Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add Self Service Password Reset requests to Azure AD Activity Logs

    Today, users who try to reset their password using SSPR and don't have any authentication method registered are left with the only choice of notifying the system administrator. This results in an email to the Global Administrator. I want this event to be registered in the Azure AD Audit Logs so that it can be followed up using integrations with Azure Log Analytics, Monitor Alerts and/or Sentinel. Today only users that have verified their authentication methods appear in the audit logs.

    4 votes
    0 comments  ·  Self-Service Password Reset
  2. Make app notification and app code count towards methods required

    App notification or App code should not result in the message:
    You must enable another method to use mobile app or hardware token code

    These options should be seen as equal to other methods. Otherwise in an environment where other methods are disabled (as they are clearly less secure - such as phone call, SMS, personal email etc) one or more of these less secure methods has to be enabled as well.

    The implication of this is you cannot for example force 2 methods to be required and then select App Code and Security Questions, as you also have to…

    4 votes
    0 comments  ·  Self-Service Password Reset
  3. Make certain fields optional while registering

    With MFA enabled and the security questions answered, I still have to fill in one or two required fields (e-mail and phone number). I cannot choose other options which I selected.

    1 vote
    0 comments  ·  Self-Service Password Reset
  4. Don't assume that my work email is hosted with Azure / MS.

    When I try to set my email address as a recovery method I get the following error:

    Don't use your work or school email address, because you won't have access to it if you forget your password.

    But that's not true. My company uses a different email hosting service. Losing access to it has nothing to do with my Azure portal password.

    1 vote
    0 comments  ·  Self-Service Password Reset
  5. Longer Security Questions Truncated by UI

    When selecting Security Questions as an option in mysignins.microsoft.com, many of the longer questions are truncated by the UI so you cannot read the entire questions. Zooming the browser in or out doesn't fix this (my zoom is at the default setting anyway). We are also using many of the pre-configured questions provided in Azure AD.

    I think you need to make this dropdown scale better to accommodate the length of all the default questions.

    1 vote
    0 comments  ·  Self-Service Password Reset
  6. Allow Customizable SSPR Error Message When Not Using Password Writeback

    Admins really need to be able to customize the SSPR error page's message when not using password writeback.

    At the moment, we can only change the destination of the "contact your administrator" hyperlink. We do currently have this pointing to our company's internal web page for resetting passwords. (https://[pwresetsite].[domain].edu)

    However, the problem is that the following sequence of events happens 100% of the time:

    A) User reads "you can't reset your own password because password writeback" and simply stops. An error message we can't control gives the user the impression that they cannot self-fix this issue. Even if…

    1 vote
    0 comments  ·  Self-Service Password Reset
  7. Enable SSPR to reset Windows cached credentials

    In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

    It's great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since it's definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we…

    275 votes
    41 comments  ·  Self-Service Password Reset
  8. Modification of the built-in password reset policy so that an email is being populated through Graph API

    When using the built-in policy for password reset v1 or v2, we are unable to reset the password if the Email text box does not have an email ID configured. If I create a user using Graph API, it will store the email ID in the Alternate Email text box, so we are unable to do a password reset using the built-in policy. I request the B2C team to work on this.

    1 vote
    0 comments  ·  Self-Service Password Reset
  9. Enhance Self-Service Password Reset (SSPR) security

    Recently rolled out SSPR at a client, who afterwards stated: when I lose my phone out of sight (e.g. it gets stolen), then it's relatively easy to reset a password.

    A person with malicious intent could go to the SSPR portal, track down e-mail address and phone number (isn't that hard) and then reset the password without unlocking the stolen phone (because phone call/reading code sent by text message doesn't require unlocking).

    Additional authentication methods, like security questions and personal email addresses, are undesired, due to the fact that the first isn't a good authentication method and in case of…

    3 votes
    0 comments  ·  Self-Service Password Reset
  10. Display Company Password Policy on Azure tenant "Change Password" Page

    As of now, when a user is trying to change a password via Azure Password Reset https://account.activedirectory.windowsazure.com/ChangePassword.aspx

    The user gets a very generic message stating "This password does not meet the length, complexity, age, or history requirements of your corporate password policy.".

    We would like to be able to display our current password policy in the error message, like literally every other website/login page.

