Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Make SPN (non-interactive) login events logged and available

    Currently in Azure AD when using SPN (non-interactive) logins via code (.Net, Powershell, etc.) for automated processes (server to server communication/API) that interact with Azure, there is no event in Azure AD logs to show that this login has occurred. Please make this exposed in the logs in the same fashion that an interactive user login is logged. This is not only beneficial for troubleshooting, but more importantly from a security, compliance, and risk audit trail standpoint.

    176 votes
    24 comments  ·  Reporting
    started  ·  Azure AD Team responded

    We are working on this but we don’t have a public ETA to share at this time. We will keep you updated as we get closer.

  2. Add the ability to filter with an "Equals" or "Does Not Equal" operator in the Sign-in activity reports in the Azure Active Directory portal

    Currently, the filters for the Azure Active Directory "Sign-Ins" log only allow for filtering with values that equal the input. It would be beneficial to have the option to have the "does not equal" operator for this filtering so that the user could also filter out values that commonly occur in the log. Example: filter would be "Client app" DOES NOT EQUAL "Browser" ... or "Operating System" DOES NOT EQUAL "Windows 10" ... or "Location" DOES NOT EQUAL "US".

    19 votes
    2 comments  ·  Reporting
  3. please show "Users with Leaked Credentials" with a zero count even if there are none detected

    In the Azure Active Directory risk events section please show "Users with Leaked Credentials" with a zero count even if there are none detected.
    It would be ideal to set up a mail alert with this alert as well.

    The logic would be:
    If this alert shows up then we know it is working. If it doesn't show up then there is a problem with setup.

    11 votes
    0 comments  ·  Reporting
  4. Provide more detail in audit logs

    It would be good if some of the AzureAD audit log Activity categories had more detail, eg "Set Company Information" - that's all that is logged for this activity, with no detail into what property was changed.

    11 votes
    1 comment  ·  Reporting
  5. Fix signin resulttype 50053

    In your documentation you say that sign-in error ID 50053 is "Account is locked because the user tried to sign in too many times with an incorrect user ID or password." However, when I search for this error using Log Analytics I also get the description "Sign-in was blocked because it came from an IP address with malicious activity."

    Can this be fixed?

    10 votes
    4 comments  ·  Reporting
  6. expose tenant id in sign-in audit log

    Sign-in logs in Azure AD (and also in Graph) don't expose whether an access request was towards the user's tenant or towards another tenant where the user is a guest.
    Because of this, there is no way to differentiate between the 2 cases.
    As a result, IT security gets a lot of false alarms each time their users access any resource in another tenant.
    What they see is that their user signed in successfully to Teams, without any Conditional Access Policy applied, no MFA enforced, etc.
    There is no way to tell from the logs, that the user accessed another…

    9 votes
    0 comments  ·  Reporting
  7. Audit log

    Extend the audit logs to allow for retention for more than 30 days to 90 days.

    8 votes
    3 comments  ·  Reporting
  8. Adhere to ISO27001 compliance obligations for Office365

    Per https://servicetrust.microsoft.com , Microsoft's cloud services including Exchange Online adhere to ISO27001 and have been audited against ISO27001.
    However, I have been informed that there is no log generated when an end-user or customer signs out of their account: 'Customer is asking for a new feature, sign-out logs, that today is not supported.'

    Specifically, ISO27001 states in section 12:

    ISO 27001 – A.12.4 – Logging and Monitoring

    Objective: To record events and generate evidence.

    Control 12.4.1 A.12.4.1 Event logging – Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept and regularly reviewed.

    I contend that…

    6 votes
    2 comments  ·  Reporting
  9. Reporting of IP addresses blocked by Smart Lockout

    It would be beneficial if an admin could have insight into what IP addresses are being blocked by Smart Lockout. If a user is experiencing connectivity issues it would be nice to be able to query a report for their IP address to validate that Smart Lockout is not denying them access.

    5 votes
    0 comments  ·  Reporting
  10. Provide reporting around Passwordless Phone sign in

    Reporting/management on Passwordless phone sign in including who it's available to, who has enabled it, frequency of use, and management options to administratively enroll/unenroll users from it.

