Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

How can we improve Azure Active Directory?


  • AD Groups in Application Owners

    Would be great to be able to add groups to application owners in AD instead of only users. Scenario is to use on-prem AD synced with Azure to keep management of application roles/groups/etc on-prem for cloud hosted solutions.

    Thanks!

    59 votes  ·  under review  ·  8 comments  ·  Developer Experiences
  • Need email alert option when keys are about to expire

    55 votes  ·  7 comments  ·  Developer Experiences
  • Ability to Grant Permissions via API or Powershell

    Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.

    Service Principal creation, role definition and permission assignment can be done through Portal, Powershell and API. But in order to make Application Permissions (which requires admin consent) work, you need someone with Global Administrator role to go to Azure Portal and click Grant Permissions button (or do the same thing via OAuth prompt on your…

    43 votes  ·  7 comments  ·  Developer Experiences
  • Managed Service Identity support for containers.

    We currently are moving towards containerization of applications using service fabric. Is it possible to enable MSI extension for VM on host and then consume the service from the container?

    35 votes  ·  1 comment  ·  Developer Experiences
  • Make Azure Ad Application 'permissions to other applications' optional not mandatory

    From what I understand, adding permissions in the 'permissions to other applications' section of an Azure AD Application means that any tenant administrator trying to grant access to that application using the Admin consent flow must have all the services requested. E.g. if requesting Office 365 'Read users email' permission and CRM Online 'Access CRM Online as organization users' permission the requesting tenant must have both of those Microsoft Services linked to their Azure AD.

    If you don't have access to all requested services you receive the following error:

    'AADSTS65005: The application needs access to a service that your organization…

    23 votes  ·  1 comment  ·  Developer Experiences

      The v2 endpoint for Azure AD supports incremental/dynamic consent, by which an app requests the permissions it needs at run time, dynamically. This will allow your app to get tokens for basic scenarios first (e.g. sign in and get profile) and only get tokens for other, optional, scenarios (e.g. read and send mail as the user) later.

      Be sure to review the current limitations on which services the v2 endpoint will grant tokens for, as this does work for all scenarios or all Microsoft services yet: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations#restrictions-on-services-and-apis

  • Add CORS support for discovery and JSON Web Key Set endpoints

    Adding CORS support to the following endpoints would allow them to be downloaded via a JavaScript application:
    - https://login.microsoftonline.com/<tenantid>/v2.0/.well-known/openid-configuration
    - https://login.microsoftonline.com/<tenantid>/discovery/v2.0/keys

    The signatures for these endpoints could then be used to verify JWTs directly within the JavaScript.

    22 votes  ·  2 comments  ·  Developer Experiences
  • 15 votes  ·  3 comments  ·  Developer Experiences
  • Where is application registered in Azure Active Directory?

    I registered a new application in https://apps.dev.microsoft.com and afterwards it says "This application will be registered in the Azure Active Directory instance used to manage your xxxx@yyyy.zzz account." I can't see it anywhere.

    How about providing a link to it instead of hiding it away where I can't find it, that is if it is even actually visible.

    14 votes  ·  6 comments  ·  Developer Experiences

      Alan, if I understand correctly, you are saying you cannot see the converged apps you registered on apps.dev.microsoft.com in the Azure Portal. Converged apps cannot currently be managed in the Azure Portal, even though they are registered in the Azure AD tenant listed in the message. If you would like to manage converged apps in the Azure Portal, please post that as an idea/suggestion or vote for it once the post exists.

  • Support Managed Service Identity on VMs in Azure Batch Pool

    Enabling MSI for Windows VMs created by an Azure Batch Pool would allow us to use this service in Azure Data Factory .Net custom code activities running on Azure Batch.

    13 votes  ·  0 comments  ·  Developer Experiences
  • Azure AD App registration limit for non-admin AD user

    There is a limit to the number of App and/or Service Principal registrations a non-administrative Azure AD user can provision (250). This prevents the creation of the App or SP from being automated once that limit is reached. Unfortunately there is no way to determine the number of objects that have been created by a particular account. No such counter is available, and the objects themselves don't have a "CreatedBy" attribute that you could query. You do not want the automation account user to be granted the Global admin role in Azure AD due to…

    11 votes  ·  2 comments  ·  Developer Experiences
  • Show "Directory Extension" in portal for users and groups

    My customers would love to have an easy approach to list all directory extensions for either a specific group or user within the Azure Portal. Currently they have to use PowerShell (Get-AzureADUser -ObjectId $UserId.ObjectId | Select -ExpandProperty ExtensionProperty) to list all the properties associated with the object. This seems a bit difficult for most supporters and IT pros. I would like to see the ability to list the attributes in the short term and the possibility to edit the attributes in the long term.

