Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. The proposed update to the Office 365 sign-on is not an improvement

    By removing the box around the Username and Password fields, you've made it less obvious they are fillable fields. I know it's fashionable to hide user interface elements as much as possible, but this is a user-hostile move. It should be immediately obvious which part of the screen is a fillable field, users should not have to hunt for it.

    4 votes  ·  0 comments  ·  Authentication
  2. Allow admins to force app passwords to expire after a certain number of days

    Currently, app passwords for non-web-based apps have no lifetime limit. We feel potentially unsafe: if a device is compromised, these credentials can be used. So we require an option that allows admins to force app passwords to expire after a certain number of days.

    4 votes  ·  1 comment  ·  Authentication
  3. The confirmation system by text or call is not working

    The system takes way too long to activate and makes it inconvenient to access webmail.

    4 votes  ·  0 comments  ·  Authentication
  4. third party initiated

    Support OpenID Connect third party initiated login, as described here: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin.

    Opening on behalf of a customer I just spoke to.

    4 votes  ·  unplanned  ·  1 comment  ·  Authentication
  5. "Guest users permissions are limited" setting description is wrong or doesn't work as expected in AAD Admin Center

    In Azure AD Admin Center, under Users and groups / User settings, there is an option to set "Guest users permissions are limited" to Yes.
    The description says: Yes means that guests do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory.
    But in fact, you can grant administrative roles to guests whether the setting is Yes or No. The description should be changed, or you should remove the option to assign an administrative role when the setting is Yes.

    4 votes  ·  0 comments  ·  Authentication
  6. Block legacy authentication (Clients) via Client app conditions

    Support blocking legacy auth via client conditions.

    4 votes  ·  1 comment  ·  Authentication
  7. "Don't ask me again for 14 days" Azure MFA feature for AD FS 2016

    In Azure AD cloud MFA, once primary authentication has completed, during the second authentication, there is the option to "don't ask me again for 14 days".

    Enable this feature for AD FS 2016 (v4) when the Azure MFA adaptor is configured.

    4 votes  ·  1 comment  ·  Authentication
  8. Force Apple to fix Safari certificate auth bug (Support ADFS Device Authentication)

    We really need Microsoft Corp. to fly to Cupertino and slap the guys responsible for the development of the Safari browser on macOS. :D
    It looks like the people at SAP gave up on Apple. This has been an issue for a long time now and we REALLY need a solution for this.

    Another approach would be to build some kind of mechanism/feature into ADFS that would not send a "Certificate Authentication Request" for a specific user-agent string (read: macOS + Safari). We have only seen the issue with Safari on macOS. Other browsers work like a charm.

    The fact that Apple…

    4 votes  ·  3 comments  ·  Authentication
  9. Add EventLog for login attempt using only blacklisted keyword

    Password blacklists will prevent someone from using an easy password containing exclusively blacklisted keywords. But if I want to catch bad guys on my network, I want to see when someone is trying Company123 or Winter2020 for several different users. This is password spraying.

    If we can add this short list of commonly guessed passwords to the password blacklist, I would then like to have an event logged when someone attempts to use one of them. If we see many of those events in a short period, the security team will need to investigate.

    3 votes  ·  0 comments  ·  Authentication
  10. Security Defaults: Verification code from mobile app or hardware token - need to allow

    According to the site, security defaults does not allow "Verification code from mobile app or hardware token".

    Given social engineering - and the limited effectiveness of UAC (people like to click notifications!) - allowing Verification Codes from mobile app or hardware token needs to be allowed as part of the security defaults.

    3 votes  ·  0 comments  ·  Authentication
  11. An unexpected error has occurred - Security Info

    Trying to add the authenticator app as one of my security verification methods, but when I click on the Security Info tab in my sign-in, it buffers for a little while and then shows "an unexpected error has occurred".

