Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Dynamic Groups: Member of group

    Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.

    Example:
    (user.objectId -memberOf group.objectId)
    (user.objectId -notMemberOf group.ObjectId)

    Use case 1 - Group Based Licensing.
    If the user is a member of a group that gives them an E5 license, don't let them be a member of a group that gives them E3.

    Use case 2 - Exceptions
    All users should have an MDM policy applied, except those of a specific group.

    509 votes
    30 comments  ·  Groups/Dynamic groups

    Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.

    Chen

  2. Ability to trigger a dynamic group update

    It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show, and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a PowerShell applet that can be run.

    165 votes
    31 comments  ·  Groups/Dynamic groups

    Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

  3. Support for multi-valued attributes synchronized from on premises AD

    AD Connect supports synchronizing multi-valued attributes to AAD.
    However, AAD doesn't support multi-valued attributes synchronized from on premises AD.

    Would be great to have this supported so that for example Dynamic Groups can use multi-value attributes for group membership rules.

    85 votes
    20 comments  ·  Groups/Dynamic groups

  4. Enable "Owner" attribute for Group Object on Azure AD Connect Sync

    Currently, the group owner on Azure AD Portal is mapped to "Owner" attribute while the Office 365 Admin Portal is mapped to "ManagedBy". For a group which is synced from local AD to the AAD via AAD Connect, there is no way to update the "Owner" attribute on Azure AD.

    The AAD Connect does not support "Owner" attribute for sync and we can't assign "Owner" on Azure AD as it is a synced object.

    So to resolve this issue, the "Owner" attribute should be supported as an attribute for sync on the Azure AD Connect.

    41 votes
    under review  ·  2 comments  ·  Groups/Dynamic groups

  5. Dynamic Groups based on device Compliance

    Can we add the "isCompliant" value to the device dynamic groups? This would allow for policies (like WiFi settings or certificates) within Intune to only be available to devices that are deemed compliant.

    My scenario is I want certificates to be removed from a device if it becomes non-compliant so it can't access the WiFi or VPN. I can target the policy at only the "isCompliant -eq true" dynamic group, so once they are non-compliant, they get removed from the dynamic group.

    38 votes
    7 comments  ·  Groups/Dynamic groups

  6. Implement a way to manually initiate dynamic device group membership evaluations

    Currently, there is no SLA/timeframe on when dynamic AAD device groups evaluate memberships.

    Here are the recommended troubleshooting steps for these groups not populating, straight from the Azure portal:
    "Please allow time for the group to populate. Depending on the size of your tenant, the group may take up to 24 hours for populating for the first time or after a rule change."

    If admins are using dynamic AAD device groups for any sort of application deployment or policy targeting, waiting up to 24 hours may not be reasonable. It would be very helpful if there was a way to…

    27 votes
    1 comment  ·  Groups/Dynamic groups

    Thank you for your feedback. This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

    In the interim, we’ve added the ability to view the processing status for the dynamic membership rule of a group in the Azure Admin portal. This is not providing an SLA for the rule evaluation, however, it does provide information including that the processing is complete.

  7. Group-based Licensing for Nested Groups

    Nested groups have been around for a VERY long time. It is ridiculous that group-based licensing doesn't support nested groups. Please add support for nested groups ASAP!

    25 votes
    1 comment  ·  Groups/Dynamic groups

  8. Azure AD Group expiration should allow exclude groups rather than include groups

    Currently the Azure AD group expiration is set to All/Include some/None. So if I don't want to include all, I have to constantly go and add new groups to the include list.
    Having the ability to exclude would be much more admin friendly.

    23 votes
    5 comments  ·  Groups/Dynamic groups

  9. Security group Edit and Delete

    Currently Security Group owners can Delete and Edit the Security Group. Most of the time, we only want the Security Group owners to Add/Remove members.

    Allow Admins to configure Group properties to disable Edit and Delete operations by the Security Group owner.

    19 votes
    1 comment  ·  Groups/Dynamic groups

  10. Dynamic Groups: More Attributes to query from

    Dynamic Groups need more attributes to query from. This list of attributes should be similar to the attributes in Azure AD SAML configuration (i.e. user.onpremisesamaccountname is the big one in my case).

    Use Case: We have account provisioning tools and their lower environment provisions accounts to Azure AD for automated provisioning of O365 licenses. The lower environment accounts' samaccountname all start with the same character prefix ('yy' for example) and we would like to filter these out of HR groups so that our HR department can be confident that the private data remains private.

    18 votes
    1 comment  ·  Groups/Dynamic groups

  11. AzureAD Protected Groups

    Please provide the ability to have protected AzureAD groups which would have similar functionality to the Active Directory protect against accidental deletion function.

    We've had a scenario where one of our service desk engineers deleted an AzureAD group by accident. This particular group was used as part of SCIM provisioning, therefore all the users were deactivated from the downstream application.

