Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Ability to filter users with onPremisesSamAccountName with Microsoft Graph API

    I would like to have a filter on the users api of Microsoft Graph API, where I will be able to filter the users based on onPremisesSamAccountName, which is currently not available with Graph API.

    We have the internal employee id stored in the onPremisesSamAccountName variable, which is present in the users API of Microsoft Graph. We are trying to filter on the onPremisesSamAccountName property to filter based on the internal employee id. Currently we are not able to do that with the Graph API, but we really need this to be working, or would be happy if we get to know any…

    27 votes · 5 comments · Azure AD API
  2. B2B: Please expose the "source" property in the Graph API

    We would like to have the Source attribute available in order to manage guest accounts differently based upon what kind of account it is ("Microsoft Azure Active Directory", "Microsoft account", or "Microsoft Azure AD (other directory)"). If the account is a Microsoft Account, we need to be able to have more scrutiny around it (i.e. check to see if the user still works for the partner company).

    19 votes · 0 comments · Azure AD API
  3. Make it possible to get group license assignment error message via PowerShell or API.

    Currently, we can only see the group license assignment error message from the Azure portal UI.

    I want a feature that can get this error message using PowerShell or API.

    9 votes · 0 comments · Azure AD API
  4. API to manage SAML SSO

    Graph API to automate managing SAML SSO configuration: renew certificates, configure SSO details...

    With the number of apps configured for SSO, it has become hard to manage certificates (the renewal process is so manual).

    8 votes · 1 comment · Azure AD API
  5. Restricting access to Azure Service Principals.

    Anyone who has the information below can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md

    #>

    The best possible scenario is to restrict it using RBAC. Agreed.
    An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.

    Can MS look into this, please?
    I had raised a case with MS…

    8 votes · 0 comments · Azure AD API
  6. Graph scopes for assigned users and groups

    Many applications require access to query Microsoft Graph for users and groups. However, the scopes Group.Read.All and User.Read.All are often too wide, providing access to read all user and group objects in the tenant.

    A scope User.Read.Assigned and Group.Read.Assigned (and potentially ReadWrite also), allowing an application to only read user and group objects that are assigned to it, would be very useful.

    7 votes · 0 comments · Azure AD API
  7. PowerShell Azure AD provisioning and registration of FIDO2 keys

    PowerShell Azure AD provisioning and registration of FIDO2 keys

    7 votes · 0 comments · Azure AD API
  8. Allow Microsoft Graph Filters to Look for (or exclude) NULL Values

    Currently, it is not possible to create a filter using Microsoft Graph that looks for "attribute eq/ne NULL". NULL is not currently supported. Requesting this feature be added.

    6 votes · 0 comments · Azure AD API
  9. Ability to configure Azure AD Audit Logs diagnostic settings programmatically

    Our service would require the ability to set up AAD audit logs export via API.

    The service would ensure compliance that AAD audit logs are archived and/or streamed to Azure Monitor and Event Hubs for processing.

    Looking for the feature here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

    Currently it is available in the portal, but not over API/PowerShell/CLI.

    5 votes · 0 comments · Azure AD API
  10. 5 votes · 2 comments · Azure AD API
  11. Rest API/CLI for Azure AD use cases related to security configuration

    Hi Team, we are working on a compliance check script for Azure AD. One of our use cases is to get the data below from Azure AD using CLI/Rest API/PowerShell.

    • Ensure that Office 365 groups can be managed only by Active Directory (AD) administrators.
    • Ensure that security groups can be managed only by Active Directory (AD) administrators.
    • Do not allow users to remember Multi-Factor Authentication (MFA) on their devices and browsers.
    • Ensure that Active Directory (AD) self-service group management is disabled for non-administrator users.
    • Ensure that "All Users" group is enabled for centralized access management within your…

    4 votes · 1 comment · Azure AD API
  12. Support lookup by telephone number

    We're trying to add support for MS Graph on our SBC.

    With LDAP, we find the entry by the telephone number, and then use some of the other attributes.

    According to the docs (https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties), this is not possible on MS Graph, because all the telephone numbers (businessPhones, mobilePhone etc.) are not filterable.

