Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Linux compatibility for AzureAD Powershell Module
As mentioned in https://github.com/PowerShell/PowerShell/issues/5274, the AzureAD module is not compatible with Linux.
95 votes -
Recycle Bin For Deleted Devices
Would be great if there was a recover-msoldevice cmdlet or some way to recover a bitlocker recovery key after a device was deleted.
79 votes -
Query Azure AD Devices BitLocker recovery key via PowerShell
Please allow query Azure AD Devices BitLocker recovery key via PowerShell
37 votes -
Find all users with app passwords
We think that it's necessary to have a command for PowerShell to show app passwords per user. It would also need to show what app the password is being used for. MFA is pointless with thousands of app passwords. Not every user we've enforced has set up app passwords. this is what me and many other admins would like to know.
37 votes -
Powershell command to update the authentication contact email
Need to change the user alternate authentication emails for azure user accounts using Powershell. We are able to change the same in azure portal i.e. Azure active directory >> Users and groups >> all users >> profile >> Authentication contact info >> email.
19 votes -
Add a friendly name attribute when getting MSOL license/SKU (Get-MsolAccountSku)
Please add a "FriendlyName" attribute when doing a license search via Powershell (Get-MsolAccountSku).
If I give you an example. The command "Get-MsolAccountSku" retrieve the following information for an SKU :ExtensionData : System.Runtime.Serialization.ExtensionDataObject
AccountName : xxxxx
AccountObjectId : xxxxxxxxx
AccountSkuId : xxxxx:FLOW_FREE
ActiveUnits : xxxxx
ConsumedUnits : 0
LockedOutUnits : 0
ServiceStatus : {Microsoft.Online.Administration.ServiceStatus, Microsoft.Online.Administration.ServiceStatus, Microsoft.Online.Administration.ServiceStatus}
SkuId : f30db892-07e9-47e9-837c-80727f46fd3d
SkuPartNumber : FLOW_FREE
SubscriptionIds : {xxxxxxxxxx}
SuspendedUnits : 0
TargetClass : User
WarningUnits : 0Please add the friendly name for the license in the result. For the moment, we only have this document https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference
But it's never up to date…17 votes -
Add support for creating native AD applications via PowerShell cmdlets
The current version of the New-AzureRMADApplication cmdlet only supports creating web applications in Azure AD. Please add support for creating Native Applications as well.
15 votesThe new Azure AD PowerShell module that is under development will include support for applications. (Note: These will be following the -AzureAD pattern, not -AzureRm, convention, which is specific to Azure Resource Manager.)
-
Use Powershell standards for Powershell cmdlets
The AzureADcmdlets do not obey standard Powershell coding guidelines/rules/practices that make them weird and harder than necessary to use. Three examples:
-All (For instance in Get-AzureADUser Get-AzureAD...) should be a switch, not a boolean.
-WhatIf should be supported by all Set-* commandlets, and should ideally be able to display the object being changed (like Set-ADUser does). If it doesn't, then at least it will be possible to validate the parameterset.
-Set-AzureADUser -ExtensionProperty wants a 'system.collections.generic.dictionary[string,string]'. However, you only need a hashmap, and Generics is not straight forward in Powershell. Hashmaps are.
14 votes -
Possibility to set attribute LastPasswordChangeTimestamp
Following to the article
https://support.microsoft.com/en-us/help/4025960/federated-users-in-azure-ad-are-forced-to-sign-in-frequently we're trying to set the attribute LastPasswordChangeTimestamp with powershell.By using the CMDlet "Set-MsolUser" with the parameter "LastPasswordChangeTimestamp" nothing happens. The value stays empty / does not change. No error message from the CMDlet. Seems to be a bug!
The new CMDlet "Set-AzureADUser" does not like to support this action, at least there is no parameter like “LastPasswordChangeTimestamp”: https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0
Please give us a way to programmatically set the attribute LastPasswordChangeTimestamp for an azure ad user.
14 votes -
Provide PowerShell access to user extension attributes used in Azure App SAML claims
We need access to get and set the values using PowerShell for user.extensionattribute1 to user.extensionattribute15. On-prem users have these values synchronized via Azure AD Connect, but I'd like to set the values manually for our cloud-only users.