    This could potentially be tied into a custom role permission which would only have edit / modify permissions on groups.

    17 votes
    0 comments  ·  Groups/Dynamic groups

  12. wildcards support in AZURE Dynamic Group Rules

    I would like to see the ability to add wildcard support in rules of Dynamic Group. For example,

    (user.userPrincipalName -startswith "partners.*@emaildomain.com") will add any email like partners.microsoft@emaildomain.com, partners.hp@emaildomain.com into the Dynamic Group. Thanks,

    17 votes
    1 comment  ·  Groups/Dynamic groups

  13. Dynamic Group Membership - Devices groups and exclusion

    It would be great to be able to create rules for device group membership that allow excluding a list or a group of devices.

    i.e. (device.managementType -eq "PC") -notin (device.Group -eq "WhatEverGroup")

    16 votes
    0 comments  ·  Groups/Dynamic groups

  14. Azure People Picker needs to display more information

    The people picker in Azure Active Directory is very hard to use for group management because in large directories it's highly likely that multiple people will have the exact same name. It's also highly likely at a University that an employee will also be a student and will have a separate account. When trying to add someone to a group, the AAD people picker only shows name and account name. It doesn't show any other descriptive information to help choose between accounts. Self service group management is a great feature but how are end-users supposed to know which peter pan is…

    13 votes
    4 comments  ·  Groups/Dynamic groups

  15. Group Management: show device id when selecting devices

    When adding devices to a group, only display names are shown in the selection panel. If customers registered many devices with display names like "iPhone", lots of "iPhone" are shown in the list and admins cannot tell them apart. When adding users to a group, display name and UPN are shown as a unique identifier.

    Could you show device ID in addition to display name of each device?

    12 votes
    1 comment  ·  Groups/Dynamic groups

  16. Management Groups

    Management groups (MGs) are currently at the scope of a single tenant only. Customer(s) wish to use Management groups in multi-tenanted scenarios and want management groups to span multiple AAD tenants. Otherwise they would have to replicate the MG(s) across each tenant and then apply the same Azure policies and RBAC roles multiple times to MGs in each tenant separately, which becomes a management/maintenance issue.

    9 votes
    2 comments  ·  Groups/Dynamic groups

    We are designing a feature that will allow Management groups to connect to subscriptions and management groups in different tenants. There is no timeline yet other than it is being planned for the 2nd half of 2019 to be worked on.

    One question we do have is what services in Azure would you like to see supported in the cross tenant scenario? Azure Policy, Blueprints, RBAC Accesses, Security Monitoring, Deployments, etc…

  17. Support for Azure Dynamic Device groups for grouping ADJ & HDJ devices

    How to properly group Azure Domain Joined devices and Hybrid Azure Domain Joined devices? There is no available support for this request.
    https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices

    There are values available within an ADJ and HDJ to be filtered. I can filter them in Get-MsolDevice or in the Azure Portal too, but an Azure dynamic device group doesn't have an available attribute to filter them, there are two values that can be used to filter but none of them are available for Azure DDG:

    ADJ>
    DeviceTrustType: Azure AD Joined
    DirSyncEnabled: $null
    HDJ>
    DeviceTrustType: Domain Joined
    DirSyncEnabled: True

    Please advise how to group these two…

    8 votes
    2 comments  ·  Groups/Dynamic groups

  18. Security groups

    For the last few months I have been working as IT helpdesk, and many times I get requests to add users to a security group for a specified time frame (let's say 1 month).
    I would love to see an option for how long a user will be a member of the group when adding the user to the group. As right now the request can't be closed as it is not finished, I have to do the job twice, as the user needs to be removed from the group after 30 days. Creating a script and adding it to a scheduler is some solution but something may go wrong it is after 30 days. Option right…

    6 votes
    0 comments  ·  Groups/Dynamic groups

  19. Allow to use any Intune parameter as a criteria for a dynamic device AAD group

    Dynamic AAD device groups are a very important part of managing devices with Intune, because all assignments must be done using AAD groups.

    Currently you can use only a limited set of different Intune attributes when creating dynamic AAD groups. Ultimately you should be able to utilize any attribute that Intune knows as a criterion in dynamic groups.

    For example, you cannot create the following dynamic device groups
    - all co-managed devices
    - devices with a specific application
    - devices with a specific OS language
    - devices with a low free disk space

    5 votes
    1 comment  ·  Groups/Dynamic groups

  20. nested group

    Get-AzureADUserMembership doesn't count nested groups, only explicit groups. It would be great to have the cmdlet (this or a new one) perform recursive queries to get the group listing. This is critical when troubleshooting issues pertaining to a user's group membership count.

    4 votes
    0 comments  ·  Groups/Dynamic groups