Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Logout from Authenticator App

    Usually I use Microsoft Authenticator app for signing into my Outlook account (so NO password required).
    It would be great if we could log out from the Authenticator app itself, so it's like we can log in from the phone and log out from the phone itself. It gives a user better control.

    3 votes

    0 comments  ·  Authentication
  2. NIST 800-63B Digital Identity Guidelines

    Please update the password requirements to match both those of NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft https://www.microsoft.com/en-us/research/publication/password-guidance/.

    Also the ability to build a password blacklist.

    18 votes

    0 comments  ·  Authentication

    We’re well aware of the NIST 800-63B guidelines (and it’s my team that wrote that password whitepaper!). We’re currently making some foundational changes that should subsequently let us implement many or most of the password composition guidelines.

    As for a password blacklist, today we have a banned password list in place that prevents users from using known-bad words, phrases, and passwords. We also have a custom list feature that lets you define your own words and patterns. That’s in private preview today and we’re working to get it to public preview over the next few months.
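As an added illustration of the 800-63B approach the reply above describes (this is not Microsoft's implementation; the banned words and the substitution table are constructed for the example), a Python check that applies length bounds and a normalized banned-word screen instead of composition rules:

```python
import unicodedata

# Constructed stand-in for a tenant's custom banned-password list.
BANNED_WORDS = {"password", "welcome", "contoso", "summer", "qwerty"}

# Substitutions that attacker wordlists already cover, undone before comparing
# so that 'P@ssw0rd' is screened as 'password'. Table is illustrative.
_SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                                "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """NFKC-normalize, lower-case and undo common leetspeak substitutions."""
    return unicodedata.normalize("NFKC", password).lower().translate(_SUBSTITUTIONS)


def check_password(password: str, context_words=(), min_len=8, max_len=64):
    """Return the list of reasons a password is rejected (empty list = accepted).

    Follows the NIST 800-63B memorized-secret rules: a minimum length, a generous
    maximum, no composition rules, and a screen against banned and
    context-specific words (e.g. the username, passed in context_words).
    """
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        reasons.append(f"longer than {max_len} characters")
    norm = normalize(password)
    # Substring match: 'Password2024!' still contains the banned word.
    for word in BANNED_WORDS:
        if word in norm:
            reasons.append(f"contains banned word '{word}'")
    for word in context_words:
        if normalize(word) in norm:
            reasons.append(f"contains context-specific word '{word}'")
    if len(set(norm)) == 1:
        reasons.append("single repeated character")
    return reasons
```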

  3. AD Connect 654/ADFS Service Account bug?

    When setting up a 2nd (for Staging) AD Connect 1.1.654.0 at a customer, setup deadlocks at the "AD FS Service Account" pane. The customer has ADFS deployed, and successfully deployed the first AD Connect server (older version, later upgraded to 654). Now they want to install a 2nd one and get to the screen to pick the AD FS Service Account, but DOMAIN USERNAME is prefilled with the UPN of the account used. They can't authenticate now, because the field expects a DOMAIN\USERNAME format entry. Unfortunately, editing is disabled for this field, so the installation can't continue. The customer installed 649 now (which doesn't have this issue), then upgraded to 654.

    3 votes

    0 comments  ·  Authentication
  4. third party initiated

    Support OpenID Connect third party initiated login, as described here: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin.

    Opening on behalf of a customer I just spoke to.

    4 votes

    unplanned  ·  1 comment  ·  Authentication
  5. "Guest Users limited permission" setting description is wrong or doesn't work as expected in AAD Admin Center

    In Azure AD Admin Center, under Users and Groups / User settings, there is an option to set "Guest users permissions are limited" to YES.
    The description says: Yes means that guests do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory.
    But in fact, you can grant administrative roles to guests whether the setting is yes or no. The description should be changed, or you should remove the option to assign an administrative role when it is set to yes.

    4 votes

    0 comments  ·  Authentication
  6. password policy

    For cloud-only accounts, the current password policy in Azure AD restricts the use of the last used password ONLY. In my organization the general password policy guideline is to prevent use of the last 10 passwords. It would be a great feature if this were configurable. Would love to see this.

    13 votes

    1 comment  ·  Authentication
  7. Block legacy authentication (Clients) via Client app conditions

    Support blocking legacy auth via client conditions.

    4 votes

    1 comment  ·  Authentication
  8. Expose all the attributes available for dynamic device groups.

    This would allow easy separation between internal managed devices and BYO devices. Attributes such as IsManaged or DirSyncEnabled are not available even when creating advanced rules.

    11 votes

    4 comments  ·  Authentication
  9. OpenID Connect id_token is missing email claim

    The id_tokens issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) are missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?

    15 votes

    2 comments  ·  Authentication
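An added example, not part of the original post, showing how a relying party can inspect which identity claims an id_token actually carries before deciding how to look the user up. The sample token, its tenant id and all claim values are constructed; nothing here verifies a signature.

```python
import base64
import json

IDENTITY_CLAIMS = ("email", "preferred_username", "upn", "sub")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token(token: str) -> dict:
    """Return the payload claims of a compact-serialized id_token WITHOUT verifying it.

    Inspection only: a relying party must validate the signature against the
    issuer's JWKS and check iss, aud, exp and nonce before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def identity_claims_report(token: str) -> dict:
    """Report which user-identifying claims are present and which are absent,
    so an app can distinguish 'email scope granted but no email claim' from a
    token it cannot use at all (no sub)."""
    claims = decode_id_token(token)
    present = {c: claims[c] for c in IDENTITY_CLAIMS if c in claims}
    missing = [c for c in IDENTITY_CLAIMS if c not in claims]
    return {"present": present, "missing": missing, "has_email": "email" in claims}


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed sample token (alg 'none', empty signature) for offline use."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."


# Constructed sample shaped like a token that carries upn but no email claim.
# The issuer tenant id is a placeholder, not a real tenant.
SAMPLE_ID_TOKEN = make_unsigned_token({
    "iss": "https://sts.windows.net/{tenant-guid}/",
    "aud": "client-id-placeholder",
    "sub": "constructed-subject-identifier",
    "upn": "alice@contoso.example",
})
```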
  10. After logout user not redirected to application when using Microsoft private account for logging in

    We have an application that uses Microsoft private account configured as IdP. But when users log out they are not redirected to the application, though the logout URL is configured properly. This does not happen when we use Azure Active Directory. It happens only when private accounts are used for logging in.

    Test app url https://domsch.com/dib/dev.

    Click login -> click the Azure AAD button -> log in with a Microsoft private email. Once logged in, click logout. We will see that the user is not redirected back to the application, and when the application is accessed again the user is still logged…

    3 votes

    0 comments  ·  Authentication
  11. "Don't ask me again for 14 days" Azure MFA feature for AD FS 2016

    In Azure AD cloud MFA, once primary authentication has completed, during the second authentication, there is the option to "don't ask me again for 14 days".

    Enable this feature for AD FS 2016 (v4) when the Azure MFA adaptor is configured.

    4 votes

    1 comment  ·  Authentication
  12. have SAML AuthnRequest to include the username/email specified in Azure login forms

    When using any 3rd-party SAML IdP to federate Azure AD authentication, why don't you include the typed email (userID) from the Azure portal in the SAML AuthnRequest so that forms-based IdPs can prefill the username to streamline and simplify authentication? The specs allow a <saml:Subject> as an optional part of the AuthnRequest.

    8 votes

    1 comment  ·  Authentication
  13. Skipping account selection page in Azure AD v2 on consent

    Hello,
    We are using AD v2 implicit flow to authenticate a user from within SharePoint.
    The base URL is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=<>&client_id=<>&redirect_uri=<>&state=<>&nonce=<>&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.1&client-request-id=<>&response_mode=fragment

    Prompt consent in combination with domain hint for an organization does not seem to work correctly.
    Here are our observations with the following parameters:

    A. &prompt=none&domain_hint=organizations | Works correctly and uses the organisational account
    B. &prompt=consent&domain_hint=organizations | Does not work and restarts the user login process incl. re-entering email address
    C. &prompt=consent | Works correctly and gives the user selection of logged-in accounts

    We would like if scenario B would work the same…

    8 votes

    0 comments  ·  Authentication

    Thanks for filing this. I cannot reproduce this under any variety of circumstances. prompt=consent & domain_hint=organizations drops me on the account picker as expected.

    Please reach out if this still happens for you, and we’ll help debug the issue.

    Thanks,
    Azure Identity AuthN team.

  14. Allow HTTP Redirect URIs from private address spaces as well as localhost

    localhost is currently the only host allowed for non-SSL Redirect URIs in OAuth2 authentications. This prevents HTTP development testing among various computers within an organization, since any "localhost" setting in a Windows 10 hosts file is ignored.

    I therefore suggest that hosts for HTTP Redirect URIs be also allowed to be a non-public IP address: 192.168.x.x or 10.x.x.x.

    9 votes

    2 comments  ·  Authentication
  15. WHR Parameter: Make Azure AD recognise a tenant "SAML Entity ID" in whr

    The change I'm suggesting is to make AzureAD recognise a tenant's "SAML Entity ID" as a valid value for whr, in addition to the list of registered domains.

    Reason:
    When authenticating to a third party with AzureAD as the identity provider we provide them a SAML Entity ID of: https://sts.windows.net/{tenant-guid}/

    The third party is using AD FS. To avoid their home realm discovery page we can specify whr=https://sts.windows.net/{tenant-guid}/ in the URL we use.

    The third party then redirects back to https://login.microsoftonline.com/{tenant-guid}/wsfed?wa=wsignin1.0&wtrealm=....&whr=https://sts.windows.net/{tenant-guid}/

    The problem is our users who are already logged in to AzureAD are asked to start the login…

    3 votes

    0 comments  ·  Authentication
  16. Azure AD Connect - SSO- Without redirecting to login page- SPO

    Whenever a user tries to open an SPO deep link from an IE favorite, it redirects to the login page. How can we log in to SPO without the sign-in page / selecting an email ID?

    3 votes

    0 comments  ·  Authentication
  17. Authenticating wireless access points \ RADIUS through Azure AD

    I would like to see authenticating wireless access points \ RADIUS servers through Azure AD, not having to store user accounts in local Active Directory.

    1,095 votes

    91 comments  ·  Authentication

    Thanks for the feedback. We're currently reviewing this capability to see how we can support RADIUS auth on NPS specifically, for AAD Joined Windows 10 devices to authenticate to WiFi access points.

    If there are scenarios beyond the above, please provide the details in the comments.


    Ravi

  18. REMOTE DESKTOP SERVICES Windows 2012 R2

    I would like to set up Remote Desktop Services in Win2012R2 with MFA but authenticate to Azure AD; is this possible? I would like to avoid authenticating to on-prem domain controllers with S2S VPN. I have peering set up between the RDS VNet and the Azure AD VNet; please advise.

    2 votes

    0 comments  ·  Authentication
  19. Document a full list of the opaque AAD error codes for OAuth dance failure

    The simple OAuth codes are documented here:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-protocols-oauth-code#error-codes-for-authorization-endpoint-errors

    ...however, there is no single resource which lists all the possible error codes given in the error description such as AADSTS65005 & AADSTS65004

    Such a resource would allow developers to handle OAuth dance failures in an elegant manner and give end users a better UX.

    Some background on this question:
    https://twitter.com/dvdsmpsn/status/811537895542624256
    https://social.msdn.microsoft.com/Forums/en-US/6e4e16f1-7f37-431d-ac10-a94ca9a04ae4/document-a-full-list-of-the-opaque-aad-error-codes-for-oauth-dance-failure?forum=WindowsAzureAD

    I've started a list of error codes here:
    https://gist.github.com/dvdsmpsn/1d6569bcd9197a08707ae6d443f554e2

    Feel free to add to these in the comments :)

    8 votes

    1 comment  ·  Authentication
  20. Access Panel Extension for Edge Browser

    Edge supports browser extensions now. We should have an Access Panel browser extension for Edge!

    6 votes

    4 comments  ·  Authentication