Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Nested Group in Azure AD B2C

    We have a need to use nested groups in AD B2C to simplify our group membership assignment and it is currently not available for AD B2C (it is for normal AD). Please consider adding this feature.

    4 votes

    3 comments  ·  B2C
  2. Add possibility to exclude groups/users from Security defaults

    Almost all tenants have some accounts that can't do MFA, e.g. for info screens or system integration. Security defaults would be enforced upon all users... meaning we can't enable Security defaults for most of our customers! Microsoft also recommends excluding an emergency access account from MFA.

    40 votes

    12 comments  ·  Conditional Access

    Security Defaults is targeted towards customers that have simple security requirements and do not have complex environments. If you require policy customization, we recommend using Conditional Access which allows for rich flexibility and customization. However, certain system integrations and automation can be tackled with dedicated service principals.

  3. Cannot Change back SCIM from Automatic to Manual.

    I am implementing SCIM and I set up Provisioning to Auto. I now want to move back to Manual, but the item is greyed out, so it's stuck in Automatic.
    How can I change it? Delete the whole application?

    1 vote

    0 comments  ·  Provisioning to Applications
  4. Allow security questions as authentication methods for MFA

    If a user does not have access to their phone, allow them to be able to answer security questions to satisfy the MFA request.

    1 vote

    0 comments  ·  Multi-factor Authentication

    Unfortunately that would not satisfy MFA. That requires 2 or more of either something you know (password), something you have (phone/hardware token) or something you are (biometric). Security questions and passwords are the same factor. Something you know.

    @MarkMorow

  5. Enable SSO in AADDS

    Seems kinda crazy that it doesn't support SSO out of the box, also that it hasn't been logged against Domain Services as of yet but would be great to see this added (from what I can see).
    Essentially you can set up AADDS, join a machine to said domain and log in with an Azure AD account and that's great. But you then need to log in to office.com, Office Apps (Word, Outlook), OneDrive, etc. all independently.
    However with a machine that's joined to an On Prem AD with some intranet settings added to the client & Azure AD Connect you don't…

    2 votes

    declined  ·  3 comments  ·  Domain Services
  6. Rename Domain - (ADDS) Active Directory Domain Services

    Allow renaming the Domain set in ADDS

    5 votes

    declined  ·  1 comment  ·  Domain Services
  7. Azure Active Directory Seamless Single Sign-On - howto idea Multiple-tenants to a single domain or forests,

    Azure Active Directory Seamless Single Sign-On - howto Multiple-tenants to a single domain or forests,

    Hey all, I believe I've kinda worked out how one could simply have Seamless Sign-on for one domain to multi-tenants,

    there's a way via some web redirects, computer account renames and creating internal CNAMEs for the SPNs, however for it to be universal and be supported in the best way,

    we need Microsoft to host additional CNAME redirects or just additional addresses for the SPNs attached to the Kerberos accounts, aka

    autologon2.microsoftazuread-sso.com
    autologon3.microsoftazuread-sso.com ... etc.

    then during the setup of the Ad connector a check should…

    1 vote

    declined  ·  1 comment  ·  Azure AD Connect
  8. AAD Connect Version Update RSS feed

    We would like to subscribe to an RSS feed to be informed once a new AAD Connect version is released. Is there such a feed function already existing or could you add it to the AAD Connect release web page?

    14 votes

    declined  ·  2 comments  ·  Azure AD Connect
  9. Enable personal accounts that are invited to an Azure AD tenant to use ROPC

    For [Azure Active Directory v2.0 and the OAuth 2.0 resource owner password credential](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc), I want to enable it to use ROPC for personal accounts.

    1 vote

    0 comments  ·  Authentication

    The personal account system does not support ROPC by design. We want users' passwords to be protected as much as possible, and eventually move to a passwordless state, which ROPC does not support. The other OAuth protocols are well supported on MSA, and Device Code support is coming for both MSA and AAD for browserless scenarios.

  10. MY PHONE CHANGED.... I CAN'T CONTINUE. HOW DO I CHANGE THE PHONE NUMBER

    I CAN'T CONTINUE. HOW DO I CHANGE THE PHONE NUMBER

    1 vote

    declined  ·  0 comments  ·  Application Proxy
  11. Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups

    Baseline Policy: Require MFA for Admins (Preview) needs to be able to exclude groups.

    This policy does not pay attention to trusted location. Therefore, your global admin or other admin SERVICE ACCOUNTS will get blocked unless you exclude them one-by-one.

    This is very disruptive. This policy used to allow excluding groups and they changed it to only excluding users. Not all companies can move at the pace Microsoft is enforcing. We cannot make all of our service accounts into some other solution which won't get impacted and still work for us.

