Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Ability to filter users with onPremisesSamAccountName with Microsoft Graph API

    I would like to have a filter on the users api of Microsoft Graph API, where I will be able to filter the users based on onPremisesSamAccountName, which is currently not available with Graph API.

    We have the internal employee id stored in the onPremisesSamAccountName variable which is present in the users API of Microsoft Graph. We are trying to filter on the onPremisesSamAccountName property to filter based on the internal employee id. Currently we are not able to do that with Graph API but we really need this to be working or would be happy if we get to know any…

    56 votes

    7 comments  ·  Azure AD API
  2. B2B: Please expose the "source" property in the Graph API

    We would like to have the Source attribute available in order to manage guest accounts differently based upon what kind of account it is ("Microsoft Azure Active Directory", "Microsoft account", or "Microsoft Azure AD (other directory)"). If the account is a Microsoft Account, we need to be able to have more scrutiny around it (i.e. check to see if the user still works for the partner company).

    45 votes

    2 comments  ·  Azure AD API
  3. Allow Microsoft Graph Filters to Look for (or exclude) NULL Values

    Currently, it is not possible to create a filter using Microsoft Graph that looks for "attribute eq/ne NULL". NULL is not currently supported. Requesting this feature be added.

    43 votes

    1 comment  ·  Azure AD API
  4. API to manage SAML SSO

    Graph API to automate managing SAML SSO configuration: renew certificate, configure SSO details...

    With the amount of apps configured for SSO it started to be hard to manage certificates (the renewal process is so manual).

    31 votes

    4 comments  ·  Azure AD API
  5. Make it possible to get group license assignment error message via PowerShell or API.

    Currently, we can only see the group license assignment error message from the Azure portal UI.

    I want a feature that can get this error message using PowerShell or API.

    23 votes

    1 comment  ·  Azure AD API
  6. PowerShell Azure AD provisioning and registration of FIDO2 keys

    PowerShell Azure AD provisioning and registration of FIDO2 keys

    17 votes

    2 comments  ·  Azure AD API
  7. Support the on-behalf-of flow for tokens gotten through the client credentials flow

    Add support for token exchange when using application tokens gotten through the client credentials flow similar to the on-behalf-of flow for user tokens.

    We want to use this for Azure API Management which is acting as a gateway to many backend services. In this scenario the clients get a token to the App registration for the API Management which then would use a token exchange/on-behalf-of flow to get a token and send it to the backend service. That way information about the original caller is kept in the token in the claims appid/azp, oid and sub for use by the…

    16 votes

    2 comments  ·  Azure AD API
  8. Graph scopes for assigned users and groups

    Many applications require access to query Microsoft Graph for users and groups. However, the scopes Group.Read.All and User.Read.All are often too wide, providing access to read all user and group objects in the tenant.

    A scope User.Read.Assigned and Group.Read.Assigned (and potentially ReadWrite also), allowing an application to only read user and group objects that are assigned to it, would be very useful.

    12 votes

    1 comment  ·  Azure AD API
  9. msal.js logout silently

    Logging out silently is needed in some scenarios due to business rules.

    9 votes

    1 comment  ·  Azure AD API
  10. Create Azure AD programmatically

    My organization needs the capability for creating Azure AD programmatically. This is because the multi-tenant SaaS solution we have requires each client (an organization) to have their own Azure AD where they will be part of a provider / consumer scheme and sometimes take on both roles (provider and consumer, such as a reseller). There are times where our clients will create and manage their own Azure AD and Azure Subscriptions. However, most of the client base we anticipate serving (acting as consumers) are small businesses and do not have the knowledge nor the staff to handle managing an Azure Subscription…

    9 votes

    0 comments  ·  Azure AD API
  11. Restricting access to Azure Service Principals.

    If anyone has the below information, they can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md

    #>

    The best possible scenario is to restrict it using RBAC. Agreed.
    An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.

    Can MS look into this please.
    I had raised case with MS…

    8 votes

    0 comments  ·  Azure AD API
  12. Ability to configure Azure AD Audit Logs diagnostic settings programmatically

    Our service would require the ability to set up AAD audit logs export via API.

    The service would ensure compliance that AAD audit logs are archived and/or streamed to Azure Monitor and Event Hubs for processing.

    Looking for the feature here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

    Currently it is available in the portal, but not over API/PowerShell/CLI.

