Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add report for Extranet Lockout Protection - Account Lockout

    Add a new report to Azure AD Connect Health that allows support staff to see which accounts are locked out by ADFS Extranet Lockout Protection.

    56 votes

    started  ·  2 comments  ·  Azure AD Connect Health
  2. Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

    A lot of organizations use nested groups in on-premise AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premise.
    Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end-users.

    Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

    Adding nested groups to Azure AD would add a lot of value to Azure AD.

    2,611 votes

    512 comments  ·  SaaS Applications

    We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups add. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.

    Use case A: nested group in a cloud security group inherits apps assignment
    Use case B: nested group in a cloud security group inherits license assignment
    Use case C: nesting groups under Office 365 groups

  3. Change tracking for Conditional Access Policies

    Support some kind of change tracking or auditing in regards to changes made for Conditional Access Policies?

    273 votes

    35 comments  ·  Conditional Access
  4. Managed Whitelist of Enterprise Applications

    Please provide facility to whitelist which 3rd party applications are 'approved'.

    Ideally this would be more than just a single 'bit' of information, and allow multiple lists - for example, a whitelist for 'regular company business' and another for TOPSECRET, to be integrated with other parts of the Azure framework, such as being used in Conditional Access Policy and the EMS E5 features.

    Currently OAuth consent by any user will automatically register an application and this cannot be disabled. Blacklist is possible, but whitelist is not without completely removing ability for users to manage their own consent, which is undesirable from…

    9 votes

    1 comment  ·  SaaS Applications
  5. Add the option to block only OneDrive and not the whole SharePoint

    Many large organizations that move to Office 365 have the need to block OneDrive for certain users, but leave them the ability to use SharePoint Online. After opening a support case, the response was that it is currently not supported and the only option is to block both OneDrive and SharePoint Online.

    41 votes

    started  ·  5 comments  ·  Conditional Access
  6. Assign directory roles to groups

    Allow the ability to assign Groups to directory roles for better RBAC implementations. As an example, I would like to assign the role "Application Administrator" to a group using the cmdlet add-MsolRoleMember -RoleObjectId "objectID" -RoleMemberType Group -RoleMemberObjectId "objectID" but even though the switch for group is available, it is not supported. So I have to add every single individual user to this role (and many others) in order to extend our on-prem RBAC model to Azure. This is not scalable.

    13 votes

    4 comments  ·  Role-based Access Control

    Hi,
    Assigning cloud groups to built-in roles is in public preview starting today. Thanks a ton for all the great feedback that you shared with us. Here’s the published documentation -

    https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept

    https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

    Next steps —> Support for custom roles and on-prem groups. Stay tuned!

    This feedback is similar to – https://feedback.azure.com/forums/169401/suggestions/12938997. Latest status of assigning groups to Azure AD roles will be updated there.

    Regards,
    Abhijeet Kumar Sinha
    Azure Active Directory Team

  7. Custom AAD roles creation

    Create customized Azure Active Directory administration roles like RBAC roles on resources.

    1 vote

    0 comments  ·  Role-based Access Control
  8. Searching & Filtering in the Portal

    We should be able to search and filter within the portal in a much more complete way than we can today.

    Today, you can mostly search for startswith of a UPN/name of a user. This is super limiting, so I go back and live in PowerShell to do anything more than a simple name search.
    And if we want to filter, you can use show all users, or guest users only.

    Give us the ability to search / filter / sort / export any attribute available to us.

    This extrapolates to Groups and other object types too.

    7 votes

    1 comment  ·  Admin Portal

    We’re happy to announce that the users enhancements are now in public preview. Improvements include better filtering, more columns and improved search. We are continuing to work on substring search and sorting, so look out for those improvements in the next few months.

  9. Allow Azure AD to Azure AD Trust

    Add the ability to trust another 365 tenant like exists with on prem active directory. The scenario is a company that has an established 365 acquires another company that has a 365 environment. In an on prem scenario a domain trust would be put in place, however federation and external user access are the only options. This capability needs to be in place for Azure AD to trust another Azure AD.

    98 votes

    6 comments  ·  B2B

    We’re working on a few features in this space that will likely help address this scenario but don’t have an ETA yet to share. Thanks to the folks who have added additional details of what they’re looking for, and if you have more scenarios for how this capability could help you please do add them as comments.

    Thanks,
    Elisabeth

  10. SCIM defects


    1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
      As per https://tools.ietf.org/html/rfc7644#section-1.3,
      the resource relative paths (e.g. /Users) need to be appended to the configured Base URI.
      Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.


    2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since…

    48 votes

    14 comments  ·  Provisioning to Applications

    The first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility

    OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing

    Work to support the code grant as well as client credentials on the non-gallery app is currently in our backlog. It’s intended to be done, but not yet funded.

    In the meantime, the 1KB token limitation has been lifted.

