Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. MIM graph connector missing key information

    MIM graph connector missing key information like Licenses, mailbox created time, Provisioned plans, Extended attributes, etc.

    2 votes

    under review  ·  1 comment  ·  Microsoft Identity Manager
  2. banned password message azure ad password protection

    Add a GPO or client to Windows Client for Azure AD Password Protection to display the corporate password policy on login when users change their password and it is banned. Give users on prem feedback on what they can and cannot use if they put a bad one in.

    66 votes

    6 comments  ·  Identity Protection
  3. Enable SSPR to reset Windows cached credentials

    In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

    It's great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since it's definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we…

    504 votes

    60 comments  ·  Self-Service Password Reset
  4. Send Microsoft Service emails to Eligible Global Admins

    We recently bought new Windows 10 Enterprise E3 licenses. An email from the Microsoft Online Services Team informing us of the availability of these licenses in our tenant was sent to all 'Assigned' Global Administrators, but not to the PIM-managed eligible Global Admins.

    Ideally we would like to have all Global Admins managed by PIM, excluding only the emergency access accounts.

    3 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  5. Access package policy for dynamic assignment

    The ability to have a policy that dynamically assigns access packages to users automatically, based on criteria / filters, is very important, as this will greatly improve an organization's ability to provide a set of default access packages to their users based on division, company, etc.

    29 votes

    under review  ·  2 comments  ·  Entitlement Management
  6. Notification to eligible members

    In Microsoft 365/Azure AD there are many predefined notifications set to tenant admins/global admins as the default recipients (examples: predefined Alert Policies in the S&C Center, Billing notifications, etc.). If all members of that role are eligible and currently no member has that role active, then the notification cannot reach anyone. So please change this behavior so that eligible members of a role will get that notification by default.

    2 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  7. Support NPS/RADIUS for Azure AD Domain Services

    Add support for Microsoft NPS/RADIUS in Azure AD Domain Services

    513 votes

    61 comments  ·  Domain Services

    UPDATE 01/06/2020
    Multiple scenarios are still being investigated.
    (We changed the status to because Started implied we were working on the feature and we did not want to represent it inaccurately. We are investigating and therefore we are marking it under review.)

  8. Workday to Azure AD provisioning application under attribute mapping, under target object action delete feature deleting users in Azure

    Workday to Azure AD provisioning application

    Under attribute mapping, under target object action, the delete feature deletes users from Azure AD. Instead of deleting the user from Azure AD, the account should be disabled in AD.

    3 votes

    under review  ·  0 comments  ·  Provisioning from Cloud HR
  9. Privileged Identity Management event into Event Grid for automation

    We would like to use Privileged Identity Management (PIM) to provide access to content within a resource, for example a database within a database server. To be able to hook into a successful 'just in time' request and its timeout, I would like to use something like Event Grid.

    The current alerting based on email is not good enough to be able to reliably build automation.

    6 votes

    under review  ·  1 comment  ·  Privileged Identity Management
  10. Add an option to bypass service plan dependency check when assigning license to group

    The Azure portal does not allow assignment of an add-on license to a user group unless a base license with prerequisite service plans is also assigned to the group. Example: Audio Conferencing can only be assigned to a group if (e.g.) Office 365 E3 with the Microsoft Teams service plan enabled is added to the group at the same time.

    The problem is that most of our customers have a mix of Office licenses. In order to avoid service plan conflicts and unnecessary license usage, we would need to create a group for each possible combination of the addon and…

    99 votes

    5 comments  ·  Admin Portal
    under review  ·  Azure AD Team responded

    This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

  11. MFA: remember device permanently (& remember per device, not per app)

    Please:
    1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
    2. Make it so that MFA is remembered once per device (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).

    Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or…

    312 votes

    23 comments  ·  Multi-factor Authentication
  12. Auto suggest role activation on "access denied" error messages if user is eligible

    If I have a role that would allow me to access a page via PIM, error messages should suggest enabling the least privileged role I am eligible for instead of just showing an access error.

