SSO gives admins a secure way to manage sign-ins across multiple apps with a single set of credentials: organizations see fewer sign-in prompts and employees can sign in with one click. It works with Microsoft services such as Office 365 in Azure AD, and also with third-party tools such as SAP and Workday. Now that SSO is unlimited and free, Microsoft says any customer using Azure, Office 365, Dynamics and Power Platform can access the feature across all their cloud apps. That was not all Microsoft announced regarding Azure AD. In a blog post, the company discussed several important new features. Among them is the public preview of dynamic group rule validation. Administrative units have also been announced in public preview; the feature allows admins to group users and devices efficiently and then manage them more easily. Several tools also moved to general availability, including bulk operations, token configuration, and SAML token encryption.
Full changelog
“Dynamic groups rule validation (Public Preview)—Dynamic groups allow administrators to set rules based on user attributes to populate group memberships. Now we have added the ability for you to validate your rules by checking if specific users will be members of a dynamic group or not. This will make it easier to troubleshoot and update rules for dynamic groups.

Administrative units (Public Preview)—Administrative units allow you to logically group users and devices and then delegate administration of those users and devices. For example, a User account admin can update profile information, reset passwords and assign licenses only for users in their administrative unit. This is especially useful for organizations with multiple independent departments, each having their own IT admins responsible for their department.

Bulk operations for users and groups (GA)—You can now import or export users and groups in the directory using a CSV file! This lets you create or delete users, update group memberships as well as download users, groups and group memberships. You can also use this to invite guest users or restore deleted users.

Token configuration (GA)—Azure AD issues tokens with a default set of claims. Token configuration allows you to customize access tokens, ID tokens and SAML tokens to include additional claims. These additional claims allow you to get more details about a user when they get authenticated into your application. You can also configure how groups are represented in claims. For example, instead of using the objectID of groups in the claims, you can choose group names as claims or have groups be emitted as roles for applications that require these to be role claims.

SAML token encryption (GA)—Azure AD already sends SAML tokens on an encrypted HTTPS transport channel. In addition to this, you can now also configure encryption of SAML tokens. This provides additional assurance where needed that the content of the token can’t be intercepted, and personal or corporate data can’t be compromised.

Invite internal users to B2B collaboration (Public Preview)—If you have been managing external users similar to regular users in your directory, you can now change them to guest users and take advantage of the benefits offered by Azure AD B2B. The users will retain their user ID, user principal name, group memberships as well as app assignments. This provides better governance over your external users, without needing to manually delete and re-invite the user.

Redesigned B2B collaboration invitation emails (GA)—External users invited through B2B collaboration will soon see a new design of the invitation email. The new design provides external users with more clarity to help make an informed decision for accepting the invitation.

Secure access to SAML-based applications with Azure AD B2C (GA)—You can now integrate a SAML application with Azure AD B2C. Acting as a SAML identity provider (IdP), Azure AD B2C helps you offer many authentication options to your users without the need to change the application’s existing SAML authentication library. All OIDC, OAuth, and SAML-based identity providers such as Salesforce, Facebook, Google, and Active Directory Federation Services (ADFS) can be offered to your users.

Report-only mode for Azure AD Conditional Access (GA)—Sometimes it is useful to understand how many users will be impacted if you deploy a new Conditional Access policy. With report-only mode, you can now evaluate the impact of a policy before you choose to enforce it. Testing your policies and making any corrections allows you to be more in control of how your policies are rolled out and how they affect your end users.

Combined MFA and password reset registration (GA)—This new combined security information registration experience makes it easy for your users to register for MFA and Self-Service Password Reset (SSPR) in a simple step-by-step process.

Continuous Access Evaluation (GA)—Continuous Access Evaluation (CAE) is a step towards further enhancing security in your environment. It allows timely response to policy violations or security issues that may occur after access is granted. We are implementing our initial approach to CAE in Exchange and Teams.”
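The dynamic group rule validation described in the changelog above checks whether specific users would land in a group before the rule goes live. The following is an added example, not Microsoft's code, that does the same offline for a subset of the membership rule syntax (user.<attribute> with -eq, -ne, -contains and -startsWith, combined with -and, -or, -not and parentheses); it assumes case-insensitive string matching and treats a missing attribute as an empty string, and the users and rule are constructed samples.

```python
import re
_TOKEN = re.compile(r'\(|\)|"[^"]*"|-[A-Za-z]+|user\.[A-Za-z]+')  # the rule subset handled here
_CMP = {"-eq": lambda a, b: a == b, "-ne": lambda a, b: a != b,
        "-contains": lambda a, b: b in a, "-startswith": lambda a, b: a.startswith(b)}

class RuleParser:
    # Recursive descent over: expr := term (-or term)*, term := factor (-and factor)*,
    # factor := -not factor | '(' expr ')' | user.<attr> -op "value"
    def __init__(self, rule):
        self.toks, self.i = _TOKEN.findall(rule), 0
        squash = lambda s: re.sub(r"\s+", "", s)  # text the tokenizer skipped is unsupported syntax
        if squash("".join(self.toks)) != squash(rule): raise ValueError("unsupported rule syntax")
    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else ""
    def take(self):  # returns "" past the end, which every caller rejects
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else ""
    def expr(self): return self._binary("-or", self.term)
    def term(self): return self._binary("-and", self.factor)
    def _binary(self, op, sub):
        node = sub()
        while self.peek() == op: self.take(); node = (op, node, sub())
        return node
    def factor(self):
        if self.peek() == "-not": self.take(); return ("-not", self.factor())
        if self.peek() == "(":
            self.take(); node = self.expr()
            if self.take() != ")": raise ValueError("missing ')'")
            return node
        prop, op, val = self.take(), self.take().lower(), self.take()
        if not prop.startswith("user.") or op not in _CMP or not val.startswith('"'):
            raise ValueError(f"unsupported comparison: {prop} {op} {val}")
        return ("cmp", prop[5:], op, val.strip('"'))

def evaluate(node, user):
    # Assumed here: matching is case-insensitive and a missing attribute reads as "".
    if node[0] == "-or": return evaluate(node[1], user) or evaluate(node[2], user)
    if node[0] == "-and": return evaluate(node[1], user) and evaluate(node[2], user)
    if node[0] == "-not": return not evaluate(node[1], user)
    return _CMP[node[2]](str(user.get(node[1], "")).lower(), node[3].lower())

def validate_rule(rule, users):
    # Map each candidate user's UPN to whether the rule would make them a member.
    parser = RuleParser(rule); tree = parser.expr()
    if parser.i != len(parser.toks): raise ValueError(f"unexpected token {parser.toks[parser.i]!r}")
    return {u["userPrincipalName"]: evaluate(tree, u) for u in users}

USERS = [{"userPrincipalName": "alice@contoso.example", "department": "Sales", "country": "US"},  # constructed
         {"userPrincipalName": "bob@contoso.example", "department": "Sales", "jobTitle": "Intern"},
         {"userPrincipalName": "carol@contoso.example", "department": "Engineering"}]
RULE = '(user.department -eq "Sales") -and -not (user.jobTitle -startsWith "Intern")'
```

Running `validate_rule(RULE, USERS)` reports alice as the only member; a malformed rule (unbalanced parentheses, an unsupported operator, or an unquoted value) raises ValueError instead of silently matching nobody.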