See suggestion: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13743219-allow-for-employeeid-as-a-selection-for-nameidenti
14 votes -
PowerShell PIM Access Reviews
It doesn't appear like there are any PowerShell cmdlets for PIM to support access review creation and management. This would be helpful for automation purposes so someone doesn't have to log into the GUI to create access reviews, check status, etc.
11 votes -
Install and configure Azure Marketplace Enterprise Applications using PowerShell
We need to be able to automate from start to finish the installation and configuration of Azure Marketplace (not custom) Enterprise Applications like AWS, ServiceNow, etc....using PowerShell.
11 votes -
Enable Unattended Sign-in for Federated Users
Currently I can sign in to Azure AD with the Connect-AzureAD cmdlet's -Credential parameter with a cloud-authored account. When I try to do this with a federated account that is synced from our on-premises directory, I receive this error:
accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed: The remote server returned an error: (400) Bad Request.
I had the same issue with the preview versions of the msonline module with ADAL. Please address this so unattended sign in works with federated accounts as well.
Thanks!
8 votes -
There is currently no way to specify a manager of a user using PowerShell
Currently, using the MSOnline PowerShell module, we can specify many properties of an Azure AD User, including the title, city and name, things like that. However, there is no ability to specify the user's manager, among other fields.
The only method to achieve this is through the REST API, which requires using oAuth2.0, something which is very difficult to accomplish using PowerShell.
I'd recommend these missing management areas be covered with an update to the PowerShell module.
8 votesThanks Stephen! This is something we have planned in our backlog.
-
Add a parameter for Set-MsolUserLicense for enabling individual features.
Currently, the Set-MsolUserLicense cmdlet uses reverse logic for what features should be enabled for a user's license.
You need to define what features should not be enabled rather than what features should be enabled.
This causes challenges when it comes to rolling out a new feature if there is not complete autonomy in how an organization's features are configured.
It is not as easy to for example go through and indicate to turn on a particular feature for all users and leave their existing features intact.
It would be very helpful to have an option to enable a particular feature…
7 votes -
Edit Office 365 Group ProxyAddresses
There is an issue with Office 365 group and email aliases. If a user creates a group named "All amazing people" it will create Office 365 email alias allamazingpeople@contoso.com. But in certain instances there are customers (like us) that use Azure AD Sync. So when I create distribution group in our AD, with same email name I get a sync issue.
If I rename Office 365 group and change email address, for some reason all aliases are kept, so the only solution is to remove Office 365 group. I have worked with support when it was mentioned "remove group,…
7 votes -
Infrastructure as code
In following the Infrastructure as Code model, all settings management available through the GUI should be available through an API, even if it evolves from v1 through REST, to v2 through a PowerShell module.
6 votes -
Password-based SSO - change credentials using powershell
We want the ability to be able to update user credentials for password-based SSO apps using powershell so we can script it, as we set credentials for each user individually. To set up for hundreds or thousands of users this will take a very long time using the UI.
I have googled this for hours, and came close to finding a script that could do it but unfortunately couldn't get it to work in our scenario.
Can we please get this functionality?
6 votes -
Set-AzureADUser - setting null value for attribute Mobile or TelephoneNumber
See also at https://github.com/Azure/azure-docs-powershell-azuread/issues/166
Set-AzureADUser -objectid -Mobile "$null" will generate an error.
set-AzureADUser : Error occurred while executing SetUser
Code: Request_BadRequest
Message: Invalid value specified for property 'mobile' of resource 'User'.Expected behaviour: properties Mobile and TelephoneNumber should be able to set to $Null or "" (empty string). It works via the Graph API and the Office 365 Admin Portal, but not with PS AzureAD module.
6 votes -
Get-MsolUser should return the "Source" of the AD entry
Both the Classic portal and the ARM portal clearly display where each AD entry is sourced from. Usually, this is either "Microsoft Azure Active Directory", "Microsoft account", or "Microsoft Azure AD (other directory)". I want to have that information available in the data returned by Get-MsolUser but it is not.
6 votes
- Don't see your idea?