Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. banned password message azure ad password protection

    Add GPO or client to Windows Client for Azure AD Password protection to display the corporate password policy on login when users change their password and it's banned. Give users on prem what they can and cannot use as feedback if they put a bad one in.

    46 votes
    3 comments  ·  Identity Protection
  2. Enhanced Reporting for Azure AD Password Protection

    We are running Azure AD Password Protection on-premise mode. The PowerShell summary report is ok, but only works for admins. It would be better to have a report available in the Azure Portal for management to review easily. The report could allow us to see the same summary stats that exist in the PowerShell report.

    Also, individual event data is only available in the Windows Event Viewer where the user attempted to change their password. We have no way to centrally search for an event by user without checking all our DCs. In addition, the helpdesk have no privileges to…

    9 votes
    0 comments  ·  Identity Protection
  3. Risky user email notification is confusing

    Risky user email notification is confusing.
    When a user clicks the link in an email, he/she goes to the "Risky users (Preview)" page. However, this page is confusing. In particular, it sometimes says "No risky sign-ins found" on the "Recent risky sign-ins" tab. The link should navigate users to the "Azure AD Identity Protection" page, which is intuitive and easier to understand.

    3 votes
    0 comments  ·  Identity Protection
  4. Allow risk reevaluation for guest users

    Currently, resource tenants with a User Risk Policy in place will face the problem that guest users with a risk that doesn't meet the risk policy will get blocked from accessing the resource tenant. As the risk for a guest user can neither be seen nor changed, the only way to allow access to resources is to exclude them from the policy. It would be beneficial for admins of resource tenants to be able to reevaluate the risk for guest users on their tenant, instead of letting them bypass and ignoring all future risk events for the user.

    4 votes
    0 comments  ·  Identity Protection
  5. Idea

    Ring quiet rule

    1 vote
    0 comments  ·  Identity Protection
  6. Notify end-users when a risky sign-in (e.g. sign-in from an anonymous IP address) event is created

    Can a feature be added to notify end-users by email when Azure AD detects a risky sign-in event (e.g. sign-in from an anonymous IP address) on their account, so they're able to take immediate action if their account is compromised?

    3 votes
    0 comments  ·  Identity Protection
  7. Send Azure user risk notifications to the user also.

    Currently, Azure allows alert groups to be created in order to receive alerts/risk user alerts, etc. It would be nice if the user could also receive a notification that their AAD account is at risk due to suspicious activity.

    2 votes
    0 comments  ·  Identity Protection
  8. Marking a risky sign in as "Confirmed Safe" in the ID protection blade should factor in to the algorithm for future sign ins

    In the risky sign ins report or risky users report in AD Identity Protection you can mark a risky sign in as "confirmed safe." However this does not allow future sign ins from this IP. If an administrator confirms that the sign in is not risky, future sign ins for this user from this location should not be considered risky.

    11 votes
    1 comment  ·  Identity Protection

    Thank you for your feedback. We are reviewing options for integrating feedback provided by confirm safe/compromised. In the interim, if you want to mark specific IPs as safe for Identity Protection in your tenant, you can do so by marking them as trusted locations. More information is available here (make sure to check the “mark as trusted location” checkbox): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations

  9. Drop Risky Sign-In Attempts

    Add an option for Identity Protection Risk events to drop traffic that comes from risky attempts, rather than block/lockout. For example, if someone attempts to log in with an anonymous IP address, drop the traffic but do not lock the account out. This would still prevent the access attempt, but it would also prevent the legitimate user from being locked out of their account just because someone attempted to access the account (and failed).

    1 vote
    0 comments  ·  Identity Protection
  10. Export risk events from Azure AD Identity to Event Hub

    Azure AD Identity Protection events are currently not possible to export to an event hub.

    1 vote
    0 comments  ·  Identity Protection
  11. Ability to export Risky Sign in policies programmatically

    We need a way to export/consult Risky sign in policies.

    In general, a feature should be released with its associated API to allow Microsoft customers to perform automation.

    Support case 119070422001895 confirmed this was not possible.

    3 votes
    0 comments  ·  Identity Protection
  12. Managing a tree structure for Azure Active Directory Users

    It would be good to have a tree structure while viewing the users in Azure Active Directory.

    For example, to have a clear distinction between two colleagues who belong to two different departments. This will also help to manage the third-party developers.

    1 vote
    0 comments  ·  Identity Protection
  13. Provide a prompt when using Azure MFA with RDP

    Currently, if you use Azure MFA and remote desktop with the NPS doing the authentication, the user receives no prompt that the server is waiting for MFA to be approved on the device. As per your own article on it, the RDP connection will just sit at initiating remote connection until it fails, so if the user's phone is in another room they just call help desk asking why they can't log in.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#verify-configuration

    A simple "please approve the MFA prompt on your MFA device" notification on this screen would make it a 1000% more useful and cut down a heap…

    1 vote
    0 comments  ·  Identity Protection
  14. Create the ability to generate email alerts for risky sign-ins by type, rather than severity

    Please, add the ability to generate email alerts for specific sign-in types (e.g. log-ins from anonymous IP addresses) to enable admins to refine their procedures based on what is deemed legitimate user behaviour.

    2 votes
    0 comments  ·  Identity Protection
  15. Azure AD Identity Protection alerts should only send to users that are chosen.

    Currently email alerts are sent to all global admins, security admins and security readers. There is no way to remove those users from receiving alerts. Only users that are selected to be included should receive the email alerts.

    1 vote
    0 comments  ·  Identity Protection
  16. Allow Azure AD Identity Protection alerts to be disabled.

    Currently all global administrators are alerted when user risk level is at high, but there is no way to turn off the alerts.

    1 vote
    0 comments  ·  Identity Protection
  17. Additional Info for Risky Users in AIP

    We would like to see the reason for the Risky sign-ins. This would help us identify why AIP flagged our users. Is it because of impossible travel or anonymous IP etc in Risky Users blade under AAD.

    1 vote
    0 comments  ·  Identity Protection
  18. Prevent password brute force by blocking suspicious IP addresses

    Conditional Access comes into place after checking user and password. Having country blocking or a block list of IPs there is too late.

    Every night there are a lot of password brute force attacks from mostly the same IP address. To protect the users from being locked out when they arrive in the morning, these IPs are added to a blacklist, but the requests from these IP addresses are not blocked like a firewall would do. These requests go to Azure AD to authenticate the user, and after some wrong passwords the account is locked out…

    1 vote
    0 comments  ·  Identity Protection
  19. Need to configure which users could receive Identity Protection weekly digest report

    Currently, for Identity Protection alerts and the weekly digest report, the notification email can only be sent to active GA/security admins. However, for customers who are using PIM without permanent roles, the target admins might not get the notification email, since the role might be deactivated when the notification email is generated.

    Currently, for alerts notification, we have a public review feature to configure additional email addresses, but this feature is not available for the weekly digest report.

    Our suggestion is to send the alert/weekly digest report notification email to PIM admins no matter whether the role is active or inactive. Or adding…

    2 votes
    0 comments  ·  Identity Protection
  20. DCR - Outlook thick client re-auth on AAD risk

    When an existing access token for Outlook or Office expires, and the refresh token is submitted to the Office 365 service to request a new access token, Azure AD Conditional Access policies are re-evaluated, but Azure Identity Protection Policies are not. For example, if a user is flagged as High risk, and the high risk policy requires the user to perform a Self Service Password Reset, this is not triggered with the desktop clients. If the user is accessing the Office 365 service using a web client like Office Online or OWA, the risk state will be triggered, and the…

    1 vote
    2 comments  ·  Identity Protection