Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Login with printable badges for K-3 students to SSO applications.

    We'd like the capability to log in with printable badges for K-3 students to SSO applications in Azure AD, so that they can simply scan the badge that the teacher made for them and get into the application. Similar to https://clever.com/products/badges. This would fit into passwordless sign-on but not require phones, as students may not have phones.

    5 votes

    2 comments  ·  Passwordless
  2. Workday-driven automatic AD group assignment

    When a new AD account is created using Workday, it should be possible to assign birthright AD groups to the user automatically.

    34 votes

    2 comments  ·  Provisioning from Cloud HR
  3. Ability to trigger a dynamic group update

    It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show, and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a PowerShell applet that can be run.

    649 votes

    76 comments  ·  Groups/Dynamic groups
    under review  ·  Azure AD Team responded

    Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

  4. access reviews

    In access reviews, it would be helpful to see the current status of the account. For example, we have accounts that are recommended for "Deny" but in AAD the account is already blocked from signing-in.

    Also accounts surface in the access review that have been removed from AAD.

    1 vote

    1 comment  ·  Access Reviews

    Thanks for submitting the feedback!

    You’re right that currently we don’t reflect the status of the account in real time, because when the review is created we take a snapshot of the users in the review right before the review starts, so the reviewers get a view of the user’s activity X days before the review. This has been an audit requirement for some customers. I’d like to hear more about your use case in dynamically updating the user’s status, and how that contributes to your audits (if any).

    We’ll keep this feedback in mind when planning, thanks again!
    - Fionna

  5. Ability to search on all Azure resources and resource groups in the "Resource filter" experience

    Azure resources/resource groups search in PIM doesn’t search my entire pool of resources/resource groups. It only searches by page. I have to click "load more" 15+ times to find some of my resource groups, which is a horrible UX and seems more like a bug to me.

    12 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  6. Azure Active Domain Services Synchronisation Report

    Currently, it is not possible to get accurate information from AADDS about what and when attributes are synchronised from Azure AD to Azure ADDS. It would be most helpful if customers could query on a per user or per directory basis to find out what attributes were synced and at what time (including password changes)

    16 votes

    under review  ·  3 comments  ·  Domain Services
  7. Users must not delete resource groups if they are not allowed to delete the resources.

    We created custom roles to allow another team to operate our environment. To avoid accidental deletion of data, we removed the delete action for several storage components, for example Data Lake Store Gen1.

    Unfortunately when deleting a resource group, it completely ignores the permissions on resource level. For example, I do not have deletion rights on ADLS, but I can still remove it, by deleting the whole resource group.

    Resource Groups are simple containers and restricting people on managing them on their own will have a huge impact. We will waste a lot of time to define processes and executing…

    30 votes

    1 comment  ·  Role-based Access Control
  8. Support for Workday "Integration System" custom attributes

    Sourced from https://github.com/MicrosoftDocs/azure-docs/issues/21671

    Adjust Workday web service call (get_workers) by adding a reference criteria call

    As an AD Admin, I would like the Azure AD Workday connector to support "integration system" attributes which are retrieved through special modification to the Get_Workers() API call.

    It would be beneficial if the web service call for workers could be adjusted to call another integration to get values that the normal API call won't get.
    Example: Some values needed or recommended for provisioning might be part of custom objects or derived from other objects in Workday.
    What I propose is that you at least…

    57 votes

    4 comments  ·  Provisioning from Cloud HR
  9. PowerShell PIM Access Reviews

    It doesn't appear like there are any PowerShell cmdlets for PIM to support access review creation and management. This would be helpful for automation purposes so someone doesn't have to log into the GUI to create access reviews, check status, etc.

    43 votes

    under review  ·  7 comments  ·  Access Reviews
  10. Create Custom RBAC Role with link to Built-In-Role

    When I create a custom Role from a Built-In-Role, this new rule is no longer updated by Microsoft, because it is custom. I would like to have a way that I can set a delta on a Built-In-Role and create a new Role from it, so I have a custom rule that always receives updates from Microsoft.

    2 votes

    0 comments  ·  Role-based Access Control

    Hi,
    Thank you for taking the time to submit feedback! This is an interesting request, we certainly have customers who want it one way or the other. We’ll consider a mechanism to specify a role is ‘inherited’ from a parent role and thus gets updates based on that role. However, we don’t have a timeline for that just yet.

    Thanks again,
    Vince Smith
    Azure Active Directory Team

  11. ServiceNow

    I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.

