Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add Azure CLI support for B2C Custom Policies

    I am trying to manage Custom Policies in B2C from the command line.

    There should be support for deleting and uploading B2C Custom Policies from Azure CLI.

    55 votes

    0 comments  ·  B2C
  2. Spring Security Support

    Storm Path is an example of an API/Service that provides all the same functionality as Azure AD B2C, and actually integrates with Spring Security very easily.

    https://stormpath.com/

    They provide code samples too:

    https://docs.stormpath.com/java/

    It would be fantastic, and ensure a much wider adoption market, if you were to create an open source project that provided the same easy integration and adoption.

    55 votes

    1 comment  ·  B2C
  3. Add Directory Roles to B2C

    Today all operations in B2C require the GlobalAdmin role. Security wise this is a BAD idea, as people have different roles in an organization and delegation is based on the "least privilege principle". Hence, roles (in prioritized order) must be added for:

    1) application management, which allows developers to register their own app definitions
    2) user management, which allows 1st-line support to assist end users with account problems
    3) policy management, which allows specialized admins to manage built-in and custom policies
    4) read-only roles that can give other IT people view access to apps and users

    54 votes

    2 comments  ·  B2C
  4. Allow MFA to be enabled for selected set of B2C users

    We would like users to choose if they want MFA enabled, and therefore a policy should trigger MFA only if the user or admin opts in for it.

    54 votes

    16 comments  ·  B2C
  5. Azure AD B2C Support Social IDP Profile Picture

    Add support for a built-in attribute type for storing a profile picture URL. Azure AD B2C should then store the profile picture URL as a user attribute when signing in with a social provider. This attribute can then be selected as an application claim attribute so applications can have access to social provider profile pictures. The attribute should also update on any subsequent successful sign in attempts when there is an updated profile picture from the social provider.

    Alternatively, just update AD B2C to set the user's social profile picture as the AD thumbnail photo when creating an account.

    54 votes

    5 comments  ·  B2C

    Although we do not directly support this feature, there is a new workaround available which is to use the IdP token (like Facebook’s token) to grab the profile photo. You can do this by calling Facebook directly from the app using the facebook token.

    Azure AD B2C now allows the access tokens of OAuth 2.0 identity providers to be passed as a claim in the B2C token. Please try it out (see instructions below) and give us feedback at aadb2cpreview@microsoft.com.

    User flows (built-in policies)

    https://docs.microsoft.com/azure/active-directory-b2c/idp-pa

    Custom policies

    https://docs.microsoft.com/azure/active-directory-b2c/idp-pass-through-custom

  6. Avoid verification code emails when the user is not registered

    Azure B2C gives a false impression that the user is in the directory when they try to reset their password.

    Following are the steps in reset password:
    1) User clicks the Reset Password link
    2) B2C presents a page with an “Email Address” field and says “Verification is necessary. Please click Send button.”
    3) User enters his email address and clicks “Send Verification Code”
    4) B2C sends the verification code to that email address (even if no user is associated with that email address; this is where the user thinks he is registered with the system)
    5) Now the user enters…

    53 votes

    10 comments  ·  B2C
  7. Allow Azure AD B2C users to access PowerBI dashboards

    Add support for PowerBI Dashboards in Azure B2C

    50 votes

    11 comments  ·  B2C
  8. Azure Key Vault compatibility with Azure AD B2C

    It will be really useful to be able to use Azure Key Vault with AD B2C. I just spent a good amount of time getting ready to use Azure Key Vault to find out that I couldn't use it because the app is leveraging AD B2C!!

    That is really unfortunate as the Azure Key Vault usage is especially useful for B2C applications.

    Please make this possible - I know resources are limited but this shouldn't be that much of an effort to extend the capability. Should be an easy win! :)

    48 votes

    5 comments  ·  B2C
  9. 45 votes

    4 comments  ·  B2C
  10. AADB2C: Add multiple reply URLs with the same domain

    If you create an Azure Active Directory B2C and then add an Application for your Web API, your Web API will only be able to receive tokens from a client that shares the same Application ID.

    Currently, building a Web API that is accessed from several different clients is not supported.

    This means that if you want to add different clients, you can configure them with the restriction that redirect URLs must all belong to the same domain.

    But when you try to add them, for example:
    https://client1.domain.com

    https://client2.domain.com

    I receive an error saying that the reply URLs are not…

    45 votes

    13 comments  ·  B2C

    It is possible to add multiple reply URLs within the same domain, unfortunately the experience is a bit clunky and we’re working on fixing this.

