Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Allow internal B2B Guest accounts to be visible in in-cloud address lists

    If an on-premises user which is mail-enabled is granted access to Azure AD as a 'Guest' account (https://docs.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-on-premises-to-cloud) then the account becomes a 'Guest mail user' and has HiddenFromAddressListsEnabled set to 'TRUE' in Exchange Online. This means the account cannot be used as a single on-premises login, in-cloud login, and Exchange Online contact, which is often desirable.

    As discussed with Microsoft support (Microsoft 365 Support Case #24168919) this is due to Exchange Online treating the on-premises attribute 'msExchHideFromAddressLists' differently when it is <not set> on internal B2B Guest accounts (Guest Mail Users).

    Direction: 'Inbound'
    Add new rule
    Description…

    2 votes  ·  0 comments  ·  B2B
  3. TrackingID#2105100040005144 : Azure sends ObjectIDs when no onprem group is assigned to the user by default

    Related to MS ticket TrackingID#2105100040005144
    The Azure setting for the OpenID/SAML app is "groupMembershipClaims": "SecurityGroup", to pass the sAMAccountName.
    It passes the sAMAccountName when the user is a member of at least one on-prem group.
    But when the user is a member of cloud groups only (no on-prem group), it sends their objectIds by default, which is incorrect, as the setting is to send the sAMAccountNames of security groups only.

    This causes 2 issues:
    1. The SAML/OpenID token becomes extremely large and breaks things with tons of object ids, when the user is part of no security groups
    2. The application has to validate the group claim…

    1 vote  ·  0 comments  ·  B2B
  4. One-time passcode login for GCC High/DOD users

    Allow a guest user to be added to GCC/Public Azure AD that exists in a national cloud (GCC-High/DOD). Utilize the same OTP method that allows non-Microsoft users to authenticate.

    2 votes  ·  0 comments  ·  B2B
  5. Block Azure AD guest display name change after accepting invite

    Currently the Azure AD guest account displayname, which is set by the inviter (in this case admins from the tenant) will change when the invitee accepts the invite. Since this displayname is usually the primary way for users to identify others and names are not unique, this creates confusion. Is it possible to add a method to set the invite to not change the displayname after the invite is accepted?

    2 votes  ·  0 comments  ·  B2B
  6. Sign SAML requests for SAML/WS-Fed identity provider (IdP) federation (Direct Federation)

    AAD should be able to sign SAML requests sent to a third-party IDP, especially if the IDP metadata suggests it (WantAuthnRequestsSigned="true"). Either auto-configure request signing based on the metadata and/or allow the admin to toggle request signing on/off.

    1 vote  ·  0 comments  ·  B2B
  7. Self Service sign-up add an API connector to a first time user

    Some applications require a setup process the first time a user signs in.
    It would be great if we could start the process before we redirect the user,
    or add the user to a specific security group.
    This way we can fill up the myapplications page dynamically.

    I know you can handle this also at login, but that means checking every log in, which is overkill.

    1 vote  ·  0 comments  ·  B2B
  8. Allow to view the application name in the account selection screen

    When I log in to the Azure portal, I can see the application I am trying to log in to in the account selection screen (pick account).

    But with my own application this is not the case.
    This information would help inform our users.

    1 vote  ·  0 comments  ·  B2B
  9. Guest User invite performance

    After a guest user invite, the following user update via MS Graph (PATCH) is sometimes not able to query the user, even after 30 seconds. The reason is that the invite component performs the invite asynchronously. The only solution is to manage retries in GET/PATCH.

    The proposal is to allow updating a user in the same DC where the user was invited first.
    For example, the invite could return a SessionID pointer; the following PATCH would be done using it, which would allow updating user properties faster and without 30 seconds of retries.

    2 votes  ·  0 comments  ·  B2B
  10. Option to customise the Email OTP Session expiry timeout

    We intend to use the Email OTP as a fallback for the users for whom federation is not happening. Currently, as per the documentation, the session expiry time is set to 24 hours; we would like to keep it a bit more relaxed (probably 7 days or 30 days). A time period of 24 hours seems to be too short a timeframe. We are trying to reduce the UX overhead for the user of entering the OTP every 24 hours. Hence we would like to have a longer session expiry time.

    Can Azure AD B2B Email OTP give an option to…

    4 votes  ·  0 comments  ·  B2B
  11. I want to fix the displayname of guest users when I invite the users from another Azure AD.

    When you invite someone from another Azure AD using the B2B process, only their DisplayName and EmailAddress come through (both of which are actually provided in PowerShell).
    After the guest users, which have a displayname, are accepted, the displayname of the users in the resource tenant will be changed into the displayname in the home tenant.
    I want to fix the displayname of guest users when I invite the users from another Azure AD.

    5 votes  ·  0 comments  ·  B2B
  12. If the Display Name is manually specified in the invite, the External Azure AD should not override and rewrite it.

    When I set up a guest user in Azure AD, and they accept the invitation, the external Azure AD rewrites their display name in a scheme that doesn't match either organization's naming convention. As the users accept the invites, the admin has to go back and rewrite the guest's display name. Doing this for massive numbers of users becomes cumbersome. This property should be able to be locked on the inviting AD.

    2 votes  ·  0 comments  ·  B2B
  13. Sharing Sites and Accessing Apps

    Does the one-time passcode work for all MS products, such as for providing guest access to Teams?

    1 vote  ·  0 comments  ·  B2B
  15. Allow customization for OTP account verification code email

    The OTP email that is sent once daily to OTP Azure B2B guests is, quite frankly, ugly. We would like to brand this email with our firm's logo as well as put some friendly language that specifies what application they're trying to sign into so it does not look as much like a phishing email. Please allow us to customize this email and make it more friendly looking as opposed to a very operational security email that may confuse less-than-savvy users.

    3 votes  ·  0 comments  ·  B2B
  16. Guest account registration French translation issue

    Guest account registration
    When we register a guest account in Azure Active Directory, the text of the authorizations review is not the same in fr-FR and fr-CA. In fr-CA, the word Photos is plural, and this is incorrect and not well received by users. Only the profile photo is accessible. In fr-FR, photo is singular.

    I think that, for all language versions, the text should be more specific, saying «Your profile photo» / «Votre photo de profil». Guests don't want to share too much information.

    Thanks

    3 votes  ·  0 comments  ·  B2B
  17. Fix New guest user invite SharePoint MFA

    Right now, if you invite a new guest user through SharePoint with a conditional access policy enabled, the guest will get an error the first time they try to set up MFA on the tenant they are invited to. If they try to set it up a second time the error is gone and they are able to set up MFA.

    Please fix this issue.

    2 votes  ·  0 comments  ·  B2B
  18. 451123828@ minia3.moe

    I forgot the password

    1 vote  ·  2 comments  ·  B2B
  19. Hide BitLocker key from the users

    BitLocker encryption keys are found on laptops running Windows on https://myaccount.microsoft.com/device-list. These can be abused either by an attacker with access to the machine, or by the final user, since it has everyone read permissions on icacls. Furthermore, a privilege escalation is possible by reconnecting the disk to another computer and changing files in order to achieve persistence and higher privileges: since the final user has his BitLocker keys, he can decrypt and see/change other files in another computer.

    Details:

    https://sec-consult.com/en/blog/2019/04/windows-privilege-escalation-an-approach-for-***********-testers/

    A machine that does not encrypt the Windows partition and allows booting from CD, USB or a pre-boot…

    6 votes  ·  0 comments  ·  B2B