api/user-delete

-The following PowerShell script reads all users with sign in date before a given date, then attempts to delete them. Before you run it, replace the `[TenantId]`, `[ClientID]` and `[ClientSecret]` placeholders with appropriate values as explained earlier. Also replace `[Date]` with a date that you consider appropriate to determine if a user is considered inactive. For example: 2023-04-30T00:00:00Z

-```ps

-$tenantId = "[TenantId]"

-$clientId = "[ClientID]"

-$clientSecret = "[ClientSecret]"

-## Use Client Credentials flow to get token to call Graph API

-$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

-$headers.Add("Content-Type", "application/x-www-form-urlencoded")

-$body = "grant_type=client_credentials&client_id=" + $clientId + "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=" + $clientSecret

-$endpoint = "https://login.microsoftonline.com/" + $tenantId + "/oauth2/v2.0/token"

-$response = Invoke-RestMethod $endpoint -Method "POST" -Headers $headers -Body $body

-# $response | ConvertTo-Json

-## Call Graph API using token obtained in previous step

-$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

-$headers.Add("Authorization", "Bearer " + $response.access_token)

-$response = Invoke-RestMethod 'https://graph.microsoft.com/beta/users?$select=displayName,signInActivity&$filter=signInActivity/lastSignInDateTime le [Date]' -Method 'GET' -Headers $headers

-$response | ConvertTo-Json

-## Call Graph API to delete the users obtained in the previous query

-foreach ($value in $response.value) {

- $deleteEndpoint = "https://graph.microsoft.com/v1.0/users/" + $value.id

- $deleteResponse = Invoke-RestMethod $deleteEndpoint -Method 'DELETE' -Headers $headers

-}

-```

-| Scope configuration | Users, groups, and members in scope | Initial cycle time | Incremental cycle time |

-| -- | -- | -- | -- |

-| Sync assigned users and groups only | < 1,000 | < 30 minutes | < 30 minutes |

-| Sync assigned users and groups only | 1,000 - 10,000 | 142 - 708 minutes | < 30 minutes |

-| Sync assigned users and groups only | 10,000 - 100,000 | 1,170 - 2,340 minutes | < 30 minutes |

-| Sync all users and groups in Azure AD | < 1,000 | < 30 minutes | < 30 minutes |

-| Sync all users and groups in Azure AD | 1,000 - 10,000 | < 30 - 120 minutes | < 30 minutes |

-| Sync all users and groups in Azure AD | 10,000 - 100,000 | 713 - 1,425 minutes | < 30 minutes |

-| Sync all users in Azure AD| < 1,000 | < 30 minutes | < 30 minutes |

-| Sync all users in Azure AD | 1,000 - 10,000 | 43 - 86 minutes | < 30 minutes |

-The **incremental cycle** may also take longer than the duration we have documented above. Some of the factors that influence this duration are:

-Azure Active Directory allows [FIDO2 security keys](./concept-authentication-passwordless.md#fido2-security-keys) to be used as a passwordless device. The availability of FIDO2 authentication for Microsoft accounts was [announced in 2018](https://techcommunity.microsoft.com/t5/identity-standards-blog/all-about-fido2-ctap2-and-webauthn/ba-p/288910), and it became [generally available](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/passwordless-authentication-is-now-generally-available/ba-p/1994700) in March 2021. The following diagram shows which browsers and operating system combinations support passwordless authentication using FIDO2 authentication keys with Azure Active Directory. Azure AD currently supports only hardware FIDO2 keys and does not support passkeys for any platform.

-| **macOS** | ![Chrome supports USB on macOS for Azure AD accounts.][y] | ![Chrome supports NFC on macOS for Azure AD accounts.][n] | ![Chrome supports BLE on macOS for Azure AD accounts.][n] | ![Edge supports USB on macOS for Azure AD accounts.][y] | ![Edge supports NFC on macOS for Azure AD accounts.][n] | ![Edge supports BLE on macOS for Azure AD accounts.][n] | ![Firefox supports USB on macOS for Azure AD accounts.][n] | ![Firefox supports NFC on macOS for Azure AD accounts.][n] | ![Firefox supports BLE on macOS for Azure AD accounts.][n] | ![Safari supports USB on macOS for Azure AD accounts.][n] | ![Safari supports NFC on macOS for Azure AD accounts.][n] | ![Safari supports BLE on macOS for Azure AD accounts.][n] |

-| **ChromeOS** | ![Chrome supports USB on ChromeOS for Azure AD accounts.][y]* | ![Chrome supports NFC on ChromeOS for Azure AD accounts.][n] | ![Chrome supports BLE on ChromeOS for Azure AD accounts.][n] | ![Edge supports USB on ChromeOS for Azure AD accounts.][n] | ![Edge supports NFC on ChromeOS for Azure AD accounts.][n] | ![Edge supports BLE on ChromeOS for Azure AD accounts.][n] | ![Firefox supports USB on ChromeOS for Azure AD accounts.][n] | ![Firefox supports NFC on ChromeOS for Azure AD accounts.][n] | ![Firefox supports BLE on ChromeOS for Azure AD accounts.][n] | ![Safari supports USB on ChromeOS for Azure AD accounts.][n] | ![Safari supports NFC on ChromeOS for Azure AD accounts.][n] | ![Safari supports BLE on ChromeOS for Azure AD accounts.][n] |

-| **iOS** | ![Chrome supports USB on iOS for Azure AD accounts.][n] | ![Chrome supports NFC on iOS for Azure AD accounts.][n] | ![Chrome supports BLE on iOS for Azure AD accounts.][n] | ![Edge supports USB on iOS for Azure AD accounts.][n] | ![Edge supports NFC on Linux for Azure AD accounts.][n] | ![Edge supports BLE on Linux for Azure AD accounts.][n] | ![Firefox supports USB on Linux for Azure AD accounts.][n] | ![Firefox supports NFC on iOS for Azure AD accounts.][n] | ![Firefox supports BLE on iOS for Azure AD accounts.][n] | ![Safari supports USB on iOS for Azure AD accounts.][n] | ![Safari supports NFC on iOS for Azure AD accounts.][n] | ![Safari supports BLE on iOS for Azure AD accounts.][n] |

-*Key Registration is currently not supported with ChromeOS/Chrome Browser.

-The following operating system and browser combinations are not supported, but future support and testing is being investigated. If you would like to see other operating system and browser support, please leave feedback on our [product feedback site](https://feedback.azure.com/d365community/).

-| iOS | Safari |

-| [Account lockout](#account-lockout) | Temporarily lock accounts from using Azure AD Multi-Factor Authentication if there are too many denied authentication attempts in a row. This feature applies only to users who enter a PIN to authenticate. (MFA Server only) |

-## Account lockout

-To prevent repeated MFA attempts as part of an attack, the account lockout settings let you specify how many failed attempts to allow before the account becomes locked out for a period of time. The account lockout settings are applied only when a PIN code is entered for the MFA prompt.

- - **Require Re-register MFA** makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method.

-

- > [!NOTE]

- > The user's currently registered authentication methods aren't deleted when an admin requires re-registration for MFA. After a user re-registers for MFA, we recommend they review their security info and delete any previously registered authentication methods that are no longer usable.

-

-1. Select **save**, then **close**.

-> [!NOTE]

-> For more information about changes we are planning to the Custom Control capability, see the February 2020 [Archive for What's new](../fundamentals/whats-new-archive.md#upcoming-changes-to-custom-controls).

-*Authentication* is the process of proving that you are who you say you are. This is achieved by verification of the identity of a person or device. It's sometimes shortened to *AuthN*. The Microsoft identity platform uses the [OpenID Connect](https://openid.net/connect/) protocol for handling authentication.

-*Multifactor authentication* is the act of providing an additional factor of authentication to an account. This is often used to protect against brute force attacks. It is sometimes shortened to *MFA* or *2FA*. The [Microsoft Authenticator](https://support.microsoft.com/account-billing/set-up-the-microsoft-authenticator-app-as-your-verification-method-33452159-6af9-438f-8f82-63ce94cf3d29) can be used as an app for handling two-factor authentication. For more information, see [multifactor authentication](../authentication/concept-mfa-howitworks.md).

-1. Perform the steps in the **Register an application** section of [Quickstart: Register an app with the Microsoft identity platform](quickstart-register-app.md).

-1. Skip the **Add a redirect URI** and **Configure platform settings** sections. You don't need to configure a redirect URI for a web API since no user is logged in interactively.

-1. Skip the **Add credentials** section for now. Only if your API accesses a downstream API would it need its own credentials, a scenario not covered in this article.

-1. Select **Set** next to **Application ID URI** if you haven't yet configured one.

-1. Make sure that you have defined custom security attributes. For more information, see [Add or deactivate custom security attributes in Azure AD](../fundamentals/custom-security-attributes-add.md).

-## Filter users based on custom security attributes

-## PowerShell

-To manage custom security attribute assignments for users in your Azure AD organization, you can use PowerShell. The following commands can be used to manage assignments.

-#### Assign a custom security attribute with a multi-string value to a user

-Use the [Set-AzureADMSUser](/powershell/module/azuread/set-azureadmsuser) command to assign a custom security attribute with a multi-string value to a user.

-```powershell

-$attributes = @{

- Engineering = @{

- "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"

- "Project@odata.type" = "#Collection(String)"

- Project = @("Baker","Cascade")

- }

-}

-Set-AzureADMSUser -Id dbb22700-a7de-4372-ae78-0098ee60e55e -CustomSecurityAttributes $attributes

-```

-#### Update a custom security attribute with a multi-string value for a user

-Use the [Set-AzureADMSUser](/powershell/module/azuread/set-azureadmsuser) command to update a custom security attribute with a multi-string value for a user.

-$attributesUpdate = @{

- Engineering = @{

- "Project@odata.type" = "#Collection(String)"

- Project = @("Alpine","Baker")

-Set-AzureADMSUser -Id dbb22700-a7de-4372-ae78-0098ee60e55e -CustomSecurityAttributes $attributesUpdate

-```

-#### Get the custom security attribute assignments for a user

-Use the [Get-AzureADMSUser](/powershell/module/azuread/get-azureadmsuser) command to get the custom security attribute assignments for a user.

-```powershell

-$user1 = Get-AzureADMSUser -Id dbb22700-a7de-4372-ae78-0098ee60e55e -Select CustomSecurityAttributes

-$user1.CustomSecurityAttributes

-## Microsoft Graph API

-To manage custom security attribute assignments for users in your Azure AD organization, you can use the Microsoft Graph API. The following API calls can be made to manage assignments. For more information, see [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).

-#### Assign a custom security attribute with a string value to a user

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to assign a custom security attribute with a string value to a user.

- "ProjectDate":"2022-10-01"

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to assign a custom security attribute with a multi-string value to a user.

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to assign a custom security attribute with an integer value to a user.

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to assign a custom security attribute with a multi-integer value to a user.

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to assign a custom security attribute with a Boolean value to a user.

-#### Update a custom security attribute with an integer value for a user

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to update a custom security attribute with an integer value for a user.

-#### Update a custom security attribute with a Boolean value for a user

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to update a custom security attribute with a Boolean value for a user.

-Use the [Get user](/graph/api/user-get?view=graph-rest-beta&preserve-view=true) API to get the custom security attribute assignments for a user.

-Use the [List users](/graph/api/user-list?view=graph-rest-beta&preserve-view=true) API to list all users with a custom security attribute assignment that equals a value. The following example retrieves users with a custom security attribute named `AppCountry` with a value that equals `Canada`. The filter value is case sensitive. You must add `ConsistencyLevel=eventual` in the request or the header. You must also include `$count=true` to ensure the request is routed correctly.

-Use the [List users](/graph/api/user-list?view=graph-rest-beta&preserve-view=true) API to list all users with a custom security attribute assignment that starts with a value. The following example retrieves users with a custom security attribute named `EmployeeId` with a value that starts with `GS`. The filter value is case sensitive. You must add `ConsistencyLevel=eventual` in the request or the header. You must also include `$count=true` to ensure the request is routed correctly.

-Use the [List users](/graph/api/user-list?view=graph-rest-beta&preserve-view=true) API to list all users with a custom security attribute assignment that does not equal a value. The following example retrieves users with a custom security attribute named `AppCountry` with a value that does not equal `Canada`. The filter value is case sensitive. You must add `ConsistencyLevel=eventual` in the request or the header. You must also include `$count=true` to ensure the request is routed correctly.

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to remove a single-valued custom security attribute assignment from a user by setting the value to null.

-Use the [Update user](/graph/api/user-update?view=graph-rest-beta&preserve-view=true) API to remove a multi-valued custom security attribute assignment from a user by setting the value to an empty collection.

-**Where are custom security attributes for users supported?**

-Custom security attributes for users are supported in Azure portal, PowerShell, and Microsoft Graph APIs. Custom security attributes are not supported in My Apps or Microsoft 365 admin center.

-**Do I need to create an app to use custom security attributes?**

-**Are custom security attributes available for dynamic membership rules?**

-Select the Windows platform to work on by setting the startup project in the **Solution Explorer**. Make sure that your platform of choice is marked for build and deploy in the configuration manager.

-Clean the solution, rebuild the solution, and run it.

-Select the Android platform to work on by setting the startup project in the **Solution Explorer**. Make sure that your platform of choice is marked for build and deploy in the configuration manager.

-Clean the solution, rebuild the solution, and run it.

-For greater control over access to Teams meetings, you can use [Federation Controls](/microsoftteams/manage-external-access) in Teams to allow or block specific tenants, along with tenant restrictions V2 to block anonymous access to Teams meetings. Tenant restrictions prevent users from using an externally issued identity to join Teams meetings.

-To enforce tenant restrictions for Teams, you need to configure tenant restrictions V2 in your Azure AD cross-tenant access settings. You also need to set up Federation Controls in the Teams Admin portal and restart Teams. Tenant restrictions implemented on the corporate proxy won't block anonymous access to Teams meetings, SharePoint files, and other resources that don't require authentication.

-description: Learn how to add new custom security attributes or deactivate custom security attributes in Azure Active Directory.

-# Add or deactivate custom security attributes in Azure AD (Preview)

-[Custom security attributes](custom-security-attributes-overview.md) in Azure Active Directory (Azure AD) are business-specific attributes (key-value pairs) that you can define and assign to Azure AD objects. This article describes how to add, edit, or deactivate custom security attributes.

-To add or deactivate custom security attributes, you must have:

-## Add a custom security attribute

- All custom security attributes must be part of an attribute set.

-## Edit a custom security attribute

-Once you add a new custom security attribute, you can later edit some of the properties. Some properties are immutable and cannot be changed.

-## Deactivate a custom security attribute

-Once you add a custom security attribute, you can't delete it. However, you can deactivate a custom security attribute.

-## PowerShell

-To manage custom security attributes in your Azure AD organization, you can also use the PowerShell. The following command can manage attribute sets and custom security attributes.

-

-#### Get all attribute sets

-Use the [Get-AzureADMSAttributeSet](/powershell/module/azuread/get-azureadmsattributeset) command without any parameters to get all attribute sets.

-```powershell

-Get-AzureADMSAttributeSet

-```

-#### Get an attribute set

-Use the [Get-AzureADMSAttributeSet](/powershell/module/azuread/get-azureadmsattributeset) command to get an attribute set.

-Get-AzureADMSAttributeSet -Id "Engineering"

-

-#### Add an attribute set

-Use the [New-AzureADMSAttributeSet](/powershell/module/azuread/new-azureadmsattributeset) command to add a new attribute set.

-```powershell

-New-AzureADMSAttributeSet -Id "Engineering" -Description "Attributes for engineering team" -MaxAttributesPerSet 10

-#### Update an attribute set

-Use the [Set-AzureADMSAttributeSet](/powershell/module/azuread/set-azureadmsattributeset) command to update an attribute set.

-```powershell

-Set-AzureADMSAttributeSet -Id "Engineering" -Description "Attributes for cloud engineering team"

-Set-AzureADMSAttributeSet -Id "Engineering" -MaxAttributesPerSet 20

-#### Get all custom security attributes

-Use the [Get-AzureADMSCustomSecurityAttributeDefinition](/powershell/module/azuread/get-azureadmscustomsecurityattributedefinition) command without any parameters to get all custom security attribute definitions.

-Get-AzureADMSCustomSecurityAttributeDefinition

-#### Get a custom security attribute

-Use the [Get-AzureADMSCustomSecurityAttributeDefinition](/powershell/module/azuread/get-azureadmscustomsecurityattributedefinition) command to get a custom security attribute definition.

-```powershell

-Get-AzureADMSCustomSecurityAttributeDefinition -Id "Engineering_ProjectDate"

-```

-

-#### Add a custom security attribute

-Use the [New-AzureADMSCustomSecurityAttributeDefinition](/powershell/module/azuread/new-azureadmscustomsecurityattributedefinition) command to add a new custom security attribute definition.

-New-AzureADMSCustomSecurityAttributeDefinition -AttributeSet "Engineering" -Name "ProjectDate" -Description "Target completion date" -Type "String" -Status "Available" -IsCollection $false -IsSearchable $true -UsePreDefinedValuesOnly $true

-

-#### Update a custom security attribute

-Use the [Set-AzureADMSCustomSecurityAttributeDefinition](/powershell/module/azuread/set-azureadmscustomsecurityattributedefinition) command to update a custom security attribute definition.

-```powershell

-Set-AzureADMSCustomSecurityAttributeDefinition -Id "Engineering_ProjectDate" -Description "Target completion date (YYYY/MM/DD)"

-#### Deactivate a custom security attribute

-Use the [Set-AzureADMSCustomSecurityAttributeDefinition](/powershell/module/azuread/set-azureadmscustomsecurityattributedefinition) command to deactivate a custom security attribute definition.

-```powershell

-Set-AzureADMSCustomSecurityAttributeDefinition -Id "Engineering_Project" -Status "Deprecated"

-```

-#### Get all predefined values

-Use the [Get-AzureADMSCustomSecurityAttributeDefinitionAllowedValue](/powershell/module/azuread/get-azureadmscustomsecurityattributedefinitionallowedvalue) command to get all predefined values for a custom security attribute definition.

-Get-AzureADMSCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project"

-

-#### Get a predefined value

-Use the [Get-AzureADMSCustomSecurityAttributeDefinitionAllowedValue](/powershell/module/azuread/get-azureadmscustomsecurityattributedefinitionallowedvalue) command to get a predefined value for a custom security attribute definition.

-```powershell

-Get-AzureADMSCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" -Id "Alpine"

-

-#### Add a predefined value

-Use the [Add-AzureADMScustomSecurityAttributeDefinitionAllowedValues](/powershell/module/azuread/add-azureadmscustomsecurityattributedefinitionallowedvalues) command to add a predefined value for a custom security attribute definition.

-```powershell

-Add-AzureADMScustomSecurityAttributeDefinitionAllowedValues -CustomSecurityAttributeDefinitionId "Engineering_Project" -Id "Alpine" -IsActive $true

-```

-

-#### Deactivate a predefined value

-Use the [Set-AzureADMSCustomSecurityAttributeDefinitionAllowedValue](/powershell/module/azuread/set-azureadmscustomsecurityattributedefinitionallowedvalue) command to deactivate a predefined value for a custom security attribute definition.

-Set-AzureADMSCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" -Id "Alpine" -IsActive $false

-## Microsoft Graph API

-To manage custom security attributes in your Azure AD organization, you can also use the Microsoft Graph API. The following API calls can be made to manage attribute sets and custom security attributes.

-#### Get all attribute sets

-Use the [List attributeSets](/graph/api/directory-list-attributesets) API to get all attribute sets.

-GET https://graph.microsoft.com/beta/directory/attributeSets

-#### Get top attribute sets

-Use the [List attributeSets](/graph/api/directory-list-attributesets) API to get the top attribute sets.

-```http

-GET https://graph.microsoft.com/beta/directory/attributeSets?$top=10

-#### Get attribute sets in order

-Use the [List attributeSets](/graph/api/directory-list-attributesets) API to get attribute sets in order.

-```http

-GET https://graph.microsoft.com/beta/directory/attributeSets?$orderBy=id

-```

-#### Get an attribute set

-Use the [Get attributeSet](/graph/api/attributeset-get) API to get an attribute set.

-```http

-GET https://graph.microsoft.com/beta/directory/attributeSets/Engineering

-#### Add an attribute set

-Use the [Create attributeSet](/graph/api/directory-post-attributesets) API to add a new attribute set.

-Use the [Update attributeSet](/graph/api/attributeset-update) API to update an attribute set.

-#### Get all custom security attributes

-Use the [List customSecurityAttributeDefinitions](/graph/api/directory-list-customsecurityattributedefinitions) API to get all custom security attribute definitions.

-#### Filter custom security attributes

-Use the [List customSecurityAttributeDefinitions](/graph/api/directory-list-customsecurityattributedefinitions) API to filter custom security attribute definitions.

-#### Get a custom security attribute

-Use the [Get customSecurityAttributeDefinition](/graph/api/customsecurityattributedefinition-get) API to get a custom security attribute definition.

-#### Add a custom security attribute

-Use the [Create customSecurityAttributeDefinition](/graph/api/directory-post-customsecurityattributedefinitions) API to add a new custom security attribute definition.

-#### Add a custom security attribute that supports multiple predefined values

-Use the [Create customSecurityAttributeDefinition](/graph/api/directory-post-customsecurityattributedefinitions) API to add a new custom security attribute definition that supports multiple predefined values.

-#### Add a custom security attribute with a list of predefined values

-Use the [Create customSecurityAttributeDefinition](/graph/api/directory-post-customsecurityattributedefinitions) API to add a new custom security attribute definition with a list of predefined values.

-#### Update a custom security attribute

-Use the [Update customSecurityAttributeDefinition](/graph/api/customsecurityattributedefinition-update) API to update a custom security attribute definition.

-#### Update the predefined values for a custom security attribute

-Use the [Update customSecurityAttributeDefinition](/graph/api/customsecurityattributedefinition-update) API to update the predefined values for a custom security attribute definition.

-#### Deactivate a custom security attribute

-Use the [Update customSecurityAttributeDefinition](/graph/api/customsecurityattributedefinition-update) API to deactivate a custom security attribute definition.

-Use the [List allowedValues](/graph/api/customsecurityattributedefinition-list-allowedvalues) API to get all predefined values for a custom security attribute definition.

-Use the [Get allowedValue](/graph/api/allowedvalue-get) API to get a predefined value for a custom security attribute definition.

-Use the [Create allowedValue](/graph/api/customsecurityattributedefinition-post-allowedvalues) API to add a predefined value for a custom security attribute definition.

-Use the [Update allowedValue](/graph/api/allowedvalue-update) API to deactivate a predefined value for a custom security attribute definition.

-No, you can't delete custom security attribute definitions. You can only [deactivate custom security attribute definitions](#deactivate-a-custom-security-attribute). Once you deactivate a custom security attribute, it can no longer be applied to the Azure AD objects. Custom security attribute assignments for the deactivated custom security attribute definition are not automatically removed. There is no limit to the number of deactivated custom security attributes. You can have 500 active custom security attribute definitions per tenant with 100 allowed predefined values per custom security attribute definition.

-Every custom security attribute must be part of an attribute set. An attribute set is a way to group and manage related custom security attributes. You'll need to figure out how you want to add attributes sets for your organization. For example, you might want to add attribute sets based on departments, teams, or projects. Your ability to grant access to custom security attributes will depend on how you organize your attribute sets.

-#### Azure portal

-#### PowerShell

-Use [New-AzureADMSRoleAssignment](/powershell/module/azuread/new-azureadmsroleassignment) to assign the role. The following example assigns the Attribute Assignment Administrator role to a principal with an attribute set scope named Engineering.

-$directoryScope = "/attributeSets/Engineering"

-$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $roleDefinitionId -PrincipalId $principalId

-#### Microsoft Graph API

-Use the [Create unified Role Assignment](/graph/api/rbacapplication-post-roleassignments?view=graph-rest-beta&preserve-view=true) API to assign the role. The following example assigns the Attribute Assignment Administrator role to a principal with an attribute set scope named Engineering.

-#### Azure portal

-#### PowerShell

-Use [New-AzureADMSRoleAssignment](/powershell/module/azuread/new-azureadmsroleassignment) to assign the role. For more information, see [Assign Azure AD roles at different scopes](../roles/assign-roles-different-scopes.md).

-#### Microsoft Graph API

-Use the [Create unified Role Assignment](/graph/api/rbacapplication-post-roleassignments?view=graph-rest-beta&preserve-view=true) API to assign the role. For more information, see [Assign Azure AD roles at different scopes](../roles/assign-roles-different-scopes.md).

-Custom security attributes requires an Azure AD Premium P1 or P2 license.

-Add and assign custom security attributes to users or enterprise applications. For more information, see [Add or deactivate custom security attributes in Azure AD](custom-security-attributes-add.md), [Assign, update, list, or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md), or [Assign, update, list, or remove custom security attributes for an application](../manage-apps/custom-security-attributes-apps.md).

-Deactivate the custom security attributes you no longer need. For more information, see [Add or deactivate custom security attributes in Azure AD](custom-security-attributes-add.md).

-[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure AD Multi-Factor Authentication](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AiDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit

-## December 2020

-### Public preview - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-

-B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. Read [Set up phone sign-up and sign-in for user flows (preview)](../../active-directory-b2c/phone-authentication-user-flows.md) to learn more.

-### General Availability - Security Defaults now enabled for all new tenants by default

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Identity Security & Protection

-

-To protect user accounts, all new tenants created on or after November 12, 2020, will come with Security Defaults enabled. Security Defaults enforces multiple policies including:

-For more information, read [What are security defaults?](../fundamentals/concept-fundamentals-security-defaults.md)

-### General availability - Support for groups with up to 250K members in AADConnect

-**Type:** Changed feature

-**Service category:** AD Connect

-**Product capability:** Identity Lifecycle Management

-

-Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. When you use the new [V2 endpoint](../hybrid/how-to-connect-sync-endpoint-api-v2.md), you'll experience noticeable performance gains on export and import to Azure AD. This new endpoint supports the following scenarios:

-### General availability - Entitlement Management available for tenants in Azure China cloud

-**Type:** New feature

-**Service category:** User Access Management

-**Product capability:** Entitlement Management

-

-The capabilities of Entitlement Management are now available for all tenants in the Azure China cloud. For information, visit our [Identity governance documentation](https://docs.azure.cn/zh-cn/active-directory/governance/) site.

