Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. B2B - Expose source tenant UPN and ObjectId in the guest tenant

    There is currently no immutable, unique property to match a user in the source tenant to the guest user in a guest tenant with PowerShell (AzureAD, MSOnline) or Azure AD web GUI. The unique identifier, which I believe is the ObjectId from the source tenant, is not exposed in the guest tenant.

    UPN on a guest user can be changed to <anything>@<anyverifieddomaininguest_tenant>, and thus is NOT a unique identifier.

    Request: Expose a guest user ObjectId and UserPrincipalName from the source tenant as attributes/properties on the guest user object.

    4 votes
    0 comments  ·  B2B
  2. Add tenant name to AzureAD tenant restrictions error log

    Azure AD tenant restrictions work great; however, they rely on you being told the 3rd-party tenant name, e.g. contoso.onmicrosoft.com. Many orgs' users simply have no idea what their tenant name is, as they use the org domain name instead.

    In the AAD sign-in logs you clearly see the target tenant id code, but there is no way to map that on to a tenant name to use in your proxy configuration. This would make life soooo much simpler for organisations that restrict access to tenants and need to manage the config.
    In my case this is for a large central…

    4 votes
    1 comment  ·  B2B
  3. Improve the experience of creating and managing Azure AD B2B security groups of guest users

    We created a security group of 200+ external users across 80+ vendors.


    1. Please create the ability to easily manage the membership of a security group in Azure portal. For example, we cannot currently sort the list of members by name. Also, to drill into a member's profile, it takes two clicks when it should only require one click.


    2. Please create the ability to track responses to invitations within a group. After multiple rounds of mass invitations via PowerShell, 80 users responded to the invitation, but 120 people have not and they likely cannot find the email. We need the ability…

    4 votes
    0 comments  ·  B2B
  4. sign in codes

    IMO would love to not have to receive codes to sign in. Already signing in w/ our password, so I think codes are time consuming/unnecessary.

    4 votes
    0 comments  ·  B2B
  5. What happened to inviting "users in partner companies"?

    In the old portal we had the ability to bulk upload a CSV file of "Users in partner companies" into B2B. There doesn't appear to be an equivalent in the new portal.

    This allowed us to invite external users, add them to an appropriate group and send them to a SPOnline URL, all in one hit. Plus monitor the invite process in the AzureAD reports.

    Great for Extranets!

    Now I have to invite individuals, then add them to a group, then send them a URL to go to once they're finished.
    I can script a lot of this out, but…

    4 votes
    1 comment  ·  B2B
  6. Allow users to use their email on sign in even though the address is associated with an account

    When we invite external users to our Azure AD, we use an email that they provide. This works fine for a lot of cases. However, in some situations, the user gets a message like this:

    You have been invited to access <somedomain>
    To access applications in the <someorg> organization, you'll
    need to sign in with <yourEmail>. This email
    address is associated with an account named
    <someaccount>

    To get this to work, the user needs to use the account as login, and not the email we used to invite them. This is very confusing for the users, as some of them…

    4 votes
    0 comments  ·  B2B
  7. B2B account login to domain joined computers

    Industry: Higher Ed
    Currently, we provision AD accounts so students (and vendors) can access domain-joined computers/servers. The challenge: this provisions an Office 365 account/mailbox, and our current practice allows students to keep those mailboxes after they graduate.

    Higher Ed institutions would benefit from the ability to provision B2B accounts for these user types (especially students), and allow those accounts to login to ADDS-joined computers/servers.

    3 votes
    0 comments  ·  B2B
  8. Extend B2B Federation capabilities to Google Business (aka GSuite) accounts

    Currently, B2B Federation setup only covers "normal" Google IDs (aka @gmail.com IDs).

    We need to set up Federation with GSuite IDs urgently in our current project requirement.

    The idea is to invite a GSuite ID (via email address) and use Google authentication to access Azure resources, without adding a "shadow" Azure AD account with its own password and security policy.

    3 votes
    1 comment  ·  B2B
  9. Guest Account Expiration Date

    Add the ability to mark an expiration date on guest accounts. Once the expiration date has passed, the account should automatically be unable to log in to resources in the tenant (similar to the block sign-in bit on a member account).

    3 votes
    0 comments  ·  B2B
  10. Extend the branding abilities of b2b

    The branding abilities of b2b are not on par with b2c. Azure for authentication has severe branding limitations, like 265 characters and allowing a couple of pictures.

