Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. AAD Connect - Sync a single object

    AAD Connect - Allow sync of a selected object. This is useful in troubleshooting one object versus parsing through everything else.

    17 votes

    started  ·  2 comments  ·  Azure AD Connect
  2. Ability to export Risky Sign in policies programmatically

    We need a way to export/consult Risky sign in policies.

    In general, a feature should be released with its associated API to allow Microsoft customers to perform automation.

    Support case 119070422001895 confirmed this was not possible.

    2 votes

    0 comments  ·  Identity Protection
  3. Make provision sync on demand

    Make provision sync on demand for testing purpose.

    User and group sync normally takes about 5~30 minutes. It is very inconvenient and inefficient for testing. Azure AD should allow on-demand sync when it is in the testing phase and the total number of users is less than a number, for example 50.

    8 votes

    3 comments  ·  Provisioning to Applications
  4. Separate create and modify permissions for resources

    Make the write permission for resources more granular. There are many cases where we would like to allow admins to modify resources but not create them. To achieve this we have to assign them a role directly to the resource. This would allow a more general assignment with only modify permissions.

    1 vote

    0 comments  ·  Role-based Access Control

    Hi,
    Just a quick update here. We’re actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

    You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

    Regards,
    Abhijeet Sinha
    Azure AD RBAC Team

  5. Allow the possibility to assign Dynamics Device Groups to Conditional Access policies

    I'd like to enforce enrollment for Corporate devices but not for Personal devices, for the same user account. So I can create Dynamics Device Groups, but if I assign these groups to Conditional Access policies, it doesn't work.

    49 votes

    started  ·  7 comments  ·  Conditional Access
  6. AzureAD join gives user Admin access - needs to restrict

    By default, AzureAD join gives the user Admin access. Can we restrict this? This is a huge security risk.

    27 votes

    3 comments  ·  Domain Join
  7. Make SPN (non-interactive) login events logged and available

    Currently in Azure AD, when using SPN (non-interactive) logins via code (.NET, PowerShell, etc.) for automated processes (server-to-server communication/API) that interact with Azure, there is no event in Azure AD logs to show that this login has occurred. Please make this exposed in the logs in the same fashion that an interactive user login is logged. This is not only beneficial for troubleshooting, but more importantly from a security, compliance, and risk audit trail standpoint.

    197 votes

    27 comments  ·  Reporting
    started  ·  Azure AD Team responded

    We are working on this but we don’t have a public ETA to share at this time. We will keep you updated as we get closer.

  8. We would like to have an ETA for when custom Azure AD admin roles will be usable.. This is a huge request from all around the world. Thank

    We would like to have an ETA for when custom Azure AD admin roles will be usable.. This is a huge request from all around the world. Thank

    1 vote

    0 comments  ·  Role-based Access Control
  9. A GUI interface for edit or create custom role on Azure

    A GUI interface for edit or create custom role on Azure.

    Currently, any custom role creation or edit has to be done through PowerShell; a GUI interface is more user-friendly and easier to manage for customer admins.

    7 votes

    1 comment  ·  Role-based Access Control
  10. I changed the attribute to "not set" in Azure AD but the attribute doesn't sync to Azure ADDS.

    When I update the attributes, I can see the updated values on the Azure ADDS.
    However, if he deletes the value of an attribute (= update with not set), the value is not changed.

    Please correct this behavior.

    4 votes

    2 comments  ·  Domain Services
  11. Allow Directory Extensions as claim in SAML Token

    This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.

    If you create a directory extension attribute, there doesn't seem to be a way to include it as a claim (i.e. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name; however, it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).

    I have found that you can include a directory extension attribute as an optional claim in the…

    15 votes

    1 comment  ·  SaaS Applications
  12. Allow Applications to be added to AD Security Groups

    See https://stackoverflow.com/questions/47762262/add-aad-application-as-a-member-of-a-security-group

    Basically allow adding Service Principals (i.e. Applications) into AD Security Groups just like User Principals are allowed today.

    47 votes

    6 comments  ·  Role-based Access Control
  13. aad custom roles

    Would be nice if we could create custom aad roles, might be wrong but the concept of creator/owner and being able to assign permissions to the owner role would be nice.

    13 votes

    2 comments  ·  Role-based Access Control

    Hi,
    This is duplicate of – https://feedback.azure.com/forums/169401/suggestions/12868950 . Latest status of Azure AD custom roles will be updated there.

    Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

    You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

    Abhijeet Sinha
    Azure AD RBAC team

  14. Utilize AAD Security Groups for Device "Additional Local Administrators" support

    Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).

    162 votes

    13 comments  ·  Domain Join

    We’re currently working on this capability and will provide an update when it’s done.

    However, instead of expanding the “Additional Local administrators” setting, we will support adding AAD groups to Windows 10 local groups (e.g. Administrators, Remote Desktop Users) via MDM policy and elevate user privileges on logon. This will provide greater flexibility to assign different groups to different devices.


    Ravi

  15. Latency in sync between Azure AD and Managed domain

    There is a delay in sync between Azure AD and domain services.
    It will be great if we can reduce this sync delay.
    Sometimes the sync will not be up to date, so we need access to restart the sync between Azure AD and the Managed domain.

    17 votes

    started  ·  5 comments  ·  Domain Services
  16. Programmatically register B2C applications

    I want to be able to call a Graph API to register new B2C applications

    241 votes

    25 comments  ·  B2C
  17. The Password-based SSO Extension should inactivate the option of saving passwords in the browser.

    The Password-based SSO Extension "My Apps Secure Sign-in Extension" should inactivate the option of saving passwords in the browser.

    Currently, any user can just save the passwords in the browser. Edge is manageable, but Chrome, Firefox and Internet Explorer, as supported browsers for the extension, should inactivate the password manager.

    19 votes

    7 comments  ·  End user experiences
  18. Disable new features, which impact all AzureAD users, per default

    We always appreciate new Features in AzureAD, but if a new feature impacts all our users, we would like to be completely in control of enabling the feature once our organization is ready.
    I specifically refer to the "LinkedIn Integration in AzureAD" which will be enabled by default.
    When deploying future releases, please keep in mind that there are organizations out there, which have strict processes for enabling new features for their employees. Enabling a new feature, which impacts all AzureAD users by default is really disruptive!

    40 votes

    0 comments  ·  Other
  19. Span AADDS domain across multi regions

    Span the same AADDS domain to multi regions - currently only possible with vnet pairing and VPN gateways. Would also add redundancy to the domain if say a region were to go down or the AADDS service were to stop within a region.

    137 votes

    25 comments  ·  Domain Services
  20. Support conditional access for MyApps.microsoft.com

    We need myapps.microsoft.com (Access Panel) to support conditional access. Currently it is quite a bad user experience when accepting an Azure B2B invite in a tenant that has implemented Azure Conditional Access that does not have the option to exclude "myapps.microsoft.com (Access Panel)".

    @Adam Steenwyk

    217 votes

    started  ·  35 comments  ·  Conditional Access