Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support for User-Agent Client Hints
User-Agent string is being retrieved as part of Azure\o365 audit log. The User-Agent is being used by security tools.
Google is planning to deprecate the User-Agent string in their Chromium engine (will affect Chrome, Edge and any app or browser that users Chromium). more info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. the current timeline is mid of 2020. Instead of the User-Agent string, they plan to add the User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/
Need to have the new User-Agent information available in the audit log and the APIs.
78 votes -
Exclude Emergency Access account from Security Defaults
Microsoft has done a great job by releasing security defaults, however it's lacking the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA.
This is similar to the built-in Administrator account in traditional Active Directory, without the ability to exclude a single account most organizations without AAD P1 licensing will simply leave security defaults turned off.
If we want fine grained exclusions or multiple emergency access accounts it would then make sense to purchase…
33 votes -
Notify before App Registrations Client secret expiry
For secrets and certificates in Azure Key Vault we can set up certificate contact and "EmailAtNumberOfDaysBeforeExpiry".
For App Registrations with client secrets, they just expire (and we get outages).
Please make it possible to get notifications about everything that expire in AAD before they expire, so that we can keep our services running.
No, this can't be monitored/pulled from outside of Azure, as we e.g. run in national clouds where we don't have access on our own.
72 votes -
Getting more granular permissions with Graph API and SPO sites
Do we have any plans to allow Azure AD-registered apps accessing Microsoft Graph APIs (such as SharePoint Online) to have more granular permissions? Can we get SharePoint Online (SPO) to enforce more granular authorization rules based on the app identity and some manifest rules to restrict the site collection for example, instead of Sites.Read.All? I am looking for something like this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, but for Azure-AD apps (where we can specify really granular permissions).
This question is around the ability to customize Microsoft Graph APIs such as SharePoint Online APIs to restrict the site collections that can be accessed by…
116 votes -
Allow Conversion of AD Synced Accounts to "In Cloud Only"
Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.
320 votesWe are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”. -
Confidential attributes
It is very common to for an IAM / IGA solution to have more attributes than is readable by the user, such as SSNs or other sensitive information. In Windows Server AD, the "confidential bit" can be used to have an attribute in AD only available when specifically granted permission to read it.
Such as feature is highly needed in Azure AD, as today, any user can read essentially any attribute of other users.
Primary use cases:
- Ability to issue SSN or other sensitive info in encrypted SAML token
- Ability to sync SSN or other sensitive info using…17 votes -
Need some way to deal with: "AADB2B_0001 : We cannot create a self-service Azure AD account for you because the directory is federated"
Not all B2B invites can be redeemed successfully. Failures happen for reasons that are out of the inviters control (leading to an inability to fix the problem) and are not predictable (leading to poor user experience).
I suspect this problem happens most frequently when a partner organization bungles taking ownership of their tenant. MSFT needs to make it much harder for people to render their production tenant in such a disfunctional state.
35 votes -
Block access to Azure at subscription-level based on device state
Many companies would like the ability to enforce Azure Conditional Access on a Azure subscription-level, which should require the user to have a managed device (Hybrid Azure AD Join / Intune managed device).
The reason for the ask is that some companies have highly sensitive information in some Azure subscription and other subscriptions is used for agile collaboration with partner (Azure B2B) with reduced security requirements for sign-in to Azure subscription.
Basically the same feature that is provided by the SharePoint team.
Provide "Conditional Access" on a SharePoint Online Site Collection Level:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/11125038-provide-conditional-access-on-a-sharepoint-onlinControl access from unmanaged devices:
https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices16 votes -
Add a sort of SSO for Native Apps that use ROPC
In a scenario where you develop multiple Native Applications and use Azure AD as Identity Provider, it would be useful to have a way to obtain a sort of SSO even if those native applications use ROPC.
For example, if i develop App1 and App2 and both apps are installed on the same device and configured for the same AAD tenant, if i use ROPC to obtain an idtoken or accesstoken in App1, it would be useful to be able to retrieve another token on App2 without entering credentials.
Maybe exposing an API from the Authenticator broker?
16 votes -
Add AAD App Registration Support to ARM Template
Currently the ARM template schema for AAD only supports Domain Services (https://docs.microsoft.com/en-us/azure/templates/microsoft.aad/allversions)
Please add support for AAD app registration so an offer can add and configure the registration for the customer.
