Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. RBAC for AAD

    The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.
    Currently there's too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

    261 votes

    30 comments  ·  Role-based Access Control

    We have released a public preview of custom roles with support for a handful of permissions related to managing application registrations. We’re now working on support for enterprise application management permissions, and will continue to release more permissions iteratively over time.

    https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview

    We very much appreciate all of your feedback here. We’re not done yet, so please keep letting us know what you think and where we can improve.

    Regards,
    Vince Smith
    Azure Active Directory team

  2. AzureAD Role Delegation to Groups

    Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlets' RoleMemberType Parameter can be set to Group. But we always get an exception which says that this value is invalid....
    Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the Management much easier. To achieve a Role Delegation to Groups we have to deploy a Powershell that synchronizes Group-Members with Role-Members of a specific role. This is a valid Workaround but a nasty one compared to a direct delegation…

    254 votes

    39 comments  ·  Role-based Access Control
  3. Deny Access Control in the RBAC

    Please add the options below to RBAC.
    Disable inheritance.
    Deny.

    73 votes

    9 comments  ·  Role-based Access Control

    We recently added deny capability to Azure’s RBAC system, in the form of deny assignments that can be set by the system only. The first Azure feature to use deny is BluePrint. We intend to add a configurable deny capability in the future, but have not yet announced any details.

    Cheers,
    /Stuart and Balaji

  4. Custom Roles at the Management Group Level

    Please add the ability to define custom roles for Azure RBAC at the new Management Group level. Would like to be able to create custom roles and set the assignable scope to our root management group so that the role definition is available throughout our tenant.

    https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

    53 votes

    13 comments  ·  Role-based Access Control
  5. Support Inheriting Roles in Nested Groups

    Group 1
    Has a Role from my Application
    Has a Member called Group 2

    Currently, roles in nested groups are not transitive. If I am a member of Group 2 above, I do not have the Role granted to Group 1, even though Group 2 is a member of Group 2.

    I can't believe this is not implemented; I wasted 3 hours trying to figure this out.

    42 votes

    3 comments  ·  Role-based Access Control
  6. We need to be able to manage Azure AD helpdesk administration & other administration roles via on-prem AD groups

    One item I would like corrected / added as a feature.
    We need to be able to manage Azure AD helpdesk administration & other administration roles via on-prem AD groups. Currently we need to add users individually to each of the various roles. Helpdesk is a good example of this as many people come & go from this role & we need to add and remove users individually to the Azure AD Helpdesk administration role. If we had an AD group (example: Servicedesk AD group) with all members of the helpdesk in there, we would just have to manage this group…

    42 votes

    2 comments  ·  Role-based Access Control
  7. Admin-Delegation to AzureAD Partner Tenants for Azure Subscriptions - similar to O365 Admin Delegation

    Currently the Admin Access to an Azure Subscription can be delegated to individual Microsoft Accounts (MSA) or Users of the AzureAD Tenant which is assigned to the Subscription. Since we support our customers with their Azure Deployments, our employees need Access to the customer's Subscription. This is currently only possible by delegating Admin-Access to the employee's private MSA. If a Customer could delegate Admin-Access to our AzureAD Partner Tenant, it would be much easier for us and our customers. Moreover we would have the same experience as with 365...

    38 votes

    6 comments  ·  Role-based Access Control
  8. 36 votes

    1 comment  ·  Role-based Access Control
  9. Allow Applications to be added to AD Security Groups

    See https://stackoverflow.com/questions/47762262/add-aad-application-as-a-member-of-a-security-group

    Basically allow adding Service Principals (i.e. Applications) into AD Security Groups just like User Principals are allowed today.

    26 votes

    3 comments  ·  Role-based Access Control
  10. Users must not delete resource groups if they are not allowed to delete the resources.

    We created custom roles to allow another team to operate our environment. To avoid accidental deletion of data, we removed the delete action for several storage components, for example Data Lake Store Gen1.

    Unfortunately when deleting a resource group, it completely ignores the permissions on resource level. For example, I do not have deletion rights on ADLS, but I can still remove it, by deleting the whole resource group.

