Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Let us manage or remove the limit of AD groups creation for a non-admin user or service principal (250)
We define from our side which user accounts and service principals can create Azure AD groups. The configuration that allows us to manage this:
- “EnableGroupCreation” set to “False” so that by default non-admin accounts cannot create groups
- and added a specific access group to “GroupCreationAllowedGroupID” to allow specific user accounts and service principals to create groupsAccording to https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions - a non-admin user can create a maximum of 250 groups in an Azure AD organization.
This limit blocks us to move forward with business-critical tasks.
Purpose to remove the limit of AD groups created by non-admin user accounts/service: …
6 votesThank you for reaching out to feedback suggestion forum. This feature is in progress.
-
App grouping
Currently conditional access policies can be scoped only to individual applications.
This has strong limitations:
* No more than hundreds of applications per policy
* In large environments with lots of applications, this gets very complex and unmanageable
* Changes to Conditional Access policies are always risky and should be minimized
* Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automationAll these issues can be solved by the following set of features:
* Provide a mechanism to group apps
* Allow CA policies to be scoped to these app groupsDepending…
25 votes -
PIM - Configure default settings for all role assignments
Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.
Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.
e.g. I would like PIM eligible assignment to default to a maxiumum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.
Thanks
Ben.26 votes -
Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the below information, can connect to Azure from any network and issue Azure PS commands.
<#
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
MS Link
https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md>
Best possible scenario is to restrict is using RBAC. Agreed.
An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this please.
I had raised case with MS…112 votesWe’ve started work on this, focused on policy based on IP range.
-
MyApps Portal Frequently Used Collection
We would like to have a collection in the MyApps portal that duplicates the functionality of the Secure Sign-in Browser Extension so a user would see their individual frequently used SSO apps in a collection.
1 voteThank you for reaching out to feedback suggestion forum. This feature is in progress and will update status to completed once it is released.
-
Customer tenants should be manageable by PIM
PIM should be able to manage access to customer's tenants. Partner has employees with their own source of authority but should still be able to give out access based on Azure lighthouse for instance. AzLighthouse currently supports groups only, which are not supported by PIM.
33 votesLighthouse customers will be able to use PIM so they don’t have standing access to customer data.
-
B2B Scenario - the B2B Guest User should use the MFA or their autheticating tenant
In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA ot access this information.
The B2B user would need to enroll into the MFA for my tenant, even though he already is setup to use MFA in his tenant. This would result in multiple Authenticator accounts for the same orignal Azure Account.
I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.83 votesWe’re working on features to make this experience better. Thanks for the feedback!
/Elisabeth
-
Enable "Sign in with a security key" option from any sign-in page (e.g. in case of frequency passed)
End-user experience of password-less sign-in options is broken in some user scenarios.
Example: The "Sign in with a security key" option is not available on sign-in page after the sign-in frequency passed (Conditional Access session policy).
7 votesThis is something currently working on to resolve.
-Libby Brown
-
Add ability to test attribute expressions
It would be very helpful to have the ability to provide sample input to attribute expressions and see what the output of the expression would be. Attempting to troubleshoot expressions is currently very difficult as there doesn't seem to be any way to test the expression you're creating other than to actually try to provision users with it.
1 voteWork is in progress for this.
/Arvind
-
CORS for token endpoint
For SPA Native applications, for instance Ionic/Cordova Apps, seems convenient to use code grant with PKCE flows.
In this kind of apps, the requests are performed by the embedded browser, not by native OS. When the apps try to redeem the code to get the tokens if appears an error due to the fact that /token endpoint doesn't enable CORS.
Is there any plan to allow CORS configuration in Azure AD as it has been already implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?37 votesThis is now under development – you can track progress in the MSAL.JS issue tracker here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1000
-
Export of Roles and assignments in AAD
In 365 we can get a csv file showing users role assignments. I would like the same in Azure AD.
User name, Assigned role option to export as a SINGLE CSV file.
10 votesWe shipped ability to export role assignments in Azure AD portal on a per role basis. Next step is ability to export assignments for all roles in one go.
Try this –
Azure portal —> Azure Active Directory —> Roles & admin —> {role} —> Download role assignmentsThanks,
Abhijeet Kumar Sinha
Azure AD RBAC team -
Find and Replace Claims Transformation Function
When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:
If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.
38 votesWe have enabled a contains() function. We will be working on the capability to Replace().
/Luis
-
Azure AD to on-premises application user provisioning
Support provisioning users from Azure AD to on-premises applications such as SQL, PowerShell, and LDAP.
1 vote -
Allow 3rd party MFA with PIM
Azure conditional access policies allow for 3rd party MFA, such as Duo, but Azure PIM does not allow this level of customization with the "Require MFA" configuration for a PIM role. This means that we need to manage 2 different MFA platforms if we're going to leverage both Duo MFA and Azure PIM for security. I'd like the ability to use Duo MFA when activating a PIM role.
57 votes -
Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC
Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.
This is obviously not ideal. We currently having to perform the rollover task manually each month.
Please look at how this process could be improved for automation.
735 votesHi everyone,
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!Jairo Cadena
Principal Program Manager
Microsoft Identity -
Add support for Kerberos AES and drop RC4_HMAC_MD5
Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature" the "Seamless SSO uses the RC4HMACMD5 encryption type for Kerberos."
Please add support for modern ciphers and drop that obsolete RC4_MD5!110 votesWe are currently working on this
-
Access Review to delete user account
We use access reviews to monitor 3rd party Office 365 accounts and licences. The users are in a security groups that assigns the licences. So if they are denied as part of the access review they are removed form the security group so their Office 365 licences are removed.
Is there a way to also delete the user accounts as part of the process
2 votesHi Nikki,
Thanks for the feedback! If you’d like to delete the user in addition to removing the user from the resource (group), we are running a private preview on this exact feature, and we’d love to have you try it!
Please fill out this form for tenant info and we’ll whitelist you for the preview – https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5dv-S62099HtxdeKIcgO-NUMzE4VzM2QllPTkxTVjRWOUFCMEZLQzJPVy4u
Thanks
Fionna -
Make the content of Access Review emails customizable.
The emails sent to complete an access review have unnecessary additional content (e.g. Microsoft Address) and do not allow addition of more information to help those that receive a message.
26 votesHi Ben,
Thanks for the feedback! Good news is that we are working to improve the emails to provide the reviewers the necessary information succinctly. Some of the information you see, the Microsoft logo and address, some are there because of legal reasons. We are actively working on this right now and will provide updates here.
Follow up question for you, what else do you think is unnecessary, and what would you like to see?
Thanks
Fionna -
Hybrid Joined Devices support with FIDO2
I realise the support for FIDO2 logins with Azure AD was only just released recently, but what timeline is there for support for hybrid joined devices login?
14 votesThis is currently in progress and will be announced shortly.
-
Remove the option to enable phone sign-in in Microsoft Authenticator App
As we've disabled the option to enable passwordless in our Tenant, it would be helpful to remove / disable the option to enable phone sign-in in MIcrosoft Authenticator APp so the users won't be able to enable something that is not enabled for the company.
7 votes
- Don't see your idea?