Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
1,109 votesWe’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.
-
SSO / Sign in to Azure via Google Apps IDP
We'd like to enable our users for lots of Azure services (incrementally), starting with some RemoteApp services. We do *not* want to move user authentication to Azure AD (users have lots of complex Google Apps logins, with 2-Factor and U2F Keys).
Is there an easy way for us to enable Google Apps as an IdP in Azure AD?
Like, can we copy user profiles from Google Apps -> Azure, and on login attempt, redirect to the Google Apps sign in screen?
68 votesYou can federate with GSuite/Google@Work with B2B direct federation, soon to be in public preview.
-Maria Lai
-
Allow the use of all user attributes for SAML token attributes
We are developing a POC to have Cisco WebEx and Jabber integrate directly with Azure AD. Authentication works just fine. However, when there is a change to a user's profile in Active Directory, say title or phone number, in order for that change to update in WebEx or Jabber the "whenChanged" attribute needs to be sent as "updateTimeStamp" in the SAML token. "whenChanged" cannot be extended as a Directory Extension so maybe use of the "LastDirSyncTime" attribute in Azure would be a suitable replacement. Also, it would be beneficial to also allow the use of the "mobilePhone" Azure attribute in…
49 votesWe don’t have an ETA yet but this feature is in our backlog. Keep the voting to help us prioritize.
Luis
-
Include only pre-selected groups, into the claim
At the moment there will be all groups user member of, and if that number exceeds 150(200), there would be a link send instead. It is better to only include groups, which makes sense for the application.
In modern environment, half of the users in big companies are members of more than 200 groups, But for each individual application only few may be somewhat indicative. So why not have a possibility to select only groups which making sense for the each app, and only those would be included into response?37 votesThis feature is planned. We don’t have an ETA yet to share.
Please continue voting to help us prioritize.
-
SCIM defects
1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
As per, https://tools.ietf.org/html/rfc7644#section-1.3,
The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no…
30 votesThe first issue is fixed, as describe here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility
A feature to improve oAuth support is still planned
-
Workday-driven automatic AD group assignment
When a new AD account is created using Workday, it should be possible to assign birthright AD groups to the user automatically.
22 votesThank you for your feedback. We are reviewing this feature request and we will post an update on it. Please keep voting so we can prioritize it.
Thanks,
Chetan -
BUG: Unable to Delete an Application's AppRole
Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".
When I set the isEnabled property to false and then hit save, I get a successful saven with a 200 OK looking at the browsers developer tools (See first attached image).
After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browsers developer tools, it's coming back as true there too (See second attached image).
22 votesThanks for reporting this!
I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.
For now, there are two options to work around this:
1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697
2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
/ Philippe Signoret
-
Azure AD Applications - Needs
- Allow applications in Azure AD to be organised into folders so business units who work in this space can 'claim' applications.
- Provide the ability to rename applications or application instances once created.
- Provide visbility of what user created an application.
- Provide the ability to 'lock' applications from being accidently deleted.
- Deletion of applications requires X global admins to approve, at the moment a rogue admin could destroy an SSO setup for an entire company in minutes...21 votesThank you for your feedback, some of the suggestions are already available:
- Ability to rename applications
- Provide visibility of what users created an application: You can use audit activity reports: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-audit-logsRegarding the other suggestions, I’ll update this once it’s a planned feature. In the meantime, keep the voting coming so we can prioritize this higher.
/Luis
Program Manager -
Workday to AAD/AD provisioning query scope
Workday to AD/AAD provisioning
please add the ability to scope the query passed to get_workers api. For instance, pass to get_workers company=schoolA.
Workday is now implementing shared tenants in the EDU space. In a shared tenant, the current query to get_workers pulls all workers and then allows scoping. but the worker data for all schools has to be pulled before it can be scoped. The result is AAD audit logs saturated with other schools employee data. Also need to be able to control audit data written to azure activity logs, or at least be able to clear the provisioning logs.18 votesHi we are working on pulling the provisioning events out of the audit logs so that they are easier to manage. I’ll reach out to people internally about being able to set the scope to a particular school.
/ Arvind
-
SAML SSO, pass Restricted Claims
It would be good if you could specify a restricted claim to be passed to the relying party such as isCompliant etc if a user is on a managed device. Clearly these claims should not be modifiable.
16 votes -
Allow BambooHR to write to AD Azure when a new starter is created so it creates a new user. HRaaM.
Okta has the ability to use HR as a source of truth and are really engaging with HR as a master for AD. I know Bamboo can do that with Okta and Workday can as well. This would be a great way to have a flawless clear process using HR systems. From recruiting, to creating an employee in the system and then pushing it to ADAzure. Otherwise it's better to go with Okta. Higher price point but lower risk.
