Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Azure Active Directory Seamless Single Sign-On - Multi-tenants in a single forest hosting environment.

    We have multi-tenants in a single forest hosting environment synchronizing different customers (each in a different OU) to their own O365/Azure AD tenant account. At the current moment, Seamless Single Sign-On only supports one O365/Azure AD tenant for sign on in the current setup we have. This is due to a computer created called AZUREADSSOACC in Windows AD. We want to adopt the Seamless Single Sign-On but as it only supports one O365/Azure AD tenant for sign on we cannot use it.

    12 votes
    under review  ·  3 comments  ·  Authentication
  2. Configuration of SAML 2.0 responses - hash algorithm (SHA1 v SHA256), message signing

    Are there any plans to add further configuration options to the AAD SAML 2.0 functionality?

    When acting as an IdP in a SAML 2.0 federation, unlike ADFS, there does not appear to be any options to customize the SAMLResponse which is returned to the Relying Party.

    The options that I'm particularly interested in are:

    - The ability to define the "Secure Hash algorithm" to be either SHA1 or SHA256 - as per this previous post - http://feedback.azure.com/forums/169401-azure-active-directory/suggestions/4762132-customizable-token-signing-hash-algorithm-sha256- many Service Providers only support SHA1 - meaning it is not currently possible to federate with these systems.

    - Message & Assertion signing…

    12 votes
    1 comment  ·  Authentication
  3. Windows Hello for Business in AAD/AD Hybrid too complicated for SMB

    Currently the process to enable Azure AD-joined users to authenticate to on-premises systems is complex and requires multiple servers and specialized expertise. Can we enable a simplified approach to enabling Hybrid environments to support Azure-AD Joined Windows 10 using Windows Hello for Business without complicated Key Trust or Certificate Trust implementations, or at least simplify the setup of those environments so that SMB may easily accomplish this?

    10 votes
    0 comments  ·  Authentication
  4. Enable more granular password policy

    The options for configuring the password policy are currently not very flexible.
    Many organisations have security policies that are more complex than what can be enforced with on-prem AD, necessitating 3rd party software.
    Within Azure, the password policy options are even less flexible than on-prem AD.
    For example, allow the valid character set with a regular expression.

    10 votes
    0 comments  ·  Authentication
  5. Azure AD SAML Claims Rules and import Service Provider metadata

    Most customers of O365 have an on-premises AD to connect ADFS to... we don't. We only have our Azure AD. We would really like to have the ability to use more full featured ADFS services from Azure AD, for instance some applications we want to connect to can only receive NameID so the ability to transform SAM Account Name to NameID would be very helpful. Further - importing the metadata from a SAML service provider would complete the circle and allow a more complete set of Azure AD app SSO services.

    10 votes
    2 comments  ·  Authentication
  6. Support Device Authentication for Firefox

    Today Device Authentication is supported for Edge, IE and Chrome (Windows 10 Accounts Extension).
    For other browsers, especially Firefox, there is no support for Device Authentication.
    It would be great if Firefox users could also benefit from Device Authentication.

    9 votes
    2 comments  ·  Authentication
  7. Verification without a cell phone

    There should be a way to verify w/o a phone. I was recently working remote and my phone died. I was unable to work. Seems like an alternative should be available for such occasions.

    9 votes
    3 comments  ·  Authentication
  8. Allow use of the 'Keep Me Signed In' prompt when Azure Seamless SSO is enabled.

    If a user had selected the 'Keep Me Signed In' option after login, prior to Azure Seamless SSO being enabled - the experience is great. They are seamlessly signed in with no need to verify their email address.

    If a user had not selected 'Keep Me Signed In' option after login, prior to Azure Seamless SSO being enabled - the experience is poor. Any time they access a web app they are prompted to pick an account, after which there is no prompt or opportunity to select 'Keep Me Signed In'.

    Please bring this feature on-board when Azure Seamless SSO…

    9 votes
    1 comment  ·  Authentication
  9. Use nested functions in SAML Token Attributes for SSO

    Please allow the capability to use nested functions join(extractmailprefix([mail]),'some string') for SAML Token Attributes.

    The above nested function is already available for "User Identifier" but is not available for all other SAML Token Attributes.

    It would be supremely beneficial to use join() and extractmailprefix([mail]) together to craft SAML responses that show possible alias email addresses for a user.

    9 votes
    1 comment  ·  Authentication
  10. post_logout_redirect_uri Error Stuck On Office365 Azure OAuth2 Logout Event

    I have an application on MS Azure that uses Office 365 authentication.
    When my app accesses the logout protocol like this below:
    https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={my_redirect_uri}

    It should normally log out all the user's MS login sessions, then redirect me to {post_logout_redirect_uri} when the session is there and I log out.
    The case happens when I have already logged out of my account from other MS apps (e.g. Outlook), **the session is already destroyed now**, and then my application accesses the URI above (line 3):
    The bug is that it doesn't redirect me, and gets stuck at a page that says "You signed out of your account. It's a good idea to close…

    8 votes
    2 comments  ·  Authentication
  11. Make the My Apps Secure Sign-in Extension available in Safari

    It works well in Chrome, Edge and Firefox but 50% of our users are using Safari as their preferred browser. This is currently preventing us from deploying Password-Based SSO for some of our apps.

    8 votes
    0 comments  ·  Authentication
  12. Expose all the attributes available for dynamic device groups.

    This would allow easy separation between internal managed devices and BYO devices. Attributes such as IsManaged or DirSyncEnabled are not available even when creating advanced rules.

    8 votes
    4 comments  ·  Authentication
  13. Skipping account selection page in Azure AD v2 on consent

    Hello,
    We are using AD v2 implicit flow to authenticate a user from within SharePoint.
    The base url is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=<>&client_id=<>&redirect_uri=<>&state=<>&nonce=<>&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.1&client-request-id=<>&response_mode=fragment

    Prompt consent in combination with domain hint for an organization does not seem to work correctly.
    Here are our observations with the following parameters:
    A. &prompt=none&domain_hint=organizations | Works correctly and uses the organisational account
    B. &prompt=consent&domain_hint=organizations | Does not work and restarts the user login process incl. re-entering email address
    C. &prompt=consent | Works correctly and gives the user selection of logged-in accounts

    We would like scenario B to work the same as A, taking the user directly…

    8 votes
    0 comments  ·  Authentication

    Thanks for filing this. I cannot reproduce this under any variety of circumstances. prompt=consent & domain_hint=organizations drops me on the account picker as expected.

    Please reach out if this still happens for you, and we’ll help debug the issue.

    Thanks,
    Azure Identity AuthN team.

  14. password policy

    For Cloud Only Accounts, the current Password Policy in Azure AD restricts the use of the last used password ONLY. In my organization the general Password policy guideline is to prevent use of the last 10 Passwords. This would be a great feature if this can be configurable. Would love to see this.

    7 votes
    0 comments  ·  Authentication
  15. Azure SSO SAML Token to support selective attributes encryption

    Support selective attribute (first name, last name, unique ID, etc.) encryption in the SAML token for SSO. This is a requirement for all applications to which the user identity information is NOT to be sent in clear text but rather encrypted.

    6 votes
    0 comments  ·  Authentication
  16. We need the ability to disable the “Show option to remain signed in” for specific users

    At this moment the only workaround for this issue is to hide the prompt for users by using the “Show option to remain signed in” setting in company branding, which would hide it for our whole tenant, and thus hide it from ALL users. We want to hide this just for specific users.

    6 votes
    0 comments  ·  Authentication
  17. Bug: Malformed OAuth 2.0 access token response

    # Steps to reproduce

    Request an access token by following the instructions at [Request an access token].

    # Expected

    `expires_in` is a number, as in [the example] and [RFC 6749]:

    "expires_in": 3599,

    # Actual

    `expires_in` is a string:

    "expires_in": "3599",

    [Request an access token]: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-access-token
    [RFC 6749]: https://tools.ietf.org/html/rfc6749#section-5.
    [the example]: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#successful-response-1

    6 votes
    3 comments  ·  Authentication
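Added here as an example, not code from the report above or from Microsoft's own SDKs: a small Python parser that accepts both the numeric `expires_in` RFC 6749 specifies and the string-typed `expires_in` the report describes, rejects anything else, and turns the lifetime into an absolute expiry. The sample responses are constructed, and the 60-second clock-skew margin is an assumption.

```python
"""Parse an OAuth 2.0 token response (RFC 6749 section 5.1) while tolerating
an expires_in that arrives as a JSON string instead of a number."""
import json
import re
import time

# Constructed sample responses (not captured from a real tenant): the
# spec-conformant shape and the string-typed shape the report describes.
SPEC_RESPONSE = '{"token_type": "Bearer", "expires_in": 3599, "access_token": "tok.example"}'
STRING_RESPONSE = '{"token_type": "Bearer", "expires_in": "3599", "access_token": "tok.example"}'

def normalize_expires_in(value):
    """Return expires_in as a non-negative int from either an int or a digit string."""
    # bool subclasses int in Python, so reject it explicitly; floats, negatives
    # and non-numeric strings are rejected too, so a malformed response fails
    # closed instead of yielding a token with a bogus lifetime.
    if isinstance(value, bool):
        raise ValueError("expires_in must not be a boolean")
    if isinstance(value, str):
        if not re.fullmatch(r"[0-9]+", value):
            raise ValueError(f"expires_in is not a decimal integer: {value!r}")
        value = int(value)
    if not isinstance(value, int) or value < 0:
        raise ValueError(f"expires_in out of range: {value!r}")
    return value

def is_valid_expires_in(value):
    """True if normalize_expires_in accepts the value, False if it rejects it."""
    try:
        normalize_expires_in(value)
        return True
    except ValueError:
        return False

def parse_token_response(body, now=None, skew=60):
    """Validate the response and compute an absolute expiry timestamp."""
    # skew seconds come off the lifetime so the client refreshes before the
    # server-side expiry, absorbing clock drift between the two sides (assumed 60s).
    data = json.loads(body)
    for key in ("access_token", "token_type"):
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError(f"missing or invalid {key}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unsupported token_type {data['token_type']!r}")
    lifetime = normalize_expires_in(data["expires_in"]) if "expires_in" in data else None
    now = time.time() if now is None else now
    expires_at = None if lifetime is None else now + max(lifetime - skew, 0)
    return {"access_token": data["access_token"], "expires_in": lifetime, "expires_at": expires_at}
```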
  18. Add Support to Azure AD Connect PTA for Integrated Windows Authentication

    We moved from AD FS to Pass Through Authentication which turned out to not support IWA. We have several SQL jobs and users connecting to Azure Servers/DB's using IWA in SSMS which no longer works as it is supported only in a federation flow. Unfortunately due to this we had to back out of our PTA implementation. While there is a workaround in SSMS using an alternative authentication method, there isn't anything for our SQL jobs. We confirmed this with Microsoft when we opened a support case.

    6 votes
    0 comments  ·  Authentication
  19. Access Panel Extension for Edge Browser

    Edge supports browser extensions now. We should have an Access Panel browser extension for Edge!

    6 votes
    3 comments  ·  Authentication
  20. option to show group name in groups claims

    Ability to enable group names to be visible in the "groups" claim when groupMembershipClaims is enabled or via the SSO options.

    5 votes
    0 comments  ·  Authentication