Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support for User-Agent Client Hints
User-Agent string is being retrieved as part of Azure\o365 audit log. The User-Agent is being used by security tools.
Google is planning to deprecate the User-Agent string in their Chromium engine (will affect Chrome, Edge and any app or browser that users Chromium). more info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. the current timeline is mid of 2020. Instead of the User-Agent string, they plan to add the User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/
Need to have the new User-Agent information available in the audit log and the APIs.
81 votes -
Enable "Sign in with Azure AD Credentials" option for Windows Server 2019 Server Core images
As per documentation here: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
Sign in with Azure AD Credentials feature available only for full Windows Server 2019 Datacenter installations. Would be great if Server Core images of server 2019 will also have this feature enabled.47 votes -
Exclude Emergency Access account from Security Defaults
Microsoft has done a great job by releasing security defaults, however it's lacking the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA.
This is similar to the built-in Administrator account in traditional Active Directory, without the ability to exclude a single account most organizations without AAD P1 licensing will simply leave security defaults turned off.
If we want fine grained exclusions or multiple emergency access accounts it would then make sense to purchase…
53 votes -
Give users the ability to request that a resource be delete if they don't have permissions to delete it themselves
When a user does not have permissions to delete an Azure resource but needs it deleted it creates an offline process to request, track, and then select that item to be deleted.
It would be more efficient, reduce errors, and create an audit if the user who wanted to delete a resource was able click a button/link when prompted that they don't have permissions to request the deletion that would then be carried out by someone who is in the group that has permissions to unlock/delete.
25 votes -
Confidential attributes
It is very common to for an IAM / IGA solution to have more attributes than is readable by the user, such as SSNs or other sensitive information. In Windows Server AD, the "confidential bit" can be used to have an attribute in AD only available when specifically granted permission to read it.
Such as feature is highly needed in Azure AD, as today, any user can read essentially any attribute of other users.
Primary use cases:
- Ability to issue SSN or other sensitive info in encrypted SAML token
- Ability to sync SSN or other sensitive info using…27 votes -
Notify before App Registrations Client secret expiry
For secrets and certificates in Azure Key Vault we can set up certificate contact and "EmailAtNumberOfDaysBeforeExpiry".
For App Registrations with client secrets, they just expire (and we get outages).
Please make it possible to get notifications about everything that expire in AAD before they expire, so that we can keep our services running.
No, this can't be monitored/pulled from outside of Azure, as we e.g. run in national clouds where we don't have access on our own.
88 votes -
Add AAD App Registration Support to ARM Template
Currently the ARM template schema for AAD only supports Domain Services (https://docs.microsoft.com/en-us/azure/templates/microsoft.aad/allversions)
Please add support for AAD app registration so an offer can add and configure the registration for the customer.
40 votes -
Allow Conversion of AD Synced Accounts to "In Cloud Only"
Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.
361 votesWe are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”. -
Add an information in the portal about object count in AzureAD | Or warn before limit is reached
Please add a information to the Portal, how many objects are in AzureAD.
This is critical because sync stops when the limit (Standard is 300 000 at the moment) is reached.
To have a Information about actual object count in Azure AD would easily help to avoid issues with sync.
Microsoft sends a Mail when threshold is reached, please add also a feature to send a warning in advance, e.g. when 80% of 300 000 is reached, so a quota raise can be done before there is an outage.
Further, it is unclear how customers can count object count on…23 votes -
Getting more granular permissions with Graph API and SPO sites
Do we have any plans to allow Azure AD-registered apps accessing Microsoft Graph APIs (such as SharePoint Online) to have more granular permissions? Can we get SharePoint Online (SPO) to enforce more granular authorization rules based on the app identity and some manifest rules to restrict the site collection for example, instead of Sites.Read.All? I am looking for something like this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, but for Azure-AD apps (where we can specify really granular permissions).
This question is around the ability to customize Microsoft Graph APIs such as SharePoint Online APIs to restrict the site collections that can be accessed by…
119 votes -
Return value for AuthenticationMethodsUsed in Get-AzureADAuditSignInLogs
To easily get a report via PowerShell for "MC191153, beginning October 13, 2020, we will retire Basic Authentication"
If AuthenticationMethodsUsed would be populated to show who is using Basic Authentication currently.
16 votes -
Need some way to deal with: "AADB2B_0001 : We cannot create a self-service Azure AD account for you because the directory is federated"
Not all B2B invites can be redeemed successfully. Failures happen for reasons that are out of the inviters control (leading to an inability to fix the problem) and are not predictable (leading to poor user experience).