    Can you suggest another way to perform this query? Do you plan to support this kind of query in the future?

    4 votes · 0 comments · Azure AD API
  13. Deleted AAD Graph permissions remain.

    When the API access permission for AAD Graph was deleted from the registered application, it was deleted in the UI. However, the AAD Graph access permission that should have been deleted remained.

    Example:
    1. Grant Group.Read.All and User.ReadWrite.All with AAD Graph.
    2. The administrator consents to the granted permissions.
    3. Delete Group.Read.All.
    4. The administrator consents to the granted permissions.
    5. It has been deleted in the UI; however, the group information is still acquired as a result.
    I tried the same process as above with MS Graph, but I couldn't get group information.

    4 votes · 0 comments · Azure AD API
  14. Create Azure AD programmatically

    My organization needs the capability to create Azure AD programmatically. This is because the multi-tenant SaaS solution we have requires each client (an organization) to have their own Azure AD, where they will be part of a provider / consumer scheme and sometimes take on both roles (provider and consumer, such as a reseller). There are times where our clients will create and manage their own Azure AD and Azure Subscriptions. However, most of the client base we anticipate serving (acting as consumers) are small businesses and do not have the knowledge nor the staff to handle managing an Azure Subscription…

    4 votes · 0 comments · Azure AD API
  15. Release API capabilities for Access Packages and Identity Governance

    I want to automate Access Package deployment with Terraform as I do with user groups as well as make dynamic groups compatible with Access Packages. This would allow me to assign users to groups based on user attributes, as I can do with Dynamic groups, but also enable group members the ability to request an access package based on their dynamic group membership, which are automatically created after deploying a new subscription with Terraform. Access Packages would be specific to each subscription and include resource and application roles that are applicable to users of that subscription. This would replace the…

    4 votes · 0 comments · Azure AD API
  16. AzureADDirectoryRole PowerShell to show ALL roles

    Get-AzureADDirectoryRole only shows the roles that are populated, not all available roles.
    It doesn't even have a -ListAvailable switch.
    This has to be updated or the command is almost unusable.

    3 votes · 1 comment · Azure AD API
  17. MailNickName is not unique for Azure AD Groups

    MailNickname is mentioned as a unique value in the Microsoft Graph documentation for groups, but I am able to create multiple groups with the same mailNickname through the API and PowerShell. It would be great to have a unique identifier other than objectId, like mailNickname or displayName, for groups.

    3 votes · 0 comments · Azure AD API
  18. Allow signed JWT Bearer token flow (get user access token without password / SAML)

    We will need OAuth support to get a user access token without having to provide the user name/password or a SAML assertion from ADFS.

    The trust would be the certificate trust.

    Other implementations from other vendors:

    https://tools.ietf.org/html/rfc7523

    1. Google https://www.jhanley.com/google-cloud-creating-oauth-access-tokens-for-rest-api-calls/
       Refer to `def createsignedjwt(pkey, pkeyid, email, scope):` and exchange that for the user access token in `def exchangeJwtForAccessToken(signed_jwt):`
    2. Docusign https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken
    3. Atlassian https://developer.atlassian.com/cloud/jira/software/oauth-2-jwt-bearer-token-authorization-grant-type/
    4. Box https://developer.box.com/docs/construct-jwt-claim-manually#section-3-create-jwt-assertion
    5. Salesforce https://help.salesforce.com/articleView?id=remoteaccessoauthjwt_flow.htm&type=0


    3 votes · 0 comments · Azure AD API
  19. [GRAPH API] $filter for /riskyUsers based on date so we can view changes in threat level in a timespan

    $filter for /riskyUsers based on date so we can view changes in threat level in a timespan

    2 votes · 0 comments · Azure AD API
  20. Provide a means of retrieving App registration permissions that have admin consent and be able to revoke consent for certain permissions

    Currently, the Azure AD API provides no means of retrieving which permissions have admin consent, or a means of revoking admin consent for a given permission.

    Supporting such actions shall allow for fine grained control of permissions in CI/CD pipelines and the extension of tools such as the terraform provider.

    2 votes · 1 comment · Azure AD API