Single sign-on (SSO) lets enterprise users sign in once with a single set of credentials and then reach many applications and services. This reduces the number of sign-in prompts for employees and enables one-click access to popular apps such as Concur, SAP, and Workday in addition to Office 365 and Azure. Microsoft yesterday announced that it is extending Azure AD single sign-on to an unlimited number of cloud apps for free. The offer applies even to customers on the Azure AD Free plan.
This change allows any organization that holds a subscription to a commercial Microsoft online service such as Azure, Office 365, Dynamics or Power Platform to enable SSO for all of its cloud apps.
It is also worth noting that multi-factor authentication (MFA), together with security defaults, is already free for all Azure AD customers. Microsoft yesterday also announced several new features that make it easier for IT admins to secure and manage access. They are summarized below.
- Dynamic groups rule validation (Public Preview)—Dynamic groups let administrators define rules over user attributes that populate group membership automatically. You can now validate a rule by checking whether specific users would or would not be members of the dynamic group. This makes it easier to troubleshoot and update rules before a rule change silently alters who is in a group, and therefore who has the access granted through it.
- Administrative units (Public Preview)—Administrative units allow you to logically group users and devices and then delegate administration of only those users and devices. For example, a User Administrator scoped to an administrative unit can update profile information, reset passwords and assign licenses only for users in that unit, rather than for the whole tenant. This is especially useful for organizations with multiple independent departments, each with its own IT admins responsible for that department.
- Bulk operations for users and groups (GA)—You can now import or export users and groups in the directory using a CSV file. This lets you create or delete users, update group memberships, and download users, groups and group memberships. You can also use it to invite guest users or restore deleted users.
- Token configuration (GA)—Azure AD issues tokens with a default set of claims. Token configuration allows you to customize access tokens, ID tokens and SAML tokens to include additional claims. These additional claims give your application more details about a user when the user authenticates to it. You can also configure how groups are represented in claims. For example, instead of using the object ID of each group in the claims, you can choose group names as claims, or have groups emitted as roles for applications that expect role claims.
- SAML token encryption (GA)—Azure AD already sends SAML tokens over an HTTPS (TLS) transport channel. In addition, you can now configure encryption of the SAML assertion itself, using a certificate that belongs to the receiving application. TLS protects the token only in transit between two endpoints; the assertion still passes through the user's browser in a POST binding and may be captured in logs or client-side tooling along the way. Encrypting the assertion provides additional assurance, where needed, that its contents, including personal or corporate data, cannot be read by anything other than the intended application.
- Invite internal users to B2B collaboration (Public Preview)—If you have been managing external users as if they were regular users in your directory, you can now convert them to guest users and take advantage of the benefits offered by Azure AD B2B. The users retain their user ID, user principal name, group memberships and app assignments. This provides better governance over your external users without needing to manually delete and re-invite them.
- Redesigned B2B collaboration invitation emails (GA)—External users invited through B2B collaboration will soon see a new design of the invitation email. The new design provides external users with more clarity to help make an informed decision for accepting the invitation.
- Secure access to SAML-based applications with Azure AD B2C (GA)—You can now integrate a SAML application with Azure AD B2C. Acting as a SAML identity provider (IdP), Azure AD B2C lets you offer many authentication options to your users without changing the application's existing SAML authentication library. All OIDC, OAuth, and SAML-based identity providers such as Salesforce, Facebook, Google, and Active Directory Federation Services (ADFS) can be offered to your users.
- Report-only mode for Azure AD Conditional Access (GA)—Before deploying a new Conditional Access policy, it is useful to know how many users it will affect. With report-only mode, the policy is evaluated at every sign-in and its outcome is recorded in the sign-in logs, but it is never enforced, so you can measure the impact of a policy before you choose to enable it. Testing your policies and correcting them first gives you more control over how they are rolled out and how they affect your end users.
- Combined MFA and password reset registration (GA)—This new combined security information registration experience makes it easy for your users to register for MFA and Self-Service Password Reset (SSPR) in a simple step-by-step process.
- Continuous Access Evaluation (GA)—Continuous Access Evaluation (CAE) is a step towards further enhancing security in your environment. Today a resource continues to honour an access token until it expires, even if the user has been disabled or the password has been changed in the meantime. CAE allows a timely response to policy violations or security issues that occur after access is granted, by letting the resource react to such events rather than waiting for token expiry. Microsoft is implementing its initial approach to CAE in Exchange and Teams.
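The "Token configuration" item above describes emitting group membership as role claims. The following is an added example, not code from the article or from Microsoft, showing how to do that through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to Application.ReadWrite.All, and that $appObjectId holds the object ID (not the client ID) of an existing app registration; the GUID shown is a placeholder.

```powershell
# Added example: emit assigned groups as role claims, using display names,
# on an existing app registration. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Placeholder: object ID of the app registration (not the application/client ID).
$appObjectId = "00000000-0000-0000-0000-000000000000"

# "ApplicationGroup" restricts the claim to groups assigned to this app, so the
# token does not disclose the user's unrelated group memberships.
# emit_as_roles  : place the groups in the "roles" claim instead of "groups".
# cloud_displayname : use the group display name rather than the object ID
#                     (only meaningful together with ApplicationGroup).
$groupClaim = @{
    name                 = "groups"
    additionalProperties = @("emit_as_roles", "cloud_displayname")
}

$optionalClaims = @{
    idToken     = @($groupClaim, @{ name = "upn"; essential = $false })
    accessToken = @($groupClaim)
    saml2Token  = @($groupClaim)
}

Update-MgApplication -ApplicationId $appObjectId `
    -GroupMembershipClaims "ApplicationGroup" `
    -OptionalClaims $optionalClaims

# Read the configuration back to confirm what the token service will emit.
Get-MgApplication -ApplicationId $appObjectId |
    Select-Object DisplayName, GroupMembershipClaims, OptionalClaims
```

Two practitioner caveats apply. Group display names are not unique in a tenant, so an application that authorizes on the role name must rely on the fact that only groups explicitly assigned to it are emitted; if you instead set GroupMembershipClaims to "SecurityGroup" or "All", key authorization on the object ID. Also, large memberships can exceed the token's group limit, at which point Azure AD emits a group-overage claim rather than the list, which is another reason to keep the claim scoped to assigned groups.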
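The "Report-only mode" item above describes evaluating a Conditional Access policy without enforcing it. The following is an added example, not code from the article or from Microsoft, that creates such a policy with the Microsoft Graph PowerShell SDK, reads the report-only results back from the sign-in logs, and only then switches the policy to enforced. It assumes the Microsoft.Graph module is installed, that the admin can consent to the listed scopes, and that $breakGlassGroupId holds the object ID of a group containing the tenant's emergency-access accounts; the GUID shown is a placeholder.

```powershell
# Added example: pilot a "require MFA for all users" policy in report-only
# mode, review who would have been blocked, then enforce it.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# Placeholder: group holding break-glass accounts that must never be locked out.
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"

$policy = @{
    displayName = "Require MFA for all users (pilot)"
    # Report-only: evaluated and logged on every sign-in, never enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# After the policy has run for a while, find sign-ins that it *would* have
# failed. Report-only outcomes are recorded with result values prefixed
# "reportOnly" in the sign-in log's applied-policy list.
$wouldFail = Get-MgAuditLogSignIn -Top 1000 | Where-Object {
    $_.AppliedConditionalAccessPolicies | Where-Object {
        $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure"
    }
}
$wouldFail | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed |
    Format-Table -AutoSize

# Only once the list above contains no surprises (service accounts, legacy
# clients that cannot do MFA) turn the policy on for real.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

The exclusion of the break-glass group is the check that matters most here: a policy that requires MFA for "All" users with no exclusion can lock every administrator out of the tenant if the MFA service itself is unavailable, and report-only mode will not reveal that risk because nothing is enforced during the pilot.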