Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
letsencrypt integration
enable lets encrypt integration for custom domains in Azure Application Proxy.
this reduces the cost and process effort of the certificates.8 votes -
Enable dedicated App Proxy Authentication Header
When you connect App Proxy with pre-authentication via a native client following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application the authentication header is removed by the App Proxy. This stops single sign on requests from working and breaks a number of automation scenarios if the backend service does not support a dedicated authentication header. Ideally I would like to see the following behaviour:
- By default the Authorization header is used to authenticate with App Proxy
- If multiple values are provided as per https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers each one is checked for authentication against App Proxy, if one is valid, remove it from the header and pass…
26 votesThank you for your feedback. We are reviewing this requirement and will update once we have more details.
-
Allow MFA functionality while Publish Cloud Printers
While running Publish-CloudPrinter, MFA is blocking the ability to complete. MFA prompting through the Microsoft app should be allowed so security of the system/environment is not scarified to complete the setup.
4 votes -
OAuth pre-authentication in Azure Application Proxy
Currently pre-authentication in Azure Application Proxy implies user interacive logon to Azure AD. It would be great if one could choose an option to pre-authenticate as a annplication with a token in the same Azure AD tenant (and select an Oauth app which is regitered in the same tenant).
That's very useful when there is an external application/server accessing on-prem app via Azure Appliation Proxy would pre-authenticate with OAuth in Azure AD first and pass this token AAP.35 votesThanks for sharing your feedback. We will be further reviewing this feature and will update soon when we have more details.
-
Support different paths to on external URL for Azure App Proxy
With hundreds of internal Cold Fusion apps we would like the path in the internal URL to be different in external URL.
As you may know Apache does it simply:
ProxyPass /demo https://{internal server name}/cfapps/{HLQ for demo app}/wwwroot4 votes -
Azure AD Application Proxy wildcard app supporting both http and https for internal URL
I’m trying to publish a huge number of internal applications using wildcard app over Azure AD Application Proxy. Some of the internal applications are available over HTTP, some over HTTPS and some do a redirection from HTTP to HTTPS. All the internal apps must be published over HTTPS.
Now I have found some “complex” workarounds for this scenario, but I’m wondering, if you could add a functionality to Azure AD Application Proxy that helps me to achieve the mentioned goal with using one Azure AD Application Proxy app easily?12 votes -
Allow ADFS equivalent of "Windows Account Name" incoming claim (domain\username) transform to outgoing Name ID claim in Azure SAML SSO
I can easily transform domain\username to Name ID from ADFS using the "Windows Account Name" incoming clam. I can also easily transform claims other than Name ID in Azure SAML to join(user.netbiosname\user.onpremisessamaccountname) to achieve the same thing, but this is not permitted for Name ID. This would allow better legacy compatibility for those trying to vacate ADFS to rely solely on Azure AD SAML SSO.
7 votes -
Web application Proxy on-premises Non-Responsive
We had a recent issue with Web Application Proxy throwing an error 'Maximum no. of Kerberose Attempts exceeded' with error 12008 in WAP server resulting it in being non-responsive. A case has been opened with MS with regards to this as well. When this issue happened WAP server could not authenticate any user. Only resolution was to restart both IIS and WAP Server. This was caused due to left over ghost entries in teh ApplicationHost.config file for the winodws authentication. This issue needs to be addressed in the product as its an issue that can reoccure if the web applications…
2 votes -
Support Remote Desktop Web Client HTML5 on Azure AD App Proxy
Microsoft doesn't support the Azure AD Application Proxy on RD WebClient (HTML5). Like this MFA and Condintional Access would be possible.
Another benefit is that HTML5 works on all Webbrowsers without downloading software.
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin359 votesWe are starting investigation to make this integration happen. We will update you as we progress on the feature and when we have a release date. Thank you so much for your patience.
Send a note to aadapfeedback@microsoft.com if you have questions!
-
Finger print
Offer the fingerprint method
1 vote -
17 votes
-
Get all sharepoint functionality supported or clearer specify what work and what doesnt or how to work around issues?
