Azure Active Directory

Welcome to the Azure Active Directory Forum.

How can we improve Azure Active Directory?

  1. Return null when group cannot be found by MailNickname instead of throwing NullReferenceException

    See Stack Overflow:
    https://stackoverflow.com/questions/46376306/group-lookup-using-microsoft-azure-activedirectory-graphclient-2-1-1

    The same pasted below for convenience:

    Issue

    I'm encountering a null reference exception when looking up a group by MailNickname. Note, the nickname in question does not exist in Active Directory, however, I would expect the library to handle this gracefully and not result in a null reference exception.

    It's also worth noting, I am able to use the same code to look up groups which do exist in Active Directory. I do not control the nicknames my code operates over since they're user input. I would simply like to look up the group's info, or move on…

    1 vote
    0 comments  ·  Graph API
    • add additional local administrators to Azure AD joined devices

      I have been testing the feature in Devices->Device Settings to add additional local administrators to Azure AD joined devices using the Azure Portal. If I click 'Selected' to add a new user, the list of users already selected is lost and I have to add all the original users again in addition to the new user. I have been using the Classic Portal to add new local device administrators, but Azure AD support will be removed from that in November.

      2 votes
      0 comments
      • Don't make the invoices impossible to find.

        Don't make the invoices impossible to find. Where did my billing go?

        1 vote
        0 comments  ·  Admin Portal
        • Ability to Grant Permissions via API or PowerShell

          Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.

          Service Principal creation, role definition and permission assignment can be done through Portal, PowerShell and API. But in order to make Application Permissions (which requires admin consent) work, you need someone with Global Administrator role to go to Azure Portal and click Grant Permissions button (or do the same thing via OAuth prompt on your…

          1 vote
          0 comments  ·  Developer Experiences
          • New Sign-in experience UX prompt 'I sign in frequently on this device. don't ask me to approve requests here' misleading!

            Re-word the New Sign-in experience UX prompt as it is misleading, 'I sign in frequently on this device. don't ask me to approve requests here'

            In reality the tenant set MFA configuration is enforced, which in our case is for a single day.

            I believe that the wording of the new sign-in prompt is highly misleading and should be altered as this message implies a looser security than is actually in place, which gives completely the wrong message to my users.

            My user base will also be of the opinion that Office 365 isn’t working correctly as the behaviour will…

            1 vote
            0 comments  ·  Authentication
            • Can the default sync interval from Azure AD to the SaaS application which is 20 mins, be modified? If yes, how?

              The default user identity sync interval between Azure AD and SaaS app (example: salesforce) is 20 mins. This default value should be modifiable.

              1 vote
              0 comments  ·  SaaS Applications

                The sync interval from Azure AD to SaaS applications is not currently configurable (nor is it constant, it may be adjusted to manage performance and throughput).

                Suppose it was configurable: what value would you set it to? (Use the comments to let us know.)

                /Philippe Signoret

              • Fix AD Connect auto-update mechanism so it doesn't cause VSS SQL failures

                Issue has been going on for at least a year. When AD Connect auto-updates, it messes something up with its 'SQL Server 2012 Express LocalDB' instance such that VSS backups of the server fail until addressed.

                'Fix' is to run a repair installation of the LocalDB instance, after which the VSS operations succeed without requiring a server reboot.

                https://forums.veeam.com/veeam-backup-replication-f2/bunch-of-servers-vss-writer-errror-0x800423f4-t37483.html

                1 vote

                • Support logout and single logout with SAML 2.0 claims provider

                  Support for logout and single logout with SAML 2.0 IdP configured as claims provider on B2C.

                  The logout and single logout are both requested in some customer cases and in relation to the Danish government's IdP called "NemLog-in". In relation to the Danish government's IdP it is a requirement to support logout and single logout to connect to the central federation.

                  1 vote
                    0 comments  ·  B2C
                  • Premium b2c

                    I have not been able to assign groups to my Apps in my B2C. Help? I don’t have an option to add Azure prem license to my B2C tenant. Is this supported?

