Monthly Recap
The StrongDM Monthly Recap highlights the most important feature releases and product announcements for each month.
Minimum Supported Versions
StrongDM users must use the minimum supported version (or higher) of the desktop app and CLI to ensure the best experience when using the product. See our Support Policy for more details.
Current minimum versions as of October 1, 2025:
App: 21.87.0
Client: 45.19.0
Groups Now Available
As of October 2, 2025, our user groups feature is generally available!
Groups let you manage sets of users directly in StrongDM, simplifying onboarding and aligning with familiar IAM concepts. With groups, you can assign roles at scale, migrate existing roles into flexible group and role combinations, and manage membership automatically via SCIM provisioning.
Groups represent a new design for StrongDM, in which roles are distinct from groups. Previously, the StrongDM role functioned both as a way to group users and as a role to provide access to resources. Now, you can right-size roles and define access more flexibly by using groups to group users and roles to provide access. Existing StrongDM customers can continue using roles as they are today, adopting groups gradually when ready.
If your StrongDM organization was created before Oct 2, 2025, use the Groups Migration guide to get started using groups. When you are ready, you can switch SCIM provisioning to create groups instead of roles.
If your organization was created after October 2, 2025, we recommend adding users to groups, defining access rules in roles, and assigning groups to roles to provide access to the users within groups. Your SCIM provisioning will create groups by default.
September 2025
StrongDM Discovery (GA): Made StrongDM Discovery generally available. Our discovery feature automatically detects the most common types of AWS, Azure, and GCP resources from your clouds, helping you to streamline onboarding in quickly changing environments.
Just-In-Time (JIT) Access for Microsoft Cloud (GA): Made the Microsoft Entra ID cloud resource type generally available. StrongDM admins can now securely elevate user privileges by dynamically managing Entra ID group memberships to enable time-bound access across Entra ID admin roles, Azure IaaS console roles, and Microsoft 365 admin roles.
Log Stream to GCS and Azure (GA): Added support for streaming logs to Azure Blob Storage and Google Cloud Storage (GCS) in addition to the existing capability to stream logs to AWS S3.
August 2025
Entitlements Visibility (GA): Made our Entitlements Visibility feature generally available. StrongDM admins can now view user, resource, and role entitlements in one place within the StrongDM Admin UI, making it easier than ever to audit and manage access.
RDP Certificate-Based Authentication Updates: To align with a Microsoft change on September 9, 2025, that directly impacts how StrongDM handles RDP certificate-based authentication for Windows systems, released updates to support explicit SID configuration in RDP certificate-based resource configuration. Customers can add SIDs in two ways: for leased credentials, retrieve SIDs for AD accounts used in resource configuration; for Identity Aliases, provision SIDs via their identity provider (for example, Okta via SCIM). Please see the documentation for configuration information.
Added support for the following datasources and authentication enhancements:
Amazon MQ (AMQP): There are now resource types for both 0.9.1 and 1.0.0 AMQP servers.
July 2025
Selective Log Storage in StrongDM: Made selective log storage options in the Admin UI generally available. Admins can now select which log types and replay types are stored centrally with StrongDM, as well as view a summary of where all logs will be stored and what that means.
RSA ID Plus MFA: Made RSA ID Plus MFA generally available. Support for RSA ID Plus MFA allows admins to secure logins to StrongDM as well as the resources they manage with StrongDM as part of the connect action powered via StrongDM policies.
Virtual Networking Mode (GA): Made Virtual Networking Mode generally available for organizations with the enterprise plan. An alternative connectivity mode to the default Loopback Mode, Virtual Networking Mode supports high-scale resource onboarding, enables resources to be accessed via both DNS and IP address, and more.
June 2025
Entitlements Visibility (Beta): Added entitlements visibility to the Admin UI, which provides views that enable admins to know who has access to which resources and why at any given point in time.
Resource Discovery (Beta): Added a tool that can be used to locate assets hosted in your cloud provider and then onboard them as resources in StrongDM quickly and efficiently.
May 2025
Desktop App Region Field: Added the Region field to the desktop app login screen and CLI login. This field allows users to set the StrongDM control plane they intend to log in to and use.
Manager-Based Approvals: Made manager-based approvals generally available. This enhancement allows admins to configure dynamic approval workflows using a requester’s manager and/or manager’s manager as approvers.
