Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow blocked users to be provisioned to SaaS apps

    we have group/ user provisioning turned on to ServiceNow. Everything is working great, except the users with "block sign in" checked. I reviewed the provisioning logs and show these users aren't sent over to SN. We are doing license management and need to see when inactive users are still assigned a license.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  2. Sub attributes in mappings

    Sub attributes arent supported in custom sso apps.

    I'm unable to match a user if their email is a sub attribute

    e.g. emails.value

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  3. Disable option to create Conditional Access Policy when Passthrough authentication is enabled

    When Passthrough Authentication is enabled for an app published through App Proxy, the authentication process is offloaded to the Idp the company uses.
    Because of that, authentication requests cannot be evaluated for Conditional Access.
    Thus, turning on Passthrough, should automatically prevent users from creating CAP for the application. Currently, the What-If tool will show that the policy will apply when in reality it won't.
    This documented here :
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-faq

    This behavior already exists for Single-sign on

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  4. Get group membership as an attribute of the user when provisioning with SCIM

    When mapping Azure AD attributes to application attributes, I would to know the group membership in order to set properly the values of the target attributes.

    Imagine the licence is an attribute of the user object. It can be "premium"/"silver"/etc.
    On-premises, in AD, I manage my group membership by adding the user to groups like "MyApplicationPremium", "MyApplicationSilver", etc.
    By leveveraging the group membership in the mapping, I can set the proper licence.
    There is no other way to manage this as I will not have an attribute for each application to hold the licence for instance.

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  5. Configure sync Scope per mapping

    There is a global provisioning setting to Sync only assigned users and groups, or Sync all users and groups. I would like to set this per user mappings or per group mappings. The reason for this is because we have applications that we don't have licenses for all our users. So I would like to provision the users by group membership (assigned), but sync groups globally based on a naming standard (scoping filter).

    The issue with scoping filters is you can't scope based on group membership, which would be another feature request I suppose.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  6. Please support Join in provisioning with user groups in Azure AD.

    Please support Join function in provisioning with user groups in Azure AD.

    Excerpt:
    Matching based on a combination of attributes is not supported: Most applications do not support querying based on two properties. Therefore, it is not possible to match based on a combination of attributes. It is possible to evaluate single properties on after another.
    https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#matching-users-in-the-source-and-target--systems

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  7. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  8. Link the requested app

    In the Azure Consent Workflow (currently in preview) once a user is approved they receive an email. It would be great if the approved resource / app was linked so that the user can navigate from the approval email directly to the approved site / resource / app.

    7 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Access Reviews  ·  Flag idea as inappropriate…  ·  Admin →
  9. Support filtering = false | ServiceProviderConfig

    Azure AD SCIM client is not compatible with applications, which do not support "filtering".

    If “filtering” is not supported by 3rd party app, do not ignore that.
    Use the “matching” attribute defined in mappings during the initial cycle to check, if the resource exists.
    If resource exists (HTTP-200), save “ID” persistently.
    Use “ID” in every subsequent request

    cf. RFC7644 section 4: https://tools.ietf.org/html/rfc7644#section-4

    4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  10. AAD provisioning does not show Audit logs for group membership

    AAD and G suite provisioning does not show Audit logs for group membership update which is I believe quite important to know. As per MS agent :

    If the user is not provisioned already on G suite, when we try to update group membership, this would obviously fail since we don't have a reference attribute to resolve on the target. Currently, by design, Azure AD doesn't retry the previously failed group membership update after the user is provisioned. Workarounds to fix this problem is to remove and re-add the user as a member of the group or trigger a clear…

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  11. Hybrid Reporting Uses Different Formats for CreatedTime

    Hybrid Reporting saves MIM Service Request objects as JSON. The resulting JSON has different formats for the CreatedTime property.
    Sometimes it looks like:
    CreatedTime: 2020-05-14 17:44:57.270
    Other times it looks like:
    CreatedTime: 5/14/2020 5:45:10 PM

    The different formats make it difficult to parse and use.

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Microsoft Identity Manager  ·  Flag idea as inappropriate…  ·  Admin →
  12. (Provision null attributes) Add option to have properties be emptied after clearing them in Azure AD

    Right now, I can set a phone number and clear it again in Azure. Azure will update the phonenumber in the application but will never clear it. This is by design I understand that, but our customers would like the option to also clear this information as they consider AAD the source/leading system and it's primary task is to make sure all other applications have the same data, which currently is not the case as the data is never removed from applications after it is removed from AAD

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  13. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →
  14. OAuth pre-authentication in Azure Application Proxy

    Currently pre-authentication in Azure Application Proxy implies user interacive logon to Azure AD. It would be great if one could choose an option to pre-authenticate as a annplication with a token in the same Azure AD tenant (and select an Oauth app which is regitered in the same tenant).
    That's very useful when there is an external application/server accessing on-prem app via Azure Appliation Proxy would pre-authenticate with OAuth in Azure AD first and pass this token AAP.

    75 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  15. End User to see Azure AD PIM approver details

    Hi ,

    In Azure AD PIM can we track whose the approver. I'm looking it from a end user perspective because when he activates his role it says pending for approval.

    How to check who are the approvers and so that he can chase after the approver ? Ping the approver and get his request approved.

    I don't see this option in Azure AD PIM. I understand as an Admin we can see who are the approvers but how will end user see where the request is pending at ?

    4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  16. Azure AD Cloud Provisioning: Add support for device sync

    Currently devices are not synchronized by Cloud Provisioning, not having that makes it unable to do Win10 hybrid device join as the computer need to authenticate to AAD.

    From my point of view this is the Nr. 1 topic to implement.

    14 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  17. Enable dedicated App Proxy Authentication Header

    When you connect App Proxy with pre-authentication via a native client following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application the authentication header is removed by the App Proxy. This stops single sign on requests from working and breaks a number of automation scenarios if the backend service does not support a dedicated authentication header. Ideally I would like to see the following behaviour:

    1. By default the Authorization header is used to authenticate with App Proxy
    2. If multiple values are provided as per https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers each one is checked for authentication against App Proxy, if one is valid, remove it from the header and pass…
    48 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  18. Adding Touch ID Support for MFA/password-less on Chromium (macOS)

    Google has added fingerprint authentication on Chrome including support of Apple's biometric sensors "Touch ID" last year:
    https://www.chromestatus.com/feature/5962264427364352

    This seems to be implemented via Web Authentication API.
    It would be awesome to use Touch ID as 2nd Factor or password-less option in Azure Active Directory. Currently you are able to choose between NFC and USB only (tested on lastest build of Chrome).

    It would be even better if Edge Chromium supported the built-in fingerprint of MacBooks. :)
    However, it seems to be a limitation of Azure Active Directory.

    20 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Passwordless  ·  Flag idea as inappropriate…  ·  Admin →
  19. Admin Consent Required for Basic PIM API Scenarios

    According to the docs, the permissions required to even perform basic scenarios (list my eligible roles, active a role) require admin consent. Can the API be improved to require less consent? I use PIM quite a bit and the portal experience can be painfully slow, I'd really like to automate it with the API.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  20. IDCS Provisioning doesn't work

    The Oracle Cloud Infrastructure Gallery app uses OracleIDCS object. But it doesn't support the attribute primary email = boolean. You cannot create a user in IDCS unless you set the email and put it as primary. so essentially, the email.primary has to be set to a boolean(true). Please include it in the OracleIDCS objectclass

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base