Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Dynamic Groups: Member of group

    Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.

    Example:
    (user.objectId -memberOf group.objectId)
    (user.objectId -notMemberOf group.ObjectId)

    Use case 1 - Group Based Licensing.
    If the user is member of a group that gives them a E5 license, don't let them be member of a group that gives them E3.

    Use case 2 - Exceptions
    All users should have a MDM policy applied, except those of a specific group.

    578 votes
    33 comments  ·  Groups/Dynamic groups

    Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.

    Chen

  2. Ability to trigger a dynamic group update

    It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show, and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a PowerShell applet that can be run.

    201 votes
    32 comments  ·  Groups/Dynamic groups

    Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

  3. Enable support for dynamic mail-enabled security groups

    Dynamic security groups are great, mail-enabled groups are great too; wouldn't it be great to have both? We have a requirement to create security groups (or distribution groups) based on employee attributes (i.e. Active Full-time, Active Part-time, etc.). These attributes live in Azure AD but aren't accessible in Exchange Online, so I cannot create a dynamic distribution group. I am able to create a mail-enabled security group but the membership cannot be dynamic. And any dynamic group I create can't be mail-enabled unless it's a unified group, but for the purposes we need the groups for, Unified groups aren't appropriate.…

    168 votes
    28 comments  ·  Groups/Dynamic groups
  4. group naming policy using extension attributes

    Please implement additional functionality to allow the use of Extension Attributes as part of a Group Naming Policy. This is required as the Department name is too large and many organisations have a shortened department code which they apply via an Extension Attribute. Using a long department name in a Group Naming Policy creates names that are too long to be useful, but using a shortened department code plus group name means that the group can be easily identified and attributed to a department without cluttering the name space.

    e.g. Information and Communication Technology has a short code of ICT…

    149 votes
    14 comments  ·  Groups/Dynamic groups
  5. Support for multi-valued attributes synchronized from on premises AD

    AD Connect supports synchronizing multi-valued attributes to AAD.
    However, AAD doesn't support multi-valued attributes synchronized from on premises AD.

    Would be great to have this supported so that for example Dynamic Groups can use multi-value attributes for group membership rules.

    104 votes
    22 comments  ·  Groups/Dynamic groups
  6. office 365 group expiration

    Within the Office 365 Group Expiration setup there should be a way to set it such that all groups *except* specific ones are subject to the expiration setting. As it stands now it's the other way around: all groups or only the selected ones. In an environment where users are permitted to create their own groups (something I was told even Microsoft allows) you really need the expiration feature enabled by default. But there are certainly use cases where as an admin you will want specific groups exempted from this setting.

    59 votes
    1 comment  ·  Groups/Dynamic groups
  7. Enable "Owner" attribute for Group Object on Azure AD Connect Sync

    Currently, the group owner on Azure AD Portal is mapped to "Owner" attribute while the Office 365 Admin Portal is mapped to "ManagedBy". For a group which is synced from local AD to the AAD via AAD Connect, there is no way to update the "Owner" attribute on Azure AD.

    The AAD Connect does not support "Owner" attribute for sync and we can't assign "Owner" on Azure AD as it is a synced object.

    So to resolve this issue, the "Owner" attribute should be supported as an attribute for sync on the Azure AD Connect.

    45 votes
    under review  ·  2 comments  ·  Groups/Dynamic groups
  8. Dynamic Groups based on device Compliance

    Can we add the "isCompliant" value to the device dynamic groups. This would allow for policies (like WiFi settings or certificates) within Intune to only be available to devices that are deemed compliant.

    My scenario is I want certificates to be removed from a device if it becomes non-compliant so it can't access the WiFi or VPN. I can target the policy at only the "isCompliant -eq true" dynamic group, so once they are non-compliant, they get removed from the dynamic group.

    44 votes
    7 comments  ·  Groups/Dynamic groups
  9. Add group as owner on Azure AD Application and Service Principal

    When managing Application and Service Principal objects in Azure Active Directory, it's difficult to provide granular access controls.

    Azure currently supports adding "Users" as Owners through the Azure Portal, and we can also assign other "Service Principals" as Owners using PowerShell (or by creating the new SPN with an existing SPN), however it's not possible to add a Group.

    When you try to do this, you get the following error message:

    ###############################
    PS C:\> Add-AzureADApplicationOwner -ObjectId <removed> -RefObjectId <removed>
    Add-AzureADApplicationOwner : Error occurred while executing AddApplicationOwner
    Code: Request_BadRequest
    Message: The reference target 'Group_<removed>' of type 'Group' is invalid for the…

    32 votes
    1 comment  ·  Groups/Dynamic groups
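
Added example (not from the post above and not Microsoft's code): a PowerShell stand-in for "group as owner" that mirrors the users of a group, nested groups expanded, onto an application's owner list, since the directory rejects a Group reference as the post shows. It assumes Connect-AzureAD has been run by someone allowed to change application owners; the application and group object IDs are parameters you supply.

```powershell
# Added example, not from the UserVoice thread. Mirrors the (recursively
# expanded) user members of a group onto an Azure AD application's owners.
# Assumes Connect-AzureAD has already been run with rights to edit owners.
param(
    [Parameter(Mandatory)][string]$AppObjectId,
    [Parameter(Mandatory)][string]$GroupObjectId,
    [switch]$RemoveOthers   # also drop user owners who are not in the group
)

# Walk nested groups once each; emit only User objects.
function Get-UserMembersRecursive {
    param([string]$Id, [System.Collections.Generic.HashSet[string]]$VisitedGroups)
    $VisitedGroups.Add($Id) | Out-Null
    foreach ($m in Get-AzureADGroupMember -ObjectId $Id -All $true) {
        if ($m.ObjectType -eq 'User') {
            $m
        } elseif ($m.ObjectType -eq 'Group' -and -not $VisitedGroups.Contains($m.ObjectId)) {
            Get-UserMembersRecursive -Id $m.ObjectId -VisitedGroups $VisitedGroups
        }
    }
}

$visited = New-Object 'System.Collections.Generic.HashSet[string]'
$desired = @(Get-UserMembersRecursive -Id $GroupObjectId -VisitedGroups $visited |
             Sort-Object ObjectId -Unique)
$current = @(Get-AzureADApplicationOwner -ObjectId $AppObjectId -All $true)

$desiredIds = @($desired | ForEach-Object ObjectId)
$currentIds = @($current | ForEach-Object ObjectId)

foreach ($u in $desired) {
    if ($currentIds -notcontains $u.ObjectId) {
        Write-Host "Adding owner $($u.UserPrincipalName)"
        Add-AzureADApplicationOwner -ObjectId $AppObjectId -RefObjectId $u.ObjectId
    }
}

if ($RemoveOthers) {
    foreach ($o in $current) {
        # Service-principal owners are deliberately left alone; only users
        # are reconciled against the group.
        if ($o.ObjectType -eq 'User' -and $desiredIds -notcontains $o.ObjectId) {
            Write-Host "Removing owner $($o.UserPrincipalName)"
            Remove-AzureADApplicationOwner -ObjectId $AppObjectId -OwnerId $o.ObjectId
        }
    }
}

[pscustomobject]@{
    Application   = $AppObjectId
    DesiredOwners = $desiredIds.Count
    Added         = @($desiredIds | Where-Object { $currentIds -notcontains $_ }).Count
}
```

Application ownership is a high-privilege relationship: an owner can add a client secret or certificate to the application and then sign in as it, so the mirrored group should be treated as an administrative group. The mirror is point-in-time; run it on a schedule with -RemoveOthers so that a user removed from the group also loses ownership, and note that the account running the script is itself removed if it is not a group member.
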
  10. Group-based Licensing for Nested Groups

    Nested groups have been around for a VERY long time. It is ridiculous that group-based licensing doesn't support nested groups. Please add support for nested groups ASAP!

    28 votes
    1 comment  ·  Groups/Dynamic groups
  11. Implement a way to manually initiate dynamic device group membership evaluations

    Currently, there is no SLA/timeframe on when dynamic AAD device groups evaluate memberships.

    Here is the recommended troubleshooting steps for these groups not populating, straight from the Azure portal:
    "Please allow time for the group to populate. Depending on the size of your tenant, the group may take up to 24 hours for populating for the first time or after a rule change."

    If admins are using dynamic AAD device groups for any sort of application deployment or policy targeting, waiting up to 24 hours may not be reasonable. It would be very helpful if there was a way to…

    28 votes
    1 comment  ·  Groups/Dynamic groups

    Thank you for your feedback. This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

    In the interim, we’ve added the ability to view the processing status for the dynamic membership rule of a group in the Azure Admin portal. This is not providing an SLA for the rule evaluation, however, it does provide information including that the processing is complete.
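
Added example (not from the thread and not Microsoft's tooling): a PowerShell script that applies the workaround from the admin replies on ideas 2 and 11, re-saving the membership rule with or without a trailing space to queue a re-evaluation, then polling the processing status until it finishes. It assumes the AzureAD module with Connect-AzureAD already run by an account that can edit the group, and a Microsoft Graph access token with Group.Read.All in $GraphToken; the membershipRuleProcessingStatus property is read from the Graph beta endpoint, which is the part most likely to change.

```powershell
# Added example, not from the UserVoice thread. Re-saves a dynamic group's
# rule (the trailing-space trick from the admin reply) and polls the
# processing status until the re-evaluation completes.
# Assumptions: Connect-AzureAD already run with group write rights, and a
# Microsoft Graph token (Group.Read.All) in $GraphToken; the
# membershipRuleProcessingStatus property is read from the Graph beta endpoint.
param(
    [Parameter(Mandatory)][string]$GroupId,
    [Parameter(Mandatory)][string]$GraphToken,
    [int]$TimeoutMinutes = 60
)

$group = Get-AzureADMSGroup -Id $GroupId
if ($group.GroupTypes -notcontains 'DynamicMembership') {
    throw "Group $GroupId is not a dynamic group"
}
if ($group.MembershipRuleProcessingState -ne 'On') {
    throw "Rule processing is '$($group.MembershipRuleProcessingState)'; set it to On first"
}

# Any change to the rule text queues a full re-evaluation. Toggling a single
# trailing space keeps the rule semantically identical across repeated runs.
$rule    = $group.MembershipRule
$newRule = if ($rule.EndsWith(' ')) { $rule.TrimEnd() } else { "$rule " }
Set-AzureADMSGroup -Id $GroupId -MembershipRule $newRule
Write-Host "Rule re-saved at $(Get-Date -Format o); waiting for processing"

$uri      = "https://graph.microsoft.com/beta/groups/$GroupId" + '?$select=id,membershipRuleProcessingStatus'
$headers  = @{ Authorization = "Bearer $GraphToken" }
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $status = (Invoke-RestMethod -Uri $uri -Headers $headers -Method Get).membershipRuleProcessingStatus
    Write-Host ('{0}: {1} (last membership update {2})' -f (Get-Date -Format T), $status.status, $status.lastMembershipUpdated)
} while ($status.status -in @('NotStarted', 'Running') -and (Get-Date) -lt $deadline)

switch ($status.status) {
    'Succeeded' { Write-Host 'Membership is up to date' }
    'Failed'    { throw "Processing failed: $($status.errorMessage)" }
    default     { Write-Warning "Gave up after $TimeoutMinutes minutes; last status '$($status.status)'" }
}
```

Every re-save is an "Update group" entry in the audit log carrying the full rule text, so the trick leaves a trail, and it queues an evaluation over the whole tenant, so run it once per change rather than in a loop. The status it reports is the same information the portal shows and still carries no SLA.
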

  12. Azure AD Group expiration should allow exclude groups rather than include groups

    Currently the Azure AD group expiration is set to All/Include some/None. So if I don't want to include all, I have to constantly go and add new groups to the include list.
    Having the ability to exclude would be much more admin friendly.

    26 votes
    5 comments  ·  Groups/Dynamic groups
  13. Security group Edit and Delete

    Currently Security Group owners can Delete and Edit the security Group. Most of the time, we only want the Security Group owners to Add/Remove members only.

    Allow Admins to configure Group properties to disable Edit and Delete operation by the Security Group owner.

    23 votes
    1 comment  ·  Groups/Dynamic groups
  14. Office 365 Stream Group Channels: Assign Access with Azure AD Groups

    Currently you can configure access to an Office 365 Stream Channel as companywide or group. When using the 'Group Channel' option you cannot specify an existing Azure AD Group.

    Assigning access to 500 out of 1000 people would require creating a Stream Group and manually adding the required 500 users. This would then have to be manually maintained when new users come along.

    It would be much better to be able to use an existing Azure AD group synced from on premises AD via AD connect.

    Please make it possible to assign access to Stream Channels using Azure AD Groups

    23 votes
    4 comments  ·  Groups/Dynamic groups
  15. AzureAD Protected Groups

    Please provide the ability to have protected AzureAD groups which would have similar functionality to the Active Directory protect against accidental deletion function.

    We've had a scenario where one of our service desk engineers deleted an AzureAD group by accident; this particular group was used as part of SCIM provisioning, therefore all the users were deactivated from the downstream application.

    This could potentially be tied into a custom role permission which would only have edit / modify permissions on groups

    20 votes
    0 comments  ·  Groups/Dynamic groups
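
Added example (not from the post and not Microsoft's code): with no protect-from-deletion flag on Azure AD groups, the next best control is to learn about a deletion quickly. This PowerShell script pulls "Delete group" events from the directory audit log through Microsoft Graph and flags any whose target is on a watch list of groups you consider critical (SCIM provisioning scopes, Conditional Access exclusions, licensing groups). It assumes a Graph access token with AuditLog.Read.All in $GraphToken; the watch list of group object IDs is something you maintain yourself.

```powershell
# Added example, not from the UserVoice thread. Detective control for
# accidental group deletion: list "Delete group" audit events and flag
# those hitting a watch list of critical group IDs.
# Assumes a Microsoft Graph token with AuditLog.Read.All in $GraphToken.
param(
    [Parameter(Mandatory)][string]$GraphToken,
    [string[]]$WatchedGroupIds = @(),   # placeholder: your critical groups
    [int]$LookbackHours = 24
)

$headers = @{ Authorization = "Bearer $GraphToken" }
$since   = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter  = "activityDisplayName eq 'Delete group' and activityDateTime ge $since"
$uri     = 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=' +
           [uri]::EscapeDataString($filter)

# Follow @odata.nextLink so busy tenants are not truncated to the first page.
$events = @()
do {
    $page    = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $events += $page.value
    $uri     = $page.'@odata.nextLink'
} while ($uri)

$rows = foreach ($e in $events) {
    $target = $e.targetResources | Where-Object { $_.type -eq 'Group' } | Select-Object -First 1
    $actor  = if ($e.initiatedBy.user) { $e.initiatedBy.user.userPrincipalName }
              else { $e.initiatedBy.app.displayName }
    [pscustomobject]@{
        When    = $e.activityDateTime
        Group   = $target.displayName
        GroupId = $target.id
        Actor   = $actor
        Result  = $e.result
        Watched = ($WatchedGroupIds -contains $target.id)
    }
}

# Watched groups first, so the one that matters is at the top of the report.
$rows | Sort-Object -Property @{ Expression = 'Watched'; Descending = $true }, When |
    Format-Table -AutoSize

if ($rows | Where-Object Watched) {
    Write-Warning ("{0} deletion(s) hit the watch list in the last {1} hours" -f
                   @($rows | Where-Object Watched).Count, $LookbackHours)
}
```

Office 365 groups deleted by mistake can be recovered for 30 days (Get-AzureADMSDeletedGroup, then Restore-AzureADMSDeletedDirectoryObject -Id); security groups have no recycle bin, so for a group that scopes SCIM provisioning a periodic export of its membership is the only rollback. Run the script from a scheduled job and route the warning to whatever already pages the identity team.
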
  16. Support for Azure Dynamic Device groups for grouping ADJ & HDJ devices

    How to properly group Azure Domain Joined devices and Hybrid Azure Domain Joined devices? There is no available support for this request.
    https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices

    There are values available within an ADJ and HDJ to be filtered. I can filter them in Get-MsolDevice or in the Azure Portal too, but an Azure dynamic device group doesn't have an available attribute to filter them, there are two values that can be used to filter but none of them are available for Azure DDG:

    ADJ>
    DeviceTrustType: Azure AD Joined
    DirSyncEnabled: $null
    HDJ>
    DeviceTrustType: Domain Joined
    DirSyncEnabled: True

    Please advise how to group these two…

    20 votes
    2 comments  ·  Groups/Dynamic groups
  17. Dynamic Groups: More Attributes to query from

    Dynamic Groups needs more attributes to query from. This list of attributes should be similar to the attributes in Azure AD SAML configuration (i.e. user.onpremisesamaccountname is the big one in my case).

    Use Case: We have account provisioning tools and their lower environment provisions accounts to Azure AD for automated provisioning of O365 licenses. The lower environment accounts samaccountname all starts with the same character prefix ('yy' for example) and we would like to filter these out of HR groups so that our HR department can be confident that the private data remains private.

    19 votes
    1 comment  ·  Groups/Dynamic groups
  18. Dynamic Group Membership - Devices groups and exclusion

    It would be great to be able to create rules for devices group membership that allow to exclude a list or a group of devices.

    i.e. (device.managementType -eq "PC") -notin (device.Group -eq "WhatEverGroup")

    18 votes
    0 comments  ·  Groups/Dynamic groups
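
Added example (not from any of the posts, and not Microsoft's code): a PowerShell reconciliation script that keeps an assigned group equal to a computed member set, which covers the rule features asked for in ideas 1 and 18 (members of an include group minus an exclude group) and in ideas 8 and 16 (devices selected by trust type or compliance state). It assumes Connect-AzureAD has been run; the group IDs at the bottom are placeholders, and the DeviceTrustType values are the ones the AzureAD module returns ('AzureAd', 'ServerAd', 'Workplace'), not the Get-MsolDevice strings quoted in idea 16.

```powershell
# Added example, not from the UserVoice thread. Keeps an assigned group's
# membership equal to a computed set of object IDs (add missing, remove
# extra). Assumes Connect-AzureAD has been run; IDs below are placeholders.

function Sync-GroupMembership {
    param(
        [Parameter(Mandatory)][string]$TargetGroupId,
        [AllowNull()][AllowEmptyCollection()][string[]]$DesiredIds,
        [switch]$DryRun
    )
    $currentIds = @(Get-AzureADGroupMember -ObjectId $TargetGroupId -All $true | ForEach-Object ObjectId)
    $desired    = @($DesiredIds | Sort-Object -Unique)
    $toAdd      = @($desired    | Where-Object { $currentIds -notcontains $_ })
    $toRemove   = @($currentIds | Where-Object { $desired    -notcontains $_ })

    # A lookup that silently returns nothing must not empty a group that may
    # be driving Intune policy or licensing.
    if ($currentIds.Count -gt 0 -and $desired.Count -eq 0) {
        throw "Desired set for $TargetGroupId is empty; refusing to remove all $($currentIds.Count) members"
    }
    foreach ($id in $toAdd) {
        if ($DryRun) { "DryRun: add $id to $TargetGroupId" }
        else { Add-AzureADGroupMember -ObjectId $TargetGroupId -RefObjectId $id }
    }
    foreach ($id in $toRemove) {
        if ($DryRun) { "DryRun: remove $id from $TargetGroupId" }
        else { Remove-AzureADGroupMember -ObjectId $TargetGroupId -MemberId $id }
    }
    [pscustomobject]@{ Target = $TargetGroupId; Added = $toAdd.Count; Removed = $toRemove.Count
                       Unchanged = $desired.Count - $toAdd.Count }
}

# Ideas 1 and 18: everyone in the include group who is not in the exclude group,
# e.g. "all users needing the MDM policy except the exception group".
function Get-IncludeMinusExclude([string]$IncludeGroupId, [string]$ExcludeGroupId) {
    $exclude = @(Get-AzureADGroupMember -ObjectId $ExcludeGroupId -All $true | ForEach-Object ObjectId)
    Get-AzureADGroupMember -ObjectId $IncludeGroupId -All $true |
        Where-Object { $exclude -notcontains $_.ObjectId } |
        ForEach-Object ObjectId
}

# Ideas 8 and 16: devices chosen by a property filter. The AzureAD module
# reports DeviceTrustType as 'AzureAd' (Azure AD joined), 'ServerAd'
# (hybrid joined) or 'Workplace' (registered); DirSyncEnabled is $true only
# for hybrid-joined devices.
function Get-DeviceIdsWhere([scriptblock]$Filter) {
    Get-AzureADDevice -All $true | Where-Object $Filter | ForEach-Object ObjectId
}

# Placeholder group object IDs; replace with your tenant's values.
$mdmTarget      = '00000000-0000-0000-0000-000000000001'
$mdmInclude     = '00000000-0000-0000-0000-000000000002'
$mdmExclude     = '00000000-0000-0000-0000-000000000003'
$hybridGroup    = '00000000-0000-0000-0000-000000000004'
$compliantGroup = '00000000-0000-0000-0000-000000000005'

Sync-GroupMembership -TargetGroupId $mdmTarget -DryRun `
    -DesiredIds (Get-IncludeMinusExclude $mdmInclude $mdmExclude)
Sync-GroupMembership -TargetGroupId $hybridGroup -DryRun `
    -DesiredIds (Get-DeviceIdsWhere { $_.DeviceTrustType -eq 'ServerAd' -and $_.DirSyncEnabled })
Sync-GroupMembership -TargetGroupId $compliantGroup -DryRun `
    -DesiredIds (Get-DeviceIdsWhere { $_.IsCompliant -eq $true })
```

Run it from automation on a schedule, first with -DryRun to see the diff. The result is a static group that lags the real state by one run interval, which matters for the compliance case in idea 8: a device that goes non-compliant keeps its certificate policy until the next sync, so pick the interval accordingly and keep the account that runs it scoped to group membership changes only.
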
  19. wildcards support in AZURE Dynamic Group Rules

    I would like to see the ability to add wildcard support in rules of Dynamic Group. For example,

    (user.userPrincipalName -startswith "partners.*@emaildomain.com") will add any email like partners.microsoft@emaildomain.com, partners.hp@emaildomain.com into the Dynamic Group. Thanks,

    18 votes
    1 comment  ·  Groups/Dynamic groups
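
Added example (not from the post and not Microsoft's code): the membership rule language already has a -match operator that takes a regular expression, so the wildcard case above can be written today. The script checks the pattern locally against constructed sample UPNs, then creates the group with the AzureAD module (Connect-AzureAD assumed; the display name and mail nickname are placeholders). The pattern is anchored so a lookalike suffix cannot match, and a user.userType clause limits the group to member accounts.

```powershell
# Added example, not from the UserVoice thread. Builds a dynamic membership
# rule with the regex operator -match, checks the pattern locally against
# constructed UPNs, then creates the group. Assumes Connect-AzureAD.

# Anchored: "partners." prefix, anything but '@' in the local part, exact domain.
$pattern = '^partners\.[^@]+@emaildomain\.com$'
$rule    = "(user.userType -eq `"Member`") and (user.userPrincipalName -match `"$pattern`")"

# Constructed sample UPNs; the comment says what the rule should decide.
$sampleUpns = @(
    'partners.microsoft@emaildomain.com',    # match
    'partners.hp@emaildomain.com',           # match
    'partners.x@emaildomain.com.evil.net',   # no match: extra suffix
    'notpartners.hp@emaildomain.com',        # no match: different prefix
    'partners@emaildomain.com'               # no match: no dotted segment
)

# Local approximation of what the service will do with the same regex.
$sampleUpns | ForEach-Object {
    [pscustomobject]@{ Upn = $_; RuleMatches = [bool]($_ -match $pattern) }
} | Format-Table -AutoSize

Write-Host "Rule: $rule"
New-AzureADMSGroup -DisplayName 'Partners (dynamic)' `
    -MailEnabled $false -SecurityEnabled $true -MailNickname 'partners-dyn' `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'
```

The local check is only a sanity test of the regex; validation of the rule itself happens in the service when the group is saved, and the membership appears after processing completes, so review the first evaluation before pointing a policy or license assignment at the group.
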
  20. Group Management: show device id when selecting devices

    When adding devices to a group, only display names are shown in the selection panel. If customers registered many devices with display names like "iPhone", lots of "iPhone" are shown in the list and admins cannot tell them apart. When adding users to a group, display name and UPN is shown as a unique identifier.

    Could you show device ID in addition to display name of each device?

    13 votes
    1 comment  ·  Groups/Dynamic groups