Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. AD Connect 654/ADFS Service Account bug?

    When setting up a 2nd (staging) AD Connect 1.1.654.0 at a customer, setup deadlocks at the "AD FS Service Account" pane. The customer has ADFS deployed and successfully deployed the first AD Connect server (an older version, later upgraded to 654). Now they want to install a 2nd one, get to the screen to pick the AD FS Service Account, but the DOMAIN\USERNAME field is prefilled with the UPN of the account used. They can't authenticate now, because the field expects a DOMAIN\USERNAME format entry. Unfortunately, editing is disabled for this field, so the installation can't continue. The customer installed 649 for now (which doesn't have this issue), then upgraded to 654.

    3 votes
    0 comments  ·  Authentication
  2. Enable controlling Legacy Activation Client by Conditional Access on Azure AD.

    Enable controlling Legacy Authentication Clients by Conditional Access on Azure AD.
    (Handling legacy authentication clients that do not support modern authentication in Azure AD Conditional Access)

    At present, the major way to control this is by using AD FS claim rules.
    Furthermore, it would be great if the feature were able to control "Legacy Authentication Clients", especially for users not compatible with modern authentication, even from the Azure Management Portal.
    I believe this implementation will help users reduce the time and effort needed for management operations.

    Thank you for your consideration.
    ------------------------------------------------
    (translated from Japanese)
    Control via AD FS claim rules is common, but we would like a feature added so that legacy authentication clients can also be controlled from the Azure management portal.
    The background for this request is reducing the management burden on users.

    3 votes
    need-feedback  ·  2 comments  ·  Authentication
  3. third party initiated

    Support OpenID Connect third party initiated login, as described here: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin.

    Opening on behalf of a customer I just spoke to.

    3 votes
    unplanned  ·  1 comment  ·  Authentication
  4. "Guest Users limited permission" setting description is wrong or doesn't work as expected in AAD Admin Center

    In Azure AD Admin Center, under Users and Groups / User settings, there is an option to set "Guest users permissions are limited" to YES.
    The description says: Yes means that guests do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory.
    But in fact, you can grant administrative roles to guests whether the setting is Yes or No. The description should be changed, or you should remove the option to assign administrative roles when it is set to Yes.

    3 votes
    0 comments  ·  Authentication
  5. Standalone OAuth2 + non WebApp + No UserInteraction + Redirect always failing - How to get Auth Code ?

    I have created a dummy Outlook mail account:
    Username: arnab30dutta@outlook.com
    Password: wiproinfotechbt012
    I also registered my headless standalone Java app at https://apps.dev.microsoft.com/#/application/524f2f35-30ca-4497-9a58-654e431858ef (I don't require the Spring Model or View; all necessary consents allowed) using the same user/password as above.

    SpringBootMailRESTApiApp

    Application Id 7a1fff16-ef39-4299-a6b9-50d2b37924e4
    Pass 8wLwBic9Hxwj9f9e5hkjq9n
    Redirect URI https://USHYDARNDUTTA2.us.deloitte.com:8080/signin-microsoft

    The following URL, when tested with the RestClient Firefox add-on, works fine:

    https://login.live.com/oauth20_authorize.srf?client_id=524f2f35-30ca-4497-9a58-654e431858ef&scope=openid+offline_access+profile+User.Read+Mail.Read+Calendars.Read+Contacts.Read&redirect_uri=http%3a%2f%2flocalhost%3a8080%2fauthorize.html&response_type=code+id_token&state=717b3297-2692-4a3a-a22c-ade52010e24b&response_mode=form_post&nonce=adc6829c-c4c3-4895-818a-99e5f9574381&display=popup&uaid=94f304002ecd487cb72a708b8d14fb52&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&login_hint=arnab30dutta%40outlook.com

    But the same doesn't work when hit from the Spring Boot app.
    The redirect URI never receives any response.

    Code attached.

    Please, please, please provide a solution: how do I get the Authorization Code?

    "I need the Redirect To Work and fetch the code without…

    3 votes
    1 comment  ·  Authentication
  6. SVG Login Buttons

    Branding guidelines are available which offer up login buttons to be used in web applications that use Azure AD for authentication. The branding guidelines are here:

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-branding-guidelines

    The buttons on that page are PNGs. It would be good to publish SVG versions of these buttons, as many web apps incorporate SVGs rather than binary files served up statically.

    3 votes
    0 comments  ·  Authentication
  7. Custom Attribute for Cloud Only users

    I recently had an issue where I was populating customattribute1 on Exchange Online Cloud Only user mailboxes. I wanted to leverage that field to pass the customattribute value to a SaaS provider which had a requirement for a unique id. There is no field to enter a unique id in Azure AD. My request would be to allow a custom attribute field that is not dependent on Exchange Online, since it has been found via support that the Exchange Online team, by design, does not pass those values for Cloud Only users.