    4 votes
    0 comments  ·  Reporting
  11. Add filter for adfs server / mfa in Usage and Insights Report

    Within "Usage & insights | AD FS application activity" blade,

    Allow for filtering by ADFS Server and/or allow for grouping of servers reporting.

    Report on MFA used on app logins.

    3 votes
    0 comments  ·  Reporting
  12. Audit logs for azure ad policies

    Assigning Azure AD policy to service principal and application registration should be consistent from the audit log entry perspective. There are different types of policies and by info from Microsoft at some point they should be assigned to Service principals, i.e. HDR, and as they are assigned they create the entry into the Audit log (there is a different issue as those entries are generic and will not tell you what change was done on the service principal). On the other hand for the SAML1.1 type of policy, we were notified to assign the policy to App registration, and this activity is not…

    3 votes
    0 comments  ·  Reporting
  14. Add ability to filter out more than just startswith in Password Reset - Usage & Insights

    We have service accounts and accounts sourced from other sources that show up in Azure AD. We'd like to be able to see what accounts tied to just our permanent people have not registered for SSPR. Currently, you can only filter Name in the reporting with a StartsWith search. Please add the ability to filter by wildcards or EndsWith or even regular expressions.

    2 votes
    1 comment  ·  Reporting
  15. Display DEPARTMENT in Sign-ins Report and Filtering capability

    We need to be able to filter the Sign-In Activity Reports/Logs by the DEPARTMENT field. We are currently utilizing the DEPARTMENT field in a User's Profile in Azure AD to identify the user's organization and today, there is no way to filter those Activity logs using that field.

    Would be great to have the DEPARTMENT as one of the fields that is displayed in the report. Having a built-in filter for DEPARTMENT in the Portal would be even better.

    2 votes
    0 comments  ·  Reporting
  16. Alerting to non-admin mailboxes

    Current alerts of Azure AD can only be sent to Tenant administrators. As it is a good security practice not to use your administrative credentials in a production environment, it is not wise to use a mailbox either. So the request is to enable other email contacts that are not tenant administrators, or even distribution groups.

    This means that employees that are involved in the security process cannot really receive emails, without having one tenant administrator having forwarders on a mailbox (= also bad practice to have forwarders).

    Why using the workarounds cannot be used (use an admin account…

    2 votes
    0 comments  ·  Reporting
  17. Bring back "Sign-ins after multiple failures" report OR create a new policy to alert users/admins of when an account has been compromised.

    I have too many users whose accounts are getting targeted from foreign IP addresses. For example, no part of our business operates in China, thus I know all attempts to access a user's account from this region are malicious attacks. I can see when attempts are being made on an account, but I cannot see when a successful attack has been made.

    It would be fantastic to create a policy that will send out an email after x failed attempts within y minutes and 1 successful login.

    I believe you could previously view "Sign-ins after multiple failures" in Classic Azure,…

    2 votes
    0 comments  ·  Reporting
  18. Improve User Location or disable

    The location shown for most users is off by more than 300 km or 180 miles, making the feature more or less useless.

    2 votes
    1 comment  ·  Reporting
  19. Azure AD sign-in log was not recorded when it failed to sign-in to Office apps on Android

    Users tried to sign in to Office apps on Android, but the Azure AD sign-in log didn't record the app name; only sign-ins to the authentication broker showed up in Azure AD. From the Office apps, users saw these errors.

    Microsoft Office Hub (Prompts for 2FA on my device configured for Microsoft Authenticator):

    Cannot Complete Task. Office Encountered a Problem.

    Microsoft Edge (does not prompt for 2FA):

    We couldn’t sign you in. Please try again later

    Microsoft Excel (Prompts for 2FA on my device configured for Microsoft Authenticator):

    Can’t Complete Task. Office Encountered a Problem.

    Microsoft OneDrive (does not prompt for 2FA):

    We couldn’t…

    1 vote
    0 comments  ·  Reporting
  20. Azure Monitor / Action groups for Azure Active Directory Domain Services

    Enable the Action groups for AAD-DS Health Alerts. Currently it supports only email. We need to have action groups so we can integrate with our monitoring system.

    1 vote
    0 comments  ·  Reporting