-### New provisioning connectors in the Azure AD Application Gallery - December 2020

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-

-### New Federated Apps available in Azure AD Application gallery - December 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In December 2020 we have added following 18 new applications in our App gallery with Federation support:

-[AwareGo](../saas-apps/awarego-tutorial.md), [HowNow SSO](https://gethownow.com/), [ZyLAB ONE Legal Hold](https://www.zylab.com/en/product/legal-hold), [Guider](http://www.guider-ai.com/), [Softcrisis](https://www.softcrisis.se/sv/), [Pims 365](https://www.omega365.com/products/omega-pims), [InformaCast](../saas-apps/informacast-tutorial.md), [RetrieverMediaDatabase](../saas-apps/retrievermediadatabase-tutorial.md), [vonage](../saas-apps/vonage-tutorial.md), [Count Me In - Operations Dashboard](../saas-apps/count-me-in-operations-dashboard-tutorial.md), [ProProfs Knowledge Base](../saas-apps/proprofs-knowledge-base-tutorial.md), [RightCrowd Workforce Management](../saas-apps/rightcrowd-workforce-management-tutorial.md), [JLL TRIRIGA](../saas-apps/jll-tririga-tutorial.md), [Shutterstock](../saas-apps/shutterstock-tutorial.md), [FortiWeb Web Application Firewall](../saas-apps/linkedin-talent-solutions-tutorial.md), [LinkedIn Talent Solutions](../saas-apps/linkedin-talent-solutions-tutorial.md), [Equinix Federation App](../saas-apps/equinix-federation-app-tutorial.md), [KFAdvance](../saas-apps/kfadvance-tutorial.md)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial

-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

-### Navigate to Teams directly from My Access portal

-**Type:** Changed feature

-**Service category:** User Access Management

-**Product capability:** Entitlement Management

-You can now launch Teams directly from My Access portal. To do so, sign-in to [My Access](https://myaccess.microsoft.com/), navigate to **Access packages**, then go to the **Active** Tab to see all access packages you already have access to. When you expand the access package and hover on Teams, you can launch it by clicking on the **Open** button.

-To learn more about using the My Access portal, go to [Request access to an access package in Azure AD entitlement management](../governance/entitlement-management-request-access.md#sign-in-to-the-my-access-portal).

-### Public preview - Second level manager can be set as alternate approver

-**Type:** Changed feature

-**Service category:** User Access Management

-**Product capability:** Entitlement Management

-An extra option is now available in the approval process in Entitlement Management. If you select Manager as approver for the First Approver, you'll have another option, Second level manager as alternate approver, available to choose in the alternate approver field. When you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.

-For more information, go to [Change approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).

-## November 2020

-### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES deprecation

-**Type:** Plan for change

-**Service category:** All Azure AD applications

-**Product capability:** Standards

-Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021:

-Affected environments are:

-For guidance to remove deprecating protocols dependencies, please refer to [EEnable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).

-### New Federated Apps available in Azure AD Application gallery - November 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In November 2020 we have added following 52 new applications in our App gallery with Federation support:

-[Travel & Expense Management](https://app.expenseonce.com/Account/Login), [Tribeloo](../saas-apps/tribeloo-tutorial.md), [Itslearning File Picker](https://pmteam.itslearning.com/), [Crises Control](../saas-apps/crises-control-tutorial.md), [CourtAlert](https://www.courtalert.com/), [StealthMail](https://stealthmail.com/), [Edmentum - Study Island](https://app.studyisland.com/cfw/login/), [Virtual Risk Manager](../saas-apps/virtual-risk-manager-tutorial.md), [TIMU](../saas-apps/timu-tutorial.md), [Looker Analytics Platform](../saas-apps/looker-analytics-platform-tutorial.md), [Talview - Recruit](https://recruit.talview.com/login), Real Time Translator, [Klaxoon](https://access.klaxoon.com/login), [Podbean](../saas-apps/podbean-tutorial.md), [zcal](https://zcal.co/signup), [expensemanager](https://api.expense-manager.com/), [En-trak Tenant Experience Platform](https://portal.en-trak.app/), [Appian](../saas-apps/appian-tutorial.md), [Panorays](../saas-apps/panorays-tutorial.md), [Builterra](https://portal.builterra.com/), [EVA Check-in](https://my.evacheckin.com/organization), [HowNow WebApp SSO](../saas-apps/hownow-webapp-sso-tutorial.md), [Coupa Risk Assess](../saas-apps/coupa-risk-assess-tutorial.md), [Lucid (All Products)](../saas-apps/lucid-tutorial.md), [GoBright](https://portal.brightbooking.eu/), [SailPoint IdentityNow](../saas-apps/sailpoint-identitynow-tutorial.md),[Resource Central](../saas-apps/resource-central-tutorial.md), [UiPathStudioO365App](https://www.uipath.com/product/platform), [Jedox](../saas-apps/jedox-tutorial.md), [Cequence Application Security](../saas-apps/cequence-application-security-tutorial.md), [PerimeterX](../saas-apps/perimeterx-tutorial.md), [TrendMiner](../saas-apps/trendminer-tutorial.md), [Lexion](../saas-apps/lexion-tutorial.md), [WorkWare](../saas-apps/workware-tutorial.md), [ProdPad](../saas-apps/prodpad-tutorial.md), [AWS ClientVPN](../saas-apps/aws-clientvpn-tutorial.md), [AppSec Flow SSO](../saas-apps/appsec-flow-sso-tutorial.md), [Luum](../saas-apps/luum-tutorial.md), [Freight Measure](https://www.gpcsl.com/freight.html), [Terraform Cloud](../saas-apps/terraform-cloud-tutorial.md), [Nature Research](../saas-apps/nature-research-tutorial.md), [Play Digital Signage](https://login.playsignage.com/login), [RemotePC](../saas-apps/remotepc-tutorial.md), [Prolorus](../saas-apps/prolorus-tutorial.md), [Hirebridge ATS](../saas-apps/hirebridge-ats-tutorial.md), [Teamgage](https://teamgage.com), [Roadmunk](../saas-apps/roadmunk-tutorial.md), [Sunrise Software Relations CRM](https://cloud.relations-crm.com/), [Procaire](../saas-apps/procaire-tutorial.md), [Mentor&reg; by eDriving: Business](https://www.edriving.com/), [Gradle Enterprise](https://gradle.com/)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial

-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

-### Public preview - Custom roles for enterprise apps

-**Type:** New feature

-**Service category:** RBAC

-**Product capability:** Access Control

-

- [Custom RBAC roles for delegated enterprise application management](../roles/custom-available-permissions.md) is now in public preview. These new permissions build on the custom roles for app registration management, which allows fine-grained control over what access your admins have. Over time, additional permissions to delegate management of Azure AD will be released.

-Some common delegation scenarios:

-### Public preview - Azure AD Application Proxy natively supports single sign-on access to applications that use headers for authentication

-**Type:** New feature

-**Service category:** App Proxy

-**Product capability:** Access Control

-

-Azure Active Directory (Azure AD) Application Proxy natively supports single sign-on access to applications that use headers for authentication. You can configure header values required by your application in Azure AD. The header values will be sent down to the application via Application Proxy. To learn more, see [Header-based single sign-on for on-premises apps with Azure AD App Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md)

-

-### General Availability - Azure AD B2C Phone Sign-up and Sign-in using Custom Policy

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies, allow developers and enterprises to communicate their brand through page customization. Find out how to [set up phone sign-up and sign-in with custom policies in Azure AD B2C](../../active-directory-b2c/phone-authentication-user-flows.md).

-

-### New provisioning connectors in the Azure AD Application Gallery - November 2020

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-

-### Public Preview - Email Sign in with ProxyAddresses now deployable via Staged Rollout

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-

-Tenant administrators can now use Staged Rollout to deploy Email Sign-In with ProxyAddresses to specific Azure AD groups. This can help while trying out the feature before deploying it to the entire tenant via the Home Realm Discovery policy. Instructions for deploying Email Sign-In with ProxyAddresses via Staged Rollout are in the [documentation](../authentication/howto-authentication-use-email-signin.md).

-

-### Limited Preview - Sign-in Diagnostic

-**Type:** New feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-

-With the initial preview release of the Sign-in Diagnostic, admins can now review user sign-ins. Admins can receive contextual, specific, and relevant details and guidance on what happened during a sign-in and how to fix problems. The diagnostic is available in both the Azure AD level, and Conditional Access Diagnose and Solve blades. The diagnostic scenarios covered in this release are Conditional Access, Azure Active Directory Multi-Factor Authentication, and successful sign-in.

-For more information, see [What is sign-in diagnostic in Azure AD?](../reports-monitoring/overview-sign-in-diagnostics.md).

-

-### Improved Unfamiliar Sign-in Properties

-**Type:** Changed feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

- Unfamiliar sign-in properties detections has been updated. Customers may notice more high-risk unfamiliar sign-in properties detections. For more information, see [What is risk?](../identity-protection/concept-identity-protection-risks.md)

-

-### Public Preview refresh of Cloud Provisioning agent now available (Version: 1.1.281.0)

-**Type:** Changed feature

-**Service category:** Azure AD Cloud Provisioning

-**Product capability:** Identity Lifecycle Management

-

-Cloud provisioning agent has been released in public preview and is now available through the portal. This release contains several improvements including, support for GMSA for your domains, which provides better security, improved initial sync cycles, and support for large groups. Check out the release version [history](../app-provisioning/provisioning-agent-release-version-history.md) for more details.

-

-### BitLocker recovery key API endpoint now under /informationProtection

-**Type:** Changed feature

-**Service category:** Device Access Management

-**Product capability:** Device Lifecycle Management

-

-Previously, you could recover BitLocker keys via the /bitlocker endpoint. We'll eventually be deprecating this endpoint, and customers should begin consuming the API that now falls under /informationProtection.

-See [BitLocker recovery API](/graph/api/resources/bitlockerrecoverykey) for updates to the documentation to reflect these changes.

-### General Availability of Application Proxy support for Remote Desktop Services HTML5 Web Client

-**Type:** Changed feature

-**Service category:** App Proxy

-**Product capability:** Access Control

-

-Azure AD Application Proxy support for Remote Desktop Services (RDS) Web Client is now in General Availability. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, and so on. Users can interact with remote apps or desktops like they would with a local device from anywhere.

-By using Azure AD Application Proxy, you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. To learn more, see [Publish Remote Desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md)

-

-### New enhanced Dynamic Group service is in Public Preview

-**Type:** Changed feature

-**Service category:** Group Management

-**Product capability:** Collaboration

-

-Enhanced dynamic group service is now in Public Preview. New customers that create dynamic groups in their tenants will be using the new service. The time required to create a dynamic group will be proportional to the size of the group that is being created instead of the size of the tenant. This update will improve performance for large tenants significantly when customers create smaller groups.

-The new service also aims to complete member addition and removal because of attribute changes within a few minutes. Also, single processing failures won't block tenant processing. To learn more about creating dynamic groups, see our [documentation](../enterprise-users/groups-create-rule.md).

-

-## October 2020

-### Azure AD on-premises Hybrid Agents Impacted by Azure TLS Certificate Changes

-**Type:** Plan for change

-**Service category:** N/A

-**Product capability:** Platform

-Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This update is due to the current CA certificates not complying with one of the CA/Browser Forum Baseline requirements. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates and will need to be updated to trust the new certificate issuers.

-This change will result in disruption of service if you don't take action immediately. These agents include [Application Proxy connectors](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AppProxy) for remote access to on-premises, [Passthrough Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that allow your users to sign in to applications using the same passwords, and [Cloud Provisioning Preview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that perform AD to Azure AD sync.

-If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you'll need to allow the following CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md).

-### Provisioning events will be removed from audit logs and published solely to provisioning logs

-**Type:** Plan for change

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-

-Activity by the SCIM [provisioning service](../app-provisioning/user-provisioning.md) is logged in both the audit logs and provisioning logs. This includes activity such as the creation of a user in ServiceNow, group in GSuite, or import of a role from AWS. In the future, these events will only be published in the provisioning logs. This change is being implemented to avoid duplicate events across logs, and additional costs incurred by customers consuming the logs in log analytics.

-We'll provide an update when a date is completed. This deprecation isn't planned for the calendar year 2020.

-> [!NOTE]

-> This does not impact any events in the audit logs outside of the synchronization events emitted by the provisioning service. Events such as the creation of an application, conditional access policy, a user in the directory, etc. will continue to be emitted in the audit logs. [Learn more](../reports-monitoring/concept-provisioning-logs.md?context=azure%2factive-directory%2fapp-provisioning%2fcontext%2fapp-provisioning-context).

-

-### Azure AD On-Premises Hybrid Agents Impacted by Azure Transport Layer Security (TLS) Certificate Changes

-**Type:** Plan for change

-**Service category:** N/A

-**Product capability:** Platform

-

-Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). There will be an update because of the current CA certificates not following one of the CA/Browser Forum Baseline requirements. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates. These agents will need to be updated to trust the new certificate issuers.

-This change will result in disruption of service if you don't take action immediately. These agents include:

-If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you'll need to allow CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md).

-[1305958](https://identitydivision.visualstudio.com/IAM/IXR/_queries?id=1305958&triage=true&fullScreen=false&_a=edit)

-### Azure Active Directory TLS 1.0 & 1.1, and 3DES Cipher Suite Deprecation

-**Type:** Plan for change

-**Service category:** N/A

-**Product capability:** Standards

-Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting on January 31, 2022 (This date has been postponed from 30th June 2021 to 31st Jan 2022, to give Administrators more time to remove the dependency on legacy TLS protocols and ciphers (TLS 1.0,1.1 and 3DES)):

-Affected environments are:

-Users, services, and applications that interact with Azure Active Directory and Microsoft Graph, should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services. For additional guidance, refer to [Enable support for TLS 1.2 in your environment, in preparation for upcoming deprecation of Azure AD TLS 1.0/1.1](/troubleshoot/azure/active-directory/enable-support-tls-environment).

-### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES Deprecation in US Gov Cloud

-**Type:** Plan for change

-**Service category:** All Azure AD applications

-**Product capability:** Standards

-

-Azure Active Directory will deprecate the following protocols starting March 31, 2021:

-All client-server and browser-server combinations should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services.

-Affected environments are:

-For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).

-

-### Assign applications to roles on administrative unit and object scope

-**Type:** New feature

-**Service category:** RBAC

-**Product capability:** Access Control

-

-This feature enables the ability to assign an application (SPN) to an administrator role on the administrative unit scope. To learn more, refer to [Assign scoped roles to an administrative unit](../roles/admin-units-assign-roles.md).

-### Now you can disable and delete guest users when they're denied access to a resource

-**Type:** New feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-

-Disable and delete is an advanced control in Azure AD Access Reviews to help organizations better manage external guests in Groups and Apps. If guests are denied in an access review, **disable and delete** will automatically block them from signing in for 30 days. After 30 days, then they'll be removed from the tenant altogether.

-For more information about this feature, see [Disable and delete external identities with Azure AD Access Reviews](../governance/access-reviews-external-users.md#disable-and-delete-external-identities-with-azure-ad-access-reviews).

-

-### Access Review creators can add custom messages in emails to reviewers

-**Type:** New feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-

-In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers. Reviewers will see the message in the email they receive that prompts them to complete the review. To learn more about using this feature, see step 14 of the [Create a single-stage review](../governance/create-access-review.md#create-a-single-stage-access-review) section.

-### New provisioning connectors in the Azure AD Application Gallery - October 2020

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-

-### Integration assistant for Azure AD B2C

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-

-The Integration Assistant (preview) experience is now available for Azure AD B2C App registrations. This experience helps guide you in configuring your application for common scenarios.. Learn more about [Microsoft identity platform best practices and recommendations](../develop/identity-platform-integration-checklist.md).

-

-### View role template ID in Azure portal UI

-**Type:** New feature

-**Service category:** Azure roles

-**Product capability:** Access Control

-

-You can now view the template ID of each Azure AD role in the Azure portal. In Azure AD, select **description** of the selected role.

-It's recommended that customers use role template IDs in their PowerShell script and code, instead of the display name. Role template ID is supported for use to [directoryRoles](/graph/api/resources/directoryrole) and [roleDefinition](/graph/api/resources/unifiedroledefinition) objects. For more information on role template IDs, see [Azure AD built-in roles](../roles/permissions-reference.md).

-### API connectors for Azure AD B2C sign-up user flows is now in public preview

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-

-API connectors are now available for use with Azure Active Directory B2C. API connectors enable you to use web APIs to customize your sign-up user flows and integrate with external cloud systems. You can you can use API connectors to:

- Visit the [Use API connectors to customize and extend sign-up](../../active-directory-b2c/api-connectors-overview.md) documentation to learn more.

-### State property for connected organizations in entitlement management

-**Type:** New feature

-**Service category:** Directory Management

-**Product capability:** Entitlement Management

-

- All connected organizations will now have an additional property called "State". The state will control how the connected organization will be used in policies that refer to "all configured connected organizations". The value will be either "configured" (meaning the organization is in the scope of policies that use the "all" clause) or "proposed" (meaning that the organization isn't in scope).

-Manually created connected organizations will have a default setting of "configured". Meanwhile, automatically created ones (created via policies that allow any user from the internet to request access) will default to "proposed." Any connected organizations created before September 9 2020 will be set to "configured." Admins can update this property as needed. [Learn more](../governance/entitlement-management-organization.md#managing-a-connected-organization-programmatically).

-

-### Azure Active Directory External Identities now has premium advanced security settings for B2C

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-

-Risk-based Conditional Access and risk detection features of Identity Protection are now available in [Azure AD B2C](../..//active-directory-b2c/conditional-access-identity-protection-overview.md). With these advanced security features, customers can now:

-

-### New Federated Apps available in Azure AD Application gallery - October 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In October 2020 we have added following 27 new applications in our App gallery with Federation support:

-[Sentry](../saas-apps/sentry-tutorial.md), [Bumblebee - Productivity Superapp](https://app.yellowmessenger.com/user/login), [ABBYY FlexiCapture Cloud](../saas-apps/abbyy-flexicapture-cloud-tutorial.md), [EAComposer](../saas-apps/eacomposer-tutorial.md), [Genesys Cloud Integration for Azure](https://apps.mypurecloud.com/msteams-integration/), [Zone Technologies Portal](https://portail.zonetechnologie.com/signin), [Beautiful.ai](../saas-apps/beautiful.ai-tutorial.md), [Datawiza Access Broker](https://console.datawiza.com/), [ZOKRI](https://app.zokri.com/), [CheckProof](../saas-apps/checkproof-tutorial.md), [Ecochallenge.org](https://events.ecochallenge.org/users/login), [atSpoke](https://www.atspoke.com/), [Appointment Reminder](https://app.appointmentreminder.co.nz/account/login), [Cloud.Market](https://cloud.market/), [TravelPerk](../saas-apps/travelperk-tutorial.md), [Greetly](https://app.greetly.com/), [OrgVitality SSO](../saas-apps/orgvitality-sso-tutorial.md), [Web Cargo Air](../saas-apps/web-cargo-air-tutorial.md), [Loop Flow CRM](../saas-apps/loop-flow-crm-tutorial.md), [Starmind](../saas-apps/starmind-tutorial.md), [Workstem](https://hrm.workstem.com/login), [Retail Zipline](../saas-apps/retail-zipline-tutorial.md), [Hoxhunt](../saas-apps/hoxhunt-tutorial.md), [MEVISIO](../saas-apps/mevisio-tutorial.md), [Samsara](../saas-apps/samsara-tutorial.md), [Nimbus](../saas-apps/nimbus-tutorial.md), [Pulse Secure virtual Traffic Manager](../saas-apps/pulse-secure-virtual-traffic-manager-tutorial.md)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial

-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

-### Provisioning logs can now be streamed to log analytics

-**Type:** New feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-

-Publish your provisioning logs to log analytics in order to:

-To learn how to use the feature, see [Understand how provisioning integrates with Azure Monitor logs](../app-provisioning/application-provisioning-log-analytics.md).

-

-### Provisioning logs can now be viewed by application owners

-**Type:** Changed feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-

-You can now allow application owners to monitor activity by the provisioning service and troubleshoot issues without providing them a privileged role or making IT a bottleneck. [Learn more](../reports-monitoring/concept-provisioning-logs.md).

-

-### Renaming 10 Azure Active Directory roles

-**Type:** Changed feature

-**Service category:** Azure roles

-**Product capability:** Access Control

-

-Some Azure Active Directory (AD) built-in roles have names that differ from those that appear in Microsoft 365 admin center, the Azure portal, and Microsoft Graph. This inconsistency can cause problems in automated processes. With this update, we're renaming 10 role names to make them consistent. The following table has the new role names:

-

-### Azure AD B2C support for auth code flow for SPAs using MSAL JS 2.x

-**Type:** Changed feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-

-MSAL.js version 2.x now includes support for the authorization code flow for single-page web apps (SPAs). Azure AD B2C will now support the use of the SPA app type on the Azure portal and the use of MSAL.js authorization code flow with PKCE for single-page apps. This will allow SPAs using Azure AD B2C to maintain SSO with newer browsers and abide by newer authentication protocol recommendations. Get started with the [Register a single-page application (SPA) in Azure Active Directory B2C](../../active-directory-b2c/tutorial-register-spa.md) tutorial.

-### Updates to Remember Azure Active Directory Multi-Factor Authentication (MFA) on a trusted device setting

-**Type:** Changed feature

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-

-We've recently updated the [remember Azure Active Directory Multi-Factor Authentication (MFA)](../authentication/howto-mfa-mfasettings.md#remember-multi-factor-authentication) on a trusted device feature to extend authentication for up to 365 days. Azure Active Directory (Azure AD) Premium licenses, can also use the [Conditional Access ΓÇô Sign-in Frequency policy](../conditional-access/howto-conditional-access-session-lifetime.md#user-sign-in-frequency) that provides more flexibility for reauthentication settings.

-For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to remember multifactor authentication (MFA) on a trusted device setting. To get started, review our [latest guidance on optimizing the reauthentication experience](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).

-## September 2020

-### New provisioning connectors in the Azure AD Application Gallery - September 2020

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-

-### Cloud Provisioning Public Preview Refresh

-**Type:** New feature

-**Service category:** Azure AD Cloud Provisioning

-**Product capability:** Identity Lifecycle Management

-

-Azure AD Connect Cloud Provisioning public preview refresh features two major enhancements developed from customer feedback:

- With this feature, IT Admins can map user, group, or contact attributes from AD to Azure AD using various mapping types present today. Attribute mapping is a feature used for standardizing the values of the attributes that flow from Active Directory to Azure Active Directory. One can determine whether to directly map the attribute value as it is from AD to Azure AD or use expressions to transform the attribute values when provisioning users. [Learn more](../cloud-sync/how-to-attribute-mapping.md)

- Once you have set up your configuration, you might want to test to see if the user transformation is working as expected before applying it to all your users in scope. With on-demand provisioning, IT Admins can enter the Distinguished Name (DN) of an AD user and see if they're getting synced as expected. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected. [Learn More](../cloud-sync/how-to-on-demand-provision.md)

-

-### Audited BitLocker Recovery in Azure AD - Public Preview

-**Type:** New feature

-**Service category:** Device Access Management

-**Product capability:** Device Lifecycle Management

-

-When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.

-End users can [access their recovery keys via My Account](https://support.microsoft.com/account-billing/manage-your-work-or-school-account-connected-devices-from-the-devices-page-6b5a735d-0a7f-4e94-8cfd-f5da6bc13d4e#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API](/graph/api/resources/bitlockerrecoverykey) or via the Azure portal. To learn more, see [View or copy BitLocker keys in the Azure portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).

-### Teams Devices Administrator built-in role

-**Type:** New feature

-**Service category:** RBAC

-**Product capability:** Access Control

-

-Users with the [Teams Devices Administrator](../roles/permissions-reference.md#teams-devices-administrator) role can manage [Teams-certified devices](https://www.microsoft.com/microsoft-365/microsoft-teams/across-devices/devices) from the Teams Admin Center.

-This role allows the user to view all devices at single glance, with the ability to search and filter devices. The user can also check the details of each device including logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device.

-

-### Advanced query capabilities for Directory Objects

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-

-All the new query capabilities introduced for Directory Objects in Azure AD APIs are now available in the v1.0 endpoint and production-ready. Developers can Count, Search, Filter, and Sort Directory Objects and related links using the standard OData operators.

-To learn more, see the documentation [here](https://aka.ms/BlogPostMezzoGA), and you can also send feedback with this [brief survey](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR_yN8EPoGo5OpR1hgmCp1XxUMENJRkNQTk5RQkpWTE44NEk2U0RIV0VZRy4u).

-

-### Public preview: continuous access evaluation for tenants who configured Conditional Access policies

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** Identity Security & Protection

-

-Continuous access evaluation (CAE) is now available in public preview for Azure AD tenants with Conditional Access policies. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. To learn more, see [Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md).

-### Public preview: ask users requesting an access package additional questions to improve approval decisions

-**Type:** New feature

-**Service category:** User Access Management

-**Product capability:** Entitlement Management

-

-Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision. To learn more, see [Collect additional requestor information for approval](../governance/entitlement-management-access-package-approval-policy.md#collect-additional-requestor-information-for-approval).

-

-### Public preview: Enhanced user management

-**Type:** New feature

-**Service category:** User Management

-**Product capability:** User Management

-

-The Azure portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:

-For more information, please see [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md).

-### New notes field for Enterprise applications

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-You can add free text notes to Enterprise applications. You can add any relevant information that will help manager applications under Enterprise applications. For more information, see [Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-configure.md).

-### New Federated Apps available in Azure AD Application gallery - September 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In September 2020 we have added following 34 new applications in our App gallery with Federation support:

-[VMware Horizon - Unified Access Gateway](), [Pulse Secure PCS](../saas-apps/vmware-horizon-unified-access-gateway-tutorial.md), [Inventory360](../saas-apps/pulse-secure-pcs-tutorial.md), [Frontitude](https://services.enteksystems.de/sso/microsoft/signup), [BookWidgets](https://www.bookwidgets.com/sso/office365), [ZVD_Server](https://zaas.zenmutech.com/user/signin), [HashData for Business](https://hashdata.app/login.xhtml), [SecureLogin](https://securelogin.securelogin.nu/sso/azure/login), [CyberSolutions MAILBASEΣ/CMSS](../saas-apps/cybersolutions-mailbase-tutorial.md), [CyberSolutions CYBERMAILΣ](../saas-apps/cybersolutions-cybermail-tutorial.md), [LimbleCMMS](https://auth.limblecmms.com/), [Glint Inc](../saas-apps/glint-inc-tutorial.md), [zeroheight](../saas-apps/zeroheight-tutorial.md), [Gender Fitness](https://app.genderfitness.com/), [Coeo Portal](https://my.coeo.com/), [Grammarly](../saas-apps/grammarly-tutorial.md), [Fivetran](../saas-apps/fivetran-tutorial.md), [Kumolus](../saas-apps/kumolus-tutorial.md), [RSA Archer Suite](../saas-apps/rsa-archer-suite-tutorial.md), [TeamzSkill](../saas-apps/teamzskill-tutorial.md), [raumfürraum](../saas-apps/raumfurraum-tutorial.md), [Saviynt](../saas-apps/saviynt-tutorial.md), [BizMerlinHR](https://marketplace.bizmerlin.net/bmone/signup), [Mobile Locker](../saas-apps/mobile-locker-tutorial.md), [Zengine](../saas-apps/zengine-tutorial.md), [CloudCADI](https://cloudcadi.com/), [Simfoni Analytics](https://simfonianalytics.com/accounts/microsoft/login/), [Priva Identity & Access Management](https://my.priva.com/), [Nitro Pro](https://www.gonitro.com/nps/product-details/downloads), [Eventfinity](../saas-apps/eventfinity-tutorial.md), [Fexa](../saas-apps/fexa-tutorial.md), [Secured Signing Enterprise Portal](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Secured Signing Enterprise Portal AAD Setup](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Wistec Online](https://wisteconline.com/auth/oidc), [Oracle PeopleSoft - Protected by F5 BIG-IP APM](../saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md)

-You can also find the documentation of all the applications from here: https://aka.ms/AppsTutorial.

