Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Extend B2B Federation capabilities to Google Business (aka GSuite) accounts

    Currently, B2B Federation setup only covers "normal" Google IDs (aka @gmail.com IDs).

    We need to setup Federation with GSuite IDs urgently in our current project requirement.

    The idea is to invite a GSuite ID (via email address) and use Google authentication to access Azure resources, without adding a "shadow" Azure AD account with its own password and security policy.

    3 votes

    1 comment  ·  B2B
  2. Azure AD B2B Collaboration: Automatic invitation of users belonging to a specific group of a specific tenant

    Some companies are using multi-tenant in many places. Therefore, there are multiple requests for the function of automatic invitation. Currently, many companies use their own scripts in PowerShell.
    Please carry out the function of automatic invitation.

    3 votes

    0 comments  ·  B2B
  3. Uniform Guest Invitation Process across all Microsoft Products

    As of now the B2B guest invitation process is not streamlined across Microsoft products, especially SharePoint and Teams. Because of this we are not able to provide a single solution to customers for identity life cycle management. Following are a few of them:
    1) If you invite the users from SharePoint Online, the Guest Inviter is the SharePoint Service Account >> Because of this behaviour we can't track the Guest Inviter and impose Guest Inviter Role functionality, as SharePoint never looks at Azure AD to see whether the user has the Guest Inviter role or not. The workaround is to create Group Based Inviter functionality within SPO apart…

    4 votes

    0 comments  ·  B2B
  4. Add an AAD Tenant Restrictions logging option to log all external tenant usage

    Currently with AAD Tenant Restrictions, we can get AAD log records of blocked sign-ins by having our proxy insert the request header "Restrict-Access-Context". This is good as far as it goes (and I upvoted another user's suggestion to include the external tenant's name and not just the ID).
    I'm asking that there be an additional option to log all use of external AAD tenants (both sign-ins, and the URIs of resources for which tokens are issued). The use case is analytics for risks of data leakage and malicious data exfiltration as well as for potential legal liability scenarios. If we…

    3 votes

    0 comments  ·  B2B
  5. B2B Scenario - the B2B Guest User should use the MFA of their authenticating tenant

    In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA to access this information.
    The B2B user would need to enroll into the MFA for my tenant, even though he is already set up to use MFA in his tenant. This would result in multiple Authenticator accounts for the same original Azure account.
    I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.

    117 votes

    12 comments  ·  B2B
  6. Azure AD guest user profiles are sometimes empty after invitation is accepted

    When inviting a guest user (B2B) the guest user must consent and authorize Azure AD to read the guest user account Name and Email address.
    However, most of the time the user profile that is created in Azure AD is not filling the "Name" attribute. This behavior is not consistent across different Azure AD environments.
    It would also help a lot to enrich the guest profiles with other attributes like "First Name", "Last Name" and "Display Name" because it will greatly reduce the effort needed to modify these accounts manually.

    2 votes

    0 comments  ·  B2B
  7. B2B - Expose source tenant UPN and ObjectId in the guest tenant

    There is currently no immutable, unique property to match a user in the source tenant to the guest user in a guest tenant with PowerShell (AzureAD, MSOnline) or Azure AD web GUI. The unique identifier which I believe is the ObjectId from the source tenant, is not exposed in the guest tenant.

    UPN on a guest user can be changed to <anything>@<anyverifieddomaininguest_tenant>, and thus is NOT a unique identifier.

    Request: Expose a guest user ObjectId and UserPrincipalName from the source tenant as attributes/ properties on the guest user object.

    9 votes

    2 comments  ·  B2B
  8. Update displayed username for a guest user when its UPN is changed

    You can change UPN on guest users using PowerShell. You can even drop the "#EXT#"-part, and use any verified domain in the guest tenant, not only the initial onmicrosoft address.
    One problem with this, is that the visible username for the actual guest user when logging into Azure for instance is not changed. It remains the email address used to invite the user initially. Even though the SMTP address or UPN used for inviting is removed from both the source and the guest tenant, this is still shown in the username.

    Request: Update displayed username for a B2B guest user…

    17 votes

    0 comments  ·  B2B
  9. Setting inviteRedirectUrl from UI

    Adding a new guest user from the Azure AD UI should allow setting inviteRedirectUrl, as the Graph API provides (see https://docs.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0).

    2 votes

    0 comments  ·  B2B
  10. Guest Account Expiration Date

    Add the ability to mark an expiration date on guest accounts. Once the expiration date has passed, the account should automatically be unable to log in to resources in the tenant (similar to the block sign-in bit on a member account).