Session IDs in Log Stream Queries: Updated query logs to pass metadata that includes the session ID field, which uniquely identifies the Microsoft SQL Server session in which a user performed a particular query. Metadata is now available in the output of sdm audit queries in the CLI and in Log Stream query logs.
April 2025
Multi-Step Approval Workflows: Added the ability to create multi-step approval workflows. With this enhancement, complex multi-step approval workflows that require one or all approvers to approve the request can be created, allowing you to incorporate a more complex, custom approval process for temporary access via access workflows.
Added support for the following datasources and authentication enhancements:
Amazon Elasticsearch (IAM): Provides support for IAM authentication to Elasticsearch/Opensearch.
Redis Cluster: Supports clustered Redis configurations.
Redshift (IAM): Provides support for IAM authentication to Redshift.
Vertica: Now supported as a managed datasource.
Identity Aliases with SSH (Customer Managed Key): Added the ability to use Identity Aliases with StrongDM to proxy authentication with your SSH (Customer Managed Key) resources.
Kubernetes Deployment Guide: Updated the documentation to provide information on how to configure and manage supported Kubernetes deployments.
March 2025
Database Operator Permission Level: Added the ability for StrongDM admins to assign the Database Operator permission level to users. This permission level allows the user to:
View, search, and filter the resource lists
Add/update/remove resources
Troubleshoot issues by reviewing resource logs (but not view Activities or Policy logs)
Concurrent Requests Setting: Added a new setting, Number of concurrent pending requests, at the organization level. Admins can use it to control how many access requests to the same resource can be pending at once from a single user. By default, it is set to 1 (only one pending request per resource allowed), but you can increase it to allow multiple requests (for example, to schedule future access or request different privilege levels). It is available in the Admin UI (Settings > Workflows), CLI, or SDK.
Kubernetes Management: StrongDM's new Kubernetes capabilities provide streamlined onboarding, simplified management, and fine-grained authorization. Automated cluster registration minimizes operational overhead in dynamic environments, while fine-grained, policy-based authorization ensures users have only the access they need. And with just-in-time privilege escalation, users can securely request elevated access when required, reducing standing privileges and improving overall security posture.
Managed Secrets: StrongDM Managed Secrets now provide vault-agnostic, Zero Trust access to Active Directory (AD) credentials. Administrators can allow privileged users to securely retrieve, rotate, and validate AD credentials, all governed by StrongDM’s policies. New features include:
Vault-agnostic secure storage of Active Directory credentials
Vaults supported: Azure Vault, AWS Secrets Manager, GCP Secret Manager, and HashiCorp Vault
Policy-based secure access to the vaulted credentials
On-demand or periodic rotation of Active Directory credentials
Coming soon: detailed reporting on the usage of the secrets that we manage
Proxy Clusters: Released our new deployment model for proxying user traffic to your resources. Proxy clusters offer simplified deployment, improved visibility, scalability, high availability, and seamless migrations.
Athena (IAM): Added Athena (IAM) as a datasource resource type to provide IAM authentication support for Athena.
February 2025
Kubernetes Management (Beta): Added beta support for account and groups discovery and auto-registration of Kubernetes clusters, and added fine-grained access control at the cluster groups level.
Managed Secrets (Beta): Added beta support for managing access to secrets and facilitating the rotation of managed secrets stored in the secret store of your organization’s choice.
January 2025
Maximum or Fixed Durations for Access Requests: Added new access workflow settings that let you override your organization-level settings and specify a maximum or fixed duration for user access requests processed via workflows.
Added support for the following datasources and authentication enhancements:
GCP (Workforce Identity Federation): This release provides support for admin access to the Google Cloud Platform through GCP's Workforce Identity Federation. There are two resource types available for this purpose: GCP CLI/SDK (Workforce Identity Federation) for command line administration and GCP Web Console (Workforce Identity Federation) for use of the Web Console in the browser.
ClickHouse: Added support for HTTP, MySQL, Postgres, and TCP for connection to ClickHouse.
December 2024
Multiple Resource Access Requests: Released the ability to request access to multiple resources via all methods, including the Admin UI and integrations with Jira, ServiceNow, Slack, and Teams.
Cedar-Go 1.0.0: Released version 1.0.0 of our Cedar-Go implementation. Cedar-Go is the native GoLang port of the open-source Cedar Authorization language, which powers StrongDM’s Zero Trust policies. This release delivers performance and usability improvements for developers that use the Go port of Cedar.
November 2024
Integration with Jira: Made integration with Jira generally available, enabling users to browse the resource catalog, request access, and be approved from within Jira.
