Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Linux compatibility for AzureAD Powershell Module
As mentioned in https://github.com/PowerShell/PowerShell/issues/5274, the AzureAD module is not compatible with Linux.
169 votesThis is in the works, hoping to be able to release a new version in the next couple of weeks that supports running on Linux (and Mac)
-
Query Azure AD Devices BitLocker recovery key via PowerShell
Please allow query Azure AD Devices BitLocker recovery key via PowerShell
82 votes -
Find all users with app passwords
We think that it's necessary to have a command for PowerShell to show app passwords per user. It would also need to show what app the password is being used for. MFA is pointless with thousands of app passwords. Not every user we've enforced has set up app passwords. this is what me and many other admins would like to know.
81 votes -
Add a friendly name attribute when getting MSOL license/SKU (Get-MsolAccountSku)
Please add a "FriendlyName" attribute when doing a license search via Powershell (Get-MsolAccountSku).
If I give you an example. The command "Get-MsolAccountSku" retrieve the following information for an SKU :ExtensionData : System.Runtime.Serialization.ExtensionDataObject
AccountName : xxxxx
AccountObjectId : xxxxxxxxx
AccountSkuId : xxxxx:FLOWFREE
ActiveUnits : xxxxx
ConsumedUnits : 0
LockedOutUnits : 0
ServiceStatus : {Microsoft.Online.Administration.ServiceStatus, Microsoft.Online.Administration.ServiceStatus, Microsoft.Online.Administration.ServiceStatus}
SkuId : f30db892-07e9-47e9-837c-80727f46fd3d
SkuPartNumber : FLOWFREE
SubscriptionIds : {xxxxxxxxxx}
SuspendedUnits : 0
TargetClass : User
WarningUnits : 0Please add the friendly name for the license in the result. For the moment, we only have this document https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference
But it's never up…32 votes -
PowerShell PIM Access Reviews
It doesn't appear like there are any PowerShell cmdlets for PIM to support access review creation and management. This would be helpful for automation purposes so someone doesn't have to log into the GUI to create access reviews, check status, etc.
28 votes -
Return value for AuthenticationMethodsUsed in Get-AzureADAuditSignInLogs
To easily get a report via PowerShell for "MC191153, beginning October 13, 2020, we will retire Basic Authentication"
If AuthenticationMethodsUsed would be populated to show who is using Basic Authentication currently.
27 votes -
Powershell command to update the authentication contact email
Need to change the user alternate authentication emails for azure user accounts using Powershell. We are able to change the same in azure portal i.e. Azure active directory >> Users and groups >> all users >> profile >> Authentication contact info >> email.
26 votes -
Provide PowerShell access to user extension attributes used in Azure App SAML claims
We need access to get and set the values using PowerShell for user.extensionattribute1 to user.extensionattribute15. On-prem users have these values synchronized via Azure AD Connect, but I'd like to set the values manually for our cloud-only users.
See suggestion: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13743219-allow-for-employeeid-as-a-selection-for-nameidenti
20 votes -
Password-based SSO - change credentials using powershell
We want the ability to be able to update user credentials for password-based SSO apps using powershell so we can script it, as we set credentials for each user individually. To set up for hundreds or thousands of users this will take a very long time using the UI.
I have googled this for hours, and came close to finding a script that could do it but unfortunately couldn't get it to work in our scenario.
Can we please get this functionality?
19 votes -
Install and configure Azure Marketplace Enterprise Applications using PowerShell
We need to be able to automate from start to finish the installation and configuration of Azure Marketplace (not custom) Enterprise Applications like AWS, ServiceNow, etc....using PowerShell.
16 votes -
Use Powershell standards for Powershell cmdlets
The AzureADcmdlets do not obey standard Powershell coding guidelines/rules/practices that make them weird and harder than necessary to use. Three examples:
-All (For instance in Get-AzureADUser Get-AzureAD...) should be a switch, not a boolean.
-WhatIf should be supported by all Set-* commandlets, and should ideally be able to display the object being changed (like Set-ADUser does). If it doesn't, then at least it will be possible to validate the parameterset.
-Set-AzureADUser -ExtensionProperty wants a 'system.collections.generic.dictionary[string,string]'. However, you only need a hashmap, and Generics is not straight forward in Powershell. Hashmaps are.
