Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Azure AD Domain Services SAM account

    For Single Sign On with Azure AD as the source for users to Azure AD Domain Services, is it possible to rewrite the SAM account to Azure AD? So the Azure AD joined-only devices do not generate a NetBIOS name/SAM account on login of a user, but get this information from Azure AD as well.
    Now we have issues with AADDS joined servers and applications with SSO.

    5 votes

    0 comments  ·  Authentication
  2. Microsoft app registration needs AAD/group ownership

    Currently app registrations created in apps.dev.microsoft.com are owned by a Microsoft account - entirely useless in an organisation. The only way to share ownership of an app registration is to share logon details. Please add the ability to create and manage app registrations amongst other users/groups (preferably AAD, not Microsoft accounts).

    5 votes

    0 comments  ·  Authentication
  3. Have SAML AuthnRequest include the username/email specified in Azure login forms

    When using any 3rd-party SAML IdP to federate Azure AD authentication, why don't you include the typed email (user ID) from the Azure portal in the SAML AuthnRequest so that forms-based IdPs can prefill the username to streamline and simplify authentication? The specs allow a <saml:Subject> as an optional part of the AuthnRequest.

    5 votes

    1 comment  ·  Authentication
  4. Allow HTTP Redirect URIs from private address spaces as well as localhost

    localhost is currently the only host allowed for non-SSL Redirect URIs in OAuth2 authentications. This prevents HTTP development testing among various computers within an organization, since any "localhost" setting in a Windows 10 hosts file is ignored.

    I therefore suggest that hosts for HTTP Redirect URIs be also allowed to be a non-public IP address: 192.168.x.x or 10.x.x.x.

    5 votes

    1 comment  ·  Authentication
  5. Document a full list of the opaque AAD error codes for OAuth dance failure

    The simple OAuth codes are documented here:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-protocols-oauth-code#error-codes-for-authorization-endpoint-errors

    ...however, there is no single resource which lists all the possible error codes given in the error description such as AADSTS65005 & AADSTS65004

    Such a resource would allow developers to handle OAuth dance failures in an elegant manner and give end users a better UX.

    Some background on this question:
    https://twitter.com/dvdsmpsn/status/811537895542624256
    https://social.msdn.microsoft.com/Forums/en-US/6e4e16f1-7f37-431d-ac10-a94ca9a04ae4/document-a-full-list-of-the-opaque-aad-error-codes-for-oauth-dance-failure?forum=WindowsAzureAD

    I've started a list of error codes here:
    https://gist.github.com/dvdsmpsn/1d6569bcd9197a08707ae6d443f554e2

    Feel free to add to these in the comments :)

    5 votes

    1 comment  ·  Authentication
  6. Support query parameters in Reply urls with Azure AD endpoint v2.0

    Azure AD endpoint 2.0 does not seem to support query parameters in the reply url.
    This is really useful to perform post login/logout action.

    http://stackoverflow.com/questions/37489964/custom-parameter-with-microsoft-owin-security-openidconnect-and-azuread-v-2-0-en

    5 votes

    0 comments  ·  Authentication
  7. Allow more than 150 groups to be returned in the SAML assertion

    As part of the SAML assertion of a user we get the groups from the Azure AD. But for some users that are in many groups (> 150) Azure AD does not send the list of groups.
    Please allow either more than 150 groups or enable an easy way to get all groups of a user.

    4 votes

    0 comments  ·  Authentication
  8. Direct federation with OpenID Connect IdPs

    At this time, direct federation in preview can be set up with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. Please extend this to OpenID Connect IdPs.

    4 votes

    1 comment  ·  Authentication
  9. Managed service identity for Automation Account

    Please add support for managed identity in Automation Accounts. We would like an easy and secure way to access Key Vaults from Automation Account runbooks.

    4 votes

    0 comments  ·  Authentication
  10. Allow a device to enroll under more than one organization for password-less phone sign-in

    In regard to password-less phone sign-ins, Azure AD evidently disallows a device to be enrolled with more than one organization.

    Known issue:

    "One of the prerequisites to create this new, strong credential, is that the device where it resides is registered within the Azure AD tenant, to an individual user. Due to device registration restrictions, a device can only be registered in a single tenant. This limit means that only one work or school account in the Microsoft Authenticator app can be enabled for phone sign-in."