    At this time, in order to achieve a setup with client1.domain.com and client2.domain.com as redirect URIs, you must first add the overarching domain as a redirect URI and then add the sub-domains, like so:

    1) https://domain.com
    2) https://client1.domain.com
    3) https://client2.domain.com

    Check out this article for more info:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-limitations#restrictions-on-redirect-uris

  11. Azure B2C should allow to customize the text message.

    Currently the SMS sent from the Azure B2C tenant while enabling MFA has a Microsoft stamp on it, which doesn't make sense to any user.

    When we use a B2C tenant for my product and enable MFA, I don't have an option to remove the MS stamp from the SMS, nor am I able to add my product name in the SMS.

    44 votes

    6 comments  ·  B2C
  12. Fix tab order for B2C login

    Please fix the tab order for B2C logins. Currently tab goes from the username field to the "Forgot your password" link. It should go from username to password.

    43 votes

    10 comments  ·  B2C
  13. AAD B2C: Add support for EC key type to OpenID Connect jwks

    The configuration for a New Identity Provider in B2C using the "New OpenID Connect Provider" option returns
    "The key type 'EC' from the JSON web keys endpoint 'https://<IDP Provider>/ext/pf/JWKS' is not a supported key type." I've put in a support request and it was confirmed that EC keys are not supported yet.

    Also documented on stackexchange by another user; https://stackoverflow.com/questions/50884146/aad-b2c-yahoo-openid-connect-failed-to-create-in-azure-portal

    This issue will prevent us from migrating +1m potential users to Azure.
    Thank you for your consideration!

    43 votes

    6 comments  ·  B2C
  14. Allow redirect URLs from different domains for B2C apps

    The current implementation only allows the use of redirect URLs from one domain name.

    Some 3rd party services specify multiple redirect URLs and so are not usable with the B2C backend.

    43 votes

    3 comments  ·  B2C
  15. Terms of use and privacy policy

    It would be great if AD B2C could manage all the process for terms of use and privacy policy management.
    There is actually no way to manage it in the sign-up policy...

    43 votes

    4 comments  ·  B2C

    We have created samples to do this in custom policies here:

    Sample: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/source/aadb2c-ief-terms-of-use

    Readme: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/scenarios/readme.md

    While we realize this only works for custom policies (the part where you can track versions of consent), we currently don’t have plans to implement this in built-in policies.

  16. U2F HID Multi factor authentication (YubiKeys)

    Hi, we have an option for multi factor authentication in B2C using phone. Are there any future plans to implement this for U2F HID, e.g. YubiKeys?

    43 votes

    10 comments  ·  B2C
  17. Azure Active Directory B2C: Don't charge for token refresh

    Azure AD B2C is great and the pricing too, except for the fact that token refreshes carried out by the application (as opposed to being carried out by the user) are charged separately. An application that keeps a logical connection to the server while in the background might carry out quite many token refreshes over time. A regular frequency of one refresh per hour leads to ~700 refreshes per month. Assuming 1.000.000 users, this sums up to ~500.000$/month. This exceeds the capacity of start-ups like ours by a factor of 1000 (!). Although AD B2C would be the perfect fit…

    40 votes

    1 comment  ·  B2C
  18. Log user authentications in Azure Active Directory B2C

    The logs available in Azure Active Directory, "Audit Logs" and "Sign-in" don't show activity related to consumer authentications. Having a view of consumer logins via the Azure Active Directory or Azure AD B2C sections would be very useful.

    39 votes

    6 comments  ·  B2C
  19. token revocation endpoint

    I can't find a token revocation endpoint in the B2C documentation.
    If the token revocation endpoint is not implemented, I need it to protect customers from malicious attackers.

    https://tools.ietf.org/html/rfc7009

    39 votes

    4 comments  ·  B2C
  20. Add TOTP support to B2C (e.g. Google Authenticator)

    Add support for TOTP (e.g. Google Authenticator) to B2C.

    The current MFA support is very limited, SMS is already regarded as non-secure due to the lack of security in SS7 (https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin).

    Support for TOTP (Time based one time password) should be added and is already widely available e.g. support Google Authenticator. Please avoid a Msft eco-system only approach (e.g. only support Msft authenticator - this is not as widely used).

    37 votes

    4 comments  ·  B2C