Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Allow Conversion of AD Synced Accounts to "In Cloud Only"
Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.
145 votes -
Request for registration of OATH token and connection to user:
We would like you to allow end users to register OATH token by themselves as well as other multi-factor authentication notifications (i.e. telephone and SMS)
If our request above is not permitted, please consider the following to reduce the time and effort of the administrator:
- Registering OATH token information prior to registration of associated user information
- Connecting the user and OATH token by GUI operation from Azure portal instead of importing CSV
- No entering authentication code when activating OATH token46 votes -
banned password message azure ad password protection
Add GPO or client to Windows Client for Azure AD Password protection to display the corporate password policy on login when the user's change password and it's banned. Give users on prem what they can and cannot use as feedback if they put a bad one in.
40 votes -
OAuth pre-authentication in Azure Application Proxy
Currently pre-authentication in Azure Application Proxy implies user interacive logon to Azure AD. It would be great if one could choose an option to pre-authenticate as a annplication with a token in the same Azure AD tenant (and select an Oauth app which is regitered in the same tenant).
That's very useful when there is an external application/server accessing on-prem app via Azure Appliation Proxy would pre-authenticate with OAuth in Azure AD first and pass this token AAP.27 votesThanks for sharing your feedback. We will be further reviewing this feature and will update soon when we have more details.
-
Set MFA using Azure Active Directory Powershell Module
Add support in Azure Active Directory PowerShell module to set Multi-Factor Authentication (MFA).
Thanks
52 votes -
Enable dedicated App Proxy Authentication Header
When you connect App Proxy with pre-authentication via a native client following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application the authentication header is removed by the App Proxy. This stops single sign on requests from working and breaks a number of automation scenarios if the backend service does not support a dedicated authentication header. Ideally I would like to see the following behaviour:
1. By default the Authorization header is used to authenticate with App Proxy
2. If multiple values are provided as per https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers each one is checked for authentication against App Proxy, if one is valid, remove it from the header…16 votesThank you for your feedback. We are reviewing this requirement and will update once we have more details.
-
azure active directory role
I have a scenario where azure active directory users login to fronend app and will be able to handle user administration using graph apis. These users will not having access to subscription/resources these users are access to only Azure AD who can update/create/delete usrs/profiles. To achieve those actions users should have user admin directory role. But the issue here is these users can login to azure portal and have admin assess to all users. For ex: if I have few applications where users are different i can manage from frontend app and business logic to show only users to related…
25 votesValid feedback. Open for customer upvotes
-
Support NPS/RADIUS for Azure AD Domain Services
Add support for Microsoft NPS/RADIUS in Azure AD Domain Services
205 votes -
Conditional Access for B2B Guest users
For Conditional Access Policy applicable for B2B Guest Users, in Azure AD > CA Policy we do not have option for selective selection of B2B Guest users under 'Users and Group' section in CA Policy. But for Cloud Member users we have option for selective selection of users. Why we don't have same capability and functionality kept for B2B Guest for which we have for Cloud Member users in CA Policy? Also why we are saying it as Preview Mode?
21 votesWe’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?
-
Azure People Picker needs to display more information
the people picker in azure active directory is very hard to use for group management because in large directories it's highly likely that multiple people will have that exact same name. it's also highly likely at a University that employee will also be a student and will have a separate account. When trying to add someone to a group, the AAD people picker only shows name and account name. it doesn't show any other descriptive information to help choose between accounts. Self service group management is a great feature but how are end-users supposed to know which peter pan is…
13 votes -
Improve Exchange online administration via Graph API
The following 8 fields of on-premise users cannot be read or updated by using the Microsoft Graph API.
1. altRecipient
2. mDBUseDefaults
3. msExchRBACPolicyLink
4. msExchPoliciesExcluded
5. protocolSettings
6. homeMDB
7. ntSecurityDescriptor (DACLs)
8. msExchDelegateListLink
The following fields cannot be updated by using the Microsoft Graph API.
1. proxyaddresses
2. mdbStorageQuota
3. mdbOverQuotaLimit
4. mdbOverHardQuotaLimit
5. msExchHideFromAddressLists
6. msExchELCMailboxFlags
7. msExchExternalOOFOptions
8. msExchOmaAdminWirelessEnableTwo possible solutions :
• All listed fields will be included in the AAD-sync tool so that these fields are synchronized
• All listed fields will be included in the Microsoft Graph API and can be administrated…12 votes -
Users must not delete resource groups if they are not allowed to delete the resources.
We created custom roles to allow another team to operate our environment. To avoid accidental deletion of data, we removed the delete action for several storage components, for example Data Lake Store Gen1.
Unfortunately when deleting a resource group, it completely ignores the permissions on resource level. For example, I do not have deletion rights on ADLS, but I can still remove it, by deleting the whole resource group.
Resource Groups are simple containers and restricting people on managing them on their own will have a huge impact. We will waste a lot of time to define processes and executing…
25 votes -
Add an option to bypass service plan dependency check when assigning license to group
The Azure portal does not allow assignment of an add-on license to a user group unless a base license with prerequisite service plans is also assigned to the group. Example: Audio Conferencing can only be assigned to a group if (e.g.) Office 365 E3 with the Microsoft Teams service plan enabled is added to the group at the same time.
The problem is that most of our customers have a mix of Office licenses. In order to avoid service plan conflicts and unnecessary license usage, we would need to create a group for each possible combination of the addon and…
40 votesThis is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.
-
MFA: remember device permanently (& remember per device, not per app)
Please:
1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
2. Make it so that MFA is remembered once per *device* (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or…
145 votes -
Add support for Kerberos AES and drop RC4_HMAC_MD5
Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature" the "Seamless SSO uses the RC4_HMAC_MD5 encryption type for Kerberos."
Please add support for modern ciphers and drop that obsolete RC4_MD5!57 votes -
Group Management: show device id when selecting devices
When adding devices to a group, only display names are shown in the selection panel. If customers registered many devices with display names like "iPhone", lots of "iPhone" are shown in the list and admins cannot tell them apart. When adding users to a group, display name and UPN is shown as a unique identifier.
Could you show device ID in addition to display name of each device?
11 votes -
Combined security information registration (Preview) language issue
The Combined Security Information Registration outlined in the follow documentation is not functioning as described.
The Language is not pulling from the browser. In my scenario if I set this up using French language and have my German users attempt the process they are receiving the security questions in French and not German. The documentation outlines the language settings are of the computer accessing the page. This is not what I am experiencing.
9 votes -
Azure Active Domain Services Synchronisation Report
Currently, it is not possible to get accurate information from AADDS about what and when attributes are synchronised from Azure AD to Azure ADDS. It would be most helpful if customers could query on a per user or per directory basis to find out what attributes were synced and at what time (including password changes)
13 votes -
Support pin to taskbar in Enterprise State Roaming
The taskbar settings work with Enterprise State Roaming, they roam between different computers, but not the pinned apps. When users work at different computers, the roaming of pinned apps would be the most valuable part of a roaming taskbar.
40 votes -
Workday-driven automatic AD group assignment
When a new AD account is created using Workday, it should be possible to assign birthright AD groups to the user automatically.
21 votesThank you for your feedback. We are reviewing this feature request and we will post an update on it. Please keep voting so we can prioritize it.
Thanks,
Chetan
- Don't see your idea?