Manage Lifecycle Workflows with Microsoft Security CoPilot in Microsoft Entra

January 2025
Public Preview - Manage Lifecycle Workflows with Microsoft Security CoPilot in Microsoft Entra
Type: New feature
Service category: Lifecycle Workflows
Product capability: Identity Governance

Customers can now manage, and customize, Lifecycle Workflows using natural language with Microsoft Security CoPilot. Our Lifecycle Workflows (LCW) Copilot solution provides step-by-step guidance to perform key workflow configuration and execution tasks using natural language. It allows customers to quickly get rich insights to help monitor, and troubleshoot, workflows for compliance. For more information, see: Manage employee lifecycle using Microsoft Security Copilot (Preview).

General Availability - Microsoft Entra PowerShell
Type: New feature
Service category: MS Graph
Product capability: Developer Experience

Manage and automate Microsoft Entra resources programmatically with the scenario-focused Microsoft Entra PowerShell module. For more information, see: Microsoft Entra PowerShell module now generally available.

General Availability - Improving visibility into downstream tenant sign-ins
Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft Security wants to ensure that all customers are aware of how to notice when a partner is accessing a downstream tenant's resources. Interactive sign-in logs currently provide a list of sign in events, but there's no clear indication of which logins are from partners accessing downstream tenant resources. For example, when reviewing the logs, you might see a series of events, but without any additional context, it’s difficult to tell whether these logins are from a partner accessing another tenant’s data.

Here's a list of steps that one can take to clarify which logins are associated with partner tenants:

Take note of the "ServiceProvider" value in the CrossTenantAccessType column:
This filter can be applied to refine the log data. When activated, it immediately isolates events related to partner logins.
Utilize the "Home Tenant ID" and "Resource Tenant ID" Columns:
These two columns identify logins coming from the partner’s tenant to a downstream tenant.
After seeing a partner logging into a downstream tenant’s resources, an important follow-up activity to perform is to validate the activities that might have occurred in the downstream environment. Some examples of logs to look at are Microsoft Entra Audit logs for Microsoft Entra ID events, Microsoft 365 Unified Audit Log (UAL) for Microsoft 365 and Microsoft Entra ID events, and/or the Azure Monitor activity log for Azure events. By following these steps, you're able to clearly identify when a partner is logging into a downstream tenant’s resources and subsequent activity in the environment, enhancing your ability to manage and monitor cross-tenant access efficiently.

To increase visibility into the aforementioned columns, Microsoft Entra will begin enabling these columns to display by default when loading the sign-in logs UX starting on March 7, 2025.

Public Preview - Auditing administrator events in Microsoft Entra Connect
Type: New feature
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect

We have released a new version of Microsoft Entra Connect, version 2.4.129.0, that supports the logging of the changes an administrator makes on the Connect Sync Wizard and PowerShell. For more information, see: Auditing administrator events in Microsoft Entra Connect Sync (Public Preview).

Where supported, we'll also autoupgrade customers to this version of Microsoft Entra Connect in February 2025. For customers who wish to be autoupgraded, ensure that you have auto-upgrade configured.

For upgrade-related guidance, see Microsoft Entra Connect: Upgrade from a previous version to the latest.

Public Preview - Flexible Federated Identity Credentials
Type: New feature
Service category: Authentications (Logins)
Product capability: Developer Experience

Flexible Federated Identity Credentials extend the existing Federated Identity Credential model by providing the ability to use wildcard matching against certain claims. Currently available for GitHub, GitLab, and Terraform Cloud scenarios, this functionality can be used to lower the total number of FICs required to managed similar scenarios. For more information, see: Flexible federated identity credentials (preview).

General Availability - Real-time Password Spray Detection in Microsoft Entra ID Protection
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection

Traditionally, password spray attacks are detected post breach or as part of hunting activity. Now, we’ve enhanced Microsoft Entra ID Protection to detect password spray attacks in real-time before the attacker ever obtains a token. This reduces remediation from hours to seconds by interrupting attacks during the sign-in flow.

