Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
We have a new login experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premises AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premises.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end users. Dynamic Groups in Azure AD as of today don't have support for "Member Of" or similar, hence don't solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
1,363 votes
We're continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.
-
Allow the use of all user attributes for SAML token attributes
We are developing a POC to have Cisco WebEx and Jabber integrate directly with Azure AD. Authentication works just fine. However, when there is a change to a user's profile in Active Directory, say title or phone number, in order for that change to update in WebEx or Jabber the "whenChanged" attribute needs to be sent as "updateTimeStamp" in the SAML token. "whenChanged" cannot be extended as a Directory Extension so maybe use of the "LastDirSyncTime" attribute in Azure would be a suitable replacement. Also, it would be beneficial to also allow the use of the "mobilePhone" Azure attribute in…
55 votes
We don't have an ETA yet but this feature is in our backlog. Keep the voting to help us prioritize.
Luis
-
Include only pre-selected groups, into the claim
At the moment all groups the user is a member of are included, and if that number exceeds 150 (200), a link is sent instead. It is better to only include the groups which make sense for the application.
In a modern environment, half of the users in big companies are members of more than 200 groups, but for each individual application only a few may be somewhat indicative. So why not have a possibility to select only the groups which make sense for each app, so that only those would be included in the response?
51 votes
This feature is planned. We don't have an ETA yet to share.
Please continue voting to help us prioritize.
-
BUG: Unable to Delete an Application's AppRole
Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".
When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools (see first attached image).
After reloading the Edit manifest screen the isEnabled property is still true, and if you look at the PUT response in the browser's developer tools, it's coming back as true there too (see second attached image).
25 votes
Thanks for reporting this!
I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.
For now, there are two options to work around this:
1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697
2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
/ Philippe Signoret
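As an added illustration of the second workaround (example code, not the StackOverflow script Philippe linked, nor anything from the Azure AD team), here are the two PATCH requests on the Application object in Python. It assumes the Microsoft Graph `/v1.0/applications/{object-id}` endpoint rather than the Azure AD Graph Explorer the reply names; the `appRoles` element shape (`id`, `isEnabled`, `allowedMemberTypes`, …) and the disable-before-remove rule are the same there. The application object id, role GUIDs and bearer token are constructed placeholders, and the fake opener stands in for the network so the sequence runs offline.

```python
import copy
import json
import urllib.request

# Assumption: Microsoft Graph endpoint; the reply above uses the Azure AD Graph
# Explorer, but the appRoles collection and the two-step rule are the same.
GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Constructed sample data: two app roles on one Application object.
# Role "Admin" is the one we want to delete. GUIDs are placeholders.
TARGET_ROLE_ID = "00000000-0000-0000-0000-000000000002"
SAMPLE_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Reader",
     "value": "Reader", "allowedMemberTypes": ["User"], "isEnabled": True,
     "description": "Read-only access"},
    {"id": TARGET_ROLE_ID, "displayName": "Admin", "value": "Admin",
     "allowedMemberTypes": ["User"], "isEnabled": True,
     "description": "Full access"},
]


class AppRoleError(ValueError):
    """Raised when the requested role is missing or not yet disabled."""


def _find_role(app_roles, role_id):
    for role in app_roles:
        if role.get("id") == role_id:
            return role
    raise AppRoleError(f"no appRole with id {role_id}")


def disable_payload(app_roles, role_id):
    """Step 1: full appRoles collection with the target's isEnabled set to false.

    PATCH replaces the entire appRoles collection, so every other role is
    echoed back unchanged; the caller's list is not mutated.
    """
    roles = copy.deepcopy(app_roles)
    _find_role(roles, role_id)["isEnabled"] = False
    return {"appRoles": roles}


def remove_payload(app_roles, role_id):
    """Step 2: appRoles collection without the target role.

    Refuses to build the payload while the role is still enabled, which is the
    state the service rejects with 400 "Property value cannot be deleted unless
    it is disabled first".
    """
    if _find_role(app_roles, role_id).get("isEnabled", True):
        raise AppRoleError("appRole is still enabled; PATCH isEnabled=false first")
    return {"appRoles": [copy.deepcopy(r) for r in app_roles if r.get("id") != role_id]}


def patch_application(object_id, payload, access_token, opener=urllib.request.urlopen):
    """Send one PATCH to the Application object and return the HTTP status.

    `opener` is injectable so the sequence can be exercised without a tenant.
    """
    req = urllib.request.Request(
        f"{GRAPH_BASE}/applications/{object_id}",
        data=json.dumps(payload).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return resp.status


def delete_app_role(object_id, app_roles, role_id, access_token,
                    opener=urllib.request.urlopen):
    """Run the two PATCH requests in order; return both status codes."""
    first = disable_payload(app_roles, role_id)
    statuses = [patch_application(object_id, first, access_token, opener)]
    second = remove_payload(first["appRoles"], role_id)
    statuses.append(patch_application(object_id, second, access_token, opener))
    return statuses


# Offline stand-in for the network (constructed, so the example runs as-is).
RECORDED = []  # every Request handed to fake_opener, in order


class _FakeResponse:
    status = 204  # a successful Microsoft Graph PATCH answers 204 No Content

    def __init__(self, req):
        RECORDED.append(req)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    return _FakeResponse(req)


def run_demo():
    """Delete the sample Admin role against the fake opener; returns both statuses."""
    RECORDED.clear()
    return delete_app_role("<application-object-id>", SAMPLE_APP_ROLES,
                           TARGET_ROLE_ID, "<access-token>", opener=fake_opener)


if __name__ == "__main__":
    print(run_demo())  # [204, 204]
    for req in RECORDED:
        print(req.get_method(), req.full_url, json.loads(req.data)["appRoles"])
```

Replacing `fake_opener` with the default `urllib.request.urlopen` and supplying a real object id and token runs the same two requests against the tenant; the guard in `remove_payload` is what keeps a script from sending the second PATCH in the state the portal gets stuck in.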
-
Enterprise Applications - Gallery Apps - Deploy Via API or Powershell
We have hundreds of AWS accounts that need to be federated with our Azure Active Directory. We in turn create an Enterprise Application thru Gallery Apps per AWS account to enable provisioning and sync all roles into Azure. Unfortunately, scaling and automating this is not possible thru Gallery Apps.
We need a way to deploy Gallery Apps for AWS / SalesForce programmatically.
Currently, we are configuring these accounts one at a time. We need to be able to automate this process as we cannot onboard AWS accounts into Azure Active Directory.
23 votes
-
Azure AD Applications - Needs
- Allow applications in Azure AD to be organised into folders so business units who work in this space can 'claim' applications.
- Provide the ability to rename applications or application instances once created.
- Provide visibility of what user created an application.
- Provide the ability to 'lock' applications from being accidentally deleted.
- Deletion of applications requires X global admins to approve, at the moment a rogue admin could destroy an SSO setup for an entire company in minutes...
22 votes
Thank you for your feedback, some of the suggestions are already available:
- Ability to rename applications
- Provide visibility of what users created an application: You can use audit activity reports: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-audit-logs
Regarding the other suggestions, I'll update this once it's a planned feature. In the meantime, keep the voting coming so we can prioritize this higher.
/Luis
Program Manager
-
Workday to AAD/AD provisioning query scope
Workday to AD/AAD provisioning
Please add the ability to scope the query passed to the getworkers API. For instance, pass to getworkers company=schoolA.
Workday is now implementing shared tenants in the EDU space. In a shared tenant, the current query to get_workers pulls all workers and then allows scoping, but the worker data for all schools has to be pulled before it can be scoped. The result is AAD audit logs saturated with other schools' employee data. Also need to be able to control audit data written to Azure activity logs, or at least be able to clear the…
19 votes
Hi, we are working on pulling the provisioning events out of the audit logs so that they are easier to manage. I'll reach out to people internally about being able to set the scope to a particular school.
/ Arvind
-
Default 'approval required' method for apps (new/unused)
Please can we have a global catchall for all new or previously unused applications that link to Office365 accounts/resources?
An example: draw.io has not yet been used and therefore there is no enterprise app to configure in Azure AD.
On first attempt to log in to draw.io with an Office365 account, an approval request should be sent to the Office365 administrators to review the application and the permissions/access it requires.
Then the enterprise app can be configured accordingly, utilising Self-Service, assignment and approvals as deemed necessary.
18 votes
We're running a limited private preview for this feature. Based on the results, we will be able to provide an ETA on public preview.
Targeting November.
Thanks,
Luis
-
Workday Email Writeback API Version
According to the Workday provisioning docs, the current API call (MaintainContactInformation) for email writeback is v26.1. Can this be updated to use v30.0 or later and use the "ChangeWorkContact_Information" api call instead, as it's specific to work contact information and less likely to be blocked by other business processes in Workday?
16 votes
Thank you for your feedback. This feature request work is in progress.
-
SAML SSO, pass Restricted Claims
It would be good if you could specify a restricted claim to be passed to the relying party such as isCompliant etc if a user is on a managed device. Clearly these claims should not be modifiable.
16 votes
-
Find and Replace Claims Transformation Function
When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:
If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.
13 votes
We will be working on enabling this transformation soon. Thanks for the feedback.
/Luis
-
Allow User Consent per Scope
Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".
Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.
13 votes
Hi,
Thanks for your feedback. This feature is currently in our backlog. We expect to make good progress in the coming months.
The idea is that as an Admin, you can have a list of low risk permissions that the users can consent to.
Please keep voting and subscribing so we can update you when we have a more concrete plan.
/Luis
-
Workday trigger delta sync
The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.
12 votes
Hi, we are working on the ability to sync a specific user / group on demand so you don't have to wait for the next sync cycle.
/Arvind
-
Enhanced AAD Support for SAP SuccessFactors
Hi
SAP SalesForce (SF) is pre-integrated with AAD, but SalesForce is comprised of numerous applications (HR modules). It would be nice if AAD conditional access, user provisioning and MFA rules could be applied differently based on the SF applications.
MFA: It would be helpful if AAD supported MFA for SAP SuccessFactors by SuccessFactors module, e.g. the ability to force MFA for the Performance Management & Goals application, but not force MFA for the Learning Management System (Training) application.
User Provisioning: It would be helpful if AAD supported automated user (de)provisioning of accounts in SAP SuccessFactors, again based on SF application.
Take care,
Shayne
10 votes
-
Allow Directory Extensions as claim in SAML Token
This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.
If you create a directory extension attribute there doesn't seem to be a way to include it as a claim (i.e. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name, however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).
I have found that you can include a directory extension attribute as an optional claim in the…
9 votes
We have work in progress to enable directory extension attributes from the Enterprise apps UI. You can use PowerShell to get unblocked: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping
In the comments, Ross has shared a link to a forum where you can find the exact policy.
-
Workday to OnPremise Sync with non Global Admin Account
In the current configuration of the "Workday to Active Directory Provisioning" you are required to create an account in Azure with Global Admin permissions to be used by the onPremise agent. All changes made to Active directory are made in the onPremise AD and not in Azure and the permissions appear to be above the needed level in order to maintain our security delegation of lowest level required to perform a task.
Is there a solution to have the interaction between onPremise Agent, Azure and Workday that does not require this level of permission?
9 votes
Thanks for your feedback. This is work planned for the next version of the agent.
/Luis
-
Custom error messages per SaaS App and tenant-wide also
It would be really awesome if Microsoft would provide developers with an option to provide custom error messages per Azure AD SaaS App, and Global Admins with the option to define some tenant-wide custom error messages as well. The error messages provided by Microsoft are not especially user-friendly or customer specific yet. This creates some confusion among internal and B2B users.
I hope this would be taken into consideration like the Azure Conditional Access custom error messages.
/Peter Selch Dahl
Azure MVP
Also see these related requests:
Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6795635-fix-error-aadsts50020-when-logged-in-user-doesn-t
Customize error…
8 votes
We don't plan to provide the capability to customize the error message for now. But, we have been working on making the error messages more actionable.
If you have any suggestions for improving a specific error message, please create another post and the team will improve it.
/Luis
Program Manager
-
Allow user folder provisioning for Box upon user assignment in Azure ADP
We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.
One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.
We would like…
8 votes
Thank you for your feedback. Please keep voting to help us prioritize.
/Luis
-
IDP-Initiated SAML flow option for all gallery applications
Gallery integration for some SaaS applications (such as ServiceNow) use SP-Initiated sign-in flows. This makes ADFS -> Azure AD "migrations" for customers difficult as there is no way to validate the user experience without making Azure AD the default SSO provider. Additionally, some customers rely on just-in-time SAML provisioning, which is seamless with IDP-Initiated flow.
7 votes
-
Managed Whitelist of Enterprise Applications
Please provide facility to whitelist which 3rd party applications are 'approved'.
Ideally this would be more than just single 'bit' of information, and allow multiple lists - for example, a whitelist for 'regular company business' and another for TOPSECRET, to be integrated with other parts of the azure framework, such as being used in Conditional Access Policy and the EMS E5 features.
Currently OAuth consent by any user will automatically register an application and this cannot be disabled. Blacklist is possible, but whitelist is not without completely removing ability for users to manage their own consent, which is undesirable from…
7 votes
We have started work on this feature. For an initial release, we're thinking of allowing admins to select the set of permissions users will be able to consent to.