Integration with Teams: Made integration with Teams generally available, enabling users to browse the resource catalog, request access, and be approved from within Teams.
Utilization Report and Reports Enhancements: Added the new Utilization report and enhanced all other reporting dashboards with performance updates and improved filtering.
AWS (Instance Profile): Added AWS (Instance Profile) as a cloud resource type to provide EC2 instance profile support for the AWS CLI.
Healthchecks for node/resource pairs: Added the ability to list the latest healthcheck for every node/resource pair in the SDKs and in the CLI.
Improved API Keys: Changed the format of API access keys from a long Base64-encoded string to a hex string in the format auth-0123abcd.
October 2024
Time Context in Policies: Added time in context attributes for policies, allowing policies to be written against properties of the current time (in UTC) when authorization is performed.
Desktop App Updates: Updated the desktop app menu by changing the name of the menu button, adding new menu categories, and reorganizing the menu options.
Log Stream Organization IDs: Added a StrongDM organization identifier to logs emitted through Log Stream.
UK Region Support: Added support for the UK region, allowing StrongDM to be used in the UK or US; updated the documentation to include tabbed contents for each region for information related to Admin UI URLs, node installation, binary downloads, MFA configurations that use Okta Verify, and SSO configurations that use Okta.
September 2024
New StrongDM Experience: Updated the Admin UI with a new left navigation menu, and updated both the Admin UI and desktop app with a refreshed layout, colors, and styling.
Couchbase: Made the Couchbase resource type generally available in the Admin UI, CLI, SDKs, and StrongDM Terraform Provider.
Enforce Single Session Setting: Added the Enforce Single Session setting, which allows admins to restrict concurrent sessions for logged-in users to a single session for the Admin UI and a single session for the desktop app.
Email Identity Set: Added support for email addresses to pass through Identity Sets, so that all Identity Aliases in the Identity Set are the user's corresponding email address.
August 2024
Cisco Duo Device Trust: Released support for Cisco Duo Device Trust.
SSO With Ping Identity (OIDC): Released Ping Identity SSO (OIDC).
Kubernetes Management (Beta): Added beta support for Kubernetes Management tools, which includes Resource Discovery and Principal Bindings for Kubernetes clusters.
CLI, SDK, and Terraform Support for PBAC: Added CLI, API Reference, and Terraform support for Policy Based Action Control (PBAC), enabling admins to automate the delivery of policies into production environments.
Enhanced StrongDM UI and UX: Announced the new StrongDM experience for the Admin UI and desktop app. Starting as early as September 10, the desktop app will have a refreshed layout, colors, and styling. Then on September 17, those changes along with updates to the left navigation menu of the Admin UI will be applied to all environments.
July 2024
PBAC for Postgres: Released Policy Based Action Control for Postgres, which allows Enterprise organizations to use policies to respond to particular actions on supported Postgres resource types. Now policy can be enacted for over 180 specific actions on Postgres resources, including CRUD operations, and can be combined with the context, MFA, and justification requirements that are available for other resource types. In addition, this release adds the Policy Editor and builder controls to the Admin UI, enabling admins to create policies in the Cedar policy language.
MFA with Okta Verify: Added Okta Verify as a multi-factor authentication (MFA) option for your StrongDM users.
Desktop App Updates: Updated the desktop app with usability enhancements, including a new location for the Account menu and a new option to connect to all resources.
Loopback IP Ranges: Added the ability for admins to modify the loopback range available on local machines, so that resources may be assigned to a larger range of IP addresses and ports than was previously possible on only 127.0.0.1. This is significant for organizations that require more resources than the number of ports that were originally available, or around 60,000.
June 2024
Policies (Beta): Beta for Policies includes Policy Based Action Control, which allows policies to respond to particular actions on supported resources. In addition, the beta introduces the Policy Editor, which enables policy creation by allowing policies to be written in the Cedar policy language. It also provides a set of builder controls to create policies easily, even if you are unfamiliar with Cedar.
Identity Aliases: Changed "Remote Identity" to "Identity Alias" and introduced Identity Sets. An Identity Alias is a username that is used when connecting to a resource, and an Identity Set is a group of Identity Aliases that are allowed to be used to connect to specific resources. Admins can now add the Identity Aliases of StrongDM users to Identity Sets, and configure resources to use those Identity Sets for connection.