15 votesThank you for your feedback. Please keep voting to help us prioritize this request.
-
Default 'approval required' method for apps (new/unused)
Please can we have a global catchall for all new or previously unused applications that link to Office365 accounts/resources?
An example. draw.io has not yet been used and therefore there is no enterprise app to configure in Azure AD.
One first attempt to log in to draw.io with an Office365 account an approval request should be sent to the Office365 administrators to review the application and the permissions/access it requires.
Then the enterprise app can be configured accordingly - utilising Self-Service, assignment and approvals as deemed necessary.13 votesWe have started the work on this feature.
I’ll update this thread when we have a clear ETA but we’re targeting June for an initial release.
-
Workday Email Writeback API Version
According to the Workday provisioning docs, the current API call (Maintain_Contact_Information) for email writeback is v26.1. Can this be updated to use v30.0 or later and use the "Change_Work_Contact_Information" api call instead, as it's specific to work contact information and less likely to be blocked by other business processes in Workday?
9 votesThank you for your feedback. This feature request work is in progress.
-
Enhanced AAD Support for SAP SuccessFactors
Hi
SAP SalesForce (SF) is pre-integrated with AAD, but SalesForce is comprised of numerous applications (HR modules). It would be nice if AAD conditional access, user provisioning and MFA rules could be applied differently based on the SF applications.
1. MFA: It would helpful if AAD supported MFA for SAP SuccessFactors by SuccessFactors module. e.g. ability to force MFA for the Performance Management & Goals application, but not force MFA for the Learning Management System (Training) application.
2. User Provisioning: It would helpful if AAD supported automated user (de)provisioning of accounts in SAP SuccessFactors, again based on SF application.
Take…
9 votes -
Find and Replace Claims Transformation Function
When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:
If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.
8 votesWe will be working on enabling this transformation soon. Thanks for the feedback.
/Luis
-
Workday trigger delta sync
The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.
8 votesHi we are working on the ability to sync a specific user / group on demand so you don’t have to wait for the next sync cycle.
/Arvind
-
Engage Approval process when attempting to use the app directly
Please can we initiate the approval process at the application level, not just when being added into the application portal (myapps)?
An example. draw.io has been configured to require authentication and assignment. A user goes to draw.io and logs in with their Office365 account. They see a user-unfriendly error message as below: -
[OneDriveSDK Error] errorType: badResponse, message: AADSTS50105:+The+signed+in+user+is+not+assigned+to+a+role+for+the+application+'01234567-89ab-cdef-0123-56789abcdef0'. Trace+ID:+01234567-89ab-cdef-0123-56789abcdef0 Correlation+ID:+01234567-89ab-cdef-0123-56789abcdef0 Timestamp:+2000-01-01+00:00:00Z
Instead - I would want the application to prompt with the same approval process notification/initiator that is seen when attempting to add the app via MyApps.
8 votesFirst, we’re working to allow end-users to request Admins to consent to an application that requires Admin permissions.
As a next step for this feature, we’re considering to add other scenarios like this one where user assignment is required.
Please keep voting to help us prioritize
/Luis
-
Custom error messages per SaaS App and tenant-wide also
It would be really awesome, if Microsoft would provide developers with an option to provide custom error messages per Azure AD SaaS Apps and Global Admin to define some tenant-wide custom error messages as well. The error messages provided from Microsoft is not especially user-friendly or customer specific yet. This creates some confusions among internal and B2B users.
I hope this would be taken into considerations like the Azure Conditional Access custom error messages.
/Peter Selch Dahl
Azure MVPAlso see these related request:
---------------------------------------------------------------------Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6795635-fix-error-aadsts50020-when-logged-in-user-doesn-tCustomize…
7 votesWe don’t plan to provide the capability to customize the error message for now. But, we have been working on making the error messages more actionable.
If you have any suggestions for improving an specific error message. Please create another post and the team will improve it.
/Luis
Program Manager -
Allow Directory Extensions as claim in SAML Token
This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.
If you create a directory extension attribute there doesn't seem to be way to include it as a claim (ie. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).
I have found that you can include a directory extension attribute as an optional claim in the…
7 votesWe have work in progress to enable directory extension attributes from the Enterprise apps UI. You can use PowerShell to get unblocked: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping
In the comments, Ross has shared a link to a forum where you can find the exact policy.
-
IDP-Initiated SAML flow option for all gallery applications
Gallery integration for some SaaS applications (such as ServiceNow) use SP-Initiated sign-in flows. This makes ADFS -> Azure AD "migrations" for customers difficult as there is no way to validate the user experience without making Azure AD the default SSO provider. Additionally, some customers rely on just-in-time SAML provisioning, which is seamless with IDP-Initiated flow.
7 votes
- Don't see your idea?