Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Enable PIM assignment for a guest user in a specific directory

    We use powershell to activate PIM for users, but when we change to a specific directory, the get-privilegedroleassignment cmdlet still lists the roles available in the "home" directory, rather than the directory that you're currently in..

    connect-pimservice -TenantName <XXXX>

    has no effect on the get-privilegedroleassignment command

    13 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  2. Ability to search on all Azure resources and resource groups in the "Resource filter" experience

    Azure resources/resource groups search in PIM doesn’t search my entire pool of resources /resource groups. It only searches by page. I have to click "load more" 15+ times to find some of my resource groups which is a horrible UX and seems more like a bug to me.

    12 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. Access package policy for dynamic assignment

    The ability to have a policy to dynamically assign access packages automatically to users, based on criteria / filters is very important, as this will greatly improve an organizations ability to provide a set of default access packages to their users based on division, company, etc.

    29 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Entitlement Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Provide us with option of create role or duplicate them from built-in roles via Azure Portal

    Provide us with the option of creating a role or duplicate them from built-in roles via Azure Portal

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →

    Hi,
    Thank you for taking the time to submit feedback! We are working on support for custom roles in Azure AD, and over time as we increase the number of supported permissions we will add the ability to duplicate built-in roles.

    Regards,
    Vince Smith
    Azure Active Directory team

  5. Azure AD User provisioning service : Support Contains Function in Attribut Flow Expression

    Adding a new Expression for https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/functions-for-customizing-application-data called Contains(source[Multivalue], ValueRule).

    This allowes multiple AppRoleAssignments and to set the correct Roles in the SaaS application.

    As a reference SAP Concur with Roles like:
    - Travel user
    - Expense user

    instead of
    - Travel user
    - Expense user
    - Travel and Expense user

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  6. Azure AD User provisioning service : Adding a Staging/Preview mode

    Please add a Staging/Preview mode for the Azure AD User Provisioning Service.
    It should be possible in an initial setup to test a new provisioning interface and receive a report on what will be changed in an end application. This gives the possibility and security that a new interface can be set up productively.
    There is currently a risk that unwanted changes will be made.
    As a suggestion; extension of the Scope field by
    - Sync all users and groups (Preview only)
    - Sync only assigned users and groups (Preview only)

    10 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  7. Enable dedicated App Proxy Authentication Header

    When you connect App Proxy with pre-authentication via a native client following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application the authentication header is removed by the App Proxy. This stops single sign on requests from working and breaks a number of automation scenarios if the backend service does not support a dedicated authentication header. Ideally I would like to see the following behaviour:

    1. By default the Authorization header is used to authenticate with App Proxy
    2. If multiple values are provided as per https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers each one is checked for authentication against App Proxy, if one is valid, remove it from the header and pass…
    48 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  8. Push notification when new request is pending of approval on PIM

    Currently, the only option for PIM approvers to receive notification of a new request is email (or my log in at AAD PIM -> Approve Requests).
    By having a push notification, the approval process would be faster when email is not monitored.

    10 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  9. Azure Active Domain Services Synchronisation Report

    Currently, it is not possible to get accurate information from AADDS about what and when attributes are synchronised from Azure AD to Azure ADDS. It would be most helpful if customers could query on a per user or per directory basis to find out what attributes were synced and at what time (including password changes)

    16 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  3 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow App Service Certificates to be used on App Proxy endpoints

    Rather than procuring our own certificates, allow us to use certs provisioned on ASC with App Proxy. It should handle renewal and rekeying automatically as well.

    Importantly this would allow us to get a single wildcard cert to front all of our app proxy instances and never have to worry about cert expiry again!

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  11. OAuth pre-authentication in Azure Application Proxy

    Currently pre-authentication in Azure Application Proxy implies user interacive logon to Azure AD. It would be great if one could choose an option to pre-authenticate as a annplication with a token in the same Azure AD tenant (and select an Oauth app which is regitered in the same tenant).
    That's very useful when there is an external application/server accessing on-prem app via Azure Appliation Proxy would pre-authenticate with OAuth in Azure AD first and pass this token AAP.

    75 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  12. serviceNow

    I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.

    For example, the user table within ServiceNow looks similar to the sample snippet below:

    TABLE - User [sys_user]

    FIELD - Username [username] - string
    FIELD - Name [name] - string
    FIELD - Email [email] - string
    FIELD - Department [department] - references Department [cmn
    department] table
    FIELD - Location [location] - references Location [cmn_location] table
    FIELD - etc. etc.

    Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem…

    18 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  13. Add SCIM to support UserType field in Scoping Filter

    If AAD UserType field was available in SCIM Scoping Filter, it would be easy to filter out all guest users from the scope of synchronization.

    9 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    Hi we will review.

    One option to consider is to set the filter to filter out specific domains that guest users are coming from. You could also control who is provisioned based on groups that users are assigned to.

    That being said, the need to scope on user type makes sense.

  14. banned password message azure ad password protection

    Add GPO or client to Windows Client for Azure AD Password protection to display the corporate password policy on login when the user's change password and it's banned. Give users on prem what they can and cannot use as feedback if they put a bad one in.

    66 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. Privileged Identity Management Activations duration should have both Maximum and Default activation duration.

    Privileged Identity Management Activations duration should have another configuratuion settings together with Maximum activation duration.

    • Maximum activation duration set to 8 hours
    • Default activation duration set to 4 hours

    This way administrators can extend the time if requered, replaces the need for automaticly have maximum activation time

    17 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  16. Enable Groups (AAD or Synchronized) to be members of AAD Roles

    For AAD roels, ie Security Admin, allow Groups to be added. Currently only Users can be added through the portal.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →
  17. We would like to have an advanced claim transformation process to simply the configuration of AWS app integrations

    For the integration of AWS with AzureSSO we need to send via the claim "https://aws.amazon.com/SAML/Attributes/Role" the aws account and role information, which will be used for authentication on AWS side. For our scenario, we create for each users an own role in AWS and want to generate the role claim based on the user mail address.

    The transformation of the claim should work like:
    1.) Extract the mail prefix from the user with ExtractMailPrefix()
    2.) Execute on the value from 1.) a tolowercase()
    3.) Use the value from 2.) in a Replace transformation

    The result should look like…

    4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  18. Conditional Access for B2B Guest users

    For Conditional Access Policy applicable for B2B Guest Users, in Azure AD > CA Policy we do not have option for selective selection of B2B Guest users under 'Users and Group' section in CA Policy. But for Cloud Member users we have option for selective selection of users. Why we don't have same capability and functionality kept for B2B Guest for which we have for Cloud Member users in CA Policy? Also why we are saying it as Preview Mode?

    29 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →

    We’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?

  19. workday-AAD please add support for sending email notifications after provisioning operations complete

    From the FAQ: "Does the solution support sending email notifications after provisioning operations complete?
    No, sending email notifications after completing provisioning operations is not supported in the current release."
    This would be useful as all of our current processes include emailing a few people per region a user is created in.

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  20. Azure AD Directory Roles modified date | PowerShell

    Hello,
    Please allow query Azure AD Directory Roles modified date,
    So if we run PS: Get-AzureADDirectoryRole
    We could see when role modified and use this as monitoring parameter, as example we can set current date as non-modified, any older date will be triggered.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base