
Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Allow 3rd party MFA with PIM

    Azure conditional access policies allow for 3rd party MFA, such as Duo, but Azure PIM does not allow this level of customization with the "Require MFA" configuration for a PIM role. This means that we need to manage 2 different MFA platforms if we're going to leverage both Duo MFA and Azure PIM for security. I'd like the ability to use Duo MFA when activating a PIM role.

    63 votes

    started · 7 comments · Privileged Identity Management
  2. Allow User Consent per Scope

    Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".

    Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.

    19 votes

    1 comment · SaaS Applications
  3. Access review

    Option to include non user Service principals in Access review of Azure PIM resource roles.

    All elevated member access (owners, contributors) to Azure subscriptions needs to be reviewed as part of SOX compliance, and currently non-user service principals (like VSO service principals used for automated deployments in Azure) are not included in the Access reviews initiated for Azure Resource roles.

    16 votes

    started · 0 comments · Privileged Identity Management
  4. Custom AAD roles creation

    Create customized Azure Active Directory administration roles like RBAC roles on resources.

    1 vote

    0 comments · Role-based Access Control
  5. Workday trigger delta sync

    The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.

    18 votes

    5 comments · Provisioning from Cloud HR
  6. Make provision sync on demand

    Make provisioning sync on demand for testing purposes.

    User and group sync normally takes about 5~30 minutes. It is very inconvenient and inefficient for testing. Azure AD should allow on-demand sync during the testing phase when the total number of users is below a threshold, for example 50.

    8 votes

    3 comments · Provisioning to Applications
  7. I changed the attribute to "not set" in Azure AD but the attribute doesn't sync to Azure ADDS.

    When I update the attributes, I can see the updated values in Azure ADDS.
    However, if the value of an attribute is deleted (= updated with "not set"), the value is not changed.

    Please correct this behavior.

    4 votes

    2 comments · Domain Services
  8. Ability to remove or customise the default message that we get during SSPR password reset via login screen for Win10 machines.

    Need the ability to remove or customize the default message that we get during SSPR password reset via the login screen on Win10 machines. It says "8-16 characters, case sensitive, one number or symbol". This message is confusing for end-users as the organization's password policy may not be as stated in the hardcoded message. We need a way to customize it or remove it so that it doesn't confuse end-users.
    Also an important thing to note is that this message is not shown when we use SSPR via the online link https://passwordreset.microsoftonline.com/ ; it's only shown when the SSPR reset…

    13 votes

    5 comments · Self-Service Password Reset
  9. Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity

    Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.

    It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, that Intune doesn't enforce the Company Portal, and that Exchange ActiveSync is not blocked on the Exchange backend.

    Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"

    Att.: Caleb and Dhanyah

    /Peter Selch Dahl

    16 votes

    started · 3 comments · Conditional Access
  10. Allow creation of custom directory roles in Azure AD

    Being able to create custom directory roles in Azure AD would allow administrators to grant users custom-tailored roles in Azure AD. One example would be allowing the security office in your organization access to the risky events and risky users tabs, with the ability to close, reopen, or mark as false positive, without having to give them permissions that they do not need. This essentially takes the idea of "least privileged roles" and expands it to allow for further customization.

    14 votes

    1 comment · Role-based Access Control

    Hi,
    This is duplicate of – https://feedback.azure.com/forums/169401/suggestions/12868950 . Latest status of Azure AD custom roles will be updated there.

    Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

    You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

    Abhijeet Sinha
    Azure AD RBAC team

  11. Ability to sort Conditional Access Policies alphabetically

    It would be useful to be able to sort Conditional Access Policies alphabetically.

    So, for example, if the naming convention starts with ALLOW: or BLOCK:, then when you create new ones and sort alphabetically they will all be in the right order. Right now they are listed in the order of creation.

    64 votes

    started · 9 comments · Conditional Access
  12. A GUI interface to edit or create custom roles on Azure

    A GUI interface to edit or create custom roles on Azure.

    Currently any custom role creation or edit has to be done through PowerShell; a GUI interface is more user friendly and easier to manage for customer admins.

    7 votes

    1 comment · Role-based Access Control
  13. Add support for Kerberos AES and drop RC4_HMAC_MD5

    Per https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature, "Seamless SSO uses the RC4_HMAC_MD5 encryption type for Kerberos."
    Please add support for modern ciphers and drop that obsolete RC4_HMAC_MD5!

    112 votes

    14 comments · Azure AD Connect
  14. AAD Connect - Sync a single object

    AAD Connect - Allow sync of a selected object. This is useful in troubleshooting one object versus parsing through everything else.

    17 votes

    started · 2 comments · Azure AD Connect
  15. Get Privileged Roles with their Eligible and Permanent Members List using PowerShell

    Please add an Azure PIM command that can provide all roles and their member lists (it should show the Eligible and Permanent attribute too).

    Get-PrivilegedRoleAssignment shows role details for the logged-in user only.

    43 votes

    started · 6 comments · Privileged Identity Management
  16. Granular options for Self Service Password Reset Factors

    It would be nice to be able to configure self service password reset MFA with as much granularity as application MFA policies.

    1) Restrict what factors you can use based on trusted device, network location, etc.

    2) Specify different policies for different user groups. For example, administrative users who are not AAD administrators.

    3) Restrict by domain and have different rules per domains syncing up to the same tenant.

    30 votes

    4 comments · Self-Service Password Reset
  17. Enable changing a password when it is set with the flag ForceChangePasswordNextSignin in on-premises Active Directory

    We would like to change a password from AAD when the account has the flag ForceChangePasswordNextSignin ON in on-premises Active Directory.

    60 votes

    3 comments · Azure AD Connect
  18. aad custom roles

    It would be nice if we could create custom AAD roles. I might be wrong, but the concept of creator/owner and being able to assign permissions to the owner role would be nice.

    13 votes

    2 comments · Role-based Access Control

    Hi,
    This is duplicate of – https://feedback.azure.com/forums/169401/suggestions/12868950 . Latest status of Azure AD custom roles will be updated there.

    Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

    You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

    Abhijeet Sinha
    Azure AD RBAC team

  19. Allow Directory Extensions as claim in SAML Token

    This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.

    If you create a directory extension attribute there doesn't seem to be a way to include it as a claim (i.e. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name, however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).

    I have found that you can include a directory extension attribute as an optional claim in the…

    15 votes

    1 comment · SaaS Applications
  20. Azure AD Connect has a limitation of syncing 50k members in any group as per the Microsoft article. But it does not sync 50k members if the count is higher

    Azure AD Connect has a limitation of syncing 50k members in any group as per the Microsoft article. But it does not sync 50k members if the count is higher. We synced 65K members, of which it only synced 29K. When it reached 29K it recognized that the member count is more than 50 and it stopped syncing members. It should at least sync 50K members and then stop.

    63 votes

    10 comments · Azure AD Connect

    We cannot share any timelines right now. Our first iteration is to deploy and use a new service endpoint that would eventually be able to handle larger groups. It will likely take several months to get this deployed and tested before we can take a next step, which would be to increase the group size limit – probably to 250K members.
    If you want to be part of the private preview program, please reach out to me: rodejo@microsoft.com