-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest.

-### New delegation role in Azure AD entitlement management: Access package assignment manager

-**Type:** New feature

-**Service category:** User Access Management

-**Product capability:** Entitlement Management

-

-A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. You can now delegate tasks to a user in this role, who can delegate assignments management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators.

-With this new role, you benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations. To learn more, see [Entitlement management roles](../governance/entitlement-management-delegate.md#entitlement-management-roles).

-

-### Changes to Privileged Identity Management's onboarding flow

-**Type:** Changed feature

-**Service category:** Privileged Identity Management

-**Product capability:** Privileged Identity Management

-

-Previously, onboarding to Privileged Identity Management (PIM) required user consent and an onboarding flow in PIM's blade that included enrollment in Azure Active Directory Multi-Factor Authentication (MFA). With the recent integration of PIM experience into the Azure AD roles and administrators blade, we are removing this experience. Any tenant with valid P2 license will be auto-onboarded to PIM.

-Onboarding to PIM does not have any direct adverse effect on your tenant. You can expect the following changes:

- For more information, see [Start using Privileged Identity Management](../privileged-identity-management/pim-getting-started.md).

-### Azure AD Entitlement Management: The Select pane of access package resources now shows by default the resources currently in the selected catalog

-**Type:** Changed feature

-**Service category:** User Access Management

-**Product capability:** Entitlement Management

-

-In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog.

-This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog. The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog. To learn more, see [Create a new access package in Azure AD entitlement management](../governance/entitlement-management-access-package-create.md#resource-roles).

-

-## August 2020

-

-### Updates to Azure Active Directory Multi-Factor Authentication Server firewall requirements

-**Type:** Plan for change

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-

-Starting 1 October 2020, Azure AD Multi-Factor Authentication (MFA) Server firewall requirements will require additional IP ranges.

-If you have outbound firewall rules in your organization, update the rules so that your multifactor authentication (MFA) servers can communicate with all the necessary IP ranges. The IP ranges are documented in [Azure Active Directory Multi-Factor Authentication Server firewall requirements](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements).

-### Upcoming changes to user experience in Identity Secure Score

-**Type:** Plan for change

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-We're updating the Identity Secure Score portal to align with the changes introduced in Microsoft Secure Score's [new release](/microsoft-365/security/mtp/microsoft-secure-score-whats-new).

-The preview version with the changes will be available at the beginning of September. The changes in the preview version include:

-In this preview, customers can toggle between the existing experience and the new experience. This preview will last until the end of November 2020. After the preview, the customers will automatically be directed to the new UX experience.

-### New Restricted Guest Access Permissions in Azure AD - Public Preview

-**Type:** New feature

-**Service category:** Access Control

-**Product capability:** User Management

-We've updated directory level permissions for guest users. These permissions allow administrators to require additional restrictions and controls on external guest user access. Admins can now add additional restrictions for external guests' access to user and groups' profile and membership information. With this public preview feature, customers can manage external user access at scale by obfuscating group memberships, including restricting guest users from seeing memberships of the group(s) they are in.

-To learn more, see [Restricted Guest Access Permissions](../enterprise-users/users-restrict-guest-permissions.md) and [Users Default Permissions](./users-default-permissions.md).

-

-### General availability of delta queries for service principals

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-

-Microsoft Graph Delta Query now supports the resource type in v1.0:

-Now clients can track changes to those resources efficiently and provides the best solution to synchronize changes to those resources with a local data store. To learn how to configure these resources in a query, see [Use delta query to track changes in Microsoft Graph data](/graph/delta-query-overview).

-

-### General availability of delta queries for oAuth2PermissionGrant

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-Microsoft Graph Delta Query now supports the resource type in v1.0:

-Clients can now track changes to those resources efficiently and provides the best solution to synchronize changes to those resources with a local data store. To learn how to configure these resources in a query, see [Use delta query to track changes in Microsoft Graph data](/graph/delta-query-overview).

-### New Federated Apps available in Azure AD Application gallery - August 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In August 2020 we have added following 25 new applications in our App gallery with Federation support:

-[Backup365](https://portal.backup365.io/login), [Soapbox](https://app.soapboxhq.com/create?step=auth&provider=azure-ad2-oauth2), [Enlyft Dynamics 365 Connector](http://enlyft.com/), [Serraview Space Utilization Software Solutions](../saas-apps/serraview-space-utilization-software-solutions-tutorial.md), [Uniq](https://web.uniq.app/), [Visibly](../saas-apps/visibly-tutorial.md), [Zylo](../saas-apps/zylo-tutorial.md), [Edmentum - Courseware Assessments Exact Path](https://auth.edmentum.com/elf/login), [CyberLAB](https://cyberlab.evolvesecurity.com/#/welcome), [Altamira HRM](../saas-apps/altamira-hrm-tutorial.md), [WireWheel](../saas-apps/wirewheel-tutorial.md), [Zix Compliance and Capture](https://sminstall.zixcorp.com/teams/teams.php?install_request=true&tenant_id=common), [Greenlight Enterprise Business Controls Platform](../saas-apps/greenlight-enterprise-business-controls-platform-tutorial.md), [Genetec Clearance](https://www.clearance.network/), [iSAMS](../saas-apps/isams-tutorial.md), [VeraSMART](../saas-apps/verasmart-tutorial.md), [Amiko](https://amiko.io/), [Twingate](https://auth.twingate.com/signup), [Funnel Leasing](https://nestiolistings.com/sso/oidc/azure/authorize/), [Scalefusion](https://scalefusion.com/users/sign_in/), [Bpanda](https://goto.bpanda.com/login), [Vivun Calendar Connect](https://app.vivun.com/dashboard/calendar/connect), [FortiGate SSL VPN](../saas-apps/fortigate-ssl-vpn-tutorial.md), [Wandera End User](https://www.wandera.com/)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial

-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

-### Resource Forests now available for Azure AD DS

-**Type:** New feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-

-The capability of resource forests in Azure AD Domain Services is now generally available. You can now enable authorization without password hash synchronization to use Azure AD Domain Services, including smart-card authorization. To learn more, see [Replica sets concepts and features for Azure Active Directory Domain Services (preview)](../../active-directory-domain-services/concepts-replica-sets.md).

-

-### Regional replica support for Azure AD DS managed domains now available

-**Type:** New feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-

-You can expand a managed domain to have more than one replica set per Azure AD tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Azure AD Domain Services. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. To learn more, see [Replica sets concepts and features for Azure Active Directory Domain Services (preview)](../../active-directory-domain-services/concepts-replica-sets.md).

-### General Availability of Azure AD My sign-ins

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** End User Experiences

-

-Azure AD My sign-ins is a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. Additionally, this feature allows end users to report "This wasn't me" or "This was me" on suspicious activities. To learn more about using this feature, see [View and search your recent sign-in activity from the My sign-ins page](https://support.microsoft.com/account-billing/view-and-search-your-work-or-school-account-sign-in-activity-from-my-sign-ins-9e7d108c-8e3f-42aa-ac3a-bca892898972#confirm-unusual-activity).

-

-### SAP SuccessFactors HR driven user provisioning to Azure AD is now generally available

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-

-You can now integrate SAP SuccessFactors as the authoritative identity source with Azure AD and automate the end-to-end identity lifecycle using HR events like new hires and terminations to drive provisioning and de-provisioning of accounts in Azure AD.

-To learn more about how to configure SAP SuccessFactors inbound provisioning to Azure AD, refer to the tutorial [Configure SAP SuccessFactors to Active Directory user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md).

-

-### Custom Open ID Connect MS Graph API support for Azure AD B2C

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-

-Previously, Custom Open ID Connect providers could only be added or managed through the Azure portal. Now the Azure AD B2C customers can add and manage them through Microsoft Graph APIs beta version as well. To learn how to configure this resource with APIs, see [identityProvider resource type](/graph/api/resources/identityprovider).

-

-### Assign Azure AD built-in roles to cloud groups

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-You can now assign Azure AD built-in roles to cloud groups with this new feature. For example, you can assign the SharePoint Administrator role to Contoso_SharePoint_Admins group. You can also use PIM to make the group an eligible member of the role, instead of granting standing access. To learn how to configure this feature, see [Use cloud groups to manage role assignments in Azure Active Directory (preview)](../roles/groups-concept.md).

-

-### Insights Business Leader built-in role now available

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-

-Users in the Insights Business Leader role can access a set of dashboards and insights via the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). This includes full access to all dashboards and presented insights and data exploration functionality. However, users in this role don't have access to product configuration settings, which is the responsibility of the Insights Administrator role. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-business-leader)

-

-### Insights Administrator built-in role now available

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-

-Users in the Insights Administrator role can access the full set of administrative capabilities in the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). A user in this role can read directory information, monitor service health, file support tickets, and access the Insights administrator settings aspects. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-administrator)

-

-

-### Application Admin and Cloud Application Admin can manage extension properties of applications

-**Type:** Changed feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-

-Previously, only the Global Administrator could manage the [extension property](/graph/api/application-post-extensionproperty). We're now enabling this capability for the Application Administrator and Cloud Application Administrator as well.

-

-### MIM 2016 SP2 hotfix 4.6.263.0 and connectors 1.1.1301.0

-**Type:** Changed feature

-**Service category:** Microsoft Identity Manager

-**Product capability:** Identity Lifecycle Management

-A [hotfix rollup package (build 4.6.263.0)](https://support.microsoft.com/help/4576473/hotfix-rollup-package-build-4-6-263-0-is-available-for-microsoft-ident) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package contains updates for the MIM CM, MIM Synchronization Manager, and PAM components. In addition, the MIM generic connectors build 1.1.1301.0 includes updates for the Graph connector.

-## July 2020

-### As an IT Admin, I want to target client apps using Conditional Access

-**Type:** Plan for change

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-

-With the GA release of the client apps condition in Conditional Access, new policies will now apply by default to all client applications. This includes legacy authentication clients. Existing policies will remain unchanged, but the *Configure Yes/No* toggle will be removed from existing policies to easily see which client apps are applied to by the policy.

-When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they'll be blocked. [Learn more](../conditional-access/concept-conditional-access-conditions.md).

-

-### Upcoming SCIM compliance fixes

-**Type:** Plan for change

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-

-The Azure AD provisioning service uses the SCIM standard for integrating with applications. Our implementation of the SCIM standard is evolving, and we expect to make changes to our behavior around how we perform PATCH operations and set the property "active" on a resource. [Learn more](../app-provisioning/application-provisioning-config-problem-scim-compatibility.md).

-

-### Group owner setting on Azure Admin portal will be changed

-**Type:** Plan for change

-**Service category:** Group Management

-**Product capability:** Collaboration

-Owner settings on Groups general setting page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. We'll soon have the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph.

-We'll start to disable the current setting for the customers who aren't using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using [Azure Active Directory](./active-directory-groups-settings-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).

-### Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1

-**Type:** Plan for change

-**Service category:** Device Registration and Management

-**Product capability:** Platform

-Transport layer security (TLS) 1.2 and update servers and clients will soon communicate with Azure Active Directory Device Registration Service. Support for TLS 1.0 and 1.1 for communication with Azure AD Device Registration service will retire:

-[Learn more](../devices/reference-device-registration-tls-1-2.md) about TLS 1.2 for the Azure AD Registration Service.

-### Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs

-**Type:** Fixed

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-

-Windows Hello for Business allows end users to sign into Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.

-Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD sign-ins blade in the Azure portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting Sign-In Logs, please see the [Sign-In Logs documentation](../reports-monitoring/concept-sign-ins.md).

-

-### Fixes to group deletion behavior and performance improvements

-**Type:** Fixed

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-

-Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object wasn't being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or didn't pass scoping filter). [Learn more](../app-provisioning/how-provisioning-works.md#incremental-cycles).

-

-### Public Preview: Admins can now add custom content in the email to reviewers when creating an access review

-**Type:** New feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-

-When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many of our customers asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer.

-Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the "advanced" section of Azure AD Access Reviews. For guidance on creating access reviews, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md).

-

-### Authorization Code Flow for Single-page apps available

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** Developer Experience

-

-Because of modern browser 3rd party cookie restrictions such as Safari ITP, SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO, and MSAL.js v 2.x will now support the authorization code flow.

-There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. See [Sign in users and get an access token in a JavaScript SPA using the auth code flow](../develop/quickstart-v2-javascript-auth-code.md) for further guidance.

-

-### Azure AD Application Proxy now supports the Remote Desktop Services Web Client

-**Type:** New feature

-**Service category:** App Proxy

-**Product capability:** Access Control

-Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For guidance, see [Publish Remote Desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md).

-

-### Next generation Azure AD B2C user flows in public preview

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-

-Simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows. Try it now by [creating a user flow](../../active-directory-b2c/tutorial-create-user-flows.md).

-For more information about users flows, see [User flow versions in Azure Active Directory B2C](../../active-directory-b2c/user-flow-versions.md).

-### New Federated Apps available in Azure AD Application gallery - July 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In July 2020 we have added following 55 new applications in our App gallery with Federation support:

-[Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://www.alohacloud.com/), Control Tower, [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngage&trade;](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub Single Sign-On](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), [Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://www.moduleq.com/), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-### View role assignments across all scopes and ability to download them to a csv file

-**Type:** Changed feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-

-You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see [View and assign administrator roles in Azure Active Directory](../roles/manage-roles-portal.md).

-

-### Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK) Deprecation

-**Type:** Deprecated

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-

-The Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail.

-If your organization is using the Azure MFA SDK, you need to migrate by September 30th, 2020:

-## June 2020

-### User risk condition in Conditional Access policy

-**Type:** Plan for change

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-

-User risk support in Azure AD Conditional Access policy allows you to create multiple user risk-based policies. Different minimum user risk levels can be required for different users and apps. Based on user risk, you can create policies to block access, require multifactor authentication, secure password change, or redirect to Microsoft Cloud App Security to enforce session policy, such as additional auditing.

-The user risk condition requires Azure AD Premium P2 because it uses Azure Identity Protection, which is a P2 offering. for more information about conditional access, refer to [Azure AD Conditional Access documentation](../conditional-access/index.yml).

-### SAML SSO now supports apps that require SPNameQualifier to be set when requested

-**Type:** Fixed

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now Azure AD responds correctly when a SPNameQualifier is requested in the request NameID policy. This also works for SP initiated sign-in, and IdP initiated sign-in will follow.

-### Azure AD B2B Collaboration supports inviting MSA and Google users in Azure Government tenants

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-Azure Government tenants using the B2B collaboration features can now invite users that have a Microsoft or Google account. To find out if your tenant can use these capabilities, follow the instructions at [How can I tell if B2B collaboration is available in my Azure US Government tenant?](../external-identities/b2b-government-national-clouds.md#how-can-i-tell-if-b2b-collaboration-is-available-in-my-azure-us-government-tenant).

-

-

-### User object in MS Graph v1 now includes externalUserState and externalUserStateChangedDateTime properties

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-The externalUserState and externalUserStateChangedDateTime properties can be used to find invited B2B guests who have not accepted their invitations yet as well as build automation such as deleting users who haven't accepted their invitations after some number of days. These properties are now available in MS Graph v1. For guidance on using these properties, refer to [User resource type](/graph/api/resources/user).

-

-### Manage authentication sessions in Azure AD Conditional Access is now generally available

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-

-Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers to offer more security and flexibility in your environment.

-

-Additionally, authentication session management used to only apply to the First Factor Authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Now authentication session management will apply to multifactor authentication (MFA) as well. For more information, see [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).

-### New Federated Apps available in Azure AD Application gallery - June 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In June 2020 we've added the following 29 new applications in our App gallery with Federation support:

-[Shopify Plus](../saas-apps/shopify-plus-tutorial.md), [Ekarda](../saas-apps/ekarda-tutorial.md), [MailGates](../saas-apps/mailgates-tutorial.md), [BullseyeTDP](../saas-apps/bullseyetdp-tutorial.md), [Raketa](../saas-apps/raketa-tutorial.md), [Segment](../saas-apps/segment-tutorial.md), [Ai Auditor](https://www.mindbridge.ai/products/ai-auditor/), [Pobuca Connect](https://app.pobu.c), [Smallstep SSH](https://smallstep.com/sso-ssh/)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

-For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest.

-### API connectors for External Identities self-service sign-up are now in public preview

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-External Identities API connectors enable you to leverage web APIs to integrate self-service sign-up with external cloud systems. This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows. For example, you can use API connectors to:

-For more information about all of the experiences possible with API connectors, see [Use API connectors to customize and extend self-service sign-up](../external-identities/api-connectors-overview.md), or [Customize External Identities self-service sign-up with web API integrations](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/customize-external-identities-self-service-sign-up-with-web-api/ba-p/1257364#.XvNz2fImuQg.linkedin).

-

-### Provision on-demand and get users into your apps in seconds

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-

-The Azure AD provisioning service currently operates on a cyclic basis. The service runs every 40 mins. The [on-demand provisioning capability](https://aka.ms/provisionondemand) allows you to pick a user and provision them in seconds. This capability allows you to quickly troubleshoot provisioning issues, without having to do a restart to force the provisioning cycle to start again.

-

-### New permission for using Azure AD entitlement management in Graph

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Entitlement Management

-

-A new delegated permission EntitlementManagement.Read.All is now available for use with the Entitlement Management API in Microsoft Graph beta. To find out more about the available APIs, see [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview).

-### Identity Protection APIs available in v1.0

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-

-The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they're available at the v1.0 endpoint, we invite you to use them in production. For more information, please check out the [Microsoft Graph docs](/graph/api/resources/identityprotectionroot).

-

-### Sensitivity labels to apply policies to Microsoft 365 groups is now generally available

-**Type:** New feature

-**Service category:** Group Management

-**Product capability:** Collaboration

-

-You can now create sensitivity labels and use the label settings to apply policies to Microsoft 365 groups, including privacy (Public or Private) and external user access policy. You can create a label with the privacy policy to be Private, and external user access policy to not allow to add guest users. When a user applies this label to a group, the group will be private, and no guest users are allowed to be added to the group.

-Sensitivity labels are important to protect your business-critical data and enable you to manage groups at scale, in a compliant and secure fashion. For guidance on using sensitivity labels, refer to [Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory (preview)](../enterprise-users/groups-assign-sensitivity-labels.md).

-

-### Updates to support for Microsoft Identity Manager for Azure AD Premium customers

-**Type:** Changed feature

-**Service category:** Microsoft Identity Manager

-**Product capability:** Identity Lifecycle Management

-

-Azure Support is now available for Azure AD integration components of Microsoft Identity Manager 2016, through the end of Extended Support for Microsoft Identity Manager 2016. Read more at [Support update for Azure AD Premium customers using Microsoft Identity Manager](/microsoft-identity-manager/support-update-for-azure-active-directory-premium-customers).

-### The use of group membership conditions in SSO claims configuration is increased

-**Type:** Changed feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-Previously, the number of groups you could use when you conditionally change claims based on group membership within any single application configuration was limited to 10. The use of group membership conditions in SSO claims configuration has now increased to a maximum of 50 groups. For more information on how to configure claims, refer to [Enterprise Applications SSO claims configuration](../develop/active-directory-saml-claims-customization.md).

-### Enabling basic formatting on the Sign In Page Text component in Company Branding.

-**Type:** Changed feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-

-The Company Branding functionality on the Azure AD/Microsoft 365 login experience has been updated to allow the customer to add hyperlinks and simple formatting, including bold font, underline, and italics. For guidance on using this functionality, see [Add branding to your organization's Azure Active Directory sign-in page](./customize-branding.md).

-### Provisioning performance improvements

-**Type:** Changed feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-

-The provisioning service has been updated to reduce the time for an [incremental cycle](../app-provisioning/how-provisioning-works.md#incremental-cycles) to complete. This means that users and groups will be provisioned into their applications faster than they were previously. All new provisioning jobs created after 6/10/2020 will automatically benefit from the performance improvements. Any applications configured for provisioning before 6/10/2020 will need to restart once after 6/10/2020 to take advantage of the performance improvements.

-### Announcing the deprecation of ADAL and MS Graph Parity

-**Type:** Deprecated

-**Service category:** N/A

-**Product capability:** Device Lifecycle Management

-Now that Microsoft Authentication Libraries (MSAL) is available, we'll no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. For more information on how to migrate to MSAL, refer to [Migrate applications to Microsoft Authentication Library (MSAL)](../develop/msal-migration.md).

-Additionally, we've finished the work to make all Azure AD Graph functionality available through MS Graph. So, Azure AD Graph APIs will receive only bugfix and security fixes through June 30th, 2022. For more information, see [Update your applications to use Microsoft Authentication Library and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363)

-

-## May 2020

-### Retirement of properties in signIns, riskyUsers, and riskDetections APIs

-**Type:** Plan for change

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-Currently, enumerated types are used to represent the riskType property in both the riskDetections API and riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the signIns API. Going forward we'll represent these properties as strings.

-Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API, and to riskEventTypes_v2 property in the beta signIns API by September 9th, 2020. At that date, we'll be retiring the current riskType and riskEventTypes properties. For more information, refer to [Changes to risk event properties and Identity Protection APIs on Microsoft Graph](https://developer.microsoft.com/graph/blogs/changes-to-risk-event-properties-and-identity-protection-apis-on-microsoft-graph/).

-

-### Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph

-**Type:** Plan for change

-**Service category:** Reporting

-**Product capability:** Identity Security & Protection

-Enumerated types will switch to string types when representing risk event properties in Microsoft Graph September 2020. In addition to impacting the preview APIs, this change will also impact the in-production signIns API.

-We have introduced a new riskEventsTypes_v2 (string) property to the signIns v1.0 API. We'll retire the current riskEventTypes (enum) property on June 11, 2022 in accordance with our Microsoft Graph deprecation policy. Customers should transition to the riskEventTypes_v2 property in the v1.0 signIns API by June 11, 2022. For more information, see [Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph](https://developer.microsoft.com/graph/blogs/deprecation-of-riskeventtypes-property-in-signins-v1-0-api-on-microsoft-graph//).

-

-### Upcoming changes to multifactor authentication (MFA) email notifications

-**Type:** Plan for change

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-

-We're making the following changes to the email notifications for cloud multifactor authentication (MFA):

-E-mail notifications will be sent from the following address: azure-noreply@microsoft.com and msonlineservicesteam@microsoftonline.com. We're updating the content of fraud alert emails to better indicate the required steps to unblock uses.

-### New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't synced to Azure Active Directory.

-**Type:** Plan for change

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-

-Currently, users who are in domains federated in Azure AD, but who aren't synced into the tenant, can't access Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign-up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign-up." This is an extension of the existing capability to do email verified self-sign up that users in managed domains can do and can be controlled using the same flag. This change will complete rolling out during the following two months. Watch for documentation updates [here](../enterprise-users/directory-self-service-signup.md).

-

-### Upcoming fix: The OIDC discovery document for the Azure Government cloud is being updated to reference the correct Graph endpoints.

-**Type:** Plan for change

-**Service category:** Sovereign Clouds

-**Product capability:** User Authentication

-

-Starting in June, the OIDC discovery document [Microsoft identity platform and OpenID Connect protocol](../develop/v2-protocols-oidc.md) on the [Azure Government cloud](../develop/authentication-national-cloud.md) endpoint (login.microsoftonline.us), will begin to return the correct [National cloud graph](/graph/deployments) endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently provides the incorrect Graph endpoint (graph.microsoft.com) "msgraph_host" field.

-This bug fix will be rolled out gradually over approximately 2 months.

-### Azure Government users will no longer be able to sign in on login.microsoftonline.com

-**Type:** Plan for Change

-**Service category:** Sovereign Clouds

-**Product capability:** User Authentication

-

-On 1 June 2018, the official Azure Active Directory (Azure AD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the.us endpoint.

-Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint (microsoftonline.com). Impacted apps will begin seeing an error AADSTS900439 - USGClientNotSupportedOnPublicEndpoint.

-There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020. For more details, please see the [Azure Government blog post](https://devblogs.microsoft.com/azuregov/azure-government-aad-authority-endpoint-update/).

-### SAML Single Logout request now sends NameID in the correct format

-**Type:** Fixed

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-

-When a user clicks on sign-out (for example, in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.

-If the original SAML sign-in token used a different format for NameID (for example, email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.

-### Hybrid Identity Administrator role is now available with Cloud Provisioning

-**Type:** New feature

-**Service category:** Azure AD Cloud Provisioning

-**Product capability:** Identity Lifecycle Management

-

-IT Admins can start using the new "Hybrid Admin" role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, you no longer have to use the Global Administrator role to set up and configure Cloud Provisioning. [Learn more](../roles/delegate-by-task.md#connect).

-

-### New Federated Apps available in Azure AD Application gallery - May 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In May 2020, we've added the following 36 new applications in our App gallery with Federation support:

-[Moula](https://moula.com.au/pay/merchants), [Surveypal](https://www.surveypal.com/app), [Kbot365](https://www.konverso.ai/), [Powell Teams](https://powell-software.com/en/powell-teams-en/), [Talentsoft Assistant](https://msteams.talent-soft.com/), [ASC Recording Insights](https://teams.asc-recording.app/product), [GO1](https://www.go1.com/), [B-Engaged](https://b-engaged.se/), [Competella Contact Center Workgroup](http://www.competella.com/), [Asite](http://www.asite.com/), [ImageSoft Identity](https://identity.imagesoftinc.com/), [My IBISWorld](https://identity.imagesoftinc.com/), [insuite](../saas-apps/insuite-tutorial.md), [Change Process Management](../saas-apps/change-process-management-tutorial.md), [Cyara CX Assurance Platform](../saas-apps/cyara-cx-assurance-platform-tutorial.md), [Smart Global Governance](../saas-apps/smart-global-governance-tutorial.md), [Prezi](../saas-apps/prezi-tutorial.md), [Mapbox](../saas-apps/mapbox-tutorial.md), [Datava Enterprise Service Platform](../saas-apps/datava-enterprise-service-platform-tutorial.md), [Whimsical](../saas-apps/whimsical-tutorial.md), [Trelica](../saas-apps/trelica-tutorial.md), [EasySSO for Confluence](../saas-apps/easysso-for-confluence-tutorial.md), [EasySSO for BitBucket](../saas-apps/easysso-for-bitbucket-tutorial.md), [EasySSO for Bamboo](../saas-apps/easysso-for-bamboo-tutorial.md), [Torii](../saas-apps/torii-tutorial.md), [Axiad Cloud](../saas-apps/axiad-cloud-tutorial.md), [Humanage](../saas-apps/humanage-tutorial.md), [ColorTokens ZTNA](../saas-apps/colortokens-ztna-tutorial.md), [CCH Tagetik](../saas-apps/cch-tagetik-tutorial.md), [ShareVault](../saas-apps/sharevault-tutorial.md), [Vyond](../saas-apps/vyond-tutorial.md), [TextExpander](../saas-apps/textexpander-tutorial.md), [Anyone Home CRM](../saas-apps/anyone-home-crm-tutorial.md), [askSpoke](../saas-apps/askspoke-tutorial.md), [ice Contact Center](../saas-apps/ice-contact-center-tutorial.md)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest.

