Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Improve the support of the MFA product for clients setting up the initial configuration. Offering links to a forum is poor & disappointing!

    Initial setups/configurations can often be the stage that requires the most support, and offering links to a forum is insufficient support for a paid product. There should be at least an improved support level for the first month, during which setup and config questions should be able to be submitted by email for a tech support reply or phone call. The current documentation is quite vague in areas such as setting up a VPN to use the MFA on-premises solution, with many users submitting questions to forums, trying to get it working.

    2 votes
    1 comment  ·  Multi-factor Authentication
  2. Better documentation on Multi Factor Authentication

    For Office 365 users, the MFA on-boarding documentation does not cover the need to turn on ADAL for Exchange Online and Skype For Business. Documentation should be updated or ADAL should default to ON for these applications in Office 365.

    2 votes
    0 comments  ·  Multi-factor Authentication
  3. Automatically enable MFA for all members of an Azure AD Group.

    Add the ability to automatically enable MFA for all members of an Azure AD group as they are added. In addition, ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

    86 votes
    9 comments  ·  Multi-factor Authentication
    under review  ·  Azure AD Team responded

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

  4. Please allow granular RADIUS authentication filtering

    As it stands, we can use the on-premises MFA server to authenticate RADIUS clients in an all-or-nothing fashion. Our real-world requirements include only letting people in a specific group into a specific VPN endpoint (RADIUS client), while allowing a different group to get into a different client. It would also be very useful to be able to say, for a single client, to accept users in group A with MFA challenge, but group B without. A rich rule set like ADFS provides would be even nicer, but intermediate steps in that direction soon would be a huge improvement.

    4 votes
    0 comments  ·  Multi-factor Authentication
  5. User Opt-In to Azure MFA with Office 365

    We have enabled MFA at our Office 365 tenant, but it requires admins to enable users. For organizations that would like to phase MFA in for their users, it would be nice for users to self opt-in, sort of like they do with personal email accounts. Then over time, administrators can "require" MFA by a certain date for users holding out. One way to handle this is to include a link for the end user under user settings to "Sign up for Multi-Factor Authentication". Right now, nothing appears under a user's security settings until they are enabled by an administrator. Thx!

    88 votes
    17 comments  ·  Multi-factor Authentication
  6. MFA on-premises use security questions for fallback

    In the on-premises MFA server there's the ability to enable "use security questions for fallback". This is great but only works for newly imported accounts. Can this be enforced on all users?

    1 vote
    0 comments  ·  Multi-factor Authentication
  7. On-Premises MFA logging, user change MFA method

    There's much logging in the on-premises MFA server, but it's missing the change of MFA method by the end user at the moment. It can be handy for traceback (including the machine name from which the change has been made) and seeing if there's a possible identity theft.

    1 vote
    0 comments  ·  Multi-factor Authentication
  8. MFA

    Update the Multi Factor Authentication (MFA) GUI so we can see any account that is NOT enabled or enforced. Seems like a basic setting, but I cannot find any resource to help identify these risks and it is troubling (and manual).

    12 votes
    3 comments  ·  Multi-factor Authentication
  9. MFA by device not per application

    We are piloting MFA with auth expiry every 7 days. Currently every 7 days we have to log into every single app using MFA (Word, Excel, OneDrive, OneNote, etc.) on both our laptops and our mobile devices.

    It would seem reasonable for the apps on each device to have a shared session that expired every 7 days instead.

    2 votes
    0 comments  ·  Multi-factor Authentication
  10. Provide Multi Factor Auth for Microsoft Accounts when logging into the Azure Portal

    Currently multi factor authentication can be enabled for accounts created in Azure AD, for securing login to the Azure Portal. However, Microsoft accounts such as user@live.com cannot have multi factor authentication enabled for them. This creates a security risk for those that may not have an organization ID for the tenant they are working in, or where the Microsoft Account has been granted co-admin or RBAC access to other subscriptions.

