Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Provide support in ADAL4J library to authenticate MFA enabled user

    We are using ADAL4J library for Azure AD User Authentication, which enables a Native Client Application to do authentication using Username and Password without User Interaction. But for Multi Factor Authentication enabled Azure AD Users, Authentication is failing with AdalClaimsChallengeException with no API to provide the second factor.

    Please provide support for authenticating MFA enabled user using ADAL4J library.

    6 votes
    0 comments  ·  Multi-factor Authentication
  2. Converged MFA and SSPR

    We have enabled the converged Multi-factor Authentication (MFA) and Self-Service Password Reset (SSPR). I feel this is easier for end users to update their info as it is all in one place. However, there should be some indication on each type of authentication/security option for what it can be used for (SSPR or MFA or both). This would help non-technical end users understand the configuration better.

    6 votes
    0 comments  ·  Multi-factor Authentication
  3. Extend Security Group queries with attribute for MFA enabled users

    Extend the dynamic user groups with the ability to query for users that have or do not have MFA enabled/set up on their account.

    This will allow for more automation around conditional access, visibility and communication.

    6 votes
    0 comments  ·  Multi-factor Authentication
  4. Provide a way to sync the MFA codes between iOS and Android.

    I'd like to sync between iOS and Android devices. Please add a backup/sync feature.

    6 votes
    0 comments  ·  Multi-factor Authentication
  5. Different authentication options for MFA roles

    Currently you have one service-wide setting of MFA authentication options. It would be very useful to have different MFA settings for different user/usage roles, e.g. have phone, mobile app and OTP for general users but only app and OTP for high risk users.

    Background is that some compliance frameworks (PCI DSS, NIST etc.) recommend not to use phone calls or SMS, but that some real life scenarios require just that - either for technical reasons or for ease of use (aka user acceptance). So for some user groups it may be OK or even necessary to use phone calls…

    6 votes
    0 comments  ·  Multi-factor Authentication
  6. Management portal for enrolled MFA using conditional access users

    Hi,

    Azure AD conditional access is a great thing.
    But when using it and, for example, forcing a group to use MFA, the users are registered and enrolled.
    But as admin, I don't have any way to manage those users via GUI; I can manage them and check if they are enrolled via PowerShell.
    Is there any plan to create a dashboard that will assist to manage users who already enrolled MFA that were required via conditional access?

    6 votes
    0 comments  ·  Multi-factor Authentication
  7. MFA, would it be feasible to make another option to send confirmations to an email address in addition to cell phones?

    For MFA, would it be feasible to make another option to send confirmations to an email address in addition to cell phones? I have users that work at sites where cell phones aren't permitted. Adding an email address for authentication would alleviate this issue.

    6 votes
    0 comments  ·  Multi-factor Authentication
  8. Better MFA solution for Remote Desktop access to servers

    Currently, requiring MFA for RDP access to domain servers requires going through a RD Gateway (AFAIK). It would be great to be able to require MFA at the server level and have such servers connect to Azure MFA for the second factor without having to go through a RD Gateway. Maybe proxy the Azure auth connection through an on-premises server... The RD Gateway method is slow and clunky.

    6 votes
    0 comments  ·  Multi-factor Authentication
  9. Set context/description for MFA bypass IP address subnets

    It would be great if Microsoft would provide a field that would allow the IT security admin to set a description for the IP address subnets that he/she is whitelisting for MFA bypass.

    Basically just the same as the Azure AD Reporting team did for trusted locations.

    Thanks!

    @Shawn Bishop

    6 votes
    1 comment  ·  Multi-factor Authentication
  10. Allow the creation of custom administrator roles in Azure Active Directory

    Allow the creation of custom administrator roles in Azure Active Directory. In our case we want to assign rights to our helpdesk to allow them to reset users' MFA, forcing them to proof up. The Authentication Administrator role allows for this but also grants too many other permissions that we don't want to give. Creating a custom role allowing for just MFA reset would resolve this.

    5 votes
    0 comments  ·  Multi-factor Authentication
  11. Provide a way to import OATH tokens into Azure MFA, assign them to users, and auto-activate them, in order to allow migration

    Need a way to import OATH tokens, assign them to users, and have them activated automatically, in order to allow migration from an existing system using the OATH tokens without having to manually activate each one individually.