While publishing sharepoint through guide published https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-sharepoint-server mostly works ok, we have issues accessing the SOAP api and specifically opening office documents through the rich client applications and syncing document libraries. I have some fiddler traces of the traffic flow with and without app proxy and I think it breaks on accessing /sites/sp/ourinternalsitename/vtibin/cellstorage.svc/CellStorageService It works by using the local/on-premise url so sharepoint should be working correctly. Is this a supported scenario that's supposed to work?
Documents work when we open through a passthrough published office online server / web apps server and edit online, but the functionality on…
3 votes -
support organization branding and customization of Azure app proxy error
Hi,
We have few customers who wants to Customize Branding on Azure AppProxy error and also add some custom text such as Helpdesk contact number in case the user wants to reach the Helpdesk. Can you please incorporate the same in your next update.
1 vote -
Azure AD App Proxy - SSL Certificate Renewal
when renewing the ssl cert it would be good to upload just once and have it propogate to all apps using the current cert that is about to be replaced.
We use wildcards for a single domain so would be good to have this rather than upload the same file 50 times and counting to update our cert,
ANytime you create a new application it knows to use the same cert.
23 votes -
Fully Support WebSocket protocol in Azure AD Application Proxy
The current Application Proxy does not support rewriting ws:// or wss:// URLS from my testing.
We have an application that has it's content (HTML, JavaScript, images ...) hosted by IIS and a standalone service that provides data through websockets.
I created an app proxy for the IIS component requesting content rewriting and created a second app proxy for the websocket service. However, it seems that the first app proxy doesn't know to rewrite the embedded ws:// URLS to point them to the second app proxy.
Also, running a websocket tester against the second app proxy external URL fails as it…
57 votesWe are planning to fully support WebSockets. We will update when we have more details.
-
Protect on premises application(that doesnt support SAML,OAUTH or Ping Access) with application proxy and pass user attributes
Protect on premises application(that doesn't support SAML,OAUTH or Ping Access) with application proxy such that Azure AD does authentication for user and post authentication pass user attributes as an HTTP header request to backend on premises application to identify the user.
1 vote -
Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy
Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy. Currently the Azure Application Proxy does not support the Strict-Transport-Security header. Please make App Proxy support this and maybe other customizable headers for DHS BOD 18-01 compliance. https://cyber.dhs.gov/bod/18-01/ The On-prem solution (Web Application Proxy) is also not compliant.
8 votes -
Please support Group Managed Service Accounts for Azure AD App Proxy
Please support Group Managed Service Accounts for Azure AD App Proxy. Without it we have to manage the Kerberos Constrained Delegation Settings for each App Proxy Connector separately. A misconfiguration at this setting has a fatal security impact so we would really appreciate to do it once per connector group.
11 votes -
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/38767417-can-we-release-a-powershell-cmdlet-for-hide-appli
We were automating the publishing of apps but there is one thing which we could not find a cmdlet for is "can we release a PowerShell cmdlet for "Hide applications from end-users in Azure Active Directory"
This is not exposed via Powershell
1 vote -
Azure AD proxy Connector gateway Timeout
As per Azure AD guideline, Only "Default" and "Long" Application time out value can be assigned to Azure application. Default = 85 seconds and Long = 180 Minutes. But i have few application which takes more than 3 minutes to respond on few UI actions. I am wondering, if we can have a way to override the proxy connector application time out settings. We may consider providing a way in Proxy Connector window service installed on server to increase Backend application timeout.
20 votesThank you for sharing your feedback.
The timeout limit was defined due to two main motivations 1. Security and service SLA 2. The nature of network products and user productivity.
In terms of security, App Proxy is a multi-tenant service and in today’s time and the high load we’re experiencing on our system, we have a limited ability to allow connections to be open for such a long time. Allowing such timeouts will widen our attack surface significantly and reliability of our service.
In terms of productivity, we are dealing with a multi- hop network bound service (traffic from the user browser, to our service, to a connector and to the app). In such an environment there may be impact to parts of the system by adding in this longer timeout. When there is no activity on the wire of a network service it is questionable if the connection is…
- Don't see your idea?