20 votes -
Request for registration of OATH token and connection to user:
We would like you to allow end users to register OATH token by themselves as well as other multi-factor authentication notifications (i.e. telephone and SMS)
If our request above is not permitted, please consider the following to reduce the time and effort of the administrator:
- Registering OATH token information prior to registration of associated user information
- Connecting the user and OATH token by GUI operation from Azure portal instead of importing CSV
- No entering authentication code when activating OATH token77 votes -
Azure AD AWS Cli Authentication
Following Microsoft article below, it is possible to federate Amazon AWS console with AzureAD
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorialbut Amazon also provide API/CLI access to perform everything that is possible via the web console and more. Please see the link below for more info
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.htmlTo configure the CLI/API we used to use the credentials setup on IAM but with AzureAD authentication there is no IAM user anymore but instead we'd have to use AWS STS to get similar credentials.
As it stands, currently it is not possible to use AzureAD as an IDP for CLI access using federation.
In general, when…
11 votes -
Multiple Active UPNs - One User Active in Multiple Disconnected On Prem Forests
Some organizations are federated for purposes of identity/branding only. Multiple disconnected on-prem forests ma exist with a single joined attribute such as email/samaccountname. Password synchronization may also already exist. Users then may exist and be active in multiple on premise forests. Allowing for Multiple Active UPNs in one Azure AD would allow better allocation of entitlements in these organizations. SSO could be directed to the appropriate Azure AD connect agents for seamless SSO. Hopefully, features such as WHfB and Hybrid device join could fit into this paradigm. Since Azure AD is modern and more flexible, this would negate a need…
16 votes -
Outbound IP range for RestfulProvider technical profile to allow IP Whitelisting
The issue is that B2C outbound calls can come from any of the Azure IP Addresses documented here : https://www.microsoft.com/en-us/download/details.aspx?id=56519 It is unrealistic to whitelist every single one of them in target APIs. Please provide a narrowed down source IP range for these outbound calls.
See also: https://github.com/MicrosoftDocs/azure-docs/issues/46544
11 votes -
Support service-principal impersonation so that SPs can act on behalf of another SP.
I want to allow certain SPs to operate on behalf of other SPs. For instance, I want to allow a signing bot to access Key Vault on behalf of my SP, but only when I call it, and not any other time. This is needed for scenarios like Key Vault, SQL, and other scenarios where my SP has RBAC/ARM privileges that another SP may need to use.
14 votes -
Move Azure AD Domain Services between subscriptions
Currently a lot of services/resources can be moved from one subscription to another. This way it's possible to move services to a CSP (by moving to their Azure Plan Subscriptions); or change CSP.
Unfortunately this is not possible with Azure AD Domain Services. That means that when this is created in a subscription under a CSP, there's a CSP lock-in. Of course this is very much undesirable for a customer.
Please allow for Azure AD Domain Services to be moved between subscriptions.
11 votes -
Re-enable bulk invite from Azure Portal (B2B guests
The bulk invite (preview) functionality to invite multiple B2B guests was available on Azure Portal and was working fine. It has been disabled since 22nd Dec with no current deadline/timeline to re-enable it.
When I checked with Microsoft Product team they asked me to raise this as an idea here and that they will re-enable if there was enough community support.
Refer this for the functionality that I am referring to https://docs.microsoft.com/en-us/azure/active-directory/b2b/tutorial-bulk-invite
11 votes -
Scoring password in Azure AD password protection
Today, Azure AD Password Protection scores the normalized new password with this rules:
1. Each banned password that is found in a user’s password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.If you use a banned word like "contoso", the score of the password grows with +1. A new password with 5 banned password(s), you will have an accepted password.
If you choose one of the following password as a new password, it will be accepted:
"contosocontosocontosocontosocontoso" --> [contoso]…
27 votes -
B2C sign up verification code in email will expire in 5 minutes. Is it possbile to extend the validity?
B2C sign up verification code in email will expire in 5 minutes. Is it possible to extend the validity? I have heard several feedback that 5 minutes isn't practical in real world.
22 votes -
Allow any App registered in Azure AD to have its own customized login page UI like in Azure AD B2C
Nowadays, on Azure AD, you can customize the login page UI at the Organization level. This means ALL the registered apps will share the same UI, same branding, same css, etc.
Please, add a way to customize the Azure AD login page UI & branding per-app like Azure AD B2C does via Custom Policies
10 votes
- Don't see your idea?