Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Enable Azure AD Password Protection in Azure Government
This is a feature available in Azure public, please add this feature to Azure Gov. With this enabled, we have much more flexibility in terms of make passwords maintenance easier for our users.
17 votes -
Scoring password in Azure AD password protection
Today, Azure AD Password Protection scores the normalized new password with this rules:
1. Each banned password that is found in a user’s password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.If you use a banned word like "contoso", the score of the password grows with +1. A new password with 5 banned password(s), you will have an accepted password.
If you choose one of the following password as a new password, it will be accepted:
"contosocontosocontosocontosocontoso" --> [contoso]…
30 votes -
Make Enterprise Apps searchable by Reply URL
We have a ton of SSO'ed apps. If an app is misspelled/mislabeled during creation, the vendor changes product names, or you have multiple similar apps with the same company it can be very difficult to identify the appropriate enterprise app. I think it would be very helpful if we could also search by reply URL.
I love the new Enterprise Apps experience. You guys rock - thanks for being awesome!
6 votes -
Allow more than 150 groups to be returned in the SAML assertion
As part of the SAML assertion of a user we get the groups from the Azure AD. But for some users that are in many groups (> 150) Azure AD does not send the list of groups.
Please allow either more than 150 groups or enable an easy way to get all groups of a user.16 votes -
Windows Hello for Business in AAD/AD Hybrid too complicated for SMB
Currently the process to enable Azure AD-joined users to authenticate to on-premises systems is complex and requires multiple servers and specialized expertise. Can we enable a simplified approach to enabling Hybrid environments to support Azure-AD Joined Windows 10 using Windows Hello for Business without complicated Key Trust or Certificate Trust implementations, or at least simplify the setup of those environments so that SMB may easily accomplish this?
19 votes -
option to show group name in groups claims
ability to enable group names to be visible in the "groups" claim when groupMembershipClaims is enabled or via the SSO options.
23 votes -
Windows Hello for Business reporting tool
Please implement the option/tool of having where to check the WHfB enrollment status for users.
4 votes -
Integrate Eidas (eu wide government login for eu citizens) into azure ad
Since eu offers a eu wide login service for almost all eu citizens a better integration with azure ad could make azure ad more easy to use for many people.
Examples could be
use eu login additional / instead of mfa
Onboard new employees by eu login retrieving their base masterdata.
....3 votes -
By joining our community
developer experiences and condition access
1 vote -
Request to update the machine learning data per user via Confirmed sign-in Safe
[Identity Protection]
Request to update the machine learning data per user via Confirmed sign-in Safe, Customer would like to be able to update the user safe/familiar location data-set to include the new location4 votes -
CORS for token endpoint
For SPA Native applications, for instance Ionic/Cordova Apps, seems convenient to use code grant with PKCE flows.
In this kind of apps, the requests are performed by the embedded browser, not by native OS. When the apps try to redeem the code to get the tokens if appears an error due to the fact that /token endpoint doesn't enable CORS.
Is there any plan to allow CORS configuration in Azure AD as it has been already implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?31 votesThis is now under development – you can track progress in the MSAL.JS issue tracker here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1000
-
Add EventLog for login attempt using only blacklisted keyword
Password blacklists will prevent someone from using an easy password containing exclusively blacklisted keywords. But if I want to catch bad guys on my network, I want to see when someone is trying Company123 or Winter2020 for several different users. This is password spraying.
If we can add this short list of commonly guessed passwords to the password blacklist, I would then like to have an event logged when someone attempts to use one of them. If we see many of those events in a short period, the security team will need to investigate.
3 votes -
Update the combined MFA/SSPR Registration's to not be dependent on 3rd-party cookies
Apple has enabled Prevent Cross-site Tracking by default in iOS 13.4. As noted in the article, users get a "Sorry, we can't sign you in" message when 3rd-party cookies are blocked. As a result, MFA/SSPR Registration is broken by default on iOS 13.4. A manual intervention is now required to allow 3rd-party cookies because the setting cannot be managed on a supervised device. Apple has provided prescriptive direction on how update apps. Please update the combined MFA/SSPR Registration's to not be dependent on 3rd-party cookies.
2 votes -
AAD - Azure Key Vault integration
We have a certificate generated by Azure Key Vault and it will auto rotate. and we use the same certificate for the AAD App authentication by uploading the .cer to AAD portal.
However, once the certificate is auto rotated, the thumbprint will be changed, and the AAD App authentication to AAD will fail because it use the latest version of certificate generated by Azure Key Vault.Is it possible to implement a feature rather than upload a cert, just point to the Azure Key vault certificate, once there is a new version generated, AAD should whitelist the new cert version,…
2 votes -
MAKE THE DO NOT ASK FOR 60 DAYS WORK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
MAKE THE DO NOT ASK FOR 60 DAYS WORK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1 vote -
Allow service principals assigned as Azure Sql server AAD admin to create additional Azure AD sql users
It appears you cannot create additional Azure Sql database AAD users using a service principal, it must be a user or group.
This is limiting in Azure DevOps as I would like to use my service connection to use token authentication to provision users for managed identities.1 vote -
The "verify another way" is the same cell phone. How do I verify 2 factor authentication when I don't have that cell phone but it wants t
The "verify another way" is the same cell phone. How do I verify 2 factor authentication when I don't have that cell phone but it wants to send a text or call the lost phone? And there is no way my organization can change that number. And the CCPO organization does not support CVR any longer and AESD-W says they can't help. Help!!!
1 vote -
Sign in to Windows 2016 VM in Azure using Azure Active Directory authentication
Sign in to Windows 2019 VM in Azure using Azure Active Directory authentication is now in preview.
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows.Is it possible to release this feature also for Windows Server 2016 Azure VM's?
1 vote -
1 vote
-
Browser specific Windows Integrated Authentication (WIA) enforcement
Users get errors and are blocked from using their mobile devices for Azure Active Directory Authentication when Windows Integrated Authentication is configured for desktop browsers like Google Chrome in Active Directory Federation Services (ADFS).
ADFS configuration does not allow for configuring specific browsers and OS pairs for Windows Integrated Authentication (WIA) enforcement.
It would be nice to easily configure this to avoid errors.
1 vote
- Don't see your idea?