                    1 vote
                      4 comments  ·  B2C
                    • verify signature on jwt.ms

                      It would be helpful if https://jwt.ms verified the signatures of JWTs like https://jwt.io/ does :)

                      especially b/c their signature validator doesn't validate b2c tokens: https://stackoverflow.com/questions/44330242/azure-ad-b2c-token-validation-does-not-work

                      1 vote
                        0 comments  ·  B2C
                      • Reports to find how many users have skipped MFA because of IP White list option in MFA

                        Reports to find how many users have skipped MFA because of IP White list option in MFA

                        9 votes
                          1 comment  ·  Multi-factor Authentication
                        • Allow removal/deletion of Group based License Assignments without a valid Azure AD P1/P2 or EMS License

                          While adding Group based License Assignments is only possible with a valid Azure AD P1/P2 License or EMS License, the removal of those Group based License Assignments should be possible when the needed Plan is expired or deleted.

                          In my case I had an EMS Trial running and configured Group Based Licensing. After the EMS Trial expired I was unable to delete the Group Based Licensing assignment. I had to enable an Azure AD P2 Trial to delete the Assignment.

                          1 vote
                            0 comments  ·  Group Based Licensing
                          • Allow approval only for specific users in specific roles

                            We would like to enable approval for specific users in specific roles only. This way some people are exempt from approval, but others will have to request approval anyhow. Right now this is role based, but for example we have a few Global Administrators who need to be able to activate without approval, and some we would like to request approval.

                            1 vote
                              0 comments  ·  Privileged Identity Management
                            • Allow time bound admin access

                              Currently we have the need to allow someone to add a user to an admin role which is then automatically deleted after a specific time period or date/time. The role should be completely removed at that point in time, so the user should also not be eligible anymore to activate the role.

                              1 vote
                                0 comments  ·  Privileged Identity Management
                              • Source of Authority in user overview page should show same info as Source in user profile

                                In New Azure Portal it would be of more use if
                                Azure Active Directory -> Users and Groups -> All users
                                page column "Source of Authority" would show that same value as in
                                Azure Active Directory -> Users and Groups -> All users -> <click a user>-> Profile and field Source

                                Ps. This works better in Azure Classic Portal. Ds.

                                2 votes
                                  0 comments  ·  End user experiences
                                • How can I change the service name to report my correct domain name rather than .onmicrosoft.com

                                  I've recently configured AD Connect between my on-prem AD and Azure AD. It's successfully syncing users and passwords between my test OU and Azure; however, in the Azure AD Connect Health blade, it reports my service name as mydomain.onmicrosoft.com and not the default domain name mydomain.com. Any ideas if this is correct or can be changed?

                                  1 vote
                                    0 comments  ·  Azure AD Connect Health
                                  • Allow access and use of Citrix Xenapp applications via Azure AD Application Proxy

                                    There doesn't seem much documentation available for configuration of Rich protocol support (Citrix)
                                    Unlike previous UAG support where there is at least some communications around the connectivity of using UAG to connect to Citrix applications.

                                    https://blogs.technet.microsoft.com/edgeaccessblog/2010/03/25/how-to-publish-citrix-xenapp-5-x-with-uag-2010/

                                    It would be good to be able to replicate the above, which refers to UAG, in the Azure AD Application proxy.

                                    1 vote
                                      0 comments  ·  Application Proxy
                                    • Conditional Access: Session Controls for Exchange Online (Outlook on the Web)

                                      Expand the cloud app Session Controls area to be able to apply OWA policies on-the-fly.

                                      Allow admins to do things like block download access unless the user is within a trusted location or on a compliant or domain joined device.

                                      Effectively this, but without the need for ADFS: https://technet.microsoft.com/en-us/library/dn530630(v=exchg.150).aspx

                                      Combining that with the SharePoint session controls will result in a more complete browser-only experience for unmanaged/untrusted devices.

                                      ---
                                      Cross-posted from Intune UV: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/31460965-conditional-access-session-controls-for-exchange

                                      3 votes
                                        0 comments  ·  Conditional Access
                                      • Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)

                                        Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disables user accounts in Active Directory to support this scenario.

                                        I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the user's account expires in the local Active Directory.

                                        Aaron posted a great workaround solution:
                                        https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/

                                        We would like something built-in Active AD Connect that solves this out of the box

                                        1 vote

                                        • Block Sign In Source-of-Authority issue

                                          It is very confusing for customers that they have the option to change the "Block Sign In" state, when the user's source-of-authority is "Windows AD Server" (Active Directory).

                                          Why is this not disabled like all other attributes? It doesn't make any sense to have the control enabled, when the UserAccountAttribute overwrites the setting during Azure AD Connect sync.

                                          You should at least have a popup box telling the users that this setting will be overwritten by Azure AD Connect sync, if the Azure AD Connect is configured to update the AccountEnabled value based on the UserControlControl state in the local…

                                          1 vote