    4 votes
    0 comments  ·  Multi-factor Authentication
  11. Backup Codes for Azure MFA

    Please add support for "Backup Codes" to Azure MFA as soon as possible. Many popular MFA services already support Backup Codes, basically a list of 10 valid authentication codes that a user can print off and use in situations where their regular authentication method is not available.

    Use cases for backup codes include:


    • User's mobile phone is lost, stolen, or damaged.

    • User will be in an area without good mobile phone service or consistent access to a land line.

    • User lets mobile phone battery drain.

    75 votes
    10 comments  ·  Multi-factor Authentication

    There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.

    Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.

    Richard

  12. Windows Authentication for Terminal Services support for Windows Server 2012 R2

    Windows Authentication for Terminal Services support for Windows Server 2012 R2

    4 votes
    1 comment  ·  Multi-factor Authentication
  13. Provide MFA Reports via API or reporting services

    Currently we pull a daily user detail report from the MFA portal and add it to a spreadsheet we then visualise with Power BI. It allows us to monitor the success/failure rate across authentication methods. Linked to an AD extract it also allows us to report based on country.

    It would be useful if the report data could be obtained via API to automate the collection of this data

    13 votes
    3 comments  ·  Multi-factor Authentication
  14. Use Cortana's voice for Azure MFA phone verification/callback service

    Azure MFA already has support for custom voice messages [1].

    To provide a consistent experience across all Windows 10 devices, it would be neat if the Azure MFA callback service had Cortana's voice.

    This would also allow Azure MFA to benefit from the Cortana accent regionalisation efforts (American English for en-us, Australian English for en-au).

    [1] https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/#custom-voice-messages

    9 votes
    0 comments  ·  Multi-factor Authentication
  15. Update MFA Server documentation to cover all features and configuration options

    The documentation for Azure MFA Server seems very incomplete. Just to mention a few:
    Proper descriptions for "Phone Factor Admins" group, AD requirements and changes are completely missing.
    No documentation can be found for available tags that can be used for dynamically adding information in emails.

    2 votes
    0 comments  ·  Multi-factor Authentication
  16. phone factor

    Surface/expose Azure MFA (Phone Factor) attribute data in GRAPH to facilitate API-based manipulation and mitigate some of the current limitations in RBAC within "cloud only" deployments of the Azure MFA service.

    142 votes
    21 comments  ·  Multi-factor Authentication
  17. need new Authenticator QR code

    Can't find where to get a new Authenticator QR code after updating Windows Phone in the new portal. Tried search, no matches found.
    Expect it under Profile Management.

    1 vote
    0 comments  ·  Multi-factor Authentication
  18. Azure AD App Proxy - Login with MFA Code Only

    Please add an access option which requires username and Azure Multi-Factor Authentication only.

    This should not authenticate users to any other part of the platform. It should behave like a page which does not require authentication - except for requiring the user to pass a MFA check.

    The reason for this is we wish to present an internal password change page to the Internet. We want users to provide MFA credentials before they access the page, but they won't be able to pass the primary password login because it is expired.

    3 votes
    1 comment  ·  Multi-factor Authentication
  19. Set context/description for MFA bypass IP address subnets

    It would be great if Microsoft would provide a field that would allow an IT security admin to set a description for the IP address subnets that he/she is whitelisting for MFA bypass.

    Basically just the same as the Azure AD Reporting team did for trusted locations.

    Thanks!

    @Shawn Bishop

    6 votes
    1 comment  ·  Multi-factor Authentication
  20. Azure AD MultiFactor OP server uses Azure portal for mobile app

    I cannot fathom how Microsoft can "Windows Azure Multi-Factor Authentication Server" which is not connected to Azure AD in any way. Why do you have to install a web site application/portal for users to register and configure access to the OP auth server? It's a farce to bill this as a Windows Azure feature. Every configuration is completely separate from Azure. The Authentication server should respect the Azure AD enabled users, their MFA settings and the Azure portal for Mobile app integration. The design of this "server" removes any benefit of using Azure AD with AD connect.

    2 votes
    0 comments  ·  Multi-factor Authentication