Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Transform SamAccountName to include domain\ prefix using the distinguished name to get the domain name

    Applications need Domain\UserName as a claim. Can we transform the SamAccountName to add the domain\ prefix by getting it from the distinguished name? So the SamAccountName would be Contoso\John.Smith.

    2 votes
    0 comments  ·  SaaS Applications
  2. Optional claims from https endpoint

    It would be great if we could have an optional claim fetched from an external https endpoint (secured with an Azure AD application token).

    We have some requirement where some privacy rule requires us to decrypt an encrypted user attribute, before sending it to the external application.

    By allowing us to specify a URL endpoint for that claim we could manage the encryption ourselves. Azure should send the user id (or allow us to include some user attribute in the request).

    It should also pass an azure ad jwt token with the application id that is used in the current…

    2 votes
    0 comments  ·  SaaS Applications
  3. Require IsMemberOf filter for users sync

    Azure Databricks SCIM Provisioning Connector needs IsMemberOf filter for users sync.

    2 votes
    1 comment  ·  SaaS Applications
  4. Implement "Admin Permit" for Azure AD Apps which then allows users to consent

    As an admin of a tenant where user consent is disabled, we require the ability to permit users to consent to approved applications, without granting a tenant-wide admin consent to those applications.

    Users would see the normal consent page for approved applications and the admin approval workflow for unapproved.

    2 votes
    0 comments  ·  SaaS Applications
  5. Allow group for admin consent requests (Enterprise applications)

    I know admin consent requests are still in preview, but maybe this will help to get a better GA version:

    Currently, if you configure admin consent requests for enterprise apps, you can only add user accounts for review, that have the required role. Only accounts that have a required role assigned are being displayed. This sort of breaks a strategy of zero standing administrative privileges and zero standing access (which MS has successfully deployed themselves) in a customer environment.

    In my view, the best option would be to be able to add a distribution list or group for consent review…

    2 votes
    0 comments  ·  SaaS Applications
  6. workday-AAD please add support for sending email notifications after provisioning operations complete

    From the FAQ: "Does the solution support sending email notifications after provisioning operations complete?
    No, sending email notifications after completing provisioning operations is not supported in the current release."
    This would be useful as all of our current processes include emailing a few people per region a user is created in.

    2 votes
    1 comment  ·  SaaS Applications
  7. Update instructions to integrate Salesforce

    Customer reported instructions to integrate Salesforce must be updated.

    Hi Andres,

    I was able to resolve the issue earlier today. In addition to the URL, there were three things that had to be done:

    In Salesforce, the SAML identity type must be set to Federation ID.
    In Salesforce, the Azure username must be placed in the Federation ID field.
    In the Azure application, in the Single Sign On settings, a claim must be added with the name FederationIdentifier with a value of user.userprincipalname.

    The MS support case may be closed, but I would suggest an update to the instructions. From…

    2 votes
    0 comments  ·  SaaS Applications
  8. Application Registration Portal - error when saving edited manifest with optionalClaims

    On apps.dev.microsoft.com I'm trying to edit a manifest to enable the optional "email" claim. I'm adding a block near the bottom of the manifest, and it looks valid:

    "optionalClaims": {
        "idToken": [
            {
                "name": "verified_primary_email",
                "essential": false
            }
        ]
    }

    Based on this reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

    but when saving I get:

    The request body contains unexpected characters/content for the specified content type and encoding.

    2 votes
    1 comment  ·  SaaS Applications
  9. We have a few non-gallery applications we would like to be added.

    We are a K-12 School District and cannot afford the Premium upgrade. The apps are:
    ez-proxy - https://www.oclc.org/en/ezproxy.html
    Frontlineeducation.com (Absence Management and Professional Growth)
    GoGuardian
    Schoolwires (part of Blackboard.com)

    2 votes
    0 comments  ·  SaaS Applications
  10. Azure App registration export, import and/or install process

    We have an Azure App registration we want to share with another tenant. No code, but has many settings and permission changes. No apparent way to export, package, or share these objects for moving or installing. Clearly, unique GUIDs would come from the new tenant.

