Azure Active Directory

Welcome to the Azure Active Directory Forum.

How can we improve Azure Active Directory?

• Admin Consent Portal

  Allow users to request admin consent to an application and have that appear within the portal. As an administrator it's a challenge to source the application_id and approve the application for all users if required.

  1 vote · 0 comments · Admin Portal
• Link a connector to a different Application Proxy service region.

  We have AAD Application Proxy Connectors installed in both Australia and Singapore; however, the Azure AD tenant is in Australia, so all traffic has to loop via the Australian Application Proxy Service.

  This is a problem for our Indonesian users. We set up servers and AADAP connectors in Azure Singapore with the expectation it would provide low latency to Indonesia, but that is not the case.

  Please allow us to associate a Connector Group with a specific region so that the connectors and applications linked to the connector group are routed via the expected Application Proxy service region.

  1 vote · 0 comments · Application Proxy
• 1 vote · 2 comments · Developer Experiences
• Possibility to set attribute LastPasswordChangeTimestamp

  Following the article
  https://support.microsoft.com/en-us/help/4025960/federated-users-in-azure-ad-are-forced-to-sign-in-frequently we're trying to set the attribute LastPasswordChangeTimestamp with PowerShell.

  By using the cmdlet "Set-MsolUser" with the parameter "LastPasswordChangeTimestamp" nothing happens. The value stays empty / does not change. No error message from the cmdlet. Seems to be a bug!

  The new cmdlet "Set-AzureADUser" does not seem to support this action; at least there is no parameter like "LastPasswordChangeTimestamp": https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0

  Please give us a way to programmatically set the attribute LastPasswordChangeTimestamp for an Azure AD user.

  4 votes · 0 comments · PowerShell
• Change email policy

  Could you plan a "change email policy" for B2C users? My customers want to change their login email address themselves.
  Now we can't change the email address for local account users.

  1 vote · 0 comments · B2C
• Add support for guest user login on the common endpoint.

  Currently Azure AD B2B doesn't support guest/external user login on the common endpoint. Hence it is very difficult to develop a multi-tenant application supporting guest user login. Developers have to set a specific tenant ID to use OpenID Connect authentication.

  1 vote · 0 comments · B2B
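Whichever endpoint a multi-tenant app signs users in through, when it accepts tokens via `common` the tenant check is the app's job: the `common` issuer is not a fixed string, the `iss` and `tid` claims name the tenant the token was issued for, and the app decides which tenants (and therefore which invited guests) it serves. The following is an added example, not code from the post above or from Microsoft. It builds a constructed, unsigned token so the check can run offline (the app ID and tenant IDs are made up), and it assumes that signature validation against the issuing tenant's published keys has already been done.

```python
import base64
import json
import re

# Issuer formats Azure AD places in its tokens: the v2.0 endpoint form and the
# v1.0 (sts.windows.net) form. Both embed the tenant ID.
ISSUER_PATTERNS = (
    re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$"),
    re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$"),
)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed token for offline use only. Real Azure AD tokens are RS256-signed
    and an app must reject alg=none; this exists so the tenant check below can be
    exercised without a live tenant."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. Signature verification against the
    issuing tenant's keys is assumed to have happened before this is called."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def tenant_from_issuer(iss: str):
    """Tenant ID embedded in an Azure AD issuer URL, or None for any other issuer
    (including the literal 'common' form, which never appears in an issued token)."""
    for pattern in ISSUER_PATTERNS:
        match = pattern.match(iss)
        if match:
            return match.group(1)
    return None


def accept_token(claims: dict, audience: str, allowed_tenants: set) -> bool:
    """The check a multi-tenant app has to do itself when it uses /common: the token
    is for this app, the issuer is an Azure AD issuer, the tid claim agrees with the
    issuer, and the tenant is one the app has chosen to serve. A B2B guest signing in
    to the tenant that invited them carries that tenant's tid, so invited guests pass
    exactly when the resource tenant is on the allow-list."""
    if claims.get("aud") != audience:
        return False
    tid = tenant_from_issuer(claims.get("iss", ""))
    if tid is None or claims.get("tid") != tid:
        return False
    return tid in allowed_tenants


# Hypothetical identifiers for the demonstration.
APP_ID = "aaaaaaaa-0000-0000-0000-000000000001"
CUSTOMER_TENANT = "11111111-1111-1111-1111-111111111111"
UNKNOWN_TENANT = "22222222-2222-2222-2222-222222222222"

if __name__ == "__main__":
    token = make_unsigned_token({
        "iss": f"https://login.microsoftonline.com/{CUSTOMER_TENANT}/v2.0",
        "tid": CUSTOMER_TENANT,
        "aud": APP_ID,
        "preferred_username": "guest_outlook.com#EXT#@customer.example",
    })
    print(accept_token(decode_claims(token), APP_ID, {CUSTOMER_TENANT}))
```

The allow-list is the part that replaces what a tenant-specific endpoint gives you for free: without it, any Azure AD tenant that has consented to the app can mint a valid, correctly signed token for it.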
• Make it possible to update LastPasswordChangeTimestamp via Graph API

  As mentioned in this article: https://support.microsoft.com/en-ph/help/4025960/federated-users-in-azure-ad-are-forced-to-sign-in-frequently , some federated users are required to log in frequently.

  Although the article presents a resolution in which LastPasswordChangeTimestamp is updated via PowerShell, it actually cannot be. It should be fixed and, more generally, the value should be updatable via Graph API.

  5 votes · 0 comments · Authentication
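Neither the Set-MsolUser workaround in the PowerShell post above nor a Graph write can be shown working here, but the read side can. Microsoft Graph returns `lastPasswordChangeDateTime` on the user resource (to my knowledge it is read-only there, which is the gap both posts describe), so an admin can at least enumerate the synced users whose value is empty or stale and know who is being forced to sign in frequently. The following is an added example, not code from either post or from Microsoft. The response is a constructed stand-in for one page of `GET /v1.0/users?$select=userPrincipalName,onPremisesSyncEnabled,lastPasswordChangeDateTime`; the accounts and timestamps are invented, and following `@odata.nextLink` for further pages is left to the caller.

```python
import json
from datetime import datetime, timedelta

# Constructed stand-in for one page of the Graph response; these accounts and
# timestamps are invented for the example.
SAMPLE_PAGE = json.dumps({
    "value": [
        {"userPrincipalName": "alice@contoso.example", "onPremisesSyncEnabled": True,
         "lastPasswordChangeDateTime": "2019-03-01T08:15:00Z"},
        {"userPrincipalName": "bob@contoso.example", "onPremisesSyncEnabled": True,
         "lastPasswordChangeDateTime": None},
        {"userPrincipalName": "carol@contoso.example", "onPremisesSyncEnabled": False,
         "lastPasswordChangeDateTime": "2019-01-15T12:00:00Z"},
        {"userPrincipalName": "dave@contoso.example", "onPremisesSyncEnabled": True},
    ]
})


def parse_graph_time(value):
    """Graph emits RFC 3339 timestamps with a trailing Z, which fromisoformat()
    did not accept before Python 3.11; rewrite the suffix so both work.
    None (property absent or null) is passed through unchanged."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_password_timestamps(page_json, now, max_age_days, synced_only=True):
    """Split the users on one Graph page into (missing, stale): UPNs with no
    lastPasswordChangeDateTime at all, and UPNs whose value is older than
    max_age_days relative to `now` (a datetime or an RFC 3339 string).
    With synced_only, cloud-only accounts are skipped, since the frequent
    sign-in behaviour concerns federated (directory-synced) users."""
    reference = parse_graph_time(now) if isinstance(now, str) else now
    limit = timedelta(days=max_age_days)
    missing, stale = [], []
    for user in json.loads(page_json)["value"]:
        if synced_only and not user.get("onPremisesSyncEnabled"):
            continue
        upn = user["userPrincipalName"]
        changed = parse_graph_time(user.get("lastPasswordChangeDateTime"))
        if changed is None:
            missing.append(upn)
        elif reference - changed > limit:
            stale.append(upn)
    return missing, stale


if __name__ == "__main__":
    missing, stale = flag_password_timestamps(SAMPLE_PAGE, "2019-07-01T00:00:00Z", 90)
    print("no timestamp:", missing)
    print("older than 90 days:", stale)
```

The `missing` list is the one to act on for the KB article's symptom; `stale` is the set that would trip a tenant-wide maximum password age if one is configured.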
• Add Directory Roles to B2C

  Today all operations in B2C require the Global Admin role. Security-wise this is a BAD idea, as people have different roles in an organization and delegation should be based on the "least privilege principle". Hence, roles (in prioritized order) must be added for:

  1) application management, allowing developers to register their own app definitions
  2) user management, allowing first-line support to assist end users with account problems
  3) policy management, allowing specialized admins to manage built-in and custom policies
  4) read-only roles that can give other IT people view access to apps and users

  9 votes · 0 comments · B2C
• URL field for Active Directory groups and users

  Currently it seems that the Active Directory group and user models do not contain URL fields?
  We are, for example, using Teams channels for communication. It would be nice to configure these in Azure through either groups or users.

  1 vote · 0 comments · Graph API
• When the user signs in with a username INSTEAD OF EMAIL, there is no way we are able to retrieve the email ID entered by the user for validation.

  When the user signs in with a username INSTEAD OF EMAIL, there is no way we are able to retrieve the email ID entered by the user for validation. We would want this feature to retrieve the email entered by the user for communication with them. We really don't like to have one more field to capture the email ID again from the user. Please make the email ID entered by the user during email validation available in the Graph API /users method.

  1 vote · 0 comments · B2C
• Mark all events as "False positive"

  The report "Users flagged for risk": today it's only possible to Dismiss all events, effectively marking them as ignored. We need the ability to mark all events as "False positive". As a company in the travel industry, a lot of our staff travel and sign in from a lot of new locations.

  1 vote · 0 comments · Identity Protection
• Optional automatic fallback from PTA to PHS

  If the last PTA agent fails and the sync group has only invalid agents, there should be an optional configuration to start Password Sync automatically, if the admin chooses this, for truly HA with a local disaster (or internet connectivity failure). Also, sending a notification when the authentication endpoint fails would be great.

  1 vote

• Allow MFA to be enabled for a selected set of B2C users

  We would like users to choose if they want MFA enabled, and therefore a policy should trigger MFA only if the user or admin opts in for it.

  3 votes · 0 comments · B2C
• Keep same element IDs on new Azure AD sign-in page

  As an automation tester, I want the credential inputs on the new Azure AD web-based sign-in page to be found and used the same way as on the old page so that my scripts don't break.

  Currently, the old Azure AD web-based sign-in page has this for the username: <input id="cred_userid_inputtext" class="login_textfield textfield required email field normaltext" placeholder="username@egov.com" type="email" name="login" spellcheck="false" alt="username@egov.com" aria-label="User account" value="" autocomplete="off" aria-describedby="accessibleError">

  And this for the password: <input id="cred_password_inputtext" class="login_textfield textfield required field normaltext" placeholder="Password" spellcheck="false" aria-label="Password" alt="Password" type="password" name="passwd" value="" aria-describedby="accessibleError">

  Both of these elements have ID…

  1 vote · 0 comments · Authentication
• NIST 800-63B Digital Identity Guidelines

  Please update the password requirements to match both those of the NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft: https://www.microsoft.com/en-us/research/publication/password-guidance/.

  Also the ability to build a password blacklist.

  3 votes · 0 comments · Authentication
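What 800-63B section 5.1.1.2 asks of a verifier is short: at least 8 characters, room for at least 64, Unicode normalisation before measuring, no composition rules and no scheduled expiry, and a comparison against a list of common, breached, repetitive, sequential and context-specific values. As an added example that is not part of the post above, here is that check in Python. The banned list is a constructed handful of strings where a deployment would load a breached-password corpus, and the service name is a hypothetical parameter standing in for the tenant's own context words.

```python
import unicodedata

# Constructed stand-in for the blocklist; a deployment loads a large corpus of
# breached and commonly used passwords here.
BANNED = {"password", "password1", "qwerty123", "letmein", "contoso2019"}

MIN_LENGTH = 8   # 800-63B 5.1.1.2: subscriber-chosen secrets SHALL be at least 8 characters
MAX_LENGTH = 64  # verifiers SHOULD permit at least 64; a lower cap is the common mistake


def normalize(password):
    """NFKC normalisation, as 800-63B recommends, before the length and list checks,
    so that fullwidth or composed forms of a banned word are still caught."""
    return unicodedata.normalize("NFKC", password)


def is_sequential(text):
    """True for runs like 'abcdefgh' or '87654321' (every step +1 or every step -1)."""
    if len(text) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(text, text[1:])}
    return steps == {1} or steps == {-1}


def check_password(password, username, service_name="contoso", banned=BANNED):
    """Return the list of reasons the password is rejected; an empty list means accept.
    Deliberately absent: character-class composition rules, periodic expiry, and any
    cap below 64 characters, all of which 800-63B tells verifiers not to impose."""
    pw = normalize(password)
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    if lowered in banned:
        reasons.append("on banned list")
    # Context-specific words: the account name (with and without its domain) and the service.
    context = {username.lower(), username.split("@")[0].lower(), service_name.lower()}
    for word in sorted(w for w in context if w):
        if word in lowered:
            reasons.append(f"contains context word '{word}'")
    if len(pw) >= 2 and len(set(lowered)) == 1:
        reasons.append("repetitive")
    if is_sequential(lowered):
        reasons.append("sequential")
    return reasons


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple",
                      "password1", "alice2019!", "12345678"):
        print(repr(candidate), check_password(candidate, "alice@contoso.example") or "accepted")
```

Note what passes: a long passphrase with spaces and no digits or symbols is accepted, and a short string that satisfies every classic "one upper, one digit, one symbol" rule is still rejected if it is on the list or built from the account name.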
• Identity synchronization and duplicate attribute resiliency issues

  We receive an email every 30 minutes when an account has a duplicate and/or Azure Synchronization error. We thought that after the first error, the error would be quarantined and viewable in the DirSync error status within the Office 365 admin center. I have not seen this happen once yet. Also, when I put individual email addresses into the Azure portal for notification, those email addresses do not receive a notification. Only the technical contact gets an email. I attached a screenshot of where I put the separate email addresses.

  1 vote

• Change MFA sender phone number and content

  Currently it is not possible to change the phone number or the content of the SMS used to validate the user's number or for MFA.

  B2C would be more useful for financial and/or government organizations if the MFA had more branding options in order to give peace of mind to wary customers.

  1 vote · 0 comments · B2C
• Eliminate the 15-device cap on Azure enrollment by a single O365 admin account

  There is a 15-device cap on Azure enrollment by a single O365 admin account. There is a program through Intune that allows up to 1000 devices in a corporate network, but there's a fair gap between 15 devices and an environment large enough to support an Intune account.

  Let's say you've been using admin@contoso.com as your global admin account and adding computers to the Azure AD account. Currently, after enrolling 15 devices you have to create another, unlicensed Global Admin account, such as admin2@contoso.com. Use that to add additional computers until you use up another 15 devices, then…

  2 votes · 0 comments · Domain Join
• The external user cannot access the application

  My external users are unable to access my application. The user settings have given them the same permissions as the average user. The error message is:
  AADSTS50020: User account 'CwMars@outlook.com' from identity provider 'live.com' does not exist in tenant 'UI.VS' and cannot access the application 'f357dd9b-8b62-4b02-9ad8-10f7287bd900' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

  2 votes · 0 comments · B2C
• What does the time stamp represent in the "Users with leaked credentials" report, as it will show up with a date/time days in the past?

  What does the time stamp represent in the "Users with leaked credentials" report, as an entry will show up with a date/time days in the past?

  1 vote · 0 comments · Reporting