-### Report-only mode for Conditional Access is now generally available

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we've seen strong adoption of report-only modeΓÇöover 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they're created. And for those of you who use the MS Graph APIs, you can [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy) as well.

-### Self-service sign up for guest users

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. When sharing an application with external users, you might not always know in advance who will need access to the application. With [self-service sign-up](../external-identities/self-service-sign-up-overview.md), you can enable guest users to sign up and gain a guest account for your line of business (LOB) apps. The sign-up flow can be created and customized to support Azure AD and social identities. You can also collect additional information about the user during sign-up.

- ### Conditional Access Insights and Reporting workbook is generally available

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-The [insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes [following these instructions](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). To make the dashboard more discoverable, we've moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.

-### Policy details blade for Conditional Access is in public preview

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-The new [policy details blade](../conditional-access/troubleshoot-conditional-access.md) displays the assignments, conditions, and controls satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.

-### New query capabilities for Directory Objects in Microsoft Graph are in Public Preview

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter, and Sort operations. This will give developers the ability to quickly query our Directory Objects without workarounds such as in-memory filtering and sorting. Find out more in this [blog post](https://aka.ms/CountFilterMSGraphAAD).

-We're currently in Public Preview, looking for feedback. Please send your comments with this [brief survey](https://aka.ms/MsGraphAADSurveyDocs).

-### Configure SAML-based single sign-on using Microsoft Graph API (Beta)

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-Support for creating and configuring an application from the Azure AD Gallery using MS Graph APIs in Beta is now available.

-If you need to set up SAML-based single sign-on for multiple instances of an application, save time by using the Microsoft Graph APIs to [automate the configuration of SAML-based single sign-on](/graph/application-saml-sso-configure-api).

-

-### New provisioning connectors in the Azure AD Application Gallery - May 2020

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-* [8x8](../saas-apps/8x8-provisioning-tutorial.md)

-* [Juno Journey](../saas-apps/juno-journey-provisioning-tutorial.md)

-* [MediusFlow](../saas-apps/mediusflow-provisioning-tutorial.md)

-* [New Relic by Organization](../saas-apps/new-relic-by-organization-provisioning-tutorial.md)

-* [Oracle Cloud Infrastructure Console](../saas-apps/oracle-cloud-infrastructure-console-provisioning-tutorial.md)

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-### SAML Token Encryption is Generally Available

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-[SAML token encryption](../manage-apps/howto-saml-token-encryption.md) allows applications to be configured to receive encrypted SAML assertions. The feature is now generally available in all clouds.

-

-### Group name claims in application tokens is Generally Available

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-The group claims issued in a token can now be limited to just those groups assigned to the application. This is especially important when users are members of large numbers of groups and there was a risk of exceeding token size limits. With this new capability in place, the ability to [add group names to tokens](../hybrid/how-to-connect-fed-group-claims.md) is generally available.

-

-### Workday Writeback now supports setting work phone number attributes

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-

-We have enhanced the Workday Writeback provisioning app to now support writeback of work phone number and mobile number attributes. In addition to email and username, you can now configure the Workday Writeback provisioning app to flow phone number values from Azure AD to Workday. For more details on how to configure phone number writeback, refer to the [Workday Writeback](../saas-apps/workday-writeback-tutorial.md) app tutorial.

-### Publisher Verification (preview)

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Developer Experience

-

-Publisher verification (preview) helps admins and end users understand the authenticity of application developers integrating with the Microsoft identity platform. For details, refer to [Publisher verification (preview)](../develop/publisher-verification-overview.md).

-

-### Authorization Code Flow for Single-page apps

-**Type:** Changed feature

-**Service category:** Authentication

-**Product capability:** Developer Experience

-Because of modern browser [3rd party cookie restrictions such as Safari ITP](../develop/reference-third-party-cookies-spas.md), SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO; MSAL.js v 2.x will now support the authorization code flow. There as corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. For guidance, refer to [Quickstart: Sign in users and get an access token in a JavaScript SPA using the auth code flow](../develop/quickstart-v2-javascript-auth-code.md).

-### Improved Filtering for Devices is in Public Preview

-**Type:** Changed Feature

-**Service category:** Device Management

-**Product capability:** Device Lifecycle Management

-

-Previously, the only filters you could use were "Enabled" and "Activity date." Now, you can [filter your list of devices on more properties](../devices/device-management-azure-portal.md#view-and-filter-your-devices-preview), including OS type, join type, compliance, and more. These additions should simplify locating a particular device.

-### The new App registrations experience for Azure AD B2C is now generally available

-**Type:** Changed Feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** Identity Lifecycle Management

-

-The new App registrations experience for Azure AD B2C is now generally available.

-Previously, you had to manage your B2C consumer-facing applications separately from the rest of your apps using the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure.

-The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. Whether you need to manage a customer-facing app or an app that has access to Microsoft Graph to programmatically manage Azure AD B2C resources, you only need to learn one way to do things.

-You can reach the new experience by navigating the Azure AD B2C service and selecting the App registrations blade. The experience is also accessible from the Azure Active Directory service.

-The Azure AD B2C App registrations experience is based on the general [App Registration experience](https://developer.microsoft.com/identity/blogs/new-app-registrations-experience-is-now-generally-available/) for Azure AD tenants but is tailored for Azure AD B2C. The legacy "Applications" experience will be deprecated in the future.

-For more information, visit [The New app registration experience for Azure AD B2C](../../active-directory-b2c/app-registrations-training-guide.md).

-## April 2020

-### Combined security info registration experience is now generally available

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** Identity Security & Protection

-The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) is now generally available. This new registration experience enables users to register for multifactor authentication (MFA) and SSPR in a single, step-by-step process. When you deploy the new experience for your organization, users can register in less time and with fewer hassles. Check out the blog post [here](https://bit.ly/3etiRyQ).

-### Continuous Access Evaluation

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** Identity Security & Protection

-Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). We're rolling this feature out first for Teams and Outlook clients. For more details, please read our [blog](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933) and [documentation](../conditional-access/concept-continuous-access-evaluation.md).

-### SMS Sign-in: Firstline Workers can sign in to Azure AD-backed applications with their phone number and no password

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-Office is launching a series of mobile-first business apps that cater to non-traditional organizations, and to employees in large organizations that don't use email as their primary communication method. These apps target frontline employees, deskless workers, field agents, or retail employees that may not get an email address from their employer, have access to a computer, or to IT. This project will let these employees sign in to business applications by entering a phone number and roundtripping a code. For more details, please see our [admin documentation](../authentication/howto-authentication-sms-signin.md) and [end user documentation](https://support.microsoft.com/account-billing/set-up-sms-sign-in-as-a-phone-verification-method-0aa5b3b3-a716-4ff2-b0d6-31d2bcfbac42).

-### Invite internal users to use B2B collaboration

-**Type:** New feature

-**Service category:** B2B

-**Product capability:**

-We're expanding B2B invitation capability to allow existing internal accounts to be invited to use B2B collaboration credentials going forward. This is done by passing the user object to the Invite API in addition to typical parameters like the invited email address. The user's object ID, UPN, group membership, app assignment, etc. remain intact, but going forward they'll use B2B to authenticate with their home tenant credentials rather than the internal credentials they used before the invitation. For details, see the [documentation](../external-identities/invite-internal-users.md).

-### Report-only mode for Conditional Access is now generally available

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we've seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they're created. And for those of you who use the MS Graph APIs, you can also [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy).

-### Conditional Access insights and reporting workbook is generally available

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-The Conditional Access [insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes [following these instructions](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). To make the dashboard more discoverable, we've moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.

-### Policy details blade for Conditional Access is in public preview

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-The new [policy details blade](../conditional-access/troubleshoot-conditional-access.md) displays which assignments, conditions, and controls were satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the **Conditional Access** or **Report-only** tabs of the Sign-in details.

-### New Federated Apps available in Azure AD App gallery - April 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In April 2020, we've added these 31 new apps with Federation support to the app gallery:

-[SincroPool Apps](https://www.sincropool.com/), [SmartDB](https://hibiki.dreamarts.co.jp/smartdb/trial/), [Float](../saas-apps/float-tutorial.md), [LMS365](https://lms.365.systems/), [IWT Procurement Suite](../saas-apps/iwt-procurement-suite-tutorial.md), [Lunni](https://lunni.fi/), [EasySSO for Jira](../saas-apps/easysso-for-jira-tutorial.md), [Virtual Training Academy](https://vta.c3p.c)

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-### Microsoft Graph delta query support for oAuth2PermissionGrant available for Public Preview

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-Delta query for oAuth2PermissionGrant is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. [Learn more.](/graph/api/oAuth2PermissionGrant-delta?tabs=http&view=graph-rest-beta&preserve-view=true)

-### Microsoft Graph delta query support for organizational contact generally available

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-Delta query for organizational contacts is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls orgContact data by delta query to significantly improve performance. [Learn more.](/graph/api/orgcontact-delta?tabs=http)

-### Microsoft Graph delta query support for application generally available

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-Delta query for applications is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls application data by delta query to significantly improve performance. [Learn more.](/graph/api/application-delta)

-### Microsoft Graph delta query support for administrative units available for Public Preview

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-Delta query for administrative units is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. [Learn more.](/graph/api/administrativeunit-delta?tabs=http&view=graph-rest-beta&preserve-view=true)

-### Manage authentication phone numbers and more in new Microsoft Graph beta APIs

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Developer Experience

-These APIs are a key tool for managing your users' authentication methods. Now you can programmatically pre-register and manage the authenticators used for multifactor authentication (MFA) and self-service password reset (SSPR). This has been one of the most-requested features in the Azure AD Multi-Factor Authentication (MFA), SSPR, and Microsoft Graph spaces. The new APIs we've released in this wave give you the ability to:

-For more information, see [Azure AD authentication methods API overview](/graph/api/resources/authenticationmethods-overview).

-### Administrative Units Public Preview

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-Administrative units allow you to grant admin permissions that are restricted to a department, region, or other segment of your organization that you define. You can use administrative units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their administrative unit.

-Using administrative units, a central administrator could:

-For more information, see [Administrative units management in Azure Active Directory (preview)](../roles/administrative-units.md).

-### Printer Administrator and Printer Technician built-in roles

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-**Printer Administrator**: Users with this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.

-**Printer Technician**: Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician can't do are set user permissions on printers and sharing printers. [Learn more.](../roles/permissions-reference.md#printer-administrator)

-### Hybrid Identity Admin built-in role

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods&#8212;Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider)&#8212;and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents. This role grants the ability to enable seamless single sign-on (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. [Learn more.](../roles/permissions-reference.md#hybrid-identity-administrator)

-### Network Administrator built-in role

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-Users with this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture, which is generally user location-specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. [Learn more.](../roles/permissions-reference.md#network-administrator)

-### Bulk activity and downloads in the Azure portal experience

-**Type:** New feature

-**Service category:** User Management

-**Product capability:** Directory

-Now you can perform bulk activities on users and groups in Azure AD by uploading a CSV file in the Azure portal experience. You can create users, delete users, and invite guest users. And you can add and remove members from a group.

-You can also download lists of Azure AD resources from the Azure portal experience. You can download the list of users in the directory, the list of groups in the directory, and the members of a particular group.

-For more information, check out the following:

-### My Staff delegated user management

-**Type:** New feature

-**Service category:** User Management

-**Product capability:**

-My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who can't access their account can re-gain access in just a couple of selections, with no helpdesk or IT staff required. For more information, see the [Manage your users with My Staff (preview)](../roles/my-staff-configure.md) and [Delegate user management with My Staff (preview)](https://support.microsoft.com/account-billing/manage-front-line-users-with-my-staff-c65b9673-7e1c-4ad6-812b-1a31ce4460bd).

-### An upgraded end user experience in access reviews

-**Type:** Changed feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-We have updated the reviewer experience for Azure AD access reviews in the My Apps portal. At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive. [You can learn more about the updated experience here](../governance/perform-access-review.md). This public preview will last until the end of July 2020. At the end of July, reviewers who haven't opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, [please make a request here](https://forms.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5dv-S62099HtxdeKIcgO-NUOFJaRDFDWUpHRk8zQ1BWVU1MMTcyQ1FFUi4u).

-### Workday inbound user provisioning and writeback apps now support the latest versions of Workday Web Services API

-**Type:** Changed feature

-**Service category:** App Provisioning

-**Product capability:**

-Based on customer feedback, we've now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services (WWS) API. With this change, customers can specify the WWS API version that they would like to use in the connection string. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. The Workday Writeback app now uses the recommended Change_Work_Contact_Info Workday web service to overcome the limitations of Maintain_Contact_Info.

-If no version is specified in the connection string, by default, the Workday inbound provisioning apps will continue to use WWS v21.1 To switch to the latest Workday APIs for inbound user provisioning, customers need to update the connection string as documented [in the tutorial](../saas-apps/workday-inbound-tutorial.md#which-workday-apis-does-the-solution-use-to-query-and-update-workday-worker-profiles) and also update the XPATHs used for Workday attributes as documented in the [Workday attribute reference guide](../app-provisioning/workday-attribute-reference.md#xpath-values-for-workday-web-services-wws-api-v30).

-To use the new API for writeback, there are no changes required in the Workday Writeback provisioning app. On the Workday side, ensure that the Workday Integration System User (ISU) account has permissions to invoke the Change_Work_Contact business process as documented in the tutorial section, [Configure business process security policy permissions](../saas-apps/workday-inbound-tutorial.md#configuring-business-process-security-policy-permissions).

-We have updated our [tutorial guide](../saas-apps/workday-inbound-tutorial.md) to reflect the new API version support.

-### Users with default access role are now in scope for provisioning

-**Type:** Changed feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually we'll change the behavior for existing provisioning configurations to support provisioning users with this role. [Learn more.](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md)

-### Updated provisioning UI

-**Type:** Changed feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-We've refreshed our provisioning experience to create a more focused management view. When you navigate to the provisioning blade for an enterprise application that has already been configured, you'll be able to easily monitor the progress of provisioning and manage actions such as starting, stopping, and restarting provisioning. [Learn more.](../app-provisioning/configure-automatic-user-provisioning-portal.md)

-### Dynamic Group rule validation is now available for Public Preview

-**Type:** Changed feature

-**Service category:** Group Management

-**Product capability:** Collaboration

-Azure Active Directory (Azure AD) now provides the means to validate dynamic group rules. On the **Validate rules** tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When creating or updating dynamic group rules, administrators want to know whether a user or a device will be a member of the group. This helps evaluate whether a user or device meets the rule criteria and aids in troubleshooting when membership is not expected.

-For more information, see [Validate a dynamic group membership rule (preview)](../enterprise-users/groups-dynamic-rule-validation.md).

-### Identity Secure Score - Security Defaults and multifactor authentication (MFA) improvement action updates

-**Type:** Changed feature

-**Service category:** N/A

-**Product capability:** Identity Security & Protection

-**Supporting security defaults for Azure AD improvement actions:** Microsoft Secure Score will be updating improvement actions to support [security defaults in Azure AD](./concept-fundamentals-security-defaults.md), which make it easier to help protect your organization with pre-configured security settings for common attacks. This will affect the following improvement actions:

-

-**Multifactor authentication (MFA) improvement action updates:** To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multifactor authentication and added two.

-Removed improvement actions:

-Added improvement actions:

-These new improvement actions require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for multifactor authentication (MFA). [Read more about what's new in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score#whats-new).

-## March 2020

-### Unmanaged Azure Active Directory accounts in B2B update for March 2021

-**Type:** Plan for change

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-**Beginning on March 31, 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure Active Directory (Azure AD) accounts and tenants for B2B collaboration scenarios. In preparation for this, we encourage you to opt in to [email one-time passcode authentication](../external-identities/one-time-passcode.md).

-### Users with the default access role will be in scope for provisioning

-**Type:** Plan for change

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-

-Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. We're working on deploying a change so that all new provisioning configurations will allow users with the default access role to be provisioned. Gradually, we'll change the behavior for existing provisioning configurations to support provisioning users with this role. No customer action is required. We'll post an update to our [documentation](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md) once this change is in place.

-### Azure AD B2B collaboration will be available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants

-**Type:** Plan for change

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-The Azure AD B2B collaboration capabilities will be made available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants, enabling users in an Azure China 21Vianet tenant to collaborate seamlessly with users in other Azure China 21Vianet tenants. [Learn more about Azure AD B2B collaboration](/azure/active-directory/b2b/).

-

-### Azure AD B2B Collaboration invitation email redesign

-**Type:** Plan for change

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-The [emails](../external-identities/invitation-email-elements.md) that are sent by the Azure AD B2B collaboration invitation service to invite users to the directory will be redesigned to make the invitation information and the user's next steps clearer.

-### HomeRealmDiscovery policy changes will appear in the audit logs

-**Type:** Fixed

-**Service category:** Audit

-**Product capability:** Monitoring & Reporting

-

-We fixed a bug where changes to the [HomeRealmDiscovery policy](../manage-apps/configure-authentication-for-federated-users-portal.md) weren't included in the audit logs. You'll now be able to see when and how the policy was changed, and by whom.

-### New Federated Apps available in Azure AD App gallery - March 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In March 2020, we've added these 51 new apps with Federation support to the app gallery:

-[Cisco AnyConnect](../saas-apps/cisco-anyconnect.md), [Zoho One China](../saas-apps/zoho-one-china-tutorial.md), [PlusPlus](https://test.plusplus.app/auth/login/azuread-outlook/), [Profit.co SAML App](../saas-apps/profitco-saml-app-tutorial.md), [iPoint Service Provider](../saas-apps/ipoint-service-provider-tutorial.md), [contexxt.ai SPHERE](https://contexxt-sphere.com/login), [Wisdom By Invictus](../saas-apps/wisdom-by-invictus-tutorial.md), [Flare Digital Signage](https://pixelnebula.com/), [Logz.io - Cloud Observability for Engineers](../saas-apps/logzio-cloud-observability-for-engineers-tutorial.md), [SpectrumU](../saas-apps/spectrumu-tutorial.md), [BizzContact](https://www.bizzcontact.app/), [Elqano SSO](../saas-apps/elqano-sso-tutorial.md), [MarketSignShare](http://www.signshare.com/), [CrossKnowledge Learning Suite](../saas-apps/crossknowledge-learning-suite-tutorial.md), [Netvision Compas](../saas-apps/netvision-compas-tutorial.md), [FCM HUB](../saas-apps/fcm-hub-tutorial.md), [RIB )

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-### Azure AD B2B Collaboration available in Azure Government tenants

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-The Azure AD B2B collaboration features are now available between some Azure Government tenants. To find out if your tenant is able to use these capabilities, follow the instructions at [How can I tell if B2B collaboration is available in my Azure US Government tenant?](../external-identities/b2b-government-national-clouds.md#how-can-i-tell-if-b2b-collaboration-is-available-in-my-azure-us-government-tenant).

-### Azure Monitor integration for Azure Logs is now available in Azure Government

-**Type:** New feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-

-Azure Monitor integration with Azure AD logs is now available in Azure Government. You can route Azure AD Logs (Audit and Sign-in Logs) to a storage account, event hub and Log Analytics. Please check out the [detailed documentation](../reports-monitoring/concept-activity-logs-azure-monitor.md) as well as [deployment plans for reporting and monitoring](../reports-monitoring/plan-monitoring-and-reporting.md) for Azure AD scenarios.

-### Identity Protection Refresh in Azure Government

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-We're excited to share that we've now rolled out the refreshed [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) experience in the [Microsoft Azure Government portal](https://portal.azure.us/). For more information, see our [announcement blog post](https://techcommunity.microsoft.com/t5/public-sector-blog/identity-protection-refresh-in-microsoft-azure-government/ba-p/1223667).

-### Disaster recovery: Download and store your provisioning configuration

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-

-The Azure AD provisioning service provides a rich set of configuration capabilities. Customers need to be able to save their configuration so that they can refer to it later or roll back to a known good version. We've added the ability to download your provisioning configuration as a JSON file and upload it when you need it. [Learn more](../app-provisioning/export-import-provisioning-configuration.md).

-

-### SSPR (self-service password reset) now requires two gates for admins in Microsoft Azure operated by 21Vianet (Azure China 21Vianet)

-**Type:** Changed feature

-**Service category:** Self-Service Password Reset

-**Product capability:** Identity Security & Protection

-

-Previously in Microsoft Azure operated by 21Vianet (Azure China 21Vianet), admins using self-service password reset (SSPR) to reset their own passwords needed only one "gate" (challenge) to prove their identity. In public and other national clouds, admins generally must use two gates to prove their identity when using SSPR. But because we didn't support SMS or phone calls in Azure China 21Vianet, we allowed one-gate password reset by admins.

-We're creating SSPR feature parity between Azure China 21Vianet and the public cloud. Going forward, admins must use two gates when using SSPR. SMS, phone calls, and Authenticator app notifications and codes will be supported. [Learn more](../authentication/concept-sspr-policy.md#administrator-reset-policy-differences).

-### Password length is limited to 256 characters

-**Type:** Changed feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-

-To ensure the reliability of the Azure AD service, user passwords are now limited in length to 256 characters. Users with passwords longer than this will be asked to change their password on subsequent login, either by contacting their admin or by using the self-service password reset feature.

-This change was enabled on March 13th, 2020, at 10AM PST (18:00 UTC), and the error is AADSTS 50052, InvalidPasswordExceedsMaxLength. See the [breaking change notice](../develop/reference-breaking-changes.md#user-passwords-will-be-restricted-to-256-characters) for more details.

-### Azure AD sign-in logs are now available for all free tenants through the Azure portal

-**Type:** Changed feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-

-Starting now, customers who have free tenants can access the [Azure AD sign-in logs from the Azure portal](../reports-monitoring/concept-sign-ins.md) for up to 7 days. Previously, sign-in logs were available only for customers with Azure Active Directory Premium licenses. With this change, all tenants can access these logs through the portal.

-> [!NOTE]

-> Customers still need a premium license (Azure Active Directory Premium P1 or P2) to access the sign-in logs through Microsoft Graph API and Azure Monitor.

-### Deprecation of Directory-wide groups option from Groups General Settings on Azure portal

-**Type:** Deprecated

-**Service category:** Group Management

-**Product capability:** Collaboration

-To provide a more flexible way for customers to create directory-wide groups that best meet their needs, we've replaced the **Directory-wide Groups** option from the **Groups** > **General** settings in the Azure portal with a link to [dynamic group documentation](../enterprise-users/groups-dynamic-membership.md). We've improved our documentation to include more instructions so administrators can create all-user groups that include or exclude guest users.

-## February 2020

-### Upcoming changes to custom controls

-**Type:** Plan for change

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-

-We're planning to replace the current custom controls preview with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences. Today, partner multifactor authentication (MFA) solutions face the following limitations: they work only after a password has been entered; they don't serve as multifactor authentication (MFA) for step-up authentication in other key scenarios; and they don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including registration, usage, multifactor authentication (MFA) claims, step up authentication, reporting, and logging.

-Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We're working closely with customers and providers and will communicate the timeline as we get closer. [Learn more](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-controls/ba-p/1144696#).

-### Identity Secure Score - multifactor authentication (MFA) improvement action updates

-**Type:** Plan for change

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-

-To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multifactor authentication (MFA), and adding two.

-The following improvement actions will be removed:

-The following improvement actions will be added:

-These new improvement actions will require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of setting security defaults that let Microsoft decide when to challenge users for multifactor authentication (MFA), or having multiple policies that apply scoped decisions. As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations. [Read more about what's coming in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score-whats-coming).

-### Azure AD Domain Services SKU selection

-**Type:** New feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-

-We've heard feedback that Azure AD Domain Services customers want more flexibility in selecting performance levels for their instances. Starting on February 1, 2020, we switched from a dynamic model (where Azure AD determines the performance and pricing tier based on object count) to a self-selection model. Now customers can choose a performance tier that matches their environment. This change also allows us to enable new scenarios like Resource Forests, and Premium features like daily backups. The object count is now unlimited for all SKUs, but we'll continue to offer object count suggestions for each tier.

-**No immediate customer action is required.** For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we'll no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the [Azure AD DS SKUs documentation](../../active-directory-domain-services/administration-concepts.md#azure-ad-ds-skus) and the [Azure AD Domain Services pricing page](https://azure.microsoft.com/pricing/details/active-directory-ds/).

-

-### New Federated Apps available in Azure AD App gallery - February 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In February 2020, we've added these 31 new apps with Federation support to the app gallery:

-[IamIP Patent Platform](../saas-apps/iamip-patent-platform-tutorial.md),

- [Experience Cloud](../saas-apps/experience-cloud-tutorial.md),

- [NS1 SSO For Azure](../saas-apps/ns1-sso-azure-tutorial.md),

- [Barracuda Email Security Service](https://ess.barracudanetworks.com/sso/azure),

- [ABa Reporting](https://myaba.co.uk/client-access/signin/auth/msad),

- [In Case of Crisis - Online Portal](../saas-apps/in-case-of-crisis-online-portal-tutorial.md),

- [BIC Cloud Design](../saas-apps/bic-cloud-design-tutorial.md),

- [Beekeeper Azure AD Data Connector](../saas-apps/beekeeper-azure-ad-data-connector-tutorial.md),

- [Korn Ferry Assessments](https://www.kornferry.com/solutions/kf-digital/kf-assess),

- [Verkada Command](../saas-apps/verkada-command-tutorial.md),

- [Splashtop](../saas-apps/splashtop-tutorial.md),

- [Syxsense](../saas-apps/syxsense-tutorial.md),

- [EAB Navigate](../saas-apps/eab-navigate-tutorial.md),

- [New Relic (Limited Release)](../saas-apps/new-relic-limited-release-tutorial.md),

- [Thulium](https://admin.thulium.com/login/instance),

- [Ticket Manager](../saas-apps/ticketmanager-tutorial.md),

- [Template Chooser for Teams](https://links.officeatwork.com/templatechooser-download-teams),

- [Beesy](https://www.beesy.me/index.php/site/login),

- [Health Support System](../saas-apps/health-support-system-tutorial.md),

- [MURAL](https://app.mural.co/signup),

- [Hive](../saas-apps/hive-tutorial.md),

- [LavaDo](https://appsource.microsoft.com/product/web-apps/lavaloon.lavado_standard?tab=Overview),

- [Wakelet](https://wakelet.com/login),

- [Firmex VDR](../saas-apps/firmex-vdr-tutorial.md),

- [ThingLink for Teachers and Schools](https://www.thinglink.com/),

- [Coda](../saas-apps/coda-tutorial.md),

- [NearpodApp](https://nearpod.com/signup/?oc=Microsoft&utm_campaign=Microsoft&utm_medium=site&utm_source=product),

- [WEDO](../saas-apps/wedo-tutorial.md),

- [InvitePeople](https://invitepeople.com/login),

- [Reprints Desk - Article Galaxy](../saas-apps/reprints-desk-article-galaxy-tutorial.md),

- [TeamViewer](../saas-apps/teamviewer-tutorial.md)

-

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-

-### New provisioning connectors in the Azure AD Application Gallery - February 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-

-### Azure AD support for FIDO2 security keys in hybrid environments

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-

-We're announcing the public preview of Azure AD support for FIDO2 security keys in Hybrid environments. Users can now use FIDO2 security keys to sign in to their Hybrid Azure AD joined Windows 10 devices and get seamless sign-on to their on-premises and cloud resources. Support for Hybrid environments has been the top most-requested feature from our passwordless customers since we initially launched the public preview for FIDO2 support in Azure AD joined devices. Passwordless authentication using advanced technologies like biometrics and public/private key cryptography provide convenience and ease-of-use while being secure. With this public preview, you can now use modern authentication like FIDO2 security keys to access traditional Active Directory resources. For more information, go to [SSO to on-premises resources](../authentication/howto-authentication-passwordless-security-key-on-premises.md).