    12 votes

    2 comments  ·  B2B
  11. Table that shows what portals or sections of Azure AD are accessible as B2B guest user

    There are some portals or sections within Azure and Office365 that are not able to be shared with B2B guest users. The way you find out which ones are or aren't is by trial and error. It would be good to have a table or section within Azure that you can check to find out what portals or sections of Azure AD are accessible as a B2B guest user. This could be like a query you can run within Azure and it will tell you on-demand what can be assigned to a B2B user.

    1 vote

    0 comments  ·  B2B
  12. OTP Precedence order and migration of existing B2B users

    Currently, the new OTP B2B feature provides this as the default authentication type for non AAD or MS accounts. We want the ability to force this method of auth for those who already have MS accounts. We also want the ability to convert already invited users who are using MS and viral accounts to use OTP. This way, we only have to support two types of guest users - Those with organisational O365 accounts and those using OTP.

    23 votes

    8 comments  ·  B2B
  13. Enforce Organizational B2B account

    For users that happen to have both an organizational account AND a personal Microsoft account (PMA) tied to their work email address, we would like to enforce the organizational account being the only allowed option.

    Currently if an invitation is sent and they choose the PMA and then they happen to leave the external company, there is a human reliance component of the external company having to notify us of them leaving.

    A current work around is to monitor the guest accounts for non-org accounts, but it would be less time consuming if the personal account wasn't an option.

    2 votes

    0 comments  ·  B2B
  14. Prevent guest users from seeing security groups/content through Access Panel.

    In a B2B setup, guest users can see the members of a security group used for e.g. an app through the Access Panel. This is unfortunate as they may be competitors, or membership exposes information that is not supposed to be public.

    I am aware that you can turn off group view for all users in the access panel, but the access panel is also a nice feature.

    B2C will also solve it, but not a good option for many cases.

    Could it be solved with a property hidden or secret only open for internal og owners/admins?

    16 votes

    1 comment  ·  B2B
  15. Azure AD makes sharing and collaboration seamless for any user with any account

    Confirm a question, does this new feature also apply to AIP when we add collaborators who use Google (gmail) to log in?

    1 vote

    0 comments  ·  B2B
  16. Remove the option to select between work and personal account when resetting passwords

    This option confuses guest users. Those who have created an account on a viral tenant need to select "work or school account" and those who have setup an MSA account need to select "personal account". Selecting the wrong option leads to a message stating the user id is not recognised. This is proving difficult to support.

    1 vote

    0 comments  ·  B2B
  17. I want to restrict users of my tenants from being invited from other tenants.

    I want to restrict users of my tenants from being invited from other tenants.

    Now the administrator can not see where users of their tenants are accessing.

    Since there is a security problem, I would like to have the ability to control the tenants that users will be invited as guest users.

    28 votes

    3 comments  ·  B2B
  18. Azure Multi-Factor Authentication Server should be able to use/import Users defined in an Azure AD group not just import from AD

    Azure Multi-Factor Authentication Server should be able to use/import Users defined in an Azure AD group, not just import from AD; thus they could be B2B users.

    1 vote

    0 comments  ·  B2B
  19. Show the B2B-blocking proxy address in my tenant's logs

    Scenario:
    I try to invite user@partnerdomain.com to my tenant (via Azure AD B2B), but get the error message "The user you're inviting already exists in the directory." But there are NO traces at all of that account in my tenant.

    It turns out that user@partnerdomain.com has another proxy address (user@anydomain.com) in THEIR OWN TENANT, and a user in my tenant also happens to have user@anydomain.com as a proxy address. There are valid reasons for this to occur.

    It makes sense that you cannot have more than one proxy address per tenant, but there is no way for us…

    5 votes

    0 comments  ·  B2B
  20. Make B2B guest accounts less sensitive to changes in the source AAD/MS account

    I have a customer that uses B2B for any partner collaboration they do within their corporate environment.

    There were partners that went through the following scenarios:
    - They moved their AAD users to another AAD tenant due to a reorganization
    - They changed company name and had a new UPN / SignIn

    In both cases the B2B account broke down. When the user tries to login they get the error: Sorry, but we’re having trouble with signing you in.

    AADSTS50177: User account '' from identity provider 'https://sts.windows.net//' does not exist in tenant '' and cannot access

    20 votes

    0 comments  ·  B2B