Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Users must not delete resource groups if they are not allowed to delete the resources.

    We created custom roles to allow another team to operate our environment. To avoid accidental deletion of data, we removed the delete action for several storage components, for example Data Lake Store Gen1.

    Unfortunately when deleting a resource group, it completely ignores the permissions on resource level. For example, I do not have deletion rights on ADLS, but I can still remove it, by deleting the whole resource group.

    Resource Groups are simple containers and restricting people on managing them on their own will have a huge impact. We will waste a lot of time to define processes and executing…

    30 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →
  2. 18 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow Azure AD member to request role eligibility in Azure AD PIM

    I heard from customers that they would like the ability to switch on a toggle in Azure AD PIM that would allow normal users to request eligibility for a Azure AD Role.

    Basically:

    1. Toggle On - > Allow members to request Azure AD Role
    2. User/Member request role eligibility / Azure AD role
    3. Azure AD PIM admin approves the request for becoming member of the Azure AD role and with either eligibility/approval depending on the default roles.
    4. The member/user would afterwards be able to request approval / eligibility and get approval by the defined approver.
    7 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Workday-driven automatic AD group assignment

    When a new AD account is created using Workday, it should be possible to assign birthright AD groups to the user automatically.

    34 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Provisioning from Cloud HR  ·  Flag idea as inappropriate…  ·  Admin →
  5. Support for client certificate authentication

    To protect the HTTPS connection we user TLS Mutual Authentication (2-way certificate pinning) but Application Proxy doesn't provide support for that.

    How difficult it will be?

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  6. Show Info and add it to notifactions when activation expires

    We use PIM and sometimes a PIM activation expires in an opened Azure Portal session.
    Sadly, we often need some time to realize that activation expired, because the functions in Azure Portal are not blocked and therefore clickable and there are many cryptic error messages shown, when we try to use functions for which the activation is expired.

    It would be nice, if a Info is displayed when PIM activation expires.
    This info should be added to the notifactions (bell).

    4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. Address VDI and M365 licensing

    Hello everyone, this is a requested change for the components of Azure AD machine join. The use case here is for clients to upgrade their existing Windows PC (7,8,10) to Windows 10 enterprise. Our customer base uses VMware's Horizon view for VDI. VMware's official supported license is KMS. Our clients would love to transition to a cloud based licensing model, but the Windows 10 E3 license does not work with the cloning technology for a couple of reasons.

    Horizon Cloning options & pool types:
    • Manual - VM is not built in Horizon, only brokered through it.
    • Full Clone…

    29 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure AD Join  ·  Flag idea as inappropriate…  ·  Admin →
  8. Allow Organisations to force users to complete a new MFA challenge when elevating to a role in Privileged Identity Management

    Currently the behavior is that if a user signed into the Azure Portal and completed an MFA challenge they will not be prompted again when they elevate to a role in PIM even if the role settings are set to "Require MFA on elevation" as PIM will use the existing MFA claim/token that was completed upon sign-in.

    Please allow us to force PIM to acquire a new MFA claim on elevation.

    22 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  9. Group Owner is Inactive and disabled

    We have a challenging situation to manage group owners in Azure Active Directory. If a person leaves organization, his/her identity will be set to "disabled" state. Is there a way automatic emails can be sent to admins notifying Group Owner ID is disabled for all the managed groups?

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Access Reviews  ·  Flag idea as inappropriate…  ·  Admin →
  10. Use seperate PTA agents for each AD forest

    We are just now maing the switch from ADFS to use PTA.
    We are a large enterprise with some 25k users and 3 seperate AD forests.

    One thing that would make my, and every network/firewall persons, life easier would be if we could have dedicated PTA agents for Forest A that takes care of users with UPN suffix belonging to Forest A, and seperate dedicated agents for Forest B that takes care of users with UPN suffixes belinging to that forest.

    In the current design any login ticket can end up on any PTA agent which means that every server…

    10 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  11. HAve the ability to use all Azure AD user attributes for Customize claims available for Azure AD SAML token.

    Allow the use of all Azure AD User attributes in a claim, currently we have a requirement to add Azure AD synced attributes to be sent as a claim for SAML authentication. for example, attributes such as 'Manager' or 'immutable ID' are not supported. Can we have the option to use all available attributes as part of the claim.

