Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Allow users with MFA to login via CLI (az login)

    az login currently does not work with Microsoft accounts or accounts that have two-factor authentication enabled, see: https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-login

    Following the idea of Infrastructure-as-Code (IaC), we programmatically use `az login` to set up our infrastructure. However, we would highly prefer using a user account when running such scripts manually compared to service principals:
    a) Audit logs on Azure should show *who* (= real user) triggered infrastructural changes
    b) MFA-backed accounts are more secure

    See also: https://github.com/Azure/azure-cli/issues/6962

    18 votes
    0 comments  ·  Multi-factor Authentication
  2. how to export lotus notes mail to outlook

    By taking the help of ATS NSF to PST Converter application you can convert single as well as multiple NSF files into PST and other file formats such as EML, EMLX, HTML, vCal, vCard, MBOX, CSV and MSG file format for the future. This tool is always ready to export password protected and encrypted data in a safe manner without any hassle. It is 100% safe and secure for the conversion task. It supports cloud-based application Office365 & Live Exchange Server. Before finishing conversion it displays the preview of the recovered mailbox in a safe manner along with email, draft, task,…

    1 vote
    4 comments  ·  Multi-factor Authentication
  3. USE AUTHENTICATOR AS 2nd factor

    This is as classic a mind numbing and soul crushing experience as I have experienced in my 30 plus years as a Microsoft missionary. Have 4 or 5 hours to waste? Look for documentation showing you how to set up logging into Windows 10 on an AAD machine which triggers an authentication in the authenticator app - just admit it's the most value added thing you could do and for some reason it doesn't exist - but you can do it for FREE with your Microsoft account - WHY??? PATENTLY RIDICULOUS

    1 vote
    0 comments  ·  Multi-factor Authentication
  4. one time bypass from powershell

    Create the possibility to control/change One-time bypass MFA via PowerShell.

    2 votes
    1 comment  ·  Multi-factor Authentication
  5. MFA NPS ext - Support for Network policies via RADIUS-Challenge msg via SMS & OTP

    When you have the NPS extension, the problem is that when a user is using SMS or OTP, the user is not granted access based on the network policies that are defined in the RADIUS server.

    This is a known limitation (MS says) with NPS where the network policies are not applied for SMS or OTP flows.

    If you use a challenge method it does not support the NAP policies. These are only evaluated during primary authentication.
    When using RADIUS Challenge (for SMS or OTP), the Challenge response skips primary auth and so these policies are not evaluated.

    But when the users have chosen…

    17 votes
    1 comment  ·  Multi-factor Authentication
  6. How to transfer google authenticator to new phone

    First of all, don’t remove the Google Authenticator app from your old phone until you add tokens to your new phone. To move all your tokens from one phone to another you should log into each of your accounts and disable 2FA. In the process of disabling you will be asked to provide the OTPs generated by your current phone. As soon as you disable 2FA, you should re-enable it and add tokens to your new phone. You’ll find the instructions on how to transfer Google Authenticator to a new device on our Blog

    http://myc4.proboards.com/thread/2874/transfer-google-authenticator-new-phone

    https://www.assistotalk.com/how-to-create-a-group-in-gmail-account/

    https://www.assistotalk.com/repair-ok-google-not-working-or-responding/

    https://www.assistotalk.com/gmail-attachment-not-uploading/

    https://www.assistotalk.com/fix-now-google-play-clash-of-clans-sign-in-disconnected/

    1 vote
    0 comments  ·  Multi-factor Authentication
  7. Your App authentication is not only useless but doesn't make sense. it's a complete waste of time!

    Make changing security phone numbers simple! Whatever you guys at Microsoft are doing it's broken and time consuming! You tell users to fix MFA go to profile but your links are not where you state they should be, which makes it more confusing to the user! This is a simple request that you all made difficult and confusing!

    1 vote
    0 comments  ·  Multi-factor Authentication
  8. Azure MFA OATH Tokens

    When importing a CSV of OATH tokens they show up in myapps.microsoft.com as Authenticator App. It would be good to be able to enter a custom name or the last 4 digits of the serial number.

    When you have testing and/or users with multiple tokens, there is no way to know which one you are deleting/changing.

    1 vote
    0 comments  ·  Multi-factor Authentication
  9. MFA Phone Numbers Verification or Encryption in DB

    It would be beneficial to be able to enforce that multiple users are not using the same phone number for MFA within the on-prem MFA server.

    Additionally due to privacy concerns, it would be beneficial if the phone number field were encrypted in the database such that admins are unable to retrieve them in clear text from the server.

    1 vote
    0 comments  ·  Multi-factor Authentication
  10. Change Sign-ins from infected devices title to Sign-ins from suspicious IP

    Change Sign-ins from infected devices title to Sign-ins from suspicious IP. The title of this detection is inaccurate, it is actually when a sign in has been detected from a suspicious IP. Improved wording would be appreciated.