  11. AADC Health - Notification when AADC Scheduler is disabled

    Send a notification when AADC Scheduler is disabled or when sync didn't happen for x number of hours/days.

    7 votes

    1 comment  ·  Azure AD Connect Health
  12. Link a connector to a different Application Proxy service region.

    We have AAD Application Proxy Connectors installed in both Australia and Singapore, however the Azure AD tenant is in Australia, so all traffic has to loop via the Australian Application Proxy Service.

    This is a problem for our Indonesian users. We set up servers and AADAP connectors in Azure Singapore with the expectation it would provide low latency to Indonesia but that is not the case.

    Please allow us to associate a Connector Group with a specific region so that the connectors and applications linked to the connector group are routed via the expected Application Proxy service region.

    63 votes

    8 comments  ·  Application Proxy

    Hi everyone,

    We are currently developing a solution to allow you to assign a region to applications outside the region of your home tenant. By doing this, connector groups will talk to the App Proxy region specified. Please continue to share your scenarios to make sure we are taking into account these cases.
    We will update once we have a better idea for a release date.

    Send a note to aadapfeedback@microsoft.com if you have questions or want to send feedback directly to us.

    Thanks,
    Jasmine

  13. B2C analytics and reporting

    It would be great if there was some kind of reporting or/and analytics for B2C in Azure. For example can we find the successful user sign-ins or the total user count in B2C (greater than 1000)? You can see the user count lower than 1000 in the Azure AD blade -> Users and groups -> Overview.

    12 votes

    3 comments  ·  B2C

    We are working on offering a set of Power BI reports with analytics about your Azure AD B2C tenant, including: user counts, active users, registrations, and conversion rates. These reports will be available as a Power BI content pack.

    There’s a private preview of this feature. If you have a subscription to Power BI Pro and want to join the preview, send an email to aadb2cpreview@microsoft.com with the name of your B2C tenant.

    /Sergio

  14. Enterprise Application

    Create a SSO/Enterprise Application Admin role similar to Intune/Sharepoint admin role. Allow the delegation of the SSO and enterprise applications to an admin other than the global tenant admin.

    8 votes

    1 comment  ·  Role-based Access Control
  15. AADConnect - Generate Preview

    When viewing an object in AADConnect and generating a preview based on full or delta imports... it should actually go and perform the full or delta import of that specific object when you perform that action. If I'm troubleshooting an issue in a large directory environment, I don't want to have to wait 6 to 12 hours for a full import, full sync to run after making each change... It seems logical that I could update a directory object or an AADConnect rule and go preview the impact of those changes on a single object without having to import the…

    7 votes

    started  ·  1 comment  ·  Azure AD Connect
  16. msFVE-RecoveryInformation sync

    I can see in Azure AD the device can store Bitlocker encryption keys. I have been able to directly store bitlocker keys to Azure. My issue is that I have computers with bitlocker enabled and the bitlocker information stored in on-prem AD. Currently there is no way to synchronize the on-prem bitlocker keys with the Azure Hybrid connected device. I think this should be included in the ADconnect tool, especially since the msFVE-RecoveryInformation object is a sub-object of the device.

    12 votes

    3 comments  ·  Devices

    We are currently working with Intune to provide a cloud based Bitlocker management solution that will work for both Azure AD joined and Hybrid Azure AD joined devices. We will update this thread once we have more information to share.

  17. Add a common (multi-tenant) Azure AD Identity Provider

    An idp that can be used to set up the AAD "common" tenant, which does home realm discovery (customer types in their email address and the real tenant is looked up) to find the actual AAD tenant. This would allow any customer with an AAD account in any AAD tenant (that has not disallowed it to be used with the common tenant) to authenticate.

    58 votes

    4 comments  ·  B2C
  18. Customer-owned domains

    Run Azure AD B2C's sign-up & sign-in pages under a custom domain, for e.g., login.contoso.com, instead of login.microsoftonline.com.

    1,061 votes

    168 comments  ·  B2C
  19. Managed Service Identity needs new shorthand. MSI is taken

    Please please get an abbreviation checker at Microsoft. MSI is already a thing. Desktop isn't quite that dead yet. I have a hard enough time keeping up, without stepping on the same 3 letter from the same company meaning completely different things!

    5 votes

    0 comments  ·  Developer Experiences
  20. Allow ICMP/Ping through NSG

    The lack of the most BASIC functionality such as PING has forced my CTO to prevent the renewal of a $140,000 Enterprise Agreement. Our clients use external monitoring software. Amazon Web Services and Google Cloud Engine allow this, yet Microsoft's "Excuse" is that it is a security risk (It isn't, and anyone saying it is, is lying.)

    Without Ping, I cannot approve the renewal of the contract. Please add Ping before I must also revoke our subsidiaries' contracts with Azure!

    8 votes

    0 comments  ·  Other