Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Getting more granular permissions with Graph API and SPO sites
Do we have any plans to allow Azure AD-registered apps accessing Microsoft Graph APIs (such as SharePoint Online) to have more granular permissions? Can we get SharePoint Online (SPO) to enforce more granular authorization rules based on the app identity and some manifest rules to restrict the site collection for example, instead of Sites.Read.All? I am looking for something like this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, but for Azure-AD apps (where we can specify really granular permissions).
This question is around the ability to customize Microsoft Graph APIs such as SharePoint Online APIs to restrict the site collections that can be accessed by…
109 votes -
Allow Conversion of AD Synced Accounts to "In Cloud Only"
Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.
237 votesWe are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”. -
Scoring password in Azure AD password protection
Today, Azure AD Password Protection scores the normalized new password with this rules:
1. Each banned password that is found in a user’s password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.If you use a banned word like "contoso", the score of the password grows with +1. A new password with 5 banned password(s), you will have an accepted password.
If you choose one of the following password as a new password, it will be accepted:
"contosocontosocontosocontosocontoso" --> [contoso]…
25 votes -
Request for registration of OATH token and connection to user:
We would like you to allow end users to register OATH token by themselves as well as other multi-factor authentication notifications (i.e. telephone and SMS)
If our request above is not permitted, please consider the following to reduce the time and effort of the administrator:
- Registering OATH token information prior to registration of associated user information
- Connecting the user and OATH token by GUI operation from Azure portal instead of importing CSV
- No entering authentication code when activating OATH token58 votes -
Manage AADDS DNS powershell
Currently, I am unable to find any documented methods for managing DNS in AADDS using PowerShell. If it is possible, can we get an article published that states specifically how to use PowerShell to manage DNS in AADDS? If it doesn't exist, can we get the functionality created? Using MMC is dated and limits our abilities to be automate.
18 votes -
Set MFA using Azure Active Directory Powershell Module
Add support in Azure Active Directory PowerShell module to set Multi-Factor Authentication (MFA).
Thanks
100 votes -
We would like to activate MFA at our designated time.
At present, MFA is activated at the time when the administrator enables MFA per user.
We would like to activate MFA at the administrator's designated time. We believe that this enables us to broaden our range of operation.
It would be great if we could, for example, control by designating the time to parameter "RememberDevicesNotIssuedBefore".24 votes -
AzureAD Protected Groups
Please provide the ability to have protected AzureAD groups which would have similar functionality to the Active Directory protect against accidental deletion function.
We've had a scenario were one of our service desk engineers deleted an AzureAD group by accident, this particular group was used as part of SCIM provisioning therefore all the users were deactivated from the downstream application.
This could potentially be tied into a custom role permission which would only have edit / modify permissions on groups
20 votes -
banned password message azure ad password protection
Add GPO or client to Windows Client for Azure AD Password protection to display the corporate password policy on login when the user's change password and it's banned. Give users on prem what they can and cannot use as feedback if they put a bad one in.
46 votes -
Change the message text to "Use a verification code from my mobile app or hardware token"
Currently, when users configured Azure MFA for hardware token and phone number, they can choose MFA method when signing in azure portal.
In the Azure AD logon page, users see following options.-------------------------
・ Use a verification code from my mobile app
・ Text +XX XXXXXXXXX
-------------------------It's not intuitive for customers to choose "Use a verification code from my mobile app" even though they are using hardware token.
So please change the message text to "Use a verification code from my mobile app or hardware token".
I am support professional and I am receiving unnecessary support calls from users…15 votes -
Enable dedicated App Proxy Authentication Header
When you connect App Proxy with pre-authentication via a native client following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application the authentication header is removed by the App Proxy. This stops single sign on requests from working and breaks a number of automation scenarios if the backend service does not support a dedicated authentication header. Ideally I would like to see the following behaviour:
1. By default the Authorization header is used to authenticate with App Proxy
2. If multiple values are provided as per https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers each one is checked for authentication against App Proxy, if one is valid, remove it from the header…22 votesThank you for your feedback. We are reviewing this requirement and will update once we have more details.
-
Upgrade Workday connector to use the latest Workday API version
The current Workday to AD User Provisioning connector makes use of Workday API version 21.1. Please provide an option in the connector to use the latest API version.
12 votes -
B2B: Please expose the "source" property in the Graph API
We would like to have the Source attribute available in order to manage guest accounts differently based upon what kind of account it is ("Microsoft Azure Active Directory", "Microsoft account", or "Microsoft Azure AD (other directory)"). If the account is a Microsoft Account, we need to be able to have more scrutiny around it. (ie. check to see if the user still works for the partner company.)
16 votes -
Windows Hello for Business in AAD/AD Hybrid too complicated for SMB
Currently the process to enable Azure AD-joined users to authenticate to on-premises systems is complex and requires multiple servers and specialized expertise. Can we enable a simplified approach to enabling Hybrid environments to support Azure-AD Joined Windows 10 using Windows Hello for Business without complicated Key Trust or Certificate Trust implementations, or at least simplify the setup of those environments so that SMB may easily accomplish this?
10 votes -
Export of Roles and assignments in AAD
In 365 we can get a csv file showing users role assignments. I would like the same in Azure AD.
User name, Assigned role option to export as a SINGLE CSV file.
8 votes -
Admin audit function for Azure AD Connect Synchronization Service changes
It would be helpful if attribute to being synced is unchecked or any changes are made to AAD sync connector configuration. It should be logged to AADConnect log or trace file, or report on event log with changes in sync values and data, time, and sign-in account used.
35 votes -
MDM and MAM management should be off by default for all users in Intune settings if you do not have the subscription
MDM and MAM management should be off by default for all users in Intune settings. Some accounts seem to have this on by default and this means you cannot join a device to the Azure domain or add the account to Windows 10. In order to change the settings, you need an active Azure AD prime subscription or subscribe to a trial.
16 votes -
Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups
Baseline Policy: Require MFA for Admins (Preview) needs to be able to exclude groups.
This policy does not pay attention to trusted location. Therefore, your global admin or other admin SERVICE ACCOUNTS will get blocked unless you exclude them one-by-one.
This is very disruptive. This policy used to allow excluding groups and they changed it to only excluding users. Not all companies can move at the pace Microsoft is enforcing. We cannot make all of our service accounts into some other solution which won't get impacted and still work for us.
Bring back group exclusion for manageability!!
47 votes -
Tenant AAD sync is stopped due to exceed the quota. It would be very helpful to get the quotas in the dashboard.
Tenant AAD sync is stopped due to exceed the quota. It would be very helpful to get the quotas in the dashboard.
15 votes -
Notify before App Registrations Client secret expiry
For secrets and certificates in Azure Key Vault we can set up certificate contact and "EmailAtNumberOfDaysBeforeExpiry".
For App Registrations with client secrets, they just expire (and we get outages).
Please make it possible to get notifications about everything that expire in AAD before they expire, so that we can keep our services running.
No, this can't be monitored/pulled from outside of Azure, as we e.g. run in national clouds where we don't have access on our own.
12 votes
- Don't see your idea?