Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support using KeyVault for Application using custom domains and certificates
Add support for using certificates stored in Azure KeyVault when publishing applications using custom domains and certificates through Application Proxy. This eliminates the need to first export the certificate from KeyVault and then upload it. Increases both security and usability.
15 votes -
http2 application proxy
Add support for http2 in the frontend of the application proxy
10 votes -
AppProxy Certificate Import from KeyVault
Currently the only option to associate an SSL cert with the public facing AppProxy is to upload from the local machine.
Would be super helpful if we could retrieve the certificate from a KeyVault in much the same way you do for an AppService.
3 votes -
Application Proxy "Private Services Edge"
Please allow storing part of Application Proxy "Services Edges" on the customer site. For application access, it can hugely improve the performance of web applications by allowing web requests to be processed inside the country with minimal latency.
5 votes -
Disable obsolete cipher suites for Azure app Proxy
Currently legacy CBC cipher suites are enabled, which causes an alert in Chrome/Firefox browsers:
The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-384, and AES_256_CBC with HMAC-SHA1.
Please disable CBC suites or allow customers to choose which cipher suites to use.
5 votes
Thank you for reaching out and sharing your feedback. We made a few improvements such as adding additional ciphers which will allow you to prefer these higher ciphers. However, as you mentioned in the short term we cannot easily turn CBC for all, due to being multi tenant service. That said we are trying to come up with a long term approach for this and analyzing the customer need for this scenario. It would be great if we can connect with you to get a few additional details on your scenarios and make sure we have a good understanding of what your organization needs. Please feel free to reach out to our team to continue the conversation at aadapfeedback@microsoft.com.
-
Support login identity as on Premise SamAccountName for Azure AD users
When the proxy connector creates the Kerberos Application token for B2B or Azure AD mastered accounts with the SSO setting of login identity option of "on premise SamAccountName" the application token doesn't create a CNAME from the SamAccountName value!
Instead it creates the CNAME from the username part of the UPN. Consequentially SPNEGO or IWA applications fail the authentication. This prevents the use of Azure App proxy for B2B users when using IWA / SPNEGO on premise.
This configuration only works when the AD user is synced from on premise. I would like the connector to use the UPN value…
4 votes -
Azure Application Proxy - Multiple external URLs to same internal URL
The ability to have more than one external URL point to the same internal URL.
e.g
1.external.com > internal.local
2.external.com > internal.local
you currently get this error
"Creating new on premises application
Internal url entered is already being used by another application"
1 vote -
Microsoft products are appl
Microsoft products are applications such as Bing, Learn, Academy. Azure-Intune should provision the restrictive coding for proper federalramp reports. The preview shows Bing though no enrollment granted. Let's not systematic the Intranet wall with MAC addresses, however, chip technology to user settings a standard function by automatic machine language. Any ambiguity? Joe Tinger, MCE, MPE
1 vote -
Make Azure Application Proxy available in South Africa North Region
Make Azure Application Proxy available in South Africa North Region, latency is just too high when you have your connector server running on premises. US is 250ms + and Europe is 150ms +. With this kind of latency application proxy will just be too slow to use in South Africa.
7 votes -
Allows customization on Error codes with Azure App Proxy
Currently the Error codes are very generic and disclose the application hosting platform. If this error can be customizable and will not give a potential bad actor obvious information that this application is hosting on Azure app proxy instance.
1 vote -
AD Application Proxy should allow configuration controls through Azure policies
We use policies to standardize resource configurations across all subscriptions and applications. It looks like Azure AD Application proxy service doesn’t have any policy aliases to implement policies.
I want to create policies that ensure 1) the external URLs can only be accessed through https; 2) the application proxy only allows Active Directory Authentication (not passthrough); 3) should only allow HTTP-only cookie; 4) application proxy should use only secure cookie; 5) shouldn’t be configured with persistent cookie.
It would be a great enhancement if we have an option to implement policies on Application Proxies.
1 vote -
letsencrypt integration
Enable Let's Encrypt integration for custom domains in Azure Application Proxy.
This reduces the cost and process effort of the certificates.
13 votes -
Send them new password before and update is issued. My computer has been locked for 3 weeks
I can not get my now password. So
Text me. My now password.
1 vote -
Allow multi-regional AAD Proxy deployment
Hello,
in a globally distributed company, we have a distributed application that uses the same internal URL around the world, and F5 BigIP makes sure that user connects to closest endpoint.
We want to make it available externally via AAD proxy and idea was:
- create AAD Proxy application for each region where we have significant # of users (currently 3 regions - EMEA+US+APAC)
- create connector group in each region
- connect application for each region to respective connector group in that region
Implementing this approach, we found 2 weak points:
1. AAD proxy location follows location of AAD tenant…
2 votes -
Configurable Session Duration.
Right now, when we use applications behind Azure AD Application proxy, we sometimes lose work when working in applications behind Application proxy.
This is because when we post the form we are entering, the session was expired and the browser goes to the login page, automatically signs us back in and takes us back to the page we were on (to an empty form).
We would like a way to control how long the session duration lasts/lasts when idle.
1 vote -
NTLM Windows integrated Authentication
Currently we have an API that works with NTLM negotiation and that would be great to have it behind an App Proxy but there is at this moment no support available.
1 vote -
Disable option to create Conditional Access Policy when Passthrough authentication is enabled
When Passthrough Authentication is enabled for an app published through App Proxy, the authentication process is offloaded to the IdP the company uses.
Because of that, authentication requests cannot be evaluated for Conditional Access.
Thus, turning on Passthrough, should automatically prevent users from creating CAP for the application. Currently, the What-If tool will show that the policy will apply when in reality it won't.
This is documented here:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-faq
This behavior already exists for Single-sign on
2 votes
Thank you for sharing your feedback. We are reviewing this to see how we can improve the experience based on your feedback.
-
Make Azure AD Application Proxy Service available in Middle East/Saudi Arabia region
Our users / connectors are located in Saudi Arabia, but the Azure AD Application Proxy endpoint is in US. This causes a huge delay. Please make Azure AD Application Proxy Service available in Middle East/Saudi Arabia region.
4 votes -
Better error message for App Proxy
When an Enterprise App is enabled for App Proxy, the owners of the app lose access to the SSO settings on the Enterprise App blade. This is intentional due to permission changes in the background, but the error message shown to owners when trying to access SSO settings is too generic. Please update the error message to provide some meaningful info on why the owner no longer has permission to access this setting
1 vote -
Support WIA SSO using SamAccountName for Multiple Domains
Most of the app proxy use cases we have, don't want to use the solution as it doesn't support SSO for applications authenticating users of different domains in the forest through SamAccountName attribute and they can't use different internal URLs for the applications or switch to UserPrincipalName attribute.
1 vote
Thank you for reaching out to feedback suggestion forum. Please share more information around your scenario/use-cases and examples to understand needs. This will help us in design consideration or provide alternative solution.