Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. 1 vote
    1 comment  ·  Microsoft Identity Manager
  2. MIM - Support for Windows Server 2019 including PCNS/ADMA

    Windows Server 2019 was released last year. We would appreciate support for the latest OS, including PCNS and ADMA. Supportability is a blocking point for customers using the latest OS.

    18 votes
    started  ·  0 comments  ·  Microsoft Identity Manager
  3. Update documentation on using Azure MFA for activating PAM roles

    Since Microsoft no longer offers MFA Server for new deployments, could you please update the documentation with instructions on how we can utilize cloud-based Azure Multi-Factor Authentication for PAM role activation.

    2 votes
    0 comments  ·  Microsoft Identity Manager
  4. It is interesting

    It was good

    1 vote
    0 comments  ·  Microsoft Identity Manager
  5. MIM Version 4.5.412.0 - Group objects fail to render when 'displayedOwner' attribute value is not populated

    MIM Version 4.5.412.0 - Group objects fail to render when 'displayedOwner' attribute value is not populated.

    Why would you post an update with this? How are users supposed to correct this when it prevents them from loading the page? When will a fix be posted for this?

    1 vote
    0 comments  ·  Microsoft Identity Manager
  6. UocFilterBuilder can't be set to a null/empty value

    It seems impossible to have a UocFilterBuilder on a page that defaults to a null value (or can be changed back to a null value) - a default "all objects" filter is always present.

    This can be a problem, for example when creating a custom object with both Explicit Membership, and a Filter for criteria membership
    (see https://blogs.technet.microsoft.com/iamsupport/2017/03/27/microsoft-identity-manager-2016-sp1-portal-4-4-1459-0-or-later-support-for-customobject-explicitmember-membership-management/)

    It may be that only the manually managed membership is required, in which case the Filter should be null, and the value of ComputedMember should be equal to ExplicitMember.

    However, if the RCDC contains a UocFilterBuilder, it will always default to…

    3 votes
    0 comments  ·  Microsoft Identity Manager
  7. 1 vote
    0 comments  ·  Microsoft Identity Manager
  8. Option to disable character escaping on parameter lookups in e-Mail Templates

    If you want to send HTML e-mails through the MIM Service, the content of variables is escaped.
    This prevents sending dynamic HTML content.
    As an example, this also prevents the function ParametersTable() from the open source activity MIMWAL from displaying the parameters as HTML.

    Feature request suggestion:
    There should be an option to disable this functionality, as a suggestion on the e-Mail Template like "Disable character escaping for variables".

    In detail:
    If you have a variable like [//WorkflowData/Content] with the value "Hello Test User,<br>Welcome on board" this results in "Hello Test User,&lt;br&gt;Welcome on board"

    As an example Use case: …

    2 votes
    0 comments  ·  Microsoft Identity Manager
  9. Graph Connector Issue: select is not supported for these properties

    There is an issue in the Graph Management Agent Version 1.1.913.0.

    If you select all attributes you run into the delta limitations of Graph (not all attributes are available over the delta link).

    Method Name : GraphConnector : GetImportEntries
    --------- Outer Exception Data ---------
    Message: Error during http call. HttpStatusCode: BadRequest;
    url: https://graph.microsoft.com:443/v1.0/users/delta/?$select=consentProvidedForMinor,pastProjects,country,registeredDevices,mySite,onPremisesSecurityIdentifier,schools,userType,preferredName,memberOf,faxNumber,postalCode,state,aboutMe,ageGroup,transitiveMemberOf,legalAgeGroupClassification,createdObjects,onPremisesDistinguishedName,employeeId,birthday,deletedDateTime,otherMails,streetAddress,mailNickname,proxyAddresses,contacts,showInAddressList,officeLocation,displayName,businessPhones,ownedDevices,deviceEnrollmentLimit,preferredLanguage,ownedObjects,interests,responsibilities,hireDate,imAddresses,city,onPremisesSamAccountName,id,jobTitle,companyName,onPremisesDomainName,onPremisesLastSyncDateTime,surname,mobilePhone,onPremisesSyncEnabled,directReports,mail,userPrincipalName,department,givenName,onPremisesUserPrincipalName,accountEnabled,manager,isResourceAccount,skills,usageLocation,onPremisesImmutableId,passwordPolicies;
    Response: {
    "error": {
    "code": "BadRequest",
    "message": "Invalid Request: $select is not supported for these properties.",
    "innerError": {
    "request-id": "removed",
    "date": "removed"
    }
    }
    }
    Exception root Exception type: Microsoft.IdentityManagement.Connector.Graph.GraphAPIException
    Source: Microsoft.IdentityManagement.Connector.Graph
    Stack Trace: at Microsoft.IdentityManagement.Connector.Graph.GraphHttpClient.<GetAsync>d__4.MoveNext()
    --- End of stack trace from previous location where exception…

    2 votes
    0 comments  ·  Microsoft Identity Manager
  10. Add ability to add child domain after MA already set up

    After you configure a management agent in MIM, you can't go back and select a child domain to be synced. It continues to run, but ignores the new partition and selected OUs.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  11. 1 vote
    0 comments  ·  Microsoft Identity Manager
  12. Graph Connector Issue: Manager update wrong HTTP method

    There is an issue in the Graph Management Agent Version 1.1.913.0.

