Reminder: Azure Active Directory – Enable support for TLS 1.2 protocol to avoid service impact

Note: If you have already transitioned to TLS 1.2, you can safely disregard this message.

As previously announced, we will soon begin to retire support for the following protocols and ciphers in Azure Active Directory:
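For applications that talk to Azure AD directly, the client-side change is to set a protocol floor rather than accept whatever the local TLS library offers. The following is an added Python example, not code from Microsoft or from this post, that shows the weak setting next to the corrected one and an audit helper you can run against your own contexts; `negotiated_version` takes whatever endpoint you are validating as an argument (an assumption, no specific host is implied) and is the only part that touches the network.

```python
import socket
import ssl


def legacy_client_context() -> ssl.SSLContext:
    """The setting being retired: removes the version floor, so the client will
    complete a handshake on the oldest protocol the local library still offers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # weak: no floor at all
    return ctx


def tls12_client_context() -> ssl.SSLContext:
    """Corrected setting: refuse any handshake below TLS 1.2, so a downgrade
    attempt or a misconfigured peer fails loudly instead of silently falling
    back to a retired protocol."""
    ctx = ssl.create_default_context()  # keeps hostname checking and CA verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enforces_tls12(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True when the context cannot negotiate below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def negotiated_version(ctx: ssl.SSLContext, host: str, port: int = 443) -> str:
    """Connect with the given context and report the protocol actually negotiated
    (e.g. "TLSv1.2" or "TLSv1.3"). Network call, so it is not exercised offline;
    `host` is an assumed argument supplied by the caller."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()),
                      ("tls12", tls12_client_context())):
        print(f"{name:7s} enforces TLS 1.2: {enforces_tls12(ctx)}")
```

`create_default_context()` already verifies the server certificate and hostname; the example only adds the protocol floor on top of that, which is the part the retirement notice is about. Libraries that wrap `ssl` (for example `requests` through `urllib3`) accept a pre-built context, so the same floor can be applied there.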


Location Based Access Control

Many of our largest customers, typically in the banking and financial industries, are governed by strict standards. Their employees have access to very sensitive data and can only access that data within the boundaries of a single country. Admins currently restrict access to sensitive data based on IP address. However, IP address is less accurate and less reliable than GPS data. Thus, admins need the ability to restrict access based on GPS data.

Now, admins will have the ability to create Conditional Access policies to allow or deny access using a new type of Named Location based on GPS data. When the policy is enabled, end users will need to share their GPS location from the mobile device on which Microsoft Authenticator is installed. The user’s mobile device is a good indication of the user’s actual location at the time.


New Azure AD built-in roles to reduce Global administrator dependency

We’ve created two new roles, Authentication policy administrator and Domain name administrator, to help reduce the number of Global Administrators in your organization. 


Microsoft Authenticator code matching for MFA notifications

This release of Code Match for Multi-Factor Authentication is available for Android and iOS and will allow you to turn on code matching for the Microsoft Authenticator app and apply the behavior to specific users or groups. Once enabled, users will be required to match the number on the sign-in screen with the number in the app.

This message is associated with Microsoft 365 Roadmap ID 70617.


Azure SSL/TLS Certificate Changes

In early November, DigiCert replaced the certificate of an Intermediate Certificate Authority (ICA) which issues SSL/TLS certificates used by Azure Active Directory (Azure AD) services, such as Microsoft 365 and Dynamics 365, in the Public and US Government Clouds. In most cases, no action is required. However, if you explicitly hard code (i.e. “pin”) the ICA certificates to be trusted or have custom solutions that depend on storing ICA certificates in a trust store, you will need to take action as soon as possible in order to avoid service disruptions.

Note: We expect that most customers will not be impacted. You may be impacted, however, if you have applications that explicitly specify a list of trusted ICAs, either by hard coding them (“certificate pinning”) or by operating a trust store.
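To see why a hard-coded ICA breaks when the intermediate is replaced, here is an added Python example (mine, not Microsoft's or this post's code). It parses a PEM chain the way you would capture one with `openssl s_client -showcerts`, computes SHA-256 fingerprints of each certificate, and evaluates three pin sets against the chain before and after an ICA swap. The certificates are constructed stand-ins wrapped in PEM armour, not real DigiCert or Azure AD certificates; real fingerprints come from `openssl x509 -noout -fingerprint -sha256`.

```python
import base64
import hashlib
import re
from typing import List, Set

# Matches each certificate in a PEM bundle such as the output of
# `openssl s_client -showcerts` or a chain exported from a trust store.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def chain_fingerprints(pem_bundle: str) -> List[str]:
    """SHA-256 fingerprint (lowercase hex) of every certificate in the bundle,
    in the order presented (leaf first when the bundle came from a handshake)."""
    fps = []
    for b64 in _PEM_CERT.findall(pem_bundle):
        der = base64.b64decode("".join(b64.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def chain_matches_pins(pem_bundle: str, pins: Set[str]) -> bool:
    """Typical pin check: the chain is accepted when ANY certificate in it
    matches a pinned fingerprint. Pinning runs in addition to, never instead
    of, normal path validation against the trust store."""
    return any(fp in pins for fp in chain_fingerprints(pem_bundle))


# --- constructed sample data: stand-ins, not real certificates ---
def _fake_pem(label: str) -> str:
    """Wraps arbitrary bytes in PEM armour so the parsing path is exercised;
    a real DER certificate would occupy this slot."""
    body = base64.encodebytes(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


ROOT = _fake_pem("root CA, unchanged by the rotation (constructed)")
OLD_ICA = _fake_pem("intermediate CA before replacement (constructed)")
NEW_ICA = _fake_pem("intermediate CA after replacement (constructed)")
OLD_LEAF = _fake_pem("service certificate issued by OLD_ICA (constructed)")
NEW_LEAF = _fake_pem("service certificate issued by NEW_ICA (constructed)")

CHAIN_BEFORE = OLD_LEAF + OLD_ICA + ROOT  # what clients saw before the ICA swap
CHAIN_AFTER = NEW_LEAF + NEW_ICA + ROOT   # what clients see afterwards


def fingerprint(pem_cert: str) -> str:
    return chain_fingerprints(pem_cert)[0]


# Three pin sets a hard-coding application might ship with.
PIN_OLD_ICA_ONLY = {fingerprint(OLD_ICA)}                           # breaks on rotation
PIN_ICA_WITH_BACKUP = {fingerprint(OLD_ICA), fingerprint(NEW_ICA)}  # survives if the backup shipped in time
PIN_ROOT = {fingerprint(ROOT)}                                      # unaffected by an ICA swap


def rotation_report() -> dict:
    """Which pin sets still accept the post-rotation chain."""
    return {
        "old_ica_only": chain_matches_pins(CHAIN_AFTER, PIN_OLD_ICA_ONLY),
        "ica_with_backup": chain_matches_pins(CHAIN_AFTER, PIN_ICA_WITH_BACKUP),
        "root": chain_matches_pins(CHAIN_AFTER, PIN_ROOT),
    }


if __name__ == "__main__":
    for name, ok in rotation_report().items():
        print(f"{name:16s} {'still works' if ok else 'BROKEN after rotation'}")
```

The same logic applies to a custom trust store that lists only the old ICA: the new chain contains no certificate the store knows, so validation fails even though the root never changed. Either pin at a level that is not being rotated, or ship the replacement ICA as a backup pin before the issuer switches over.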


I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.