Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support for User-Agent Client Hints
User-Agent string is being retrieved as part of Azure\o365 audit log. The User-Agent is being used by security tools.
Google is planning to deprecate the User-Agent string in their Chromium engine (will affect Chrome, Edge and any app or browser that users Chromium). more info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. the current timeline is mid of 2020. Instead of the User-Agent string, they plan to add the User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/
Need to have the new User-Agent information available in the audit log and the APIs.
83 votes -
Enable "Sign in with Azure AD Credentials" option for Windows Server 2019 Server Core images
As per documentation here: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
Sign in with Azure AD Credentials feature available only for full Windows Server 2019 Datacenter installations. Would be great if Server Core images of server 2019 will also have this feature enabled.47 votes -
Eliminate delays when activating the SharePoint Administrator role in PIM.
Currently it can take up to 1 hour or more to wait for permissions to be propagated in the SharePoint environment after activating the SharePoint Administrator role. Logging out, closing all browser windows -- nothing helps.
This results in lost work time for administrators that require these permissions to do their daily job. And is even worse when there is an issue during off-hours. It does not help your relationship with a business client to tell them that you have to wait for the system to "kick in" and cannot provide an estimate for how long that may take.
Any…
46 votes -
Exclude Emergency Access account from Security Defaults
Microsoft has done a great job by releasing security defaults, however it's lacking the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA.
This is similar to the built-in Administrator account in traditional Active Directory, without the ability to exclude a single account most organizations without AAD P1 licensing will simply leave security defaults turned off.
If we want fine grained exclusions or multiple emergency access accounts it would then make sense to purchase…
59 votes -
Add AAD App Registration Support to ARM Template
Currently the ARM template schema for AAD only supports Domain Services (https://docs.microsoft.com/en-us/azure/templates/microsoft.aad/allversions)
Please add support for AAD app registration so an offer can add and configure the registration for the customer.
69 votes -
Give users the ability to request that a resource be delete if they don't have permissions to delete it themselves
When a user does not have permissions to delete an Azure resource but needs it deleted it creates an offline process to request, track, and then select that item to be deleted.
It would be more efficient, reduce errors, and create an audit if the user who wanted to delete a resource was able click a button/link when prompted that they don't have permissions to request the deletion that would then be carried out by someone who is in the group that has permissions to unlock/delete.
25 votes -
Return value for AuthenticationMethodsUsed in Get-AzureADAuditSignInLogs
To easily get a report via PowerShell for "MC191153, beginning October 13, 2020, we will retire Basic Authentication"
If AuthenticationMethodsUsed would be populated to show who is using Basic Authentication currently.
29 votes -
Confidential attributes
It is very common to for an IAM / IGA solution to have more attributes than is readable by the user, such as SSNs or other sensitive information. In Windows Server AD, the "confidential bit" can be used to have an attribute in AD only available when specifically granted permission to read it.
Such as feature is highly needed in Azure AD, as today, any user can read essentially any attribute of other users.
Primary use cases:
- Ability to issue SSN or other sensitive info in encrypted SAML token
- Ability to sync SSN or other sensitive info using…29 votes -
Allow Multi-Stage Reviews And Active Directory Manager Reviews
Please allow multi-stage reviews. This is already the case for approvals. Compliance/Audit teams typically have one person/group reviewing fist, and another person/group of higher job title/function/level reviewing after.
Also, we already have the option to make the Manager (via the manager attribute in Active Directory) an approver. Please make this available for Reviews as well.11 votes -
Add an information in the portal about object count in AzureAD | Or warn before limit is reached
Please add a information to the Portal, how many objects are in AzureAD.
This is critical because sync stops when the limit (Standard is 300 000 at the moment) is reached.
To have a Information about actual object count in Azure AD would easily help to avoid issues with sync.
Microsoft sends a Mail when threshold is reached, please add also a feature to send a warning in advance, e.g. when 80% of 300 000 is reached, so a quota raise can be done before there is an outage.
Further, it is unclear how customers can count object count on…31 votes -
Provide a way to read the device & user attributes used by Dynamic groups
Working with dynamic Groups could be hard and painful, if you do not know the value of the attribute of an AAD object that you want to group.
My idea is to have the ability to read this kind of attribute directly on an AAD Object.
You know the “Attribute Editor Tab” in the “Active Directory Users and computers” good old fashion MMC?
That is that I want for an AAD object! =]I have an experience to illustrate my need:
MS doc says that to group your Intune enrolled devices you have to use the (device.managementType -eq "MDM").
It…
18 votes -
Need to be able to distinguish Federated and PTA/PHS Login
Need to be able to distinguish Federated and PTA/PHS Login while in the process of migrating users with staged rollout feature.
11 votes -
Allow Conversion of AD Synced Accounts to "In Cloud Only"
Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.
461 votesWe are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”. -
Need some way to deal with: "AADB2B_0001 : We cannot create a self-service Azure AD account for you because the directory is federated"
Not all B2B invites can be redeemed successfully. Failures happen for reasons that are out of the inviters control (leading to an inability to fix the problem) and are not predictable (leading to poor user experience).
I suspect this problem happens most frequently when a partner organization bungles taking ownership of their tenant. MSFT needs to make it much harder for people to render their production tenant in such a disfunctional state.
60 votes -
Capture and display a last login date
When reviewing a user's profile, a last login date for any Azure AD/Office 365 login should be captured/displayed, so that admins can evaluate inactive users for account disable and license recovery.
81 votes -
Conditional access policy by location should be standard feature
Conditional Access policies to block access from countries should be a standard security feature and organizations should not have to upgrade to E5 or Azure P2 to use this feature. We see failed sign in attempts everyday from countries such as China and Russia. It would block out 99% of the malicious sign in attempts if we could simply implement a conditional access policy by location.
7 votes -
Getting more granular permissions with Graph API and SPO sites
Do we have any plans to allow Azure AD-registered apps accessing Microsoft Graph APIs (such as SharePoint Online) to have more granular permissions? Can we get SharePoint Online (SPO) to enforce more granular authorization rules based on the app identity and some manifest rules to restrict the site collection for example, instead of Sites.Read.All? I am looking for something like this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, but for Azure-AD apps (where we can specify really granular permissions).
This question is around the ability to customize Microsoft Graph APIs such as SharePoint Online APIs to restrict the site collections that can be accessed by…
133 votes -
Enable Azure AD Password Protection in Azure Government
This is a feature available in Azure public, please add this feature to Azure Gov. With this enabled, we have much more flexibility in terms of make passwords maintenance easier for our users.
17 votes -
MicrosoftAzureActiveAuthn App Should be Hidden
There's an app visible to users in the portal - MicrosoftAzureActiveAuthn (https://account.activedirectory.windowsazure.com/applications/signin/MicrosoftAzureActiveAuthn/0000001a-0000-0000-c000-000000000000?tenantId=REDACTED) - that is not a "real" app and shouldn't really be visible. Users that do click it arrive at an error page. We're not able to change its visibility via the Azure AD blade in the Azure Portal, however - the field is missing. I think that either the AAD or My Apps portal teams should take action to ensure this infrastructure app is not visible to users.
13 votes -
Custom SAML Certificate common name
We store SAML signature certificate in our documentation system to log the expiration and track them as part of our documentation.
We saw, that the common name of all created certificates is 'Microsoft Azure Federated SSO Certificate'. I would like to have the application name (at least) included in the common name. It could be possible to set a custom common name as well.
That would make it much easier to identify the corresponding application.
7 votes
- Don't see your idea?