-To get started, visit [enable FIDO2 security keys for your tenant](../authentication/howto-authentication-passwordless-security-key.md) for step-by-step instructions.

-

-### The new My Account experience is now generally available

-**Type:** Changed feature

-**Service category:** My Profile/Account

-**Product capability:** End User Experiences

-

-My Account, the one stop shop for all end-user account management needs, is now generally available! End users can access this new site via URL, or in the header of the new My Apps experience. Learn more about all the self-service capabilities the new experience offers at [My Account Portal Overview](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd).

-

-### My Account site URL updating to myaccount.microsoft.com

-**Type:** Changed feature

-**Service category:** My Profile/Account

-**Product capability:** End User Experiences

-

-The new My Account end user experience will be updating its URL to `https://myaccount.microsoft.com` in the next month. Find more information about the experience and all the account self-service capabilities it offers to end users at [My Account portal help](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd).

-## January 2020

-

-### The new My Apps portal is now generally available

-**Type:** Plan for change

-**Service category:** My Apps

-**Product capability:** End User Experiences

-

-Upgrade your organization to the new My Apps portal that is now generally available! Find more information on the new portal and collections at [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md).

-

-### Workspaces in Azure AD have been renamed to collections

-**Type:** Changed feature

-**Service category:** My Apps

-**Product capability:** End User Experiences

-

-Workspaces, the filters admins can configure to organize their users' apps, will now be referred to as collections. Find more info on how to configure them at [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md).

-

-### Azure AD B2C Phone sign-up and sign-in using custom policy (Public Preview)

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-

-With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies and phone sign-up and sign-in, allows developers and enterprises to communicate their brand through page customization. Find out how to [set up phone sign-up and sign-in with custom policies in Azure AD B2C](../../active-directory-b2c/phone-authentication-user-flows.md).

-

-

-### New provisioning connectors in the Azure AD Application Gallery - January 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-

-### New Federated Apps available in Azure AD App gallery - January 2020

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In January 2020, we've added these 33 new apps with Federation support to the app gallery:

-[JOSA](../saas-apps/josa-tutorial.md), [Fastly Edge Cloud](../saas-apps/fastly-edge-cloud-tutorial.md), [Terraform Enterprise](../saas-apps/terraform-enterprise-tutorial.md), [Spintr SSO](../saas-apps/spintr-sso-tutorial.md), [Abibot Netlogistik](https://azuremarketplace.microsoft.com/marketplace/apps/aad.abibotnetlogistik), [SkyKick](https://login.skykick.com/login?state=g6Fo2SBTd3M5Q0xBT0JMd3luS2JUTGlYN3pYTE1remJQZnR1c6N0aWTZIDhCSkwzYVQxX2ZMZjNUaWxNUHhCSXg2OHJzbllTcmYto2NpZNkgM0h6czk3ZlF6aFNJV1VNVWQzMmpHeFFDbDRIMkx5VEc&client=3Hzs97fQzhSIWUMUd32jGxQCl4H2LyTG&protocol=oauth2&audience=https://papi.skykick.com&response_type=code&redirect_uri=https://portal.skykick.com/callback&scope=openid%20profile%20offline_access), [Upshotly](../saas-apps/upshotly-tutorial.md), [LeaveBot](https://appsource.microsoft.com/en-us/product/office/WA200001175), [DataCamp](../saas-apps/datacamp-tutorial.md), [TripActions](../saas-apps/tripactions-tutorial.md), [SmartWork](https://www.intumit.com/teams-smartwork/), [Dotcom-Monitor](../saas-apps/dotcom-monitor-tutorial.md), [SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE](../saas-apps/ssogen-tutorial.md), [Hosted MyCirqa SSO](../saas-apps/hosted-mycirqa-sso-tutorial.md), [Yuhu Property Management Platform](../saas-apps/yuhu-property-management-platform-tutorial.md), [LumApps](https://sites.lumapps.com/login), [Upwork Enterprise](../saas-apps/upwork-enterprise-tutorial.md), [Talentsoft](../saas-apps/talentsoft-tutorial.md), [SmartDB for Microsoft Teams](http://teams.smartdb.jp/login/), [PressPage](../saas-apps/presspage-tutorial.md), [ContractSafe Saml2 SSO](../saas-apps/contractsafe-saml2-sso-tutorial.md), [Maxient Conduct Manager Software](../saas-apps/maxient-conduct-manager-software-tutorial.md), [Helpshift](../saas-apps/helpshift-tutorial.md), [PortalTalk 365](https://www.portaltalk.com/), [CoreView](https://portal.coreview.com/), Squelch Cloud Office365 Connector, [PingFlow Authentication](https://app-staging.pingview.io/), [ PrinterLogic SaaS](../saas-apps/printerlogic-saas-tutorial.md), [Taskize Connect](../saas-apps/taskize-connect-tutorial.md), [Sandwai](https://app.sandwai.com/), [EZRentOut](../saas-apps/ezrentout-tutorial.md), [AssetSonar](../saas-apps/assetsonar-tutorial.md), [Akari Virtual Assistant](https://akari.io/akari-virtual-assistant/)

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-### Two new Identity Protection detections

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-

-We've added two new sign-in linked detection types to Identity Protection: Suspicious inbox manipulation rules and Impossible travel. These offline detections are discovered by Microsoft Cloud App Security (MCAS) and influence the user and sign-in risk in Identity Protection. For more information on these detections, see our [sign-in risk types](../identity-protection/concept-identity-protection-risks.md#sign-in-risk).

-

-

-### Breaking Change: URI Fragments will not be carried through the login redirect

-**Type:** Changed feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-

-Starting on February 8, 2020, when a request is sent to login.microsoftonline.com to sign in a user, the service will append an empty fragment to the request. This prevents a class of redirect attacks by ensuring that the browser wipes out any existing fragment in the request. No application should have a dependency on this behavior. For more information, see [Breaking changes](../develop/reference-breaking-changes.md#february-2020) in the Microsoft identity platform documentation.

-## December 2019

-### Integrate SAP SuccessFactors provisioning into Azure AD and on-premises AD (Public Preview)

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-You can now integrate SAP SuccessFactors as an authoritative identity source in Azure AD. This integration helps you automate the end-to-end identity lifecycle, including using HR-based events, like new hires or terminations, to control provisioning of Azure AD accounts.

-For more information about how to set up SAP SuccessFactors inbound provisioning to Azure AD, see the [Configure SAP SuccessFactors automatic provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md) tutorial.

-### Support for customized emails in Azure AD B2C (Public Preview)

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-You can now use Azure AD B2C to create customized emails when your users sign up to use your apps. By using DisplayControls (currently in preview) and a third-party email provider (such as, [SendGrid](https://sendgrid.com/), [SparkPost](https://sparkpost.com/), or a custom REST API), you can use your own email template, **From** address, and subject text, as well as support localization and custom one-time password (OTP) settings.

-For more information, see [Custom email verification in Azure Active Directory B2C](../../active-directory-b2c/custom-email-sendgrid.md).

-### Replacement of baseline policies with security defaults

-**Type:** Changed feature

-**Service category:** Other

-**Product capability:** Identity Security and Protection

-As part of a secure-by-default model for authentication, we're removing the existing baseline protection policies from all tenants. This removal is targeted for completion at the end of February. The replacement for these baseline protection policies is security defaults. If you've been using baseline protection policies, you must plan to move to the new security defaults policy or to Conditional Access. If you haven't used these policies, there is no action for you to take.

-For more information about the new security defaults, see [What are security defaults?](./concept-fundamentals-security-defaults.md) For more information about Conditional Access policies, see [Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md).

-## November 2019

-### Support for the SameSite attribute and Chrome 80

-**Type:** Plan for change

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the `SameSite` attribute. Any cookie that doesn't specify the `SameSite` attribute will be treated as though it was set to `SameSite=Lax`, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that your app may depend on. To maintain the older Chrome behavior, you can use the `SameSite=None` attribute and add an additional `Secure` attribute, so cross-site cookies can only be accessed over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020.

-We recommend all our developers test their apps using this guidance:

-For more information, see [Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core](https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/) and [Potential disruption to customer websites and Microsoft products and services in Chrome version 79 and later](https://support.microsoft.com/help/4522904/potential-disruption-to-microsoft-services-in-chrome-beta-version-79).

-### New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2)

-**Type:** Fixed

-**Service category:** Microsoft Identity Manager

-**Product capability:** Identity Lifecycle Management

-A hotfix rollup package (build 4.6.34.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the "Issues fixed and improvements added in this update" section.

-For more information and to download the hotfix package, see [Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available](https://support.microsoft.com/help/4512924/microsoft-identity-manager-2016-service-pack-2-build-4-6-34-0-update-r).

-### New AD FS app activity report to help migrate apps to Azure AD (Public Preview)

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-Use the new Active Directory Federation Services (AD FS) app activity report, in the Azure portal, to identify which of your apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration.

-For more information, see [Use the AD FS application activity report to migrate applications to Azure AD](../manage-apps/migrate-adfs-application-activity.md).

-### New workflow for users to request administrator consent (Public Preview)

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** Access Control

-The new admin consent workflow gives admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that's accessible from the Azure portal, to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action.

-For more information, see [Configure the admin consent workflow (preview)](../manage-apps/configure-admin-consent-workflow.md).

-### New Azure AD App Registrations Token configuration experience for managing optional claims (Public Preview)

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Developer Experience

-The new **Azure AD App Registrations Token configuration** blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations.

-For more information, see [Provide optional claims to your Azure AD app](../develop/active-directory-optional-claims.md).

-### New two-stage approval workflow in Azure AD entitlement management (Public Preview)

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Entitlement Management

-We've introduced a new two-stage approval workflow that allows you to require two approvers to approve a user's request to an access package. For example, you can set it so the requesting user's manager must first approve, and then you can also require a resource owner to approve. If one of the approvers doesn't approve, access isn't granted.

-For more information, see [Change request and approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-request-policy.md).

-### Updates to the My Apps page along with new workspaces (Public Preview)

-**Type:** New feature

-**Service category:** My Apps

-**Product capability:** 3rd Party Integration

-You can now customize the way your organization's users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for your users to find and organize apps.

-For more information about the new My Apps experience and creating workspaces, see [Create workspaces on the My Apps portal](../manage-apps/access-panel-collections.md).

-### Google social ID support for Azure AD B2B collaboration (General Availability)

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** User Authentication

-New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for your users and partners. There's no longer a need for your partners to create and manage a new Microsoft-specific account. Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints.

-For more information, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md).

-### Microsoft Edge Mobile Support for Conditional Access and Single Sign-on (General Availability)

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-Azure AD for Microsoft Edge on iOS and Android now supports Azure AD single sign-on and Conditional Access:

-For more information about conditional access and SSO with Microsoft Edge, see the [Microsoft Edge Mobile Support for Conditional Access and single sign-on Now Generally Available](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Edge-Mobile-Support-for-Conditional-Access-and-Single/ba-p/988179) blog post. For more information about how to set up your client apps using [app-based conditional access](../conditional-access/app-based-conditional-access.md) or [device-based conditional access](../conditional-access/require-managed-devices.md), see [Manage web access using a Microsoft Intune policy-protected browser](/intune/apps/app-configuration-managed-browser).

-### Azure AD entitlement management (General Availability)

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Entitlement Management

-Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites.

-With Azure AD entitlement management, you can more efficiently manage access both for employees and also for users outside your organization who need access to those resources.

-For more information, see [What is Azure AD entitlement management?](../governance/entitlement-management-overview.md#license-requirements)

-### Automate user account provisioning for these newly supported SaaS apps

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-[SAP Cloud Platform Identity Authentication Service](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md), [RingCentral](../saas-apps/ringcentral-provisioning-tutorial.md), [SpaceIQ](../saas-apps/spaceiq-provisioning-tutorial.md), [Miro](../saas-apps/miro-provisioning-tutorial.md), [Cloudgate](../saas-apps/soloinsight-cloudgate-sso-provisioning-tutorial.md), [Infor CloudSuite](../saas-apps/infor-cloudsuite-provisioning-tutorial.md), [OfficeSpace Software](../saas-apps/officespace-software-provisioning-tutorial.md), [Priority Matrix](../saas-apps/priority-matrix-provisioning-tutorial.md)

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-### New Federated Apps available in Azure AD App gallery - November 2019

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In November 2019, we've added these 21 new apps with Federation support to the app gallery:

-[Airtable](../saas-apps/airtable-tutorial.md), [Hootsuite](../saas-apps/hootsuite-tutorial.md), [Blue Access for Members (BAM)](../saas-apps/blue-access-for-members-tutorial.md), [Bitly](../saas-apps/bitly-tutorial.md), [Riva](../saas-apps/riva-tutorial.md), [ResLife Portal](https://app.reslifecloud.com/hub5_signin/microsoft_azuread/?g=44BBB1F90915236A97502FF4BE2952CB&c=5&uid=0&ht=2&ref=), [NegometrixPortal Single Sign On (SSO)](../saas-apps/negometrixportal-tutorial.md), [TeamsChamp](https://login.microsoftonline.com/551f45da-b68e-4498-a7f5-a6e1efaeb41c/adminconsent?client_id=ca9bbfa4-1316-4c0f-a9ee-1248ac27f8ab&redirect_uri=https://admin.teamschamp.com/api/adminconsent&state=6883c143-cb59-42ee-a53a-bdb5faabf279), [Motus](../saas-apps/motus-tutorial.md), [MyAryaka](../saas-apps/myaryaka-tutorial.md), [BlueMail](https://loginself1.bluemail.me/), [Beedle](https://teams-web.beedle.co/#/), [Visma](../saas-apps/visma-tutorial.md), [OneDesk](../saas-apps/onedesk-tutorial.md), [Foko Retail](../saas-apps/foko-retail-tutorial.md), [Qmarkets Idea & Innovation Management](../saas-apps/qmarkets-idea-innovation-management-tutorial.md), [Netskope User Authentication](../saas-apps/netskope-user-authentication-tutorial.md), [uniFLOW Online](../saas-apps/uniflow-online-tutorial.md), [Claromentis](../saas-apps/claromentis-tutorial.md), [Jisc Student Voter Registration](../saas-apps/jisc-student-voter-registration-tutorial.md), [e4enable](https://portal.e4enable.com/)

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-### New and improved Azure AD application gallery

-**Type:** Changed feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-We've updated the Azure AD application gallery to make it easier for you to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on your Azure Active Directory tenant.

-For more information, see [Add an application to your Azure Active Directory tenant](../manage-apps/add-application-portal.md).

-### Increased app role definition length limit from 120 to 240 characters

-**Type:** Changed feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-We've heard from customers that the length limit for the app role definition value in some apps and services is too short at 120 characters. In response, we've increased the maximum length of the role value definition to 240 characters.

-For more information about using application-specific role definitions, see [Add app roles in your application and receive them in the token](../develop/howto-add-app-roles-in-azure-ad-apps.md).

-## October 2019

-### Deprecation of the identityRiskEvent API for Azure AD Identity Protection risk detections

-**Type:** Plan for change

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-In response to developer feedback, Azure AD Premium P2 subscribers can now perform complex queries on Azure AD Identity Protection's risk detection data by using the new riskDetection API for Microsoft Graph. The existing [identityRiskEvent](/graph/api/resources/identityprotection-root) API beta version will stop returning data around **January 10, 2020**. If your organization is using the identityRiskEvent API, you should transition to the new riskDetection API.

-For more information about the new riskDetection API, see the [Risk detection API reference documentation](/graph/api/resources/riskdetection).

-### Application Proxy support for the SameSite Attribute and Chrome 80

-**Type:** Plan for change

-**Service category:** App Proxy

-**Product capability:** Access Control

-A couple of weeks prior to the Chrome 80 browser release, we plan to update how Application Proxy cookies treat the **SameSite** attribute. With the release of Chrome 80, any cookie that doesn't specify the **SameSite** attribute will be treated as though it was set to `SameSite=Lax`.

-To help avoid potentially negative impacts due to this change, we're updating Application Proxy access and session cookies by:

- >[!NOTE]

- > Application Proxy access cookies have always been transmitted exclusively over secure channels. These changes only apply to session cookies.

-For more information about the Application Proxy cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](../app-proxy/application-proxy-configure-cookie-settings.md).

-### App registrations (legacy) and app management in the Application Registration Portal (apps.dev.microsoft.com) is no longer available

-**Type:** Plan for change

-**Service category:** N/A

-**Product capability:** Developer Experience

-Users with Azure AD accounts can no longer register or manage applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage applications in the App registrations (legacy) experience in the Azure portal.

-To learn more about the new App registrations experience, see the [App registrations in the Azure portal training guide](../develop/quickstart-register-app.md).

-### Users are no longer required to re-register during migration from per-user multifactor authentication (MFA) to Conditional Access-based multifactor authentication (MFA)

-**Type:** Fixed

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-We've fixed a known issue whereby when users were required to re-register if they were disabled for per-user MultiFactor Authentication (MFA) and then enabled for multifactor authentication (MFA) through a Conditional Access policy.

-To require users to re-register, you can select the **Required re-register multifactor authentication (MFA)** option from the user's authentication methods in the Azure portal.

-### New capabilities to transform and send claims in your SAML token

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-We've added additional capabilities to help you to customize and send claims in your SAML token. These new capabilities include:

-For detailed information about these new capabilities, including how to use them, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).

-### New My Sign-ins page for end users in Azure AD

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** Monitoring & Reporting

-We've added a new **My Sign-ins** page (https://mysignins.microsoft.com) to let your organization's users view their recent sign-in history to check for any unusual activity. This new page allows your users to see:

-For more information, see the [Users can now check their sign-in history for unusual activity](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Users-can-now-check-their-sign-in-history-for-unusual-activity/ba-p/916066) blog.

-### Migration of Azure AD Domain Services (Azure AD DS) from classic to Azure Resource Manager virtual networks

-**Type:** New feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-To our customers who have been stuck on classic virtual networks -- we have great news for you! You can now perform a one-time migration from a classic virtual network to an existing Resource Manager virtual network. After moving to the Resource Manager virtual network, you'll be able to take advantage of the additional and upgraded features such as, fine-grained password policies, email notifications, and audit logs.

-### Updates to the Azure AD B2C page contract layout

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-We've introduced some new changes to version 1.2.0 of the page contract for Azure AD B2C. In this updated version, you can now control the load order for your elements, which can also help to stop the flicker that happens when the style sheet (CSS) is loaded.

-For a full list of the changes made to the page contract, see the [Version change log](../../active-directory-b2c/page-layout.md#other-pages-providerselection-claimsconsent-unifiedssd).

-### Update to the My Apps page along with new workspaces (Public preview)

-**Type:** New feature

-**Service category:** My Apps

-**Product capability:** Access Control

-You can now customize the way your organization's users view and access the brand-new My Apps experience, including using the new workspaces feature to make it easier for them to find apps. The new workspaces functionality acts as a filter for the apps your organization's users already have access to.

-For more information on rolling out the new My Apps experience and creating workspaces, see [Create workspaces on the My Apps (preview) portal](../manage-apps/access-panel-collections.md).

-### Support for the monthly active user-based billing model (General availability)

-**Type:** New feature

-**Service category:** B2C - Consumer Identity Management

-**Product capability:** B2B/B2C

-Azure AD B2C now supports monthly active users (MAU) billing. MAU billing is based on the number of unique users with authentication activity during a calendar month. Existing customers can switch to this new billing method at any time.

-Starting on November 1, 2019, all new customers will automatically be billed using this method. This billing method benefits customers through cost benefits and the ability to plan ahead.

-For more information, see [Upgrade to monthly active users billing model](../../active-directory-b2c/billing.md#switch-to-mau-billing-pre-november-2019-azure-ad-b2c-tenants).

-### New Federated Apps available in Azure AD App gallery - October 2019

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In October 2019, we've added these 35 new apps with Federation support to the app gallery:

-[In Case of Crisis ΓÇô Mobile](../saas-apps/in-case-of-crisis-mobile-tutorial.md), [Juno Journey](../saas-apps/juno-journey-tutorial.md), [ExponentHR](../saas-apps/exponenthr-tutorial.md), [Tact](https://www.tact.ai/products/tact-assistant), [OpusCapita Cash Management](https://appsource.microsoft.com/product/web-apps/opuscapitagroupoy-1036255.opuscapita-cm), [Salestim](https://www.salestim.com/), [Learnster](../saas-apps/learnster-tutorial.md), [Dynatrace](../saas-apps/dynatrace-tutorial.md), [HunchBuzz](https://login.hunchbuzz.com/integrations/azure/process), [Freshworks](../saas-apps/freshworks-tutorial.md), [eCornell](../saas-apps/ecornell-tutorial.md), [ShipHazmat](../saas-apps/shiphazmat-tutorial.md), [Netskope Cloud Security](../saas-apps/netskope-cloud-security-tutorial.md), [Contentful](../saas-apps/contentful-tutorial.md), [Bindtuning](https://bindtuning.com/login), [HireVue Coordinate ΓÇô Europe](https://www.hirevue.com/), [HireVue Coordinate - USOnly](https://www.hirevue.com/), [HireVue Coordinate - US](https://www.hirevue.com/), [WittyParrot Knowledge Box](https://wittyapi.wittyparrot.com/wittyparrot/api/provision/trail/signup), [Cloudmore](../saas-apps/cloudmore-tutorial.md), [Visit.org](../saas-apps/visitorg-tutorial.md), [Cambium Xirrus EasyPass Portal](https://login.xirrus.com/azure-signup), [Paylocity](../saas-apps/paylocity-tutorial.md), [Mail Luck!](../saas-apps/mail-luck-tutorial.md), [Teamie](https://theteamie.com/), [Velocity for Teams](https://velocity.peakup.org/teams/login), [SIGNL4](https://account.signl4.com/manage), [EAB Navigate IMPL](../saas-apps/eab-navigate-impl-tutorial.md), [ScreenMeet](https://console.screenmeet.com/), [Omega Point](https://pi.ompnt.com/), [Speaking Email for Intune (iPhone)](https://speaking.email/FAQ/98/email-access-via-microsoft-intune), [Speaking Email for Office 365 Direct (iPhone/Android)](https://speaking.email/FAQ/126/email-access-via-microsoft-office-365-direct), [ExactCare SSO](../saas-apps/exactcare-sso-tutorial.md), [iHealthHome Care Navigation System](https://ihealthnav.com/account/signin), [Qubie](https://www.qubie.app/)

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-### Consolidated Security menu item in the Azure portal

-**Type:** Changed feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-You can now access all of the available Azure AD security features from the new **Security** menu item, and from the **Search** bar, in the Azure portal. Additionally, the new **Security** landing page, called **Security - Getting started**, will provide links to our public documentation, security guidance, and deployment guides.

-The new **Security** menu includes:

-For more information, see [Security - Getting started](https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/GettingStarted).

-### Office 365 groups expiration policy enhanced with autorenewal

-**Type:** Changed feature

-**Service category:** Group Management

-**Product capability:** Identity Lifecycle Management

-The Office 365 groups expiration policy has been enhanced to automatically renew groups that are actively in use by its members. Groups will be autorenewed based on user activity across all the Office 365 apps, including Outlook, SharePoint, and Teams.

-This enhancement helps to reduce your group expiration notifications and helps to make sure that active groups continue to be available. If you already have an active expiration policy for your Office 365 groups, you don't need to do anything to turn on this new functionality.

-For more information, see [Configure the expiration policy for Office 365 groups](../enterprise-users/groups-lifecycle.md).

-### Updated Azure AD Domain Services (Azure AD DS) creation experience

-**Type:** Changed feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-We've updated Azure AD Domain Services (Azure AD DS) to include a new and improved creation experience, helping you to create a managed domain in just three clicks! In addition, you can now upload and deploy Azure AD DS from a template.

-For more information, see [Tutorial: Create and configure an Azure Active Directory Domain Services instance](../../active-directory-domain-services/tutorial-create-instance.md).

-## September 2019

-### Plan for change: Deprecation of the Power BI content packs

-**Type:** Plan for change

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-Starting on October 1, 2019, Power BI will begin to deprecate all content packs, including the Azure AD Power BI content pack. As an alternative to this content pack, you can use Azure AD Workbooks to gain insights into your Azure AD-related services. Additional workbooks are coming, including workbooks about Conditional Access policies in report-only mode, app consent-based insights, and more.

-For more information about the workbooks, see [How to use Azure Monitor workbooks for Azure Active Directory reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). For more information about the deprecation of the content packs, see the [Announcing Power BI template apps general availability](https://powerbi.microsoft.com/blog/announcing-power-bi-template-apps-general-availability/) blog post.

-### My Profile is renaming and integrating with the Microsoft Office account page

-**Type:** Plan for change

-**Service category:** My Profile/Account

-**Product capability:** Collaboration

-Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that currently says, **My Profile** will change to **My Account**. On top of the naming change and some design improvements, the updated experience will offer additional integration with the Microsoft Office account page. Specifically, you'll be able to access Office installations and subscriptions from the **Overview Account** page, along with Office-related contact preferences from the **Privacy** page.

-For more information about the My Profile (preview) experience, see [My Profile (preview) portal overview](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd).

-### Bulk manage groups and members using CSV files in the Azure portal (Public Preview)

-**Type:** New feature

-**Service category:** Group Management

-**Product capability:** Collaboration

-We're pleased to announce public preview availability of the bulk group management experiences in the Azure portal. You can now use a CSV file and the Azure portal to manage groups and member lists, including:

-For more information, see [Bulk add members](../enterprise-users/groups-bulk-import-members.md), [Bulk remove members](../enterprise-users/groups-bulk-remove-members.md), [Bulk download members list](../enterprise-users/groups-bulk-download-members.md), and [Bulk download groups list](../enterprise-users/groups-bulk-download.md).