    3 votes
    0 comments  ·  Authentication
  8. Please document how to perform logout

    AAD documentation is awesome in general. How to authorize the user is documented very well. But there is no documentation at all on how to log out.

    3 votes
    0 comments  ·  Authentication
  9. Support certificate authentication in MyApps for iOS

    I would like to be able to log into MyApps using ADFS and certificate authentication. I can log in using Safari with certificates, but I cannot use the native MyApps application on iOS.

    3 votes
    0 comments  ·  Authentication
  10. More Granularity in Conditional Access: Session Controls for Sign-In Frequency

    The Sign-In Frequency session control can only be set in hours and days. I would like to see minutes as an available option as well. There could be a situation where a user closes a sensitive application but does not close the browser and walks away, where someone else could tailgate in on that session.

    2 votes
    0 comments  ·  Authentication
  11. Lock sign-in to specific country/region on a per user basis

    Just like the credit card companies allow you to lock/unlock your credit card for use in different regions/countries, it would be great if users could allow/disallow sign-in from different regions/countries.

    Like a per-user conditional access...

    2 votes
    0 comments  ·  Authentication
  12. option to show group name in groups claims

    Ability to enable group names to be visible in the "groups" claim when groupMembershipClaims is enabled, or via the SSO options.

    2 votes
    0 comments  ·  Authentication
  13. Full UPN is very difficult for younger students

    We switched our Chromebooks from Google authentication to Azure authentication. When we had Google authentication, the full UPN was not required. We could fill in the common end of the email address automatically. For us, that is @wcdsb.ca.

    With Azure authentication, all users, including our kindergarten and grade 1 students, have to type in the full user id and @wcdsb.ca.

    This is very difficult for students and teachers. There should be a method to automatically fill in the end of the UPN.

    2 votes
    0 comments  ·  Authentication
  14. Show the URL that is missing when getting "missing, misconfigured, or does not match reply addresses configured for the application" error

    We have had a number of occasions where we get the "missing, misconfigured, or does not match reply addresses configured for the application" error when using our own applications with AAD as the IdP.

    Sometimes this requires extensive investigation to figure out the offending URL (whether it is missing, a typo, or syntax error).

    What would be handy is if the error gave administrators the offending URL to help direct the investigations.

    If there is a way of exporting this already, it would be great to understand how.

    2 votes
    1 comment  ·  Authentication
  15. Make OIDC login_hint parameter adhere to spec when used with Azure AD

    Specifying a "login_hint" parameter during an OIDC login flow to Azure AD currently prevents the user from making changes to their username on the login screen.

    Per the spec (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), this is supposed to be a hint for what the user might use to log in.

    The current functionality causes some integration issues where an RP uses a username/email to know whether to redirect or not and wants to provide that username/email to the OP. This prevents the user from having to re-enter their email (good UX) but if it's unchangeable at the OP then it could lock…

    2 votes
    0 comments  ·  Authentication
  16. allow fido2 or oauth device to be the default authentication factor instead of the mobile app

    When testing the FIDO2 authentication key, I noticed that most web services redirected to the mobile app
    even though no authenticator had been configured.
    This renders logon impossible on aka.ms/mfasetup, for example...
    So it's not usable for corporate users that don't want to use their mobile...

    I tried to set it as the default, but only the authenticator app could be selected. I called support, who told me to open a feature request.

    2 votes
    0 comments  ·  Authentication
  17. Logout from single AAD integrated app

    Currently, if a user logs out from any specific Azure AD integrated application, the user gets logged out from all cloud services opened in the same browser (e.g. the My Apps portal). So, if after logging out from an app the user goes back to the My Apps portal and clicks on another app tile, they get redirected to an Azure sign-in page instead of being seamlessly authenticated to this second app.

    Customers would like to have control over this logout action, in order to allow users to log out from a single application without affecting any previous or future AAD authentication.

    2 votes
    0 comments  ·  Authentication
  18. Honour redirectUrl parameters when using MyApps password-based SSO

    Currently, when you configure an Enterprise Application to use password-based SSO, there is a flaw in the MyApps extension: when you click on a deep link to the application (i.e. via email, SharePoint, etc.), the app will redirect you to its login page. If you just entered your username and password here, it would then most likely redirect you back to your original deep-link page.

    With MyApps, when you click on the deep-link URL, you are redirected to the app login page, whereupon the MyApps extension will recognise you have credentials for this site and prompt you to log in automatically.…

    2 votes
    1 comment  ·  Authentication
  19. AADLogin for Oracle Linux

    Add support for Oracle Linux for AADLogin.

    Thank you.

    2 votes
    0 comments  ·  Authentication
  20. Authentication does not work via SMS

    Please choose your SMS service provider better, as SMS clearly does not work properly: codes are not delivered to the cell phone via SMS.

    2 votes
    0 comments  ·  Authentication