To reduce the number of unnecessary Conditional Access prompts, Azure AD is changing the way that unrequested scopes are provided to applications. Apps will only trigger Conditional Access for permissions they explicitly request. For example, this can cause an app requesting only user.
For more information, read What's new in authentication. Temporary Access Pass is a time-limited passcode that serves as a strong credential and allows onboarding of passwordless credentials and recovery when a user has lost or forgotten their strong authentication factor (for example, a FIDO2 security key or the Microsoft Authenticator app) and needs to sign in to register new strong authentication methods. The next generation of B2C user flows now supports the keep me signed in (KMSI) functionality, which allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie.
Customers can now reinvite existing external guest users to reset their redemption status, which allows the guest user account to remain without losing any access. Customers can now use application. Users with this role can configure the authentication methods policy, tenant-wide MFA settings, and the password protection policy.
This role grants permission to manage Password Protection settings: smart lockout configuration and updates to the custom banned passwords list. Users can now create their own groupings of apps on the My Apps app launcher. They can also reorder and hide collections shared with them by their administrator. Microsoft Authenticator provides multifactor authentication and account management capabilities, and now also autofills passwords on sites and apps users visit on their mobile devices (iOS and Android).
To use autofill on Authenticator, users need to add their personal Microsoft account to Authenticator and use it to sync their passwords. Work or school accounts cannot be used to sync passwords at this time. Customers can now invite internal guests to use B2B collaboration instead of sending an invitation to an existing internal account.
Users with this role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects have domain dependencies. For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign in to Azure AD-based services with their on-premises passwords via single sign-on.
In February we added the following 37 new applications to our App gallery with Federation support: To learn more about the new roles, refer to Administrator role permissions in Azure Active Directory. In the past, company logos weren't used on Azure Active Directory sign-in pages.
An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you will have another option, "Second level manager as alternate approver", available to choose in the alternate approver field.
If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. The refreshed Authentication Methods Activity dashboard gives admins an overview of authentication method registration and usage activity in their tenant. The report summarizes the number of users registered for each method, and also which methods are used during sign-in and password reset.
Refresh and session token lifetime configurability in CTL (configurable token lifetime) policies is retired. Azure Active Directory no longer honors refresh and session token configuration in existing policies. This function was intended solely for testing. We'll update the UI to make the field required. Customers can work around this requirement for testing purposes by using a feature flag in the browser URL.
Azure AD and Microsoft Endpoint Manager teams have combined to bring the capability to customize, scale, and secure your frontline worker devices. To learn more, refer to Customize and configure shared devices for frontline workers at scale.
To learn more, refer to Provisioning reports in the Azure Active Directory portal. Customers can assign a cloud group to Azure AD custom roles or an admin unit scoped role. To learn how to use this feature, refer to Use cloud groups to manage role assignments in Azure Active Directory. Azure AD Connect cloud sync moves the heavy lifting of transform logic to the cloud, reducing your on-premises footprint. Additionally, multiple lightweight agent deployments are available for higher sync availability.
Users in the Attack Simulation Administrator role have access to all simulations in the tenant and can: Users in the Attack Payload Author role can create attack payloads but not actually launch or schedule them. Attack payloads are then available to all administrators in the tenant, who can use them to create a simulation. However, they can't access any user-level details or insights. In the Microsoft Admin Center, for the two reports, we differentiate between tenant-level aggregated data and user-level details.
This role adds an extra layer of protection to individual user identifiable data. Learn more on how to set up a Conditional Access policy for app protection here. Email OTP enables organizations around the world to collaborate with anyone by sending a link or invitation via email. Invited users can verify their identity with the one-time passcode sent to their email to access their partner's resources. In January we added the following 29 new applications to our App gallery with Federation support:
When you expand the selected access package and hover on Teams, you can launch it by clicking on the "Open" button. Learn more in Identity Protection and B2B users. B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows.
Read Set up phone sign-up and sign-in for user flows (preview) to learn more. To protect user accounts, all new tenants created on or after November 12, will come with Security Defaults enabled. Security Defaults enforces multiple policies including: For more information, read What are security defaults? When you use the new V2 endpoint, you'll experience noticeable performance gains on export and import to Azure AD.
This new endpoint supports the following scenarios: The capabilities of Entitlement Management are now available for all tenants in the Azure China cloud. For information, visit our Identity governance documentation site. In December we added the following 18 new applications to our App gallery with Federation support: You can now launch Teams directly from the My Access portal. To do so, sign in to My Access, navigate to Access packages, then go to the Active tab to see all access packages you already have access to.
When you expand the access package and hover on Teams, you can launch it by clicking on the Open button. To learn more about using the My Access portal, go to Request access to an access package in Azure AD entitlement management. An extra option is now available in the approval process in Entitlement Management.
If you select Manager as approver for the First Approver, you'll have another option, Second level manager as alternate approver, available to choose in the alternate approver field. When you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.
For more information, go to Change approval settings for an access package in Azure AD entitlement management. For guidance on removing dependencies on the deprecated protocols, please refer to Enable support for TLS 1. In November we added the following 52 new applications to our App gallery with Federation support: Custom RBAC roles for delegated enterprise application management are now in public preview. These new permissions build on the custom roles for app registration management, which allow fine-grained control over what access your admins have.
Over time, additional permissions to delegate management of Azure AD will be released. Azure Active Directory (Azure AD) Application Proxy natively supports single sign-on access to applications that use headers for authentication. You can configure the header values required by your application in Azure AD. The header values will be sent down to the application via Application Proxy. With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS.
This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies, allow developers and enterprises to communicate their brand through page customization. This can help while trying out the feature before deploying it to the entire tenant via the Home Realm Discovery policy.
With the initial preview release of the Sign-in Diagnostic, admins can now review user sign-ins. Admins can receive contextual, specific, and relevant details and guidance on what happened during a sign-in and how to fix problems. The unfamiliar sign-in properties detection has been updated.
Customers may notice more high-risk unfamiliar sign-in properties detections. For more information, see What is risk? The cloud provisioning agent has been released in public preview and is now available through the portal. This release contains several improvements, including support for GMSA for your domains (which provides better security), improved initial sync cycles, and support for large groups.
Check out the release version history for more details. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy, you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. Enhanced dynamic group service is now in Public Preview.
New customers that create dynamic groups in their tenants will be using the new service. The time required to create a dynamic group will be proportional to the size of the group that is being created instead of the size of the tenant. This update will improve performance for large tenants significantly when customers create smaller groups.
The new service also aims to complete member addition and removal because of attribute changes within a few minutes. Also, single processing failures won't block tenant processing. To learn more about creating dynamic groups, see our documentation. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates and will need to be updated to trust the new certificate issuers.
This change will result in disruption of service if you don't take action immediately. These agents include Application Proxy connectors for remote access to on-premises applications, Pass-through Authentication agents that allow your users to sign in to applications using the same passwords, and Cloud Provisioning Preview agents that perform AD to Azure AD sync. Activity by the SCIM provisioning service is logged in both the audit logs and the provisioning logs. In the future, these events will only be published in the provisioning logs.
This change is being implemented to avoid duplicate events across logs and the additional costs incurred by customers consuming the logs in Log Analytics. We'll provide an update when a date is confirmed. This deprecation isn't planned for the current calendar year. This does not impact any events in the audit logs outside of the synchronization events emitted by the provisioning service. Events such as the creation of an application, a Conditional Access policy, a user in the directory, etc.
This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates. These agents will need to be updated to trust the new certificate issuers. These agents include: Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting on January 31. This date has been postponed from 30 June to 31 January to give administrators more time to remove the dependency on legacy TLS protocols and ciphers TLS 1.
For additional guidance, refer to Enable support for TLS 1. All client-server and browser-server combinations should use TLS 1. For guidance on removing dependencies on the deprecated protocols, please refer to Enable support for TLS 1. This feature enables the ability to assign an application SPN to an administrator role at the administrative unit scope.
To learn more, refer to Assign scoped roles to an administrative unit. Disable and delete is an advanced control in Azure AD Access Reviews to help organizations better manage external guests in Groups and Apps. If guests are denied in an access review, disable and delete will automatically block them from signing in for 30 days. After 30 days, then they'll be removed from the tenant altogether. In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers.
Reviewers will see the message in the email they receive that prompts them to complete the review. To learn more about using this feature, see step 14 of the Create a single-stage review section. This experience helps guide you in configuring your application for common scenarios. Learn more about Microsoft identity platform best practices and recommendations.
In Azure AD, select the description of the selected role. It's recommended that customers use role template IDs in their PowerShell scripts and code instead of the display name. The role template ID is supported for use with directoryRoles and roleDefinition objects. API connectors enable you to use web APIs to customize your sign-up user flows and integrate with external cloud systems. You can use API connectors to:
Visit the Use API connectors to customize and extend sign-up documentation to learn more. All connected organizations will now have an additional property called "State". The state will control how the connected organization will be used in policies that refer to "all configured connected organizations". The value will be either "configured" meaning the organization is in the scope of policies that use the "all" clause or "proposed" meaning that the organization isn't in scope.
Manually created connected organizations will have a default setting of "configured". Meanwhile, automatically created ones (created via policies that allow any user from the internet to request access) will default to "proposed". With these advanced security features, customers can now: In October we added the following 27 new applications to our App gallery with Federation support:
To learn how to use the feature, see Understand how provisioning integrates with Azure Monitor logs. You can now allow application owners to monitor activity by the provisioning service and troubleshoot issues without providing them a privileged role or making IT a bottleneck. This inconsistency can cause problems in automated processes.
With this update, we're renaming 10 role names to make them consistent. The following table has the new role names: For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to the remember multifactor authentication (MFA) on a trusted device setting.
To get started, review our latest guidance on optimizing the reauthentication experience. The Azure AD Connect Cloud Provisioning public preview refresh features two major enhancements developed from customer feedback: Attribute mapping is a feature used for standardizing the values of the attributes that flow from Active Directory to Azure Active Directory. One can determine whether to directly map the attribute value as it is from AD to Azure AD or use expressions to transform the attribute values when provisioning users.
Once you have set up your configuration, you might want to test whether the user transformation is working as expected before applying it to all your users in scope. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected.
When IT admins or end users read BitLocker recovery keys they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with. End users can access their recovery keys via My Account. This role allows the user to view all devices at a single glance, with the ability to search and filter devices.
The user can also check the details of each device including logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device.
To learn more, see the documentation here, and you can also send feedback with this brief survey. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. To learn more, see Continuous access evaluation.
Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision. To learn more, see Collect additional requestor information for approval. The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages.
Changes in the preview include: For more information, please see User management enhancements (preview) in Azure Active Directory. You can add free text notes to Enterprise applications. You can add any relevant information that will help you manage applications under Enterprise applications. In September we added the following 34 new applications to our App gallery with Federation support:
A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. You can now delegate tasks to a user in this role, who can delegate assignments management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators.
With this new role, you benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations. To learn more, see Entitlement management roles. With the recent integration of PIM experience into the Azure AD roles and administrators blade, we are removing this experience.
Any tenant with a valid P2 license will be auto-onboarded to PIM. Onboarding to PIM does not have any direct adverse effect on your tenant. You can expect the following changes: For more information, see Start using Privileged Identity Management. In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog. This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog.
The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog. To learn more, see Create a new access package in Azure AD entitlement management. If you have outbound firewall rules in your organization, update the rules so that your multifactor authentication MFA servers can communicate with all the necessary IP ranges.
The preview version with the changes will be available at the beginning of September. The changes in the preview version include: In this preview, customers can toggle between the existing experience and the new experience. This preview will last until the end of November. After the preview, customers will automatically be directed to the new UX experience.
We've updated directory-level permissions for guest users. These permissions allow administrators to require additional restrictions and controls on external guest user access. Admins can now add additional restrictions for external guests' access to user and group profile and membership information. With this public preview feature, customers can manage external user access at scale by obfuscating group memberships, including restricting guest users from seeing memberships of the groups they are in.
Now clients can track changes to those resources efficiently, which provides the best solution to synchronize changes to those resources with a local data store. To learn how to configure these resources in a query, see Use delta query to track changes in Microsoft Graph data.
Clients can now track changes to those resources efficiently, which provides the best solution to synchronize changes to those resources with a local data store. In August we added the following 25 new applications to our App gallery with Federation support:
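The delta query pattern referred to above, worked through as an added example (not code from the release notes or from Microsoft Graph itself): one round of a `/users/delta` query is applied to a local store, following `@odata.nextLink` pages and honouring `@removed` annotations, and the returned `@odata.deltaLink` is what a client persists for the next round. The transport is a caller-supplied `fetch_json(url)`; a constructed in-memory stand-in for Graph is used here so the logic runs offline.

```python
"""Keep a local copy of directory users in sync with a Microsoft Graph delta query.

Added example, not from the release notes. It assumes the documented delta
response shape: a "value" array, "@odata.nextLink" while the current round has
more pages, "@odata.deltaLink" on the last page, and an "@removed" annotation
on deleted objects. fetch_json(url) is supplied by the caller (for example an
HTTP client that attaches a bearer token); FAKE_GRAPH below is constructed data.
"""


def apply_delta(fetch_json, url, store):
    """Walk one delta round starting at url, updating store in place.

    Changed objects carry only the properties that changed, so they are merged
    into the stored copy rather than replacing it. Returns the deltaLink that
    must be persisted and used as the start URL of the next round.
    """
    while True:
        page = fetch_json(url)
        for obj in page.get("value", []):
            oid = obj["id"]
            if "@removed" in obj:
                store.pop(oid, None)  # deleted (or out of scope) since the last round
                continue
            merged = dict(store.get(oid, {}))
            merged.update({k: v for k, v in obj.items() if not k.startswith("@")})
            store[oid] = merged
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]  # more pages in this round
            continue
        return page["@odata.deltaLink"]  # round complete


# Constructed stand-in for Graph: each URL maps to exactly one response page.
DELTA_START = "https://graph.microsoft.com/v1.0/users/delta"
FAKE_GRAPH = {
    DELTA_START: {
        "value": [
            {"id": "u1", "displayName": "Alice", "userPrincipalName": "alice@contoso.example"},
            {"id": "u2", "displayName": "Bob", "userPrincipalName": "bob@contoso.example"},
        ],
        "@odata.nextLink": DELTA_START + "?$skiptoken=page2",
    },
    DELTA_START + "?$skiptoken=page2": {
        "value": [
            {"id": "u3", "displayName": "Carol", "userPrincipalName": "carol@contoso.example"},
        ],
        "@odata.deltaLink": DELTA_START + "?$deltatoken=round1",
    },
    DELTA_START + "?$deltatoken=round1": {
        "value": [
            {"id": "u2", "displayName": "Robert"},            # only the changed property
            {"id": "u3", "@removed": {"reason": "deleted"}},  # deleted since round 1
        ],
        "@odata.deltaLink": DELTA_START + "?$deltatoken=round2",
    },
}


def fake_fetch(url):
    """Stands in for an authenticated GET against Graph."""
    return FAKE_GRAPH[url]


def run_two_rounds():
    """Initial full sync, then one incremental round; returns (store, next link)."""
    store = {}
    link_after_round1 = apply_delta(fake_fetch, DELTA_START, store)
    link_after_round2 = apply_delta(fake_fetch, link_after_round1, store)
    return store, link_after_round2


if __name__ == "__main__":
    synced, next_link = run_two_rounds()
    for user in synced.values():
        print(user)
    print("persist for next round:", next_link)
```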
You can now enable authorization without password hash synchronization to use Azure AD Domain Services, including smart-card authorization. You can expand a managed domain to have more than one replica set per Azure AD tenant. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline.
Azure AD My Sign-Ins is a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. To learn more about using this feature, see View and search your recent sign-in activity from the My Sign-Ins page. You can now integrate SAP SuccessFactors as the authoritative identity source with Azure AD and automate the end-to-end identity lifecycle using HR events like new hires and terminations to drive provisioning and de-provisioning of accounts in Azure AD.
To learn how to configure this resource with APIs, see identityProvider resource type. You can now assign Azure AD built-in roles to cloud groups with this new feature. You can also use PIM to make the group an eligible member of the role, instead of granting standing access. To learn how to configure this feature, see Use cloud groups to manage role assignments in Azure Active Directory preview. Users in the Insights Business Leader role can access a set of dashboards and insights via the Microsoft Insights application.
This includes full access to all dashboards and presented insights and data exploration functionality. However, users in this role don't have access to product configuration settings, which is the responsibility of the Insights Administrator role. To learn more about this role, see Administrator role permissions in Azure Active Directory. Users in the Insights Administrator role can access the full set of administrative capabilities in the Microsoft Insights application.
A user in this role can read directory information, monitor service health, file support tickets, and access the Insights administrator settings. Previously, only the Global Administrator could manage the extension property.
We're now enabling this capability for the Application Administrator and Cloud Application Administrator as well. A hotfix rollup package build 4. In addition, the MIM generic connectors build 1. With the GA release of the client apps condition in Conditional Access, new policies will now apply by default to all client applications.
This includes legacy authentication clients. When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they will be blocked. Our implementation of the SCIM standard is evolving, and we expect to make changes to our behavior around how we perform PATCH operations as well as how we set the property "active" on a resource. Owner settings on the Groups general settings page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel.
We will soon have the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph. We will start to disable the current setting for the customers who are not using it and will offer an option to scope users for group owner privilege in the next few months.
For guidance on updating group settings, see Edit your group information using Azure Active Directory. Transport Layer Security (TLS) 1. Support for TLS 1. Learn more about TLS 1. Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.
Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object was not being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or did not pass the scoping filter).
When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many of our customers asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer. Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the "advanced" section of Azure AD Access Reviews.
For guidance on creating access reviews, see Create an access review of groups and applications in Azure AD access reviews. There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. Simplified user flow experience offers feature parity with preview features and is the home for all new features.
Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows.
Try it now by creating a user flow. In July we added the following 55 new applications to our App gallery with Federation support: You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure AD portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see View and assign administrator roles in Azure Active Directory.
Microsoft will be shutting down the SDK service effective September 30th. Any calls made to the SDK will fail. User risk support in Azure AD Conditional Access policy allows you to create multiple user risk-based policies. Different minimum user risk levels can be required for different users and apps.
Based on user risk, you can create policies to block access, require multifactor authentication, secure password change, or redirect to Microsoft Cloud App Security to enforce session policy, such as additional auditing. This also works for SP initiated sign-in, and IdP initiated sign-in will follow.
Azure Government tenants using the B2B collaboration features can now invite users that have a Microsoft or Google account. To find out if your tenant can use these capabilities, follow the instructions at How can I tell if B2B collaboration is available in my Azure US Government tenant? The externalUserState and externalUserStateChangedDateTime properties can be used to find invited B2B guests who have not accepted their invitations yet, as well as to build automation such as deleting users who haven't accepted their invitations after some number of days.
These properties are now available in MS Graph v1. For guidance on using these properties, refer to User resource type. Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers to offer more security and flexibility in your environment.
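The automation the note above describes, as an added example that is not code from the release notes or from Microsoft: it builds the Graph query for guests still in PendingAcceptance, selects those whose externalUserStateChangedDateTime is older than a cut-off, and emits the DELETE URLs as a dry run. The Graph client that performs the HTTP calls, and the sample users, are assumptions; the selection logic runs offline on constructed data.

```python
"""Find B2B guests whose invitation is still pending after N days.

Added example, not code from the Azure AD release notes. It uses the user
properties the notes name (externalUserState, externalUserStateChangedDateTime)
plus userType, and assumes the caller already has a Graph client with a valid
token for the GET/DELETE calls; SAMPLE_USERS below is constructed data.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
PENDING = "PendingAcceptance"


def pending_guests_url() -> str:
    """GET URL asking Graph for only guests still pending acceptance.

    Filtering server-side keeps the tenant's member accounts out of the
    response entirely; $select keeps the payload to the fields needed.
    """
    params = {
        "$filter": f"userType eq 'Guest' and externalUserState eq '{PENDING}'",
        "$select": "id,userPrincipalName,mail,externalUserState,"
                   "externalUserStateChangedDateTime",
    }
    return f"{GRAPH_USERS}?{urlencode(params, quote_via=quote)}"


def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO 8601 UTC with a trailing Z; normalise for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_pending_guests(users, now: datetime, max_age_days: int):
    """Return guests whose invitation has been pending longer than max_age_days.

    Guests with no externalUserStateChangedDateTime are skipped rather than
    deleted: never remove an account on missing data.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for user in users:
        if user.get("userType") != "Guest":
            continue
        if user.get("externalUserState") != PENDING:
            continue
        changed = user.get("externalUserStateChangedDateTime")
        if not changed:
            continue
        if parse_graph_time(changed) <= cutoff:
            stale.append(user)
    return stale


def deletion_plan(stale_users):
    """DELETE URLs for the stale guests. A deleted user stays restorable from
    the Deleted users page for 30 days, so the cleanup is reversible."""
    return [f"{GRAPH_USERS}/{user['id']}" for user in stale_users]


# Constructed sample in the shape of a Graph /users response "value" array.
SAMPLE_USERS = [
    {"id": "guest-1", "userType": "Guest", "externalUserState": PENDING,
     "userPrincipalName": "alice_example.org#EXT#@contoso.onmicrosoft.com",
     "externalUserStateChangedDateTime": "2021-03-01T10:00:00Z"},
    {"id": "guest-2", "userType": "Guest", "externalUserState": PENDING,
     "userPrincipalName": "bob_example.org#EXT#@contoso.onmicrosoft.com",
     "externalUserStateChangedDateTime": "2021-04-12T08:30:00Z"},
    {"id": "guest-3", "userType": "Guest", "externalUserState": "Accepted",
     "userPrincipalName": "carol_example.org#EXT#@contoso.onmicrosoft.com",
     "externalUserStateChangedDateTime": "2021-01-05T12:00:00Z"},
    {"id": "guest-4", "userType": "Guest", "externalUserState": PENDING,
     "userPrincipalName": "dan_example.org#EXT#@contoso.onmicrosoft.com",
     "externalUserStateChangedDateTime": None},
    {"id": "member-1", "userType": "Member", "externalUserState": None,
     "userPrincipalName": "erin@contoso.onmicrosoft.com",
     "externalUserStateChangedDateTime": None},
]
NOW = datetime(2021, 4, 15, tzinfo=timezone.utc)  # fixed "now" for the sample


if __name__ == "__main__":
    print("GET", pending_guests_url())
    for url in deletion_plan(stale_pending_guests(SAMPLE_USERS, NOW, 30)):
        print("would DELETE", url)  # dry run: swap in the client's DELETE once reviewed
```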
Now authentication session management will apply to multifactor authentication (MFA) as well. For more information, see Configure authentication session management with Conditional Access. In June we added the following 29 new applications to our App gallery with Federation support: This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows.
For example, you can use API connectors to: The Azure AD provisioning service currently operates on a cyclic basis. The service runs every 40 minutes. The on-demand provisioning capability allows you to pick a user and provision them in seconds. This capability allows you to quickly troubleshoot provisioning issues without having to do a restart to force the provisioning cycle to start again.
A new delegated permission EntitlementManagement. Now that they are available at the v1. For more information, please check out the Microsoft Graph docs. You can now create sensitivity labels and use the label settings to apply policies to Microsoft groups, including privacy (Public or Private) and external user access policy.
For guidance on using sensitivity labels, refer to Assign sensitivity labels to Microsoft groups in Azure Active Directory (preview). Previously, the number of groups you could use when you conditionally change claims based on group membership within any single application configuration was limited to a lower number. The use of group membership conditions in SSO claims configuration has now increased to a maximum of 50 groups.
For more information on how to configure claims, refer to Enterprise Applications SSO claims configuration. For guidance on using this functionality, see Add branding to your organization's Azure Active Directory sign-in page.
The provisioning service has been updated to reduce the time for an incremental cycle to complete. This means that users and groups will be provisioned into their applications faster than they were previously. Going forward we will represent these properties as strings.
At that date, we will be retiring the current riskType and riskEventTypes properties. Enumerated types will switch to string types when representing risk event properties in Microsoft Graph September We will retire the current riskEventTypes enum property on June 11, in accordance with our Microsoft Graph deprecation policy. For more information, refer to Deprecation of riskEventTypes property in signIns v1. We are making the following changes to the email notifications for cloud multifactor authentication MFA :.
E-mail notifications will be sent from the following address: azure-noreply microsoft. We're updating the content of fraud alert emails to better indicate the required steps to unblock users. Currently, users who are in domains federated in Azure AD, but who are not synced into the tenant, can't access Teams.
Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure AD, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign up." This change will complete rolling out during the following two months. Watch for documentation updates here.
It currently provides the incorrect Graph endpoint graph. If you own an application within an Azure Government tenant, you must update your application to sign users in on the. Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint microsoftonline.
There will be a gradual rollout of this change with enforcement expected to be complete across all apps June. For more details, please see the Azure Government blog post. When a user clicks on sign-out e. These messages contain a NameID in a persistent format. This fix makes the sign-out message consistent with the NameID configured for the application. With this new role, you no longer have to use the Global Admin role to set up and configure Cloud Provisioning.
In May , we have added the following 36 new applications in our App gallery with Federation support: Report-only mode for Azure AD Conditional Access lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier.
With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. When sharing an application with external users, you might not always know in advance who will need access to the application.
With self-service sign-up, you can enable guest users to sign up and gain a guest account for your line-of-business (LOB) apps. The sign-up flow can be created and customized to support Azure AD and social identities. You can also collect additional information about the user during sign-up.
The insights and reporting workbook gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes following these instructions. The new policy details blade displays the assignments, conditions, and controls satisfied during conditional access policy evaluation.
You can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details. This will give developers the ability to quickly query our Directory Objects without workarounds such as in-memory filtering and sorting. Find out more in this blog post. We are currently in Public Preview, looking for feedback. Please send your comments with this brief survey. The feature is now generally available in all clouds.
The group claims issued in a token can now be limited to just those groups assigned to the application. This is especially important when users are members of large numbers of groups and there is a risk of exceeding token size limits. With this new capability in place, the ability to add group names to tokens is generally available. We have enhanced the Workday Writeback provisioning app to now support writeback of work phone number and mobile number attributes.
In addition to email and username, you can now configure the Workday Writeback provisioning app to flow phone number values from Azure AD to Workday. For more details on how to configure phone number writeback, refer to the Workday Writeback app tutorial. Publisher verification preview helps admins and end users understand the authenticity of application developers integrating with the Microsoft identity platform. For details, refer to Publisher verification preview. There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow.
Previously, the only filters you could use were "Enabled" and "Activity date." These additions should simplify locating a particular device. Previously, you had to manage your B2C consumer-facing applications separately from the rest of your apps using the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure. The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them.
Whether you need to manage a customer-facing app or an app that has access to Microsoft Graph to programmatically manage Azure AD B2C resources, you only need to learn one way to do things. The experience is also accessible from the Azure Active Directory service. The legacy "Applications" experience will be deprecated in the future.
This new registration experience enables users to register for multifactor authentication (MFA) and SSPR in a single, step-by-step process. When you deploy the new experience for your organization, users can register in less time and with fewer hassles. Check out the blog post here. Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD such as user account deletion.
We are rolling this feature out first for Teams and Outlook clients. For more details, please read our blog and documentation. These apps target frontline employees, deskless workers, field agents, or retail employees that may not get an email address from their employer, have access to a computer, or to IT.
This project will let these employees sign in to business applications by entering a phone number and roundtripping a code. For more details, please see our admin documentation and end user documentation. We're expanding B2B invitation capability to allow existing internal accounts to be invited to use B2B collaboration credentials going forward. This is done by passing the user object to the Invite API in addition to typical parameters like the invited email address.
For details, see the documentation. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. The new policy details blade displays which assignments, conditions, and controls were satisfied during conditional access policy evaluation.
For more information about listing your application in the Azure AD app gallery, see List your application in the Azure Active Directory application gallery. Delta query for oAuth2PermissionGrant is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. Delta query for organizational contacts is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph.
Replace any existing code that continuously polls orgContact data by delta query to significantly improve performance. Delta query for applications is generally available! Replace any existing code that continuously polls application data by delta query to significantly improve performance. Delta query for administrative units is available for public preview! Now you can programmatically pre-register and manage the authenticators used for multifactor authentication (MFA) and self-service password reset (SSPR).
Administrative units allow you to grant admin permissions that are restricted to a department, region, or other segment of your organization that you define. You can use administrative units to delegate permissions to regional administrators or to set policy at a granular level.
For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their administrative unit. For more information, see Administrative units management in Azure Active Directory preview. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.
They can also read all connector information. Key tasks a Printer Technician cannot do are set user permissions on printers and sharing printers. Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods: Password hash synchronization (PHS), Pass-through authentication (PTA), or Federation (AD FS or a 3rd-party federation provider), and to deploy related on-premises infrastructure to enable them.
On-premises infrastructure includes Provisioning and PTA agents. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. Users with this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations.
Network performance for Microsoft relies on careful enterprise customer network perimeter architecture, which is generally user location-specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. You can create users, delete users, and invite guest users. And you can add and remove members from a group. You can download the list of users in the directory, the list of groups in the directory, and the members of a particular group.
My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. For more information, see the Manage your users with My Staff preview and Delegate user management with My Staff preview.
At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Please note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive.
You can learn more about the updated experience here. This public preview will last until the end of July. At the end of July, reviewers who have not opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, please make a request here.
Based on customer feedback, we have now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services WWS API. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. If no version is specified in the connection string, by default, the Workday inbound provisioning apps will continue to use WWS v To use the new API for writeback, there are no changes required in the Workday Writeback provisioning app.
We have updated our tutorial guide to reflect the new API version support. Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, , all new provisioning configurations allow users with the default access role to be provisioned. Gradually we will change the behavior for existing provisioning configurations to support provisioning users with this role.
We've refreshed our provisioning experience to create a more focused management view. When you navigate to the provisioning blade for an enterprise application that has already been configured, you'll be able to easily monitor the progress of provisioning and manage actions such as starting, stopping, and restarting provisioning.
On the Validate rules tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When creating or updating dynamic group rules, administrators want to know whether a user or a device will be a member of the group.
This helps evaluate whether a user or device meets the rule criteria and aids in troubleshooting when membership is not expected. For more information, see Validate a dynamic group membership rule preview. Supporting security defaults for Azure AD improvement actions: Microsoft Secure Score will be updating improvement actions to support security defaults in Azure AD, which make it easier to help protect your organization with pre-configured security settings for common attacks. This will affect the following improvement actions:
Multifactor authentication (MFA) improvement action updates: To reflect the need for businesses to ensure the utmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multifactor authentication and added two. These new improvement actions require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs.
The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or setting security defaults as of March 16th that let Microsoft decide when to challenge users for multifactor authentication (MFA).
Read more about what's new in Microsoft Secure Score. Beginning on March 31, , Microsoft will no longer support the redemption of invitations by creating unmanaged Azure Active Directory Azure AD accounts and tenants for B2B collaboration scenarios.
In preparation for this, we encourage you to opt in to email one-time passcode authentication. We're working on deploying a change so that all new provisioning configurations will allow users with the default access role to be provisioned. Gradually, we'll change the behavior for existing provisioning configurations to support provisioning users with this role. No customer action is required. We'll post an update to our documentation once this change is in place.
The emails that are sent by the Azure AD B2B collaboration invitation service to invite users to the directory will be redesigned to make the invitation information and the user's next steps clearer. We fixed a bug where changes to the HomeRealmDiscovery policy were not included in the audit logs. You will now be able to see when and how the policy was changed, and by whom. To find out if your tenant is able to use these capabilities, follow the instructions at How can I tell if B2B collaboration is available in my Azure US Government tenant?
Please check out the detailed documentation as well as deployment plans for reporting and monitoring for Azure AD scenarios. For more information, see our announcement blog post. The Azure AD provisioning service provides a rich set of configuration capabilities. Customers need to be able to save their configuration so that they can refer to it later or roll back to a known good version.
We've added the ability to download your provisioning configuration as a JSON file and upload it when you need it. Previously in Microsoft Azure operated by 21Vianet (Azure China 21Vianet), admins using self-service password reset (SSPR) to reset their own passwords needed only one "gate" challenge to prove their identity. In public and other national clouds, admins generally must use two gates to prove their identity when using SSPR. But because we didn't support SMS or phone calls in Azure China 21Vianet, we allowed one-gate password reset by admins.
Going forward, admins must use two gates when using SSPR. SMS, phone calls, and Authenticator app notifications and codes will be supported. To ensure the reliability of the Azure AD service, user passwords are now limited in length to characters.
Users with passwords longer than this will be asked to change their password on subsequent login, either by contacting their admin or by using the self-service password reset feature. See the breaking change notice for more details. Starting now, customers who have free tenants can access the Azure AD sign-in logs from the Azure portal for up to 7 days. Previously, sign-in logs were available only for customers with Azure Active Directory Premium licenses.
With this change, all tenants can access these logs through the portal. This resulted in duplicate API calls. When a user copied their username in the app drawer, they were incorrectly notified that the app's password was copied to the clipboard. A script error occurred when users with an embedded Internet Explorer browser attempted to sign in to Okta.
Range attribute retrieval for group membership attributes (full support will be available in a future release). Real-time synchronization for user profiles, groups, and group memberships (full support will be available in a future release). Internet Explorer local storage size for the Okta Browser Plugin has been increased. See Okta Browser Plugin version history. The auto-detection feature can be disabled by updating either property value with an accepted contrast hex value.
See Brands. See Configure an MFA enrollment policy. Custom error page templates include new macros to customize the URL href in addition to the button text for themed templates. See Use macros. If no action is taken, an expiration notice is sent when the certificate expires. See Configure a custom URL domain. See Configure SSO for native apps. This feature provides convenience and flexibility in cases where subdomains vary by only a few characters.
End users can now sort applications alphabetically or by last added on the new Okta End-User Dashboard. When enabled, this feature turns the generation of the Application Usage and the Application Password Health reports into an asynchronous process.
Okta generates a report with the results and sends an email to the admin containing a download link for the CSV file. This enhancement is ideal for orgs with large amounts of user activity, as the generated reports can cover a greater range without timing out.
Risk scoring improvements are being slowly deployed to all organizations. See Configure a password policy. You now have the flexibility to manage the default profile for Okta groups in the Profile Editor. This new functionality simplifies group management and lets you quickly add, edit, or remove custom profile attributes to groups. See Work with profiles and attributes. This allows you to add fields into the Okta user profile.
See Litmos Provisioning Guide. On the Branding page, hash marks are automatically added to the hex codes in the Primary color and Secondary color fields. The maximum allowable daily limit of Event Hooks for all orgs has increased from , to , A higher daily allocation of Event Hooks reduces the likelihood orgs will exceed their daily limits. See Workflows system limits.
To comply with accessibility contrast ratios, the default variant colors for buttons on Okta sign-in and error page have been standardized to use the Okta design system. While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.
Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon Eventbridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required.
See Log Streaming. Super admins can now quickly and easily search for, add, and remove the resource assignments for a standard role. See Edit resources for a standard role assignment. Super admins can configure the system notifications and Okta communications for custom admin roles.
Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role. See Customize an email template. Users weren't instructed to sign out and then sign in again when the mobile device management (MDM) remediation screen appeared during Intune setup. When the Remove Group endpoint was called with an invalid group profile attribute, the group wasn't removed.
On the Suspicious Activity User Report, the Login field was incorrectly labeled Email and didn't display the primary email address of the user who reported the activity. Selecting the ellipses on an app card on the Okta End-User Dashboard incorrectly opened the app instead of accessing its settings.
Sometimes, when deactivated LDAP-sourced users attempted to sign in to Okta, an incorrect message appeared. Customers should use the American Express - Work integration. The following partner-built provisioning integration app is now Generally Available in the OIN as partner-built:
This release of the Okta Provisioning agent contains vulnerability fixes. When an admin deleted an app with Federation Broker Mode enabled, users could continue to sign in to the app. Sometimes when the app group membership for a user was deactivated, any role assignments that were revoked from that user still appeared on the Administrators page.
Email address change notifications were incorrectly sent to the new email address and not the old email address. On the new Okta End-User Dashboard, end users were still able to request apps after an admin had disabled the app request feature. End users were incorrectly prompted to copy password credentials to their clipboard when accessing SWA apps that were shared between users with admin-controlled passwords.
Sometimes, the System Log displayed Grant user privilege success events for admins when there were no changes to their privileges. When a super admin changed the role notification settings for an admin, some third-party admins with that role were included in the notification subscription. When an admin assigned an app to a user, the Edit User Assignments window appeared too small. When a super admin edited the User Account customization settings, an error occurred after they verified their password.
End users were unable to add org-managed apps to the Okta End-User Dashboard after admins had enabled self-service. App approval forms incorrectly listed deactivation options and available licenses for Google Workspace. When using the Self-Service Registration feature, users with slower internet connections could click Register again while the account was being created.
Sometimes when a third-party admin role was assigned through the public API, the admin's status didn't change in the Okta Help Center. When Veeva Vault was provisioned, the authentication rate limit was incorrectly applied to bulk operations. Unique attributes were retained when admins used a CSV file to import user attributes and the import was unsuccessful.
When previously deactivated users with expired passwords were reactivated and allowed to sign in using their Personal Identity Verification (PIV) cards, they were required to reset their passwords. Clearwage: For configuration information, see Single Sign-On configuration guide.
For orgs that enable this feature through self-service EA, end users can now generate passwords from the Okta Browser Plugin pop-up window. You can use the SAML 2. The flow enables a client app to reuse an authorization by supplying a valid, signed SAML assertion to the authorization server in exchange for an access token.
This flow is often used in migration scenarios from legacy Identity Providers that don't support OAuth. Users who access the new Okta End-User Dashboard from mobile or desktop can now show and copy passwords for their apps to their clipboard. They can also use a new password management modal to edit the username or password fields for their apps.
The option to incrementally import user data is now available for the Okta Provisioning agent. Incremental imports reduce the time required for synchronization by only downloading user information that has changed since the last successful import. See Okta Provisioning Agent incremental import. The Schemas API now includes unique attributes for custom properties in Okta user profiles and the Okta group profile. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile.
This feature helps prevent the duplication of data and ensures data integrity. Okta ThreatInsight now has enhanced attack detection capability. When a threat is detected, the algorithms are optimized to block all malicious requests while creating a System Log event to alert on the attack. After the attack subsides, threatInsight returns into its normal mode of operation.
This capability enables quick blocking action during an attack. See About Okta ThreatInsight. With Branding enabled, admins can now hide the Powered by Okta message in the footer of their Okta-hosted sign-in page and End-User Dashboard. See Configure the footer for your org. Performance enhancements on the Routing Rules page include optimized adding, editing, dragging, and deactivating of rules, and improved loading when the number of rules exceeds 1, See Configure Identity Provider routing rules.
Client-based rate limits are now in Log per client mode for all orgs for both OAuth 2. This offers additional isolation to prevent frequent rate limit violations. When LDAP delegated authentication was enabled, an incorrect event type was used to process user profile updates. When users were deleted asynchronously, the entries associated with the user weren't removed from the UniqueEntityProperty table. When Self-Service Registration was enabled, a change to a user's email address in their profile source caused their UPN (user principal name) in Okta to also change, despite it being mapped to the username.
When a custom admin role was assigned to an existing group with standard roles, the System Log displayed duplicate Grant user privilege events for the members of the group. For orgs with Custom Administrator Roles enabled, the page filters on the Roles, Resources, and Admins tabs of the Administrators page were labeled incorrectly.
When an admin role was constrained to a group, users with that role sometimes experienced time-out errors on the People page. OAuth applications granted authorization tokens on accounts for which users had not yet completed registration.
Admins who viewed completed tasks on the new Okta End-User Dashboard couldn't see who approved or rejected the tasks. An Internal Server error appeared when sensitive attributes were included in attribute search results. When using the Firefox browser, users were unable to edit the Forgot Password Text Message section of the Settings page. When admins used the Add Person dialog in the new Admin Console to add users, automatic resizing of the dialog resulted in a "The field cannot be left blank" error message.
This version includes hardening around certain security vulnerabilities. Stronger signals are now used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new, and trusted applications must send a unique identifier for each device as a device token.
See Behavior detection and evaluation. For new orgs, the default mode for ThreatInsight is now set to Audit mode. Previously, with no mode set by default, events weren't logged unless Audit mode or Block mode was enabled manually.
Now with Audit mode set by default for new orgs, the security. See Okta ThreatInsight. The Delete Person and Delete Group dialogs now include statements to clarify what is removed when a person or group is deleted. This can include application assignments, sign-on policies, routing rules, and user profiles. This change helps admins better understand the ramifications of deleting people and groups.
See Deactivate and delete user accounts and Manage groups. A new grant type, Token Exchange, is available for Authorization Server configuration. Admins can select the grant type to enable SSO for native apps. The View IDP Metadata link incorrectly required an active session when application-specific certificates were enabled. A gap between the deactivation of a contractor and the activation of that user to a full-time employee caused incremental imports for Workday to fail.
Users weren't added to groups when the locale attribute filter was set to equals in the group rule. If an admin added an app integration but didn't complete the process and subsequently assigned it to a group, then clicking the link for the app integration through the Groups directory opened the Add app integration process instead of the settings page for that app integration. Adding an expiration date macro to the Password Reset email template resulted in an Invalid Expression error.
End users were able to add bookmark apps after their admins configured the App Catalog Setting to allow org-managed apps only. Some error messages in the Sign-In Widget were translated from English to other languages when the user's language was English. For active users with no assigned roles, the button to add privileges was mislabeled Edit individual admin privileges. ThreatInsight didn't always block IP addresses that were identified as the source of password spray attacks.
Pop: For configuration information, see Pop: Okta Integration. If an admin added a rule to an app sign-on policy and named it Default sign on rule, they were unable to edit or delete the rule. If client-based rate limiting was enabled, end users were sometimes presented with an error instead of the sign-in page when their session expired or they signed out.
When Enhanced Email Macros was enabled, using required variables without brackets resulted in a validation error. Some Preview org customers received an error when accessing end-user pages after they changed their browser language to Chinese-Traditional.
KnowBe4: For configuration information, see here (you need to sign in to KnowBe4 to access their documentation). If an app sign-on policy required re-authentication every 0 minutes, some users were unable to reset their passwords. When a third-party admin role was assigned, the admin's status didn't change in Salesforce and the Exclude admin from receiving all admin-related communications rule wasn't enforced.
When Branding was enabled and later disabled, the sign-in and error pages that were customized with HTML code editors during the enabled period could be reset to their defaults. The default password policy was sometimes being evaluated for users instead of the configured password policy. To help admins identify their Okta solution, the version number in the footer of the Admin Console is now appended with C for Classic Engine orgs and E for Identity Engine orgs.
See Identify your Okta solution. This version includes bug fixes, security enhancements, and a new version of the Log4J library. This version includes bug fixes and security enhancements. Support for multiple active user statuses: When importing users from SuccessFactors into Okta, admins can now select more than one active user status, such as Leave of Absence.
All existing data associated with a schema property is now removed when a schema property is deleted. To prevent data corruption, the property cannot be recreated until the existing data is fully removed. Previous data is no longer restored when recreating a deleted schema property with the same definition. This new functionality prevents the corruption of profile data and the associated Elasticsearch issues.
See Add or remove custom directory schema attributes. A warning now appears if a gateway or proxy has an IP range with more than 5 million addresses. See Create zones for IP addresses. The Rate Limit Dashboard now displays the start time and end time of the rate limit window for each data point. This helps you analyze each data point with more granularity. On the new Okta End-User Dashboard, text color in the side navigation has been updated.
The Apps for Good category has been added to the selectable categories list. If available, support contact information now appears on the details page for app integrations. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. It allows you to upload your own brand assets (colors, background image, logo, and favicon) to replace Okta's default brand assets.
Users were able to make too many attempts to enter an SMS one-time passcode when performing a self-service unlock. Using an Office thick client to open documents from the SharePoint Server didn't work consistently. When updating the provisioning settings for an app integration, some admins had to reload the page because the Admin Console showed a verification message and then stopped responding. On the Admin Console Tasks page, the first 10 tasks were duplicated when Show more tasks was selected and 10 or more tasks were already listed.
If an app integration with provisioning enabled was upgraded to support the Push Groups feature, admins were repeatedly prompted to enable provisioning. A new partner-built provisioning integration app is now Generally Available in the OIN catalog.
Users who enrolled in multifactor authentication using the Active Directory Federation Services integration were unable to download the Okta Verify app from the Apple App Store and the Google Play store during enrollment. The password management modal was incorrectly minimized on the new Okta End-User Dashboard after an end user responded to the copy confirmation modal.
New partner-built provisioning integration apps are now Generally Available in the OIN catalog. The scroll bar didn't function as expected while adding a new access policy to an authorization server. The Note for requester field within the self-service app request approval settings didn't properly display messages. End users who attempted to use a custom sign out URL were presented with a blank page on Internet Explorer. When an admin clicked Custom roles from the Overview section on the Administrators page, the Roles tab opened with the incorrect filters applied.
Some tabs and buttons on the user and group profile pages of the Custom Administrator Roles user interface were labeled incorrectly. Also, the Admin role assignment report page was called Custom reporting. On the People page, the last user with super admin permissions could be deleted without generating an error. Hone: For configuration information, see Logging in with Okta single sign-on.
This enhancement offers direct access to independent online help sites for these products from help. The new sites provide several benefits. This release includes internal code refactoring. The certificateSourceType is a required property that indicates whether the Certificate is provided by the user.
The accepted value is Manual. See Domains API. New orgs, including those created through the org creator API or the developer. Learn more about this migration and other frequently asked questions in our support article. Admins can now choose whether or not to import groups with all SCIM integrations. This new option is available when you set up provisioning for a SCIM integration. Okta Access Gateway customers can now download and deploy the Access Gateway virtual appliance on Nutanix Acropolis Hypervisor (Nutanix AHV), a hyper-converged infrastructure platform popular among larger organizations.
Note: This is not applicable for orgs that didn't have Admin Experience Redesign enabled and continued to use the legacy experience. Windows Hello as an MFA factor is no longer supported for new orgs. Existing orgs already using this feature can continue using it. Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments.
Sending the test email to their primary email address eliminates their need to create a real end-to-end workflow to test customization. For more information, see Test a customized email template. You can now create group password policies for LDAP sourced users. This gives you the flexibility to provide users with the same password policy requirements as your local LDAP directory, easing the user experience of an LDAP integration with Okta.
See About group password policies and Sign-on policies. Event Hook preview lets admins easily test and troubleshoot their Event Hooks, as well as send sample requests without manually triggering an actual event. This means admins can preview the payload of a specific Event Hook type and make sure that it's what they need to move forward before a full deployment to production.
See Event Hook Preview. Supporting user type designations enables access for frontline and deskless workers. For each app integration in the OIN App Catalog, the details page has been updated to use tabs that display the overview and the specific capabilities of the app integration. The details page also shows the Capabilities in the side navigation. Clicking a specific capability returns the administrator to the main Add Application page with that capability pre-selected in the filter.
When an admin searches for app integrations, the filter is now persistent through category changes or when they refresh the page. Admins can create new OIDC applications without assigning them to a group. Velocity-based email templates are now processed by an HTML sanitizer. Session-user and User rate violation events are now logged as operation-level events instead of org-wide events. This allows you to distinguish between rate limit violations at an org level and individual level.
When an admin attempted to add an app integration to their org for which the org was not entitled, the error message didn't display the org's edition name. A user-created on-the-fly app incorrectly appeared on the Tasks page under Number of apps that can have provisioning enabled.
When OpenLDAP was used with delegated authentication, an error message containing unnecessary information appeared if users attempted to change their password and it didn't meet the LDAP complexity requirements. Group Push for Slack caused group members to be reset and gradually re-added, during which time group members couldn't access the app.
Sometimes, during SAML app configuration, the metadata link improperly required a sign-in session. New partner-built provisioning integration apps are now Generally Available in the OIN. Google Chrome users saw a session lifetime warning if they accessed an end-user dashboard embedded in an iFrame.
Users saw the wrong error message if they attempted self-service registration with a unique attribute such as Customer Account Number that was already in use. During searches for Lightweight Directory Access Protocol-sourced users, concurrency limit violations caused Too Many Requests errors. End users who were unable to sign in successfully with Just-in-Time provisioning were sometimes redirected back to the sign-in page without seeing an error message. Some orgs experienced an issue where the More Integrations section of the Okta App Catalog appeared empty.
This release is based on Python 3 to support macOS. It addresses the known issue of device enrollment failures. When creating a sign on policy, you can now create rules that apply only to LDAP Interface user authentications. With this change, you can apply a sign on policy to LDAP Interface authentications and exclude other authentication methods.
See Sign-on policies. The Import Safeguard event is available for use as an Event Hook. Admins can use the Import Safeguard event to generate a notification when an import safeguard occurs. See Import safeguards and Event Types. The App Integration Wizard has been updated with several usability improvements. For quicker access, you can now launch the wizard from either the Applications page or the Browse App Integration Catalog page. The platform and sign-on method selection process has been streamlined to remove unnecessary inputs.
Help hints in the wizard have been improved to eliminate the need to look up definitions and guidance from the documentation. To save time, trusted origins and group assignment tasks can now be completed as part of the process rather than after the wizard creates the app integration. See Create custom app integrations. For users authenticating with ADSSO or IWA during peak periods, this change increases the likelihood that a server will be available to process their authentication request.
Okta Verify with Push now supports risk-based authentication. With this feature, admins can assess the level of risk when an end user signs in to their org and attempts to authenticate with Okta Verify. A Recently Used apps section has been added to the top of the Okta End-User Dashboard and the Okta Browser Plugin to make it easier for end users to access their applications.
When enabled, the Recently Used apps section is visible at the top of the Okta End-User Dashboard regardless of the number of apps assigned to the end user or whether any apps have been launched. If an end user re-enables the Recently Used apps section, apps that were used when the feature was previously enabled are not preserved.
See Recently used applications. ISVs can also now select up to three categories for their app integration. See Submit an app integration. See OIDC settings. The system. See Event Types. When user consent is required for an OAuth scope, a new check box is available to enable Flexible consent, which blocks services from requesting the scope.
See Create Scopes. To reduce system load and operational cost, a single app. If an app integration doesn't support the Create only option in the Application username format drop-down menu, the option is now disabled rather than hidden. Hidden username and password fields in the Sign-In Widget are no longer identifiable by screen readers.
When a custom sign-out page was configured, users who reset their password with SMS and then clicked Back to sign in were redirected to the custom page. Admins were unable to view the Import Monitoring dashboard for applications when the application admin role was assigned to specific applications. Okta erroneously pushed profile updates to Rally upon user reactivation when updates to user attributes were disabled. The Sign-In Widget appeared blank for users who attempted to sign in while using multiple WebAuthn authenticator enrollments.
Some Firefox An incorrect error message was displayed when a user was created with a duplicate unique property. Existing app instances should be migrated to the new app; see the Adobe Sign Migration Guide for details. Automation rules that were created to delete inactive users sometimes failed due to deprovisioning errors. The Sign On page was unresponsive after the Credentials Details section of Bookmark apps was updated.
Provisioning errors occurred when email addresses were pushed from Okta to UltiPro after being updated in Active Directory. The existing Cacoo integration is deprecated and renamed Cacoo deprecated. Silent Activation was blocked for certain orgs if the app sign-on policy required MFA reauthentication. Admins could create an app using the App Integration Wizard even when their trusted origin configuration was incorrect.
Admins weren't able to use the tab key to navigate in the Upload Logo section of the App Integration Wizard. Factor enrollment with Device Trust failed for some users when they attempted to sign in to Airwatch Workspace One for the first time. Admin permissions were sometimes revoked unexpectedly when new permissions were assigned to the admin. For details, see Okta user management with Zoom. When admins clicked the Application requests waiting task in the new Admin Dashboard, nothing happened.
The OIDC default scopes link sometimes added non-default scopes to access policy rules for authorization servers. On the Applications page, the cursor changed to show an extended hand cursor for non-clickable items. The Browse App Catalog button on the Applications page was disabled for app admins. The password policy requirements for LDAP-sourced user passwords were shown in a sentence format instead of a list.
Headspace: For configuration information, see Configuring Provisioning for Headspace. Agentless Desktop Single Sign-on (ADSSO) authentication progress screens have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.
When admins create a group push mapping and link it to a group whose members were imported through another method, those users are now Okta sourced. The addition of a Select assignments to convert screen to the Okta Admin Console makes the conversion of app assignments from individually-managed to group-managed easier. With the click of a button you can now quickly locate, select, and then convert individual users, or convert all eligible assignments.
See Convert an individual assignment to a group assignment. System Log events now display information that indicates whether an OAuth refresh token is rotating or persistent. System Log Advanced Filters no longer support the Contains operator for the following fields:
To identify the Okta Active Directory agent used to process a delegated authentication request, the actionId value has been added to the user. For orgs that use multiple agents, this value makes it easier to identify the specific location of log data used to resolve authentication issues. See Configure protocol-specific settings. The TLS certificate for okta. The updated certificate will be signed with a new trust chain and Root Certificate Authority (CA) trust anchor.
To avoid negative impact and service outages, customers who have a limited or non-standard set of certificates in their trust stores must take action prior to May 6th. See FAQs. The Okta Admin Console Groups page has been updated to simplify the addition of large numbers of users to groups and reduce the likelihood that all users can be accidentally removed from a group.
In addition, search functionality has been significantly improved to make adding and removing users from groups quicker and easier. See Manage groups. In some cases, end users who verified with IdP as a factor and selected the option to Remember this device were unable to save their configuration.
In some cases, the security. The catalog descriptions for many OIN app integrations have been updated to improve accuracy and show available capabilities. End users were incorrectly redirected to the sign-out page if they reset their password through SMS and clicked the Back to Sign In link on the Code Verification page.
When an application was edited, the Initiate login URI field was erroneously auto-populated with a default value. Sheetgo: For configuration information, see the Sheetgo Okta configuration guide. End users who attempted to sign in to the new Okta End-User Dashboard while access was prevented were not redirected to the proper error page.
When some users updated their recovery question, the password import inline hook was erroneously triggered. Admins couldn't use the Tab key to advance to the next text field in the Test Delegated Authentication modal. Creating new users in Coupa through Okta provisioning failed with a password length error even though the Sync password option was not selected.
The Current Assignment report in Application Access Audit sometimes failed to load and returned an error. The Client Credentials Flow could not implement a custom claim named scope. Authress: For configuration information, see the Authress Okta integration guide. Content security policy is now enforced for end-user pages.
Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. We already had a policy enforced in our admin pages from last year and in report-only mode for end-user pages. We plan that future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release. Suspended users were automatically unlocked but appeared as suspended in the Admin Console.
Automatic provisioning of users to Google Workspace sometimes failed with a java.io.IOException error. If the users and groups in an app-level policy were deleted, the Admin Console incorrectly showed the policy as applied to all users and groups. Additionally, admins can now use the not equal, ends with, and is present operators in the System Log search bar. These operators provide greater flexibility when filtering System Log events. See System Log filters and search. An Agents page in the Okta Admin Dashboard shows the status and version of every Okta agent that is connected to customers' on-premises servers.
This improves the accessibility of the product, improves admin productivity, and helps admins to be more proactive with security issues. See Admin Experience Redesign. Previously, sign-on policies couldn't be configured for these first party applications. With this release, policy based on context such as user location, device, behavior, risk level, group membership, and more is included.
This gives admins more flexibility and granular control over sign-on requirements for these first party apps. This change prevents new orgs from unintentionally sending email notifications to end users. See General Security. End users can now request an app through the link in the footer of the new Okta End-User Dashboard.
The ability to customize your Okta domain has now been rolled out to all orgs. With this feature, you can customize your Okta organization by replacing the Okta domain name with your own domain name. This allows you to create a seamless branded experience for your users so that all URLs look like your application. For some orgs, the user activation page didn't display logos correctly if it was accessed through the redirect link in the User Activation email.
The Okta Admin Dashboard reached the rate limit threshold rapidly, causing a failure to load data in the Admin Dashboard widgets. Self-Service Registration incorrectly appeared in the Directory menu for group admins. This feature is available to super admins only. Sometimes the public OAuth metadata API responses did not include a Vary: Origin header, resulting in some browsers incorrectly caching the response across Origins.
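Two of the notes above are about response headers: the Content Security Policy passage (a report-only policy reports violations but blocks nothing; only the enforcing header does) and the fix for OAuth metadata responses that lacked Vary: Origin, which let browsers cache one origin's CORS response and serve it to another. The following linter is an added example, not Okta's code; it checks a response's headers for both conditions. The header dictionaries in the usage block are constructed for the example.

```python
"""Lint security-relevant HTTP response headers (added example, not Okta's code).

Two checks: (1) a CSP that is only report-only, or an enforced CSP whose
script sources are effectively unrestricted, and (2) an origin-specific
Access-Control-Allow-Origin without Vary: Origin, which lets a shared or
browser cache replay the response to a different Origin.
"""
from __future__ import annotations

CSP_ENFORCE = "content-security-policy"
CSP_REPORT_ONLY = "content-security-policy-report-only"
_HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _lower(headers: dict[str, str]) -> dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def csp_findings(headers: dict[str, str]) -> list[str]:
    """Findings for the CSP headers of one response (empty list = nothing to report)."""
    lower = _lower(headers)
    findings: list[str] = []
    if CSP_ENFORCE not in lower:
        if CSP_REPORT_ONLY in lower:
            findings.append("CSP is report-only: violations are reported, not blocked")
        else:
            findings.append("no Content-Security-Policy header")
        return findings
    policy = parse_csp(lower[CSP_ENFORCE])
    # script-src falls back to default-src when absent
    script = policy.get("script-src", policy.get("default-src", []))
    if not script:
        findings.append("no script-src or default-src: scripts are unrestricted")
        return findings
    # CSP3 ignores 'unsafe-inline' once a nonce or hash source is present,
    # so it is only a problem when neither is listed.
    if "'unsafe-inline'" in script and not any(s.startswith(_HASH_OR_NONCE) for s in script):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "*" in script:
        findings.append("script-src allows any origin")
    return findings


def cors_findings(headers: dict[str, str]) -> list[str]:
    """Flag an origin-specific ACAO value that is not keyed on Origin for caching."""
    lower = _lower(headers)
    acao = lower.get("access-control-allow-origin")
    if acao is None or acao == "*":
        return []  # nothing origin-specific to cache wrongly
    vary = {v.strip().lower() for v in lower.get("vary", "").split(",")}
    if "origin" in vary or "*" in vary:
        return []
    return ["Access-Control-Allow-Origin is origin-specific but Vary: Origin is missing: "
            "caches may serve this response to another origin"]


def lint_response(headers: dict[str, str]) -> list[str]:
    return csp_findings(headers) + cors_findings(headers)


if __name__ == "__main__":
    # Constructed sample responses for the example
    samples = {
        "report-only": {"Content-Security-Policy-Report-Only": "default-src 'self'"},
        "enforced, nonce": {"Content-Security-Policy":
                            "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"},
        "metadata, no Vary": {"Access-Control-Allow-Origin": "https://app.example",
                              "Vary": "Accept-Encoding"},
    }
    for name, hdrs in samples.items():
        print(name, "->", lint_response(hdrs) or "ok")
```

The CSP check deliberately returns early on the report-only case: a report-only header is useful for staging a policy, but a scanner that counts it as protection will miss exactly the gap the release note describes.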
The Applications page in Developer orgs didn't have clear instructions about how to create more custom apps by upgrading to an Enterprise plan. Errors on the App Sign On Policy page were displayed at the top of the page rather than near the respective fields.
Attributes with the number data type were reported to have been updated after CSV Directory imports even if nothing had changed. Self-Service Registration, a super admin feature, incorrectly appeared in the Directory menu for group admins. Developer org admins were incorrectly redirected to the user app page instead of the Admin Dashboard. In some cases, the OAuth access token for Salesforce expired daily, which caused issues with provisioning.
In some cases, admins received an error while creating a new user with JIT provisioning. The Trusted Origin field in the new App Integration Wizard appeared even if the user didn't have the permission to manage the field. During a full import, profile updates occurred in Workday even if no attributes were changed for the user in Okta. AD-sourced users received misleading error messages when they attempted to reset their passwords while the AD agent was down.
Some LDAP-sourced users' temporary passwords became their main passwords after they used them to sign in. Some AD-sourced users were redirected to the default Okta org when they clicked the activation link in their welcome email. Previously scheduled Workday imports were still shown on the Import Monitoring dashboard after provisioning was disabled. Admins received timeout errors when they deactivated AD-sourced users through imports from Active Directory. In some cases when the new Okta End-User Dashboard was enabled, Okta incorrectly made hourly token renewal requests that caused user sessions to be active longer than configured.
March: Okta Military Cloud support. Okta Active Directory Password Sync agent, version 1. Okta AD agent, version 3. Bug fixes. Okta LDAP agent, version 5. Okta Provisioning agent, version 2. Event hooks for custom admin roles: Custom admin role events are now available for use as Event Hooks.
Enforce limit and log per client mode for OAuth 2.0. New ThreatInsight enforcement option: ThreatInsight evaluates authentication requests to detect potentially malicious activity from IP addresses exhibiting suspicious behavior. The Custom Administrator Roles feature allows super admins to create admin assignments with granular roles, which include specific user, group, and application permissions, and to constrain these admin assignments to resource sets.
Use Custom Administrator Roles to increase admin productivity, decentralize the span of access that any one admin has, and grant autonomy to different business units for self-management. Some important things to note: The Administrators page has been updated with a new, more intuitive interface for managing roles and permissions.
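The ThreatInsight note above, and the earlier fix for IP addresses that were "identified as the source of password spray attacks" but not blocked, both turn on recognising a spray: one source IP trying a password or two against many different accounts, which is the inverse of a brute force that hammers one account. The detector below is an added example, not Okta's ThreatInsight; the log format and the log lines are constructed for it, and the thresholds (five distinct users, at most two attempts each, inside a ten-minute window) are assumptions to tune per environment.

```python
"""Password-spray detection over authentication failures (added example, not Okta's code).

Signature: within a short window, one source IP fails against many distinct
accounts with few attempts per account. A brute force (many failures, one
account) and ordinary mistyped passwords do not match.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<timestamp> <event type> <outcome> <user> <source ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user.session.start FAILURE alice 203.0.113.7
2024-03-01T09:00:03Z user.session.start FAILURE bob 203.0.113.7
2024-03-01T09:00:05Z user.session.start FAILURE carol 203.0.113.7
2024-03-01T09:00:08Z user.session.start FAILURE dave 203.0.113.7
2024-03-01T09:00:11Z user.session.start FAILURE erin 203.0.113.7
2024-03-01T09:00:14Z user.session.start FAILURE frank 203.0.113.7
2024-03-01T09:00:20Z user.session.start FAILURE alice 198.51.100.9
2024-03-01T09:00:21Z user.session.start FAILURE alice 198.51.100.9
2024-03-01T09:00:22Z user.session.start FAILURE alice 198.51.100.9
2024-03-01T09:00:23Z user.session.start FAILURE alice 198.51.100.9
2024-03-01T09:00:24Z user.session.start FAILURE alice 198.51.100.9
2024-03-01T09:00:25Z user.session.start FAILURE alice 198.51.100.9
2024-03-01T09:01:00Z user.session.start FAILURE grace 192.0.2.44
2024-03-01T09:01:09Z user.session.start SUCCESS grace 192.0.2.44
"""


def parse_line(line: str):
    ts, event, outcome, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, outcome, user, ip


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: summary} for every source IP whose failures match the spray signature."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in lines:
        if not line.strip():
            continue
        ts, event, outcome, user, ip = parse_line(line)
        if event == "user.session.start" and outcome == "FAILURE":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over this IP's failures; `start` advances so that
        # events[start:end+1] always fits inside `window`.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                summary = {
                    "distinct_users": len(per_user),
                    "attempts": end - start + 1,
                    "window_start": events[start][0].isoformat(),
                    "window_end": events[end][0].isoformat(),
                }
                # keep the widest-spread window seen for this IP
                if ip not in flagged or summary["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = summary
    return flagged


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"spray from {ip}: {info['distinct_users']} accounts, "
              f"{info['attempts']} attempts between {info['window_start']} and {info['window_end']}")
```

On the sample, 203.0.113.7 is flagged (six accounts, one attempt each), 198.51.100.9 is not (six attempts, all against alice: a brute force, which a per-account lockout handles), and 192.0.2.44 is a user who mistyped once. The per-window recount is quadratic in the number of failures per IP, which is fine for a batch job over a day of logs; a streaming detector would maintain the per-user counts incrementally instead.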
You can continue using the pre-existing roles and your existing assignments remain the same. You can also assign custom roles to users who have standard roles assigned. System Log events for group app assignments When an admin role is assigned to a group, the Okta Admin Console is now assigned to the group members much faster, and an Add assigned application to group event group.
Support for additional social Identity Providers: Social login is a form of SSO that uses existing information from a service such as Facebook, Twitter, or Google to sign in, instead of creating a new account specifically for a third-party website. Risk and behavior evaluation: To improve the visibility of risk scoring and behavior detection, all sign-in requests are evaluated for risk factors and changes in behavior. Copy button updates: In the app settings panel of the Okta End-User Dashboard, the copy buttons for the username and password fields are renamed Copy username and Copy password.
Group assignment priority: If a group rule results in a higher group app assignment priority on an existing app user, the user is now remapped to the higher priority group assignment. Extensibility for notifications of group push failure circumstances: Group push failure event hooks now allow customers to monitor for failures that won't be retried and use them to trigger automations, such as execution of a flow in Okta Workflows.
Group push notification improvements: Group push failure notifications have been repurposed and improved to provide better error descriptions for customers. Group search in the Admin Console: Admins can now use the Search bar to quickly find groups, in addition to users and apps. User accounts report: Use this report to view users with accounts in Okta and their profile information.
OKTA Okta will schedule group reconciliation for any assigned user that is operationalized. Weekly Updates: General Fixes. OKTA Admins whose custom role contained the Edit users' lifecycle states permission but not the View users and their details permission could view the Profile tab on the user page. OKTA Confirmation messages shown when app assignments were removed or when groups were removed from app instances were inconsistent and unclear.
OKTA Send test email failed with an error for some email templates. February: Internal improvements and bug fixes. Burst rate limits for authentication and authorization flows: Burst rate limits provide peace of mind by ensuring an unplanned spike doesn't negatively affect the end user's experience. Configure a custom error page: You can customize the text and the look and feel of error pages using an embedded HTML editor. Configure a custom Okta-hosted sign-in page: You can customize the text and the look and feel of the Okta-hosted sign-in page using form controls and an embedded HTML editor.
New features for HealthInsight: Administrators can now enable end user email notifications when an end user changes or resets their password. See General Security and HealthInsight. HealthInsight now includes a recommendation for admins to enable Password Changed email notifications if the notification isn't yet enabled for the org.
See Password changed notification for end users. HealthInsight now displays a suspicious sign-in count within the recommendation that users enable ThreatInsight in block mode. Risk scoring improvements: Risk scoring has been improved to detect suspicious sign-in attempts based on additional IP signals. Custom URL domain certificate expiration reminders: Email reminders for custom URL domain certificate expiration are now sent to super admins and org admins only. Error message and logging improvements: An error message for group push mapping to alert that a group is not active or not found has been added.
New behavior for Custom User Profile link: When users click the Custom User Profile link, the page now opens in a new browser tab or window. New System Log event when user signs in: Admins now see the user. App notes: App notes written by an admin are now displayed for users who hover over the app on the Okta End-User Dashboard. Masking for eight digit phone numbers: The masking algorithm now reveals fewer digits for shorter phone numbers. Client secret rotation and key management: Rotating client secrets without service or application downtime is a challenge.
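The usual way to rotate a client secret without downtime is to let the client have two valid secrets for a grace period: the new one is issued immediately, the old one keeps working until every deployed instance has been updated, and then it is revoked. The store below is an added example, not Okta's implementation or API; the class and method names are assumptions. It stores only SHA-256 digests of the secrets (they are high-entropy random strings, so a slow salted hash buys nothing here) and compares digests in constant time, including a dummy comparison for unknown client IDs so response time does not reveal which clients exist.

```python
"""Client secret rotation with an overlap window (added example, not Okta's code)."""
import hashlib
import hmac
import secrets
import time


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


# Compared against for unknown client IDs so that verify() takes the same
# time whether or not the client exists.
_DUMMY = _digest("dummy")


class ClientSecretStore:
    """Per client: the current secret digest plus, during rotation, the previous one."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock for testing
        self._clients = {}         # client_id -> {"current", "previous", "previous_expires"}

    def register(self, client_id: str) -> str:
        secret = secrets.token_urlsafe(32)
        self._clients[client_id] = {"current": _digest(secret),
                                    "previous": None,
                                    "previous_expires": 0.0}
        return secret              # shown to the client once; only the digest is kept

    def rotate(self, client_id: str, overlap_seconds: int = 3600) -> str:
        """Issue a new secret; the old one stays valid for overlap_seconds."""
        entry = self._clients[client_id]
        new_secret = secrets.token_urlsafe(32)
        entry["previous"] = entry["current"]
        entry["previous_expires"] = self._now() + overlap_seconds
        entry["current"] = _digest(new_secret)
        return new_secret

    def revoke_previous(self, client_id: str) -> None:
        """End the overlap early once every consumer has switched."""
        entry = self._clients[client_id]
        entry["previous"] = None
        entry["previous_expires"] = 0.0

    def verify(self, client_id: str, presented: str) -> bool:
        entry = self._clients.get(client_id)
        presented_digest = _digest(presented)
        if entry is None:
            hmac.compare_digest(presented_digest, _DUMMY)
            return False
        if hmac.compare_digest(presented_digest, entry["current"]):
            return True
        previous = entry["previous"]
        if previous is not None and self._now() < entry["previous_expires"]:
            return hmac.compare_digest(presented_digest, previous)
        return False


if __name__ == "__main__":
    store = ClientSecretStore()
    old = store.register("billing-service")
    new = store.rotate("billing-service", overlap_seconds=3600)
    print("old still valid during overlap:", store.verify("billing-service", old))
    print("new valid:", store.verify("billing-service", new))
    store.revoke_previous("billing-service")
    print("old valid after revoke:", store.verify("billing-service", old))
```

The overlap window is the security trade-off: it bounds how long a leaked old secret stays usable after rotation, so keep it as short as the deployment cadence allows and call the revoke step as soon as the last consumer reports the new secret in use.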
Okta Epic Hyperspace agent, version 1. OKTA Repeatedly assigning and unassigning a user to a group that provisions applications converted that user from a group assignment to an individual assignment.
Duet Display is one of the most popular apps that turns your iPad into a second display for your PC and Mac. On Mac, at least, the arrival of Sidecar mode makes third-party solutions somewhat questionable. But here in Windows-land, Duet is a great means of augmenting your productivity through your iPad.
Duet Display meets this requirement, but only by way of a pricier Duet Pro subscription service targeted specifically at designers and artists. Is this the best option? This is where EasyCanvas comes into the picture. EasyCanvas is the new kid on the block. However, it has two main advantages over Duet. For starters, its primary focus is on providing a great drawing experience, as opposed to being a secondary display.
With that kind of a value proposition in mind, I just had to get my hands on both and try them out. Which is better, Duet or EasyCanvas? EasyCanvas simply does all this for free after purchasing the app. What exactly are you getting for this extra amount? Duet claims that Pro mode adds in pressure and tilt sensitivity, together with palm rejection. Together with the lag-free video output, this is supposed to add up to a pro-friendly drawing solution.
But what about EasyCanvas? As long as it offers something broadly comparable to Duet, the value proposition is a moot point. Well, the good news is that EasyCanvas is on equal footing with Duet when it comes to features. You get all the core goodies: tilt sensitivity, pressure sensitivity, and palm rejection.
In addition, you also get support for the Wacom pen, whereas Duet is tailored specifically for Apple Pencil. Both require a bit of extra effort to set up, particularly on the primary device. You have to first install the desktop app for Duet and EasyCanvas respectively from their websites.
Keep in mind here that EasyCanvas only supports machines on Windows 8 and higher. But there are plenty of Windows 7 users still clinging to enhanced privacy and a lack of forced updates. I tried it out on an aging Intel Atom netbook with Windows 7 and got an error message for my trouble. Duet surprised me, though. Once installed, it appears as a system tray icon.
It turns the iPad into a secondary display. EasyCanvas was similarly easy to set up. You get your secondary display when you connect your iPad. There are a few more steps here, though. The input device selection at the top left corner lets you switch between Apple Pencil, Wacom Bamboo Stylus, and finger input.
Apple Pencil pairing works out of the box: if your Pencil is paired with your iPad it will just work with EasyCanvas. Wacom Bamboo pairing is a bit more complicated. Both of these solutions support hardware acceleration. The issue here is that hardware acceleration is highly dependent on your desktop configuration.
The Intel Atom system gave wildly differing results in comparison with my main Ryzen work system.