    5 votes
    1 comment  ·  Multi-factor Authentication
  12. Add MFA support for server login including console mode (not RDP)

    I see many companies are using third-party MFA solutions to secure their servers.
    These solutions have a 3rd-party add-on that modifies the GINA.dll so the server login screen will have an additional field for OTP or will have a wait mechanism for push notifications. The add-on applies for both RDP and direct (console) connections without the need for RDG, and works on servers 2008 R2 to 2016.

    Azure AD MFA should also be able to:
    1. Leverage GINA.dll (it is MS code)
    2. Be able to pass requests to and from MFA Server or NPS Server
    3. It should be agent-less…

    5 votes
    0 comments  ·  Multi-factor Authentication
  13. Enable usage of attribute "StrongAuthenticationUserDetails" for dynamic group membership

    Currently the attribute StrongAuthenticationUserDetails cannot be used for Dynamic Security Groups in Azure (on which we would like to apply conditional access). Could this be added as one of the additional attributes for a complex dynamic membership rule?

    5 votes
    1 comment  ·  Multi-factor Authentication
  14. Add otpauth protocol support to Microsoft Authenticator

    The Microsoft Authenticator app cannot add accounts directly from URLs using the otpauth URL schema. All otpauth:// links are intercepted by Google Authenticator only; this prevents the user from adding his accounts from third party sites directly with the click of a button in the mobile browser.
    Check out https://daplie.github.io/browser-authenticator/ to see the links in action (unfortunately they are not actually creating a clickable link, but the otpauth:// URL is generated and it works with Google Authenticator when linked properly).

    5 votes
    1 comment  ·  Multi-factor Authentication
  15. Azure MultiFactor Service

    Dear Microsoft,

    We would like to be able to programmatically set the "White List IPs" in Azure Multi Factor Service. In some cases, our endpoints change IP address, and we would like to be able to set these IP addresses using a PowerShell script or similar. This would be particularly important if we have a large number of endpoints changing IP address on a regular basis.

    Thank you.

    5 votes
    0 comments  ·  Multi-factor Authentication
  16. Restrict MFA App registration to device with the same phone number assigned.

    Some organizations would like to prevent a user from having Mobile text/SMS/App from being 2 separate devices but rather require by policy that they be the same device. I.e., during registration of the OATH token in Azure Authentication, check that mobile phone on the device matches the mobile phone registered in Azure MFA.

    5 votes
    0 comments  ·  Multi-factor Authentication
  17. Allow AD attributes to be passed to RADIUS clients in Azure MFA

    Azure MFA can pass static values to RADIUS clients. Could this be expanded to pass values stored as AD attributes from the authenticated user on to the client?

    5 votes
    0 comments  ·  Multi-factor Authentication
  18. Add support for Flash SMS messages in Microsoft Azure MFA (Both Cloud and On-Prem)

    Add support for Flash SMS messages in Microsoft Azure MFA (Both Cloud and On-Prem)

    @Shawn Bishop / Nitika Gupta

    5 votes
    1 comment  ·  Multi-factor Authentication
  19. MFA NPS ext - Support for Network policies via RADIUS-Challenge msg via SMS & OTP

    When you have the NPS extension, the problem is that when a user is using SMS or OTP, the user is not granted access based on the network policies that are defined in the RADIUS server.

    This is a known limitation (MS says) with NPS where the network policies are not applied for SMS or OTP flows.

    If you use a challenge method it does not support the NAP policies. These are only evaluated during primary authentication.
    When using RADIUS Challenge (for SMS or OTP), the Challenge response skips primary auth and so these policies are not evaluated.

    But when the users have chosen…

    4 votes
    0 comments  ·  Multi-factor Authentication
  20. Exchange ActiveSync and MFA

    Currently Exchange ActiveSync logins are not recorded correctly in Azure AD MFA, and therefore we cannot see if MFA was requested for users, especially for sign-ins from unfamiliar locations. They appear to not have MFA applied.

    4 votes
    0 comments  ·  Multi-factor Authentication