Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Scoring password in Azure AD password protection
Today, Azure AD Password Protection scores the normalized new password with this rules:
1. Each banned password that is found in a user’s password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.If you use a banned word like "contoso", the score of the password grows with +1. A new password with 5 banned password(s), you will have an accepted password.
If you choose one of the following password as a new password, it will be accepted:
"contosocontosocontosocontosocontoso" --> [contoso]…
25 votes -
Windows Hello for Business in AAD/AD Hybrid too complicated for SMB
Currently the process to enable Azure AD-joined users to authenticate to on-premises systems is complex and requires multiple servers and specialized expertise. Can we enable a simplified approach to enabling Hybrid environments to support Azure-AD Joined Windows 10 using Windows Hello for Business without complicated Key Trust or Certificate Trust implementations, or at least simplify the setup of those environments so that SMB may easily accomplish this?
10 votes -
Exclude certain AD Groups from the policies of Azure AD Password Protection (MAB Devices)
When using MAB authetication in a Domain, one has often to provide the Mac-address as UserName and as Password. Examples can be IP-telephones, computers that are being installed with SCCM, printer,...…
AAD PPM does not allow names to be equal to passwords, which ist basically correct, but MAB is a common way of registering certain hardware.
It would be a good idea to make AAD PPM configurable meant to exempt specific accounts from AAD PP on AD-Group Basis or by some other means.
12 votes -
CORS for token endpoint
For SPA Native applications, for instance Ionic/Cordova Apps, seems convenient to use code grant with PKCE flows.
In this kind of apps, the requests are performed by the embedded browser, not by native OS. When the apps try to redeem the code to get the tokens if appears an error due to the fact that /token endpoint doesn't enable CORS.
Is there any plan to allow CORS configuration in Azure AD as it has been already implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?14 votes -
V2.0 Client Credentials Implement Scopes
The current Azure AD v2.0 Client Credentials Grant doesn't formally support scopes.
You have to pass in your application ID appended with .default (Not a scope) which then forces you down the permissions route. You also end up with roles in your token instead of scopes.
In order to conform to the OAuth standard, scopes should be supported like they are in other grants/flows.
It also makes it difficult to implement in our services as we have to support two completely different models.
3 votes -
Azure SSO SAML Token to support selective attributes encryption
Support selective attributes(firstname, lastname, unique ID etc) encryption in SAML token for SSO. This is requirement for all applications to whom the user identity information is to be NOT sent in clear text and rather be in encrypted.
6 votes -
Direct federation with OpenID Connect IdPs
At this time, direct federation in preview can be set up with any organization whose identity provider (IdP) that supports the SAML 2.0 or WS-Fed protocol. Please extend this to OpenID Connect IdPs.
4 votes -
Sign-in to SharePoint 2016 with Guest accounts is challenging
I have a custom enterprise application for SharePoint 2016, which has "Unique User Identifier" set to "user.userprincipalname" (default configuration), but the experience with Guest accounts is bad:
- MSA Guest accounts identity set by AAD looks like "user_mail.com#EXT#@Tenant.onmicrosoft.com", which is counter intuitive. When granting permissions to those accounts in SharePoint, we expect to type UserUPN@Tenant.onmicrosoft.com, not user_mail.com#EXT#@Tenant.onmicrosoft.com
- B2B Guest accounts identity set by AAD looks like "mail@Tenant.onmicrosoft.com", which is great and what we want, but it's inconsistent with the MSA Guest accounts and causes a lot of confusion.Can you fix this to always…
17 votesThanks for the feedback.
For “Name” or other claims, you can now select “user.localuserprincipalname” as a source attribute. This will use UPN stored in the tenant for the guest user.
This isn’t currently available for “NameID” but we’re working on that.
Also, we’re working on a experience that will let you specify the source attribute based on the user type (AAD, AAD Guest, External Guest, All Guest).
Let me know if you would be interesting to provide early feedback on what we’re thinking to release.
