Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
PIM - Configure default settings for all role assignments
Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.
Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.
e.g. I would like PIM eligible assignment to default to a maxiumum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.
Thanks
Ben.18 votes -
Changing AppRoleAssignment should cause provisioning update
Currently with automatic provisioning for Zoom or DocuSign (probably all applications) if you update the role someone is assigned for the application in Azure AD it does not trigger updating the user at Zoom or DocuSign.
When changing the AppRoleAssignment it should trigger provisioning update. Only way to do this currently is to restart provisioning.
2 votesThis is something we’re working on addressing right now.
/Arvind
-
Enable "Sign in with a security key" option from any sign-in page (e.g. in case of frequency passed)
End-user experience of password-less sign-in options is broken in some user scenarios.
Example: The "Sign in with a security key" option is not available on sign-in page after the sign-in frequency passed (Conditional Access session policy).
7 votesThis is something currently working on to resolve.
-Libby Brown
-
Customer tenants should be manageable by PIM
PIM should be able to manage access to customer's tenants. Partner has employees with their own source of authority but should still be able to give out access based on Azure lighthouse for instance. AzLighthouse currently supports groups only, which are not supported by PIM.
19 votesLighthouse customers will be able to use PIM so they don’t have standing access to customer data.
-
Export of Roles and assignments in AAD
In 365 we can get a csv file showing users role assignments. I would like the same in Azure AD.
User name, Assigned role option to export as a SINGLE CSV file.
10 votesWe shipped ability to export role assignments in Azure AD portal on a per role basis. Next step is ability to export assignments for all roles in one go.
Try this –
Azure portal —> Azure Active Directory —> Roles & admin —> {role} —> Download role assignmentsThanks,
Abhijeet Kumar Sinha
Azure AD RBAC team -
CORS for token endpoint
For SPA Native applications, for instance Ionic/Cordova Apps, seems convenient to use code grant with PKCE flows.
In this kind of apps, the requests are performed by the embedded browser, not by native OS. When the apps try to redeem the code to get the tokens if appears an error due to the fact that /token endpoint doesn't enable CORS.
Is there any plan to allow CORS configuration in Azure AD as it has been already implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?33 votesThis is now under development – you can track progress in the MSAL.JS issue tracker here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1000
-
Azure AD to on-premises application user provisioning
Support provisioning users from Azure AD to on-premises applications such as SQL, PowerShell, and LDAP.
1 vote -
Find and Replace Claims Transformation Function
When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:
If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.
31 votesWe have enabled a contains() function. We will be working on the capability to Replace().
/Luis
-
B2B Scenario - the B2B Guest User should use the MFA or their autheticating tenant
In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA ot access this information.
The B2B user would need to enroll into the MFA for my tenant, even though he already is setup to use MFA in his tenant. This would result in multiple Authenticator accounts for the same orignal Azure Account.
I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.26 votesWe’re working on features to make this experience better. Thanks for the feedback!
/Elisabeth
-
Add support for Kerberos AES and drop RC4_HMAC_MD5
Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature" the "Seamless SSO uses the RC4HMACMD5 encryption type for Kerberos."
Please add support for modern ciphers and drop that obsolete RC4_MD5!92 votesWe are currently working on this
-
Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC
Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.
This is obviously not ideal. We currently having to perform the rollover task manually each month.
Please look at how this process could be improved for automation.
575 votesHi everyone,
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!Jairo Cadena
Principal Program Manager
Microsoft Identity -
Allow 3rd party MFA with PIM
Azure conditional access policies allow for 3rd party MFA, such as Duo, but Azure PIM does not allow this level of customization with the "Require MFA" configuration for a PIM role. This means that we need to manage 2 different MFA platforms if we're going to leverage both Duo MFA and Azure PIM for security. I'd like the ability to use Duo MFA when activating a PIM role.
41 votes -
Remove the option to enable phone sign-in in Microsoft Authenticator App
As we've disabled the option to enable passwordless in our Tenant, it would be helpful to remove / disable the option to enable phone sign-in in MIcrosoft Authenticator APp so the users won't be able to enable something that is not enabled for the company.
7 votes -
Make the content of Access Review emails customizable.
The emails sent to complete an access review have unnecessary additional content (e.g. Microsoft Address) and do not allow addition of more information to help those that receive a message.
23 votesHi Ben,
Thanks for the feedback! Good news is that we are working to improve the emails to provide the reviewers the necessary information succinctly. Some of the information you see, the Microsoft logo and address, some are there because of legal reasons. We are actively working on this right now and will provide updates here.
Follow up question for you, what else do you think is unnecessary, and what would you like to see?
Thanks
Fionna -
Hybrid Joined Devices support with FIDO2
I realise the support for FIDO2 logins with Azure AD was only just released recently, but what timeline is there for support for hybrid joined devices login?
12 votesThis is currently in progress and will be announced shortly.
-
Apply access reviews to entire enterprise application
I would like to create an access review for ALL Teams to review guest membership so whenever someone adds an external user to their Team the review will occur. Currently I have to tell the access review policy which teams it applies to. Because my users can add their own teams I have to create a manual process to look at new teams and add them to an access review. I'd rather just apply it to the entire application so it happens with every Team that exists.
10 votesHello all, Good news – we have made more progress on this ask! We started private preview of reviews on all guests in Teams/Office groups. Please fill out this form to be included in the private preview! We look forward hearing your feedback, working together to improve this feature, and sharing more updates with you very soon! bit.ly/ARGuestsInTeamsPP
- Fionna
-
Access Review to delete user account
We use access reviews to monitor 3rd party Office 365 accounts and licences. The users are in a security groups that assigns the licences. So if they are denied as part of the access review they are removed form the security group so their Office 365 licences are removed.
Is there a way to also delete the user accounts as part of the process
1 voteHi Nikki,
Thanks for the feedback! If you’d like to delete the user in addition to removing the user from the resource (group), we are running a private preview on this exact feature, and we’d love to have you try it!
Please fill out this form for tenant info and we’ll whitelist you for the preview – https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5dv-S62099HtxdeKIcgO-NUMzE4VzM2QllPTkxTVjRWOUFCMEZLQzJPVy4u
Thanks
Fionna -
Access Review Process needs to be complete
Access Reviews don't reflect the azure ad recommendation (example: user not logged for last 30 days etc.) for reviewers of 3rd party SaaS applications. Also, will be great to automate the line manager for each user as the access reviewer, as it would help in larger organisations to better manage and speed up the review process
5 votesHi Niket,
Thanks for the suggestion! Good news is that both of your asks are on our roadmap! Are you using Log Analytics in AAD? We’re working to integrate with the user login data in log analytics and surface those in our recommendations.
As for line managers as reviewers, does your tenant have the manager attributed populated for your users? Great if you are, because we’re working on pulling that info from the user profile page.
- Fionna
-
Risk based conditional access for b2c
In order to reduce user friction the product should have conditional access programing to allow a safe sign in without asking to mutch information and avoid sending to much sms tokens
2 votesThank you for your feedback! We are excited to announce that Risk-based Conditional Access for B2C is currently in private preview. We will keep you updated when it becomes available in public preview and general availability.
-
PIM - multiple approvers required
At the moment you configure multiple approvers in the role setting details dialog. As soon a one approvers approves the request gets accepted.
I would like to have an option to require multiple approvers, that allow the request
eq. configure 5 approvers - 2 are required to approve the request3 votes
- Don't see your idea?