Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new login experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. AppProxy Certificate Import from KeyVault

    Currently the only option to associate an SSL cert with the public facing AppProxy is to upload from the local machine.

    Would be super helpful if we could retrieve the certificate from a KeyVault in much the same way you do for an AppService.

    5 votes

    2 comments  ·  Application Proxy
  2. Application Proxy "Private Services Edge"

    Please allow storing part of Application Proxy "Services Edges" on customer site, in case of application access it can hugely improve the performance of web applications by allowing process web request inside of country with minimal latency.

    5 votes

    0 comments  ·  Application Proxy
  3. Disable obsolete cipher suites for Azure app Proxy

    Currently legacy CBC cipher suites are enabled, which causes an alert in Chrome/Firefox browsers:
    The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-384, and AES_256_CBC with HMAC-SHA1.
    Please disable CBC suites or allow customers to choose which cipher suites to use.

    5 votes

    0 comments  ·  Application Proxy

    Thank you for reaching out and sharing your feedback. We made a few improvements such as adding additional ciphers, which will allow you to prefer these higher ciphers. However, as you mentioned, in the short term we cannot easily turn CBC off for all, due to being a multi-tenant service. That said, we are trying to come up with a long-term approach for this and analyzing the customer need for this scenario. It would be great if we can connect with you to get a few additional details on your scenarios and make sure we have a good understanding of what your organization needs. Please feel free to reach out to our team to continue the conversation at aadapfeedback@microsoft.com.

  4. Support different paths on external URL for Azure App Proxy

    With hundreds of internal ColdFusion apps, we would like the path in the internal URL to be different from the path in the external URL.

    As you may know Apache does it simply:
    ProxyPass /demo https://{internal server name}/cfapps/{HLQ for demo app}/wwwroot

    5 votes

    1 comment  ·  Application Proxy
  5. Get all SharePoint functionality supported, or clearly specify what works and what doesn't, or how to work around issues?

    While publishing SharePoint through the guide published at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-sharepoint-server mostly works OK, we have issues accessing the SOAP API, and specifically opening Office documents through the rich client applications and syncing document libraries. I have some Fiddler traces of the traffic flow with and without App Proxy, and I think it breaks on accessing /sites/sp/ourinternalsitename/vtibin/cellstorage.svc/CellStorageService. It works by using the local/on-premise URL, so SharePoint should be working correctly. Is this a supported scenario that's supposed to work?

    Documents work when we open them through a passthrough-published Office Online Server / Web Apps Server and edit online, but the functionality on…

    5 votes

    4 comments  ·  Application Proxy
  6. Allow Conditional Access evaluation without Azure pre-authentication

    We have several apps and web services on premises that we would like to be evaluated for location and other factors without any authentication provided by the user. In other words, we want to be able to prevent access from non-US locations to some of our web services where the caller is unable to authenticate.

    Example: https://webservice.domain,com on premise where there is no authentication required we still want to use azure ad proxy to reach that application and prevent any access from a non-us location using conditional access. Sinc

    5 votes

    under review  ·  0 comments  ·  Application Proxy
  7. Allow web crawler robots on a case by case basis

    As per an Azure AD blog post:

    "As part of our continuous effort to improve the security posture of applications that are published by Azure AD Application Proxy, we have started to block Web crawler robots from indexing and archiving your applications.

    Every time a Web crawler robot tries to retrieve the robots settings for a published application, the proxy will reply with a robots.txt file that has the following content:

        User-agent: *
        Disallow: /

    No action is needed to turn this on. All Application Proxy customers will automatically get this functionality."

    I am using AADAP within education (read: no…

    5 votes

    under review  ·  1 comment  ·  Application Proxy
  8. Add support for other encodings in URL Link Translation like ISO standard 8859-1

    Consider adding support for other encoding types in URL Link Translation feature as this will make it easier to adopt the feature.

    Ex. ISO standard https://en.wikipedia.org/wiki/ISO/IEC_8859-1

    5 votes

    under review  ·  1 comment  ·  Application Proxy
  9. Support login identity as on-premises SamAccountName for Azure AD users

    When the proxy connector creates the Kerberos application token for B2B or Azure AD mastered accounts with the SSO "login identity" option set to "on-premises SamAccountName", the application token doesn't create a CNAME from the SamAccountName value!
    Instead, it creates the CNAME from the username part of the UPN. Consequently, SPNEGO or IWA applications fail the authentication.

    This prevents the use of Azure App Proxy for B2B users when using IWA / SPNEGO on premises.
    This configuration only works when the AD user is synced from on premises.

