Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. AAD Token Life Time Policy - also look at the Return URL

    When we make a custom Azure AD policy for token lifetime, the Return URL functionality is not a part of the configuration.
    It would be nice if, when you are logged out of the application based on the Azure AD policy, Azure AD also looked at the return URL functionality (redirect). At this moment it's done by the web app, but with this new policy, the web app has nothing to do with it anymore.

    2 votes

    0 comments  ·  Authentication
  2. Block legacy authentication (Clients) via Client app conditions

    Support blocking legacy auth via client conditions.

    4 votes

    1 comment  ·  Authentication
  3. After logout user not redirected to application when using Microsoft private account for logging in

    We have an application that uses Microsoft private account configured as IdP. But when users log out they are not redirected to the application, though the logout URL is configured properly. This does not happen when we use Azure Active Directory. It happens only when private accounts are used for logging in.

    Test app url https://domsch.com/dib/dev.

    Click login -> click the Azure AAD button -> log in with a Microsoft private email. Once logged in, click logout. We will see that the user is not redirected back to the application, and when the application is accessed again the user is still logged…

    3 votes

    0 comments  ·  Authentication
  4. Standalone OAuth2 + non WebApp + No UserInteraction + Redirect always failing - How to get Auth Code ?

    I have created a dummy Outlook mail account:
    Username: arnab30dutta@outlook.com
    Password: wiproinfotechbt012
    Also registered my headless standalone Java app at https://apps.dev.microsoft.com/#/application/524f2f35-30ca-4497-9a58-654e431858ef (I don't require Spring Model or View, + all necessary consents allowed) using the above same user/password

    SpringBootMailRESTApiApp

    Application Id 7a1fff16-ef39-4299-a6b9-50d2b37924e4
    Pass 8wLwBic9Hxwj9f9e5hkjq9n
    Redirect URI https://USHYDARNDUTTA2.us.deloitte.com:8080/signin-microsoft

    The following URL, when tested with the RestClient Firefox add-on, works fine:

    https://login.live.com/oauth20authorize.srf?clientid=524f2f35-30ca-4497-9a58-654e431858ef&scope=openid+offlineaccess+profile+User.Read+Mail.Read+Calendars.Read+Contacts.Read&redirecturi=http%3a%2f%2flocalhost%3a8080%2fauthorize.html&responsetype=code+idtoken&state=717b3297-2692-4a3a-a22c-ade52010e24b&responsemode=formpost&nonce=adc6829c-c4c3-4895-818a-99e5f9574381&display=popup&uaid=94f304002ecd487cb72a708b8d14fb52&msproxy=1&issuer=mso&tenant=common&uilocales=en-US&loginhint=arnab30dutta%40outlook.com

    But the same doesn't work when hit from the Spring Boot app.
    The Redirect URI never receives any response.

    Code attached

    Plz Plz Plz provide a solution for how to get the Authorization Code?

    "I…

    3 votes

    1 comment  ·  Authentication
  5. Azure App registration making url not mandatory

    Currently, when registering an app with Azure, you need to enter either a Sign-on URL or a Redirect URI, depending on the type of application you pick.

    In my use case (which I believe to be quite broad in general), I don't have any URLs and just want some credentials that I can give to my automation script that manages Azure resources. In particular, I am using Ansible automation to automate management of Azure resources, but generally that could be anything.

    A longer description of the issue can be found here:
    https://stackoverflow.com/questions/46682708/azure-app-registrations-sign-on-url

    2 votes

    0 comments  ·  Authentication
  6. Pass Through Auth in ADconnect for Azure Government

    Support of PTA in Azure Gov meeting HSPD-12 mandates.

    17 votes

    1 comment  ·  Authentication
  7. Add Shibboleth to the set of authentication protocols

    At present Azure AD can authenticate to SaaS using SAML, OAuth etc. Many academic institutions use Shibboleth which is based on SAML. Currently this means that they have to maintain a separate Shibboleth service in addition to AD FS (if using that for authentication). If a Shibboleth service could be added to Azure AD this would reduce the hardware/software complexity on-site and allow more Universities to take advantage of the Cloud Identity provided by Azure. Shibboleth is generally used to access shared education services, journals and other shared services.

    48 votes

    under review  ·  15 comments  ·  Authentication
  8. Workable SSO integration

    Hi there

    We would really benefit from a Workable SSO integration.
    https://www.workable.com/

    1 vote

    0 comments  ·  Authentication
  9. New Sign-in experience UX prompt 'I sign in frequently on this device. Don't ask me to approve requests here' is misleading!

    Re-word the new sign-in experience UX prompt, as it is misleading: 'I sign in frequently on this device. Don't ask me to approve requests here'.

    In reality the tenant-set MFA configuration is enforced, which in our case is for a single day.

    I believe that the wording of the new sign-in prompt is highly misleading and should be altered, as this message implies looser security than is actually in place, which gives completely the wrong message to my users.

    My user base will also be of the opinion that Office 365 isn’t working correctly as the behaviour will…

    2 votes

    0 comments  ·  Authentication
  10. "Don't ask me again for 14 days" Azure MFA feature for AD FS 2016

    In Azure AD cloud MFA, once primary authentication has completed, during the second authentication, there is the option to "don't ask me again for 14 days".