    7 votes

    1 comment  ·  Azure AD API
  13. Release API capabilities for Access Packages and Identity Governance

    I want to automate Access Package deployment with Terraform as I do with user groups as well as make dynamic groups compatible with Access Packages. This would allow me to assign users to groups based on user attributes, as I can do with Dynamic groups, but also enable group members the ability to request an access package based on their dynamic group membership, which are automatically created after deploying a new subscription with Terraform. Access Packages would be specific to each subscription and include resource and application roles that are applicable to users of that subscription. This would replace the…

    7 votes

    started  ·  1 comment  ·  Azure AD API
  14. Rest API/CLI for Azure AD use cases related to security configuration

    Hi Team, We are working on a compliance check script for Azure AD. One of our use cases is to get the below data from Azure AD using CLI/Rest API/PowerShell.

    • Ensure that Office 365 groups can be managed only by Active Directory (AD) administrators.
    • Ensure that security groups can be managed only by Active Directory (AD) administrators.
    • Do not allow users to remember Multi-Factor Authentication (MFA) on their devices and browsers.
    • Ensure that Active Directory (AD) self-service group management is disabled for non-administrator users.
    • Ensure that "All Users" group is enabled for centralized access management within your…

    5 votes

    1 comment  ·  Azure AD API
  15. Support lookup by telephone number

    We're trying to add support for MS Graph on our SBC.

    With LDAP, we find the entry by the telephone number, and then use some of the other attributes.

    According to the docs (https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties), this is not possible on MS Graph, because all the telephone numbers (businessPhones, mobilePhone etc.) are not filterable.

    Can you suggest another way to perform this query? Do you plan to support this kind of query in the future?

    5 votes

    0 comments  ·  Azure AD API
  16. Update the Microsoft Graph Security API event when a Logic App adds a comment to an Azure Sentinel incident

    Scenario
    1. An Azure Sentinel analytic rule triggers, then it creates the incident alert in Azure Sentinel, and then Microsoft Graph captures the incident alert info.
    2. A Logic App playbook checks if there is an incident alert, then queries the data and adds it to the incident's comments.
    3. I tried to query the Microsoft Graph Security API in PowerShell and then discovered that the incident alert result was not updated to include the incident comment.
    4. I checked with various teams (Microsoft Graph Security team, Microsoft Sentinel Security team, Microsoft Logic App team). The Microsoft Security API team…

    4 votes

    2 comments  ·  Azure AD API
  17. Include users profile picture in OIDC token

    A lot of applications using the user's identity via OAuth / OpenID Connect will have the requirement to show a thumbnail of the user's profile picture, as all the Microsoft (Office) apps do too.

    We were looking for a way to have this picture included in the token that is returned from the OpenID Connect flow in Azure AD, but this seems to be impossible right now and, judging by the question found on SO (https://stackoverflow.com/questions/39936877/microsoft-openid-login-flow-picture-access), there hasn't been any progress on this specific topic.

    I don't want to look at the neighbor's grass too much, but over at…

    4 votes

    1 comment  ·  Azure AD API
  18. Add writable extension attributes to device objects

    Would like to see free form "extension style" attributes that can be both written to and read from via Graph and/or the Azure UI. User objects have this ability over Graph with the new profile endpoint, where you can read/write custom extension attributes.

    Device objects have no way to modify the schema at all, and there is no way to persist data and make it readable/displayable over Graph or the UI. We use this a lot on-prem, writing custom data and what not to attributes on machine objects. Would like to see this replicated out to Azure AD.

    4 votes

    1 comment  ·  Azure AD API
  19. Deleted AAD Graph permissions remain.

    When the AAD Graph API access permission of the registered application was deleted, it was deleted in the UI. However, the AAD Graph access permission that should have been deleted remained.

    Example:
    1. Grant Group.Read.All and User.ReadWrite.All with AAD Graph.
    2. The administrator consents to the granted permissions.
    3. Delete Group.Read.All.
    4. The administrator consents to the granted permissions.
    5. It has been deleted in the UI; however, the group information is still acquired as a result.
      I tried the same process as above with MS Graph, but I couldn't get group information.

    4 votes

    0 comments  ·  Azure AD API
  20. Add Equipment or create room resources through MS Graph API

    Hi,
    We cannot add equipment or create room resources through Microsoft Graph API or Azure AD Graph API.
    Also, it would be nice if we could connect or link equipment to a room so that we can filter rooms based on the availability of equipment for each room.

    4 votes

    0 comments  ·  Azure AD API