Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. AAD Connect switch staging mode without global admin permission

    The number of global admins should be kept low.

    In order to allow operation teams to switch services in case of failure, the need to do this with the Global Admin permission should be removed.

    As a service provider we have problems to comply with SLAs because the customer only approves Global Admin authorization temporarily on request. In a 24/7 fault situation, this can not be secured.

    2 votes
    0 comments  ·  Azure AD Connect Health
  2. Azure AD Health Connect Agent for ADFS is out of date

    I tried to download the latest version of the "Azure AD Health Connect Agent for ADFS" from https://www.microsoft.com/en-us/download/details.aspx?id=48261 (version 3.1.51.0) but when I checked the file details (attached screenshot) it is showing it is version 3.1.46.0.
    When I install this agent on one of the ADFS servers it is also installed as version 3.1.46.0.

    Please can the download URL for this agent be updated with version 3.1.51.0 of the agent?

    2 votes
    2 comments  ·  Azure AD Connect Health
  3. Would like to have an alert notification within Azure AD Connect Health when group membership exceeds 50,000

    Would like to have a DCR (Design Change Request) entered in for an alert creation within Azure Active Directory (AAD) Connect Health that would send an alert when more than the default of 50,000 users is exceeded and the syncing stops occurring. Currently there is the limitation of 50,000 and would like to see an alert within the AD Connect Health Dashboard as right now the alerts are hard to navigate as by default they are all the way positioned at the bottom of the FIM logs. Thank you.

    1 vote
    0 comments  ·  Azure AD Connect Health
  4. server 2019 support?

    ADFS connect health support for Server 2019 or just isn't documented?

    3 votes
    2 comments  ·  Azure AD Connect Health
  5. Add AD DS Login Auditing to Agent

    While the AAD Connect for AD FS Agent can help identify some risks related to logins, that isn't a complete solution right now. Further to other feedback requests asking for IP and Application in those reports, I think we could do with the additional information from the AD DS Agent as well. Additionally, being able to search for specific IPs or Accounts to assist in determining the failed login sources (and dates/times) would be very useful.

    2 votes
    1 comment  ·  Azure AD Connect Health
  6. Revise licensing requirements for initial registered agents

    The current licensing system requires 25 AAD Premium licenses for each additional registered agent beyond the first (i.e. 26 licenses for 2 agents, 51 licenses for 3 agents, etc ...). That's a shame as it makes it impossible for smaller businesses to get even close to full coverage of their relevant infrastructure.

    For example, assume a best practices infrastructure with:
    - 2 x Domain Controllers
    - 2 x AD Federation Servers (installed on DCs)
    - 1 x AAD Connect server
    - 1 x AD FS Web Application Proxy (on AAD Connect server)

    That's 3 Windows servers with two DCs &…

    1 vote
    0 comments  ·  Azure AD Connect Health
  7. Amina

    Amina

    0 votes
    2 comments  ·  Azure AD Connect Health
  8. Azure AD Connect Health Pass-through Authentication Agent Support

    Please add support for monitoring the Azure AD Pass-through Authentication Agent to Azure AD Connect Health. This is currently a gap in that when you use Pass-through Authentication (PTA) the agents are not monitored and there is no way to do this via Azure AD Connect Health currently. The PTA agent is a critical service when using Pass-Through Authentication so this should be monitored.

    5 votes
    0 comments  ·  Azure AD Connect Health
  9. Azure AD Connect Sync Tool - Allow sync by selecting specific AD Groups - Not by OU

    We are using the Azure AD Connect sync tool and would like to be able to synchronize a selection of on premise AD security groups. This would allow us the ability to create a set of Azure groups on premise that we add users to and specifically grant access to our azure AD. Then in Azure we can set those permissions to azure resources as needed. This allows us to add and remove users on prem easily and synchronize ONLY those users we want to have access to Azure. This keeps our Azure AD clean and relevant. The current tool…

    4 votes
    1 comment  ·  Azure AD Connect Health
  10. Relying party utilization report

    AD connect health should provide some kind of a report which can tell who are the users trying to authenticate externally or internally per relying party in ADFS.

    1 vote
    0 comments  ·  Azure AD Connect Health
  11. AD Connect Health report legacy endpoints not enabled

    AAD Connect Health should not be prompting organisations to re-instate legacy authentication endpoints:
    1. /adfs/services/trust/2005/usernamemixed
    2. /adfs/services/trust/2005/windowstransport
    also the service seems to be unaware that 2016 and later do not default publish certain unnecessary URLs:
    3. /adfs/ls/
    as we cannot customise the alerts checked to ignore this, customers will be prompted to open vulnerabilities through legacy authentication by using AD Connect Health!