    This would:
    1. allow thinking of PIM as a workaround
    2. help users understand that Global Admin is not the role to activate by default and that less powerful roles could still allow them to get things done
    3. add some friendliness to "access denied" error messages :-)

    3 votes

    under review  ·  1 comment  ·  Privileged Identity Management
  13. Integrate Azure AD PIM with on-premises AD

    Azure AD PIM is a cool feature, and easy to use. The on-premises MIM PAM solution is the exact opposite experience. It requires a lot of infrastructure to be in place, and different skillsets are needed to make it secure. It's simply too expensive and complex for a lot of organizations to use.

    Integrating AAD PIM with on-premises AD would solve these issues. A cloud based solution, paid by usage (license per user).

    174 votes

    under review  ·  11 comments  ·  Privileged Identity Management
  14. Disable SSPR by group (exclude group from SSPR)

    Currently, you can configure SSPR to be enabled for your entire organization or for a specific group. It would be nice to have the ability to disable/exclude a specific group (e.g. enable for the entire organization except for a specific group(s)). The use case would be a scenario where almost the entire company should have SSPR but there are sensitive accounts that should not be enabled for it.

    125 votes

    25 comments  ·  Self-Service Password Reset
  15. Support License Assignment on Entitlement Management

    Currently, we are using the assignment-to-group method for Office 365 licenses.
    I hope to enhance our administration of license assignment tasks.

    If you support license assignment in entitlement management, we would be able to do complex license assignments for restricted-access users.
    (ex. only e-mail access, device management only, etc.)

    I hope entitlement management will support the license resource.

    5 votes

    under review  ·  2 comments  ·  Entitlement Management
  16. Make PIM audit more robust. Should be able to filter on all of the key categories (for example, filter on Global Administrator approvals)

    Make PIM audit filtering more robust. Should be able to filter on all of the key categories (for example, ability to create a filter for Global Administrator approvals).

    2 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  17. Conditional Access for B2B Guest users

    For a Conditional Access Policy applicable to B2B Guest Users, in Azure AD > CA Policy we do not have an option for selective selection of B2B Guest users under the 'Users and Groups' section of the CA Policy. But for Cloud Member users we have the option for selective selection of users. Why don't we have the same capability and functionality for B2B Guests that we have for Cloud Member users in CA Policy? Also, why are we calling it Preview Mode?

    29 votes

    9 comments  ·  Conditional Access

    We’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?

  18. Enable PIM assignment for a guest user in a specific directory

    We use PowerShell to activate PIM for users, but when we change to a specific directory, the get-privilegedroleassignment cmdlet still lists the roles available in the "home" directory, rather than the directory that you're currently in.

    connect-pimservice -TenantName <XXXX>

    has no effect on the get-privilegedroleassignment command

    13 votes

    under review  ·  1 comment  ·  Privileged Identity Management
  19. AzureAD Box User Deprovisioning Transfer Files to Another Account

    Box supports the ability to specify an account to which user files are transferred. We rely on this functionality to ensure that users' files are transferred to a backup service account when a user leaves the organization. It would be very nice to have this capability too.

    Box Dev guide:
    https://www.box.dev/guides/users/deprovision/transfer-folders/

    Okta guide:
    https://help.okta.com/en/prod/Content/Topics/Provisioning/Box/configure-box.htm#Enable2

    1 vote

    1 comment  ·  Provisioning to Applications
  20. For access denied page, show least privilege role needed to encourage PIM

    When I get an access denied page in Azure AD portal, it would be VERY useful to add the least privileged role [needed to see this resource] as part of the error message page. This will help me know specifically which PIM role to activate (or to add this user to for future access) ...otherwise, it's often just ~easier~ to simply reach too high (e.g. activate GA because it's easier than hunting down or using trial-and-error to know which role I actually need)

    This is a GREAT resource and I use it often, but just surfacing the info immediately would…

    8 votes

    under review  ·  0 comments  ·  Privileged Identity Management