Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. on prem MFA

    Make the on prem country code list an editable list
    Currently no changes are allowed to the current static list of countries, making it hard to administer users who belong to countries not on the list (i.e. Kosovo).
    A country code for the country of Kosovo to the list....

    2 votes
    0 comments  ·  Multi-factor Authentication
  2. MFA notifications sent to mobile (SMS and App) on the same language as the user location in O365

    As per the current configuration design, it seems that users with MFA enabled on their accounts are receiving SMS and/or notifications sent via Authentication App on their mobiles, based on the Browser location settings.

    Example:
    If a user from Sweden travels to China, whenever accessing O365 portal via Mobile, the respective notification message will be sent in Chinese.

    To avoid this kind of issue, or even for users on VPN, we would like the respective message to be triggered in the language of the country associated with the user location setup in O365.

    1 vote
    0 comments  ·  Multi-factor Authentication
  3. MFA whitelist for NPS

    We need to be able to whitelist IPs so they are excluded from Azure MFA when the users are connecting to RDS and NPS forwards requests to MFA.

    Scenario:
    We need to set up RDS environments where users who are connecting from the internet are provided with Multi-factor authentication, but with the possibility to bypass MFA when connecting from specific IP-addresses.

    The MFA-part is working, however, we need to be able to bypass MFA for specific IP-addresses which is impossible at the moment.

    This is business critical for our clients.

    Thank you

    1 vote
    1 comment  ·  Multi-factor Authentication
  4. Allow MFA via Email for external vendors

    The current MFA tools are tied to a device that a 3rd party would likely take with them if released from their employer, which poses a high potential for a security risk. If email based MFA was allowed for vendor access, then emails would be sent to a corporate mail server ensuring that the employee was still employed.

    I understand the argument that sending an email to the account you're trying to access is poor security posture, but if it is being sent to a different domain, that risk should be mitigated and overall a better security mechanism.

    1 vote
    1 comment  ·  Multi-factor Authentication
  5. Microsoft Flow needs to work in approval mail scenarios

    The "foreach" action in Flow runs synchronously, which is a problem when using approval emails -- the next approval email is not sent until the first is approved/rejected. Have to use LogicApps instead.

    0 votes
    0 comments  ·  Multi-factor Authentication
  6. Secure MFA registration

    Assume that you enable MFA (e.g. through conditional access) only for external access, while MFA is not required for access from internal infrastructure; if a user only accesses services from internal where MFA is not required, the account could be exposed to attacks from the Internet.

    An attacker that uses credential stuffing or other password guessing techniques will, upon successfully obtaining a user's password, be allowed to register MFA at the time when he/she meets the MFA requirement. In recent high profile attacks we have read about in the news, the technical breakdown says that the attacker logged in with…

    2 votes
    0 comments  ·  Multi-factor Authentication
  7. Provide admin role ability to view / delete registered authenticator apps

    Ran into an issue where user is capped at (5) registered authenticator apps. Working with support, there is currently no way for an admin to see how many registered authenticator apps a user has nor is there a way for an admin to delete them.

    Need ability for an admin role to view/query/modify registered authenticator apps.

    1 vote
    0 comments  ·  Multi-factor Authentication
  8. Support 3rd party MFA tokens with NPS Extension for Azure MFA

    The ability to use 3rd party MFA tokens with the NPS Extension for Azure MFA.
    It is very handy to use Azure MFA for VPN authentication, but it is not always practical to use the Microsoft Authenticator app for MFA. There are often times where we need to give 3rd party contractors access to the VPN, and providing them with a single hardware token is much easier to manage than having the Microsoft Authenticator app set up on a phone.

    1 vote
    0 comments  ·  Multi-factor Authentication
  9. Conditional access validated prior to password

    Today, authentication validates the password before hitting the conditional access, therefore allowing password sprays to lock the accounts.

    Office 365 and Azure logins should take the password (as we do today), proceed with conditional access, even if the password is wrong, allowing conditional access to block password sprays. Then if the password is incorrect, deny the access or send for approval in the azure app or request the token, whatever is the preferred choice for MFA.

    Hope I was clear...