    3 votes  ·  2 comments  ·  Authentication
  12. Company Branding customization should allow removal of GitHub Sign-in option

    Azure AD P1 "Company Branding" should allow an option to remove 'GitHub' from the sign-in page.

    3 votes  ·  0 comments  ·  Authentication
  13. Policy setting to enforce client secret expiration on Apps/SPs

    It should be possible to have a policy setting that lets you set a lifetime for client secrets and certificates for apps and service principals.

    This would mean users will be forced to rotate certificates/secrets.

    3 votes  ·  0 comments  ·  Authentication
  14. make SSIS compatible with AAD

    Currently it is not possible to use SSIS with AAD. It works a little bit, but if SSIS opens too many connections in a specific time (how many? in which time?) then AAD closes the connections and access is denied.
    (Failed to authenticate AAD user; it encountered a loop; ...)
    SSIS doesn't support token caching; I think this is the main issue.

    But:
    SSIS is a Microsoft product and AAD is a Microsoft product.
    So please find a way to use SSIS in a stable way with AAD!
    If it is not possible to make SSIS compatible then…

    3 votes  ·  0 comments  ·  Authentication
  15. service principal

    There are no logs for service principal connections in Azure AD Sign-ins.

    If an SP secret is discovered, we can't determine from where and when the connection to Azure AD was made.

    Provide logs for service principal connections to Azure (Connect-AzAccount).

    We would also like to use Conditional Access with service principals to make restrictions based on location, like for user accounts.

    3 votes  ·  0 comments  ·  Authentication
  16. Full UPN is very difficult for younger students

    We switched our Chromebooks from Google Authentication to Azure authentication. When we had Google Authentication, the full UPN was not required. We could fill in the common end to the email address automatically. For us @wcdsb.ca

    With the Azure authentication, all users, including our kindergarten and grade 1's, have to type in the full user id and @wcdsb.ca

    This is very difficult for students and teachers. There should be a method to automatically fill in the end of the UPN.

    3 votes  ·  0 comments  ·  Authentication
  17. MFA app password

    1. What exactly we need is: if the account gets compromised, then while the user is resetting the password the app password also needs to be reset by default. Also, is there any option to get the popup/notification automatically while the user resets the password?

    2. Ideally the app passwords should vanish as soon as we disable MFA or reset passwords, so the user has to use a new password for all devices/apps.

    3 votes  ·  1 comment  ·  Authentication
  18. Make OIDC login_hint parameter adhere to spec when used with Azure AD

    Specifying a "login_hint" parameter during an OIDC login flow to Azure AD currently prevents the user from making changes to their username on the login screen.

    Per the spec (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) this is supposed to be a hint for what the user might use to log in.

    The current functionality causes some integration issues where an RP uses a username/email to know whether to redirect or not and wants to provide that username/email to the OP. This prevents the user from having to re-enter their email (good UX) but if it's unchangeable at the OP then it could lock…

    3 votes  ·  0 comments  ·  Authentication
  19. Logout from single AAD integrated app

    Currently, if a user logs out from any specific Azure AD integrated application, the user gets logged out from all cloud services opened in the same browser (e.g. the My Apps portal). So, if after logging out from an app the user goes back to the My Apps portal and clicks on another app tile, they get redirected to an Azure sign-in page instead of being seamlessly authenticated to this second app.

    Customers would like to have control over this logout action, in order to allow users to log out from a single application without affecting any previous or future AAD authentication.

    3 votes  ·  0 comments  ·  Authentication
  20. The post_logout_redirect_uri should handle custom schemes

    While signing in works fine with custom schemes of native mobile clients (e.g. msal<application-id>://auth as suggested in app registration), custom schemes do not work with post_logout_redirect_uri. There only https (and http://localhost) works.

    Please support custom schemes with post_logout_redirect_uri. This is a missing feature.

    Workaround:
    Set up a webpage that redirects to the target custom scheme.
    Use that webpage as the post_logout_redirect_uri.

    3 votes  ·  0 comments  ·  Authentication