Release 5.18

July 2021

ActiveSync now supported for Microsoft Office 365 with OAuth 2 device code authentication

Identity as a Service now supports ActiveSync using OAuth 2 device code authentication. A new setting has been added to the ActiveSync Access page to migrate existing administration from using basic authentication to OAuth 2 device code authentication.

Group-based Policy

The existing Settings menu has been split into two menus: Configuration and Policies.

Configuration settings apply globally to the tenant. Using Policies, administrators can adjust settings on a per group basis. For example, you can configure users in different groups to use different levels of security, such as the length of the OTP and lockout attempts.

One-step Multi-factor Authentication

One-step multi-factor authentication is been added to RADIUS applications.

New settings have been added under RADIUS Application page to enable one-step multi-factor authentication and to specify the length of second factor response. When enabled, the user must enter their password and second-factor response in the same password field. Only temporary access code and token are supported as second-factor authenticators. Also, the second factor can be opted from the resource rules page. As a second factor authenticator, Soft token and Temporary access code are supported.

Changes to Administration Portal

The following enhancements have been made to the administration portal:

• The Risk-based authentication (RBA) Location History table has been refreshed to include a delete and add expected location options for each row in the table. In addition, filter options have been added to search by Last Authentication Time and Country.

Trial Account Expiry

Trial accounts now expire after 60 days instead of 30 days.

Additional enhancements to OTP-based authentication

Administrators can now set the default OTP delivery attribute for each type of delivery - Email, SMS and Voice.

Users can now set their own OTP delivery attributes in the user portal.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.

Changes to Identity as a Service APIs

The following changes have been made to the authentication API:

• supportChoosingOtpDelivery has been deprecated from UserAuthenticateQueryParameters. Clients who support choosing OTP delivery can still work without having to supply this flag.
• supportChoosingOtpDelivery has been deprecated from UserAuthenticateQueryParameters. Clients who support choosing OTP delivery can still work without having to supply this flag.

The following changes have been made to the administration API:

The following attributes have been added to models in the administration API.

• otpSmsDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the SMS OTP when no attribute is specified.
• otpEmailDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the Email OTP when no attribute is specified.
• otpVoiceDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the Voice OTP when no attribute is specified.
• the attribute registrationEnabled has been added to User. This attribute indicates if registration is enabled for the specified user.

The value NONE has been deprecated from the enumerated type OTPDeliveryType in OTPAuthenticatorSettings. Use of default attribute specific to delivery mechanism is recommended eg. otpSmsDefaultDeliveryAttribute, otpEmailDefaultDeliveryAttribute"