16 votes -
Possibility to set attribute LastPasswordChangeTimestamp
Following to the article
https://support.microsoft.com/en-us/help/4025960/federated-users-in-azure-ad-are-forced-to-sign-in-frequently we're trying to set the attribute LastPasswordChangeTimestamp with powershell.By using the CMDlet "Set-MsolUser" with the parameter "LastPasswordChangeTimestamp" nothing happens. The value stays empty / does not change. No error message from the CMDlet. Seems to be a bug!
The new CMDlet "Set-AzureADUser" does not like to support this action, at least there is no parameter like “LastPasswordChangeTimestamp”: https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0
Please give us a way to programmatically set the attribute LastPasswordChangeTimestamp for an azure ad user.
16 votes -
Add support for creating native AD applications via PowerShell cmdlets
The current version of the New-AzureRMADApplication cmdlet only supports creating web applications in Azure AD. Please add support for creating Native Applications as well.
16 votesThe new Azure AD PowerShell module that is under development will include support for applications. (Note: These will be following the -AzureAD pattern, not -AzureRm, convention, which is specific to Azure Resource Manager.)
-
Set-AzureADUser - setting null value for attribute Mobile or TelephoneNumber
See also at https://github.com/Azure/azure-docs-powershell-azuread/issues/166
Set-AzureADUser -objectid -Mobile "$null" will generate an error.
set-AzureADUser : Error occurred while executing SetUser
Code: Request_BadRequest
Message: Invalid value specified for property 'mobile' of resource 'User'.Expected behaviour: properties Mobile and TelephoneNumber should be able to set to $Null or "" (empty string). It works via the Graph API and the Office 365 Admin Portal, but not with PS AzureAD module.
14 votes -
Buggy command
Get-AzureADAuditSignInLogs consistently fails with the error:
Get-AzureADAuditSignInLogs : Unexpected character encountered while parsing value: {. Path 'value[8].authenticationProcessingDetails', line 1,
position 25039.
At line:1 char:1
+ Get-AzureADAuditSignInLogs
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (:) [Get-AzureADAuditSignInLogs], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.GetAuditSignInLogs12 votes -
Powershell SAML App Automation
With having to register SAML based applications very frequently, it gets very time consuming to have to add/update/delete these manually. We already have automation in place for JWT based applications using AzureAD module. I don't see why the same can't exist for SAML (non-gallery/gallery) applications.
Module should handle:
- Gallery/Non-Gallery/On-Premise (I believe tags are used to distinguish this)
- Type of SSO (SAML, pass-based. and linked)
- - - At least for SAML, the module should handle steps 1-4
- Handle the provisioning aspectsFrom my understanding some of this can be done using AzureADServicePrincipal cmdlets of AzureAD, but not…
11 votes -
Edit Office 365 Group ProxyAddresses
There is an issue with Office 365 group and email aliases. If a user creates a group named "All amazing people" it will create Office 365 email alias allamazingpeople@contoso.com. But in certain instances there are customers (like us) that use Azure AD Sync. So when I create distribution group in our AD, with same email name I get a sync issue.
If I rename Office 365 group and change email address, for some reason all aliases are kept, so the only solution is to remove Office 365 group. I have worked with support when it was mentioned "remove group,…
10 votes -
There is currently no way to specify a manager of a user using PowerShell
Currently, using the MSOnline PowerShell module, we can specify many properties of an Azure AD User, including the title, city and name, things like that. However, there is no ability to specify the user's manager, among other fields.
The only method to achieve this is through the REST API, which requires using oAuth2.0, something which is very difficult to accomplish using PowerShell.
I'd recommend these missing management areas be covered with an update to the PowerShell module.
10 votesThanks Stephen! This is something we have planned in our backlog.
-
Enable Unattended Sign-in for Federated Users
Currently I can sign in to Azure AD with the Connect-AzureAD cmdlet's -Credential parameter with a cloud-authored account. When I try to do this with a federated account that is synced from our on-premises directory, I receive this error:
accessingwsmetadataexchangefailed: Accessing WS metadata exchange failed: The remote server returned an error: (400) Bad Request.
I had the same issue with the preview versions of the msonline module with ADAL. Please address this so unattended sign in works with federated accounts as well.
Thanks!
9 votes -
Improve filtering of results
Currently with the MSOnline module we can easily filter for users based on domain name, department, etc. but this is not easy using the AzureAD module since it is dependent on the Azure AD Graph oData filtering. Beyond this it seems to have its own limitations as well. For instance, the Azure AD Graph supports the 'startswith' method in oData filters, but this is not supported by the AzureAD module.
Please consider expanding on the filtering capabilities of the AzureAD module to allow us to find users by domain name or other properties easily.
8 votes
- Don't see your idea?