Risk-based Conditional Access can automatically respond to this new signal by raising session risk, immediately challenging the sign-in attempt, and stopping password spray attempts in their tracks. This cutting-edge detection, now Generally Available, works alongside existing detections for advanced attacks such as Adversary-in-the-Middle (AitM) phishing and token theft, to ensure comprehensive coverage against modern attacks. For more information, see: What is Microsoft Entra ID Protection?

General Availability - Protected actions for hard deletions
Type: New feature
Service category: Other
Product capability: Identity Security & Protection

Customers can now configure Conditional Access policies to protect against early hard deletions. Protected action for hard deletion protects hard deletion of users, Microsoft 365 groups, and applications. For more information, see: What are protected actions in Microsoft Entra ID?

Deprecated - Action Required by February 1, 2025: Azure AD Graph retirement
Type: Deprecated
Service category: Azure AD Graph
Product capability: Developer Experience

The Azure AD Graph API service was [deprecated] in 2020. Retirement of the Azure AD Graph API service began in September 2024, and the next phase of this retirement starts February 1, 2025. This phase will impact new and existing applications unless action is taken. The latest updates on Azure AD Graph retirement can be found here: Take action by February 1: Azure AD Graph is retiring.

Starting from February 1, both new and existing applications will be prevented from calling Azure AD Graph APIs, unless they're configured for an extension. You might not see impact right away, as we’re rolling out this change in stages across tenants. We anticipate full deployment of this change around the end of February, and by the end of March for national cloud deployments.

If you haven't already, it's now urgent to review the applications on your tenant to see which ones depend on Azure AD Graph API access, and mitigate or migrate these before the February 1 cutoff date. For applications that haven't migrated to Microsoft Graph APIs, an extension can be set to allow the application access to Azure AD Graph through June 30, 2025.

Microsoft Entra Recommendations are the best tool to identify applications that are using Azure AD Graph APIs in your tenant and require action. Reference this blog post: Action required: Azure AD Graph API retirement for step by step guidance.

General Availability - Microsoft Entra Connect Version 2.4.129.0
Type: Changed feature
Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect

On January 15, 2025, we released Microsoft Entra Connect Sync Version 2.4.129.0 which supports auditing administrator events. More details are available in the release notes. We'll automatically upgrade eligible customers to this latest version of Microsoft Entra Connect in February 2025. For customers who wish to be autoupgraded, ensure that you have auto-upgrade configured.

Public Preview - Elevate Access events are now exportable via Microsoft Entra Audit Logs
Type: New feature
Service category: RBAC
Product capability: Monitoring & Reporting

This feature enables administrators to export and stream Elevate Access events to both first-party and third-party SIEM solutions via Microsoft Entra Audit logs. It enhances detection and improves logging capabilities, allowing visibility into who in their tenant has utilized Elevate Access. For more information on how to use the feature, see: View elevate access log entries.

Deprecated - Take action to avoid impact when legacy MSOnline and AzureAD PowerShell modules retire
Type: Deprecated
Service category: Legacy MSOnline and AzureAD PowerShell modules
Product capability: Developer Experience

As announced in Microsoft Entra change announcements and in the Microsoft Entra Blog, the MSOnline, and Microsoft Azure AD PowerShell modules (for Microsoft Entra ID) retired on March 30, 2024.

The retirement for MSOnline PowerShell module starts in early April 2025, and ends in late May 2025. If you're using MSOnline PowerShell, you must take action by March 30, 2025 to avoid impact after the retirement by migrating any use of MSOnline to Microsoft Graph PowerShell SDK or Microsoft Entra PowerShell.

Key points

MSOnline PowerShell will retire, and stop working, between early April 2025 and late May 2025
AzureAD PowerShell will no longer be supported after March 30, 2025, but its retirement will happen in early July 2025. This postponement is to allow you time to finish the MSOnline PowerShell migration
To ensure customer readiness for MSOnline PowerShell retirement, a series of temporary outage tests will occur for all tenants between January 2025 and March 2025.
For more information, see: Action required: MSOnline and AzureAD PowerShell retirement - 2025 info and resources.