Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow Organisations to force users to complete a new MFA challenge when elevating to a role in Privileged Identity Management

    Currently the behavior is that if a user signed into the Azure Portal and completed an MFA challenge they will not be prompted again when they elevate to a role in PIM even if the role settings are set to "Require MFA on elevation" as PIM will use the existing MFA claim/token that was completed upon sign-in.

    Please allow us to force PIM to acquire a new MFA claim on elevation.

    22 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  2. Push notification when new request is pending of approval on PIM

    Currently, the only option for PIM approvers to receive notification of a new request is email (or my log in at AAD PIM -> Approve Requests).
    By having a push notification, the approval process would be faster when email is not monitored.

    10 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. Not require AAD registration for using Office 365

    I have several customers that would like to 1) be able to block the pop-up that end users see when starting to use an Office 365 product and 2) not require AAD registration for using Office 365 products.

    The benefits like SSO are very nice, BUT there are som cases where AAD registration is a problem. An example is students that get access to a O365 license as part of their benefits of going to that school. If they have personal PCs, they may have strong objections to their device being managed by the school in any way.

    We have…

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Devices  ·  Flag idea as inappropriate…  ·  Admin →
  4. Remove possibility for mapping to readonly ID attribute

    According to RFC 7643 section 3.1 “The value of the "id" attribute is always issued by the service provider and MUST NOT be specified by the client.” But in fact azure portal allows mapping to “id” attribute which is violation of RFC.
    RFC https://tools.ietf.org/html/rfc7644#section-3.12 specifies that service provider should respond with “Bad Request” to these invalid requests. There is even example of such response in the end of section 3.12.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  5. service principal

    There is no logs for Service Principal connexion in Azure AD Sign-in.

    If a SP secret is discovered, we can't determine from where and when the connexion has been done to Azure AD.

    Provide logs for service principal connexion to azure (connect-azaccount).

    We also would like to use Conditionnal Access with Service Principal to make restriction based on location like user account.

    4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. B2B User Identity Protection Status

    B2B (Guest) users should show up in the "Risky Users" report if they are being blocked from your AAD tenant. I had a case where the B2B user failed to enroll in MFA within the grace period, then failed enough of their logins that Identity Protection flagged them as "High Risk", but there is nothing to indicate that in any query or report that the tenant admin has access to view. All we could find was a message that they needed to enroll in MFA, which we reset about 10 times before support checked diagnostics on the backend and found…

    19 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →
  7. Marking a risky sign in as "Confirmed Safe" in the ID protection blade should factor in to the algorithm for future sign ins

    In the risky sign ins report or risky users report in AD Identity Protection you can mark a risky sign in as "confirmed safe." However this does not allow future sign ins from this IP. If an administrator confirms that the sign in is not risky, future sign ins for this user from this location should not be considered risky.

    19 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback. We are reviewing options for integrating feedback provided by confirm safe/compromised. In the interim, if you want to mark specific IPs as safe for Identity Protection in your tenant, you can do so my marking them as trusted locations. More information is available here (make sure to check the “mark as trusted location” checkbox): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations

  8. Add SCIM to support UserType field in Scoping Filter

    If AAD UserType field was available in SCIM Scoping Filter, it would be easy to filter out all guest users from the scope of synchronization.

    9 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    Hi we will review.

    One option to consider is to set the filter to filter out specific domains that guest users are coming from. You could also control who is provisioned based on groups that users are assigned to.

    That being said, the need to scope on user type makes sense.

  9. Update or remove the CAPTCHA verification in the SSPR

    The CAPTCHA verification in the initial SSPR portal page is most of the time really hard to read and it take 4-5 attempts to actually start the password reset or account unlock process and this frustrates our end-users.

    I understand the reason the CAPTCHA is there but maybe replace it by the reCAPTCHA with images instead of those hard to read letters.

    Ps. the current captcha is case-sensitive but there are no info in SSPR to highlight that :(

    35 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  10. Option to enforce authentication every time you access a SSO app (e.g. SaaS app)

    Add a option to enforce authentication every time you access a SSO app (e.g. SaaS):
    - Option could be possible per app
    - Option could be 1) re-enter password (ignore SSO) 2) guaranteed MFA prompt (ignore MFA token)

    Use case:
    Shared PCs, Personal Logins, SaaS App has sensitive payroll data, Concern: People don't log off -> anyone can walk to the PC and get into SaaS app via SSO. As of now even MFA doesn't help due to MFA token or Windows Hello strong auth. You could only play with token life-time.