    Let me have more control over layout, custom error messages. Also allow me to embed links into the experience.

    3 votes
    0 comments  ·  B2B
  11. B2B display name

    Hi,

    We have noticed a change in B2B accounts' display name. Now Azure AD overrides it from actual user properties, meaning
    * If user belongs to some Office 365 already, our directory shows that display name
    * If user doesn't belong to any O365, it shows firstname.lastname

    And this display name change happens after the user has activated their account in our directory. In our company there is a naming standard, which we would like to follow. Previously, when support invited a user, they could change the display name to the correct format directly. Now our support does extra work, chasing whether the user has activated their account and…

    3 votes
    1 comment  ·  B2B
  12. Allow an Application Service Principal to be added as a guest in other tenants

    We manage multiple tenants across our extended organisation and would like to have a single application service principal to do so rather than having a separate service principal in each tenant.

    The workaround is to use a standard user account, but we would prefer not to do it this way. Since service principals don’t have UPNs, there doesn’t seem to be a way to invite them via the B2B guest invite API.

    3 votes
    1 comment  ·  B2B
  13. Reset Password option for B2B User should be grayed out to avoid confusion

    Had a real-life scenario today whereby an Azure AD admin/support person was having issues with a B2B/external login and so clicked on the available Reset Password for the login, and got the rather generic error message below, which made them think they didn't have the correct rights.

    "The password can not be reset. This may be due to an incorrect level of administrative privilege or if trying to reset your own password."

    Ask: If a B2B/external user, have the Reset Password button grayed out and ideally with a "hover over" of something like…

    3 votes
    0 comments  ·  B2B
  14. support removal of the forgotten password link for B2B users

    At the moment in AD Connect you can remove the Password Writeback option; however, the Microsoft company-branded page has no option to remove the "forgotten password" link.

    So users end up trying to use that link and end up saying the Admin hasn't enabled the option.

    It would be better to support an option to either customize the link or remove it completely when the password writeback is turned off.

    3 votes
    0 comments  ·  B2B
  15. Enforce MFA for Azure B2B during first sign in after invite

    Consider adding support for Enforcing MFA during the first Azure B2B sign in after accepting the invitation.

    @Sarat Subramaniam

    3 votes
    0 comments  ·  B2B
  16. Enable SSPR for B2B invited users when there is no admin for their domain

    When an external user is invited and there is no existing Azure AD domain for him, a dynamic one is set up and his account created there; this is all well and good.

    However, if he loses his password there is no way to reset it. I have tried it with a mail address on a test domain and I could not recover the password. The only option I could see is to claim the dynamically created Azure AD for the external user's domain, so that the new admin of that domain can reset the password. But this is of…

    3 votes
    2 comments  ·  B2B
  17. Invite redemption url get

    We are able to invite new guest users into our AD Tenant using either PowerShell or Graph API. Using this approach we may choose not to send the Invitation E-Mail, in which case we would get the Invitation Redemption URL and we can send it to the "guest" in any way we choose allowing us to better control the first step of the overall invitation experience.

    The issue is that once we get the URL, we have no way to retrieve that URL back in the future. It is up to us to save that URL for future use or…

    2 votes
    0 comments  ·  B2B
  18. Guest invitation sender email customization

    Currently, when a guest user is created in Azure AD, the invitation is sent to the guest using the "invites@microsoft.com" email address, and due to this guest users sometimes ignore this email as spam. Instead of the @microsoft.com domain, can we use our own company domain email here?

    2 votes
    0 comments  ·  B2B
  19. Allow guest users to configure FIDO2 passwordless authentication

    Allow guest users the ability to register FIDO2 security keys for their accounts. Currently this is only available for "Member" users but we would like to see this available for "Guest" users as well.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key#user-registration-and-management-of-fido2-security-keys

    2 votes
    0 comments  ·  B2B
  20. Allow B2B Domain allow/deny list override for Global Admins

    Currently we only allow invitations to guest users from specific domains (e.g. .com) due to security policies BUT also allow members to invite guests (.com is a trusted company).

    Sometimes, however, we need to add users outside of that domain (e.g. gmail.com) in one-off cases ONLY. We do not want to add this exception domain to the allowed list FOR ONE GUEST USER invite. Because the members have the ability to add guests, we then open up that domain to them as well (not good).

    The option to override the domain DENY/ALLOW lists should be available to global administrators…

    2 votes
    0 comments  ·  B2B