    I would like the connector to use the UPN value…

    4 votes

    1 comment  ·  Application Proxy
  10. Make Azure AD Application Proxy Service available in Middle East/Saudi Arabia region

    Our users / connectors are located in Saudi Arabia, but the Azure AD Application Proxy endpoint is in the US. This causes a huge delay. Please make the Azure AD Application Proxy Service available in the Middle East/Saudi Arabia region.

    4 votes

    2 comments  ·  Application Proxy
  11. Allow MFA functionality while publishing Cloud Printers

    While running Publish-CloudPrinter, MFA is blocking the ability to complete. MFA prompting through the Microsoft app should be allowed so security of the system/environment is not sacrificed to complete the setup.

    4 votes

    0 comments  ·  Application Proxy
  12. For Enterprise Applications SSO with IWA/KCD configuration in Azure provide better SPN handling for multiple back-end servers

    For Enterprise Applications SSO with IWA/KCD configuration in Azure, either add support for multiple SPNs for representing multiple back-end servers using round robin DNS, or for Wildcard Application publishing, allow the wildcard SPN in Azure to ignore the mismatched SPN on the back-end servers/application, to support multiple back-end servers, via DNS round robin.

    3 votes

    under review  ·  0 comments  ·  Application Proxy
  13. Allow multi-regional AAD Proxy deployment

    Hello,
    in a globally distributed company, we have a distributed application that uses the same internal URL around the world, and F5 BIG-IP makes sure that the user connects to the closest endpoint.
    We want to make it available externally via AAD Proxy, and the idea was:
    - create an AAD Proxy application for each region where we have a significant # of users (currently 3 regions - EMEA+US+APAC)
    - create a connector group in each region
    - connect the application for each region to the respective connector group in that region

    Implementing this approach, we found 2 weak points:
    1. AAD proxy location follows location of AAD tenant…

    2 votes

    0 comments  ·  Application Proxy
  14. Disable option to create Conditional Access Policy when Passthrough authentication is enabled

    When Passthrough Authentication is enabled for an app published through App Proxy, the authentication process is offloaded to the IdP the company uses.
    Because of that, authentication requests cannot be evaluated for Conditional Access.
    Thus, turning on Passthrough should automatically prevent users from creating a CAP for the application. Currently, the What-If tool will show that the policy will apply when in reality it won't.
    This is documented here:
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-faq

    This behavior already exists for single sign-on.

    2 votes

    0 comments  ·  Application Proxy
  15. KeyVault integration with AAD App Proxy for SSL Certificate Management

    Currently, SSL certificates are uploaded on a per-app basis, have zero lifecycle management (i.e., we have to upload a new .pfx when it expires), and cannot be re-used among other apps (i.e., a wildcard).

    It should be a given that AAD App Proxy should be able to consume SSL certificates from an Azure Key Vault, allowing all of the protections and, most importantly, the lifecycle features of SSL in Key Vault.

    I think this would wrap up a lot of currently outstanding requests here regarding SSL in AAD AP.

    2 votes

    0 comments  ·  Application Proxy
  16. SFTP: We need options to publish other protocols than http and https

    We are trying to get rid of Citrix NetScaler and our Cisco VPN and start using AAD App Proxy. It works perfectly on simple websites. Now to the problem.
    We have applications that we publish using our NetScaler. In some cases they use MS SQL or PostgreSQL.

    We also have integrations using SFTP and FTP.

    What is your solution to this, or do you not want us to use AAD App Proxy for applications such as these?

    2 votes

    0 comments  ·  Application Proxy
  17. Dynamics on-prem

    Support / guidance for using Azure AD App Proxy for access to Dynamics 365 on-prem (including Resco).

    2 votes

    0 comments  ·  Application Proxy
  18. Web Application Proxy on-premises non-responsive

    We had a recent issue with Web Application Proxy throwing an error 'Maximum no. of Kerberos attempts exceeded' with error 12008 on the WAP server, resulting in it being non-responsive. A case has been opened with MS with regards to this as well. When this issue happened, the WAP server could not authenticate any user. The only resolution was to restart both IIS and the WAP server. This was caused by left-over ghost entries in the ApplicationHost.config file for Windows authentication. This issue needs to be addressed in the product, as it's an issue that can reoccur if the web applications…

    2 votes

    0 comments  ·  Application Proxy
  19. Protect on-premises application (that doesn't support SAML, OAuth or PingAccess) with Application Proxy and pass user attributes

    Protect an on-premises application (that doesn't support SAML, OAuth or PingAccess) with Application Proxy such that Azure AD does authentication for the user and, post-authentication, passes user attributes as HTTP request headers to the backend on-premises application to identify the user.

    2 votes

    0 comments  ·  Application Proxy
  20. WAP traffic logs

    We are using WAP to publish many HTTPS sites and wanted to see traffic/activity logs.

    2 votes

    0 comments  ·  Application Proxy