    Would it make sense to have such a feature?

    2 votes
    planned  ·  2 comments  ·  SaaS Applications
  11. Filter Source Object Scope when Provisioning Enterprise Application

    Is there the ability to reduce the scope of user objects provisioned to an enterprise application? We only want to provision a few accounts to test connectivity and in future do not want to synchronise our entire Azure AD to the application (See attached greyed out 'Source Object Scope')

    2 votes
    0 comments  ·  SaaS Applications
  12. Amend the userprincipalname within a SAML Token Attribute

    A really useful feature would be to allow us to amend the userprincipalname (email address) before passing it (to an SaaS Application such as salesforce) as part of a SAML Token Attribute using the Single sign on connector with Azure AD.

    We currently have two instances of SalesForce/RemedyForce and we need our users to have logins into both but the logins need to be unique so I want to add .ds to the end of the userprincipalname in one of the instances but still allow them to use single sign on.

    I have been informed that it is not possible…

    2 votes
    0 comments  ·  SaaS Applications
  13. Possibility to map custom fields from ServiceNow

    We had some custom fields on the ServiceNow user table, and we are not able to map these fields in Add attribute mapping in AAD (see attached file)

    It is the normal behavior (FYI we use ServiceNow Helsinki release)

    2 votes
    1 comment  ·  SaaS Applications
  14. 2 votes
    0 comments  ·  SaaS Applications
  15. Allow variable attributes for password SSO

    We currently use Onelogin which allows us to use variables from user profiles. We want to use Azure AD password SSO to push custom variables to the form such as the user's first name, last name, email, etc...

    2 votes
    0 comments  ·  SaaS Applications
  16. Auto configure single sign-on to Google Apps sets wrong signout URL

    Currently, auto configure sets the same URL for sign in and sign out in the Google Apps config,
    but the correct sign out URL is https://login.windows.net/common/wsfederation?wa=wsignout1.0

    2 votes
    0 comments  ·  SaaS Applications
  17. Allow Relying Party AutoUpdateEnabled

    Hello,

    Azure AD does not provide a way to automatically update the application configuration based on changes within the Relying Party federation metadata.

    For most of us, it's a big drawback because IT admins have to handle this change and only a few IT admins have an identity technical background.

    As Microsoft pushes Azure AD to be used as the Identity provider for most apps (and Microsoft provides tools to migrate from ADFS to Azure AD), this feature becomes essential!

    1 vote
    0 comments  ·  SaaS Applications
  18. Allow Regex or String Processing for Claim Transformation

    I have tried multiple permutations of existing functions and am unable to get a result that is very simple with ADFS - and yes I have opened a case on this issue (120070721001865).

    We have designated an extensionattribute as a "saas information attribute" which means we have placed a delimited string in the attribute so that we can provide applications with claim information. A sample string would be "AP1:App 1 data|BP1: Business App Data|BP2:Business App2 Data|ETC: and so on"

    With regex this is a very simple routine to isolate the attribute in question - such as "BP2:([^\|]+)" which would get…

    1 vote
    0 comments  ·  SaaS Applications
  19. Add claim manipulation for padding

    It could be an independent function such as PadLeftWith() or PadRightWith() to pad, let's say an employee number by 0s. Or a combination of functions such as Join() and followed by ExtractNums(), allowing exact number of characters retrieval, e.g., Join 0000000, 2233835, and ExtractNums() 9 of previous function's output retrieves 002233835.

    1 vote
    0 comments  ·  SaaS Applications
  20. Deactivation of users in ServiceNow does not happen when the user is removed from the ServiceNow group or from Azure AD itself.

    After removing the user from the ServiceNow Assignment or removing the user from the Azure AD itself, there is no information passed to ServiceNow about the user and the user remains active in ServiceNow.

    1 vote
    0 comments  ·  SaaS Applications