    10 votes  ·  0 comments  ·  Developer Experiences
  • 8 votes  ·  0 comments  ·  Developer Experiences
  • Add ability to limit a multi-tenant application to a list of specific tenants

    A parent company has multiple subsidiaries each having a separate tenant. A multi-tenant application written in house for the group can be used by each subsidiary but is not limited to only those tenants. I request that an element be added to the app manifest that would contain a list of tenants that could use/register the application.

    8 votes  ·  1 comment  ·  Developer Experiences
  • Add support to list directories that the user is a member of

    As per this thread on Stack Overflow (https://stackoverflow.com/questions/45235572/getting-all-b2b-directories-user-is-member-of/) it would be great to be able to list all directories the account is a member of, along with the directory name and possibly the primary domain. It would make B2B support in multitenant apps much easier than it is right now.

    7 votes  ·  0 comments  ·  Developer Experiences
  • It would be nice to have PowerShell support to access Azure Portal -> Azure AD -> Users and groups -> User settings

    Currently, there exists no PowerShell cmdlet in the MSOnline and AzureAD modules that could give me the list of user settings. It would be a really powerful cmdlet. There exists Get-MsolCompanyInformation, which only renders partial information, but not all. The rest of the settings, like: 1) Users can add gallery apps to their Access Panel 2) Guest users permissions are limited 3) Admins and users in the guest inviter role can invite 4) Members can invite 5) Guests can invite 6) Restrict access to Azure AD administration portal, are still inaccessible via PowerShell.

    7 votes  ·  0 comments  ·  Developer Experiences
  • ADAL Google Polymer element

    The Google Polymer project is gaining real momentum for developing web apps. It would be great if we had an ADAL Polymer element integration.
    https://www.polymer-project.org/1.0/

    7 votes  ·  0 comments  ·  Developer Experiences
  • Prevent registered apps from disappearing from portal

    The apps that I registered in the Microsoft Registration Portal (MRP) are suddenly gone. I can see them in the Azure Portal, and manage Azure AD apps, but converged apps are only seen in Application registrations. From that place I am unable to manage settings for them.
    This also happens with newly registered apps in MRP to me and to my colleague, as soon as app is created it is gone from MRP.
    When inspecting the web page there are errors in Console:

    0cac2641-217e-404f-b402-ae7f6d97a3a7:1 Failed to load resource: net::ERR_FILE_NOT_FOUND
    MeControl.js:1 Uncaught TypeError: Failed to execute 'postMessage' on 'Window': The provided…

    5 votes  ·  1 comment  ·  Developer Experiences
  • Navigating Azure AD V1 and V2 is a nightmare

    Just spent a couple of days getting an app to authenticate against multiple tenants.

    And now the Graph API can't use my app registrations from Azure AD, and there are gotchas EVERYWHERE on V2.
    WOW

    5 votes  ·  0 comments  ·  Developer Experiences
  • Document how to configure Azure AD to be a SAML 2.0 identity provider for a SAML 2.0 service provider, for SSO against Office365 credentials

    I found https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps but the Azure AD admin interface I get via my Office365 admin isn't consistent with the documentation and I can't find the documented interface. Elsewhere, I find documentation that says this can be done (e.g. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added) but no instructions for how to configure the integration.

    5 votes  ·  0 comments  ·  Developer Experiences
  • Common OpenID Connect discovery endpoint should not contain invalid URL

    The OIDC discovery endpoint for the common tenant ( https://login.microsoftonline.com/common/.well-known/openid-configuration ) has an invalid URL as the issuer attribute. The issuer must be a valid URL, but it contains curly braces: 'https://sts.windows.net/{tenantid}/'. This can cause problems in libraries such as Nimbus OAuth 2.0 SDK, which parse and validate this attribute. The braces should either be URL-encoded or a different placeholder should be chosen.

    5 votes  ·  0 comments  ·  Developer Experiences