    16 votes
    4 comments  ·  Multi-factor Authentication
  10. Allow the creation of custom administrator roles in Azure Active Directory

    Allow the creation of custom administrator roles in Azure Active Directory. In our case we want to assign rights to our helpdesk to allow them to reset users' MFA, forcing them to proof up. The Authentication Administrator role allows for this but also grants too many other permissions that we don't want to give. Creating a custom role allowing for just MFA reset would resolve this.

    5 votes
    0 comments  ·  Multi-factor Authentication
  11. Add sorting/filtering to Microsoft Authenticator mobile app

    As MFA use expands, users will start to have dozens of MFA accounts. The Authenticator App is great, but its interface is lacking searching, filtering, grouping features. At least ONE of these would be helpful. Currently, a user needs to scroll through many pages to find the entry. It's not sorted in any fashion except for manual dragging and dropping. Please add SOMETHING to help locate accounts faster.

    1 vote
    1 comment  ·  Multi-factor Authentication
  12. Allow admin to change timeout for response time of each MFA method

    Now the response timeout for each MFA method (Ex. App push notification is 1 minute etc.) is NOT changeable.
    Customer would like to be able to change this timeout.
    Because when they use the NPS extension they are able to set a timeout on the NPS server, but it is affected by the timeout above.

    1 vote
    0 comments  ·  Multi-factor Authentication
  13. 1 vote
    0 comments  ·  Multi-factor Authentication
  14. Use Microsoft authenticator for workstation login

    Could we propose using the Microsoft Authenticator mobile app for workstation login when using a domain-joined or a Hybrid AD joined machine? It will accelerate the adoption of MFA in the organization.

    Thanks in advance.

    1 vote
    0 comments  ·  Multi-factor Authentication
  15. DUO MFA - Does Not Re-prompt for Authentication when used with Azure CA

    Azure keeps the DUO MFA session cookie active in the browser even when an application has timed out or has been closed and re-opened. When re-authenticating with the application, the CA Policy does not call the DUO servers for a new session cookie (DUO have confirmed this). I would like to control DUO Authentication session times as you can with the native Azure MFA.

    In addition, I would like to see the following in Azure sign-in logs:

    * DUO MFA has been used
    * CA Policy was triggered when DUO MFA is used

    3 votes
    0 comments  ·  Multi-factor Authentication
  16. There should be an option to disable Office Phone as a verification option

    On the MFA settings portal, there is no way to separate office phone from cell phone when choosing the verification options that will be presented to users. The only option is "Phone call". However, when users go into the verification options on their user profile, they can choose to do MFA via "Office phone" or "Mobile phone".

    There needs to be a way to disable Office Phone as an option so that users cannot select it. It is not secure as a verification option.

    2 votes
    0 comments  ·  Multi-factor Authentication
  17. Provide a RADIUS service for Azure Active Directory so VPN clients can use Azure MFA

    Provide a RADIUS service for Azure Active Directory so VPN clients can use Azure MFA

    4 votes
    0 comments  ·  Multi-factor Authentication
  18. Azure Multi-Factor Authentication (MFA) - Microsoft Authenticator code reset options

    Provide us with the ability to ensure the MFA code reset password can be chopped up and sent to multiple individuals.

    I.e. the first half of the code gets sent to you and the second half gets sent to the IT Security Manager, System Admin or other Manager.

    Reason being is that I updated my work phone and needed to reset my Microsoft Authenticator code through the authentication web page. I followed the prompts to have it reset and the code was sent to my phone, from there I was able to scan the QR code on the screen and…

    7 votes
    0 comments  ·  Multi-factor Authentication
  19. Please add Maldives to phone verification list.

    There is no option to select Maldives while trying to do SMS verification. I think this is a bug as all other Microsoft services have full support in Maldives.

    1 vote
    0 comments  ·  Multi-factor Authentication
  20. Currently there is no visibility into who approved the user's one-time bypass from the MFA User Portal to skip the MFA step.

    Issue:
    Currently there is no visibility into who approved the user's one-time bypass from the MFA User Portal to skip the MFA step. Also, if possible, please add an info bar which will contain the reason for the one-time bypass, and also how the User Portal admin will verify that the requesting user is the real one.
    Impact:
    This is a security loophole; there is a possibility of misuse of the account or of this functionality with the help of the MFA User Portal admin.

    3 votes
    1 comment  ·  Multi-factor Authentication