-### Dynamic consent is now supported through a new admin consent endpoint

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-We've created a new admin consent endpoint to support dynamic consent, which is helpful for apps that want to use the dynamic consent model on the Microsoft Identity platform.

-For more information about how to use this new endpoint, see [Using the admin consent endpoint](../develop/v2-admin-consent.md).

-### New Federated Apps available in Azure AD App gallery - September 2019

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In September 2019, we've added these 29 new apps with Federation support to the app gallery:

-[ScheduleLook](https://schedulelook.bbsonlineservices.net/), [MS Azure SSO Access for Ethidex Compliance Office&trade; - Single sign-on](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [iServer Portal](../saas-apps/iserver-portal-tutorial.md), [SKYSITE](../saas-apps/skysite-tutorial.md), [Concur Travel and Expense](../saas-apps/concur-travel-and-expense-tutorial.md), [WorkBoard](../saas-apps/workboard-tutorial.md), `https://apps.yeeflow.com/`, [ARC Facilities](../saas-apps/arc-facilities-tutorial.md), [Luware Stratus Team](https://stratus.emea.luware.cloud/login), [Wide Ideas](https://wideideas.online/wideideas/), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), [RENRAKU](../saas-apps/renraku-tutorial.md), [SealPath Secure Browser](https://protection.sealpath.com/SealPathInterceptorWopiSaas/Open/InstallSealPathEditorOneDrive), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), `https://app.penneo.com/`, `https://app.testhtm.com/settings/email-integration`, [Cintoo Cloud](https://aec.cintoo.com/login), [Whitesource](../saas-apps/whitesource-tutorial.md), [Hosted Heritage Online SSO](../saas-apps/hosted-heritage-online-sso-tutorial.md), [IDC](../saas-apps/idc-tutorial.md), [CakeHR](../saas-apps/cakehr-tutorial.md), [BIS](../saas-apps/bis-tutorial.md), [Coo Kai Team Build](https://ms-contacts.coo-kai.jp/), [Sonarqube](../saas-apps/sonarqube-tutorial.md), [Adobe Identity Management](../saas-apps/tutorial-list.md), [Discovery Benefits SSO](../saas-apps/discovery-benefits-sso-tutorial.md), [Amelio](https://app.amelio.co/), `https://itask.yipinapp.com/`

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-### New Azure AD Global Reader role

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-Starting on September 24, 2019, we're going to start rolling out a new Azure Active Directory (AD) role called Global Reader. This rollout will start with production and Global cloud customers (GCC), finishing up worldwide in October.

-The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can't take management actions. We've created the Global Reader role to help reduce the number of Global Administrators in your organization. Because Global Administrator accounts are powerful and vulnerable to attack, we recommend that you have fewer than five Global Administrators. We recommend using the Global Reader role for planning, audits, or investigations. We also recommend using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.

-The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Microsoft Purview compliance portal, Azure portal, and the Device Management Admin Center.

->[!NOTE]

-> At the start of public preview, the Global Reader role won't work with: SharePoint, Privileged Access Management, Customer Lockbox, sensitivity labels, Teams Lifecycle, Teams Reporting & Call Analytics, Teams IP Phone Device Management, and Teams App Catalog.

-For more information, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md).

-### Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application Proxy

-**Type:** New feature

-**Service category:** App Proxy

-**Product capability:** Access Control

-New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization's reports hosted on the on-premises Power BI Report Server.

-For information about the Power BI Mobile app, including where to download the app, see the [Power BI site](https://powerbi.microsoft.com/mobile/). For more information about how to set up the Power BI mobile app with Azure AD Application Proxy, see [Enable remote access to Power BI Mobile with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-power-bi.md).

-### New version of the AzureADPreview PowerShell module is available

-**Type:** Changed feature

-**Service category:** Other

-**Product capability:** Directory

-New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:

-### New version of Azure AD Connect

-**Type:** Changed feature

-**Service category:** Other

-**Product capability:** Directory

-We've released an updated version of Azure AD Connect for auto-upgrade customers. This new version includes several new features, improvements, and bug fixes.

-### Azure Active Directory Multi-Factor Authentication (MFA) Server, version 8.0.2 is now available

-**Type:** Fixed

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-If you're an existing customer, who activated Azure AD Multi-Factor Authentication (MFA) Server prior to July 1, 2019, you can now download the latest version of Azure AD Multi-Factor Authentication (MFA) Server (version 8.0.2). In this new version, we:

-Starting July 1, 2019, Microsoft stopped offering multifactor authentication (MFA) Server for new deployments. New customers who require multifactor authentication should use cloud-based Azure AD Multi-Factor Authentication. For more information, see [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).

-## August 2019

-### Enhanced search, filtering, and sorting for groups is available in the Azure portal (Public Preview)

-**Type:** New feature

-**Service category:** Group Management

-**Product capability:** Collaboration

-We're pleased to announce public preview availability of the enhanced groups-related experiences in the Azure portal. These enhancements help you better manage groups and member lists, by providing:

-For more information, see [Manage groups in the Azure portal](./active-directory-groups-members-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).

-### New custom roles are available for app registration management (Public Preview)

-**Type:** New feature

-**Service category:** Azure AD roles

-**Product capability:** Access Control

-Custom roles (available with an Azure AD P1 or P2 subscription) can now help provide you with fine-grained access, by letting you create role definitions with specific permissions and then to assign those roles to specific resources. Currently, you create custom roles by using permissions for managing app registrations and then assigning the role to a specific app. For more information about custom roles, see [Custom administrator roles in Azure Active Directory (preview)](../roles/custom-overview.md).

-If you need other permissions or resources supported, which you don't currently see, you can send feedback to our [Azure feedback site](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) and we'll add your request to our update road map.

-### New provisioning logs can help you monitor and troubleshoot your app provisioning deployment (Public Preview)

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** Identity Lifecycle Management

-New provisioning logs are available to help you monitor and troubleshoot the user and group provisioning deployment. These new log files include information about:

-For more information, see [Provisioning reports in the Azure portal (preview)](../reports-monitoring/concept-provisioning-logs.md).

-### New security reports for all Azure AD administrators (General Availability)

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, you'll be able to use the banner at the top of the modern security reports to return to the old reports.

-The modern security reports will provide more capabilities from the older versions, including:

-For more information, see [Risky users](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users), [Risky sign-ins](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins), and [Risk detections](../identity-protection/howto-identity-protection-investigate-risk.md#risk-detections).

-### User-assigned managed identity is available for Virtual Machines and Virtual Machine Scale Sets (General Availability)

-**Type:** New feature

-**Service category:** Managed identities for Azure resources

-**Product capability:** Developer Experience

-User-assigned managed identities are now generally available for Virtual Machines and Virtual Machine Scale Sets. As part of this, Azure can create an identity in the Azure AD tenant that's trusted by the subscription in use, and can be assigned to one or more Azure service instances. For more information about user-assigned managed identities, see [What is managed identities for Azure resources?](../managed-identities-azure-resources/overview.md).

-### Users can reset their passwords using a mobile app or hardware token (General Availability)

-**Type:** Changed feature

-**Service category:** Self Service Password Reset

-**Product capability:** User Authentication

-Users who have registered a mobile app with your organization can now reset their own password by approving a notification from the Microsoft Authenticator app or by entering a code from their mobile app or hardware token.

-For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md). For more information about the user experience, see [Reset your own work or school password overview](https://support.microsoft.com/account-billing/register-the-password-reset-verification-method-for-a-work-or-school-account-47a55d4a-05b0-4f67-9a63-f39a43dbe20a).

-### ADAL.NET ignores the MSAL.NET shared cache for on-behalf-of scenarios

-**Type:** Fixed

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-Starting with Azure AD authentication library (ADAL.NET) version 5.0.0-preview, app developers must [serialize one cache per account for web apps and web APIs](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Token-cache-serialization#custom-token-cache-serialization-in-web-applications--web-api). Otherwise, some scenarios using the [on-behalf-of flow](../develop/scenario-web-api-call-api-app-configuration.md?tabs=java) for Java, along with some specific use cases of `UserAssertion`, may result in an elevation of privilege. To avoid this vulnerability, ADAL.NET now ignores the Microsoft Authentication Library for dotnet (MSAL.NET) shared cache for on-behalf-of scenarios.

-For more information about this issue, see [Azure Active Directory Authentication Library Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1258).

-### New Federated Apps available in Azure AD App gallery - August 2019

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In August 2019, we've added these 26 new apps with Federation support to the app gallery:

-[Civic Platform](../saas-apps/civic-platform-tutorial.md), [Amazon Business](../saas-apps/amazon-business-tutorial.md), [ProNovos Ops Manager](../saas-apps/pronovos-ops-manager-tutorial.md), [Cognidox](../saas-apps/cognidox-tutorial.md), [Viareport's Inativ Portal (Europe)](../saas-apps/viareports-inativ-portal-europe-tutorial.md), [Azure Databricks](https://azure.microsoft.com/services/databricks), [Robin](../saas-apps/robin-tutorial.md), [Academy Attendance](../saas-apps/academy-attendance-tutorial.md), [Cousto MySpace](https://cousto.platformers.be/account/login), [Uploadcare](https://uploadcare.com/accounts/signup/), [Carbonite Endpoint Backup](../saas-apps/carbonite-endpoint-backup-tutorial.md), [CPQSync by Cincom](../saas-apps/cpqsync-by-cincom-tutorial.md), [Chargebee](../saas-apps/chargebee-tutorial.md), [deliver.media&trade; Portal](https://portal.deliver.media), [Frontline Education](../saas-apps/frontline-education-tutorial.md), [F5](https://www.f5.com/products/security/access-policy-manager), [stashcat AD connect](https://www.stashcat.com), [Blink](../saas-apps/blink-tutorial.md), [Vocoli](../saas-apps/vocoli-tutorial.md), [ProNovos Analytics](../saas-apps/pronovos-analytics-tutorial.md), [Sigstr](../saas-apps/sigstr-tutorial.md), [Darwinbox](../saas-apps/darwinbox-tutorial.md), [Watch by Colors](../saas-apps/watch-by-colors-tutorial.md), [Harness](../saas-apps/harness-tutorial.md), [EAB Navigate Strategic Care](../saas-apps/eab-navigate-strategic-care-tutorial.md)

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-### New versions of the AzureAD PowerShell and AzureADPreview PowerShell modules are available

-**Type:** Changed feature

-**Service category:** Other

-**Product capability:** Directory

-New updates to the AzureAD and AzureAD Preview PowerShell modules are available:

- - `Get-AzureADMSRoleAssignment`

- - `Get-AzureADMSRoleDefinition`

- - `New-AzureADMSRoleAssignment`

- - `New-AzureADMSRoleDefinition`

- - `Remove-AzureADMSRoleAssignment`

- - `Remove-AzureADMSRoleDefinition`

- - `Set-AzureADMSRoleDefinition`

-### Improvements to the UI of the dynamic group rule builder in the Azure portal

-**Type:** Changed feature

-**Service category:** Group Management

-**Product capability:** Collaboration

-We've made some UI improvements to the dynamic group rule builder, available in the Azure portal, to help you more easily set up a new rule, or change existing rules. This design improvement allows you to create rules with up to five expressions, instead of just one. We've also updated the device property list to remove deprecated device properties.

-For more information, see [Manage dynamic membership rules](../enterprise-users/groups-dynamic-membership.md).

-### New Microsoft Graph app permission available for use with access reviews

-**Type:** Changed feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-We've introduced a new Microsoft Graph app permission, `AccessReview.ReadWrite.Membership`, which allows apps to automatically create and retrieve access reviews for group memberships and app assignments. This permission can be used by your scheduled jobs or as part of your automation, without requiring a logged-in user context.

-For more information, see the [Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell blog](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-how-to-create-Azure-AD-access-reviews-using-Microsoft/m-p/807241).

-### Azure AD activity logs are now available for government cloud instances in Azure Monitor

-**Type:** Changed feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-We're excited to announce that Azure AD activity logs are now available for government cloud instances in Azure Monitor. You can now send Azure AD logs to your storage account or to an event hub to integrate with your SIEM tools, like [Sumologic](../reports-monitoring/howto-integrate-activity-logs-with-sumologic.md), [Splunk](../reports-monitoring/howto-integrate-activity-logs-with-splunk.md), and [ArcSight](../reports-monitoring/howto-integrate-activity-logs-with-arcsight.md).

-For more information about setting up Azure Monitor, see [Azure AD activity logs in Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md#cost-considerations).

-### Update your users to the new, enhanced security info experience

-**Type:** Changed feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-On September 25, 2019, we'll be turning off the old, non-enhanced security info experience for registering and managing user security info and only turning on the new, [enhanced version](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Cool-enhancements-to-the-Azure-AD-combined-MFA-and-password/ba-p/354271). This means that your users will no longer be able to use the old experience.

-For more information about the enhanced security info experience, see our [admin documentation](../authentication/concept-registration-mfa-sspr-combined.md) and our [user documentation](https://support.microsoft.com/account-billing/set-up-your-security-info-from-a-sign-in-prompt-28180870-c256-4ebf-8bd7-5335571bf9a8).

-#### To turn on this new experience, you must:

-1. Sign in to the Azure portal as a Global Administrator or User Administrator.

-2. Go to **Azure Active Directory > User settings > Manage settings for access panel preview features**.

-3. In the **Users can use preview features for registering and managing security info - enhanced** area, select **Selected**, and then either choose a group of users or choose **All** to turn on this feature for all users in the tenant.

-4. In the **Users can use preview features for registering and managing security **info**** area, select **None**.

-5. Save your settings.

- After you save your settings, you'll no longer have access to the old security info experience.

->[!Important]

->If you don't complete these steps before September 25, 2019, your Azure Active Directory tenant will be automatically enabled for the enhanced experience. If you have questions, please contact us at registrationpreview@microsoft.com.

-### Authentication requests using POST logins will be more strictly validated

-**Type:** Changed feature

-**Service category:** Authentications (Logins)

-**Product capability:** Standards

-Starting on September 2, 2019, authentication requests using the POST method will be more strictly validated against the HTTP standards. Specifically, spaces and double-quotes (") will no longer be removed from request form values. These changes aren't expected to break any existing clients, and will help to make sure that requests sent to Azure AD are reliably handled every time.

-For more information, see the [Azure AD breaking changes notices](../develop/reference-breaking-changes.md#post-form-semantics-will-be-enforced-more-strictlyspaces-and-quotes-will-be-ignored).

-## July 2019

-### Plan for change: Application Proxy service update to support only TLS 1.2

-**Type:** Plan for change

-**Service category:** App Proxy

-**Product capability:** Access Control

-To help provide you with our strongest encryption, we're going to begin limiting Application Proxy service access to only TLS 1.2 protocols. This limitation will initially be rolled out to customers who are already using TLS 1.2 protocols, so you won't see the impact. Complete deprecation of the TLS 1.0 and TLS 1.1 protocols will be complete on August 31, 2019. Customers still using TLS 1.0 and TLS 1.1 will receive advanced notice to prepare for this change.

-To maintain the connection to the Application Proxy service throughout this change, we recommend that you make sure your client-server and browser-server combinations are updated to use TLS 1.2. We also recommend that you make sure to include any client systems used by your employees to access apps published through the Application Proxy service.

-For more information, see [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md).

-### Plan for change: Design updates are coming for the Application Gallery

-**Type:** Plan for change

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-New user interface changes are coming to the design of the **Add from the gallery** area of the **Add an application** blade. These changes will help you more easily find your apps that support automatic provisioning, OpenID Connect, Security Assertion Markup Language (SAML), and Password single sign-on (SSO).

-### Plan for change: Removal of the multifactor authentication (MFA) server IP address from the Office 365 IP address

-**Type:** Plan for change

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-We're removing the multifactor authentication (MFA) server IP address from the [Office 365 IP Address and URL Web service](/office365/enterprise/office-365-ip-web-service). If you currently rely on these pages to update your firewall settings, you must make sure you're also including the list of IP addresses documented in the **Azure Active Directory Multi-Factor Authentication Server firewall requirements** section of the [Getting started with the Azure Active Directory Multi-Factor Authentication Server](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements) article.

-### App-only tokens now require the client app to exist in the resource tenant

-**Type:** Fixed

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-On July 26, 2019, we changed how we provide app-only tokens through the [client credentials grant](../develop/v2-oauth2-client-creds-grant-flow.md). Previously, apps could get tokens to call other apps, regardless of whether the client app was in the tenant. We've updated this behavior so single-tenant resources, sometimes called Web APIs, can only be called by client apps that exist in the resource tenant.

-If your app isn't located in the resource tenant, you'll get an error message that says, `The service principal named <app_name> was not found in the tenant named <tenant_name>. This can happen if the application has not been installed by the administrator of the tenant.` To fix this problem, you must create the client app service principal in the tenant, using either the [admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint) or [through PowerShell](../develop/howto-authenticate-service-principal-powershell.md), which ensures your tenant has given the app permission to operate within the tenant.

-For more information, see [What's new for authentication?](../develop/reference-breaking-changes.md#app-only-tokens-for-single-tenant-applications-are-only-issued-if-the-client-app-exists-in-the-resource-tenant).

-> [!NOTE]

-> Existing consent between the client and the API continues to not be required. Apps should still be doing their own authorization checks.

-### New passwordless sign-in to Azure AD using FIDO2 security keys

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-Azure AD customers can now set policies to manage FIDO2 security keys for their organization's users and groups. End users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on web sites while on FIDO-capable devices, and sign-in to their Azure AD-joined Windows 10 devices.

-For more information, see [Enable passwordless sign in for Azure AD (preview)](../authentication/concept-authentication-passwordless.md) for administrator-related information, and [Set up security info to use a security key (Preview)](https://support.microsoft.com/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698) for end-user-related information.

-### New Federated Apps available in Azure AD App gallery - July 2019

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In July 2019, we've added these 18 new apps with Federation support to the app gallery:

-[Ungerboeck Software](../saas-apps/ungerboeck-software-tutorial.md), [Bright Pattern Omnichannel Contact Center](../saas-apps/bright-pattern-omnichannel-contact-center-tutorial.md), [Clever Nelly](../saas-apps/clever-nelly-tutorial.md), [AcquireIO](../saas-apps/acquireio-tutorial.md), [Looop](https://www.looop.co/schedule-a-demo/), [productboard](../saas-apps/productboard-tutorial.md), [MS Azure SSO Access for Ethidex Compliance Office&trade;](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [Hype](../saas-apps/hype-tutorial.md), [Abstract](../saas-apps/abstract-tutorial.md), [Ascentis](../saas-apps/ascentis-tutorial.md), [Flipsnack](https://www.flipsnack.com/accounts/sign-in-sso.html), [Wandera](../saas-apps/wandera-tutorial.md), [TwineSocial](https://twinesocial.com/), [Kallidus](../saas-apps/kallidus-tutorial.md), [HyperAnna](../saas-apps/hyperanna-tutorial.md), [PharmID WasteWitness](https://pharmid.com/), [i2B Connect](https://www.i2b-online.com/sign-up-to-use-i2b-connect-here-sso-access/), [JFrog Artifactory](../saas-apps/jfrog-artifactory-tutorial.md)

-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).

-### Automate user account provisioning for these newly supported SaaS apps

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** Monitoring & Reporting

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md)

-### New Azure AD Domain Services service tag for Network Security Group

-**Type:** New feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-If you're tired of managing long lists of IP addresses and ranges, you can use the new **AzureActiveDirectoryDomainServices** network service tag in your Azure network security group to help secure inbound traffic to your Azure AD Domain Services virtual network subnet.

-For more information about this new service tag, see [Network Security Groups for Azure AD Domain Services](../../active-directory-domain-services/network-considerations.md#network-security-groups-and-required-ports).

-### New Security Audits for Azure AD Domain Services (Public Preview)

-**Type:** New feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hubs, using the Azure AD Domain Service portal.

-For more information, see [Enable Security Audits for Azure AD Domain Services (Preview)](../../active-directory-domain-services/security-audit-events.md).

-### New Authentication methods usage & insights (Public Preview)

-**Type:** New feature

-**Service category:** Self Service Password Reset

-**Product capability:** Monitoring & Reporting

-The new Authentication methods usage & insights reports can help you to understand how features like Azure AD Multi-Factor Authentication and self-service password reset are being registered and used in your organization, including the number of registered users for each feature, how often self-service password reset is used to reset passwords, and by which method the reset happens.

-For more information, see [Authentication methods usage & insights (preview)](../authentication/howto-authentication-methods-activity.md).

-### New security reports are available for all Azure AD administrators (Public Preview)

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-All Azure AD administrators can now select the banner at the top of existing security reports, such as the **Users flagged for risk** report, to start using the new security experience as shown in the **Risky users** and the **Risky sign-ins** reports. Over time, all of the security reports will move from the older versions to the new versions, with the new reports providing you the following additional capabilities:

-For more information, see [Risky users report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users) and [Risky sign-ins report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins).

-### New Security Audits for Azure AD Domain Services (Public Preview)

-**Type:** New feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hubs, using the Azure AD Domain Service portal.

-For more information, see [Enable Security Audits for Azure AD Domain Services (Preview)](../../active-directory-domain-services/security-audit-events.md).

-### New B2B direct federation using SAML/WS-Fed (Public Preview)

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-Direct federation helps to make it easier for you to work with partners whose IT-managed identity solution is not Azure AD, by working with identity systems that support the SAML or WS-Fed standards. After you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account, making the user experience for your guests more seamless.

-For more information, see [Direct federation with AD FS and third-party providers for guest users (preview)](../external-identities/direct-federation.md).

-### Automate user account provisioning for these newly supported SaaS apps

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** Monitoring & Reporting

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-### New check for duplicate group names in the Azure portal

-**Type:** New feature

-**Service category:** Group Management

-**Product capability:** Collaboration

-Now, when you create or update a group name from the Azure portal, we'll perform a check to see if you are duplicating an existing group name in your resource. If we determine that the name is already in use by another group, you'll be asked to modify your name.

-For more information, see [Manage groups in the Azure portal](./active-directory-groups-create-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).

-### Azure AD now supports static query parameters in reply (redirect) URIs

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-Azure AD apps can now register and use reply (redirect) URIs with static query parameters (for example, `https://contoso.com/oauth2?idp=microsoft`) for OAuth 2.0 requests. The static query parameter is subject to string matching for reply URIs, just like any other part of the reply URI. If there's no registered string that matches the URL-decoded redirect-uri, the request is rejected. If the reply URI is found, the entire string is used to redirect the user, including the static query parameter.

-Dynamic reply URIs are still forbidden because they represent a security risk and can't be used to retain state information across an authentication request. For this purpose, use the `state` parameter.

-Currently, the app registration screens of the Azure portal still block query parameters. However, you can manually edit the app manifest to add and test query parameters in your app. For more information, see [What's new for authentication?](../develop/reference-breaking-changes.md#redirect-uris-can-now-contain-query-string-parameters).

-### Activity logs (MS Graph APIs) for Azure AD are now available through PowerShell Cmdlets

-**Type:** New feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-We're excited to announce that Azure AD activity logs (Audit and Sign-ins reports) are now available through the Azure AD PowerShell module. Previously, you could create your own scripts using MS Graph API endpoints, and now we've extended that capability to PowerShell cmdlets.

-For more information about how to use these cmdlets, see [Azure AD PowerShell cmdlets for reporting](../reports-monitoring/reference-powershell-reporting.md).

-### Updated filter controls for Audit and Sign-in logs in Azure AD

-**Type:** Changed feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-We've updated the Audit and Sign-in log reports so you can now apply various filters without having to add them as columns on the report screens. Additionally, you can now decide how many filters you want to show on the screen. These updates all work together to make your reports easier to read and more scoped to your needs.

-For more information about these updates, see [Filter audit logs](../reports-monitoring/concept-audit-logs.md#filtering-audit-logs) and [Filter sign-in activities](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities).

-Managed identities are a part of the Azure infrastructure, simplifying how developers handle credentials and secrets to access cloud resources. With Managed Identities, developers do not need to manually handle credential retrieval and security. Instead, they can rely on an automatically managed set of identities to connect to resources that support Azure Active Directory (AAD) authentication. You can learn more in [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)

-Due to a technical issue, we have recently started to emit additional audit logs for terms of use. The additional audit logs will be turned off by the first of May and are tagged with the core directory service and the agreement category. If you have built a dependency on the additional audit logs, you must switch to the regular audit logs tagged with the terms of use service.

-### General Availability - Apple Watch companion app removed from Authenticator for iOS

-**Type:** Deprecated

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-In the January 2023 release of Authenticator for iOS, there's no companion app for watchOS due to it being incompatible with Authenticator security features, meaning you aren't able to install or use Authenticator on Apple Watch. This change only impacts Apple Watch, so you can still use Authenticator on your other devices. For more information, see: [Common questions about the Microsoft Authenticator app](https://support.microsoft.com/account-billing/common-questions-about-the-microsoft-authenticator-app-12d283d1-bcef-4875-9ae5-ac360e2945dd).

- "category": "joiner",

- "continueOnError": true,

- "description": "Send welcome email to new hire",

- "displayName": "Send Welcome Email",

- "isEnabled": true,

- "taskDefinitionId": "70b29d51-b59a-4773-9280-8841dfd3f2ea",

- "arguments": [

- {

- "name": "cc",

- "value": "b47471b9-af8f-4a5a-bfa2-b78e82398f6e, a7a23ce0-909b-40b9-82cf-95d31f0aaca2"

- },

- {

- "name": "customSubject",

- "value": "Welcome to the organization {{userDisplayName}}!"

- },

- {

- "name": "customBody",

- "value": "Welcome to our organization {{userGivenName}} {{userSurname}}. \nFor more information, reach out to your manager {{managerDisplayName}} at {{managerEmail}}."

- },

- {

- "name": "locale",

- "value": "en-us"

- }

- ]

- "category": "joiner",

- "continueOnError": true,

- "description": "Send onboarding reminder email to userΓÇÖs manager",

- "displayName": "Send onboarding reminder email",

- "isEnabled": true,

- "taskDefinitionId": "3C860712-2D37-42A4-928F-5C93935D26A1",

- "arguments": [

- {

- "name": "cc",

- "value": "b47471b9-af8f-4a5a-bfa2-b78e82398f6e, a7a23ce0-909b-40b9-82cf-95d31f0aaca2"

- },

- {

- "name": "customSubject",

- "value": "Reminder to onboard {{userDisplayName}}!"

- },

- {

- "name": "customBody",

- "value": "Hello {{managerDisplayName}}. \n This is a reminder to onboard {{userDisplayName}}."

