Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
1,900 votesWe’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.
Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups -
Allow the use of all user attributes for SAML token attributes
We are developing a POC to have Cisco WebEx and Jabber integrate directly with Azure AD. Authentication works just fine. However, when there is a change to a user's profile in Active Directory, say title or phone number, in order for that change to update in WebEx or Jabber the "whenChanged" attribute needs to be sent as "updateTimeStamp" in the SAML token. "whenChanged" cannot be extended as a Directory Extension so maybe use of the "LastDirSyncTime" attribute in Azure would be a suitable replacement. Also, it would be beneficial to also allow the use of the "mobilePhone" Azure attribute in…
86 votesWe don’t have an ETA yet but this feature is in our backlog. Keep the voting to help us prioritize.
Luis
-
Add group as owner on Azure AD Application and Service Principal
When managing Application and Service Principal objects in Azure Active Directory, it's difficult to provide granular access controls.
Azure currently supports adding "Users" as Owners through the Azure Portal, and we can also assign other "Service Principals" as Owners using PowerShell (or by creating the new SPN with an existing SPN), however it's not possible to add a Group.
When you try to do this, you get the following error message:
#
PS C:> Add-AzureADApplicationOwner -ObjectId <removed> -RefObjectId <removed>
Add-AzureADApplicationOwner : Error occurred while executing AddApplicationOwner
Code: RequestBadRequest
Message: The reference target 'Group<removed>' of type 'Group' is invalid…81 votes -
Find and Replace Claims Transformation Function
When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:
If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.
27 votesWe have enabled a contains() function. We will be working on the capability to Replace().
/Luis
-
BUG: Unable to Delete an Application's AppRole
Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".
When I set the isEnabled property to false and then hit save, I get a successful saven with a 200 OK looking at the browsers developer tools (See first attached image).
After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browsers developer tools, it's coming back as true there too (See second attached image).
27 votesThanks for reporting this!
I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.
For now, there are two options to work around this:
1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697
2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
/ Philippe Signoret
-
Azure AD Applications - Needs
- Allow applications in Azure AD to be organised into folders so business units who work in this space can 'claim' applications.
- Provide the ability to rename applications or application instances once created.
- Provide visbility of what user created an application.
- Provide the ability to 'lock' applications from being accidently deleted.
- Deletion of applications requires X global admins to approve, at the moment a rogue admin could destroy an SSO setup for an entire company in minutes...
24 votesThank you for your feedback, some of the suggestions are already available:
- Ability to rename applications
- Provide visibility of what users created an application: You can use audit activity reports: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-audit-logsRegarding the other suggestions, I’ll update this once it’s a planned feature. In the meantime, keep the voting coming so we can prioritize this higher.
/Luis
Program Manager -
SAML SSO, pass Restricted Claims
It would be good if you could specify a restricted claim to be passed to the relying party such as isCompliant etc if a user is on a managed device. Clearly these claims should not be modifiable.
22 votesHello – Thanks for your feedback. We’re currently considering this request.
As a workaround for emitting the ‘upn’ claim, you could use the Optional claim capability in App registration: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-optional-claims
-
Allow User Consent per Scope
Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".
Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.
18 votesWe have started the work on this capability. I’ll share more information about the ETA as we get closer to a public preview. Current ETA is by end of April.
Thanks,
Luis -
Allow Directory Extensions as claim in SAML Token
This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.
If you create a directory extension attribute there doesn't seem to be way to include it as a claim (ie. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).
I have found that you can include a directory extension attribute as an optional claim in the…
13 votesWe have work in progress to enable directory extension attributes from the Enterprise apps UI. You can use PowerShell to get unblocked: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping
In the comments, Ross has shared a link to a forum where you can find the exact policy.
-
Add some more fields to the App Registration
When adding an app to the app registration there should be additional fields to capture metadata about the app like a description and some other fields. Or If you could implement the Tags features around the App Registration that would work as well.
13 votes -
Custom error messages per SaaS App and tenant-wide also
It would be really awesome, if Microsoft would provide developers with an option to provide custom error messages per Azure AD SaaS Apps and Global Admin to define some tenant-wide custom error messages as well. The error messages provided from Microsoft is not especially user-friendly or customer specific yet. This creates some confusions among internal and B2B users.
I hope this would be taken into considerations like the Azure Conditional Access custom error messages.
/Peter Selch Dahl
Azure MVPAlso see these related request:
Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6795635-fix-error-aadsts50020-when-logged-in-user-doesn-tCustomize error…
11 votesWe don’t plan to provide the capability to customize the error message for now. But, we have been working on making the error messages more actionable.
If you have any suggestions for improving an specific error message. Please create another post and the team will improve it.