    If you want to update the manager of a user, the connector sends a POST request against Graph.

    The issue is that the function Assign manager is listening on HTTP PUT.

    StackTrace below:
    Method Name : ExportContext : Export Export failed
    --------- Outer Exception Data ---------
    Message: Error during http call. HttpStatusCode: MethodNotAllowed;
    url: https://graph.microsoft.com:443/Beta/users/{GUID removed}/manager//$ref/;
    Response: {
    "error": {
    "code": "Request_BadRequest",
    "message": "Uri is invalid for a POST operation. The URI must refer to a service operation or an entity set.",
    "innerError": {
    "request-id": "{GUID removed}",
    "date": "2019-05-21T06:41:51" …

    1 vote
    0 comments  ·  Microsoft Identity Manager
  13. Add frontend MFA to PAM

    PAM can only MFA via CustomPhoneProvider, which has its issues:
    - Users must have a phone number (or the provider is not called)
    - In effect limits you to Back-end MFA (phone call, or push notification)
    - Frontend can be achieved, but technically much harder.

    Allow the PAM API to get tokens/inputs/other from frontend.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  14. Add logging to PAM API

    From what I have experienced, the PAM API does not log anything of value. Please make it log when it has problems; debugging running processes is not logging.

    Alternatively: If it can log, please document how to configure it.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  15. Allow PAM to join MIM Sets

    The basic of PAM is that you have to activate privileges... But somehow MIM cannot do this for itself?

    (Correct me if I am wrong, but I was unable to create a Set that targets users who have activated a PAM role.. I was able to target the PAM Requests, but not extract the users)

    Alternatively: Allow Security Groups in AD to be a member of a set directly, not with Sync.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  16. Fix PAM API to not use impersonation for Active Directory

    In some patch or another the PAM API was altered to call Active Directory in the caller's context, which for Constrained Delegation means you have to add the SPN for LDAP for all your domain controllers.

    According to my brief read of the code it seems it only does this to... find the user's expiration date.

    For AD reads, use the service account's identity, not impersonation.

    Relevant blog post:
    https://www.steadyblog.com/microsoft-identity-manager-sp1-pam-rest-api-requests-either-fail-with-http-404-or-500-when-calling-remotely/

    1 vote
    0 comments  ·  Microsoft Identity Manager
  17. Support Managed Service accounts in PAM PowerShell Cmdlets

    Managed service accounts cannot use (all) the PAM Cmdlets correctly.

    Get-* Works

    But creation does not work; Why:
    - The source code assumes the caller is a user when it tries to resolve its sid (to populate the creator id in MIM)

    1 vote
    0 comments  ·  Microsoft Identity Manager
  18. Microsoft Identity Manager: create supported scenario for bidirectional password sync with PCNS

    With many ADs on prem, we have a major need to sync passwords bi-directional between global AD and local ADs.

    MIM 2016 with PCNS does support password sync, but does not support a scenario with bi-directional sync. Can this be supported?

    2 votes
    0 comments  ·  Microsoft Identity Manager
  19. open-source adconnect / mim

    ADconnect, also known as MIM, are the primary tools for syncing AD or other accounts. Yet they do not seem to get much attention from Microsoft developers. I'm talking about the basic sync engine, not the portal service. It basically works, but it's lacking quite a lot of features that would make the life of our customers better. Things like alerting, and being able to manage the connector space when something goes wrong. Remove an outstanding delete or add one if needed without needing to delete the entire connector space. Adding a scheduler into the GUI. Things useful to fix corrupted…

    1 vote
    0 comments  ·  Microsoft Identity Manager
  20. Document the settings required for MultiSubnetFailover=True for MIM Sync, MIM Portal and MIM Service for SQL Always On Availability Groups

    Hi

    The MultiSubnetFailover=True keyword is now supported for MIM deployments to connect to SQL in two datacentres using SQL Always On Availability Groups.

    But the existing documentation is awful and confusing.

    A clear document is required to show how the MultiSubnetFailover=True is used in the connection string for MIM and SharePoint.

    2 votes
    0 comments  ·  Microsoft Identity Manager