Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Recycle Bin For Deleted Devices

    It would be great if there were a recover-msoldevice cmdlet or some other way to recover a BitLocker recovery key after a device was deleted.

    190 votes

    30 comments  ·  Devices

    Thanks for your feedback. We are looking into it and evaluating different options for solving the use cases mentioned in this thread. We will update this thread once we have more information to share.

  2. Support Chrome in Server 2016 for compliant/hybrid join (using "Windows 10 Accounts" extension)

    This has been listed as "Coming Soon" for six months? A year? Because Server 2016 isn't supported, we have to assign public IPs to Azure VMs and then exempt those IPs from CA rules. We didn't have to do this with Server 2012 R2, yet here in October 2018 we have to do it with Server 2016!

    I am sure backporting the fixes and improvements to hybrid join in Win 10 v1703 is work MS does not care to do, and that is why this is not supported yet. Remember, we have no Edge on Server 2016, so we must…

    27 votes

    5 comments  ·  Devices
  3. Allow multi-tenant automatic registration of windows domain-joined devices

    The guide available here:

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

    is not multi-tenant aware.

    This prevents the use of meaningful Conditional Access policies where multiple customers are sharing the same source Windows Server on-prem AD in a hybrid 365 scenario.

    I would like a solution that allows the SCP information to be delivered by an alternate means, GPO for example.

    We could then sync multiple customers in AD to multiple 365 tenants and implement conditional access effectively.

    24 votes

    4 comments  ·  Devices

    We are in the process of updating docs to include Hybrid Azure AD join as a supported scenario in a single AD forest to multiple Azure AD tenants. This could be achieved using client side SCP settings that can be configured using GPO. However, there are certain limitations with a single AD forest to multiple Azure AD tenant setup. Capabilities like Windows Hello for Business using cert trust deployment model, enabling Conditional Access for on-prem apps federated with AD FS, Syncing Office 365 Groups back to on-prem Exchange, enabling Seamless SSO and enabling Azure AD Password Protection for on-prem AD DS will not work.

  4. Device Clean Up in Azure AD

    Provide an easy way to filter/export devices and clean up stale devices from Azure AD.

    Our tenant is easily getting into the tens of thousands of devices, and maybe a tenth of them are actually active devices.

    17 votes

    2 comments  ·  Devices
  5. Within Azure AD Devices-All Devices, Make "Download" an option

    When creating Conditional Access policies it is impossible to get a report from Azure or PowerShell that lists all devices that are in a "Pending" state in the Registered column.
    There should be an option to download everything in Azure AD Devices - All Devices to a CSV file, including the device ID and the Registered state. This would help to find all devices that would fail Conditional Access policies requiring that a registered device be used.

    16 votes

    1 comment  ·  Devices
  6. Login with Azure AD Credentials on Windows Server 2016

    Currently it's possible to use Azure AD authentication on Azure VMs that are Windows Server 2019 or Windows 10 1809 or later. A lot of our customers are still using Windows Server 2016. Please enable this feature also for Windows Server 2016 Azure VMs.

    14 votes

    2 comments  ·  Devices
  7. msFVE-RecoveryInformation sync

    I can see in Azure AD that the device can store BitLocker encryption keys. I have been able to directly store BitLocker keys in Azure. My issue is that I have computers with BitLocker enabled and the BitLocker information stored in on-prem AD. Currently there is no way to synchronize the on-prem BitLocker keys with the Azure hybrid-connected device. I think this should be included in the AD Connect tool, especially since the msFVE-RecoveryInformation object is a sub-object of the device.

    12 votes

    3 comments  ·  Devices

    We are currently working with Intune to provide a cloud-based BitLocker management solution that will work for both Azure AD joined and Hybrid Azure AD joined devices. We will update this thread once we have more information to share.

  8. Add all fields to Dynamic Groups

    Please add all fields that are available via Get-AzureADDevice to the list of what can be used for Dynamic Groups.
    I would like to be able to use DeviceTrustType and DirSyncEnabled to define dynamic groups for use with Intune.

    For all DeviceTrustType=serverAD (Hybrid joined) add "Always on VPN", etc.

    It does sound like there are other "Hidden" attributes also. Hopefully those too can be surfaced via Get-AzureADDevice and also be allowed in dynamic groups.

    Thanks

    8 votes

    0 comments  ·  Devices
  9. Disabled device

    In Azure AD, each tenant can set user device limits. In most cases the limit is 20 or unlimited. But in cases where the limit is restricted by Risk Management teams, and Conditional Access is enforced, we are finding that when a user removes a device, or the device state changes, in Azure AD, that device stays on the account in a "Disabled" status. Now we have scripted this to clean up, but this feels like a product gap in Azure AD, and I'd like to suggest a disabled device cleanup workflow process to remove these devices from the directory on either…

    7 votes

    0 comments  ·  Devices
  10. Windows 10 device object added to Azure AD during AutoPilot should contain Serial Number

    For consistency of search, and to be able to match up a physical device with its Azure AD object, could devices added using AutoPilot contain the serial number? This is used throughout Intune, but isn't carried over to Azure.