    For example, the user table within ServiceNow looks similar to the sample snippet below:

    TABLE - User [sys_user]

    FIELD - Username [username] - string
    FIELD - Name [name] - string
    FIELD - Email [email] - string
    FIELD - Department [department] - references Department [cmn_department] table
    FIELD - Location [location] - references Location [cmn_location] table
    FIELD - etc. etc.

    Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem…

    18 votes

    3 comments  ·  Provisioning to Applications
  12. Have the ability to use all Azure AD user attributes for Customize claims available for Azure AD SAML token.

    Allow the use of all Azure AD User attributes in a claim. Currently we have a requirement to add Azure AD synced attributes to be sent as a claim for SAML authentication. For example, attributes such as 'Manager' or 'immutable ID' are not supported. Can we have the option to use all available attributes as part of the claim?

    31 votes

    3 comments  ·  Authentication
  13. Address VDI and M365 licensing

    Hello everyone, this is a requested change for the components of Azure AD machine join. The use case here is for clients to upgrade their existing Windows PC (7,8,10) to Windows 10 enterprise. Our customer base uses VMware's Horizon view for VDI. VMware's official supported license is KMS. Our clients would love to transition to a cloud based licensing model, but the Windows 10 E3 license does not work with the cloning technology for a couple of reasons.

    Horizon Cloning options & pool types:
    • Manual - VM is not built in Horizon, only brokered through it.
    • Full Clone…

    29 votes

    0 comments  ·  Azure AD Join
  14. Azure AD User provisioning service : Adding a Staging/Preview mode

    Please add a Staging/Preview mode for the Azure AD User Provisioning Service.
    It should be possible in an initial setup to test a new provisioning interface and receive a report on what will be changed in an end application. This gives the possibility and security that a new interface can be set up productively.
    There is currently a risk that unwanted changes will be made.
    As a suggestion; extension of the Scope field by
    - Sync all users and groups (Preview only)
    - Sync only assigned users and groups (Preview only)

    10 votes

    2 comments  ·  Provisioning to Applications
  15. Application Provisioning Attribute Mapping Configuration Backup for last 5 changes

    During a recent incident I came to know that the details of Provisioning Configuration changes do not get backed up, i.e. the attribute changes which we make on the attribute mapping. Only a text message gets recorded when changes are performed. It never records what changes were made. If Microsoft provides any one functionality it will be helpful for all Azure customers.

    Option 1) Provide a backup of the provisioning application schema for the last 5 configuration changes, which can be accessed by the Admin. It will help the Admin to restore from the backup in case of any failure while updating the Schema.

    Option 2) Currently Microsoft records…

    2 votes

    0 comments  ·  Provisioning to Applications
  16. Salesforce Connector Terminology

    This may be "cosmetic" but in the Salesforce - Users and groups Assignment page, 1 Azure AD Security Group is mapped to something called a Role. It's actually a Profile in Salesforce. Aligning the terminology could be good as Salesforce Roles are different.

    1 vote

    under review  ·  0 comments  ·  Provisioning to Applications
  17. Azure AD App Proxy - SSL Certificate Renewal

    When renewing the SSL cert it would be good to upload just once and have it propagate to all apps using the current cert that is about to be replaced.

    We use wildcards for a single domain so it would be good to have this rather than upload the same file 50 times and counting to update our cert.

    Anytime you create a new application it knows to use the same cert.

    35 votes

    under review  ·  3 comments  ·  Application Proxy
  18. Privileged Identity Management Activations duration should have both Maximum and Default activation duration.

    Privileged Identity Management Activations duration should have another configuration setting together with Maximum activation duration.

    • Maximum activation duration set to 8 hours
    • Default activation duration set to 4 hours

    This way administrators can extend the time if required; this replaces the need to automatically have the maximum activation time.

    17 votes

    0 comments  ·  Privileged Identity Management
  19. 18 votes

    under review  ·  2 comments  ·  Application Proxy
  20. Add ability to join ASG to VM Contributor Role

    VM Contributor role has the ability to join a NIC to an NSG today, which is logical. Network Contributor creates the NSG with the rules, probably applies the NSG to the subnet, but the VM Contributor needs to be able to apply the NSG to the NIC when they create a new VM. VM Contributor does not have the ability to associate a NIC with an ASG, though, which appears to be a pretty major oversight as our NSG rules will not have any impact until the ASG is associated with the NIC. Today, that would require giving our VM…

    2 votes

    1 comment