MongoDB (Sharded Cluster): Added support for the MongoDB (sharded cluster) resource type with load balancing. Also expanded MongoDB support in general to cover versions 7 and 8.
Device Trust: Added support for Microsoft Defender as a Device Trust provider.
Multi-factor Authentication: Added a guide that covers the MFA options for user authentication to StrongDM as well as options for adding MFA prompts on resource connection through policies.
May 2024
Keyfactor EJBCA (SSH): Released Keyfactor EJBCA (SSH), a new third-party certificate authority (CA) integration that allows certificate-based SSH resources to authenticate using certificates issued by Keyfactor EJBCA. This third-party CA type is available for organizations that have the Enterprise plan enabled.
Added AWS Auth to Vault: Added AWS EC2-based authentication and AWS IAM-based authentication methods to HashiCorp Vault secret store integration.
MFA with Okta Verify: Added Okta Verify as an MFA option.
April 2024
Keyfactor EJBCA (RDP): Released Keyfactor EJBCA (RDP), a new third-party certificate authority (CA) integration that allows certificate-based RDP resources to authenticate with certificates issued by Keyfactor EJBCA. This third-party CA type is available for organizations that have the Enterprise plan enabled.
March 2024
Policies: Released context-based policy features in the Admin UI. Available to Enterprise organizations, context-based policy allows admins to require MFA or text justifications or to require approval workflows to be followed in order to allow users to access resources. Policies can consider conditions such as the geographic location of the user and the Device Trust score of the user's machine when making access decisions.
Approval Workflows: Released approval workflows, the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied. This release separates the approval criteria from access workflows, which enables the same approval steps to be reused by multiple workflows and/or policies. As such, organizations with workflows enabled now have two access pages in the Admin UI: Access Workflows, for defining what can be requested and by whom; and Approval Workflows, for defining approval criteria, such as auto-approval, manual approval, and so forth. Approval workflows may be created and managed in the Admin UI, CLI, and SDKs.
Certificate Authorities: Released third-party certificate authority (CA) integrations that allow Enterprise organizations to bring their own CA provider for SSH and RDP certificate generation. Third-party CA integration allows any supported CA, instead of the default Strong CA provided by StrongDM, to be used for authentication of certificate-based RDP and SSH resources. At this time, StrongDM supports the following third-party CA integrations:
Managed Installer Client Updates: Updated the PKG (macOS) and EXE (Windows) installers to install Virtual Networking Mode (VNM) if run with admin privilege.
Updated Permission Level Restrictions on SDKs: Updated the SDKs and Terraform provider to allow a user’s permission level to be modified (for example, change User to DBA, or change DBA to Team Leader). When creating an API key and selecting the Delegate scope to enable this behavior, there is a new option, Allow Changes to Admins, which is a new scope on API keys that allows admin users to be modified via the SDKs and Terraform as well. This update applies to server version 85.46.0 and higher, all SDK (Go, Java, Python, Ruby) versions 7.0.0 and higher, and Terraform provider version 8.0.0 and higher.
February 2024
Explicit Routing: Released Explicit Routing, an advanced feature that allows network administrators to define their organization’s network topology by segmenting gateways, relays, and resources into explicitly declared peering groups. The CLI, SDKs, and Terraform are supported.
RDP (Certificate Auth): Released the RDP (Certificate Based) server resource type and added support for Identity Aliases.
SSH (Certificate Auth): Changed the "Secret Store" property on certificate-based RDP and SSH server forms in the Admin UI to "Certificate Authority" to allow selection of a desired certificate authority (default is Strong CA).
Integration With Slack: Updated the StrongDM integration for Slack to a new version, which offers channel-based approvals, multiple-resource requests, improved request/resource filtering, and various UI/UX improvements. Current users of the Slack app will need to reinstall it, as the new version requires additional scopes to be approved. Please note that if your organization does not update its Slack app to approve the new scopes, it will still be compatible with the latest changes and will receive the UI updates. However, users will not be able to use channel-based approvals until the app is updated.
Log Stream: Changed the file format and path location of replay data stored to Amazon S3 with Log Stream enabled.
January 2024
Certificate Authorities: Added the Certificate Authorities page to the Admin UI, enabling Strong CA certificates to be managed and rotated.
Fixed Duration Setting for Access Requests: Added a fixed duration setting for access requests on the Workflows settings page of the Admin UI.
Reports: Revitalized the Admin UI Reports Library with new dashboards providing in-depth analysis of access grants to resources, organization posture and risks, and more.