    1 vote
    0 comments  ·  Multi-factor Authentication
  11. MFA Limit the Amount of One-Time Bypasses Allowed

    It would be nice if it were possible to limit the number of one-time bypasses a user can issue themselves within a 24 hour period. Because a user is able to log in to the MFA User Portal using security questions when they do not have access to their primary MFA device, someone can essentially bypass MFA altogether by using security questions and issuing themselves a one-time bypass as many times as they want. This also violates PCI compliance in that it doesn't meet the criteria that "MFA should be implemented so that authentication mechanisms are independent of each other."

    1 vote
    0 comments  ·  Multi-factor Authentication
  12. Provide additional details about a push notification (ie, source ip, source service, time, logs, etc)

    As we are starting to push MFA in our organisation, it will become more common to have popups from the authenticator app. We have issues where many of our user accounts get compromised, and we have noticed that some users just blindly click accept for an MFA push notification.

    What we would like to see is the ability to push more information along with the notification. This could possibly be done by sending specific VSAs to our NPS Radius server which in turn could deliver these variables to the client.

    Ie, source IP address, source country, source service (vpn, outlook,…

    7 votes
    0 comments  ·  Multi-factor Authentication
  13. Unique Sender

    It has been reported to us by our users that the MFA codes are being sent by totally different numbers. Although we know that this is an expected behaviour, it would be good to consider at least naming the senders in the same way, and if possible not Microsoft, but an agnostic name.

    It would also be good to be able to customise the message with a custom text to offer a better user experience.

    1 vote
    0 comments  ·  Multi-factor Authentication
  14. Prevent users from changing authentication methods and authentication phone number (mfasetup)

    We would need the following features:

    • The possibility to assign different auth methods based on groups for MFA.

    • A way to prevent users from changing the authentication phone number. IT department should be able to predefine one authentication phone number and the user should not be able to change the number or setup an alternate phone number by himself.

    • One way to control the access to MFA setup using Conditional Access Policies.

    15 votes
    1 comment  ·  Multi-factor Authentication
  15. Show the Country and App/OS that triggered the MFA request via Authenticator app pop up

    If using the Microsoft Authenticator app with App Notifications for Azure MFA requests why can't we also have the Country and App or OS which has triggered the MFA request?

    This will help users from blindly always tapping Approve and also give them more info on what app has requested MFA.

    You can already see this info in the Azure AD sign in and audit logs so why can't it be pushed through to the app pop-ups too?

    23 votes
    5 comments  ·  Multi-factor Authentication
  16. MFA Verification Method, "Call to phone", The user answers the call and presses #. This should be a configurable option to use different key

    Sometimes the users' local phone system reserves the "#" key for a special purpose on incoming calls. Meaning that the touch tone sound is not passed onto the caller, in this case the MFA incoming call. Currently, MFA doesn't allow changing this to use a different key. This should be configurable (to use a different key) in the same way that the voice message being played is configurable.

    1 vote
    0 comments  ·  Multi-factor Authentication
  17. Azure MFA Server On Prem - Disallow Phone Extensions or Specific Phone Numbers

    PCI compliance puts services like soft-phones and VOIP as a risk for use with Multi-Factor. The reason being, if an employee has a soft-phone on a laptop that was stolen and their multi-factor is sent to the phone associated with that soft-phone, then both primary and secondary factors are on the same device, thus it is not true multi-factor.

    To mitigate this, it would be nice if we could disallow phone extensions and/or specific ranges of phone numbers (i.e. office phone numbers) from being used as valid options in the MFA server. Has anyone come across this scenario? If so,…

    1 vote
    0 comments  ·  Multi-factor Authentication
  18. Reset MFA Authenticator setup as an admin

    For several months now, the "Additional security verification" page (http://aka.ms/setupmfa) from Azure MFA has memorized the Authenticator app and the corresponding device. (See attachment)
    Please offer the possibility to the administrators to remove the old paired device and the associated Authenticator app.

    Reason (for us):
    To configure Windows Hello 4 Business the Authenticator app must be used. Many employees have connected an old device that they no longer own or use.
    We do not have the SMS option set to available, and have set Multi-Factor Auth to Enforced. Using the "manage settings" from the MFA portal is still…

    17 votes
    3 comments  ·  Multi-factor Authentication
  19. Converged MFA and SSPR

    We have enabled the converged Multi-factor Authentication (MFA) and Self-Service Password reset (SSPR). I feel this is easier for end users to update their info as it is all in one place. However, there should be some indication on each type of authentication/security option of what it can be used for (SSPR or MFA or both). This would help non-technical end users understand the configuration better.

    7 votes
    1 comment  ·  Multi-factor Authentication
  20. Exchange ActiveSync and MFA

    Currently Exchange ActiveSync logins are not recorded correctly in Azure AD MFA, and therefore we cannot see if MFA was requested for users, especially for sign-ins from unfamiliar locations. They appear to not have MFA applied.

    4 votes
    0 comments  ·  Multi-factor Authentication