Today, Microsoft revealed a new feature within the Azure AD Portal, called Azure AD Recommendations. This feature identifies personalized opportunities for you to implement Azure AD best practices.
• The feature is at the time of writing in Public Preview.
• This preview is currently only available for customers in public clouds.
Azure AD recommendations helps you ensure that your tenant follows Microsoft best practices. In addition, it helps you identify opportunities to implement Azure AD-related features and improve the state of your Azure AD tenant.
Prerequisites
The following roles can enable the Azure AD recommendations preview. Enabling the feature only applies to your own account; other users must turn the preview on themselves to interact with it.
• Global admin
• Global reader *
• Security admin
• Security reader *
• Reports reader *
• Security operator
• Cloud application admin
• Application admin
* These roles can’t update the status of the recommendation. They can’t complete, dismiss, postpone or reactivate a recommendation.
Available recommendations
There are five publicly available recommendations. However, not all of them may appear in your tenant. This depends on your tenant configuration. You won’t see a recommendation if it does not apply to your tenant.
- Integrate 3rd party apps with Azure AD
- Convert from per-user MFA to Conditional Access MFA
- Minimize MFA prompts for users signing in from unknown devices
- Migrate apps from AD FS to Azure AD
- Migrate eligible users from SMS and voice call to use the Authenticator app
Known issues
Public Preview features are released so that you can evaluate them. Since this feature has not yet reached general availability, the Supplemental Terms of Use for Microsoft Azure Previews apply. Microsoft Customer Support Services will provide support during this phase, but normal service level agreements do not apply.
- You can update the status of a recommendation with the read-only roles mentioned earlier.
- Tenants in North America are assessed every 48 hours.
- The “Convert from per-user MFA to Conditional Access MFA” recommendation does not include the list of detected users.
- Azure AD audit logs only record actions when completing a recommendation.
- Azure AD audit logs do not record actions taken by a read-only role.
Below you will find a detailed description of how to enable this feature.
Configure Azure AD recommendations
Enabling the new feature is a piece of cake, and it is enabled by default.
Note: During public preview, it can take some time before the new feature appears.
Browse the Azure Portal and go to Azure Active Directory > Overview > Preview features. Here you can toggle on the Azure AD recommendations feature.
Recommendations
The recommendations (preview) tab shows the number of recommendations found in your tenant, followed by the priority. Every 24 hours, the service scans your tenant data against a set of conditions defined for each recommendation.
In my example, you can see three recommendations.
Migrate eligible users from SMS and voice call to use the Authenticator app
In my demo tenant, 796 users are still using SMS and voice calls as an authentication method. This is shown in the description field. Next, the value field explains why we should apply the recommendation. Finally, the action plan field shows us how to apply it. Most of these recommendations refer to the Microsoft docs.
Actions you can take on recommendations
Completed:
Mark a recommendation as complete once you have taken the necessary steps.
Dismissed:
Dismiss a recommendation if it doesn’t apply (or isn’t relevant) to your organization.
Postponed:
Postponing a recommendation allows you to set a date to address it in the future.
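The portal blade is the only interface the post covers, but the same recommendation list, with the priority and the Completed/Dismissed/Postponed status discussed above, can be pulled into a script so it can be tracked outside the portal. The following is an added example and not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the beta endpoint /directory/recommendations and the DirectoryRecommendations.Read.All permission are available to your tenant.

```powershell
# Added example (not part of the original post): list the tenant's Azure AD
# recommendations through Microsoft Graph instead of the portal blade.
# Assumptions: Microsoft.Graph SDK installed; the beta endpoint
# /directory/recommendations and the DirectoryRecommendations.Read.All
# permission are available (both were still beta at the time of writing).
Connect-MgGraph -Scopes "DirectoryRecommendations.Read.All"

$uri = "https://graph.microsoft.com/beta/directory/recommendations"
$response = Invoke-MgGraphRequest -Method GET -Uri $uri

# Each item carries the fields the portal shows: name, priority,
# status (active, completed, dismissed, postponed) and last assessment time.
$report = foreach ($rec in $response.value) {
    [pscustomobject]@{
        Recommendation = $rec.displayName
        Priority       = $rec.priority
        Status         = $rec.status
        LastChecked    = $rec.lastCheckedDateTime
    }
}
$report | Format-Table -AutoSize

# Active recommendations are the ones still waiting for an owner; surface
# them separately so they can be handed to a ticket or dashboard.
$open = @($report | Where-Object { $_.Status -eq 'active' })
Write-Host ("{0} recommendation(s) still active" -f $open.Count)
```

Because the audit log only records a completion (see Known issues), a periodic run of a read-only query like this is the simplest way to notice when a recommendation has been dismissed or postponed.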
More information
For more information, refer to the following Microsoft docs: What is Azure Active Directory recommendations (preview)? | Microsoft Docs