/Luis
Program Manager -
Support claims transformation on user.assignedroles
I can't apply a claim transformation method to the source attribute user.assignedroles or any multi value.
9 votesThanks for the feedback. Currently, this capability is unplanned but please keep voting to help us prioritize.
Thanks,
Luis -
Better governance for SaaS apps (App Registration description)
Azure App Registration needs some kind of better governance. The amount of applications is exploding within companies with all kind of apps all ranging from breakfast to compliance applications. Microsoft needs to add some some extra property fields that can be used for description of the application purpose, but also a field that can be used for service management. I do not think that a Azure Tag would be sufficient. It must be some kind of value that can be set on the application.
9 votesHi Peter, thanks for the feedback. If you could reach out to me I would love to chat more to understand your scenario.
/Arvind
-
Force Azure AD to verify the signature in the SAML request
Enable optional SAML request signature when federating with a SAML 2.0 IDP
SAML Authn request from AAD to a third party SAML 2.0 IDP are not signed. This leaves the third party IDP open to DoS attacks on their credential repository.
8 votesThanks for the feedback.
We would like to hear why you absolutely need this option before you move to Azure AD.
Azure AD accepts a signed SAML request; however, it will not verify the signature. Azure AD has different methods to protect against malicious calls. For example, Azure AD uses the reply URLs configured in the application to validate the SAML request. Azure AD will only send a token to reply URLs configured for the application.
-
Add support for Chrome OS
We need users access Exchange only from Android and iOS. In Conditional Access rule, "Any device" is selected and grant access only if user access from "Approved Client App". But users are able to access email from Outlook in Chrome OS. As per Microsoft, neither conditional access nor Approve app support Chrome OS. So users are able to access emails from Chrome OS.
Can Chrome OS support be added as part of Conditional Access rule? This is a major security threat for us as we are finance.organization.
7 votes -
IDP-Initiated SAML flow option for all gallery applications
Gallery integration for some SaaS applications (such as ServiceNow) use SP-Initiated sign-in flows. This makes ADFS -> Azure AD "migrations" for customers difficult as there is no way to validate the user experience without making Azure AD the default SSO provider. Additionally, some customers rely on just-in-time SAML provisioning, which is seamless with IDP-Initiated flow.
7 votes -
Managed Whitelist of Enterprise Applications
Please provide facility to whitelist which 3rd party applications are 'approved'.
Ideally this would be more than just single 'bit' of information, and allow multiple lists - for example, a whitelist for 'regular company business' and another for TOPSECRET, to be integrated with other parts of the azure framework, such as being used in Conditional Access Policy and the EMS E5 features.
Currently OAuth consent by any user will automatically register an application and this cannot be disabled. Blacklist is possible, but whitelist is not without completely removing ability for users to manage their own consent, which is undesirable from…
7 votesWe have started worked on this features. For an initial release, we’re thinking on allowing admins to select the set of permissions users will be able to consent.
-
Engage Approval process when attempting to use the app directly
Please can we initiate the approval process at the application level, not just when being added into the application portal (myapps)?
An example. draw.io has been configured to require authentication and assignment. A user goes to draw.io and logs in with their Office365 account. They see a user-unfriendly error message as below: -
[OneDriveSDK Error] errorType: badResponse, message: AADSTS50105:+The+signed+in+user+is+not+assigned+to+a+role+for+the+application+'01234567-89ab-cdef-0123-56789abcdef0'. Trace+ID:+01234567-89ab-cdef-0123-56789abcdef0 Correlation+ID:+01234567-89ab-cdef-0123-56789abcdef0 Timestamp:+2000-01-01+00:00:00Z
Instead - I would want the application to prompt with the same approval process notification/initiator that is seen when attempting to add the app via MyApps.
7 votesFirst, we’re working to allow end-users to request Admins to consent to an application that requires Admin permissions.
As a next step for this feature, we’re considering to add other scenarios like this one where user assignment is required.
Please keep voting to help us prioritize
/Luis
-
Adding the managedBy attribute to the ServiceNow API for Group Provisioning
Would it be possible to add a mapping for the Active Directory Group attribute managedBy and map it to the ServiceNow attribute Manager? I have been in contact with Premier Support under case # [REG:216032413880333001] SaaS group provisioning manager attribute missing regarding this request.
7 votes -
Rename Azure AD Application "Office 365 Exchange Online" to "Outlook"
Users with Office 365 license when accessing myapps.microsoft.com do not understand that in order to open "Outlook Web App" they should use "Office 365 Exchange Online" icon. Please rename Azure AD Application "Office 365 Exchange Online" to "Outlook" or "Outlook Web App".
6 votesHi we will look into this capability
/ Arvind
- Don't see your idea?