    266 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    35 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  11. RBAC permissions to see Application Gateway Backend Health

    RBAC permissions to see Application Gateway Backend Health
    The RBAC reader' and 'monitoring reader' roles do not allow users of those permissions to see the backend health.
    Error is the client 'user' does not have authorisation to perform action '/Microsoft.Network/applicationGateways/backendhealth/action' over scope 'subscription...resourceGroups/providers/Microsoft.Network/applicationGateways/applicationgatewayane'
    Is it possible to modify the reader / monitoring reader permissions so that viewings the backend health status is allowed for those roles, and/or advise of a read only role that allows this as don't want to grant users modify access to the application gateways just so to enable them to see backend health.

    49 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →
  12. Allow Granular Privileged Role Admin Assignments. E.g. Privileged Role Admin (Azure resource)

    Large organisations will often separate/delegate tenant-wide access management and administration from lower-level (Azure) resource-level assignments. If this were extended to PIM, such that we could delegate the management of PIM Azure Resource role assignments to different Admins than those that manage the PIM AAD Admin role assignments this would be better than the all-or-nothing scenario with the Privileged Role Administrator role.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Workday to AAD/AD provisioning query scope

    Workday to AD/AAD provisioning
    please add the ability to scope the query passed to getworkers api. For instance, pass to getworkers company=schoolA.
    Workday is now implementing shared tenants in the EDU space. In a shared tenant, the current query to get_workers pulls all workers and then allows scoping. but the worker data for all schools has to be pulled before it can be scoped. The result is AAD audit logs saturated with other schools employee data. Also need to be able to control audit data written to azure activity logs, or at least be able to clear the…

    20 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Provisioning from Cloud HR  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add option to disable TLS 1.0 for the application proxy cloud endpoint

    TLS 1.0 is an option for connecting to the cloud endpoint of the application proxy. This causes security audit tools to complain that TLS 1.0 is not in alignment with PCI and other compliance regimes.

    There has been a toggle in the UI for the web app service to disable TLS 1.0 for nearly a year and the same option should be available for the application proxy too.

    20 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  15. SSPR - Allow user unlock from the windows 10 logon screen.

    You recently implemented the password reset from the Windows 10 logon screen. However, the possibility of unlocking the user when they remembered the password was lacking.

    I remember that this functionality already exists through the MIM or Azure reset link.

    118 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    16 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  16. Conditional Access blocking Office Activation and signin.

    When the Conditional Access Policy is configured with All cloud Apps option, Office activation is also blocked, although there isn´t any cloud app dedicated for Office activation exclusion. Please create one dedicated cloud app for Office activation.

    224 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  19 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  17. Support tags for Azure AD Domain Services

    Considering adding support for Azure Tags in Azure AD Domain Services. Azure Ad Domain Services is nearly to only service that does not support tags in Azure.

    @Erin

    20 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
  18. Use seperate PTA agents for each AD forest

    We are just now maing the switch from ADFS to use PTA.
    We are a large enterprise with some 25k users and 3 seperate AD forests.

    One thing that would make my, and every network/firewall persons, life easier would be if we could have dedicated PTA agents for Forest A that takes care of users with UPN suffix belonging to Forest A, and seperate dedicated agents for Forest B that takes care of users with UPN suffixes belinging to that forest.

    In the current design any login ticket can end up on any PTA agent which means that every server…

    10 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  19. Create Custom Controls for Azure AD conditional policies without offline process

    First of all thank you very much for the Custom Controls functionality for Azure AD.
    I just found through an Azure Support channel that today, you need to contact Microsoft to become a "valid" provider for custom controls.
    It would be great if you could make the registration process online and automated as I see a lot of potential for customers to want to implement their own validation logic during the authentication pipeline.

    Having to offline register with Microsoft in order to have a compatible service will make it much harder to push this feature forward.

    13 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  20. Please support Group Managed Service Accounts for Azure AD App Proxy

    Please support Group Managed Service Accounts for Azure AD App Proxy. Without it we have to manage the Kerberos Constrained Delegation Settings for each App Proxy Connector separately. A misconfiguration at this setting has a fatal security impact so we would really appreciate to do it once per connector group.

    12 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base