- },

- {

- "name": "locale",

- "value": "en-us"

- }

- ]

-|arguments | Argument contains the name parameter "tapLifetimeInMinutes", which is the lifetime of the temporaryAccessPass in minutes starting at startDateTime. Minimum 10, Maximum 43200 (equivalent to 30 days). The argument also contains the tapIsUsableOnce parameter, which determines whether the passcode is limited to a one time use. If true, the pass can be used once; if false, the pass can be used multiple times within the temporaryAccessPass lifetime. |

- "category": "joiner",

- "description": "Generate Temporary Access Pass and send via email to user's manager",

- "displayName": "GenerateTAPAndSendEmail",

- "isEnabled": true,

- "continueOnError": true,

- "taskDefinitionId": "1b555e50-7f65-41d5-b514-5894a026d10d",

- "arguments": [

- {

- "name": "cc",

- "value": "b47471b9-af8f-4a5a-bfa2-b78e82398f6e, a7a23ce0-909b-40b9-82cf-95d31f0aaca2"

- },

- {

- "name": "customSubject",

- "value": "Your new employees Temporary Access Pass {{managerDisplayName}}"

- },

- {

- "name": "customBody",

- "value": "Hello {{managerDisplayName}}. \nThe temporary Access Pass {{temporaryAccessPass}} has been generated for {{userDisplayName}}."

- },

- {

- "name": "locale",

- "value": "en-us"

- },

- {

- "name": "tapLifetimeMinutes",

- "value": "60"

- },

- {

- "name": "tapIsUsableOnce",

- "value": "true"

- }

- ]

- "category": "mover",

- "continueOnError": true,

- "displayName": "Send email to notify manager of user move",

- "description": "Send email to notify userΓÇÖs manager of user move",

- "isEnabled": true,

- "taskDefinitionId": "aab41899-9972-422a-9d97-f626014578b7",

- "arguments": [

- {

- "name": "cc",

- "value": "b47471b9-af8f-4a5a-bfa2-b78e82398f6e, a7a23ce0-909b-40b9-82cf-95d31f0aaca2"

- },

- {

- "name": "customSubject",

- "value": "Reminder that {{userDisplayName}} has moved."

- },

- {

- "name": "customBody",

- "value": "Hello {{managerDisplayName}}. \nThis is a reminder that {{userDisplayName}} has moved roles in the organization."

- },

- {

- "name": "locale",

- "value": "en-us"

- },

- ]

-Allows you to request an access package assignment for users. Access packages are bundles of resources, with specific access, that a user would need to accomplish tasks. For more information on access packages, see [What are access packages and what resources can I manage with them?](entitlement-management-overview.md#what-are-access-packages-and-what-resources-can-i-manage-with-them).

-You're able to customize the task name and task description for this task. You must also select an access package that is provided to the user, and the access package policy.

- "category": "joiner",

- "description": "Request user assignment to selected access package",

- "displayName": "Request user access package assignment",

- "id": "c1ec1e76-f374-4375-aaa6-0bb6bd4c60be",

- "parameters": [

- {

- "name": "assignmentPolicyId",

- "values": [],

- "valueType": "string"

- },

- {

- "name": "accessPackageId",

- "values": [],

- "valueType": "string"

- }

- ]

- }

-Allows you to remove an access package assignment from users. Access packages are bundles of resources, with specific access, that a user would need to accomplish tasks. For more information on access packages, see [What are access packages and what resources can I manage with them?](entitlement-management-overview.md#what-are-access-packages-and-what-resources-can-i-manage-with-them).

-You're able to customize the task name and description for this task in the Azure portal. You must also select the access package which you want to unassign from users.

- "category": "leaver",

- "description": "Remove user assignment of selected access package",

- "displayName": "Remove access package assignment for user",

- "id": "4a0b64f2-c7ec-46ba-b117-18f262946c50",

- "parameters": [

- {

- "name": "accessPackageId",

- "values": [],

- "valueType": "string"

- }

- ]

-Allows you to remove all access package assignments from users. Access packages are bundles of resources, with specific access, that a user would need to accomplish tasks. For more information on access packages, see [What are access packages and what resources can I manage with them?](entitlement-management-overview.md#what-are-access-packages-and-what-resources-can-i-manage-with-them).

- "category": "leaver",

- "description": "Remove all access packages assigned to the user",

- "displayName": "Remove all access package assignments for user",

- "id": "42ae2956-193d-4f39-be06-691b8ac4fa1d",

- "parameters": []

-Allows you to remove all access package assignments from users. Access packages are bundles of resources, with specific access, that a user would need to accomplish tasks. For more information on access packages, see [What are access packages and what resources can I manage with them?](entitlement-management-overview.md#what-are-access-packages-and-what-resources-can-i-manage-with-them).

- "category": "leaver",

- "description": "Cancel all pending access packages assignment requests for the user",

- "displayName": "Cancel pending access package assignment requests for user",

- "id": "498770d9-bab7-4e4c-b73d-5ded82a1d0b3",

- "parameters": []

- "category": "leaver",

- "continueOnError": true,

- "displayName": "Send email before userΓÇÖs last day",

- "description": "Send offboarding email to userΓÇÖs manager before the last day of work",

- "isEnabled": true,

- "taskDefinitionId": "52853a3e-f4e5-4eb8-bb24-1ac09a1da935",

- "arguments": [

- {

- "name": "cc",

- "value": "b47471b9-af8f-4a5a-bfa2-b78e82398f6e, a7a23ce0-909b-40b9-82cf-95d31f0aaca2"

- },

- {

- "name": "customSubject",

- "value": "Reminder that {{userDisplayName}}'s last day is coming up."

- },

- {

- "name": "customBody",

- "value": "Hello {{managerDisplayName}}. \nThis is a reminder that {{userDisplayName}}'s last date is coming up."

- },

- {

- "name": "locale",

- "value": "en-us"

- },

- ]

- "category": "leaver",

- "continueOnError": true,

- "displayName": "Send email on userΓÇÖs last day",

- "description": "Send offboarding email to userΓÇÖs manager on the last day of work",

- "isEnabled": true,

- "taskDefinitionId": "9c0a1eaf-5bda-4392-9d9e-6e155bb57411",

- "arguments": [

- {

- "name": "cc",

- "value": "b47471b9-af8f-4a5a-bfa2-b78e82398f6e, a7a23ce0-909b-40b9-82cf-95d31f0aaca2"

- },

- {

- "name": "customSubject",

- "value": "{{userDisplayName}}'s last day"

- },

- {

- "name": "customBody",

- "value": "Hello {{managerDisplayName}}. \nThis is a reminder that {{userDisplayName}}'s last day is today, {{userEmployeeLeaveDateTime}}."

- },

- {

- "name": "locale",

- "value": "en-us"

- },

- ]

- "category": "leaver",

- "continueOnError": true,

- "displayName": "Send offboarding email to userΓÇÖs manager after the last day of work",

- "description": "Send email after userΓÇÖs last day",

- "isEnabled": true,

- "taskDefinitionId": "6f22ddd4-b3a5-47a4-a846-0d7c201a49ce",

- "arguments": [

- {

- "name": "cc",

- "value": "b47471b9-af8f-4a5a-bfa2-b78e82398f6e, a7a23ce0-909b-40b9-82cf-95d31f0aaca2"

- },

- {

- "name": "customSubject",

- "value": "{{userDisplayName}} left on {{userEmployeeLeaveDateTime}}"

- },

- {

- "name": "customBody",

- "value": "Hello {{managerDisplayName}}. This is a reminder that {{userDisplayName}} left on{{UserEmployeeLeaveDateTime}}."

- },

- {

- "name": "locale",

- "value": "en-us"

- },

-]

-* Use the lightweight Azure AD provisioning agent and [web services connector](/azure/active-directory/app-provisioning/on-premises-web-services-connector) to provision users into apps such as SAP ECC.

-For other similar Microsoft Graph API examples for users, see [Assign, update, list, or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md#microsoft-graph-api) and [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).

-9. Review the user attributes that are synchronized from Azure AD to AWS IAM Identity Center in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in AWS IAM Identity Center for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the AWS IAM Identity Center API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

-When exporting a user to AWS, they are required to have the following attributes

-AWS does not support the following multi-valued attributes:

- csi.storage.k8s.io/pv/name: $PV-csi

-[kured-install]: https://github.com/kubereboot/kured/tree/main/cmd/kured

-> Performing the `az aks update` operation upgrades only Windows Server node pools. Linux node pools are not affected.

-> Performing the `Set-AzAksCluster` operation upgrades only Windows Server node pools. Linux node pools are not affected.

-* Converts the query string parameters to template parameters.

-If you prefer a different behavior, you can either:

-* Manually change via form-based editor, or

-* Remove the "required" attribute from the OpenAPI definition, thus not converting them to template parameters.

-> This policy is currently in preview.

-Azure [availability zones](../reliability/availability-zones-overview.md) are physically separate locations within an Azure region that are tolerant to datacenter-level failures. Each zone is composed of one or more datacenters equipped with independent power, cooling, and networking infrastructure. To ensure resiliency, a minimum of three separate availability zones are present in all availability zone-enabled regions.

-Enabling [zone redundancy](../reliability/migrate-api-mgt.md) for an API Management instance in a supported region provides redundancy for all [service components](api-management-key-concepts.md#api-management-components): gateway, management plane, and developer portal. Azure automatically replicates all service components across the zones that you select. Zone redundancy is only available in the Premium SKU.

-The combination of availability zones for redundancy within a region, and multi-region deployments to improve the gateway availability if there is a regional outage, helps enhance both the reliability and performance of your API Management instance.

-* Configure policies to route requests conditionally to different backends if there is backend failure in a particular region.

-description: In this tutorial, you import an OpenAPI Specification API into Azure API Management, and then test your API in the Azure portal.

-This tutorial shows how to import an OpenAPI Specification backend API in JSON format into Azure API Management. Microsoft provides the backend API used in this example, and hosts it on Azure at [https://conferenceapi.azurewebsites.net?format=json](https://conferenceapi.azurewebsites.net?format=json).

-This section shows how to import and publish an OpenAPI Specification backend API.

- :::image type="content" source="media/import-and-publish/open-api-specs.png" alt-text="Create an API":::

- |**OpenAPI specification**|*https:\//conferenceapi.azurewebsites.net?format=json*|Specifies the backend service implementing the API. API Management forwards requests to this address. <br/><br/>The backend service URL appears later as the **Web service URL** on the API's **Settings** page. |

- |**Display name**|After you enter the preceding service URL, API Management fills out this field based on the JSON.|The name displayed in the [developer portal](api-management-howto-developer-portal.md).|

- |**Name**|After you enter the preceding service URL, API Management fills out this field based on the JSON.|A unique name for the API.|

- |**Description**|After you enter the preceding service URL, API Management fills out this field based on the JSON.|An optional description of the API.|

- |**Products**|**Unlimited**|Association of one or more APIs. Each API Management instance comes with two sample products: **Starter** and **Unlimited**. You publish an API by associating the API with a product, **Unlimited** in this example.<br/><br/> You can include several APIs in a product and offer them to developers through the developer portal. To add this API to another product, type or select the product name. Repeat this step to add the API to multiple products. You can also add APIs to products later from the **Settings** page.<br/><br/> For more information about products, see [Create and publish a product](api-management-howto-add-products.md).|

-You can call API operations directly from the Azure portal, which provides a convenient way to view and test the operations.

-1. Select the **Test** tab, and then select **GetSpeakers**. The page shows **Query parameters** and **Headers**, if any. The **Ocp-Apim-Subscription-Key** is filled in automatically for the subscription key associated with this API.

- :::image type="content" source="media/import-and-publish/test-new-api.png" alt-text="Test API in Azure portal":::

-> This policy is currently in preview.

-### Configure arrays in app settings

-You can also configure arrays in app settings as shown in the following table.

-|App setting name | App setting value |

-|--|-|

-|MY_ENV_VAR | ['entry1', 'entry2', 'entry3'] |

-[GeoReplication]: ./media/web-sites-scale/scale12SQLGeoReplication.png

-* [Tutorial: Run a load test to identify performance bottlenecks in a web app](../load-testing/tutorial-identify-bottlenecks-azure-portal.md)

-Since the application gateway resource is deployed inside a virtual network, we also perform a check to verify the permission on the provided virtual network resource. This validation is performed during both creation and management operations. You should check your [Azure role-based access control](../role-based-access-control/role-assignments-list-portal.md) to verify the users (and service principals) that operate application gateways also have at least **Microsoft.Network/virtualNetworks/subnets/join/action** permission on the Virtual Network or Subnet. This is also applies to the [Managed Identities for Application Gateway Ingress Controller](./tutorial-ingress-controller-add-on-new.md#deploy-an-aks-cluster-with-the-add-on-enabled).

-Network security groups (NSGs) are supported on Application Gateway.

-Fine grain control over the Application Gateway subnet via NSG rules is possible in public preview. More details can be found [here](application-gateway-private-deployment.md#network-security-group-control).

-With current functionality there are some restrictions:

- - Don't remove the default outbound rules.

- - Don't create other outbound rules that deny any outbound connectivity.

-### Allow access to a few source IPs

-For this scenario, use NSGs on the Application Gateway subnet. Put the following restrictions on the subnet in this order of priority:

-1. Allow incoming traffic from a source IP or IP range with the destination as the entire Application Gateway subnet address range and destination port as your inbound access port, for example, port 80 for HTTP access.

-2. Allow incoming requests from source as **GatewayManager** service tag and destination as **Any** and destination ports as 65503-65534 for the Application Gateway v1 SKU, and ports 65200-65535 for v2 SKU for [backend health status communication](./application-gateway-diagnostics.md). This port range is required for Azure infrastructure communication. These ports are protected (locked down) by Azure certificates. Without appropriate certificates in place, external entities can't initiate changes on those endpoints.

-3. Allow incoming Azure Load Balancer probes (*AzureLoadBalancer* tag) on the [network security group](../virtual-network/network-security-groups-overview.md).

-4. Allow expected inbound traffic to match your listener configuration (i.e. if you have listeners configured for port 80, you will want an allow inbound rule for port 80)

-5. Block all other incoming traffic by using a deny-all rule.

-6. Allow outbound traffic to the Internet for all destinations.

-### Managed identity

-Enable a system-assigned managed identity for your Form Recognizer resource. A system-assigned managed identity is enabled directly on a service instance. It isn't enabled by default; you must go to your resource and update the identity setting.

-For more information, *see*, [Enable a system-assigned managed identity](../managed-identities.md#enable-a-system-assigned-managed-identity)

-### Role-based access control (RBAC)

-Grant your Form Recognizer managed identity access to your storage account using Azure role-based access control (Azure RBAC). The [Storage Blob Data Contributor](../../..//role-based-access-control/built-in-roles.md#storage-blob-data-reader) role grants read, write, and delete permissions for Azure Storage containers and blobs.

-For more information, *see*, [Grant access to your storage account](../managed-identities.md#grant-access-to-your-storage-account)

-### Configure cross origin resource sharing (CORS)

-CORS needs to be configured in your Azure storage account for it to be accessible to the Form Recognizer Studio. You can update the CORS setting in the Azure portal.

-Form more information, *see* [Configure CORS](../quickstarts/try-form-recognizer-studio.md#configure-cors)

-### User sharing requirements

-Users sharing the project need to create a project [**`ListAccountSAS`**](/rest/api/storagerp/storage-accounts/list-account-sas) to configure the storage account CORS and a [**`ListServiceSAS`**](/rest/api/storagerp/storage-accounts/list-service-sas) to generate a SAS token for *read*, *write* and *list* container's file in addition to blob storage data *update* permissions.

-### User importing requirements

-Users who want to import the project need a [**`ListServiceSAS`**](/rest/api/storagerp/storage-accounts/list-service-sas) to generate a SAS token for *read*, *write* and *list* container's file in addition to blob storage data *update* permissions.

-# Connect to Azure with system-assigned managed identity

-# set and store context

-$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription `

- -DefaultProfile $AzureContext

-# Check for already running or new runbooks

-$runbookName = "runbookName"

-$resourceGroupName = "resourceGroupName"

-$jobs = Get-AzAutomationJob -ResourceGroupName $resourceGroupName `

- -AutomationAccountName $automationAccountName `

- -RunbookName $runbookName `

- -DefaultProfile $AzureContext

-# Check to see if it is already running

-$runningCount = ($jobs.Where( { $_.Status -eq 'Running' })).count

-if (($jobs.Status -contains 'Running' -and $runningCount -gt 1 ) -or ($jobs.Status -eq 'New')) {

- # Exit code

- Write-Output "Runbook $runbookName is already running"

- exit 1

-} else {

- # Insert Your code here

- Write-Output "Runbook $runbookName is not running"

-The following configuration was used to benchmark throughput:

-### RedisListsTrigger

-The `RedisListsTrigger` pops elements from a list and surfaces those elements to the function. The trigger polls Redis at a configurable fixed interval, and uses [`LPOP`](https://redis.io/commands/lpop/)/[`RPOP`](https://redis.io/commands/rpop/)/[`LMPOP`](https://redis.io/commands/lmpop/) to pop elements from the lists.

-#### Inputs for RedisListsTrigger

-[FunctionName(nameof(ListsTrigger))]

-public static void ListsTrigger(

- [RedisListsTrigger(ConnectionString = "127.0.0.1:6379", Keys = "listTest")] RedisMessageModel model,

-### RedisStreamsTrigger

-The `RedisStreamsTrigger` pops elements from a stream and surfaces those elements to the function.

-#### Inputs for RedisStreamsTrigger

- - Default: "AzureFunctionRedisExtension"

-[FunctionName(nameof(StreamsTrigger))]

-public static void StreamsTrigger(

- [RedisStreamsTrigger(ConnectionString = "127.0.0.1:6379", Keys = "streamTest")] RedisMessageModel model,

- :::image type="content" source="media/cache-how-to-upgrade/blue-banner-upgrade-cache.png" alt-text="Screenshot informing you that you can upgrade your cache to Redis 6 with additional features. Upgrading your cache instance cannot be reversed.":::

- :::image type="content" source="media/cache-how-to-upgrade/upgrade-status.png" alt-text="Screenshot showing Overview in the Resource menu. Status shows cache is being upgraded.":::

-```

-description: Understand usage of Azure Data Explorer input bindings for Azure Functions (Query data from Azure Data Explorer)

-The following example shows a [C# function](functions-dotnet-class-library.md) that retrieves a list of products given a productId. The function is triggered by an HTTP request that uses a parameter for the ID. That ID is used to retrieve a list of `Product` that matches the query.

-> The HTTP query string parameter is case-sensitive.

-The following example shows a [C# function](functions-dotnet-class-library.md) that retrieves documents returned by the query. The function is triggered by an HTTP request that uses route data to specify the value of a KQL function parameter. GetProductsByName is a simple function that retrieves a set of products that match a product name

-> The HTTP query string parameter is case-sensitive.

-The following example shows a [C# function](functions-dotnet-class-library.md) that retrieves records returned by the query (based on the name of product in this case). The function is triggered by an HTTP request that uses route data to specify the value of a query parameter. That parameter is used to filter the `Product` records in the specified query.

-More samples for the java Azure Data Explorer input binding are available in the [GitHub repository](https://github.com/Azure/Webjobs.Extensions.Kusto/tree/main/samples/samples-java).

-The examples refer to a `Product` class (in a separate file `Product.java`) and a corresponding database table:

-The following example shows a query the products table by the product name. The function is triggered by an HTTP request that uses a query string to specify the value of a query parameter. That parameter is used to filter the `Product` records in the specified query.

-The following example shows an Azure Data Explorer input binding in a function.json file and a JavaScript function that reads from a query and returns the results in the HTTP response.

-The following is binding data in the function.json file:

-The following is sample JavaScript code:

-The following example shows a query the products table by the product name. The function is triggered by an HTTP request that uses a query string to specify the value of a query parameter. That parameter is used to filter the `Product` records in the specified query.

-The following is binding data in the function.json file:

-The following is sample JavaScript code:

-* [HTTP trigger, get records using a KQL Function](#http-trigger-look-up-id-from-query-string-python)

-The following example shows an Azure Data Explorer input binding in a function.json file and a Python function that reads from a query and returns the results in the HTTP response.

-The following is binding data in the function.json file:

-The following is sample Python code:

-The following example shows a query the products table by the product name. The function is triggered by an HTTP request that uses a query string to specify the value of a query parameter. That parameter is used to filter the `Product` records in the specified query.

-The following is binding data in the function.json file:

-The following is sample Python code:

-The [C# library](functions-dotnet-class-library.md) uses the [KustoAttribute](https://github.com/Azure/Webjobs.Extensions.Kusto/blob/main/src/KustoAttribute.cs) attribute to declare the Azure Data Explorer bindings on the function, which has the following properties:

-| **Database** | Required. The database against which the query has to be executed. |

-| **Connection** | Required. The _**name**_ of the variable that holds the connection string, resolved through environment variables or through function app settings. Defaults to look up on the variable _**KustoConnectionString**_, at runtime this variable is looked up against the environment. Documentation on connection string can be found at [Kusto connection strings](/azure/data-explorer/kusto/api/connection-strings/kusto) for example:`"KustoConnectionString": "Data Source=https://your_cluster.kusto.windows.net;Database=your_Database;Fed=True;AppClientId=your_AppId;AppKey=your_AppKey;Authority Id=your_TenantId` |

-| **KqlCommand** | Required. The KqlQuery that has to be executed. Can be a KQL query or a KQL Function call|

-| **KqlParameters** | Optional. Parameters that act as predicate variables for the KqlCommand. For example "@name={name},@Id={id}" where the parameters {name} and {id} is substituted at runtime with actual values acting as predicates. Neither the parameter name nor the parameter value can contain a comma (`,`) or an equals sign (`=`). |

-| **ManagedServiceIdentity** | Optional. A managed identity can be used to connect to Azure Data Explorer. To use a System managed identity, use "system", any other identity names are interpreted as user managed identity |

-In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), uses the [`@KustoInput`](https://github.com/Azure/Webjobs.Extensions.Kusto/blob/main/java-library/src/main/java/com/microsoft/azure/functions/kusto/annotation/KustoInput.java) annotation (`com.microsoft.azure.functions.kusto.annotation.KustoInput`):

-| **name** | Required. The name of the variable that represents the query results in function code. |

-| **database** | Required. The database against which the query has to be executed. |

-| **connection** | Required. The _**name**_ of the variable that holds the connection string, resolved through environment variables or through function app settings. Defaults to look up on the variable _**KustoConnectionString**_, at runtime this variable is looked up against the environment. Documentation on connection string can be found at [Kusto connection strings](/azure/data-explorer/kusto/api/connection-strings/kusto) for example:`"KustoConnectionString": "Data Source=https://your_cluster.kusto.windows.net;Database=your_Database;Fed=True;AppClientId=your_AppId;AppKey=your_AppKey;Authority Id=your_TenantId` |

-| **kqlCommand** | Required. The KqlQuery that has to be executed. Can be a KQL query or a KQL Function call|

-|**kqlParameters** | Optional. Parameters that act as \predicate variables for the KqlCommand. For example "@name={name},@Id={id}" where the parameters {name} and {id} is substituted at runtime with actual values acting as predicates. Neither the parameter name nor the parameter value can contain a comma (`,`) or an equals sign (`=`). |

-| **managedServiceIdentity** | A managed identity can be used to connect to Azure Data Explorer. To use a System managed identity, use "system", any other identity names are interpreted as user managed identity|

-The following table explains the binding configuration properties that you set in the function.json file.

-|**type** | Required. Must be set to `kusto`. |

-|**direction** | Required. Must be set to `in`. |

-|**name** | Required. The name of the variable that represents the query results in function code. |

-| **database** | Required. The database against which the query has to be executed. |

-| **connection** | Required. The _**name**_ of the variable that holds the connection string, resolved through environment variables or through function app settings. Defaults to look up on the variable _**KustoConnectionString**_, at runtime this variable is looked up against the environment. Documentation on connection string can be found at [Kusto connection strings](/azure/data-explorer/kusto/api/connection-strings/kusto) for example:`"KustoConnectionString": "Data Source=https://your_cluster.kusto.windows.net;Database=your_Database;Fed=True;AppClientId=your_AppId;AppKey=your_AppKey;Authority Id=your_TenantId` |

-| **kqlCommand** | Required. The KqlQuery that has to be executed. Can be a KQL query or a KQL Function call|

-|**kqlParameters** | Optional. Parameters that act as predicate variables for the KqlCommand. For example "@name={name},@Id={id}" where the parameters {name} and {id} is substituted at runtime with actual values acting as predicates. Neither the parameter name nor the parameter value can contain a comma (`,`) or an equals sign (`=`). |

-| **managedServiceIdentity** | A managed identity can be used to connect to Azure Data Explorer. To use a System managed identity, use "system", any other identity names are interpreted as user managed identity|

-The attribute's constructor takes the **Database** and the attributes **KQLCommand**, KQLParameters, and the Connection setting name. The **KQLCommand** can be a KQL statement or a KQL function. The connection string setting name corresponds to the application setting (in `local.settings.json` for local development) that contains the [Kusto connection strings](/azure/data-explorer/kusto/api/connection-strings/kusto) for example: `"KustoConnectionString": "Data Source=https://your_cluster.kusto.windows.net;Database=your_Database;Fed=True;AppClientId=your_AppId;AppKey=your_AppKey;Authority Id=your_TenantId`. Queries executed by the input binding are parameterized and the values provided in the KQLParameters are used at runtime.

-* [Save data to a table (Output binding)](functions-bindings-azure-data-explorer-output.md)

-description: Understand usage of Azure Data Explorer output bindings for Azure Functions (Ingest data to Azure Data Explorer)

-The following example shows a [C# function](functions-dotnet-class-library.md) that adds a record to a database, using data provided in an HTTP POST request as a JSON body.

-The following example shows a [C# function](functions-dotnet-class-library.md) that adds records to a database in two different tables (`Products` and `ProductsChangeLog`), using data provided in an HTTP POST request as a JSON body and multiple output bindings.

-The following example shows a [C# function](functions-dotnet-class-library.md) that ingests a set of records to a table, using data provided in an HTTP POST body JSON array.

-The following example shows a [C# function](functions-dotnet-class-library.md) that adds a record to a database, using data provided in an HTTP POST request as a JSON body.

-The following example shows a [C# function](functions-dotnet-class-library.md) that adds a collection of records to a database, using a mapping that transforms a `Product` to `Item`.

-To transform data from `Product` to `Item`, the function uses a mapping reference

-More samples for the java Azure Data Explorer input binding are available in the [GitHub repository](https://github.com/Azure/Webjobs.Extensions.Kusto/tree/main/samples/samples-java).

-The following example shows an Azure Data Explorer output binding in a Java function that adds a product record to a table, using data provided in an HTTP POST request as a JSON body. The function takes another dependency on the [com.fasterxml.jackson.core](https://github.com/FasterXML/jackson) library to parse the JSON body.

-The following example shows an Azure Data Explorer output binding in a Java function that adds records to a database in two different tables (`Product` and `ProductChangeLog`), using data provided in an HTTP POST request as a JSON body and multiple output bindings. The function takes another dependency on the [com.fasterxml.jackson.core](https://github.com/FasterXML/jackson) library to parse the JSON body.

