Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Conditional access policies to block specific versions of windows
We need the ability to apply Azure Conditional Access policies to specific Windows OS versions (XP, 7, 8, 8.1 and 10)
While Azure Conditional Access policies can be currently applied to Windows, this includes all Windows operating systems. We need the ability to apply them to specific Windows OS versions as XP, 7 and 8.
Having this functionality would allow for example to block Windows XP, 7 and 8 devices through CA policies, forcing users to use a safe, updated and supported OS.
23 votes -
Give customers option to exempt Foreign Principal from conditional access policies
Foreign Principals access the customer tenants through Partner Center. Customers are currently unable to exempt the Foreign Principal account from conditional access policies like they can for regular users. Subjecting Foreign Principals to conditional access policies can create insurmountable hurdles because the Foreign Principal is from outside the organization and depends on Partner Center for access. Please give customers the option to exempt the Foreign Principal account from conditional access policies in Azure AD.
27 votes -
Fix tab order for B2C login
Please fix the tab order for B2C logins. Currently tab goes from the username field to the "Forgot your password" link. It should go from username to password.
43 votes -
Pronouns available across services
Please add an optional Pronoun field to a user object type. Ideally, this would be able to be used across M365, such as in SharePoint About Me pages, in Contact Card experiences across Outlook and Teams, etc.
55 votes -
Prompt users for account selection when opening different applications federated across multitenant environments in the same browser
Our client has multiple Azure AD environments (dev, tst, stg, prod) which act as IDP for their applications which are mapped 1:1 (SP Dev env is integrated with AAD Dev, etc). When a user logs into an application that is federated using AAD Prod, then opens a new tab in the same browser and tries to access an application that is federated using AAD Dev, Stg, or Tst, they are not prompted to select their lower environment account or enter credentials. Instead, they are being directly signed into the AAD lower env using prod credentials which is causing an access…
16 votes -
Fix Conditional Access Bug, wich prevents Teams to be excluded
Within Conditional Access ( CDA ), you will be able to include office 365 and exclude dedicated apps, like sharpoint.
But the exclude feature is not working with Teams, as described in Microsofts own documentation.Our Intention is to block Office 365 Web Apps, except to Teams.
With the conditional access configurd with
- Teams as exception
or
- Teams and all dependend apps, like documented by Microsoftthe rule will not be applied successfully.
Teams still kept blocked, while the dependend Apps like SharePoint were still wörking, from out the same CDA rule.
MS documentaion to exclude office apps
…15 votes -
Cross tenant support for managed identity
Please add support for cross tenant use of managed identities. Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant
34 votesThank you for reaching out to feedback suggestion forum. Please share more information around your scenario/use-case, end goal, what type of tenants/directories etc. this will help us to understand need and design this integration.
-
Enable OATH / Hardware Token as Second Factor in GCC High Environment
Currently the Commercial Clouds support OATH hardware tokens (pre-programmed tokens that can serve as the second factor in MFA). This feature is sorely needed in GCC High as there are times when a user must login from a location where their phone is not available. Please add MFA/hardware token support to GCC High.
13 votes -
Disable user's ability to change password (via cloud/portals) disable service self for any one
Disable reset password :https://account.activedirectory.windowsazure.com/ChangePassword.aspx
for all students44 votes -
Allow Microsoft authenticator to transfer from Android to iphone
Microsoft authenticator to transfer from Android to iPhone. Currently iPhones can only restore Microsoft Authenticator backups from iCloud.
31 votes -
Extend FIDO2 passwordless AAD support to mobile browsers on Android, iOS etc.
Please extent support for FIDO2 passwordless AAD sign-in to mobile browsers. According to doc: https://docs.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility no mobile browsers are currently supported. Mobile Edge is not even listed.
We were looking forward to equip Android tablet-only users with Yubikeys to be able to do FIDO2 passwordless sign-in to Office 365 and 3rd party web services using Azure AD as an IdP. Especially those users could benefit most from a passwordless sign-in. However, the sign-in option 'Sign-in using a security key' is currently not available when using a mobile browser to connect.
