Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Access package policy for dynamic assignment

    The ability to have a policy to dynamically assign access packages automatically to users, based on criteria / filters is very important, as this will greatly improve an organization's ability to provide a set of default access packages to their users based on division, company, etc.

    29 votes

    under review  ·  2 comments  ·  Entitlement Management
  2. Allow approver to revoke approvals

    Designated approvers for an access package should be able to revoke approval, e.g. select the approval in the history and be able to revoke the access approval.

    At the moment, only access package owners can remove access.

    Approvers may make a mistake or access may have been approved on a basis that changed, so they should have a self-service functionality to revoke an approval and thereby remove access.

    In one of our projects this is a requirement, because business owners need to approve access to specific data, but they also need to be able to remove access - also outside…

    20 votes

    under review  ·  0 comments  ·  Entitlement Management
  3. Allow Multi-Stage Reviews And Active Directory Manager Reviews

    Please allow multi-stage reviews. This is already the case for approvals. Compliance/Audit teams typically have one person/group reviewing first, and another person/group of higher job title/function/level reviewing after.
    Also, we already have the option to make the Manager (via the manager attribute in Active Directory) an approver. Please make this available for Reviews as well.

    15 votes

    0 comments  ·  Entitlement Management
  4. Allow on behalf of requests for manager approval

    The existing manager approval is great, but often a manager would like to be able to assign certain permissions before the user has his first working day.

    An option allowing a manager to request access packages on behalf of their direct reports, or for a manager to assign their direct reports access packages that have a manager approval policy linked to it, would greatly improve the manager experience.

    15 votes

    0 comments  ·  Entitlement Management
  5. Customized message for approved access packages

    When access package requests are being approved, the user receives a generic email informing of "You now have access to XYZ".
    It would improve the service vastly if the contents of this "approved-mail" could be customized with further instructions for where the user may access the resources they have been assigned.

    As it is now, the user even gets a misleading button in the email saying "Get started" which just leads back to the My Access portal.

    12 votes

    under review  ·  0 comments  ·  Entitlement Management
  6. Support Exchange Groups in Entitlement Management

    In order to improve ease of adoption for existing organizations, Distribution groups and Mail Enabled Security Groups need to be supported as resources for access packages.

    10 votes

    2 comments  ·  Entitlement Management
  7. Allow moving access packages between catalogs

    As delegation of access package assignment manager role must happen on catalog level, we are currently creating loads of unnecessary catalogs "just in case" we need to delegate in the future. Having an option to move access packages between catalogs would simplify this a lot.

    5 votes

    0 comments  ·  Entitlement Management
  8. NDA / DPA Requirements

    We have a large number of independent companies (legal entities). Each company is obliged to sign an NDA with each supplier whose employees we authorize in the tenant. The purpose of the data processing must be defined by a DPA between a company and the supplier.

    DPA Supplier <> Company.Data could perhaps be implemented at Access Package level

    NDA Supplier <> Company could perhaps be implemented at the catalog level

    Allow the Catalog Owner role to add a Connected Organization

    Allow the Catalog Owner role to manage which connected organizations may be used in the catalog

    5 votes

    0 comments  ·  Entitlement Management
  9. Support License Assignment on Entitlement Management

    Currently, we are using the assignment-to-group method for Office 365 licenses.
    I hope to enhance our administration of the license assignment task.

    If you support license assignment in entitlement management, we would be able to do complex license assignments for restricted-access users.
    (e.g. only e-mail access, device management only, etc.)

    I hope entitlement management will support the license resource.

    5 votes

    under review  ·  2 comments  ·  Entitlement Management
  10. Integrate Entitlement Management with MyApps

    It would be great to integrate Entitlement Management with the MyApps portal.