    2 votes
    2 comments  ·  Azure AD Connect Health
  12. Azure AD Connect Health agent data

    Hi, I'm currently looking at implementing Azure AD Connect Health on our AD DS, AD FS, WAP and Azure AD Connect sync servers. We have offices in Germany and when anything is implemented the German Workers Council have to agree it. We are being asked what actual data is being sent by the on-premises agents to Azure AD Connect Health. I don't see this level of information in the Microsoft Online documentation, but I would have thought that we are not the first to ask this question. Do you have details that can be shared and also I think it…

    1 vote
    0 comments  ·  Azure AD Connect Health
  13. Issue with Azure AD Connect Health AD DS agent - Ports exhaustion

    We ran into an issue where all the RPC ports on a few of our production DCs got exhausted by this agent and resulted in replication failure. See below netstat output:

    [Microsoft.Identity.Health.Adds.InsightsService.exe]
    TCP 10.20.81.9:55151 10.153.6.10:389 CLOSE_WAIT 5860
    [Microsoft.Identity.Health.Adds.InsightsService.exe]
    TCP 10.20.81.9:55157 10.155.32.13:389 CLOSE_WAIT 5860
    [Microsoft.Identity.Health.Adds.InsightsService.exe]
    TCP 10.20.81.9:55164 10.153.6.10:389 CLOSE_WAIT 5860
    [Microsoft.Identity.Health.Adds.InsightsService.exe]
    TCP 10.20.81.9:55167 57.12.150.90:389 CLOSE_WAIT 5860
    [Microsoft.Identity.Health.Adds.InsightsService.exe]
    TCP 10.20.81.9:55172 10.155.44.8:389 CLOSE_WAIT 5860
    [Microsoft.Identity.Health.Adds.InsightsService.exe]
    TCP 10.20.81.9:55173 10.153.6.10:389 CLOSE_WAIT 5860

    Log Name: System
    Source: Tcpip
    Date: 06/07/2019 05:00:21
    Event ID: 4231
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: DXBEGDC26PV.corp.emirates.com
    Description:
    A request to allocate an ephemeral port number from the global…

    1 vote
    0 comments  ·  Azure AD Connect Health
  14. Azure AD Connect Health for ADDS

    Support for Azure AD Connect Health for ADDS on Windows Server Core. It currently does not work because it sets up by using IE. Have it use "device login" like the Az module for PowerShell Core.

    1 vote
    1 comment  ·  Azure AD Connect Health
  15. Integrate Azure AD Connect Health with OMS/Log Analytics

    This information should be available in OMS/Log Analytics, as a one stop shop for all monitoring... It should not be available only separately to OMS/Log Analytics!

    44 votes
    5 comments  ·  Azure AD Connect Health

    Thanks for the feedback. Connect Health team is planning to integrate Connect Health data with Log Analytics in phases. The first stream of ADFS data will be available in 3-6 months for preview.
    Please reach out to askaadconnecthealth at microsoft.com for preview request.

  16. SCOM Management Pack for Azure AD Connect

    Please create a management pack for SCOM to monitor AAD Connect, including the Pass-through authentication functionality. This is a critical component in the Microsoft cloud ecosystem. All on-prem products are supposed to be shipped with a SCOM management pack for monitoring them. This has been in prod for years and it is still missing.

    And no, AD Connect health does not cut it. For example, it does not even send an alert email when the "Microsoft AAD Application Proxy Connector" is not running.

    32 votes
    3 comments  ·  Azure AD Connect Health
  17. Include an AAD Connect Health Gateway for DCs without internet connectivity

    An easy to configure gateway install similar to the OMS gateway to act as a proxy for servers without internet connectivity would be a useful addition.

    15 votes
    0 comments  ·  Azure AD Connect Health
  18. Fix AD Connect Health remediation in the portal so it actually works

    I have a handful of users who had AAD accounts first. We then added a server in office and created accounts on it. We installed AAD Connect and synced the domain. The users all now have duplicates in AAD. Sync recognized this issue and the UI offers a fix, but the fix ALWAYS fails with a generic error message offering no recourse. Please fix the fix.

    1 vote
    1 comment  ·  Azure AD Connect Health
  19. This link, in your automated email, does not lead to any "troubleshooter" that can be "run"

    This link, in your automated email, does not lead to any "troubleshooter" that can be "run"

    1 vote
    2 comments  ·  Azure AD Connect Health
  20. A PDC is not reachable through this domain controller when server reboots

    If your PDC emulator is unavailable when rebooting for applying updates, we can get this error from all other domain controllers in the environment.

    Is this actually a problem? My experience says no, but this alert casts doubt on that. We are back to asking ourselves, should the FSMO roles be moved when patching? Historically, the answer to this has been no, this isn't needed. Can we get some more guidance from Microsoft on this?

    Title:
    Domain controller is unable to find a PDC.

    Description:
    A PDC is not reachable through this domain controller. This will lead to impacted user…

    2 votes
    0 comments  ·  Azure AD Connect Health