Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Improve Azure Authenticator App to require password or touch id validation before approving push request.

    Currently, if you receive a push notification to the Azure Authenticator app while the phone is locked, merely swiping the notification and selecting View allows access to approve (or deny) the request. Other authenticator apps (Google, Lastpass, etc.) require the device password or touch id (on iOS) before the request can be approved. This is a security flaw and needs to be fixed.

    20 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  2. Azure MFA Trusted IP limitation of 50 address ranges

    Currently per the article: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next the Trusted IP for configuration "For requests from a specific range of public IPs" is restricted to a hard limit of 50 IP Address ranges.

    Please provide the ability to extend this number as there are companies like ours where the limit of 50 IP Address ranges makes this not usable for production environments.

    26 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  3. Restrict MFA App registration to device with the same phone number assigned.

    Some organizations would like to prevent a user from having Mobile text/SMS/App from being 2 separate devices but rather require by policy that they be the same device. IE during registration of the OATH token in Azure Authentication check that mobile phone on the device matches the mobile phone registered in Azure MFA.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  4. Auto-Upgrade support for Azure MFA server

    Please add support for automatic upgrade of the Azure MFA server like you did with the Azure AD Connect.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. Add Windows Server 2016 support for Azure MFA server

    I hope that Microsoft will soon add for Windows Server 2016 for the Azure MFA server. Perhaps it should be added to Windows as a new role

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. Improve the support of the MFA product for clients setup up the initial configuration. Offering links to a forum is poor & dissappointing !

    Initial setups/configurations can often be the stage that requires the most support, and offering links to a forum are insufficient support, for a paid product. There should be at least an improved support level for the first month, during which setup and config questions should be able to be submitted by email for a tech support reply or phone call. The current documentation is quite vague in areas such as setting up a VPN to use the MFA on-premises solution, with many users submitting questions to forums, trying to get it working.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  7. Better documentation on Multi Factor Authentication

    For Office 365 users, the MFA on-boarding documentation does not cover the need to turn on ADAL for Exchange Online and Skype For Business. Documentation should be updated or ADAL should default to ON for these applications in Office 365.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. Automatically enable MFA for all members of an Azure AD Group.

    Add the ability to automatically enable MFA for all members of an Azure AD group as they are added, in addition ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

    74 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

  9. Please allow granular RADIUS authentication filtering

    As it stands, we can use the on-premises MFA server to authenticate RADIUS clients in an all-or-nothing fashion. Our real-world requirements include only letting people in a specific group into a specific VPN endpoint (RADIUS client), while allowing a different group to get into a different client. It would also be very useful to be able to say, for a single client to accept users in group A with MFA challenge, but group B without. A rich rule set like ADFS provides would be even nicer, but intermediate steps in that direction soon would be a huge improvements.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  10. User Opt-In to Azure MFA with Office 365

    We have enabled MFA at our Office 365 tenant, but requires Admins to enable users. For organizations that would like to phase MFA in for their users, it would be nice for users to self opt-in sort of like they do with personal email accounts. Then over time, administrators can "require" MFA by a certain date for users holding out. One way to handle this is to include a link for the end user under user settings to "Sign up for Multi-Factor Authentication". Right now, nothing appears under a users security settings until they are enabled by an administrator. Thx!

    67 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    16 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  11. MFA on-premises use security questions for fallback

    In the on-premises MFA server there's the ability to enable "use security questions for fallback". This is great but only works for newly imported accounts. Can this be enforced on all users?

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  12. On-Premises MFA logging, user change MFA method

    There's much logging in the on-premises MFA server, but it's missing the change for MFA method by the enduser at the moment. Can be handy for traceback (including the machine name from which the change has been made) and seeing if there's a possible identity theft.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  13. MFA

    Update the Multi Factor Authentication (MFA) Gui so we can see any account that is NOT enabled or enforced. Seems like a basic setting but I cannot find any resource to help identify these risks and it is troubling (and manual).

    12 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  14. MFA by device not per application

    We are piloting MFA with auth expiry every 7 days. Currently every 7 days we have to log into ever single app using MFA (word, excel, onedrive, onenote etc etc) every 7 days on both our laptops and our mobile devices.

    It would seem reasonable for the apps on each device to have a share session that expired every 7 days instead.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Provide Multi Factor Auth for Microsoft Accounts when logging into the Azure Portal

    Currently multi factor authentication can be enabled for accounts created in Azure AD, for securing login to the Azure Portal. However Microsoft accounts such as user@live.com can not have multi factor authentication enabled for them. This creates a security risk for those that may not have organization ID for the tenant they are working in, or the Microsoft Account has been granted co-admin or RBAC access to other subscriptions.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  16. Backup Codes for Azure MFA

    Please add support for "Backup Codes" to Azure MFA as soon as possible. Many popular MFA services already support Backup Codes, basically a list of 10 valid authentication codes that a user can print off and use in situations where there regular authentication method is not available.

    Use cases for backup codes include:

    - User's mobile phone is lost, stolen, or damaged.
    - User will be in an area with out good mobile phone service or consistent access to a land line.
    - Users let's mobile phone battery drain..

    58 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.

    Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.

    Richard

  17. Windows Authentication for Terminal Services support for Windows Server 2012 R2

    Windows Authentication for Terminal Services support for Windows Server 2012 R2

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  18. Provide MFA Reports via API or reporting services

    Currently we pull a daily user detail report from the MFA portal and add it to a spreadsheet we then visualise with Power BI. It allows us to monitor the success/failure rate across authentication methods. Linked to an AD extract it also allows us to report based on country.

    It would be useful if the report data could be obtained via API to automate the collection of this data

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  19. Use Cortana's voice for Azure MFA phone verification/callback service

    Azure MFA already has support for custom voice messages [1].

    To provide a consistent experience across all Windows 10 devices, it would be neat if the Azure MFA callback service had Cortana's voice.

    This would also allow Azure MFA to benefit from the Cortana accent regionalisation efforts (American English for en-us, Australian English for en-au).

    [1] https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/#custom-voice-messages

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  20. Update MFA Server documentation to cover all features and configuration options

    The documentation for Azure MFA Server seems very incomplete. Just to mention a few:
    Proper descriptions for "Phone Factor Admins" group, AD requirements and changes is completely missing.
    No documentation can be found for available tags that can be used for dynamically adding information in emails.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base