Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!


  1. Support Azure AD domain join for Windows Server 2016

    Microsoft should strongly consider implementing support for Azure AD join in future builds of Windows Server 2016. I have a couple of customers that have nearly finished the transition to all-cloud and are left with a couple of servers due to legacy software. They are currently left with the option to deploy Azure AD Domain Services to support a couple (2-5) of servers.

    https://windowsserver.uservoice.com/forums/295047-general-feedback/suggestions/32995450-support-azure-ad-domain-join-for-windows-server-20

    220 votes
    21 comments  ·  Domain Join
  2. Utilize AAD Security Groups for Device "Additional Local Administrators" support

    Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).

    105 votes
    9 comments  ·  Domain Join
  3. Allow PowerShell/BASH/script Azure AD join

    For converting BYOD to Azure AD in the field w/o user intervention, we need a way for elevated accounts to be able to perform an Azure AD join of devices via script.... come on, this is the basics...

    Think of it as MDM self-enrollment... if not that, then give us a one-click way for users to self-enroll the device.

    81 votes
    6 comments  ·  Domain Join

    Thanks for the feedback on this. There are several ways to do Azure AD join (OOBE, bulk enrollment and Autopilot) which provide a richer experience to join devices to Azure AD. We're continuously working to enhance those, so currently this is unplanned for the near future. Please continue to vote to help us prioritize.


    Ravi

  4. Delegate permissions to remove devices

    The User Administrator role is not able to remove users' registered device objects in Azure AD. I think that role should be granted that permission.
    Or create an additional role that has the permission to remove device objects in Azure AD.

    62 votes
    18 comments  ·  Domain Join
  5. AzureAD Joined Device: Do not automatically add Global Admin to LocalAdmin Groups

    Whenever a client joins AzureAD, all Global Admins are automatically added as local admins on the client joined to AzureAD. This is the default behavior of AzureAD join and cannot be altered currently.
    From my point of view, Global Admins are as sensitive for AzureAD as Domain Admins are on-premises in ADDS. On-premises a lot of effort has been taken to separate endpoint admins from ADDS admins -> PtH mitigation and other security best practices. Now AzureAD mixes up a highly privileged identity (Global Admins) and endpoint admins.
    Therefore we need a switch in AzureAD to change AzureAD's default behavior and…

    38 votes
    planned  ·  2 comments  ·  Domain Join
  6. Azure AD Join - Password Change At Logon

    When a user's password expires or has been set to change at next logon, they are unable to log on to Azure AD joined machines; there is no 'password must be changed' dialog as there is with local AD. Can this please be added?

    23 votes
    1 comment  ·  Domain Join
  7. AzureAD join give user Admin access- needs to restrict

    By default AzureAD join gives the user admin access. Can we restrict this? This is a huge security risk.

    20 votes
    2 comments  ·  Domain Join
  8. Auto-configure Mail / Outlook / OneDrive / Calendar apps

    When we join computers using AD Join, existing apps (Outlook, OneDrive) should SSO to our Office 365 account -- or at least auto-complete the working user's email.

    16 votes
    0 comments  ·  Domain Join
  9. dsregcmd.exe with help

    The command dsregcmd.exe should have a /help switch to show all viable options of this command with usage examples.

    15 votes
    9 comments  ·  Domain Join
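    The switch most admins actually reach for today is dsregcmd /status, whose output is a set of "Key : Value" lines grouped into banners such as "Device State" and "User State". The following is an added example (not code from the post above or from Microsoft): a small PowerShell parser that turns that output into a hashtable and classifies the device as Azure AD joined, hybrid joined, Azure AD registered or not joined. The sample output at the bottom is constructed for offline use; the IDs in it are placeholders, and the option to pass captured text instead of running dsregcmd is an assumption made so the parser can be exercised without a joined machine.

```powershell
# Added example, not from the post or from Microsoft: parse the "Key : Value"
# lines that dsregcmd.exe /status prints and summarise the device join state.
# dsregcmd /status exists on Windows 10 1607+ and Windows Server 2016+.
function Get-DsregStatus {
    param(
        # Optional: pass captured text instead of running dsregcmd (assumption
        # made so the parser can be exercised offline).
        [string[]]$RawOutput
    )
    if (-not $RawOutput) {
        $RawOutput = & "$env:SystemRoot\System32\dsregcmd.exe" /status
    }
    $state = @{}
    foreach ($line in $RawOutput) {
        # Matches e.g. "             AzureAdJoined : YES"; section banners
        # ("| Device State |") and separators ("+----+") do not match.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1]
            if (-not $state.ContainsKey($key)) { $state[$key] = $Matches[2] }
        }
    }
    return $state
}

function Get-DeviceJoinType {
    param([hashtable]$Status)
    $aad    = $Status['AzureAdJoined']   -eq 'YES'
    $domain = $Status['DomainJoined']    -eq 'YES'
    $wpj    = $Status['WorkplaceJoined'] -eq 'YES'   # per-user Azure AD registration
    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($domain -and $wpj) { return 'Domain joined, user is Azure AD registered' }
    if ($domain)           { return 'Domain joined only' }
    if ($wpj)              { return 'Azure AD registered (workplace joined)' }
    return 'Not joined'
}

# Constructed sample of dsregcmd /status output for offline use; the IDs are
# placeholders, not from a real tenant.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                  TenantId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

$status = Get-DsregStatus -RawOutput $sample
Get-DeviceJoinType -Status $status
```

    Run without -RawOutput on a real device to classify that device. Keys are taken first-wins because the fields used here appear once each; the "User State" section reflects the user running the command, so run it in the user's context rather than as SYSTEM when you care about WorkplaceJoined.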
  10. Allow disabling Windows Hello without InTune subscription

    If you've got an Office 365 subscription, you get AzureAD for free. You can domain-join machines to your AzureAD, and your users get the magic of Single Sign-On.

    However, the default configuration is to force them to set up a PIN in "Windows Hello for Business". You can't disable this setting without an Intune or AzureAD Premium subscription.

    11 votes
    4 comments  ·  Domain Join
  11. Fix Windows 10 AAD Join not allowing user to share local resources

    When a machine is only joined to AAD, these credentials are not allowed to be exposed for sharing local resources on workstations.

    For example, if one machine wants to access a share on another machine we need to be able to use the AAD credentials between the machines as an authenticator. However, these credentials do not present themselves to the local machines.

    Somehow, we need to be able to take a local share, assign it to an AAD group, then be allowed to add/remove AAD users to and from that group so that local resources can be authenticated with…

    11 votes
    1 comment  ·  Domain Join

    AAD joined machines are meant to work in a primarily cloud environment where all sharing happens through cloud collaboration tools – OneDrive, SharePoint and Teams, or for large storage – Azure Files.

    Sharing local resources on workstations is a legacy on-premises concept from when devices were connected on a common network and required to share resources. In a cloud-first world there are more capable tools to enable this functionality. We recommend using them for collaboration so that access is not dependent on the device being online and active to access those resources.

    If there are specific use cases where the above does not work, we'd like to hear those.

    /Ravi

  12. Fully migrate to Azure Active directory

    Currently there is no way to fully migrate an on-prem Active Directory domain to Azure. If there was an option to do so, I would gladly get rid of most of my server infrastructure and have it hosted in Azure.

    Being a mid-sized company, most hybrid architectures are geared towards large corporations, and so add complexity to environments that makes it prohibitive to take full advantage of Azure services.

    Small and mid-sized companies need the same level of security, configuration capabilities, management and monitoring as large corporations; we just don't have the same resources to implement technologies like ADFS…

    9 votes
    2 comments  ·  Domain Join
  13. Eliminate the 15-device cap on Azure enrollment by a single O365 admin account

    There is a 15-device cap on Azure enrollment by a single O365 admin account. There is a program through Intune that allows up to 1000 devices in a corporate network, but there's a fair gap between 15 devices and an environment large enough to support an Intune account.

    Let's say you've been using admin@contoso.com as your global admin account and adding computers to the Azure AD account. Currently, after enrolling 15 devices you have to create another, unlicensed Global Admin account, such as admin2@contoso.com. Use that to add additional computers until you use up another 15 devices, then…

    8 votes
    2 comments  ·  Domain Join
  14. Support Hybrid AD join when using VDI

    Please support Hybrid AD join when using VDI to deal with conditional access policy.

    6 votes
    0 comments  ·  Domain Join
  15. Autopilot Offline profile with Hybrid AAD Join

    Please add support for doing Hybrid AAD Join with an Autopilot offline profile... As of now we need to import hashes of devices into the Autopilot service in order to do Hybrid AAD Join.
    Support for Hybrid AAD Join in an Autopilot offline profile would be awesome, e.g. when doing MDT deployment of devices etc.

    6 votes
    1 comment  ·  Domain Join
  16. Azure AD Joined Machines To Get MFA Prompts at Signin

    When an MFA-protected user logs into a Windows 10 Azure AD joined device, it just lets them in with their username and password. Can a system please be put in place which also prompts for MFA BEFORE letting them into Windows, not by a small notification at the bottom asking for it...

    6 votes
    0 comments  ·  Domain Join

    You can use Windows Hello for Business, which requires MFA to be set up and can be used to authenticate to Windows as a strong hardware-protected credential. In addition, you can also enable multifactor unlock with Windows Hello, which requires 2 different factors to be present for the user to authenticate – https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock

    Hope this helps

  17. Create a way to block automatic Azure join of only some domain-joined computers (servers).

    Create a way to block automatic Azure join of only some domain-joined computers (servers). Even if you set the GPO Software\Policies\Microsoft\Windows\WorkplaceJoin\"autoWorkplaceJoin" to disabled, computers with Windows 10 or Windows Server 2016 are still joined automatically at user login.

    6 votes
    1 comment  ·  Domain Join
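    For anyone scoping this to a handful of servers without a separate GPO, the following is an added example (not code from the post or from Microsoft). It writes the same registry value the quoted GPO ("Register domain joined computers as devices", under Computer Configuration > Administrative Templates > Windows Components > Device Registration) sets when Disabled, and in addition disables the scheduled task \Microsoft\Windows\Workplace Join\Automatic-Device-Join, which is what actually performs the registration at logon; it then reports the policy value, the task state and what dsregcmd /status says. Function names are my own. The caveat worth knowing: the policy only stops future registrations, so a server that has already registered keeps showing AzureAdJoined : YES until it is removed (dsregcmd /leave on the device, or deleting the device object in Azure AD).

```powershell
# Added example, not from the post or from Microsoft. Applies the registry
# value behind the quoted GPO (autoWorkplaceJoin = 0 under the WorkplaceJoin
# policy key) and additionally disables the scheduled task that performs the
# automatic registration, then reports the result. Run elevated on the servers
# you want to keep out of Azure AD.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$TaskPath  = '\Microsoft\Windows\Workplace Join\'
$TaskName  = 'Automatic-Device-Join'

function Disable-AutoWorkplaceJoin {
    # 1. Same value the "Register domain joined computers as devices" policy
    #    writes when set to Disabled.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'autoWorkplaceJoin' `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # 2. Registration is driven by this task (triggered at logon and by
    #    events); disabling it removes the trigger regardless of the policy.
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task -and $task.State -ne 'Disabled') {
        $task | Disable-ScheduledTask | Out-Null
    }
}

function Test-AutoWorkplaceJoin {
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'autoWorkplaceJoin' `
        -ErrorAction SilentlyContinue).autoWorkplaceJoin
    $task  = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    # The policy only prevents future registrations; a device that already
    # registered still shows AzureAdJoined : YES until it is removed from
    # Azure AD (dsregcmd /leave on the device, or deleted in the portal).
    $joined = & "$env:SystemRoot\System32\dsregcmd.exe" /status |
        Select-String -Pattern 'AzureAdJoined\s*:\s*(\w+)' | Select-Object -First 1
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        autoWorkplaceJoin = $value
        TaskState         = if ($task) { [string]$task.State } else { 'not present' }
        AzureAdJoined     = if ($joined) { $joined.Matches[0].Groups[1].Value } else { 'unknown' }
    }
}

Disable-AutoWorkplaceJoin
Test-AutoWorkplaceJoin | Format-List
```

    Because the policy value lives under HKLM\SOFTWARE\Policies, a domain GPO that sets it will overwrite the local value at the next policy refresh, so either keep the exempt servers out of that GPO's scope or rely on the disabled task, which Group Policy does not re-enable.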
  18. Azure AD Join computer without gaining local admin access

    We really need a settings option in the Azure AD portal for managing the local device permission level upon Azure AD join for users and groups.

    To get remotely close to this today we have to Azure AD join and Intune enroll with a specific account that we only grant permission to join, and it becomes the admin, as users thereafter do not...

    4 votes
    0 comments  ·  Domain Join
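    Ideas 5, 7 and this one all come down to the same question: who actually ends up in the local Administrators group after an Azure AD join. The following is an added example (not code from any of the posts or from Microsoft) that enumerates the group and classifies each member, so you can see the Azure AD user who performed the join (shown as AzureAD\Name) and the Azure AD directory roles that the join adds, which appear only as unresolved SIDs under the Azure AD authority S-1-12-1. It uses net localgroup rather than Get-LocalGroupMember because the latter fails on some builds when a member SID cannot be resolved locally. The sample output at the bottom is constructed; the SIDs in it are placeholders, and the -RawOutput parameter is an assumption made so the parser can be tried offline.

```powershell
# Added example, not from the posts or from Microsoft: list who holds local
# Administrators on an Azure AD joined device and flag the Azure AD principals.
# Azure AD users appear as "AzureAD\Name"; Azure AD directory roles (the Global
# Administrator role and the Azure AD Joined Device Local Administrator role
# that Azure AD join adds) appear as unresolved SIDs under authority S-1-12-1.
function Get-LocalAdminReport {
    param(
        # Optional: pass the text of `net localgroup administrators` instead of
        # running it (assumption made so the parser can be exercised offline).
        [string[]]$RawOutput
    )
    if (-not $RawOutput) { $RawOutput = & net.exe localgroup administrators }

    # Member names follow the dashed separator and stop at the
    # "The command completed successfully." trailer.
    $inMembers = $false
    foreach ($line in $RawOutput) {
        if ($line -match '^-{5,}') { $inMembers = $true; continue }
        if (-not $inMembers -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -match '^The command completed') { break }
        $name = $line.Trim()
        $kind = switch -Regex ($name) {
            '^AzureAD\\'      { 'Azure AD user' }
            '^S-1-12-1-'      { 'Azure AD role/group SID (not resolvable locally)' }
            '^NT AUTHORITY\\' { 'Well-known principal' }
            default           { 'Local or on-prem AD account' }
        }
        [pscustomobject]@{ Member = $name; Kind = $kind }
    }
}

# Constructed sample (not captured from a real machine) of net localgroup output
# on an Azure AD joined device; the SIDs are placeholders.
$sample = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
AzureAD\JaneDoe
S-1-12-1-1234567890-1234567890-1234567890-1234567890
S-1-12-1-1234567891-1234567891-1234567891-1234567891
The command completed successfully.

'@ -split "`r?`n"

Get-LocalAdminReport -RawOutput $sample | Format-Table -AutoSize
```

    Run it without -RawOutput on a joined device to get the live picture. Any S-1-12-1 entry is a directory role or group, not a person; the number of those entries is the size of the blast radius the posts above are worried about, since every member of the matching Azure AD role gets local admin on every device the role is present on.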
  20. How can i join mac into Azure Active Directory, please help

    I have more than two machines in my organization, and I have to add them to Azure Active Directory. How can I achieve this?

    Thanks,
    Suresh

    3 votes
    1 comment  ·  Domain Join