    Here is an example

    The password should be at least 9 characters long

    Password should meet below criteria
    1. Password must contain lower case letters
    2. Password must contain upper case letters
    3. Password must contain numerical

    6 votes
    0 comments  ·  Self-Service Password Reset
  11. Make "Require users to register when signing in" possible to apply to a group instead of only on/off.

    When enabling SSPR, it is currently only possible to set if registration is required or not required. It would be useful in my tenant to be able to require registration for certain groups of people.

    4 votes
    0 comments  ·  Self-Service Password Reset
  12. Please add clarity to Self Service Password Reset (SSPR) error messages, or allow for customization

    End users are not given clear reasons as to why their password reset failed. For example, the error message for using an invalid password and 'trying to reset the password too frequently' are the same.

    In large organizations with non-technical end users this is generating help desk ticket volume. Having more clarity in these messages would help end users and reduce ticket volume.

    5 votes
    0 comments  ·  Self-Service Password Reset
  13. Remove account alternate email from user selector

    When a user adds an external email address as their alternate address it becomes an internal email address. So if I for instance share files to the alternate address it fails, because it seems to count as an internal address. Also, if I send an email to that external address they end up in the mailbox for the user that has that address as an external email.
    Make that alternate email private on the account.

    1 vote
    0 comments  ·  Self-Service Password Reset
  14. Password reset Usage Insights - New tile for licensed users

    The Usage & Insights are great! But it shows a total of all accounts which is very inaccurate for the users we expect to be enrolled in MFA or SSPR. What about adding a new tile for total number of users registered out of the total number of licensed users? That would give us a much better "insight" to report to management about. We have around 900 licensed users for E3 - how about a tile for number of users registered who are actually licensed for it?

    1 vote
    0 comments  ·  Self-Service Password Reset
  15. Unlock account from SSPR without resetting password

    Allow users to unlock their account without them having to reset their password.

    In our organisation, accounts get locked out due to various other reasons and not just because of a forgotten password. An option to unlock the account should be provided to users who remember their password by asking them for their password, if they choose to just unlock their account.

    6 votes
    0 comments  ·  Self-Service Password Reset
  16. SSPR - Allow password reset from Windows 10 login screen when connected to wifi

    This suggestion is related to the SSPR functionality at the Windows login screen. The process is described here:
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows

    The password reset screen loads fine and a user is able to reset his AD password when connected to LAN (computer authentication)

    However, when connected to wifi (computer and user authentication / user re-authentication occurs) the password reset screen says that there's no internet connection.

    SSPR needs to be allowed on wifi networks using 802.1x authentication that have the option “Perform immediately before user logon” disabled.

    7 votes
    0 comments  ·  Self-Service Password Reset
  17. I cannot download the app because my mobile phone is not a smartphone and does not allow it, so I am staying with the password

    I cannot download the app because my mobile phone is not a smartphone and does not allow it, so I am staying with the password

    1 vote
    2 comments  ·  Self-Service Password Reset
  18. Disable SSPR by group (exclude group from SSPR)

    Currently, you can configure SSPR to be enabled for your entire organization or for a specific group. It would be nice to have the ability to disable/exclude a specific group (e.g. enable for the entire organization except for a specific group(s)). The use case would be a scenario where almost the entire company should have SSPR but there are sensitive accounts that should not be enabled for it.

    65 votes
    9 comments  ·  Self-Service Password Reset
  19. SSPR should prevent the use of previous historic passwords used on the account for “X” times (as is standard for on-premise systems)

    The Office 365 tenant is a managed domain with all cloud based accounts. Users within the tenant tend to register on private company websites (fitness trackers, consumer purchases, etc.) using their enterprise email address from the tenant. Some of the public company sites get compromised and expose their passwords in clear text, which are then sold on the black market. When those Office 365 accounts are identified as “compromised”, meaning an attacker logs in using the login ID and password from the exposed site, the tenant administrator resets those affected passwords to random passwords. The users do not know the password…

    3 votes
    1 comment  ·  Self-Service Password Reset
  20. Allow use of custom controls/conditional access with self service password reset

    Allow one of the self service password reset options to be a custom control, such as calling Duo/Okta (currently allowed as a conditional access control). As a company that doesn't use Azure MFA it would be good to be able to use another MFA provider instead of requiring a second mobile application be enrolled, or using less secure methods like SMS.

    25 votes
    1 comment  ·  Self-Service Password Reset