There are no logs for Service Principal connections in Azure AD Sign-ins.
If an SP secret is discovered, we can't determine from where and when the connection to Azure AD was made.
Provide logs for service principal connections to Azure (connect-azaccount).
We also would like to use Conditional Access with Service Principals to make restrictions based on location, like for user accounts.
4 votes
Thank you for your feedback, CA for Service Principals is under consideration.
Here is documentation on Service Principal Sign-In: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#where-can-you-find-it-in-the-azure-portal
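The concern in this request, an SP secret used from an unexpected place, is something a defender can check for once service principal sign-in events are available. The following added example (not code from the page or from Microsoft) runs two simple rules over constructed sign-in records: source IP outside the ranges expected for that service principal, and a successful sign-in from a country not seen for it before. The field names are an assumption for this example, not the exact log schema.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events. Field names loosely follow the shape of Azure AD
# service principal sign-in records but are an assumption for this example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2021-03-01T08:00:00Z", "servicePrincipalName": "backup-job",
     "ipAddress": "10.1.2.3", "country": "FR", "status": "Success"},
    {"createdDateTime": "2021-03-01T08:05:00Z", "servicePrincipalName": "backup-job",
     "ipAddress": "10.1.2.4", "country": "FR", "status": "Success"},
    {"createdDateTime": "2021-03-02T02:17:00Z", "servicePrincipalName": "backup-job",
     "ipAddress": "203.0.113.77", "country": "XX", "status": "Success"},
    {"createdDateTime": "2021-03-02T02:18:00Z", "servicePrincipalName": "backup-job",
     "ipAddress": "203.0.113.77", "country": "XX", "status": "Failure"},
    {"createdDateTime": "2021-03-03T09:00:00Z", "servicePrincipalName": "backup-job",
     "ipAddress": "10.1.9.9", "country": "DE", "status": "Success"},
]

# Where each service principal is expected to authenticate from: the per-SP
# location restriction the request wants Conditional Access to enforce,
# applied here after the fact over the logs.
ALLOWED_RANGES = {"backup-job": ["10.1.0.0/16"]}


def in_allowed_ranges(sp, ip, allowed):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed.get(sp, []))


def find_suspicious(signins, allowed=ALLOWED_RANGES):
    """Return (time, sp, ip, reason) tuples for sign-ins worth investigating.

    Rule 1: source IP outside the SP's allowed ranges, success or failure
    (failed attempts from unknown IPs are worth a look too).
    Rule 2: a successful sign-in from a country never seen for that SP.
    """
    seen_countries = defaultdict(set)
    findings = []
    for ev in sorted(signins, key=lambda e: e["createdDateTime"]):
        ts, sp, ip = ev["createdDateTime"], ev["servicePrincipalName"], ev["ipAddress"]
        ok = ev["status"] == "Success"
        if not in_allowed_ranges(sp, ip, allowed):
            findings.append((ts, sp, ip, "outside allowed ranges"))
        elif ok and seen_countries[sp] and ev["country"] not in seen_countries[sp]:
            findings.append((ts, sp, ip, "first sign-in from " + ev["country"]))
        if ok:
            seen_countries[sp].add(ev["country"])
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_SIGNINS):
        print(*finding)
```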
Have the ability to use all Azure AD user attributes for customized claims in the Azure AD SAML token.
Allow the use of all Azure AD user attributes in a claim. Currently we have a requirement to add Azure AD synced attributes to be sent as a claim for SAML authentication; for example, attributes such as 'Manager' or 'immutable ID' are not supported. Can we have the option to use all available attributes as part of the claim?
31 votes
Thanks for the feedback.
Please keep voting to help us prioritize this feature.
We use application claims declared in an AAD application registration to enable specific applications access to specific roles in a microservice application model.
User assigned managed service identity provides a great way to securely assign identity to an application, however currently this is an 'all or nothing' model.
Enabling use of a custom identity manifest in the same way as enabled for a standard application registration would allow far greater flexibility in defining what access an application would have to another application, while maintaining the additional security and ease-of-use benefits achievable through use of managed service identity.
5 votes
Thanks Andrew. I can also repro this on the v2.0 code flow. Investigating now.
Azure Active Directory Seamless Single Sign-On - Multi-tenants in a single forest hosting environment.
We have multiple tenants in a single forest hosting environment, synchronizing different customers (each in a different OU) to their own O365/Azure AD tenant account. At the moment, Seamless Single Sign-On only supports one O365/Azure AD tenant for sign-on in the setup we have. This is due to a computer object called AZUREADSSOACC being created in Windows AD. We want to adopt Seamless Single Sign-On, but as it only supports one O365/Azure AD tenant for sign-on we cannot use it.
25 votes
Support of PTA in Azure Gov meeting HSPD-12 mandates.
17 votes
Pass-through authentication is based on the use of passwords whereas HSPD-12 is based on the use of PIVs. It is unclear how PIV will work with pass-through authentication but we are investigating this.
At present Azure AD can authenticate to SaaS using SAML, OAuth etc. Many academic institutions use Shibboleth, which is based on SAML. Currently this means that they have to maintain a separate Shibboleth service in addition to AD FS (if using that for authentication). If a Shibboleth service could be added to Azure AD this would reduce the hardware/software complexity on-site and allow more universities to take advantage of the Cloud Identity provided by Azure. Shibboleth is generally used to access shared education services, journals and other shared services.
51 votes
Please update the password requirements to match both those of NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft: https://www.microsoft.com/en-us/research/publication/password-guidance/.
Also the ability to build a password blacklist.
18 votes
We’re well aware of the NIST 800-63B guidelines (and it’s my team that wrote that password whitepaper!). We’re currently making some foundational changes that should subsequently let us implement many or most of the password composition guidelines.
As for a password blacklist, today we have a banned password list in place that prevents users from using known-bad words, phrases, and passwords. We also have a custom list feature that lets you define your own words and patterns. That’s in private preview today and we’re working to get it to public preview over the next few months.
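To show what the combination discussed above looks like in practice, a length range instead of composition rules plus a global banned list and a tenant-defined custom list, here is an added example (not Azure AD's actual algorithm, and not code from the page). The word lists are constructed; the real global list is not published and is far larger.

```python
import re
import unicodedata

# Constructed lists: a stand-in for the global banned list and for the
# tenant's own custom list (company name, products, locations).
GLOBAL_BANNED = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}
CUSTOM_BANNED = {"contoso", "fabrikam", "redmond"}

# Common substitutions, so "P@ssw0rd" is judged as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})
REPEATED = re.compile(r"(.)\1{3,}")          # e.g. "aaaa"
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")


def normalize(pw):
    return unicodedata.normalize("NFKC", pw).casefold().translate(LEET)


def banned_term(pw, terms):
    """First banned term that appears as a substring of the normalized password."""
    n = normalize(pw)
    return next((t for t in sorted(terms) if t in n), None)


def has_sequence(pw, run=4):
    """True if the normalized password contains a run of `run` sequential characters."""
    n = normalize(pw)
    return any(seq[i:i + run] in n or seq[i:i + run][::-1] in n
               for seq in SEQUENCES for i in range(len(seq) - run + 1))


def check_password(pw, min_len=8, max_len=64,
                   global_banned=GLOBAL_BANNED, custom_banned=CUSTOM_BANNED):
    """Return the reasons a password is rejected; an empty list means accepted.

    Mirrors NIST 800-63B: a length range, no composition rules, and a blocklist
    of commonly used terms, context-specific terms, repeats and sequences.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if len(pw) > max_len:
        reasons.append("longer than %d characters" % max_len)
    t = banned_term(pw, global_banned)
    if t:
        reasons.append("contains commonly used term '%s'" % t)
    t = banned_term(pw, custom_banned)
    if t:
        reasons.append("contains organization-specific term '%s'" % t)
    if REPEATED.search(normalize(pw)):
        reasons.append("contains a repeated character run")
    if has_sequence(pw):
        reasons.append("contains a sequential character run")
    return reasons
```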
The simple OAuth codes are documented here:
...however, there is no single resource which lists all the possible error codes given in the error description such as AADSTS65005 & AADSTS65004
Such a resource would allow developers to handle OAuth dance failures in an elegant manner and give end users a better UX.
Some background on this question:
I've started a list of error codes here:
Feel free to add to these in the comments :)
8 votes
We’re working on an improved error controller that includes suggested remediations for errors. However, your client app should never change behavior based on specific error codes – these are internal and subject to change at any time.
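The reply's advice, branch only on the standard OAuth error value and treat the AADSTS code as diagnostic detail, can be implemented as below. This is an added example, not code from the page or from Microsoft; the error body is constructed in the shape the token endpoint returns, and the AADSTS number in it is a placeholder rather than a real code.

```python
import json
import re

# Actions keyed on the standard OAuth 2.0 / OpenID Connect "error" values
# (RFC 6749 section 5.2, OpenID Connect Core 3.1.2.6). The AADSTS code in
# error_description is logged but never used to choose the action.
ACTIONS = {
    "invalid_grant": "reauthenticate",        # refresh token expired or revoked
    "interaction_required": "interactive",    # e.g. consent or MFA needed
    "login_required": "interactive",
    "consent_required": "interactive",
    "temporarily_unavailable": "retry",
    "invalid_client": "fail",                 # client misconfiguration, do not retry
    "access_denied": "fail",
}

USER_MESSAGES = {
    "reauthenticate": "Your session has expired. Please sign in again.",
    "interactive": "Additional sign-in steps are required.",
    "retry": "The sign-in service is busy. Please try again shortly.",
    "fail": "Sign-in failed. Please contact your administrator.",
}

AADSTS_RE = re.compile(r"\bAADSTS\d+\b")

# Constructed error body; AADSTS99999 is a placeholder, not a real code.
SAMPLE_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS99999: The refresh token has expired. "
                         "Trace ID: 00000000-0000-0000-0000-000000000000",
    "error_codes": [99999],
    "correlation_id": "11111111-1111-1111-1111-111111111111",
})


def handle_token_error(body_text):
    """Map a token endpoint error body to (action, user_message, log_record)."""
    try:
        body = json.loads(body_text)
    except ValueError:
        body = {}
    error = body.get("error", "unknown_error")
    action = ACTIONS.get(error, "fail")
    description = body.get("error_description", "")
    m = AADSTS_RE.search(description)
    log_record = {                      # for logs and support tickets only
        "error": error,
        "aadsts": m.group(0) if m else None,
        "correlation_id": body.get("correlation_id"),
        "description": description,
    }
    return action, USER_MESSAGES[action], log_record
```

The raw error_description is kept in the log record and out of the user-facing message, so trace and correlation identifiers stay available to support without being shown to end users.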
I would like to see authenticating wireless access points / RADIUS servers through Azure AD, not having to store user accounts in local Active Directory.
1,148 votes
Thanks for the feedback, we’re currently reviewing this capability to see how we can support RADIUS auth on NPS specifically, for AAD Joined Windows 10 devices to authenticate to WiFi access points
If there are scenarios beyond the above, please provide the details in the comments
I would like to be able to log into MyApps using ADFS and certificate authentication. I can log into Safari using certificates, but I cannot use the native MyApps application on iOS.
3 votes
Thank you for your request. Passed this along to our apps team as they are building out updates to our MyApps experiences.
- Brjann Brekkan – PM Customer Success Team