Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Support filtering = false | ServiceProviderConfig

    Azure AD SCIM client is not compatible with applications, which do not support "filtering".

    If “filtering” is not supported by 3rd party app, do not ignore that.
    Use the “matching” attribute defined in mappings during the initial cycle to check, if the resource exists.
    If resource exists (HTTP-200), save “ID” persistently.
    Use “ID” in every subsequent request

    cf. RFC7644 section 4: https://tools.ietf.org/html/rfc7644#section-4

    4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  2. Please support Join in provisioning with user groups in Azure AD.

    Please support Join function in provisioning with user groups in Azure AD.

    Excerpt:
    Matching based on a combination of attributes is not supported: Most applications do not support querying based on two properties. Therefore, it is not possible to match based on a combination of attributes. It is possible to evaluate single properties on after another.
    https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#matching-users-in-the-source-and-target--systems

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  3. Additional User Entitlement in Salesforce Provisioning

    At the moment, AFAIK, the Salesforce Connector provisions a Salesforce Profile to a User based on the Security Group they belong to in a 1 to 1 mapping.

    User Provisioning should cover more.

    A Salesforce User can have:
    - 1 Profile
    - 0 to 1 Role
    - 0 to N Permission Sets
    - 0 to N Permission Set Groups
    - member of 0 to N Public Groups
    - member of 0 to N Queues

    How to provision the other entitlements from AD ?

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →

    Are you looking to push that data from Azure AD to Salesforce or import from Salesforce to Azure AD.

    For the former we support profiles, roles, permission sets, permissions. You can go into the attribute mappings and add new mappings for the properties you need. We are evaluating the Salesforce SCIM endpoint to see if we can move to a more standards based integration and support all the attributes that you are requesting.

    For the latter we support importing roles as an Azure AD profile.

  4. 2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  5. AAD provisioning does not show Audit logs for group membership

    AAD and G suite provisioning does not show Audit logs for group membership update which is I believe quite important to know. As per MS agent :

    If the user is not provisioned already on G suite, when we try to update group membership, this would obviously fail since we don't have a reference attribute to resolve on the target. Currently, by design, Azure AD doesn't retry the previously failed group membership update after the user is provisioned. Workarounds to fix this problem is to remove and re-add the user as a member of the group or trigger a clear…

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  6. IDCS Provisioning doesn't work

    The Oracle Cloud Infrastructure Gallery app uses OracleIDCS object. But it doesn't support the attribute primary email = boolean. You cannot create a user in IDCS unless you set the email and put it as primary. so essentially, the email.primary has to be set to a boolean(true). Please include it in the OracleIDCS objectclass

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  7. SingleAppRoleAssignment([appRoleAssignments]) should return appRole value not name

    Currently SingleAppRoleAssignment([appRoleAssignments]) returns appRole name. It should either return the value or there should be a way of telling the mapping what field from the object to pass to the target.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  8. Application Provisioning Attribute Mapping Configuration Backup for last 5 changes

    During recent incident I came to know the Provisioning Configuration changes details does not get backed up. i.e. attribute changes which we make on attribute mapping. Only a text message get recorded the when changes are performed. It never record what changes were made. If Microsoft provide anyone functionality it will be helpful for all Azure customer.

    Option 1) Provide backup for provisioning application schema for the last 5 configuration changes which can be access by Admin. It will help Admin to restore from the backup if incase of any failure while updating the Schema

    Option 2) Currently Microsoft records…

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  9. Any automatic user provisioning avaialble for Amadeus products?

    Hello, May I know any automatic user provisioning available for Amadeus products, like Altea Customer Management (CM) and Flight Management (FM)?

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  10. SCIM Bulk

    Is there support for SCIM 2.0 /Bulk end point?
    https://tools.ietf.org/html/rfc7644#section-3.7

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  11. entitlements scim

    In SCIM mapping, there is the missing target attribute "entitlements". However, this attribute is in the core user Schemas and the rfc 7643 says :

    entitlements

      A list of entitlements for the user that represent a thing the
    
    user has. An entitlement may be an additional right to a thing,
    object, or service. No vocabulary or syntax is specified; service
    providers and clients are expected to encode sufficient
    information in the value so as to accurately and without ambiguity
    determine what the user has access to. This value has no
    canonical types, although a type may be useful as a
    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  12. Add more scope options for user/group syncing

    Enterprise Applications currently offer two scoping options with SCIM to sync users/groups in AAD with third party SaaS solution.
    This poses some issues for companies with large number of users and groups in Azure AD.

    In some cases, when selecting the provisioning scope, we would like to synchronize all users, and selected groups. But that is not available, the only options are :
    1. Sync all users and groups
    2. Sync only assigned users and groups

    If we want to sync all users and select groups, we have to choose the first option and set up scope filters for group…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  13. Allow blocked users to be provisioned to SaaS apps

    we have group/ user provisioning turned on to ServiceNow. Everything is working great, except the users with "block sign in" checked. I reviewed the provisioning logs and show these users aren't sent over to SN. We are doing license management and need to see when inactive users are still assigned a license.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  14. Sub attributes in mappings

    Sub attributes arent supported in custom sso apps.

    I'm unable to match a user if their email is a sub attribute

    e.g. emails.value

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  15. Configure sync Scope per mapping

    There is a global provisioning setting to Sync only assigned users and groups, or Sync all users and groups. I would like to set this per user mappings or per group mappings. The reason for this is because we have applications that we don't have licenses for all our users. So I would like to provision the users by group membership (assigned), but sync groups globally based on a naming standard (scoping filter).

    The issue with scoping filters is you can't scope based on group membership, which would be another feature request I suppose.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  16. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  17. Allow kicking off the enterprise app sync job with a service principal

    At the moment, the permissions required to call our SCIM endpoint API), it only supports the delegated permission of ‘Directory.ReadWrita.all’ for work or school account.

    To better integrate with a CICD pipeline, it would be great that we can kick off the enterprise app sync job with a service principal.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  18. Provisioning about delete user

    I want you to select the deleted user so that it can be provisioned on request.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  19. Add ability to test attribute expressions

    It would be very helpful to have the ability to provide sample input to attribute expressions and see what the output of the expression would be. Attempting to troubleshoot expressions is currently very difficult as there doesn't seem to be any way to test the expression you're creating other than to actually try to provision users with it.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  20. Azure AD to on-premises application user provisioning

    Support provisioning users from Azure AD to on-premises applications such as SQL, PowerShell, and LDAP.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base