as per : http://tinyurl.com/kqgjvqx
Currently for a small business who want password sync, but make the move to 365. they have to keep Exchange running on premise simply to be able to edit user attributes related to Exchange. - an active directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.429 votes
We’re working on a solution and will update you when we know more.
Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.
This is obviously not ideal. We currently having to perform the rollover task manually each month.
Please look at how this process could be improved for automation.306 votes
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!
Principal Program Manager
Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.
Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.217 votes
We are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”.
We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...130 votes
We are aware of this requirement but have no timelines to share at this moment.
Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disable user accounts in Active Directory to support this scenario.
I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the users account expires in the local Active Directory.
Aaron posted a great workaround solution:
We would like something built-in Active AD Connect that solves this out of the box92 votes
We are currently investigating how to implement this. The expiration status is not a directory attribute so it is not straight forward how to sync it.
Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature" the "Seamless SSO uses the RC4_HMAC_MD5 encryption type for Kerberos."
Please add support for modern ciphers and drop that obsolete RC4_MD5!79 votes
We are currently working on this
Introduce account 'unlock' feature when an account gets locked out during passthrough authentication. (instead of waiting for 30 minutes)
It will be very helpful if we have the ability to unlock on demand when an O365 user's account is locked (self service), without waiting for the account lockout duration. Currently this feature was confirmed by MS tech that it does not exist and that the end user has to wait for the account lockout duration period. This specially is very useful for accounts that are sync'd via AAD Connect and pwd reset in O365 does not apply because the account is a sync'd account.76 votes
We are currently investigating this feature request.
Why doesn't a users cloud password expire when the on-prem password expires? We use an Azure Application Proxy App to securely publish an extranet to many employees and vendors whom never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.61 votes
We are currently investigating how we can best implement this feature.
Enable change a password when is set with the flag ForceChangePasswordNextSignin on Active Directory on premises
We will like to change a password from AAD when the account have the flag ForceChangePasswordNextSignin ON in Active Directory on premises.41 votes
We are currently testing a solution for this and will likely be able to provide this in the coming months.
Azure AD Connect has limitation to sync 50k members in any group as per Microsoft article. But it does not sync 50k members if count is more
Azure AD Connect has limitation to sync 50k members in any group as per Microsoft article. But it does not sync 50k members if count is more. We Synced 65K members out of which it only synced 29K. When it reached 29K it recognized the member count is more than 50 and it stopped syncing members. It should atleast sync 50K members and then stop.40 votes
e cannot share any timelines right now. Our first iteration is to deploy and use a new service end point that would eventually be able to handle larger groups. It will likely take several months to get this deployed and tested before we can take a next step, which would be to increase the group size limit – probably to 250K members.
If you want to be part of the private preview program, please reach out to me: firstname.lastname@example.org
It would be helpful if attribute to being synced is unchecked or any changes are made to AAD sync connector configuration. It should be logged to AADConnect log or trace file, or report on event log with changes in sync values and data, time, and sign-in account used.32 votes
Our configuration changes often and there is a concern the backup server (in Staging Mode) may not get updated - by an oversight. Then on the day we cut over a department may get impacted by not being in the search scope.
A simple way to export the Configuration(new connectors, search scope, custom attributes etc ) to the backup server may reduce the chance of this happening.29 votes
We are currently working on this. It may still be a couple of months out though. I will update this thread when we know more.
The only seemingly supportable way that is currently documented to synchronize the authentication data properties in Azure AD is to user PowerShell.
This is not really a great Enterprise method to manage and keep user data up to date. For multiple reasons in various cases we prefer to set some of these properties for our user population. It would be a much better scenario to be able to use the already existing on-prem to Azure AD sync tool that is Azure AD Connect.22 votes
Please specify the intervals of automatic upgrade of AD connect or an option to force manually21 votes
Issue has been going on for at least a year. When AD Connect auto-updates, it messes something up with its 'SQL Server 2012 Express LocalDB' instance such that VSS backups of the server fail until addressed.
'Fix' is to run a repair installation of the LocalDB instance, after which the VSS operations succeed without requiring a server reboot.20 votes
I would like to be able to view if an Azure AD account is locked out and have an audit trail of previous lockout events.
Also there should be a way for an Admin to unlock an account/19 votes
When Mailbox is changed from Mailbox to Shared Mailbox or Resources, we have to manually modify two attributes in AD: msExchangeRecipientTypeDetails and msExchangeRemoteRecipientType.
We would like these attributed to be updated automatically.
This step is often overlooked and caused issues for end users.19 votes
Enable UPN suffixes of on-premise domains to be syncrhonised to Azure AD and be used with the Seamless SSO feature
Currently any UPN suffixes in an on-premise domain are not picked up in the Seamless SSO domains feature of the Azure AD Connect. It would be great if UPN suffixes could be added to the Seamless SSO domains, as they are picked up by Azure AD Connect and uploaded to Azure AD as a user's UPN anyway.18 votes
Please provide HA support for AAD Connect with automatic failover! The staging server process is hopeless, and it doesn't support a shared SQL DB. At the moment, the fastest way to do AAD Connect recovery in case the AAD Connect server is destroyed, is to have an default installed Win2016 server with the AAD Connect install files downloaded (and not installed). Due to the fact that both the production and staging server must have same version (or higher), there's a risk that some stuff will not work when you do a recovery to a second server and there's a version mismatch.
In case the primary AAD Connect server goes down, I need an automatic solution and not something that requires a poor sysadmin to be pulled out of sleep in the middle of the night. The AAD Connect server are becoming very critical.
Please provide HA support for AAD Connect with automatic failover! The staging server process is hopeless, and it doesn't support a shared SQL DB. At the moment, the fastest way to do AAD Connect recovery in case the AAD Connect server is destroyed, is to have an default installed Win2016 server with the AAD Connect install files downloaded (and not installed). Due to the fact that both the production and staging server must have same version (or higher), there's a risk that some stuff will not work when you do a recovery to a second server and there's a version…16 votes
HR systems are main sources of identity information such as supervisor - direct report relationships, position (job title) information which can be a basis for granting access, and so on.
Workday inbound sync already exists: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-workday-inbound-tutorial
Other HR systems should also be supported. My company uses SuccessFactors, hence my request.15 votes
- Don't see your idea?