In March 2022, we announced our simplified change management process, which allows customers to predictably plan their deployments. Earlier this month at RSA, we introduced Microsoft Entra as our new product family that encompasses all of Microsoft’s identity and access capabilities. Today we’re excited to share that our newly announced change management process will expand to cover all of Microsoft Entra. We’re also sharing our June train for feature changes and breaking changes.
We communicate these changes to our customers every quarter through the blog, the release notes, and email. We’re also continuing to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the Entra portal experience. Below is a quick snapshot of our communication schedule, with biannual product retirement communication and quarterly breaking/feature changes.
Refers to the retirement of a feature, capability, or product in a specified period. This is typically accompanied by the service/feature rejecting new customers and a reduction in engineering investments to enhance retired features or capability. Eventually, the feature is no longer available to any customer and marks end-of-life.
2 x per year (Mar and Sep)
Breaking change announcement, feature change announcement
Breaking change: Expected to break the customer/partner experience if the customer doesn’t act or make a change in their workload for continued operation.
Feature change: Change to an existing Identity feature that doesn’t require customer action but is noticeable to the customer. These are typically UI/UX changes.
These changes generally happen more often and require a more frequent communication schedule.
4 x per year (Mar, June, Sep, and Nov)
Here’s the list of feature change announcements that are part of the June 2022 train:
Max configured permissions for app
Microsoft recently made a change to enforce our documented limits on the maximum number of configured permissions for an app registration. Apps that exceed these limits could enter a broken state in which consent is no longer possible. On October 31, 2022, apps that already have more than 400 configured permissions in their “requiredResourceAccess” collection will no longer be able to add additional permissions above the limit. Current permissions will remain configured on the app but adding a new permission will require the app owner to remove existing permissions until the total number is below the documented limit. This change will help customers avoid getting their apps into a broken state in which they aren’t able to give consent. For more information, see “Microsoft Graph permissions reference” and “Validation differences by supported account types” on Microsoft Docs.
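To see which app registrations this enforcement would affect, the following added example (not Microsoft's code) counts the entries in each app's requiredResourceAccess collection and flags those over the 400 limit stated above. It assumes input shaped like a Microsoft Graph "list applications" JSON response and that the limit applies to the sum across all resources; the sample data, app names and function names are constructed for illustration.

```python
import json

# Limit stated in the announcement above; passed as a parameter so it can be changed.
MAX_CONFIGURED_PERMISSIONS = 400


def _perms(n, kind="Scope"):
    # Constructed placeholder permission entries (not real permission IDs).
    return [{"id": f"00000000-0000-0000-0000-{i:012d}", "type": kind} for i in range(n)]


# Constructed sample, shaped like a Microsoft Graph "list applications" response.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"displayName": "hr-portal", "requiredResourceAccess": [
        {"resourceAppId": "constructed-resource-a", "resourceAccess": _perms(5)}]},
    {"displayName": "legacy-sync", "requiredResourceAccess": [
        {"resourceAppId": "constructed-resource-a", "resourceAccess": _perms(250)},
        {"resourceAppId": "constructed-resource-b", "resourceAccess": _perms(160, "Role")}]},
    {"displayName": "no-api-access"},  # collection absent entirely
]})


def count_configured_permissions(app):
    """Return (total, per-resource counts) for one app registration.

    Assumption: the limit applies to the sum of resourceAccess entries across
    all resources. A missing or null collection counts as zero.
    """
    per_resource = {}
    for resource in app.get("requiredResourceAccess") or []:
        rid = resource.get("resourceAppId", "<unknown>")
        per_resource[rid] = per_resource.get(rid, 0) + len(resource.get("resourceAccess") or [])
    return sum(per_resource.values()), per_resource


def audit(response_json, limit=MAX_CONFIGURED_PERMISSIONS):
    """List every app with its permission count, largest first."""
    findings = []
    for app in json.loads(response_json).get("value", []):
        total, per_resource = count_configured_permissions(app)
        findings.append({"app": app.get("displayName"), "total": total,
                         "over_limit": total > limit, "excess": max(0, total - limit),
                         "per_resource": per_resource})
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE):
        flag = "OVER LIMIT" if f["over_limit"] else "ok"
        print(f'{str(f["app"]):<15} {f["total"]:>4}  {flag}  {f["per_resource"]}')
```
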
Admin consent for Directory.AccessAsUser.All
On August 31, 2022, Microsoft will require admin consent for the Directory.AccessAsUser.All permission by default on all services. Admin consent will be required by default when the permission is requested for either Azure AD Graph (graph.windows.net) or Microsoft Graph (graph.microsoft.com). Previously, the permission didn’t require admin consent by default in certain scenarios. This change will only affect new consent requests and will improve security and align Directory.AccessAsUser.All with its current documented behavior. For more information, see “Azure Active Directory (AD) Graph API Permission Scopes” on Microsoft Docs.
We’re switching to a new and improved service to send group-related emails. Group-related emails for the following scenarios will remain the same but will come from a new alias (email@example.com): When a Microsoft 365 group is going to expire; when a user requests to join a Microsoft 365 or security group; and when a group owner responds to a request to join a Microsoft 365 or security group. This change will help improve reliability and will enable faster email delivery and scalability for group emails.
Default consent setting
Starting September 30, 2022, Microsoft will enforce that all new tenants “Follow the Latest Microsoft Recommendation” as the new default consent setting. End users will no longer be able to grant consent to multi-tenant apps that request permissions beyond Microsoft-determined low-impact permissions without verified publishers. This change will reduce the risk of malicious applications attempting to trick users into granting access to their organization’s data.
As always, we’d love to hear your feedback or suggestions. Let us know what you think in the comments below or on the Azure AD feedback forum. You may also send your questions, open issues, and feature requests through Microsoft Q&A by using the tag #AzureADChangeManagementJune2022Train.