    31 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  12. Integrate PIM with Secure Score and e-mail sent to admins

    I don't get e-mails that Global Admins usually receive, unless I am elevated to Global Admin at the time when the e-mail is sent. For example: Azure AD Identity Protection weekly review has stopped been sent out to me unless Global Admin is activated.

    Also, Secure Score says that we only have 1 Global Admin (it recommends at least 2), but we are 10 techs that are eligible for Global Admin. On the other hand, if all 10 techs are elevated, Secure Score says we are too many Global Admins.

    This integration should work against user eligible for Global Admin…

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Marking a risky sign in as "Confirmed Safe" in the ID protection blade should factor in to the algorithm for future sign ins

    In the risky sign ins report or risky users report in AD Identity Protection you can mark a risky sign in as "confirmed safe." However this does not allow future sign ins from this IP. If an administrator confirms that the sign in is not risky, future sign ins for this user from this location should not be considered risky.

    19 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback. We are reviewing options for integrating feedback provided by confirm safe/compromised. In the interim, if you want to mark specific IPs as safe for Identity Protection in your tenant, you can do so my marking them as trusted locations. More information is available here (make sure to check the “mark as trusted location” checkbox): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations

  14. Please support Group Managed Service Accounts for Azure AD App Proxy

    Please support Group Managed Service Accounts for Azure AD App Proxy. Without it we have to manage the Kerberos Constrained Delegation Settings for each App Proxy Connector separately. A misconfiguration at this setting has a fatal security impact so we would really appreciate to do it once per connector group.

    12 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  15. B2B User Identity Protection Status

    B2B (Guest) users should show up in the "Risky Users" report if they are being blocked from your AAD tenant. I had a case where the B2B user failed to enroll in MFA within the grace period, then failed enough of their logins that Identity Protection flagged them as "High Risk", but there is nothing to indicate that in any query or report that the tenant admin has access to view. All we could find was a message that they needed to enroll in MFA, which we reset about 10 times before support checked diagnostics on the backend and found…

    19 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →
  16. Add an option to bypass service plan dependency check when assigning license to group

    The Azure portal does not allow assignment of an add-on license to a user group unless a base license with prerequisite service plans is also assigned to the group. Example: Audio Conferencing can only be assigned to a group if (e.g.) Office 365 E3 with the Microsoft Teams service plan enabled is added to the group at the same time.

    The problem is that most of our customers have a mix of Office licenses. In order to avoid service plan conflicts and unnecessary license usage, we would need to create a group for each possible combination of the addon and…

    99 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Admin Portal  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

  17. PowerShell PIM Access Reviews

    It doesn't appear like there are any PowerShell cmdlets for PIM to support access review creation and management. This would be helpful for automation purposes so someone doesn't have to log into the GUI to create access reviews, check status, etc.

    43 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  7 comments  ·  Access Reviews  ·  Flag idea as inappropriate…  ·  Admin →
  18. Workday to AAD/AD provisioning query scope

    Workday to AD/AAD provisioning
    please add the ability to scope the query passed to getworkers api. For instance, pass to getworkers company=schoolA.
    Workday is now implementing shared tenants in the EDU space. In a shared tenant, the current query to get_workers pulls all workers and then allows scoping. but the worker data for all schools has to be pulled before it can be scoped. The result is AAD audit logs saturated with other schools employee data. Also need to be able to control audit data written to azure activity logs, or at least be able to clear the…

    20 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Provisioning from Cloud HR  ·  Flag idea as inappropriate…  ·  Admin →
  19. App Proxy for Intranet API

    We are using App Proxy for intranet API publication.
    The usage flow is below.

    1. SSO to applications SAML cooperating AzureAD.
    2. Use the SSO authentication token to hit the App Proxy API embedded in the application.

    On that basis, I am troubled below.
    · It can not be executed unless you access the API beforehand on the screen.
    I implement the following as HTML.
    <object data = "~ msappproxy.net / api /" type = "text / json" style = "visibility: hidden"> </ object>
    <input type = "button" value = "test" onclick = "postAPI ('~ msappproxy.net / api /')">
      
    · The…

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  20. Azure AD App Proxy - SSL Certificate Renewal

    when renewing the ssl cert it would be good to upload just once and have it propogate to all apps using the current cert that is about to be replaced.

    We use wildcards for a single domain so would be good to have this rather than upload the same file 50 times and counting to update our cert,

    ANytime you create a new application it knows to use the same cert.

    35 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  3 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base