Retirement of (Azure AD) Graph and license assignment operations and updates to license management APIs and PowerShell

Today, as communicated on Tech Community, we are providing a reminder that the end of support for Azure Active Directory (Azure AD) Graph will be on June 30, 2022. Apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint.

Since the Azure AD Graph APIs are being retired, we are also retiring the license assignment operation in the MSOnline and Azure AD PowerShell modules.


Passwordless phone sign-in with Microsoft Authenticator experience changing

We are modifying the experience in the Microsoft Authenticator app when approving passwordless phone sign-in requests.

When will this happen:


The settings that allow users to create groups in the Azure portal have been improved

The Azure Active Directory settings that control how users can create security and Microsoft 365 groups have been updated.


Ability to assign roles to Azure AD groups is now generally available!

Note: If you do not have the Azure Active Directory (AAD) Premium P1 or the Azure Active Directory (AAD) Premium P2 license, you can safely ignore this message.

Ability to assign roles to Azure Active Directory groups is now generally available. Assigning roles to groups can simplify the management of role assignments in Azure Active Directory in two ways:


Reminder: Azure Active Directory – Enable support for TLS 1.2 protocol to avoid service impact

Note: If you have already transitioned to TLS 1.2, you can safely disregard this message.

As previously announced, we will soon begin to retire support for the following protocols and ciphers in Azure Active Directory:


Location Based Access Control

Many of our largest customers, typically in the banking and financial industries, are governed by strict standards. Their employees have access to very sensitive data and can only access that data within the boundaries of a single country. Admins currently restrict access to sensitive data based on IP address. However, an IP address is less accurate and less reliable than GPS data. Thus, admins need the ability to restrict access based on GPS data.

Now, admins will have the ability to create Conditional Access policies to allow/deny access using a new type of Named Location based on GPS data. When the policy is enabled, end users will need to share their GPS location from the mobile device on which Microsoft Authenticator is installed. The user’s mobile device is a good indication of the user’s actual location at the time.


New Azure AD built-in roles to reduce Global administrator dependency

We’ve created two new roles, Authentication policy administrator and Domain name administrator, to help reduce the number of Global Administrators in your organization. 


Microsoft Authenticator code matching for MFA notifications

This release of Code Match for Multi-Factor Authentication is available for Android and iOS and will allow you to turn on code matching for the Microsoft Authenticator app and apply the behavior to specific users or groups. Once enabled, users will be required to match the number on the sign-in screen with the number in the app.

This message is associated with Microsoft 365 Roadmap ID 70617.


Azure SSL/TLS Certificate Changes

In early November, DigiCert replaced the certificate of an Intermediate Certificate Authority (ICA) which issues SSL/TLS certificates used by Azure Active Directory (Azure AD) services, such as Microsoft 365 and Dynamics 365, in the Public and US Government Clouds. In most cases, no action is required. However, if you explicitly hard code (i.e. “pin”) the ICA certificates to be trusted or have custom solutions that depend on storing ICA certificates in a trust store, you will need to take action as soon as possible in order to avoid service disruptions.

Note: We expect that most customers will not be impacted. You may be impacted, however, if you have applications that explicitly specify a list of trusted ICAs, either by hard coding them (“certificate pinning”) or by operating a trust store.


I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.