Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Support Remote Desktop Web Client HTML5 on Azure AD App Proxy

    Microsoft doesn't support the Azure AD Application Proxy on RD WebClient (HTML5). Like this, MFA and Conditional Access would be possible.
    Another benefit is that HTML5 works on all web browsers without downloading software.
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin

    205 votes
    21 comments  ·  Application Proxy
  2. CORS for App Proxy

    There should be CORS setting available on App Proxy just like we have the CORS available for App Services.

    Making calls from Azure Apps into an Azure App Proxy App is a very common scenario, especially when on-prem applications are surfaced externally using App proxy.

    More details - http://stackoverflow.com/questions/43955808/cors-prelight-issue

    93 votes
    6 comments  ·  Application Proxy

    We’ve hit some roadblocks in our design for this feature and will need to re-evaluate options. To help us validate the scenarios we need to address, please continue to share feedback. We will update in the next couple months once we have a better idea of our timeline and approach.

  3. Allow Azure AD App Proxy Apps to use the Azure Web Application Firewall (WAF)

    Applications published with the Azure AD Application Proxy should be allowed to be configured to have traffic go through the Azure Web Application Firewall (WAF). We currently have to purchase a 3rd party WAF instead of using the Azure WAF when publishing applications.

    This should be built-in functionality that can be added onto the Azure AD App Proxy configuration.

    48 votes
    9 comments  ·  Application Proxy
  4. App Proxy connector monitoring and alerting

    Currently we can notice that an app published by App Proxy is not working only by manual check.
    It would be great to have built-in monitoring and alerting (ideally with ITSM tool integrations like SNOW) to be informed about issues with connectors.

    46 votes
    6 comments  ·  Application Proxy

    Quick update here that we’re still planning to do this. It will take us some time to complete, but we’ve heard your feedback and know how important it is.
    In the meantime we would love to hear more about the type of data points you would like to see.

  5. Link a connector to a different Application Proxy service region.

    We have AAD Application Proxy Connectors installed in both Australia and Singapore; however, the Azure AD tenant is in Australia, so all traffic has to loop via the Australian Application Proxy Service.

    This is a problem for our Indonesian users. We set up servers and AADAP connectors in Azure Singapore with the expectation it would provide low latency to Indonesia, but that is not the case.

    Please allow us to associate a Connector Group with a specific region so that the connectors and applications linked to the connector group are routed via the expected Application Proxy service region.

    43 votes
    4 comments  ·  Application Proxy

    Hi everyone,

    We are currently developing a solution to allow you to assign a region to applications outside the region of your home tenant. By doing this, connector groups will talk to the App Proxy region specified. Please continue to share your scenarios to make sure we are taking into account these cases.
    We will update once we have a better idea for a release date.

    Send a note to aadapfeedback@microsoft.com if you have questions or want to send feedback directly to us.

    Thanks,
    Jasmine

  6. Fully Support WebSocket protocol in Azure AD Application Proxy

    The current Application Proxy does not support rewriting ws:// or wss:// URLs from my testing.

    We have an application that has its content (HTML, JavaScript, images ...) hosted by IIS and a standalone service that provides data through websockets.

    I created an app proxy for the IIS component requesting content rewriting and created a second app proxy for the websocket service. However, it seems that the first app proxy doesn't know to rewrite the embedded ws:// URLs to point them to the second app proxy.

    Also, running a websocket tester against the second app proxy external URL fails as it…

    39 votes
    3 comments  ·  Application Proxy
  7. OAuth pre-authentication in Azure Application Proxy

    Currently pre-authentication in Azure Application Proxy implies user interactive logon to Azure AD. It would be great if one could choose an option to pre-authenticate as an application with a token in the same Azure AD tenant (and select an OAuth app which is registered in the same tenant).
    That's very useful when an external application/server accessing an on-prem app via Azure Application Proxy would pre-authenticate with OAuth in Azure AD first and pass this token to AAP.

    27 votes
    1 comment  ·  Application Proxy
  8. Can Azure AD Application Proxy be used for publishing Exchange on-premise

    Can Azure AD Application Proxy be used for publishing Exchange on-premise (2013 / 2016)? I have come across guidelines for SharePoint and RD gateway on https://blogs.technet.microsoft.com/applicationproxyblog/, however I am not able to find it for Exchange.

    25 votes
    4 comments  ·  Application Proxy
  9. Allow access and use of Citrix Xenapp applications via Azure AD Application Proxy

    There doesn't seem to be much documentation available for configuration of rich protocol support (Citrix),
    unlike previous UAG support, where there is at least some communication around the connectivity of using UAG to connect to Citrix applications.

    https://blogs.technet.microsoft.com/edgeaccessblog/2010/03/25/how-to-publish-citrix-xenapp-5-x-with-uag-2010/

    It would be good to be able to replicate the above, which refers to UAG, in the Azure AD Application proxy.