    Bring back group exclusion for manageability!!

    60 votes

    10 comments  ·  Conditional Access
  12. Allow Azure AD Password Reset auth info re-confirm to be disabled by app

    Allow Azure AD Password Reset authentication information re-confirm to be disabled by app. This setting is defaulted to 180 and can be changed or globally disabled.

    While it is nice to remind users to verify their authentication proofs are still valid, having this on breaks seamless SSO flows when it is configured for things like ZScaler.

    The user is suddenly prompted for interaction in a flow that otherwise is normally handled in the background.

    9 votes

    2 comments  ·  Self-Service Password Reset
  13. AAD Sync; make mobile attribute authoritative again after AAD/tenant/portal update

    AAD Sync; make mobile attribute authoritative again after AAD/tenant/portal update.

    If you update the mobile attribute as a user or admin in the tenant, this no longer flows from on premises AAD Sync. If the user has made a mistake and you wish this to flow again from on premises, there is no way to make it authoritative again.

    36 votes

    26 comments  ·  Azure AD Connect
  14. Enhanced AAD Connect/SaaS Provisioning Options

    If MS wants organizations to start leveraging AAD similarly to On-Premise they need to grant more control over the provisioning schedule. We have break/fix user account additions that need to replicate from On-Premise to AAD and then to G Suite.

    With the 30 minute minimum sync option and 45-60min G Suite provisioning cycle we could be looking at 1:15 minutes before a user can access the app.

    We should have the ability to adjust these options as our organization sees fit.

    1 vote

    declined  ·  1 comment  ·  Azure AD Connect
  15. 1 vote

    4 comments  ·  Microsoft Identity Manager
  16. Allow ADConnect to register in place or a built in Portal switch to sync users matching verified domains and rules back to azureAD.

    Subject: RE: 118090418928814 trying to properly sync a user from an azure domain service domain to azure ad itself. Azure Active Directory
    We understand what you're saying.
    So to use the managed domain ldaps and custom OU’s ( users / groups stored here at this location in the managed domain ) how do we get these back up and around to the azure infrastructure since we know it’s a one way from the top. If we setup a managed domain joined machine and Adconnect sync the custom ou’s to the azure AD tenant will this break the tenant? Is there…

    1 vote

    0 comments  ·  Domain Services

    Azure AD Domain Services has a one-way synchronization mechanism FROM Azure Active Directory. Users, and organizational units from Domain Services do not sync to Azure AD. This is because Domain Services is an extension of Azure Active Directory— to enable organizations to lift on-premises applications that use legacy protocols like LDAP and Kerberos to Azure. The custom group sync provided by Azure AD Domain Services is there to enable customers to reduce the scope of the users that is synced from Azure Active Directory to Azure AD Domain Services.
    The service does not work that way and there are no plans to change it at this time.

    Mike Stephens, Azure AD Domain Services PM

  17. Add Server core support

    Add support for Server core installations.

    This is mainly a background service syncing users and therefore much more suitable for a core version than a bloated version of Windows.

    2 votes

    declined  ·  2 comments  ·  Azure AD Connect
  18. Azure AD password protection

    Add the possibility when using the Azure AD Password Protection feature that if you would ban the word "Contoso" as a password that also variations of this word or sentences with this word are forbidden. For example "Contoso 2018" or "Contoso is great".

    6 votes

    0 comments  ·  Identity Protection

    The private preview version of password protection explicitly banned entries that were on the global and custom banned password lists. Feedback early on was that users were having an incredibly difficult time configuring passwords. Password protection was then moved to a points-based algorithm to strike a balance between security and usability. The current algorithm blocks a wide variety of weak passwords while giving users enough flexibility to configure a strong password.

  19. Allow HeartBeatIntervalInMilliseconds to be configured.

    We need to be able to reduce the Heartbeat Interval to prevent a timeout issue through our proxy server. Editing the configuration settings would help.

    5 votes

    0 comments  ·  Self-Service Password Reset
  20. Include Azure AD Identity Protection with Azure AD Free

    I believe Azure AD Identity Protection should be included with Azure AD Free edition.

    It comes with Azure AD Premium P2 edition and I'm checking out the features for our 20000+ users but the cost will be extremely prohibitive.

    In Free edition there are cut down reports which don't provide any real details on detected risk events. Surely it's in everyone's interest to make freely available all features which allow detection, investigation and remediation of potential vulnerabilities affecting identities.

    11 votes

    1 comment  ·  Identity Protection

    Unfortunately, it is not in the direction of the product to give full Identity Protection to free customers as this is a premium (P2) feature. We do provide some limited reports to give basic risk information for non-P2 customers, but full Identity Protection is and will remain a premium (P2) feature.