    Example:
    1) User navigates to the MyApps portal and clicks on "+Add app"
    2) Within Entitlement Management, there are a number of applications that the user is already entitled to, but require either approval or a licence.
    3) These applications are listed within the "+Add app" section.
    4) User selects an application within this section, which then starts the approval process within Entitlement Management. It would be a great user experience to be redirected to the MyAccess portal, or this is done transparently.
    5) User and approvers receive emails…

    5 votes

    0 comments  ·  Entitlement Management
  11. Entitlement Management, Graph API: Filtering on nested objects.

    Filtering on nested objects with Graph API in Entitlement Management is currently very limited and is thus also limiting the flexibility by programmatically scripting Automation runbooks.

    Example:
    Filtering on "requestorSettings/scopeType" is not supported. This would be good to have in order to filter out assignmentPolicies that are for example admin-add only.

    https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies?$filter=requestorSettings/scopeType eq 'NoSubjects'

    Returns:
    "error": {
    "code": "InvalidFilter",
    "message": "OData query is invalid: Filter 'requestorSettings/scopeType Equals NoSubjects is not supported. .",

    4 votes

    0 comments  ·  Entitlement Management
  12. Share assignment policy between access packages

    I find myself adding the same policy to many, many access packages - "Manager approval and Manager review every 180 days" etc. It would have been nice to be able to define an assignment policy once, linking several access packages to the same assignment policy, reducing management overhead.

    3 votes

    0 comments  ·  Entitlement Management
  13. Allow "Access Has Ended" Email to Users to be Disabled

    Currently if an Admin assigns a user to a package, no email is sent, which is fine. However, when the Admin removes the user, there is no way to prevent the email. This has caused much confusion to the users because they get an email telling them that they have been removed from something they didn't know they had in the first place, so they log a call with the service desk.
    Also, it makes setting up a Package a "get it right first time" event prior to a wider rollout.

    3 votes

    0 comments  ·  Entitlement Management
  14. Identity Governance hourly expiration

    AAD PIM allows for hourly activation. But there are some cases PIM cannot handle and we must use Identity Governance access packages.

    The only let down with these packages is that they work off number of days and not number of hours.

    Is it possible to set Identity Governance activations in hours like PIM, rather than days?

    3 votes

    0 comments  ·  Entitlement Management
  15. Make Entitlement Management part of Identity & Threat Protection

    Currently, it's only coming to AAD P2, but it would make sense to have it in Identity & Threat Protection as well.

    3 votes

    0 comments  ·  Entitlement Management
  16. Add support on Entitlement management API so service principal can maintain Catalog resources

    You can generate AAD groups, RBAC assignments and Access Packages through code, but there is no API method to maintain which resources belong to a Catalog, forcing us to add resources to the catalog in a manual step.

    2 votes

    under review  ·  0 comments  ·  Entitlement Management
  17. Improved end-user interface is needed

    Hi all,

    I do think Entitlement Management has great potential, however just the idea of letting end users into the Azure portal to try to navigate this gives me nightmares when it comes to the adoption work needed.

    I think a UI would in some way be needed to better sell this to the organizations.
    This interface should of course be available as an Enterprise app.

    2 votes

    0 comments  ·  Entitlement Management
  18. Integrate Azure resources with Entitlement Management

    Allow entitlement management to work with Azure resources to manage access. Right now, the only way to do this seems to be using Azure AD groups which have to be configured to have access to resources. This could also include allowing entitlement management to work with Azure resources PIM.

    2 votes

    0 comments  ·  Entitlement Management
  19. Azure Active Directory Access Package assignment Duration

    Currently Azure Active Directory Access Package assignment uses Days as an assignment unit. Access Package provides JIT access to the resources. In many scenarios we would want to specify the access in Hours. Please add hours as a unit of assignment.

    2 votes

    0 comments  ·  Entitlement Management
  20. Add search capability for description of access package

    Currently, only the displayname of an access package is searchable in myaccess. Being able to search for description both in myaccess and through graph would be very useful.

    2 votes

    0 comments  ·  Entitlement Management