Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Support for 3rd party EMM solutions when requiring device compliance

    We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.

    Currently Azure AD Conditional Access Policies only supports InTune for checking device compliance as described @ https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.

    184 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    36 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for your feedback. Microsoft is currently working with third party MDM providers to enable this scenario. We will update this thread once we have more information to share.

  2. Show location for Azure AD sign-ins from IPv6 addresses

    Please add location information to sign-ins from IPv6 addresses. Currently there is no location information associated with IPv6 so it is circumventing all the Azure AD Identity Protections you have in place.

    92 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    30 comments  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →
    started  ·  Azure AD Team responded

    Thanks for your feedback, folks. We have been working towards resolving the locations for IPv6 logins. Currently, a subset of such logins are getting resolved for location and the % will gradually go up. Are you seeing some of your IPv6 logins with resolved location?

  3. 212 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    36 comments  ·  PowerShell  ·  Flag idea as inappropriate…  ·  Admin →
    started  ·  Azure AD Team responded

    This is in the works, hoping to be able to release a new version in the next couple of weeks that supports running on Linux (and Mac)

  4. PowerShell module to manage and configure Azure RM PIM roles

    It is tedious and error-prone to manually configure PIM roles on multiple individual resources/resource groups through the portal. Would be nice to have a PowerShell module to make this task easier.

    11 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  5. Powershell Enable PIM Role Assignment

    We plan to utilize PIM for Azure Resources (Resource Groups), however it is currently not possible to automate thorugh Powershell. It would be nice if existing Roles could be made eligable and configurated with it's settings thorugh powershell when creating resources/resource groups through powershell.

    130 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  8 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  6. Go Direct to Password Reset from Sign-In/Sign-Up

    The Sign-in only policy allows the user to go directly to the password reset.

    The Sign-in/Sign-Up does not allow this. The user gets redirected back and you have to handle AADB2C90118.

    Reference: https://stackoverflow.com/questions/41497158/azure-ad-b2c-self-service-password-reset-link-doesnt-work

    While this flow is useful for some people the opposite is also true. Please allow me to specify the password reset policy in my sign-in/sign-up policy so the round trip is not required if I don't want it.

    188 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    48 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  7. Release API capabilities for Access Packages and Identity Governance

    I want to automate Access Package deployment with Terraform as I do with user groups as well as make dynamic groups compatible with Access Packages. This would allow me to assign users to groups based on user attributes, as I can do with Dynamic groups, but also enable group members the ability to request an access package based on their dynamic group membership, which are automatically created after deploying a new subscription with Terraform. Access Packages would be specific to each subscription and include resource and application roles that are applicable to users of that subscription. This would replace the…

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  1 comment  ·  Azure AD API  ·  Flag idea as inappropriate…  ·  Admin →
  8. add GC port 3269 to AD-DS created LB

    Hi,

    right now we can't access port 3269 (Global Catalog) of our AD-DS service.
    After open it in NSG and modify the LB it only stay open for hours. The LB get's overwritten every now and then.

    Request: Add LB rule for 3269 to the auto-create script of AD-DS. Customer still can control access this via NSG.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  5 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
  9. Create seperate sign in risk policies for medium and high risk events

    Would like to be able to create a seperate sign-in risk policy for medium and high risk events, medium policy would enforce MFA but let user continue working, high risk policy would block user access and preferably intiate sign out of all existing logins/tokens as this is a confirmed breech/exposure of credentials.

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. Granular options for Self Service Password Reset Factors

    It would be nice to be able to configure self service password reset MFA with as much granularity as application MFA policies.

    1) Restrict what factors you can use based on trusted device, network location, etc.

    2) Specify different policies for different user groups. For example, administrative users who are not AAD administrators.

    3) Restrict by domain and have different rules per domains syncing up to the same tenant.

    30 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  11. AAD Connect - View Current Configuration

    AAD Connect - View Current Configuration needs an option to export the configuration. This should be to text file and CSV format for viewing. Also to XML format for backup and later importing of the configuration if ever needed.

