Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Allow users to self update MFA methods for "Other Organizations you belong to"

    Users that have a presence in multiple tenants need a way to self update their MFA methods for "other organizations you belong to" on the myworkaccount.microsoft.com/organizations. Currently there is only a link to "leave organization". Please add a link to "update MFA methods".

    28 votes
    3 comments  ·  Multi-factor Authentication
  2. Eliminate delays when activating the SharePoint Administrator role in PIM.

    Currently it can take up to 1 hour or more to wait for permissions to be propagated in the SharePoint environment after activating the SharePoint Administrator role. Logging out, closing all browser windows -- nothing helps.

    This results in lost work time for administrators that require these permissions to do their daily job. It is even worse when there is an issue during off-hours. It does not help your relationship with a business client to tell them that you have to wait for the system to "kick in" and cannot provide an estimate for how long that may take.

    Any…

    64 votes
    planned  ·  10 comments  ·  Privileged Identity Management
  3. “test_test_” prefix name for a tenant

    The OMS code doesn't allow name changes for tenants that start with "testtest".
    This is a standard naming convention for test tenants, and the code enforces this rule to ensure that test tenants do not get renamed.
    It would be great to add this to the public information; this should be a "must know" before creating a tenant.

    16 votes
    1 comment  ·  Directory
  4. Add support for User-Agent Client Hints

    User-Agent string is being retrieved as part of Azure\o365 audit log. The User-Agent is being used by security tools.

    Google is planning to deprecate the User-Agent string in their Chromium engine (this will affect Chrome, Edge and any app or browser that uses Chromium). More info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. The current timeline is mid-2020. Instead of the User-Agent string, they plan to add User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/

    Need to have the new User-Agent information available in the audit log and the APIs.

    83 votes
    0 comments  ·  Conditional Access
  5. Allow users to personalize their MyApps portal

    Implement the possibility for users to personalize their MyApps user experience by making it possible for them to hide and unhide tiles on their MyApps portal of applications that they don't use and make it possible for them to rearrange tiles, so that their often used applications can always be accessed directly from the top of the page.

    15 votes
    5 comments  ·  MyApps portal
  6. Exclude Emergency Access account from Security Defaults

    Microsoft has done a great job by releasing security defaults, however it's lacking the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA.

    This is similar to the built-in Administrator account in traditional Active Directory. Without the ability to exclude a single account, most organizations without AAD P1 licensing will simply leave security defaults turned off.

    If we want fine grained exclusions or multiple emergency access accounts it would then make sense to purchase…

    78 votes
    11 comments  ·  Multi-factor Authentication
  7. Enable "Sign in with Azure AD Credentials" option for Windows Server 2019 Server Core images

    As per the documentation here: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
    The "Sign in with Azure AD Credentials" feature is available only for full Windows Server 2019 Datacenter installations. It would be great if Server Core images of Server 2019 also had this feature enabled.

    49 votes
    0 comments
  8. Make the re-authentication prompts much clearer and more visible

    When users with MFA enabled have to re-authenticate due to the tenant policy, Microsoft apps often show that you have to "sign in again", but can also just silently fail, or show "your message cannot be sent". In the worst case there is no sign that the apps are effectively offline. This can have a big impact on productivity, if e.g. Outlook, Teams, and OneDrive Sync are offline but don't show that clearly, it means the user is effectively isolated.

    Feature request: A/ make the alerts and liveness checking for the session much more visible, and B/ ideally, find a…

    10 votes
    4 comments  ·  Multi-factor Authentication
  9. dynamic membership for administrative units

    Managing user memberships for administrative units should be made possible by dynamic membership!

    So for instance the memberships should be auto-updated based on the department field of the user. (or any other attribute)

    22 votes
    5 comments  ·  Groups/Dynamic groups
  10. Show additional information to the MFA Notification

    When a user receives an MFA notification, it would be nice to see the following communicated in the notification:
    - Login Location (City, State, Country)
    - Service being logged into (Office 365 Portal, SharePoint Online, OneDrive, Client Apps, etc.)
    - Device OS/Type (Windows 10/Laptop, iOS 13.5.1/iPhone, Android 10.0/Tablet)
    - Device Compliance (Yes/No)

    This would further help users determine if the request is legitimate.