    Enable this feature for AD FS 2016 (v4) when the Azure MFA adaptor is configured.

    4 votes

    1 comment  ·  Authentication
  11. Support credential roaming for Microsoft Workplace Join for non-Windows 10

    Add support for handling credential (Certificate) roaming in the "Microsoft Workplace Join for non-Windows 10" client for Windows 7.

    Either remove previous / old certificate or do not request a new certificate before expiration.

    https://technet.microsoft.com/en-us/library/cc770797(v=ws.11).aspx

    https://www.microsoft.com/en-us/download/details.aspx?id=53554

    2 votes

    1 comment  ·  Authentication
  12. Security Bug: Please Fix Bug Application Delegation Bug Lingering Active Directory Delegation

    If an application registration has Active Directory delegation, it does NOT remove the Active Directory delegation behind the scenes, even after removing all delegations.

    I need to remove all application delegations, save, and then add a new non-Active Directory delegation and save again in order to limit who can access the application and/or web service.

    This is an issue, as if there is any application that uses OAuth 2.0 and gets a token where the "audience" | "aud": "00000002-0000-0000-c000-000000000000", it will have access to any application without the restrictions of delegation rules if this lingering Active Directory access is behind the…

    1 vote

    0 comments  ·  Authentication
  13. Optional Automatic Fallback from PTA to PHS

    If the last PTA agent fails and the sync group has only invalid agents, there should be an optional configuration to start Password Sync automatically, if the admin chooses this, for truly HA with a local disaster (or internet connectivity failure). Also, sending a notification when the authentication endpoint fails would be great.

    35 votes

    3 comments  ·  Authentication
  14. Keep same element IDs on new Azure AD sign-in page

    As an automation tester, I want the credential input on the new Azure AD web-based sign-in page to be able to be found and used the same way as on the old page so that my scripts don't break.

    Currently, the old Azure AD web-based sign-in page has this for the username: <input id="creduseridinputtext" class="login_textfield textfield required email field normaltext" placeholder="username@egov.com" type="email" name="login" spellcheck="false" alt="username@egov.com" aria-label="User account" value="" autocomplete="off" aria-describedby="accessibleError">

    And this for the password: <input id="credpasswordinputtext" class="login_textfield textfield required field normaltext" placeholder="Password" spellcheck="false" aria-label="Password" alt="Password" type="password" name="passwd" value="" aria-describedby="accessibleError">

    Both of…

    2 votes

    0 comments  ·  Authentication
  15. Password policy

    For cloud-only accounts, the current password policy in Azure AD restricts the reuse of the last used password ONLY. In my organization the general password policy guideline is to prevent reuse of the last 10 passwords. It would be a great feature if this were configurable. Would love to see this.

    12 votes

    1 comment  ·  Authentication
  16. NIST 800-63B Digital Identity Guidelines

    Please update the password requirements to match both those of NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft https://www.microsoft.com/en-us/research/publication/password-guidance/.

    Also the ability to build a password blacklist.

    18 votes

    0 comments  ·  Authentication

    We’re well aware of the NIST 800-63B guidelines (and it’s my team that wrote that password whitepaper!). We’re currently making some foundational changes that should subsequently let us implement many or most of the password composition guidelines.

    As for a password blacklist, today we have a banned password list in place that prevents users from using known-bad words, phrases, and passwords. We also have a custom list feature that lets you define your own words and patterns. That’s in private preview today and we’re working to get it to public preview over the next few months.

  17. Expose all the attributes available for dynamic device groups.

    This would allow easy separation between internal managed devices and BYO devices. Attributes such as IsManaged or DirSyncEnabled are not available even when creating advanced rules.

    11 votes

    4 comments  ·  Authentication
  18. Restrict Groups List on Claims Identity to Only Groups (not directory roles)

    Amend the http://schemas.microsoft.com/ws/2008/06/identity/claims/groups claim of the user identity so that it only includes groups, not directory roles as well. (Or add a further groupMembershipClaims value to the manifest to show "GroupsOnly" or similar, in addition to the current "All" | "SecurityGroup" | null option)

    Currently if a user is in either the Global Administrator or Limited Administrator role, the ID of this role appears in the list of groups as well. See details on StackOverflow here: https://stackoverflow.com/questions/45215615/phantom-group-membership-in-azure-ad

    2 votes

    0 comments  ·  Authentication
  19. OAuth integration

    For integration with OAuth2, several solutions were tried both at the mobile application level (React Native) and at the backend level (Laravel).

    The problem we encounter with Laravel libraries is that they are focused on web applications, where the process includes a redirect to the Microsoft page to sign in. As we are running from a server, we would not have a way to make this redirect for the user. In Laravel we use Socialite, which is Laravel's own, and the OAuth 2 Client from the PHP League. In the research process in Microsoft forums, especially in this question (…

    2 votes

    0 comments  ·  Authentication
  20. Have the SAML AuthnRequest include the username/email specified in Azure login forms

    When using any 3rd-party SAML IdP to federate Azure AD authentication, why don't you include the typed email (user ID) from the Azure portal in the SAML AuthnRequest, so that forms-based IdPs can prefill the username to streamline and simplify authentication? The specs allow a <saml:Subject> as an optional part of the AuthnRequest.

    7 votes

    1 comment  ·  Authentication