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  1 comment  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  12. Add more attributes to AADDS

    Expand the attributes that are syncd with AADDS and available via LDAPS. The one I'm specifically interested in at the moment is the Manager attribute, but others are important too.

    63 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →

    Hi all,

    We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!

    Erin Greenlee
    Program Manager
    IAM Core | Domain Services

  13. Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity

    Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.

    It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, Intune doesn't enforce company portal and that Exchange ActiveSync is not blocked on the Exchange Backend.

    Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"

    Att.: Caleb and Dhanyah

    /Peter Selch Dahl

    16 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  3 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  14. Please extend Azure AD Identity Protection to the B2C tenant

    Please extend Azure AD Identity Protection to the B2C tenant

    8 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. PowerShell and Graph API support for managing Multi-Factor Authentication

    Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

    The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

    Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

    The new AzureAD and AzureADPreview PowerShell modules support connecting to…

    912 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    130 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    We’re really pleased to let you know that we’ve released the first authentication method APIs to public preview:

    https://docs.microsoft.com/graph/api/resources/authenticationmethods-overview

    So far there are APIs for managing phone numbers and password resets. When phone numbers are set with the API, the user can use that number for MFA and SSPR (as allowed by your tenant’s policy).

    The team is hard at work at building out APIs for all of the other authentication methods, and we’ll update the response here as they’re released.

  16. Ability to to remove or customise the default message that we get during SSPR password reset via login screen for Win10 machines.

    Need the ability to remove or customize the default message that we get during SSPR password reset via login screen on Win10 machines. It says '8-16 characters, case sensitive, one number or symbol". This message is conflicting for the end-users as the organizations password policy may not be as stated in the hardcoded message. We need a way to customize it or remove it so that it doesn't confuse end-users.
    Also an important thing to note is that this message is not available when we use SSPR via the online link https://passwordreset.microsoftonline.com/ , its only available when the SSPR reset…

    13 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  17. Allow creation of custom directory roles in Azure AD

    Being able to create custom directory roles in Azure AD can allow Administrators the ability to grant users custom tailored roles in Azure AD. One example would be allowing the security office in your organization access to the risky events and risky users tabs with the ability to close,reopen, or mark for false positive without having to give them permissions that they do not need. This essentially takes the idea of "least privileged roles" and expands it to allow for further customization.

    14 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →

    Hi,
    This is duplicate of – https://feedback.azure.com/forums/169401/suggestions/12868950 . Latest status of Azure AD custom roles will be updated there.

    Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

    You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

    Abhijeet Sinha
    Azure AD RBAC team

  18. RBAC roles export/backup

    Currently there are actions that can wipe out RBAC roles such as cross tenant subscription transfers, but there is no way to export these roles so they can be easily applied to the subscription once the transaction is complete. Being able to backup this data/export this data could be useful for a number of applications allowing quick management of access across subscriptions

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →

    We shipped ability to export role assignments in Azure AD portal on a per role basis. Next step is ability to export assignments for all roles in one go.

    Azure portal —> Azure Active Directory —> Roles & admin —> {role} —> Download role assignments

    Thanks,
    Abhijeet Kumar Sinha
    Azure AD RBAC team

  19. High availability support for AAD Connect

    Please provide HA support for AAD Connect with automatic failover! The staging server process is hopeless, and it doesn't support a shared SQL DB. At the moment, the fastest way to do AAD Connect recovery in case the AAD Connect server is destroyed, is to have an default installed Win2016 server with the AAD Connect install files downloaded (and not installed). Due to the fact that both the production and staging server must have same version (or higher), there's a risk that some stuff will not work when you do a recovery to a second server and there's a version…

    38 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  5 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  20. enforced privileged identity management for CSP and report on costumer security blade among other normal security measure.

    Costumers even thrusting their CSP need to have a view and a control over their activities PIM is one of them , and report should be send to the security center that have the abilities to be linked to a SIEM .
    it's also part of a compliance audit, we should not need to add that partner as a B2B guest to do so , it's too much combersome as the trust between the azure AD is exisiting .

    begin to put the admin agent and helpdesk agent as eligible role (i would even suggest by default" .

    CSP Cloud…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base