Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Scoring password in Azure AD password protection

    Today, Azure AD Password Protection scores the normalized new password with these rules:
    1. Each banned password that is found in a user's password is given one point.
    2. Each remaining unique character is given one point.
    3. A password must be at least five (5) points for it to be accepted.

    If you use a banned word like "contoso", the score of the password grows by 1. With a new password containing 5 banned passwords, you will have an accepted password.

    If you choose one of the following passwords as a new password, it will be accepted:

    "contosocontosocontosocontosocontoso" --> [contoso]…

    25 votes
    1 comment  ·  Authentication
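The scoring described in the post, as an added example that is not part of the original post and not Microsoft's code. It re-implements the three rules above (normalize, one point per banned-password occurrence, one point per remaining unique character, accept at five points) so the poster's repeated-"contoso" case can be checked side by side with Microsoft's own documented examples. The substitution table is the one Microsoft documents for normalization (0→o, 1→l, $→s, @→a); the banned list is constructed for illustration and stands in for the global list plus a tenant's custom list.

```python
"""Azure AD Password Protection scoring, re-implemented from the rules quoted in
the post (added example, not Microsoft's code). Substitution table as documented;
BANNED is a constructed stand-in for the global + custom banned lists."""

# Normalization: lowercase, then undo the documented common substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5

BANNED = ["contoso", "blank", "password"]   # constructed example list


def normalize(password: str) -> str:
    """Step 1: lowercase and apply the character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned=BANNED):
    """Return (points, banned words found, remaining unique characters)."""
    text = normalize(password)
    found = []
    # Longest banned words first so 'contoso' is not eaten by a shorter 'contos'.
    for word in sorted({normalize(w) for w in banned}, key=len, reverse=True):
        hits = text.count(word)            # non-overlapping occurrences, 1 point each
        if hits:
            found.extend([word] * hits)
            text = text.replace(word, "")  # remove them before counting characters
    remaining = set(text)                  # each remaining *unique* character, 1 point
    return len(found) + len(remaining), found, remaining


def is_accepted(password: str, banned=BANNED) -> bool:
    return score(password, banned)[0] >= MIN_SCORE


if __name__ == "__main__":
    for pw in ["contosocontosocontosocontosocontoso",  # the poster's case: 5 x banned = 5
               "C0ntos0Blank12",                       # 2 banned + 2 chars = 4, rejected
               "ContoS0Bl@nkf9!",                      # 2 banned + 3 chars = 5, accepted
               "P@ssw0rd"]:                            # normalizes to one banned word = 1
        points, found, rest = score(pw)
        verdict = "accepted" if points >= MIN_SCORE else "rejected"
        print(f"{pw:40} banned={found} rest={sorted(rest)} -> {points} points, {verdict}")
```

Running it shows the effect the post complains about: five repetitions of one banned word reach the threshold with no unique characters at all, while a short password that normalizes to a single banned word scores 1 and is refused.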
  2. Windows Hello for Business in AAD/AD Hybrid too complicated for SMB

    Currently the process to enable Azure AD-joined users to authenticate to on-premises systems is complex and requires multiple servers and specialized expertise. Can we enable a simplified approach to enabling Hybrid environments to support Azure AD-joined Windows 10 using Windows Hello for Business without complicated Key Trust or Certificate Trust implementations, or at least simplify the setup of those environments so that SMBs may easily accomplish this?

    10 votes
    0 comments  ·  Authentication
  3. Exclude certain AD Groups from the policies of Azure AD Password Protection (MAB Devices)

    When using MAB authentication in a domain, one often has to provide the MAC address as both username and password. Examples can be IP telephones, computers that are being installed with SCCM, printers, ...…

    AAD PPM does not allow names to be equal to passwords, which is basically correct, but MAB is a common way of registering certain hardware.

    It would be a good idea to make AAD PPM configurable so that specific accounts can be exempted from AAD PP on an AD-group basis or by some other means.

    12 votes
    0 comments  ·  Authentication
  4. CORS for token endpoint

    For SPA native applications, for instance Ionic/Cordova apps, it seems convenient to use the code grant with PKCE flow.
    In this kind of app, the requests are performed by the embedded browser, not by the native OS. When the app tries to redeem the code to get the tokens, an error appears due to the fact that the /token endpoint doesn't enable CORS.
    Is there any plan to allow CORS configuration in Azure AD as it has already been implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?

    14 votes
    1 comment  ·  Authentication
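The exchange the post describes, as an added example that is not part of the original post and not Microsoft's or Ionic's code. It shows both sides of authorization code + PKCE against the Azure AD v2.0 endpoints: the client derives the verifier and S256 challenge, builds the authorize URL and the POST body for /token (the cross-origin request that fails without CORS when a browser-hosted app sends it), and verify_pkce() is the check the token endpoint performs. TENANT, CLIENT_ID and REDIRECT_URI are placeholders; nothing is sent over the network.

```python
"""Authorization code + PKCE (RFC 7636) against Azure AD v2.0 endpoints.
Added example; placeholders for tenant, client id and redirect URI."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

TENANT = "common"                                     # placeholder tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder app (client) id
REDIRECT_URI = "http://localhost:8100/callback"       # placeholder, e.g. an Ionic dev server
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"


def b64url(data: bytes) -> str:
    """RFC 7636 base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier, 43..128 chars of [A-Za-z0-9-._~]; 32 bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(challenge: str, state: str, scope: str = "openid profile User.Read") -> str:
    """Step 1: the embedded browser navigates here; only the challenge travels up front."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def token_request(code: str, verifier: str):
    """Step 2: (url, form body) the app POSTs to /token. From a browser context this
    is the cross-origin request that the post says is blocked for lack of CORS."""
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }
    return f"{AUTHORITY}/token", body


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint side: the verifier must hash to the challenge bound to the code.
    Someone who intercepted the redirect (and the code) does not hold the verifier."""
    return hmac.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(authorize_url(challenge, state=secrets.token_urlsafe(16)))
    url, body = token_request(code="<code from redirect>", verifier=verifier)
    print(url, body)
    print("right verifier accepted:", verify_pkce(challenge, verifier))
    print("wrong verifier accepted:", verify_pkce(challenge, make_code_verifier()))
```

The challenge derivation is checked against the RFC 7636 Appendix B test vector. Note that PKCE protects the code, not the browser: the CORS failure the post reports is the browser refusing to hand the /token response to page script, which is a separate, deployment-side property of the endpoint (Azure AD later addressed it with a dedicated single-page-application redirect URI type).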
  5. V2.0 Client Credentials Implement Scopes

    The current Azure AD v2.0 Client Credentials Grant doesn't formally support scopes.

    You have to pass in your application ID appended with .default (not a scope), which then forces you down the permissions route. You also end up with roles in your token instead of scopes.

    In order to conform to the OAuth standard, scopes should be supported like they are in other grants/flows.

    It also makes it difficult to implement in our services as we have to support two completely different models.

    3 votes
    2 comments  ·  Authentication
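The two models the post has to support, side by side, as an added example that is not part of the original post and not Microsoft's code. A delegated token carries a space-separated "scp" claim; a v2.0 client-credentials token requested with "<resource>/.default" carries a "roles" array instead. The resource-side helper below normalizes both into one permission set and also shows the .default request body. The tokens are constructed, unsigned stand-ins and APP_ID_URI is a placeholder; a real service validates signature, issuer, audience and expiry before reading any claim.

```python
"""Resource-side handling of 'scp' (delegated) versus 'roles' (app-only) tokens.
Added example; tokens below are constructed and unsigned, for claim parsing only."""
import base64
import json

APP_ID_URI = "api://11111111-2222-3333-4444-555555555555"   # placeholder resource identifier
DEFAULT_SCOPE = f"{APP_ID_URI}/.default"                     # what a v2.0 client-credentials caller sends


def client_credentials_request(client_id: str, client_secret: str) -> dict:
    """Form body for the v2.0 client-credentials grant: no individual scopes, only .default."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFAULT_SCOPE,
    }


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_of(token: str) -> dict:
    """Payload of a compact JWT. No signature check here: constructed input only."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def granted_permissions(claims: dict):
    """Normalize both models: ('delegated', {...}) or ('application', {...})."""
    if "scp" in claims:                 # delegated: user + app, space-separated scopes
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:               # app-only: application permissions as roles
        return "application", set(claims["roles"])
    return "none", set()


def authorize(token: str, required: str, audience: str = APP_ID_URI) -> bool:
    """Accept the call when the token is meant for us and grants `required` in either model."""
    claims = claims_of(token)
    if claims.get("aud") != audience:   # a token for another resource is never valid here
        return False
    _kind, perms = granted_permissions(claims)
    return required in perms


def fake_token(payload: dict) -> str:
    """Constructed stand-in for a token: header.payload.<bogus signature>."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed sample tokens (claims only; not issued by Azure AD).
DELEGATED = fake_token({"aud": APP_ID_URI, "scp": "Orders.Read Orders.Write", "sub": "user1"})
APP_ONLY = fake_token({"aud": APP_ID_URI, "roles": ["Orders.Read.All"], "sub": "app1"})
OTHER_AUD = fake_token({"aud": "api://someone-else", "roles": ["Orders.Read.All"]})

if __name__ == "__main__":
    print(client_credentials_request("client-id", "client-secret"))
    for name, tok in [("delegated", DELEGATED), ("app-only", APP_ONLY), ("other aud", OTHER_AUD)]:
        print(name, granted_permissions(claims_of(tok)),
              "Orders.Read ->", authorize(tok, "Orders.Read"),
              "Orders.Read.All ->", authorize(tok, "Orders.Read.All"))
```

Keeping the two claim shapes behind one granted_permissions() call is the usual way to live with the difference the post describes: the rest of the service checks a permission name and does not care whether the caller was a user or a daemon.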
  6. Azure SSO SAML Token to support selective attributes encryption

    Support selective attribute (first name, last name, unique ID, etc.) encryption in the SAML token for SSO. This is a requirement for all applications to which the user identity information is not to be sent in clear text but rather encrypted.

    6 votes
    0 comments  ·  Authentication
  7. Direct federation with OpenID Connect IdPs

    At this time, direct federation in preview can be set up with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. Please extend this to OpenID Connect IdPs.

    4 votes
    1 comment  ·  Authentication
  8. Sign-in to SharePoint 2016 with Guest accounts is challenging

    I have a custom enterprise application for SharePoint 2016, which has "Unique User Identifier" set to "user.userprincipalname" (default configuration), but the experience with Guest accounts is bad:
    - The identity AAD sets for MSA Guest accounts looks like "user_mail.com#EXT#@Tenant.onmicrosoft.com", which is counter-intuitive. When granting permissions to those accounts in SharePoint, we expect to type UserUPN@Tenant.onmicrosoft.com, not user_mail.com#EXT#@Tenant.onmicrosoft.com
    - The identity AAD sets for B2B Guest accounts looks like "mail@Tenant.onmicrosoft.com", which is great and what we want, but it's inconsistent with the MSA Guest accounts and causes a lot of confusion.

    Can you fix this to always…

    17 votes
    10 comments  ·  Authentication

    Thanks for the feedback.

    For “Name” or other claims, you can now select “user.localuserprincipalname” as a source attribute. This will use UPN stored in the tenant for the guest user.

    This isn’t currently available for “NameID” but we’re working on that.

    Also, we're working on an experience that will let you specify the source attribute based on the user type (AAD, AAD Guest, External Guest, All Guest).

    Let me know if you would be interested in providing early feedback on what we're thinking of releasing.

    \Luis

  9. azure ad domain services SAM account

    For Single Sign On with Azure AD as the source of users for Azure AD Domain Services, is it possible to write the SAM account name back to Azure AD? Then Azure AD-joined-only devices would not generate a NetBIOS name/SAM account when a user logs in, but would get this information from Azure AD as well.
    Now we have issues with AADDS-joined servers and applications with SSO.

    5 votes
    0 comments  ·  Authentication
  10. About early adopted Azure Portal for new function

    I hope to be able to choose, per Azure tenant type, when to adopt a new function.
    For example, Azure AD is currently deploying LinkedIn integration, but some tenants have it done and others do not, and the implementation period is unclear.
    So I would like to be able to choose whether to adopt a new function, as Office 365 already allows through its release options.
    https://docs.microsoft.com/en-us/office365/admin/manage/release-options-in-office-365?view=o365-worldwide

    13 votes
    0 comments  ·  Authentication
  11. More Granularity in Conditional Access: Session Controls for Sign-In Frequency

    The Sign-In Frequency Session Control can only be set in hours and days. I would like to see minutes as an available option as well. There could be a situation where a user closes a sensitive application but does not close the browser and walks away where someone else could tailgate in on that session.

    2 votes
    0 comments  ·  Authentication
  12. Lock sign-in to specific country/region on a per user basis

    Just like the credit card companies allow you to lock/unlock your credit card for use in different regions/countries it would be great if users could allow/disallow sign-in from different regions/countries.

    Like a per-user conditional access...

    2 votes
    0 comments  ·  Authentication
  13. Show the URL that is missing when getting "missing, misconfigured, or does not match reply addresses configured for the application" error

    We have had a number of occasions where we get the "missing, misconfigured, or does not match reply addresses configured for the application" error when using our own applications with AAD as the IdP.

    Sometimes this requires extensive investigation to figure out the offending URL (whether it is missing, a typo, or syntax error).

    What would be handy is if the error gave administrators the offending URL to help direct the investigations.

    If there is a way of exporting this already, would be great to understand how.

    2 votes
    1 comment  ·  Authentication
  14. Variable password complexity requirements / multiple assignable password complexity policies

    I'd like the ability to configure multiple password complexity requirements / policies, and assign them based on for instance:
    * Azure AD Groups (Ex: All users in a group gets affected, all not assigned to a complexity gets the tenant default complexity)
    * Azure AD Role (Any or specific roles)
    * Subscription role on any of the subscriptions tied to the tenant (Ex. User has "owner" on one of the subscriptions)

    This would make sense as regular users should be able to create short, memorable passwords. Admin users on the other hand, should have complex, random generated, long passwords, and use password…

    1 vote
    0 comments  ·  Authentication
  15. Support Device Authentication for Firefox

    Today Device Authentication is supported for Edge, IE and Chrome (Windows 10 Accounts extension).
    For other browsers, especially Firefox, there is no support for Device Authentication.
    It would be great if Firefox users could also benefit from Device Authentication.

    9 votes
    2 comments  ·  Authentication
  16. Support Android Biometrics (Face) Unlock for Microsoft Authenticator

    The Microsoft Authenticator Android app should support the new Biometrics (Face) Unlock API. Currently face unlock is not supported for devices such as Pixel 4.

    1 vote
    0 comments  ·  Authentication
  17. option to show group name in groups claims

    ability to enable group names to be visible in the "groups" claim when groupMembershipClaims is enabled or via the SSO options.

    2 votes
    0 comments  ·  Authentication
  18. Android Enterprise Kerberos Support for MS Authenticator and Company Portal

    On Android Enterprise there is a way to enable Kerberos/SPNEGO based SSO for all WebViews out of the box without any change of code. Since MS Authenticator and Company Portal are used for SSO authentication of native Office Android Apps, it would be beneficial to activate this option. This would allow an enterprise user to have seamless/login-free SSO.

    The scenario is that in the enterprise context the Office 365 login is often federated to an on-premises IdP. That IdP is usually kerberized and understands SPNEGO. I can see that in MS Authenticator I get redirected to the IdP but Kerberos…

    13 votes
    0 comments  ·  Authentication
  19. Remove two factor

    It is more of an inconvenience that an asset. It doesn't help me feel my account is secure as I have already felt it was secure by having a password that only I knew. This feature is very frustrating as sometime it does not work and then I am not able to log in to my account to complete my course work or view assignments. People should be asked if they would like to turn this feature on versus being made to do so.

    1 vote
    0 comments  ·  Authentication
  20. I am the administrator for the account and I no longer have access to the phone number that appears

    I am the account administrator, and I no longer have access to the phone number that appears for 2-factor auth?

    1 vote
    0 comments  ·  Authentication