    If I'm trying to search for an orphaned device, I can't find it if I don't know what the device name was.

    One consistent, known search value across the whole environment would be awesome.

    6 votes

    0 comments  ·  Devices
  11. Better local user and group support for AADLoginForLinux

    The AADLoginForLinux extension seems to have PAM and NSS components, but there are a few issues regarding user and group management:
    * First, the way the users are added to the host isn't very well documented. After testing, it looks like they're added on demand, when a user signs in.
    * The on-demand method, I see, is probably a way to avoid scanning all of AAD for all users, which I understand is an expensive op, but if you have a group of users you wish to maintain and resolve on the host, it seems the only way to do so is…

    6 votes

    0 comments  ·  Devices
  12. Azure AD Join devices: fix USERPROFILE path characters

    When doing Azure AD Join from a Windows 10 device (latest version or any previous), Windows creates a USERPROFILE folder whose exact name is derived from the user's Display Name as defined in Azure AD (first and last name are concatenated). For example:
    C:\Users\FirstLastname
    When the user's display name (made from first and last name) contains non-ASCII characters (and that is the majority of users globally), the USERPROFILE folder will also contain those characters. Unfortunately, as a consequence, many applications will fail to run or install in such a scenario. Examples include running a file downloaded via the Google Chrome browser, running Adobe Reader…

    6 votes

    1 comment  ·  Devices
  13. Maximum number of devices for a specific user or a group

    Currently the maximum number of devices for a user can be configured in [Azure AD] > [Device] > [Device Settings].

    It would be even better to have the possibility to configure it for a specific user or security group.

    5 votes

    0 comments  ·  Devices
  14. Not require AAD registration for using Office 365

    I have several customers that would like to 1) be able to block the pop-up that end users see when starting to use an Office 365 product and 2) not require AAD registration for using Office 365 products.

    The benefits like SSO are very nice, BUT there are some cases where AAD registration is a problem. An example is students that get access to an O365 license as part of their benefits of going to that school. If they have personal PCs, they may have strong objections to their device being managed by the school in any way.

    We have…

    5 votes

    0 comments  ·  Devices
  15. Give us an option to block users from registering AD devices without gimmicks or Intune or MDM being a factor

    After trying to block this "feature" with the Azure and Intune support team, it just can't be done.

    Azure AD device registration is the largest security hole in Office 365, and it's mind-blowing why they even created this option. It bypasses domain password policies and account expiration policies, and lets anyone who installed Office have full access to a tenant's resources for 90 days without verifying their account status or even prompting for credentials. 90 days. No credentials needed. In what world is this secure?

    There is no reason why this can't be disabled. If a tenant has Intune then users…

    4 votes

    0 comments  ·  Devices
  16. Restrict Azure AD join by device limit

    Intune has a restriction by device limit. If you enable this for a user, and the limit is reached, new devices will not be enrolled into Intune by that user. But the user can still Azure AD join a Windows 10 device and access the Windows desktop and all its functions. It would be nice to stop the Azure AD join completely. There is a global limit for Azure AD join, but not a per-user-group limit. It is not possible to set a limit of only 1 device for one company department and then a limit of 2 devices…

    4 votes

    0 comments  ·  Devices
  17. Allow Azure AD to serve as a Certificate Authority and NDES server

    For authentication-based scenarios, having a managed NDES server as part of Azure AD would help remove the need to maintain on-premises infrastructure.

    3 votes

    1 comment  ·  Devices
  18. Device limit

    Device limit should be checked prior to Conditional Access Policies. This will prevent confusion in the following scenario:
    1. Third party apps are used for auth on devices as the registered token broker
    2. Attempting to sign in on a new device after the device limit is reached fails with registered app
    3. MS Authenticator app is invoked as a fall back to attempt to register the device
    4. Help desk calls are generated because of unexpected behavior

    What should happen:
    1. Limit should be evaluated first, and a too many devices message surfaced to the user.

    What should not…

    3 votes

    2 comments  ·  Devices
  19. Add a function to link devices so that we can "manage lost devices"

    Add a feature to upload or "export devices" into the Azure platform so that users can manage them if lost or stolen.

    3 votes

    1 comment  ·  Devices
  20. "Export all" is missing for downloading devices in "Devices - All devices"

    "Export all" is missing for downloading devices in Azure's "Devices - All devices"? Please add this feature or advise how to export all devices list from AAD.

    3 votes

    0 comments  ·  Devices