Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Enable Azure AD Password Protection in Azure Government
This is a feature available in Azure public, please add this feature to Azure Gov. With this enabled, we have much more flexibility in terms of make passwords maintenance easier for our users.
17 votes -
Make refreshing SSO sessions an option
Currently, an SSO session has a fixed lifetime as configured by the SsoLifetime parameter, i.e., a user logs in, and once [SsoLifetime] minutes have passed, their SSO session ends, even if they were still active until minutes before.
This is because a new SSO session is only created when an authentciation is performed, but as long as an SSO session is active, (of course) no authentication is performed.There are use cases, however, where we want the user to be able to extend their SSO session whenever they are active, provided that their current SSO session is still valid.
It…
8 votes -
Avoid Sign-in prompt on iOS by adding Redirect URI scheme for Apple device in Safe List
When adding a new Microsoft Exchange account under Settings / Password & Accounts on an Apple iOS device to access O365, after authentication a consent page is displayed (see screenshot). This page is not clear to users, and we have seen cases where the device would be stuck on it (Continue or Cancel wouldn’t work)
Looking at AAD logs and after opening a case, we found out that this page is displayed because the redirect URI that the iOS device sends back to AAD is not in the “Safe List” (http://, https://, msauth:// (iOS only), msauthv2:// (iOS only)…5 votes -
Scoring password in Azure AD password protection
Today, Azure AD Password Protection scores the normalized new password with this rules:
1. Each banned password that is found in a user’s password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.If you use a banned word like "contoso", the score of the password grows with +1. A new password with 5 banned password(s), you will have an accepted password.
If you choose one of the following password as a new password, it will be accepted:
"contosocontosocontosocontosocontoso" --> [contoso]…
31 votes -
Allow service principals assigned as Azure Sql server AAD admin to create additional Azure AD sql users
It appears you cannot create additional Azure Sql database AAD users using a service principal, it must be a user or group.
This is limiting in Azure DevOps as I would like to use my service connection to use token authentication to provision users for managed identities.4 votes -
Make Enterprise Apps searchable by Reply URL
We have a ton of SSO'ed apps. If an app is misspelled/mislabeled during creation, the vendor changes product names, or you have multiple similar apps with the same company it can be very difficult to identify the appropriate enterprise app. I think it would be very helpful if we could also search by reply URL.
I love the new Enterprise Apps experience. You guys rock - thanks for being awesome!
6 votes -
option to show group name in groups claims
ability to enable group names to be visible in the "groups" claim when groupMembershipClaims is enabled or via the SSO options.
29 votes -
SAML token. Login ID look up in Claim management - source attribute.
With the new option to sign-in to Azure AD with email as an alternate login ID (preview), it would be great to have access to the login ID in the source attribute when adding a new claim. It may be useful to able to pass the login ID in a SAML claim when it's different from user.email and UPN, especially if an account has multiple ProxyAddresses that can be used as login ID.
Dynamic source attribute and an attribute lookup function in the transformation would be handy as well.
Thank you.2 votes -
Allow more than 150 groups to be returned in the SAML assertion
As part of the SAML assertion of a user we get the groups from the Azure AD. But for some users that are in many groups (> 150) Azure AD does not send the list of groups.
Please allow either more than 150 groups or enable an easy way to get all groups of a user.16 votes -
Windows Hello for Business in AAD/AD Hybrid too complicated for SMB
Currently the process to enable Azure AD-joined users to authenticate to on-premises systems is complex and requires multiple servers and specialized expertise. Can we enable a simplified approach to enabling Hybrid environments to support Azure-AD Joined Windows 10 using Windows Hello for Business without complicated Key Trust or Certificate Trust implementations, or at least simplify the setup of those environments so that SMB may easily accomplish this?
19 votes -
Integrate Eidas (eu wide government login for eu citizens) into azure ad
Since eu offers a eu wide login service for almost all eu citizens a better integration with azure ad could make azure ad more easy to use for many people.
Examples could be
use eu login additional / instead of mfa
Onboard new employees by eu login retrieving their base masterdata.
....4 votes -
AAD - Azure Key Vault integration
We have a certificate generated by Azure Key Vault and it will auto rotate. and we use the same certificate for the AAD App authentication by uploading the .cer to AAD portal.
However, once the certificate is auto rotated, the thumbprint will be changed, and the AAD App authentication to AAD will fail because it use the latest version of certificate generated by Azure Key Vault.Is it possible to implement a feature rather than upload a cert, just point to the Azure Key vault certificate, once there is a new version generated, AAD should whitelist the new cert version,…
4 votes -
Windows Hello for Business reporting tool
Please implement the option/tool of having where to check the WHfB enrollment status for users.
4 votes -
Help locked out of Facebook
Please I can’t see well and I accidentally deleted my Facebook account within the app. I have iCloud back up but that didn’t seem to do anything but sync the new version without the Facebook accounts to my other phone.
1 vote -
Integration with ASP.Net WebForms (NOT MVC)
I have seen and implemented many articles on how to do SSO against an MVC app and they work great. I am trying to integrate this into an existing WebForms (Non-MVC) .aspx application and having a login lopping issue.
1 vote -
This is aweful - not understandable at all. Hate this.
This is a horrible inconvenience and I don't understand these directions at all. Horrible explanation.
1 vote -
sasa
recover
1 vote -
If this is correct area; mobile app Authenticator needs better recognizable icon that is noticeably an MS product.
If this is correct area; mobile app Authenticator needs better recognizable icon that is noticeably an MS product.
1 vote -
Better customisation for claims with Azure AD Policies
Right now I’m aware I can set SamlClaimType of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier and this allows me to send a number of attributes in the format of urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If I do not set a SamlClaimType then by default is sends a persistent nameId using the nameID format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. Can we support customisation to this like what can be done in the portal? In the portal I can set persistent to send the users ObjectId and a few other options, however I don’t see any documentation on how I can do this in a policy.
Also support for the other two formats should be…
1 vote -
CORS for token endpoint
For SPA Native applications, for instance Ionic/Cordova Apps, seems convenient to use code grant with PKCE flows.
In this kind of apps, the requests are performed by the embedded browser, not by native OS. When the apps try to redeem the code to get the tokens if appears an error due to the fact that /token endpoint doesn't enable CORS.
Is there any plan to allow CORS configuration in Azure AD as it has been already implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?33 votesThis is now under development – you can track progress in the MSAL.JS issue tracker here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1000
- Don't see your idea?