    4 votes

    0 comments  ·  Authentication
  11. Text verification code doesn't work when accessing the internet from an airplane

    Text verification code doesn't work when accessing the internet from an airplane.

    4 votes

    0 comments  ·  Authentication
  12. Please add to the FAQ that UPN change is unsupported on device join for Win10 versions less than 1803. We do have a plan to back port that feature to RS3/RS2.

    We have several cases where a user changes their UPN and Hybrid AAD join breaks. They see IsAzureADUser:No and AzureADPrt:No. We can place a note or caution in the FAQ that UPN change is unsupported on device join for Win10 versions less than 1803 (RS4). We do have a plan to back port that feature to RS3/RS2.

    4 votes

    0 comments  ·  Authentication
  13. password

    I wish you could add an option to allow a higher character count password restriction for our firm. Ideally, we would want a minimum of 10 characters on the password of users in our domain. We have no on-prem AD.

    4 votes

    0 comments  ·  Authentication
  14. The proposed update to the Office 365 signon is not an improvement

    By removing the box around the Username and Password fields, you've made it less obvious they are fillable fields. I know it's fashionable to hide user interface elements as much as possible, but this is a user-hostile move. It should be immediately obvious which part of the screen is a fillable field, users should not have to hunt for it.

    4 votes

    0 comments  ·  Authentication
  15. Block legacy authentication (Clients) via Client app conditions

    Support blocking legacy auth via client conditions.

    4 votes

    1 comment  ·  Authentication
  16. "Don't ask me again for 14 days" Azure MFA feature for AD FS 2016

    In Azure AD cloud MFA, once primary authentication has completed, during the second authentication, there is the option to "don't ask me again for 14 days".

    Enable this feature for AD FS 2016 (v4) when the Azure MFA adaptor is configured.

    4 votes

    0 comments  ·  Authentication
  17. Force Apple to fix Safari certificate auth bug (Support ADFS Device Authentication)

    We really need Microsoft Corp. to fly to Cupertino and slap the guys responsible for the development of the Safari browser on macOS. :D
    It looks like the people at SAP have given up on Apple. This has been an issue for a long time now and we REALLY need a solution for this.

    Another approach would be to build some kind of mechanism / feature into ADFS that would not send a "Certificate Authentication Request" for specific user-agent strings (read: macOS + Safari). We have only seen the issue for Safari on macOS. Other browsers work like a charm.

    The fact that Apple…

    4 votes

    3 comments  ·  Authentication
  18. V2.0 Client Credentials Implement Scopes

    The current Azure AD v2.0 Client Credentials Grant doesn't formally support scopes.

    You have to pass in your application ID appended with .default (Not a scope) which then forces you down the permissions route. You also end up with roles in your token instead of scopes.

    In order to conform to the OAuth standard, scopes should be supported like they are in other grants/flows.

    It also makes it difficult to implement in our services as we have to support two completely different models.

    3 votes

    3 comments  ·  Authentication
  19. The post_logout_redirect_uri should handle custom schemes

    The post_logout_redirect_uri should handle custom schemes

    While signing in works fine with custom schemes of native mobile clients (e.g. msal<application-id>://auth as suggested in app registration), custom schemes do not work with post_logout_redirect_uri. There, only https (and http://localhost) works.

    Please support custom schemes with post_logout_redirect_uri. This is a missing feature.

    Workaround:
    Set up a webpage that redirects to the target custom scheme.
    Use that webpage as the post_logout_redirect_uri.

    3 votes

    0 comments  ·  Authentication
  20. Encrypted private key (PKCS#8) / PFX (PKCS#12) support in az cli for service principals

    As it stands there are a few methods to authenticate service principals with a private key and certificate using PKCS#12 files which are documented below:

    Using PowerShell on Windows - WORKS:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-powershell

    Using Terraform (azurerm 1.24.0) - WORKS:
    https://www.terraform.io/docs/providers/azurerm/auth/service_principal_client_certificate.html

    What does not work is using az cli with an encrypted RSA private key in either PKCS#8 or PKCS#12 format and az cli is meant to be the strategic cross-platform tool for administering Azure. I have tested the functionality with an Azure Support Engineer who was very helpful with the testing and explained the current position. The az-cli documentation for that…

    3 votes

    0 comments  ·  Authentication