-The examples refer to a database table:

-The examples refer to the tables `Products` and `ProductsChangeLog` (defined earlier):

-The following example shows an Azure Data Explorer output binding in a function.json file and a JavaScript function that adds records to a table, using data provided in an HTTP POST request as a JSON body.

-The following example is binding data in the function.json file:

-The following is sample JavaScript code:

-The following example shows an Azure Data Explorer output binding in a function.json file and a JavaScript function that adds records to a database in two different tables (`Products` and `ProductsChangeLog`), using data provided in an HTTP POST request as a JSON body and multiple output bindings.

-The following is binding data in the function.json file:

-The following is sample JavaScript code:

-The examples refer to the tables `Products` and `ProductsChangeLog` (defined earlier):

-The following example shows an Azure Data Explorer output binding in a function.json file and a Python function that adds records to a table, using data provided in an HTTP POST request as a JSON body.

-The following is binding data in the function.json file:

-The following is sample Python code:

-The following example shows an Azure Data Explorer output binding in a function.json file and a JavaScript function that adds records to a database in two different tables (`Products` and `ProductsChangeLog`), using data provided in an HTTP POST request as a JSON body and multiple output bindings. The second table, `ProductsChangeLog`, corresponds to the following definition:

-The following is binding data in the function.json file:

-The following is sample Python code:

-The [C# library](functions-dotnet-class-library.md) uses the [KustoAttribute](https://github.com/Azure/Webjobs.Extensions.Kusto/blob/main/src/KustoAttribute.cs) attribute to declare the Azure Data Explorer bindings on the function, which has the following properties:

-| **Database** | Required. The database against which the query has to be executed. |

-| **Connection** | Required. The _**name**_ of the variable that holds the connection string, resolved through environment variables or through function app settings. Defaults to look up on the variable _**KustoConnectionString**_, at runtime this variable is looked up against the environment. Documentation on connection string can be found at [Kusto connection strings](/azure/data-explorer/kusto/api/connection-strings/kusto) for example:`"KustoConnectionString": "Data Source=https://your_cluster.kusto.windows.net;Database=your_Database;Fed=True;AppClientId=your_AppId;AppKey=your_AppKey;Authority Id=your_TenantId` .|

-| **TableName** | Required. The table to ingest the data into.|

-| **MappingRef** | Optional. attribute to pass a [mapping ref](/azure/data-explorer/kusto/management/create-ingestion-mapping-command) that is already defined in the cluster. |

-| **ManagedServiceIdentity** | Optional. A managed identity can be used to connect to Azure Data Explorer. To use a System managed identity, use "system", any other identity names are interpreted as user managed identity |

-| **DataFormat** | Optional. The default data format is `multijson/json`. This can be set to _**text**_ formats supported in the datasource format [enumeration](/azure/data-explorer/kusto/api/netfx/kusto-ingest-client-reference#enum-datasourceformat). Samples are validated and provided for csv and JSON formats. |

-In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), uses the [`@KustoInput`](https://github.com/Azure/Webjobs.Extensions.Kusto/blob/main/java-library/src/main/java/com/microsoft/azure/functions/kusto/annotation/KustoInput.java) annotation (`com.microsoft.azure.functions.kusto.annotation.KustoOutput`):

-| **name** | Required. The name of the variable that represents the query results in function code. |

-| **database** | Required. The database against which the query has to be executed. |

-| **connection** | Required. The _**name**_ of the variable that holds the connection string, resolved through environment variables or through function app settings. Defaults to look up on the variable _**KustoConnectionString**_, at runtime this variable is looked up against the environment. Documentation on connection string can be found at [Kusto connection strings](/azure/data-explorer/kusto/api/connection-strings/kusto) for example:`"KustoConnectionString": "Data Source=https://your_cluster.kusto.windows.net;Database=your_Database;Fed=True;AppClientId=your_AppId;AppKey=your_AppKey;Authority Id=your_TenantId` |

-| **tableName** | Required. The table to ingest the data into.|

-| **mappingRef** | Optional. attribute to pass a [mapping ref](/azure/data-explorer/kusto/management/create-ingestion-mapping-command) that is already defined in the cluster. |

-| **dataFormat** | Optional. The default data format is `multijson/json`. This can be set to _**text**_ formats supported in the datasource format [enumeration](/azure/data-explorer/kusto/api/netfx/kusto-ingest-client-reference#enum-datasourceformat). Samples are validated and provided for csv and JSON formats. |

-| **managedServiceIdentity** | A managed identity can be used to connect to Azure Data Explorer. To use a System managed identity, use "system", any other identity names are interpreted as user managed identity|

-The following table explains the binding configuration properties that you set in the function.json file.

-|**type** | Required. Must be set to `kusto`. |

-|**direction** | Required. Must be set to `out`. |

-|**name** | Required. The name of the variable that represents the query results in function code. |

-| **database** | Required. The database against which the query has to be executed. |

-| **connection** | Required. The _**name**_ of the variable that holds the connection string, resolved through environment variables or through function app settings. Defaults to look up on the variable _**KustoConnectionString**_, at runtime this variable is looked up against the environment. Documentation on connection string can be found at [Kusto connection strings](/azure/data-explorer/kusto/api/connection-strings/kusto) for example: `"KustoConnectionString": "Data Source=https://your_cluster.kusto.windows.net;Database=your_Database;Fed=True;AppClientId=your_AppId;AppKey=your_AppKey;Authority Id=your_TenantId` |

-| **tableName** | Required. The table to ingest the data into.|

-| **mappingRef** | Optional. attribute to pass a [mapping ref](/azure/data-explorer/kusto/management/create-ingestion-mapping-command) that is already defined in the cluster. |

-| **dataFormat** | Optional. The default data format is `multijson/json`. This can be set to _**text**_ formats supported in the datasource format [enumeration](/azure/data-explorer/kusto/api/netfx/kusto-ingest-client-reference#enum-datasourceformat). Samples are validated and provided for csv and JSON formats. |

-| **managedServiceIdentity** | A managed identity can be used to connect to Azure Data Explorer. To use a System managed identity, use "system", any other identity names are interpreted as user managed identity|

-The attribute's constructor takes the Database and the attributes TableName, MappingRef, DataFormat and the Connection setting name. The **KQLCommand** can be a KQL statement or a KQL function. The connection string setting name corresponds to the application setting (in `local.settings.json` for local development) that contains the [Kusto connection strings](/azure/data-explorer/kusto/api/connection-strings/kusto) for example:`"KustoConnectionString": "Data Source=https://your_cluster.kusto.windows.net;Database=your_Database;Fed=True;AppClientId=your_AppId;AppKey=your_AppKey;Authority Id=your_TenantId`. Queries executed by the input binding are parameterized and the values provided in the KQLParameters are used at runtime.

-* [Read data from a table (Input binding)](functions-bindings-azure-data-explorer-input.md)

-## Install extension

-The extension NuGet package you install depends on the C# mode you're using in your function app:

-Functions execute in the same process as the Functions host. To learn more, see [Develop C# class library functions using Azure Functions](functions-dotnet-class-library.md).

-Add the extension to your project by installing this [NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Kusto).

-Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

-Add the extension to your project by installing this [NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Kusto/).

-## Install bundle

-Azure Data Explorer bindings extension is part of a preview [extension bundle], which is specified in your host.json project file.

-You can add the preview extension bundle by adding or replacing the following code in your `host.json` file:

-Azure Data Explorer bindings for Azure Functions aren't available for the v3 version of the functions runtime.

-> Python language support for the Azure Data Explorer bindings extension is available starting with v4.6.0 or later of the [functions runtime](set-runtime-version.md#view-and-update-the-current-runtime-version). You may need to update your install of Azure Functions [Core Tools](functions-run-local.md) for local development.

-## Install bundle

-The Azure Data Explorer bindings extension is part of a preview [extension bundle], which is specified in your host.json project file.

-You can add the preview extension bundle by adding or replacing the following code in your `host.json` file:

-Azure Data Explorer bindings for Azure Functions aren't available for the v3 version of the functions runtime.

-## Install bundle

-Azure Data Explorer bindings extension is part of a preview [extension bundle], which is specified in your host.json project file.

-You can add the preview extension bundle by adding or replacing the following code in your `host.json` file:

-Azure Data Explorer bindings for Azure Functions aren't available for the v3 version of the functions runtime.

-Add the Java library for Azure Data Explorer bindings to your functions project with an update to the `pom.xml` file in your Python Azure Functions project, as follows:

-> [!NOTE]

-> Configuration source customization is available beginning in Azure Functions host versions 2.0.14192.0 and 3.0.14191.0.

-> [!IMPORTANT]

-> For function apps running in the Consumption or Premium plans, modifications to configuration values used in triggers can cause scaling errors. Any changes to these properties by the `FunctionsStartup` class results in a function app startup error.

-# [Windows](#tab/windows-setting-the-node-version)

-For Windows function apps, target the version in Azure by setting the `WEBSITE_NODE_DEFAULT_VERSION` [app setting](functions-how-to-use-azure-function-app-settings.md#settings) to a supported LTS version, such as `~18`.

-# [Linux](#tab/linux-setting-the-node-version)

-For Linux function apps, run the following Azure CLI command to update the Node version.

-```azurecli

-az functionapp config set --linux-fx-version "node|18" --name "<MY_APP_NAME>" --resource-group "<MY_RESOURCE_GROUP_NAME>"

-To learn more about Azure Functions runtime support policy, refer to this [article](./language-support-policy.md).

-|Node 12|30 Apr 2022|13 December 2022|

- 2. Import the *Azure Maps Indoor* module JavaScript and Style Sheet in a source file:

-description: Learn how to use the Spatial IO module provided by the Azure Maps Web SDK. This module provides robust features to make it easy for developers to integrate spatial data with the Azure Maps web sdk.

-In this guide, we'll learn how to integrate and use the Spatial IO module in a web application.

-> Only use data and services that are from a source you trust, especially if referencing it from another domain. The spatial IO module does take steps to minimize risk, however the safest approach is too not allow any danagerous data into your application to begin with.

-* An [Azure Maps account]

-* A [subscription key]

-* The globally hosted Azure CDN for the Azure Maps spatial IO module. For this option, you add a reference to the JavaScript in the `<head>` element of the HTML file.

-* The source code for [azure-maps-spatial-io](https://www.npmjs.com/package/azure-maps-spatial-io) can be loaded locally, and then hosted with your app. This package also includes TypeScript definitions. For this option, use the following command to install the package:

-2. Load the Azure Maps Web SDK and initialize the map control. See the [Azure Maps map control](./how-to-use-map-control.md) guide for the details. Once you're done with this step, your HTML file should look like this:

-2. Load the Azure Maps spatial IO module. For this exercise, use the CDN for the Azure Maps spatial IO module. Add the reference below to the `<head>` element of your HTML file:

-3. Initialize a `datasource`, and add the data source to the map. Initialize a `layer`, and add the data source to the map layer. Then, render both the data source and the layer. Before you scroll down to see the full code in the next step, think about the best places to put the data source and layer code snippets. Recall that, before we programmatically manipulate the map, we should wait until the map resource are ready.

-4. Putting it all together, your HTML code should look like the following code. This sample demonstrates how to read an XML file from a URL. Then, load and display the file's feature data on the map.

-5. Remember to replace `<Your Azure Maps Key>` with your subscription key. Open your HTML file, and you'll see results similar to the following image:

-The feature we demonstrated here is only one of the many features available in the Spatial IO module. Read the guides below to learn how to use other functionalities in the Spatial IO module:

-> [Add a simple data layer](spatial-io-add-simple-data-layer.md)

-> [Read and write spatial data](spatial-io-read-write-spatial-data.md)

-> [Add an OGC map layer](spatial-io-add-ogc-map-layer.md)

-> [Connect to a WFS service](spatial-io-connect-wfs-service.md)

-> [Leverage core operations](spatial-io-core-operations.md)

-> [Supported data format details](spatial-io-supported-data-format-details.md)

-> [Azure Maps Spatial IO package](/javascript/api/azure-maps-spatial-io/)

-This article shows you how to view the API usage metrics, for your Azure Maps account, in the [Azure portal](https://portal.azure.com). The metrics are shown in a convenient graph format along a customizable time duration.

-1. Sign in to your Azure subscription in the [portal](https://portal.azure.com).

-> [!div class="nextstepaction"]

-> [Azure Maps Web SDK How-To](how-to-use-map-control.md)

-> [!div class="nextstepaction"]

-> [Azure Maps Android SDK How-To](how-to-use-android-map-control-library.md)

-> [Azure Maps REST API documentation](/rest/api/maps)

-For more information, see the [Navigating the map](how-to-use-ios-map-control-library.md) article on how to interact with the map and trigger events.

-> [Drawing tools accessibility](drawing-tools-interactions-keyboard-shortcuts.md)

-> [Accessibility in Action Digital Badge learning path](https://techcommunity.microsoft.com/t5/microsoft-learn/how-to-get-accessibility-in-action-badge/m-p/1735188)

-> [Developing accessible apps](https://developer.microsoft.com/windows/accessible-apps)

-> [WAI-ARIA Overview](https://www.w3.org/WAI/standards-guidelines/aria/)

-> [Web Accessibility Evaluation Tool (WAVE)](https://wave.webaim.org/)

-> [WebAim color contrast checker](https://webaim.org/resources/contrastchecker/)

-> [No Coffee Vision Simulator](https://uxpro.cc/toolbox/nocoffee/)

-Be sure to complete the steps in the [Quickstart: Create an Android app](quick-android-map.md) document. Code blocks in this article can be inserted into the maps `onReady` event handler.

-> [Create a data source](create-data-source-android-sdk.md)

-> [Cluster point data](clustering-point-data-android-sdk.md)

-> [Add a symbol layer](how-to-add-symbol-to-android-map.md)

-> [Use data-driven style expressions](data-driven-style-expressions-android-sdk.md)

-> [Display feature information](display-feature-information-android.md)

-> [BubbleLayer](/javascript/api/azure-maps-control/atlas.layer.bubblelayer)

-> [BubbleLayerOptions](/javascript/api/azure-maps-control/atlas.bubblelayeroptions)

-> [Create a data source](create-data-source-web-sdk.md)

-> [Add a symbol layer](map-add-pin.md)

-> [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md)

-> [Code samples](/samples/browse/?products=azure-maps)

-This article shows you how to add controls to a map. You'll also learn how to create a map with all controls and a [style picker].

-Multiple controls can be put into an array and added to the map all at once and positioned in the same area of the map to simplify development. The following adds the standard navigation controls to the map using this approach.

-The following code creates an HTML marker, and sets the color property to "DodgerBlue" and the text property to "10". A popup is attached to the marker and `click` event is used to toggle the visibility of the popup.

-This article shows you how to use the Drawing Tools module and display the drawing toolbar on the map. The [DrawingToolbar](/javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar) control adds the drawing toolbar on the map. You will learn how to create maps with only one and all drawing tools and how to customize the rendering of the drawing shapes in the drawing manager.

-The following code gets the rendering layers from the drawing manager and modifies their options to change rendering style for drawing. In this case, points will be rendered with a blue marker icon. Lines will be red and four pixels wide. Polygons will have a green fill color and an orange outline. It then changes the styles of the drag handles to be square icons.

-Learn how to use additional features of the drawing tools module:

-> [Get shape data](map-get-shape-data.md)

-> [React to drawing events](drawing-tools-events.md)

-> [Interaction types and keyboard shortcuts](drawing-tools-interactions-keyboard-shortcuts.md)

-> [Map](/javascript/api/azure-maps-control/atlas.map)

-> [Drawing toolbar](/javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar)

-> [Drawing manager](/javascript/api/azure-maps-drawing-tools/atlas.drawing.drawingmanager)

-Be sure to complete the steps in the [Quickstart: Create an Android app](quick-android-map.md) document. Code blocks in this article can be inserted into the maps `onReady` event handler.

-The following code sample loads a GeoJSON feed of earthquakes from the past week and renders them as a heat map. Each data point is rendered with a radius of 10 pixels at all zoom levels. To ensure a better user experience, the heat map is below the label layer so the labels stay clearly visible. The data in this sample is from the [USGS Earthquake Hazards Program](https://earthquake.usgs.gov/). This sample loads GeoJSON data from the web using the data import utility code block provided in the [Create a data source](create-data-source-android-sdk.md) document.

-This following is an example of a heat map where a liner interpolation expression is used to create a smooth color gradient. The `mag` property defined in the data is used with an exponential interpolation to set the weight or relevance of each data point.

-The `zoom` expression can only be used in `step` and `interpolate` expressions. The following expression can be used to approximate a radius in meters. This expression uses a placeholder `radiusMeters` which you should replace with your desired radius. This expression calculates the approximate pixel radius for a zoom level at the equator for zoom levels 0 and 24, and uses an `exponential interpolation` expression to scale between these values the same way the tiling system in the map works.

-> [Create a data source](create-data-source-android-sdk.md)

-> [Use data-driven style expressions](data-driven-style-expressions-android-sdk.md)

- Then, import the JavaScript and CSS stylesheet in a source file:

-Similarly, when the map initially loads often it's desired to load data on it as quickly as possible, so the user isn't looking at an empty map. Since the map loads resources asynchronously, you have to wait until the map is ready to be interacted with before trying to render your own data on it. There are two events you can wait for, a `load` event and a `ready` event. The load event will fire after the map has finished completely loading the initial map view and every map tile has loaded. The ready event fires when the minimal map resources needed to start interacting with the map. The ready event can often fire in half the time of the load event and thus allow you to start loading your data into the map sooner.

-[Simple Symbol Animation sample code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Animations/Simple%20Symbol%20Animation/Simple%20Symbol%20Animation.html

-For example, assume we've set the preceding alert rule to monitor for CPU above 70%. In the evaluated time period, that is, the last 5 minutes:

-The alert rule triggers on *myVM1* but not *myVM2*. These triggered alerts are independent. They can also resolve at different times depending on the individual behavior of each of the virtual machines.

- - **Metric**: *Percentage CPU*

- - **Threshold**: *70*

- - **Metric**: *Network In Total*

- * API name = *GetBlob, DeleteBlob, PutPage*

-> If you don't already have one, now is a great time to [Create an Application Insights Resource](create-workspace-resource.md#create-a-workspace-based-resource).

-| ASimNetworkSessionLogs, ASimWebSessionLogs | |

-| AUIEventsAudit | |

-| AUIEventsOperational | |

-| NetworkMonitoring | |

-| SfBAssessmentRecommendation | |

-| SfBOnlineAssessmentRecommendation | |

-| StorageAntimalwareScanResults | |

-| UCDOAggregatedStatus | |

-| W3CIISLog | Partial support. Data arriving from the Azure Monitor Agent is fully supported in export. Data arriving via the Diagnostics extension agent is collected through storage. This path isn't supported in export. |

-Azure SQL Edge is built on the latest version of the SQL Database Engine. It supports a subset of the features supported in SQL Server 2019 on Linux, in addition to some features that are currently not supported or available in SQL Server 2019 on Linux (or in SQL Server on Windows).

-For a complete list of the features supported in SQL Server on Linux, see [Editions and supported features of SQL Server 2019 on Linux](/sql/linux/sql-server-linux-editions-and-components-2019). For editions and supported features of SQL Server on Windows, see [Editions and supported features of SQL Server 2019 (15.x)](/sql/sql-server/editions-and-components-of-sql-server-version-15).

- | **Plan** | **Description** |

- | | |

- | Azure SQL Edge Developer | For development only. Each Azure SQL Edge Developer container is limited to a maximum of 4 cores and 32 GB of RAM. |

- | Azure SQL Edge | For production. Each Azure SQL Edge container is limited to a maximum of 8 cores and 64 GB of RAM. |

-Azure SQL Edge only supports the database engine. It doesn't include support for other components available with SQL Server 2019 on Windows or with SQL Server 2019 on Linux. Specifically, Azure SQL Edge doesn't support SQL Server components like Analysis Services, Reporting Services, Integration Services, Master Data Services, Machine Learning Services (In-Database), and Machine Learning Server (standalone).

-The following list includes the SQL Server 2019 on Linux features that aren't currently supported in Azure SQL Edge.

-| **Database Design** | In-memory OLTP, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

-| | `HierarchyID` data type, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

-| | `Spatial` data type, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

-| | Stretch DB, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

-| | Full-text indexes and search, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

-| | `FileTable`, `FILESTREAM`, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

-| | Language extensibility through Java and Spark. |

-| | Active Directory integration. |

-| | Database Auto Shrink. The Auto shrink property for a database can be set using the `ALTER DATABASE <database_name> SET AUTO_SHRINK ON` command, however that change has no effect. The automatic shrink task won't run against the database. Users can still shrink the database files using the 'DBCC' commands. |

-| | Database snapshots. |

-| | Support for persistent memory. |

-| | Microsoft Distributed Transaction Coordinator. |

-| | Resource governor and IO resource governance. |

-| | Buffer pool extension. |

-| | Distributed query with third-party connections. |

-| | Linked servers. |

-| | System extended stored procedures (such as `XP_CMDSHELL`). |

-| | CLR assemblies, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

-| | CLR-dependent T-SQL functions, such as `ASSEMBLYPROPERTY`, `FORMAT`, `PARSE`, and `TRY_PARSE`. |

-| | CLR-dependent date and time catalog views, functions, and query clauses. |

-| | Buffer pool extension. |

-| | Database mail. |

-| **SQL Server Agent** | Subsystems: CmdExec, PowerShell, Queue Reader, SSIS, SSAS, and SSRS. |

-| | Alerts. |

-| | Managed backup. |

-| **High Availability** | Always On availability groups. |

-| | Basic availability groups. |

-| | Always On failover cluster instance. |

-| | Database mirroring. |

-| | Hot add memory and CPU. |

-| **Security** | Extensible key management. |

-| | Active Directory integration. |

-| | Support for secure enclaves. |

-| **Services** | SQL Server Browser. |

-| | Machine Learning through R and Python. |

-| | StreamInsight. |

-| | Analysis Services. |

-| | Reporting Services. |

-| | Data Quality Services. |

-| | Master Data Services. |

-| | Distributed Replay. |

-| **Manageability** | SQL Server Utility Control Point. |

-# Azure SQL Edge release notes

-SQL engine build 15.0.2000.1574

-SQL engine build 15.0.2000.1565

-SQL engine build 15.0.2000.1562

-SQL engine build 15.0.2000.1559

- - Improvements in handling of null data in PREDICT for ONNX

-SQL engine build 15.0.2000.1557

-

-SQL engine build 15.0.2000.1557

- - Fix in ownership and permissions for streaming objects

- - Logging improvements with log rotation and log prefixing

- - Azure Stream Analytics: Logging improvements, improve error code/ error messages in adapters

- - Bug fixes for parallel query scenario and model cleanup failures

- - Upgraded ONNX runtime to 1.5.1

-SQL engine build 15.0.2000.1553

-SQL engine build 15.0.2000.1552

- - Ring buffer support for a retention cleanup task for troubleshooting

- - Fast recovery

- - Automatic tuning of queries

- - Parallel-execution scenarios

- - [Snapshot windows](/stream-analytics-query/snapshot-window-azure-stream-analytics): A new window type allows you to group by events that arrive at the same time.

- - [TopOne](/stream-analytics-query/topone-azure-stream-analytics) and [CollectTop](/stream-analytics-query/collecttop-azure-stream-analytics) can be enabled as analytic functions. You can return records ordered by the column of your choice. They don't need to be part of a window.

- - Improvements to [MATCH_RECOGNIZE](/stream-analytics-query/match-recognize-stream-analytics).

- - Cleanup for stopped streaming jobs

- - Fixes for localization

- - Improved Unicode handling

- - Improved debugging for SQL Edge T-SQL streaming, allowing users to query job-failure errors from get_streaming_job

- - Fixes for retention-policy creation and cleanup scenarios

-### Known issues

-SQL engine build 15.0.2000.1549

- - DDL support for enabling the retention policy

- - Cleanup for stored procedures and the background cleanup task

- - Extended events to monitor cleanup tasks

- - Fix for stuck watermark in the substreamed hopping window

- - Fix for framework exception handling to make sure it's collected as a user-actionable error

-SQL engine build 15.0.2000.1546

- - Support for Unicode characters for stream object names

- - Process cleanup improvements

- - Logging and diagnostics improvements

-## CTP 2.1

-SQL engine build 15.0.2000.1545

-## CTP 2.0

-SQL engine build 15.0.2000.1401

- - Support for Date, Time, and DateTime types

- - ONNX requirement for the RUNTIME parameter

-

-You can request support on the [support page](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). Select the following fields:

-SQL engine build 15.0.2000.1331

- - Support for the DateTimeOffset type

- - NVARCHAR support

-

-SQL engine build 15.0.2000.1247

- - VARCHAR support

- - Migration to ONNX runtime version 1.0

-

-SQL engine build 15.0.2000.1147

- - Support for deploying AMD64 and ARM images

-You cannot run the downloaded executable on the same backed-up VM if the backed up VM has Windows Storage Spaces. Choose an alternate machine.

-|Component | Version |

-| | - |

-| bash | 4 and above |

-| Python | 2.6.6 and above |

-| .NET | 4.6.2 and above |

-| TLS | 1.2 should be supported |

- 

-Any file Access Control List (ACL) present in the parent/backed up VM is preserved in the mounted file system as well.

-| Description | Adds a time delay before, between, or after other actions. This fault is useful for waiting for the effect of a fault to appear in a service, or for waiting for an activity outside of the experiment to complete. An example is waiting for autohealing to occur before injecting another fault. |

-az role assignment create --role "Azure Kubernetes Cluster Admin Role" --assignee-object-id $EXPERIMENT_PRINCIPAL_ID --scope $RESOURCE_ID

-### Azure Container Instance Id

-| Container Subnet Name | Defaults to `cloudshellsubnet`. Enter the name of the subnet containing your container. |

-| Instance details | Value |

-| | -- |

-| Region | Prefilled with your default region.<br>For this example, we're using `East US`. |

-| Existing VNET Name | For this example, we're using `vnet-cloudshell-eastus`. |

-| Existing Storage Subnet Name | Fill in the name of the resource created by the network template. |

-| Existing Container Subnet Name | Fill in the name of the resource created by the network template. |

-| Storage Account Name | Create a name for the new storage account.<br>For this example, we're using `MyVnetStorage`. |

-| File Share Name | Defaults to `acsshare`. Enter the name of the file share want to create. |

-| Resource Tags | Defaults to `{"Environment":"cloudshell"}`. Leave unchanged or add more tags. |

-| Location | Defaults to `[resourceGroup().location]`. Leave unchanged. |

-You can use Image Analysis through a client library SDK or by calling the [REST API](https://aka.ms/vision-4-0-ref) directly. Follow the [quickstart](quickstarts-sdk/image-analysis-client-library.md) to get started.

-> [Quickstart](quickstarts-sdk/image-analysis-client-library.md)