Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Request for registration of OATH token and connection to user:

    We would like you to allow end users to register OATH token by themselves as well as other multi-factor authentication notifications (i.e. telephone and SMS)

    If our request above is not permitted, please consider the following to reduce the time and effort of the administrator:
    - Registering OATH token information prior to registration of associated user information
    - Connecting the user and OATH token by GUI operation from Azure portal instead of importing CSV
    - No entering authentication code when activating OATH token

    67 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  2. Set MFA using Azure Active Directory Powershell Module

    Add support in Azure Active Directory PowerShell module to set Multi-Factor Authentication (MFA).

    Thanks

    109 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  3. Exclude Emergency Access account from Security Defaults

    Microsoft has done a great job by releasing security defaults, however it's lacking the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA.

    This is similar to the built-in Administrator account in traditional Active Directory, without the ability to exclude a single account most organizations without AAD P1 licensing will simply leave security defaults turned off.

    If we want fine grained exclusions or multiple emergency access accounts it would then make sense to purchase…

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  4. We would like to activate MFA at our designated time.

    At present, MFA is activated at the time when the administrator enables MFA per user.
    We would like to activate MFA at the administrator's designated time. We believe that this enables us to broaden our range of operation.
    It would be great if we could, for example, control by designating the time to parameter "RememberDevicesNotIssuedBefore".

    24 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. Give option not to use trusted device as the MFA source

    We have noticed you don't get prompted for MFA, even if you have, "Require multi-factor authentication", "All Locations" and "Browser" ticked in Azure.

    I've been told by Microsoft Support that this is because the device I'm logging in from is a, "Trusted Device" (It is a Windows 10 laptop with, "Access work or school" in Accounts configured).

    You get prompted for full MFA if using Google Chrome, but if you are using Edge or IE then this is bypassed because the laptop fulfils the MFA request.

    In Conditional Access policy, "Require multi-factor authentication" is defined as, "User must complete additional…

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. Change the message text to "Use a verification code from my mobile app or hardware token"

    Currently, when users configured Azure MFA for hardware token and phone number, they can choose MFA method when signing in azure portal.
    In the Azure AD logon page, users see following options.


    ・ Use a verification code from my mobile app

    ・ Text +XX XXXXXXXXX

    It's not intuitive for customers to choose "Use a verification code from my mobile app" even though they are using hardware token.
    So please change the message text to "Use a verification code from my mobile app or hardware token".
    I am support professional and I am receiving unnecessary support calls from users because the…

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  7. Move Identity Protection MFA Registration Policy to Azure AD Free or AADP1

    Each customer needs an easy way to request the MFA registration of his employees. With Conditional Access the registration is unfortunately only requested when the employee needs MFA for the first time, but the previous registration would be much better. Therefore, please move the Identity Protection MFA Registration Policy to Azure AD Free or at least AADP1.

    Yes security defaults would accomplish this but I have a lot of AADP1 / E3 customers that would like to enforce the enrollment. A workaround would be via SSPR reg policy. The CA policy with user action would only "secure" the registration not…

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. MFA: remember device permanently (& remember per device, not per app)

    Please:
    1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
    2. Make it so that MFA is remembered once per device (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).

    Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or…

    212 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  9. Require re-register MFA, it should revoke Microsoft Authenticator app, not just phone numbers.

    When revoking a users MFA sessions and requiring re-registration of MFA, AAD only removes the phone numbers from the users account. It does not remove the associated Authenticator app. There is no method to for a Global Admin to remove the Authenticator app association from the user. The only supported method is for the end user to log-in and remove it from the myprofile.microsoft.com page.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add application name (and/or IP) to MFA prompt

    Hi,

    Currently the MFA prompt on the mobile device is very limited in the amount of information being shown. My users are getting prompts sometimes out of the blue, and they don't if those are legitemate or fraudulent.

    Legitemate prompts that are asynchronous from users:
    - Outlook on some computer needing to provide MFA again after X days
    - Outlook on mobile needing to provide MFA again

    Fraudulent:
    - Somebodies password was phished.

    The idea is to add some more context information to the MFA prompt in the authenticator app:


    • Application name requesting MFA, or

    • IP Address / geolocation, or
    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  11. Show Sign-in info (location, client, device-type, etc) in Authenticator app

    especially for users (e.g. admins) who receive a lot of MFA signin requests via their Authenticator App (sometimes at unexpected moments), it is crucial that they can quickly verify where the authentication request originated from (detailed location info) and more details on the device (client app, device-type, etc) so the user can make an informed decision if the MFA authentication request on his phone is legitimate or not.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  12. MFA unblock on same menu as MFA settings

    Put MFA unblock on same menu as MFA settings.

    In the MFA settings menu "Admin Center, AAD, Users, MutiFactor Authentication, select user and then click on ‘Manage User Settings", there is no setting to ‘unblock’ the user. To unblock user, you have to go to "Admin Center, AAD, Security, MFA, Block/Unblock Users"

    May I suggest that the unblock user setting also appear in the "Admin Center, AAD, Users, MutiFactor Authentication, select user and then click on ‘Manage User Settings" menu?

    And/or consider under "Admin Center, AAD, Security, MFA" that you point to the same menu where you can manage user…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  13. Make a prompt for MFA popup on Windows 10 for Always On VPN

    We are testing MFA for Always on VPN. Whenever the conditions match to trigger Always on VPN, there needs to be a popup on Windows 10 to notify you of the MFA request. Currently Windows 10 doesn't even tell you its asking for MFA, just says verifying info.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  14. Combined security information registration (Preview) language issue

    The Combined Security Information Registration outlined in the follow documentation is not functioning as described.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined

    The Language is not pulling from the browser. In my scenario if I set this up using French language and have my German users attempt the process they are receiving the security questions in French and not German. The documentation outlines the language settings are of the computer accessing the page. This is not what I am experiencing.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Conditional access validated prior to password

    Today, authentication validated the password before hitting the conditional access, therefore allow for password sprays to lock the accounts.

    Office 365 and Azure logins should take the password (as we do today), proceed with conditional access, even if the password is wrong, allowing conditional access to block password sprays. Then if the password is incorrect, deny the access or send for approval in the azure app or request the token, whatever is the preferred choice for MFA.

    Hope I was clear...

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  16. NPS Extension does not allow changing expired password

    We use the the Azure MFA NPS extension for our VPN solution. It would be really helpful if there was a way to allow users to change their password when it expires. At the moment, the user gets denied access with no reason.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. One-time Bypass in Azure MFA Cloud Only

    We need an option to allow for one-time bypass to allow users to reset their MFA if they dont have access to their Authenticator App (phone damaged or lost,stolen). Phone number as backup is not an option

    52 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  18. 1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  19. Show the Country and App/OS that triggered the MFA request via Authenticator app pop up

    If using the Microsoft Authenticator app with App Notifications for Azure MFA requests why can't we also have the Country and App or OS which has triggered the MFA request?

    This will help users from blindly always tapping Approve and also give them more info on what app has requested MFA.

    You can already see this info in the Azure AD sign in and audit logs so why can't it be pushed through to the app pop-ups too?

    24 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  20. 0651102147

    Ik ben altijd samen met mijn tellefoon en die geef ik niet uit handen. Ik ben de eigenaar van de IPhone XR. Ronnybryden

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 16 17
  • Don't see your idea?

Feedback and Knowledge Base