Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Configurability of SCIM /Groups PATCH Members List Size

    When provisioning via SCIM to Slack, we're seeing only three members per PATCH request with hundreds of concurrent requests, resulting in 429 rate limiting responses. With a significant number of users (10k plus) this becomes a serious problem. We need to increase the number of members per PATCH for AAD SCIM to be a viable provisioning solution.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  2. Support provisioning of User Risk level to SCIM applications

    Support UserRisk level (from Azure Identity protection) as an attribute that can be provisioned via SCIM. Currently, applications that need this info have to use Graph API (which is an overhead when all other attributes are available through SCIM).

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  3. entitlements scim

    In SCIM mapping, there is the missing target attribute "entitlements". However, this attribute is in the core user Schemas and the rfc 7643 says :

    entitlements
    A list of entitlements for the user that represent a thing the
    user has. An entitlement may be an additional right to a thing,
    object, or service. No vocabulary or syntax is specified; service
    providers and clients are expected to encode sufficient
    information in the value so as to accurately and without ambiguity
    determine what the user has access to. This value has no
    canonical types, although a type may be useful as a…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add more scope options for user/group syncing

    Enterprise Applications currently offer two scoping options with SCIM to sync users/groups in AAD with third party SaaS solution.
    This poses some issues for companies with large number of users and groups in Azure AD.

    In some cases, when selecting the provisioning scope, we would like to synchronize all users, and selected groups. But that is not available, the only options are :
    1. Sync all users and groups
    2. Sync only assigned users and groups

    If we want to sync all users and select groups, we have to choose the first option and set up scope filters for group…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →

    The best way to accomplish this is to

    1. Create a dynamic group that contains all users in the tenant and assign it to the app.
    2. Assign any groups you would like to the app.
    3. Set scope to sync assigned users and groups.

    This will result in all users being provisioning and only the groups you choose being provisioned.

  5. Allow blocked users to be provisioned to SaaS apps

    we have group/ user provisioning turned on to ServiceNow. Everything is working great, except the users with "block sign in" checked. I reviewed the provisioning logs and show these users aren't sent over to SN. We are doing license management and need to see when inactive users are still assigned a license.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  6. Sub attributes in mappings

    Sub attributes arent supported in custom sso apps.

    I'm unable to match a user if their email is a sub attribute

    e.g. emails.value

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  7. 9 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  8. Configure sync Scope per mapping

    There is a global provisioning setting to Sync only assigned users and groups, or Sync all users and groups. I would like to set this per user mappings or per group mappings. The reason for this is because we have applications that we don't have licenses for all our users. So I would like to provision the users by group membership (assigned), but sync groups globally based on a naming standard (scoping filter).

    The issue with scoping filters is you can't scope based on group membership, which would be another feature request I suppose.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  9. 2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  10. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  11. AAD provisioning does not show Audit logs for group membership

    AAD and G suite provisioning does not show Audit logs for group membership update which is I believe quite important to know. As per MS agent :

    If the user is not provisioned already on G suite, when we try to update group membership, this would obviously fail since we don't have a reference attribute to resolve on the target. Currently, by design, Azure AD doesn't retry the previously failed group membership update after the user is provisioned. Workarounds to fix this problem is to remove and re-add the user as a member of the group or trigger a clear…

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  12. Please support Join in provisioning with user groups in Azure AD.

    Please support Join function in provisioning with user groups in Azure AD.

    Excerpt:
    Matching based on a combination of attributes is not supported: Most applications do not support querying based on two properties. Therefore, it is not possible to match based on a combination of attributes. It is possible to evaluate single properties on after another.
    https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#matching-users-in-the-source-and-target--systems

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  13. Attribute SAMAccountName for the ServiceNow User provisioning

    Would be great to to have in the supported list of attributes in the ServiceNow user provisioning app the attribute SamAccountName. This is important for example for the intgegration of legacy applications like SCCM in ServiceNow asset management. Thanks for your support

    11 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  14. IDCS Provisioning doesn't work

    The Oracle Cloud Infrastructure Gallery app uses OracleIDCS object. But it doesn't support the attribute primary email = boolean. You cannot create a user in IDCS unless you set the email and put it as primary. so essentially, the email.primary has to be set to a boolean(true). Please include it in the OracleIDCS objectclass

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  15. Get group membership as an attribute of the user when provisioning with SCIM

    When mapping Azure AD attributes to application attributes, I would to know the group membership in order to set properly the values of the target attributes.

    Imagine the licence is an attribute of the user object. It can be "premium"/"silver"/etc.
    On-premises, in AD, I manage my group membership by adding the user to groups like "MyApplicationPremium", "MyApplicationSilver", etc.
    By leveveraging the group membership in the mapping, I can set the proper licence.
    There is no other way to manage this as I will not have an attribute for each application to hold the licence for instance.

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  16. Support filtering = false | ServiceProviderConfig

    Azure AD SCIM client is not compatible with applications, which do not support "filtering".

    If “filtering” is not supported by 3rd party app, do not ignore that.
    Use the “matching” attribute defined in mappings during the initial cycle to check, if the resource exists.
    If resource exists (HTTP-200), save “ID” persistently.
    Use “ID” in every subsequent request

    cf. RFC7644 section 4: https://tools.ietf.org/html/rfc7644#section-4

    4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  17. (Provision null attributes) Add option to have properties be emptied after clearing them in Azure AD

    Right now, I can set a phone number and clear it again in Azure. Azure will update the phonenumber in the application but will never clear it. This is by design I understand that, but our customers would like the option to also clear this information as they consider AAD the source/leading system and it's primary task is to make sure all other applications have the same data, which currently is not the case as the data is never removed from applications after it is removed from AAD

    5 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  18. Allow dynamic permission set assignment in Salesforce provisioning

    Right now AAD supports a "Permission Sets"attribute, however this is not usable. Salesforce users have multiple Permission Sets, which are dependent on their O365 groups. For example, members of the O365 group "IT Services Team" would get the permission set "IT Services" in Salesforce. Until AAD's Salesforce connector supports mapping Permission Sets based on group membership in AAD, most organizations will not be able to use AAD for Salesforce provisioning.

    13 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  19. AzureAD Box User Deprovisioning Transfer Files to Another Account

    Box supports the ability to specify an account to which user files are transferred. We rely on this functionality to ensure that user's files are transferred to a backup service account when a user leaves the organization. It would be very nice to have this capability too.

    Box Dev guide:
    https://www.box.dev/guides/users/deprovision/transfer-folders/

    Okta guide:
    https://help.okta.com/en/prod/Content/Topics/Provisioning/Box/configure-box.htm#Enable2

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  20. Salesforce Connector Terminology

    This may be "cosmetic" but in the Salesforce - Users and groups
    Assignment page, 1 Azure AD Security Group is mapped to something called a Role. It's actually a Profile in Salesforce. Aligning the terminology could be good as Salesforce Role are different.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base