Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Under MFA Server >activity report it'd be nice if we could schedule an email to be sent

    Under MFA Server>activity report instead of having to download the report manually it'd be nice if a report could be scheduled to be sent via email.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  2. Add a filter to show "disabled" multi-factor users

    The multi-factor authentication users list has three filters currently

    All
    Enabled
    Enforced

    When the most important thing for me to know is the users who DONT have multi-factor enabled, wouldn't it make sense to have a filter for "disabled" ?

    Right now I have to page through 300 users looking for any that are "disabled" because I cant even sort by this column.

    Anyway, I am requesting that a filter for "disabled" be added and the ability to click the column headers to sort.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  3. unable to search the users to reset MFA

    Today when i was trying to reset MFA for one of the users through Azure MFA portal.i was unable to find the user eventhough user has necessary license assigned.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  4. Adding non-listed 3rd Party MFA via Azure AD Custom Controls

    How do you get an MFA Server on the list, as at present it seems to be restricted to RSA, Duo and Trusona. Or when will you open up support for the general MFA providers, and/or provide the information that will allow another vendor to integrate in the same fashion.

    Reason:
    We have a very large customer we are working on with their whole of Staff UAM 2FA upgrade. They are looking at both on-premise and cloud options, but require the 2FA to be on-premise. Azure's approach with ADFS will be restrictive as compared to AWS and GCP's approach, especially…

    48 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. Make Trusted IPs a Standard Feature of MFA for Office 365 and MFA for Azure AD Admins

    Not being able to set Trusted IPs for MFA for our Office 365 users and Azure AD admins is the primary reason we have not implemented MFA.
    For admins, admin tasks are done almost exclusively while on our LAN. When we tried enabling MFA, it was too cumbersome to use when authenticating to each service in PowerShell.
    For Office 365 users, our biggest threat is compromised credentials being used by malicious actors from outside of our company. Requiring MFA to be used while on our LAN slows down the adoption of all but the most basic Office 365 services (in…

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. two step verification using microsoft authenticator

    Our organization has moved the email to office 365 which is the worst thing that can happen. This two-step verification is very annoying and we need to wait indefinitely to receive the text message or receive the call. It sucks. Hence it should be integrated with Microsoft authenticator so that we can generate the code on the fly which will be very easy.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  7. Pre-Provision MFA "StrongAuthenticationUserDetails" via PowerShell?

    We have over 12,000 users we need to provision for MFA.

    I know we can enable MFA via PowerShell, but there doesn't seem to be a way to update the "StrongAuthenticationUserDetails" attribute (Alt. Phone, Email, etc.) programmatically.

    This is turning out to be a huge pain for us. Does anyone have a timeline for when we'll be able to do this?

    101 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. Azure AD - Conditional Access Policy - On-Premise MFA Server

    Azure AD should allow for redirect via a conditional access rule to On-Premise MFA Server and not just the cloud version of MFA. You can create a conditional access rule to redirect to other 3rd party MFA solutions such as DUO, but not you own Microsoft On-Premise MFA solution. This will allow for companies to leverage their on-premise MFA server to which may already have a large technology investment.

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  9. Integrate Azure MFA with the Windows login process, maybe through Windows Hello for Business.

    From what I can see it's not currently possible to integrate Azure MFA into the Windows domain login process as a second factor. For example, if a user was to authenticate to the local AD first and then be required to use Azure MFA to add a second factor, using the Microsoft Authenticator app. This would remove the need for third party smartcards or hardware tokens.

    21 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  10. MFA only allow initial setup from inside corporate network.

    Please allow configuration of initial MFA setup for users so that they can only do initial setup of their MFA from within our corporate network. Also the ability to pre-provision and lock-down their MFA settings (cell phones etc). We need to be able to make sure that not just anyone from outside can do the initial provisioning of a users MFA setup. In case a users password is compromised.

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  11. MFA only allow initial setup from inside corporate network.

    Please allow configuration of initial MFA setup for users so that they can only provision MFA from within our corporate network. Also the ability to pre-provision and lock-down their MFA settings (cell phones etc). We need to be able to make sure that not just anyone from outside can do the initial provisioning of a users MFA setup. In case a users password is compromised.

    46 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  12. Add AD container option for Tags

    Tags can only be assigned to users via security groups. I would also like to be able to automatically assign tags to users based on a container.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  13. Require users to select 2 digit number to minimize accidental approvals

    I worry that the one click "approve" is a bit too easy and our users might click approve on a unexpected log in. I like what you did with consumers where the user must tap one of three two digit codes in the Authenticator app.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add company preferred MFA option

    Company should have option to choose preferred option for MFA for users. For example, we allow Mobile Phone and App. But in onboarding, portal asks only for phone setup and not for app. Users complain about SMS codes, they do not find an App option in advance settings.

    37 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Where are my MFA configuration settings for Azure Cloud based MFA services!

    Since the retirement of the classic portal...the link still redirects there and I cant find where to manage my azure mfa settings now.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  16. Azure AD MFA enhancements

    Like to suggests a couple of enhancements to Azure MFA (not MFA server).

    Ability to pre-provision users at scale (send QR code to selected users via email, import mobile numbers to protected 'authentication contact info' area in users profile via PowerShell, etc.)

    Provide method for users to change MFA device or bypass MFA if device isn't available (security / secret questions in lieu of MFA, alternate email - personal, etc. )

    Provide administrators a method to bypass MFA for a user (one time bypass, bypass MFA for 'x' amount of time, provide temp code that will work for 'x' amount…

    52 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. Control “Remember MFA for devices that users trust” on an application basis

    At the moment “Remember Multi-Factor Authentication for devices that users trust” is only a global setting

    For most of our application InfoSec is fine to have 14 day before reauthentication and that’s a fair compromise between usability and security especially for things like the SfB App on the mobile

    Nevertheless for some applications we want to have AAD enforce MFA for every login as the data in those systems is highly confidential, e.g. the system that manages the payroll and benefits for our top executives

    So we’re asking to have an option to overwrite the “Remember Multi-Factor Authentication for devices…

    24 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  18. Port Azure MFA Server (PhoneFactor) reports from "classic portal" to "new"/current portal and give "Security Reader" role access to them.

    Port Azure MFA Server (PhoneFactor) reports from "classic portal" to "new"/current portal and give "Security Reader" role access to them.

    The Azure MFA Server - Activity Report which is currently available in the "new"/current Azure portal and all of the MFA Server reports that are only available in the "Classic" are only consumable by "Global Admin" role members. This makes it difficult to utilize with the rest of the security protection model available to the "Security Reader" role members.
    It would be useful to get these reports moved to the "new"/current Azure portal and get them accessible to the "Security…

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow removal of Office Phone option in Azure MFA cloud portal

    We sync Office Phone so that its in the GAL for our o365 deployment, but we do not want that listed in the Azure MFA portal (aka.ms/mfasetup). We want only the primary and backup phone options that the user must enter themselves during enrollment.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  20. Improve handling of LDAPS to Azure MFA server to mirror LDAP

    DC1 -> using LDP, connect & bind to MFA server with credentials using LDAPS (TCP 636). Do the search with default attribute list (objectClass;name;description;canonicalName) -> output shows all expected users.

    DC1 -> using LDP, connect & bind to MFA server with credentials using LDAPS (TCP 636). Do the search with attribute list of * -> output is cut short after 2-3 users. Ends up failing with "Failed to decrypt message: 0x8009030F The message or signature supplied for verification has been altered"

    DC1 -> using LDP, connect & bind to DC2 server with credentials using LDAPS (TCP 636). Do the search…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base