\Luis
-
azure ad domain services SAM account
Voor Single Sign On with Azure AD as source for users to Azure AD Domain Services, is it possible to rewrite the SAM account to Azure AD. So the Azure AD joined only devices do not genereate a Netbioname/sam account by login of a user, but get this information from AzureAd as well.
Now we have issues with AADDS joined servers and application with SSO.5 votes -
About early adopted Azure Portal for new function
Hope to choose Azure tenant type to adopt new function.
For example, Azure AD is deploying LinkedIn integration currently, but some tenants have done and others are not and the implementation period is not unclear.
so, require to choose adopting new function which Office 365 has already been configured.
https://docs.microsoft.com/en-us/office365/admin/manage/release-options-in-office-365?view=o365-worldwide13 votes -
More Granularity in Conditional Access: Session Controls for Sign-In Frequency
The Sign-In Frequency Session Control can only be set in hours and days. I would like to see minutes as an available option as well. There could be a situation where a user closes a sensitive application but does not close the browser and walks away where someone else could tailgate in on that session.
2 votes -
Lock sign-in to specific country/region on a per user basis
Just like the credit card companies allow you to lock/unlock your credit card for use in different regions/countries it would be great if users could allow/disallow sign-in from different regions/countries.
Like a per-user conditional access...
2 votes -
Show the URL that is missing when getting "missing, misconfigured, or does not match reply addresses configured for the application" error
We have had a number of occasions where we get the "missing, misconfigured, or does not match reply addresses configured for the application" error when using our own applications with AAD as the IdP.
Sometimes this requires extensive investigation to figure out the offending URL (whether it is missing, a typo, or syntax error).
What would be handy is if the error gave administrators the offending URL to help direct the investigations.
If there is a way of exporting this already, would be great to understand how.
2 votes -
Variable password complexity requirements / multiple assignable password complexity policies
I'd like the ability to configure multiple password complexity requirements / policies, and assign them based on for instance:
* Azure AD Groups (Ex: All users in a group gets affected, all not assigned to a complexity gets the tenant default complexity)
* Azure AD Role (Any or specific roles)
* Subscription role on any of subsbriptions tied to tenant (Ex. User has "owner" on one of the subscriptions)This would make sense as regular users should be able to create short, memorable passwords. Admin users on the other hand, should have complex, random generated, long passwords, and use password…
1 vote -
Support Device Authentication for Firefox
Today Device Authentication is supported for Edge, IE and Chrome (Windows 10 Accounts Extension).
For ather Browsers esspecially Firefox there is no support for Device Authentication.
It would be great if Firefox users could also benefit from Device Authentication.9 votes -
Support Android Biometrics (Face) Unlock for Microsoft Authenticator
The Microsoft Authenticator Android app should support the new Biometrics (Face) Unlock API. Currently face unlock is not supported for devices such as Pixel 4.
1 vote -
option to show group name in groups claims
ability to enable group names to be visible in the "groups" claim when groupMembershipClaims is enabled or via the SSO options.
2 votes -
Android Enterprise Kerberos Support for MS Authenticator and Company Portal
On Android Enterprise there is a way to enable Kerberos/SPNEGO based SSO for all WebViews out of the box without any change of code. Since MS Authenticator and Company Portal are used for SSO authentication of native Office Android Apps, it would be beneficial to activate this option. This would allow an enterprise user to have seamless/login-free SSO.
The scenario is that in the enterprise context the Office 365 login is often federated to an on-premise idP. That idP usually is kerberized and understands SPENGO. I can see that in MS Authenticator I get redirected to the idP but Kerberos…
13 votes -
Remove two factor
It is more of an inconvenience that an asset. It doesn't help me feel my account is secure as I have already felt it was secure by having a password that only I knew. This feature is very frustrating as sometime it does not work and then I am not able to log in to my account to complete my course work or view assignments. People should be asked if they would like to turn this feature on versus being made to do so.
1 vote -
I am the administrator for the account and the phone number that appears I no lo9nguer have access to
I am the account administrator and the phone number that appears for 2 factor auth, I no longer have access to?
1 vote
- Don't see your idea?