    18 votes
    0 comments  ·  Multi-factor Authentication
  11. MicrosoftAzureActiveAuthn App Should be Hidden

    There's an app visible to users in the portal - MicrosoftAzureActiveAuthn (https://account.activedirectory.windowsazure.com/applications/signin/MicrosoftAzureActiveAuthn/0000001a-0000-0000-c000-000000000000?tenantId=REDACTED) - that is not a "real" app and shouldn't really be visible. Users that do click it arrive at an error page. We're not able to change its visibility via the Azure AD blade in the Azure Portal, however - the field is missing. I think that either the AAD or My Apps portal teams should take action to ensure this infrastructure app is not visible to users.

    32 votes
    9 comments  ·  MyApps portal
  12. Enable reset of PRT to allow for immediate Eligible Device Administrator role through Azure PIM

    As it currently stands, if you want to permit specific sets of users to be Device Administrator "eligible" through Azure PIM you may have to wait up to 4 hours for the Primary Refresh Token (PRT) to be updated via Azure before your Azure AD joined devices will acknowledge the Device Administrator role.

    This is a big flaw which basically renders this PIM function useless and needs to be fixed by Microsoft. All other Azure AD roles within Azure PIM work just fine when assigning an "eligible" role.

    32 votes
    4 comments  ·  Privileged Identity Management
  13. Support PIM on AAD B2C Tenants

    Today, in a B2C tenant no licenses can be purchased or obtained from trial. Unfortunately, Privileged Identity Management requires a P2/E5 license to function and therefore cannot function on an AAD B2C tenant.

    In a B2C tenant the same paradigms of PIM for administrators (just-in-time access, just-enough access, access reviews/audit history, time-bound access, and break-glass approval to activate) apply to our AAD B2C Administrators. Without PIM our only option is to provide them standing administrator access, which goes against security best practice and standards.

    There exist various different administration job responsibilities in a B2C…

    14 votes
    0 comments  ·  B2C
  14. Provide PowerShell/Azure CLI access to upload custom list to Azure AD Password Protection

    Currently this list can only be managed in the Portal. Request for the ability to upload the list from the command line so that a secure process can be implemented without the need to cut and paste the list into a web browser.

    12 votes
    0 comments  ·  Admin Portal
  15. Support PIM for service principals

    We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

    We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

    This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

    22 votes
    under review  ·  2 comments  ·  Privileged Identity Management
  16. Change message details for users blocked by CA policy when signing into O365

    When a user is blocked by a conditional access policy set in Azure Active Directory, the message validates that the username and password were successful but that the sign-in failed due to certain criteria not being met (CA policy). The premise being that a bad actor with stolen creds is able to confirm that those credentials are valid, despite not being on a device capable of logon. This would allow the actor to attempt to use the same credentials in other places and is a major security risk.

    Please allow for this message to be editable or change it so that it doesn't…

    11 votes
    0 comments  ·  Conditional Access
  17. Confidential attributes

    It is very common for an IAM / IGA solution to have more attributes than are readable by the user, such as SSNs or other sensitive information. In Windows Server AD, the "confidential bit" can be used to have an attribute in AD only available when specifically granted permission to read it.

    Such a feature is highly needed in Azure AD, as today any user can read essentially any attribute of other users.

    Primary use cases:
    - Ability to issue SSN or other sensitive info in encrypted SAML token
    - Ability to sync SSN or other sensitive info using…

    40 votes

  18. Self-service password reset - Different settings for initial/first time setup

    SSPR should have functionality to allow for a lighter/less strict SSPR policy when the user account has never signed in before.
    This would effectively kill the need for distributing first-time passwords for newly onboarded resources, while still ensuring that a strict enough policy is used (2 authentication methods) for the user in SSPR later on.

    10 votes
    0 comments  ·  Self-Service Password Reset
  19. Add AAD App Registration Support to ARM Template

    Currently the ARM template schema for AAD only supports Domain Services (https://docs.microsoft.com/en-us/azure/templates/microsoft.aad/allversions)

    Please add support for AAD app registration so an offer can add and configure the registration for the customer.

    75 votes
    2 comments
  20. Return value for AuthenticationMethodsUsed in Get-AzureADAuditSignInLogs

    To easily get a report via PowerShell for "MC191153, beginning October 13, 2020, we will retire Basic Authentication"

    If AuthenticationMethodsUsed were populated, it would show who is currently using Basic Authentication.

    35 votes
    0 comments  ·  PowerShell