What are the plans? Will this become available in the…
7 votes -
Azure AD role to unblock or block MFA for users
I am unsure if someone posted an idea about this, but is there an existing Azure AD role that allows an administrator to block or unblock MFA for users? As it seems today, only a Global administrator can unblock or block MFA for a user. If there an Azure AD role that does this today, please let me know. Otherwise, it would be nice to incorporate the block/unblock MFA permission with an existing role or create a new one. Just a thought! :)
34 votes -
Add an additional less complicated data restore option that would allow the Azure support team to manage an AADDS restore
In general, today an extensive AADDS backup and restore option exists and we worked with both the support group as well as the Product group to utilize this recently. Due to the complexity of this restore we would like to request the following:
A more targeted restore that would allow for a restore/backup of the Domain Services data rather than an entire infrastructure DR type restore that would be in general a simpler second option.28 votes -
Include a Parameter/Indicator in Azure AD Sign-in Logs
Requesting PG team to look into the Azure AD Sign-in Logs and include any indicator/parameter to state that the password entered was correct although the access to M365 resources were blocked. This will not only help us to detect brute force attacks but also to understand any account compromises.".
6 votes -
Enable Microsoft Autofill with Azure AD work and school accounts
The Microsoft Autofill function in the Microsoft Authenticator is currently only available for Microsoft accounts.
Enable the Autofill feature in the Microsoft Authenticator and Microsoft Autofill browser extension for Azure AD work and school accounts.
12 votes -
Enable Temporary Access Pass use during AutoPilot enrollment
I should be able to provide a Temporary Access Pass to a new user in order for them to drive the AutoPilot OOBE. So that they can enrol for Windows Hello for Business and passwordless authentication without having to use a password or register for MFA.
It looks like you had it working perfectly but then took it away!
https://www.inthecloud247.com/my-first-experience-with-temporary-access-pass-during-windows-autopilot-enrollment/"A Temporary Access Pass cannot be used with the Network Policy Server (NPS) extension and Active Directory Federation Services (AD FS) adapter, or during Windows Setup/Out-of-Box-Experience (OOBE) and AutoPilot."
Note this flow works on Android so why not on Windows…
8 votes -
Update the Microsoft Graph Security API event when logic app add comment to Azure sentinel' incident
Scenario
1. Azure sentinel analytic rule trigger, then it creates the incident alert in Azure sentinel and then Microsoft Graph captured the incident alert info.
2. Logic app playbook check if there is an incident alert, then query the data and then add it to the incident's comment.
3. I tried to query the Microsoft graph security API in PowerShell and then discovered that the incident alert result was not updated for including the incident comment.
4. I checked with various teams (Microsoft graph security team, Microsoft Sentinel Security Team, Microsoft Logic app Team ). the Microsoft Security API team…4 votes -
dynamic membership for administrative units
Managing user memberships for administrative units should be make possible by dynamic membership!
So for instance the memberships should be auto-updated based on the department field of the user. (or any other attribute)
81 votes -
workday: allow writeback of matching user employee id from different ERP system
The Workday Writeback connector needs the capability to writeback a users emplid from an adjacent ERP system. We are using WD HCM and WD financials, and we are using Peoplesoft Campus Solutions for student information system. We need a way to write the Peoplesoft Employee ID back to workday into a custom workday attribute.
20 votes -
Azure AD SSO with SAML2.0 should support the Relay State parameter
SP-initiated SSO is working fine, but we're interested in doing IDP-initiated SSO with a RelayState. Our goal is to provide a seamless SSO experience for the user so that they can SSO from our application directly into an Azure component (Azure Synapse, Azure Data Factory, etc.) without having to first enter their UPN on the Azure AD login page. This feature is supported in AD, but not Azure AD.
11 votes
- Don't see your idea?