    18 votes
    4 comments  ·  Application Proxy
  10. Enable dedicated App Proxy Authentication Header

    When you connect App Proxy with pre-authentication via a native client following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application the authentication header is removed by the App Proxy. This stops single sign on requests from working and breaks a number of automation scenarios if the backend service does not support a dedicated authentication header. Ideally I would like to see the following behaviour:

    1. By default the Authorization header is used to authenticate with App Proxy
    2. If multiple values are provided as per https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers each one is checked for authentication against App Proxy, if one is valid, remove it from the header…

    16 votes
    3 comments  ·  Application Proxy
  11. 14 votes
    under review  ·  1 comment  ·  Application Proxy
  12. Azure AD proxy Connector gateway Timeout

    As per Azure AD guideline, only "Default" and "Long" application timeout values can be assigned to an Azure application. Default = 85 seconds and Long = 180 Minutes. But I have a few applications which take more than 3 minutes to respond on a few UI actions. I am wondering if we can have a way to override the proxy connector application timeout settings. We may consider providing a way in the Proxy Connector Windows service installed on the server to increase the backend application timeout.

    14 votes
    3 comments  ·  Application Proxy

    Thank you for sharing your feedback.

    The timeout limit was defined due to two main motivations 1. Security and service SLA 2. The nature of network products and user productivity.

    In terms of security, App Proxy is a multi-tenant service and in today’s time and the high load we’re experiencing on our system, we have a limited ability to allow connections to be open for such a long time. Allowing such timeouts will widen our attack surface significantly and reliability of our service.

    In terms of productivity, we are dealing with a multi-hop network bound service (traffic from the user browser, to our service, to a connector and to the app). In such an environment there may be impact to parts of the system by adding in this longer timeout. When there is no activity on the wire of a network service it is questionable if the connection is…

  13. AD Application Proxy: Enable home realm discovery using domain hint

    It would be nice to have an option to be able to set a domain hint when we are exposing internal web applications using the AD Application proxy. This way we can direct user to our own ADFS federation page without going through the generic sign-in page first.

    13 votes
    under review  ·  0 comments  ·  Application Proxy
  14. Audit logs for Application Proxy

    Audit logs for connector group modifications on the AAD Application Proxy are not enabled for administrators to view in the AAD portal.
    We had an issue in which the connector group was changed by an admin, and we raised an MS case to find out who modified the setting. After months of investigation we found that this specific audit log is not enabled for viewing by admins.
    If audit logs are enabled for such settings modifications, then there is no need for an admin to raise an MS case every time there is a modification.

    12 votes
    0 comments  ·  Application Proxy
  15. Customize the Azure AD Application Proxy Gateway error page

    When you are using the Application Proxy Gateway and there is some error in the connection, e.g. the user is not authorized or there is a timeout, you get an error page that is not company branded. See the attached picture.

    It would be nice if it was possible to either use the existing company branding or add separate branding to those error pages.

    9 votes
    under review  ·  0 comments  ·  Application Proxy
  16. View all Enterprise Apps configured to Azure AD App Proxy

    Requirement is for a screen to view all apps currently configured for App Proxy. The current process is a hit and miss exercise whereby you navigate to Enterprise Applications, guess the app name and navigate to the configuration to see if an app is using App Proxy.

    8 votes
    0 comments  ·  Application Proxy
  17. App Proxy - Multiple Internal Urls attached to External urls

    Azure AD App Proxy enables hostname URLs to work when browsed via Intune Managed Browser or with the MyApps Edge plugin (from Microsoft Store).

    This requires you to publish an application with the hostname https://contoso and a second application with the FQDN https://contoso.internaldomain.com

    This leads to you having 2 published tenantname.msappproxy.net external URLs.

    It would be better if multiple internal URLs could be attached to 1 external URL.

    Perhaps this could be implemented under Azure AD > App Registrations, like custom homepages?

    Thanks

    8 votes
    1 comment  ·  Application Proxy
  18. Please support Group Managed Service Accounts for Azure AD App Proxy

    Please support Group Managed Service Accounts for Azure AD App Proxy. Without it we have to manage the Kerberos Constrained Delegation Settings for each App Proxy Connector separately. A misconfiguration at this setting has a fatal security impact so we would really appreciate to do it once per connector group.

    7 votes
    under review  ·  0 comments  ·  Application Proxy
  19. Add option to disable TLS 1.0 for the application proxy cloud endpoint

    TLS 1.0 is an option for connecting to the cloud endpoint of the application proxy. This causes security audit tools to complain that TLS 1.0 is not in alignment with PCI and other compliance regimes.

    There has been a toggle in the UI for the web app service to disable TLS 1.0 for nearly a year and the same option should be available for the application proxy too.

    7 votes
    under review  ·  2 comments  ·  Application Proxy
  20. Add the ability to prioritize Azure AD Application Proxy Connectors that are part of a Connector Group (priority load balancing)

    That way a primary or preferred host that has a connector that is part of a connector group installed can be leveraged. This would help in situations when hosts having connectors installed are geo-diverse (active disaster recovery site), as well as when connectors are associated with applications with an active/standby model (in which case it is not desired that the passive node serve requests unless the primary node is down).

    7 votes
    0 comments  ·  Application Proxy