Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.
This is obviously not ideal. We currently having to perform the rollover task manually each month.
Please look at how this process could be improved for automation.819 votes
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!
Principal Program Manager
as per : http://tinyurl.com/kqgjvqx
Currently for a small business who want password sync, but make the move to 365. they have to keep Exchange running on premise simply to be able to edit user attributes related to Exchange. - an active directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.704 votes
We’re working on a solution and will update you when we know more.
Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.
Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.671 votes
We are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”.
We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...292 votes
We are aware of this requirement but have no timelines to share at this moment.
Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disable user accounts in Active Directory to support this scenario.
I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the users account expires in the local Active Directory.
Aaron posted a great workaround solution:
We would like something built-in Active AD Connect that solves this out of the box270 votes
We are currently investigating how to implement this. The expiration status is not a directory attribute so it is not straight forward how to sync it.
Why doesn't a users cloud password expire when the on-prem password expires? We use an Azure Application Proxy App to securely publish an extranet to many employees and vendors whom never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.256 votes
We are currently investigating how we can best implement this feature.
Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature" the "Seamless SSO uses the RC4HMACMD5 encryption type for Kerberos."
Please add support for modern ciphers and drop that obsolete RC4_MD5!112 votes
We are currently working on this
Introduce account 'unlock' feature when an account gets locked out during passthrough authentication. (instead of waiting for 30 minutes)
It will be very helpful if we have the ability to unlock on demand when an O365 user's account is locked (self service), without waiting for the account lockout duration. Currently this feature was confirmed by MS tech that it does not exist and that the end user has to wait for the account lockout duration period. This specially is very useful for accounts that are sync'd via AAD Connect and pwd reset in O365 does not apply because the account is a sync'd account.106 votes
We are currently investigating this feature request.
Azure AD Connect has limitation to sync 50k members in any group as per Microsoft article. But it does not sync 50k members if count is more
Azure AD Connect has limitation to sync 50k members in any group as per Microsoft article. But it does not sync 50k members if count is more. We Synced 65K members out of which it only synced 29K. When it reached 29K it recognized the member count is more than 50 and it stopped syncing members. It should atleast sync 50K members and then stop.63 votes
e cannot share any timelines right now. Our first iteration is to deploy and use a new service end point that would eventually be able to handle larger groups. It will likely take several months to get this deployed and tested before we can take a next step, which would be to increase the group size limit – probably to 250K members.
If you want to be part of the private preview program, please reach out to me: email@example.com
Enable change a password when is set with the flag ForceChangePasswordNextSignin on Active Directory on premises
We will like to change a password from AAD when the account have the flag ForceChangePasswordNextSignin ON in Active Directory on premises.60 votes
We are currently testing a solution for this and will likely be able to provide this in the coming months.
The only seemingly supportable way that is currently documented to synchronize the authentication data properties in Azure AD is to user PowerShell.
This is not really a great Enterprise method to manage and keep user data up to date. For multiple reasons in various cases we prefer to set some of these properties for our user population. It would be a much better scenario to be able to use the already existing on-prem to Azure AD sync tool that is Azure AD Connect.57 votes
We utilise the 'description' attribute extensively for university relationship AuthZ. As we have over 360,000 identities, using groups can't be used with AAD Connect/Azure due to the 50,000 member limit.
We are interested in moving our SAML apps from ADFS to Azure (over 100) as well as connecting some on-premises app to Azure with Application Proxy, however as we use 'description' to apply the necessary AuthZ, we consequently cannot move the apps.
The 'description' attribute is sync'ed from on-premises, so I'm sure it would be a simple thing to enable it for consumption in Azure.
Please specify the intervals of automatic upgrade of AD connect or an option to force manually40 votes
Please provide HA support for AAD Connect with automatic failover! The staging server process is hopeless, and it doesn't support a shared SQL DB. At the moment, the fastest way to do AAD Connect recovery in case the AAD Connect server is destroyed, is to have an default installed Win2016 server with the AAD Connect install files downloaded (and not installed). Due to the fact that both the production and staging server must have same version (or higher), there's a risk that some stuff will not work when you do a recovery to a second server and there's a version mismatch.
In case the primary AAD Connect server goes down, I need an automatic solution and not something that requires a poor sysadmin to be pulled out of sleep in the middle of the night. The AAD Connect server are becoming very critical.
Please provide HA support for AAD Connect with automatic failover! The staging server process is hopeless, and it doesn't support a shared SQL DB. At the moment, the fastest way to do AAD Connect recovery in case the AAD Connect server is destroyed, is to have an default installed Win2016 server with the AAD Connect install files downloaded (and not installed). Due to the fact that both the production and staging server must have same version (or higher), there's a risk that some stuff will not work when you do a recovery to a second server and there's a version…38 votes
Currently Cloud Provisioning does not support password writeback, so using Azure AD SSPR with on-Prem synched passwords is not possible.
Would be great to have that as one of the first enhancements of Cloud Provisioning33 votes
Currently we can't sync the Division Attribute of an AD User to Azure AD.
Is there a plan to add Division to the Azure AD User attribute list so we can use it in Dynamic group queries??32 votes
Enable UPN suffixes of on-premise domains to be syncrhonised to Azure AD and be used with the Seamless SSO feature
Currently any UPN suffixes in an on-premise domain are not picked up in the Seamless SSO domains feature of the Azure AD Connect. It would be great if UPN suffixes could be added to the Seamless SSO domains, as they are picked up by Azure AD Connect and uploaded to Azure AD as a user's UPN anyway.26 votes
I would like to see Azure AD Dynamic groups be synced to on Prem AD. Currently you can sync distribution groups but not security groups. I would love to be able to set up dynamic groups and have my on prem groups reflect changes to things like position changes while staying synced with their counterparts in the cloud.24 votes
Add a button in the AADConnect rules editor to import rules that were exported from another AADConnect instance. Bonus points if you could make it so you can choose the other AADConnect server, see its rules and selectively import them to the new instance.24 votes
Managing membership of AAD administrative units for any large group with regular churn has a high amount of administrative overhead for keeping that membership up to date. With no dynamic membership for administrative units currently, users have to be added/removed manually via powershell. It would be convenient if azure active directory connect sync'd on-prem AD OUs and their membership --> populated AAD administrative units. As rights delegation often occurs at the OU level in on-prem AD similar to how administrative units function with delegated roles, the structure for scoping already exists for distinct user populations within the org.23 votes
- Don't see your idea?