Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
-
AzureAD Box User Deprovisioning Transfer Files to Another Account
Box supports the ability to specify an account to which user files are transferred. We rely on this functionality to ensure that user's files are transferred to a backup service account when a user leaves the organization. It would be very nice to have this capability too.
Box Dev guide:
https://www.box.dev/guides/users/deprovision/transfer-folders/
Okta guide:
https://help.okta.com/en/prod/Content/Topics/Provisioning/Box/configure-box.htm#Enable2
1 vote
Thanks for the feedback. We are evaluating the functionality. Would you want one account that all files are sent to or moved up to the manager?
-
Salesforce Connector Terminology
This may be "cosmetic" but in the Salesforce - Users and groups Assignment page, 1 Azure AD Security Group is mapped to something called a Role. It's actually a Profile in Salesforce. Aligning the terminology could be good as Salesforce Roles are different.
1 vote
-
Remove possibility for mapping to readonly ID attribute
According to RFC 7643 section 3.1 “The value of the "id" attribute is always issued by the service provider and MUST NOT be specified by the client.” But in fact the Azure portal allows mapping to the “id” attribute, which is a violation of the RFC.
RFC https://tools.ietf.org/html/rfc7644#section-3.12 specifies that the service provider should respond with “Bad Request” to these invalid requests. There is even an example of such a response at the end of section 3.12.
1 vote
Thanks for the feedback. Will review with the team.
-
Need to be able to dismiss errors from UI
I have a customer that is getting some errors which are not actionable showing up in their Reporting and in the main page for Provisioning. These errors do not impact the sync and they would like a way to mark them as handled or ignore so they can quit showing up in the UI and the reporting. This is similar to the request in https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36173572-clean-up-old-sync-errors.
1 vote
-
Allow Scope Filtering Based On Group Type
It would be very useful to allow for scope filtering of groups by Group Type. Currently, there's no easy way to filter out groups based on whether they're Office, Distribution, Security, etc.
1 vote
Could you please describe the scenario where the specific distribution type is needed as a scoping filter?
-
Azure AD User provisioning service : Support Contains Function in Attribute Flow Expression
Adding a new Expression for https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/functions-for-customizing-application-data called Contains(source[Multivalue], ValueRule).
This allows multiple AppRoleAssignments and to set the correct Roles in the SaaS application.
As a reference SAP Concur with Roles like:
- Travel user
- Expense user
instead of
- Travel user
- Expense user
- Travel and Expense user
1 vote
Thanks for the feedback, we will review
-
Azure AD User provisioning service : Allow accessing diagnostic logs
It should be possible to get diagnostic logs, like API calls, from the Azure Portal in case of an exception, so that troubleshooting is possible without contacting MS support.
1 vote
Could you please clarify what types of API calls / what scenarios you’ve needed this information?
-
Azure connector sync issues
We are trying to auto provision Salesforce users using Azure AD connector. We want certain attributes like ManagerId and Department to be in sync with AD always. So we had set that to "Always" in the set up. But our observation says that, when these values are changed in AD, it is updating to the new values in Salesforce. But if these values are changed in Salesforce, they are not getting overwritten with the values from AD in Salesforce. Which means, now they are out of sync.
Since we have set that to "Always", we expect these attributes to be…
1 vote
Thanks for the input. The way the service works today we leverage the delta query API provided by AD graph to constantly check for changes and apply them to the target application. We are aware of changes in Azure AD and have a way of reflecting them in the target application. We don’t have a way today of getting changes directly from Salesforce but are looking at how we can make this possible.