Update

New Conditional Access Template Requiring Device Compliance

September 2024
Public preview - New Conditional Access Template Requiring Device Compliance
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection

A new Conditional Access template requiring device compliance is now available in Public Preview. This template restricts access to company resources exclusively to devices enrolled in mobile device management (MDM) and compliant with company policy. Requiring device compliance improves data security, reducing the risk of data breaches, malware infections, and unauthorized access. This is a recommended best practice for users and devices targeted by compliance policy through MDM. For more information, see: Common policy: Create a Conditional Access policy requiring device compliance.

Public preview - Tenant admin can fail certificate based auth when the end user certificate issuer isn't configured with a certificate revocation list
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication

With certificate-based authentication (CBA), a CA can be uploaded without a CRL endpoint, and certificate-based authentication won't fail if an issuing CA doesn't have a CRL specified.
To strengthen security and avoid misconfigurations, an Authentication Policy Administrator can require CBA to fail if no CRL is configured for a CA that issues an end user certificate. For more information, see: Understanding CRL validation (Preview).
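Before turning the requirement on, it helps to know which uploaded CAs have no CRL endpoint, since certificates they issue will stop authenticating. The following is an added example, not Microsoft's code: it audits a constructed trust store shaped like the Microsoft Graph `certificateBasedAuthConfiguration` resource and models the two behaviours described above. `require_crl` is a hypothetical name for the tenant setting, and the URL check (scheme plus host) is this example's own assumption.

```python
import json
from urllib.parse import urlparse

# Constructed sample shaped like the Graph certificateBasedAuthConfiguration
# resource; issuers, SKIs and URLs are made up for illustration.
SAMPLE_CONFIG = json.loads("""
{
  "certificateAuthorities": [
    {"issuer": "CN=Contoso Root CA", "issuerSki": "A1B2", "isRootAuthority": true,
     "certificateRevocationListUrl": "http://crl.contoso.example/root.crl"},
    {"issuer": "CN=Contoso Issuing CA 1", "issuerSki": "C3D4", "isRootAuthority": false,
     "certificateRevocationListUrl": "http://crl.contoso.example/issuing1.crl"},
    {"issuer": "CN=Contoso Issuing CA 2", "issuerSki": "E5F6", "isRootAuthority": false,
     "certificateRevocationListUrl": null},
    {"issuer": "CN=Contoso Lab CA", "issuerSki": "0708", "isRootAuthority": false,
     "certificateRevocationListUrl": "   "}
  ]
}
""")


def has_crl(ca):
    """True when the CA entry carries a non-blank http(s) CRL URL with a host."""
    url = (ca.get("certificateRevocationListUrl") or "").strip()
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def cas_without_crl(config):
    """Issuers whose certificates would fail CBA once the requirement is on."""
    return [ca["issuer"] for ca in config.get("certificateAuthorities", [])
            if not has_crl(ca)]


def cba_outcome(config, issuer_ski, require_crl):
    """Model the revocation decision for a certificate issued by issuer_ski.

    require_crl is a hypothetical name for the tenant-level setting.
    """
    ca = next((c for c in config.get("certificateAuthorities", [])
               if c.get("issuerSki") == issuer_ski), None)
    if ca is None:
        return "fail: issuer not trusted"
    if has_crl(ca):
        return "continue: check revocation against CRL"
    if require_crl:
        return "fail: issuing CA has no CRL"
    return "continue: no revocation check performed"
```

Run `cas_without_crl` against the tenant's real CA list and fix or remove every issuer it reports before enabling the setting.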

General Availability: Microsoft Authenticator on Android is FIPS 140 compliant for Microsoft Entra authentication
Type: New feature
Service category: Microsoft Authenticator App
Product capability: User Authentication

Beginning with version 6.2408.5807, Microsoft Authenticator for Android is compliant with Federal Information Processing Standard (FIPS 140-3) for all Microsoft Entra authentications, including phishing-resistant device-bound passkeys, push multifactor authentication (MFA), passwordless phone sign-in (PSI), and time-based one-time passcodes (TOTP). No changes in configuration are required in Microsoft Authenticator or Microsoft Entra ID Admin Portal to enable this capability. Microsoft Authenticator on iOS is already FIPS 140 compliant, as announced last year. For more information, see: Authentication methods in Microsoft Entra ID - Microsoft Authenticator app.

General Availability - Microsoft Entra External ID extension for Visual Studio Code
Type: Changed feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C

Microsoft Entra External ID Extension for VS Code provides a streamlined, guided experience to help you kickstart identity integration for customer-facing apps. With this extension, you can create external tenants, set up a customized and branded sign-in experience for external users, and quickly bootstrap your projects with preconfigured External ID samples—all within Visual Studio Code. Additionally, you can view and manage your external tenants, applications, user flows, and branding settings directly within the extension.

For more information, see: Quickstart: Get started with the Microsoft Entra External ID extension for Visual Studio Code.

Public Preview - Custom Claims API for Claims Configuration of Enterprise Apps
Type: New feature
Service category: Enterprise Apps
Product capability: SSO

Custom Claims API allows admins to manage and update additional claims for their Enterprise Applications through MS Graph. It offers a simplified, user-friendly API experience for claims management. With the introduction of Custom Claims API, the admin center UX and the API are interoperable: admins can now use the Microsoft Entra admin center and MS Graph API interchangeably to manage claims configurations for their Enterprise Applications. Admins can run their automations through the API while keeping the flexibility to update claims in the Microsoft Entra admin center as required, on the same policy object. For more information, see: Customize claims using Microsoft Graph Custom Claims Policy (preview).

General Availability - Cross-tenant manager synchronization
Type: New feature
Service category: Provisioning
Product capability: Identity Governance

Support for synchronizing the manager attribute using cross-tenant synchronization is now generally available. For more information, see: Attributes.

Public Preview - Request on behalf of
Type: New feature
Service category: Entitlement Management
Product capability: Entitlement Management

Entitlement Management enables admins to create access packages to manage their organization’s resources. Admins can either directly assign users to an access package, or configure an access package policy that allows users and group members to request access. This option to create self-service processes is useful, especially as organizations scale and hire more employees. However, new employees joining an organization might not always know what they need access to, or how they can request access. In this case, a new employee would likely rely on their manager to guide them through the access request process.

Instead of having new employees navigate the request process, managers can request access packages for their employees, making onboarding faster and more seamless. To enable this functionality for managers, admins can select an option when setting up an access package policy that allows managers to request access on their employees' behalf.

Expanding self-service request flows to allow requests on behalf of employees ensures that users have timely access to necessary resources, and increases productivity. For more information, see: Request access package on-behalf-of other users (Preview).

Version: September 2024