    Resource Groups are simple containers and restricting people on managing them on their own will have a huge impact. We will waste a lot of time to define processes and executing…

    25 votes

    1 comment  ·  Role-based Access Control
  11. RBAC permissions to see Application Gateway Backend Health

    The RBAC 'reader' and 'monitoring reader' roles do not allow users with those permissions to see the backend health.
    Error is: the client 'user' does not have authorisation to perform action '/Microsoft.Network/applicationGateways/backendhealth/action' over scope 'subscription...resourceGroups/providers/Microsoft.Network/applicationGateways/applicationgatewayane'
    Is it possible to modify the reader / monitoring reader permissions so that viewing the backend health status is allowed for those roles, and/or advise of a read-only role that allows this, as we don't want to grant users modify access to the application gateways just to enable them to see backend health.

    21 votes

    1 comment  ·  Role-based Access Control
  12. bitlocker recovery

    Delegate permission to view the Bitlocker recovery key to other roles than Global admins (e.g. Device administrators). Our clients guys are responsible for managing the devices, and they will support the end users.
    Or provide RBAC for Azure AD to build customer roles.

    20 votes

    2 comments  ·  Role-based Access Control
  13. Ability to add groups as Additional local administrators on Azure AD joined devices

    I want to be able to set staff members as local admins on their devices but can't add them one at a time like the current system allows. There are too many to maintain. Instead I would like the ability to point to a group and if the user is in the group, then they are a local admin on an Azure joined device.

    20 votes

    1 comment  ·  Role-based Access Control

    Hi, thank you for your feedback. We’re working on support for assigning Azure AD roles to groups, but we don’t have a definitive date yet for when we will release it. Having said that, it is a priority for us to be able to support this.

  14. Add Administrative Units to Azure AD Portal

    AU:s (Azure AD OUs) are only possible to administer in a convoluted way with Powershell today. Please make it possible to administer AU:s in the new modern Azure AD portal.

    15 votes

    6 comments  ·  Role-based Access Control
  15. Global Administrator - View Only Role

    Global Administrator - View Only Role that enables viewing all Azure Active Directory objects and attributes. This is needed by our Information Security/Audit department, which does not configure settings but needs to see the configuration for Audit purposes.

    14 votes

    4 comments  ·  Role-based Access Control
  16. Service Principal RBAC simulator

    When handling shared subscriptions and deploying certain third party services we require to have a Service Principal that follows the principle of least privilege.
    Nevertheless, after creating this intricate granular Service Principal, there is no proper way to test out its functionality. The only way to see if your SP works is by actually deploying your service and seeing where it fails, updating the SP and repeating.

    AWS offers IAM policy simulator that does the job in their case. Something similar would be very helpful to have to improve the deployment experience.

    14 votes

    0 comments  ·  Role-based Access Control
  17. Create role for MFA portal admin

    Create a role that can manage MFA portal. Currently only Global Admin has access to MFA portal.

    13 votes

    4 comments  ·  Role-based Access Control
  18. Azure Active Directory should support ABAC/CBAC/UBAC

    AAD currently supports role-based access control (RBAC), but it should natively support attribute-based, context-based, and user-based access control (ABAC/CBAC/UBAC) as well.

    12 votes

    0 comments  ·  Role-based Access Control
  19. Allow creation of custom directory roles in Azure AD

    Being able to create custom directory roles in Azure AD would allow Administrators to grant users custom tailored roles in Azure AD. One example would be allowing the security office in your organization access to the risky events and risky users tabs with the ability to close, reopen, or mark as false positive without having to give them permissions that they do not need. This essentially takes the idea of "least privileged roles" and expands it to allow for further customization.

    11 votes

    0 comments  ·  Role-based Access Control
  20. Identify deprecated accounts

    Security Center recommends: "Deprecated accounts should be removed from your subscriptions."
    Improve this recommendation by identifying the "deprecated accounts".

    11 votes

    1 comment  ·  Role-based Access Control