I suspect this problem happens most frequently when a partner organization bungles taking ownership of their tenant. MSFT needs to make it much harder for people to render their production tenant in such a disfunctional state.
45 votes -
Within Azure AD Devices-All Devices, Make "Download" an option
When creating Conditional Access policies it is impossible to get a report from Azure or PowerShell that list all devices that are in a "Pending" state in the Registered column.
There should be an option to download everything in Azure AD Devices-All Devices to a csv file and include the device ID and the Registered state. This would help to find all devices that would fail Conditional Access policies requiring a registered device be used.17 votes -
MFA status after enabling MFA for users who have registered MFA notification destinations in advance
We are deploying Azure MFA by the following method, and we perform various controls depending on the status of MFA ([Forced] or [Enabled]).
https://docs.microsoft.com/ja-jp/azure/active-directory/authentication/howto-mfa-userstates
Even without enabling MFA, I understand that it is possible to directly access 「https://aka.ms/mfasetup」 and register the MFA notification destination in advance.
However, if you enable MFA after registering the MFA notification destination, the status of MFA will not be changed to [Forced] even though MFA setup has been completed.The specifications are different from the status of each MFA status described in the Microsoft public documentation.
Since the control is based on the…14 votes -
Support service-principal impersonation so that SPs can act on behalf of another SP.
I want to allow certain SPs to operate on behalf of other SPs. For instance, I want to allow a signing bot to access Key Vault on behalf of my SP, but only when I call it, and not any other time. This is needed for scenarios like Key Vault, SQL, and other scenarios where my SP has RBAC/ARM privileges that another SP may need to use.
21 votes -
Add a sort of SSO for Native Apps that use ROPC
In a scenario where you develop multiple Native Applications and use Azure AD as Identity Provider, it would be useful to have a way to obtain a sort of SSO even if those native applications use ROPC.
For example, if i develop App1 and App2 and both apps are installed on the same device and configured for the same AAD tenant, if i use ROPC to obtain an idtoken or accesstoken in App1, it would be useful to be able to retrieve another token on App2 without entering credentials.
Maybe exposing an API from the Authenticator broker?
17 votes -
MFA unblock needs to be available to a role that is not a global admin user
Our user admins cannot be assigned a global admin role in O365. They therefore cannot see any users who are MFA blocked under: Azure Active Directory > Security > MFA > Block/unblock users
My request to Microsoft is: PLEASE make MFA User Block/Unblocking more manageable
Per support: As of now, Dec 16 2019, currently, only a Global Admin has rights to view this and it's stored on the MFA backend which does not connect to PowerShell in any way. This is a known issue for our Product Group as well, and there are some changes and/or additional administrative roles coming…20 votes -
Block access to Azure at subscription-level based on device state
Many companies would like the ability to enforce Azure Conditional Access on a Azure subscription-level, which should require the user to have a managed device (Hybrid Azure AD Join / Intune managed device).
The reason for the ask is that some companies have highly sensitive information in some Azure subscription and other subscriptions is used for agile collaboration with partner (Azure B2B) with reduced security requirements for sign-in to Azure subscription.
Basically the same feature that is provided by the SharePoint team.
Provide "Conditional Access" on a SharePoint Online Site Collection Level:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/11125038-provide-conditional-access-on-a-sharepoint-onlinControl access from unmanaged devices:
https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices16 votes -
Outbound IP range for RestfulProvider technical profile to allow IP Whitelisting
The issue is that B2C outbound calls can come from any of the Azure IP Addresses documented here : https://www.microsoft.com/en-us/download/details.aspx?id=56519 It is unrealistic to whitelist every single one of them in target APIs. Please provide a narrowed down source IP range for these outbound calls.
See also: https://github.com/MicrosoftDocs/azure-docs/issues/46544
14 votes -
Eliminate delays when activating the SharePoint Administrator role in PIM.
Currently it can take up to 1 hour or more to wait for permissions to be propagated in the SharePoint environment after activating the SharePoint Administrator role. Logging out, closing all browser windows -- nothing helps.
This results in lost work time for administrators that require these permissions to do their daily job. And is even worse when there is an issue during off-hours. It does not help your relationship with a business client to tell them that you have to wait for the system to "kick in" and cannot provide an estimate for how long that may take.
Any…
9 votes
- Don't see your idea?