Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

Enter your idea

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

Merge office365 and live accounts that use the same email address

I use both Azure/msdn and office 365
I already had an msdn account mvdl@our-company.com ( Windows Live account) and our company recently migrated to Office 365 which resulted in a mvdl@our-company.com Office365 account.

Wich is causing a lot of grieve when switching between asure web portal / msdn web portal / office 365 web portal

Even when I have no portals open, I cant switch accounts. I need to explicity open the portal that I last logged in to. Log out, and then I can switch accounts.

And having both office 365 portal and Azure portal open at the same time is impossible.

I use both Azure/msdn and office 365
I already had an msdn account mvdl@our-company.com ( Windows Live account) and our company recently migrated to Office 365 which resulted in a mvdl@our-company.com Office365 account.

Wich is causing a lot of grieve when switching between asure web portal / msdn web portal / office 365 web portal

Even when I have no portals open, I cant switch accounts. I need to explicity open the portal that I last logged in to. Log out, and then I can switch accounts.

And having both office 365 portal and Azure portal open at the same…

1,188 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

230 comments · End user experiences · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Folks,

Thanks for the questions and suggestions. And apologies for not sharing any update on this thread for so long. We’ve been working on this problem and have announced changes on our official team blog (see here: https://cloudblogs.microsoft.com/enterprisemobility/2016/09/15/cleaning-up-the-azure-ad-and-microsoft-account-overlap/).

First, we are acutely aware of the UX pain this is causing and we are sorry for this. We are trying to undo a decade and a half of systems divergence. There are literally hundreds of different engineering teams across Microsoft involved in this effort. So this is taking time.

Second, we can’t easily “merge” two accounts, or allow IT to “take over” personal Microsoft accounts. There are two main hurdles: (1) The terms of service are fundamentally different for the two account types and (2) they are based on different technologies with different stacks (different identifiers, SDKs, token formats, etc.). We’re working to converge the two stacks but again this takes time. There are details of this in the blog post linked above.

Third, in the past year we’ve worked with 70+ teams across Microsoft that operate business services but only supported MSA for historical reason. Our goal is for all of these apps to support Azure AD (work accounts) as well. As of Nov 2017, we’re about half way there. Dev Center and MSDN subscriptions (now called Visual Studio subscriptions) are example of apps that now support Azure AD. Microsoft Payment Central and Invoicing are a few weeks away. Volume Licensing and many others are in progress and a couple months away.

The best recommendations we can provide right now are:
1) Use your work account (in Azure AD) to access any work application that supports it.
2) If you had created a personal Microsoft account to access Microsoft business apps, and no longer need it, close the account. Or rename it (which means chancing the user id) to avoid confusion.

Please follow our team blog for future updates on this problem.

Ariel Gordon

Folks,

Thanks for the questions and suggestions. And apologies for not sharing any update on this thread for so long. We’ve been working on this problem and have announced changes on our official team blog (see here: https://cloudblogs.microsoft.com/enterprisemobility/2016/09/15/cleaning-up-the-azure-ad-and-microsoft-account-overlap/).

First, we are acutely aware of the UX pain this is causing and we are sorry for this. We are trying to undo a decade and a half of systems divergence. There are literally hundreds of different engineering teams across Microsoft involved in this effort. So this is taking time.

Second, we can’t easily “merge” two accounts, or allow IT to “take over” personal Microsoft accounts. There are two main hurdles: (1) The terms of service are fundamentally different for the two account types and (2) they are based on different technologies with different stacks (different identifiers, SDKs, token formats, etc.). We’re working to converge the two stacks but again this…
Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

1,062 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

127 comments · SaaS Applications · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.
Get user membership groups in the claims with AD B2C

As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

1,020 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

66 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.

Apologies for the delay.

/Parakh

Old message:
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C?
Fully customizable verification emails

Currently, Azure AD B2C sends verification codes via emails to end users during sign-up and password reset flows. These emails have limited customization. Add support for full customization of the email body & content.

827 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

109 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

planned · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

We continue evaluating several alternatives to provide full email customization. We are actively working on an alternative.

Unfortunately we do no yet have an ETA.
Allow the User Admin role to Enable/Disable MFA for users

Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.

813 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

169 comments · Multi-factor Authentication · Flag idea as inappropriate… · Delete… · Admin →

planned · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
Authenticating wireless access points \ RADIUS through Azure AD

I would like to see Authenticating wireless access points \ RADIUS servers through Azure AD , not having to store user accounts in local active directory

628 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

64 comments · Authentication · Flag idea as inappropriate… · Delete… · Admin →
Customer-owned domains

Run Azure AD B2C's sign-up & sign-in pages under a custom domain, for e.g., login.contoso.com, instead of login.microsoftonline.com.

543 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

64 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Software Engineer, Microsoft Azure) responded

Due to various technical limitations, the first iteration of the customer-owned domains functionality will not be available for a few more months. We will provide an update as soon as we can get a more specific ETA.

If you are looking to use custom domains to use javascript, we are now looking to enable that experience by providing a new (non-customizable) domain. Please look for updates here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15493536-add-support-for-javascript-inside-the-custom-ui-br

/Parakh
Support exporting and importing conditional access policies using PowerShell

Support exporting and importing conditional access policies using PowerShell. This would be handy for backup purposes, but also for re-use of the same policy rules between test and production tenants.

The Microsoft Graph API currently do not have any REST APIs for accessing and creating conditional access policies: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview

427 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

23 comments · Conditional Access · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

We’ll be wrapping up work soon, after making updates from feedback we’ve received so far. We should have a public date soon.

-Caleb
Dynamic Groups: Member of group

Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.

Example:
(user.objectId -memberOf group.objectId)
(user.objectId -notMemberOf group.ObjectId)

Use case 1 - Group Based Licensing.
If the user is member of a group that gives them a E5 license, don't let them be member of a group that gives them E3.

Use case 2 - Exceptions
All users should have a MDM policy applied, accept those of a specific group.

410 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

25 comments · Groups/Dynamic groups · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.

Chen
B2C Fully Customizable Sign-In Page

Create a Sign In Policy by which we can provide our own template for the sign in page. It could work the same way as the Sign Up policy does.

362 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

61 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Hi all,

We’ve put out a new version of the sign in policy called sign in v2. This is available through the new portal experience and we have rebranded policies as user flows. Please give this a try and give us feedback through this link: https://microsoft.qualtrics.com/jfe/form/SV_0Gu45RkBy2YR1kh

/Sam
Set an AzureAD account to expire on a specified date

Just like in active directory allow accounts to be set to expire on a specified date. Our company policy is to set network accounts for non-employees (consultants, contractors, temporary employees, interns) to expire at a certain interval after they are created. We want the same functionality within Office 365.

357 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

42 comments · User Creation, Deletion, and Profile Management · Flag idea as inappropriate… · Delete… · Admin →
Remove requirement for onprem Exchange when using DirSync

as per : http://tinyurl.com/kqgjvqx

Currently for a small business who want password sync, but make the move to 365. they have to keep Exchange running on premise simply to be able to edit user attributes related to Exchange. - an active directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.

337 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

36 comments · Azure AD Connect · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Admin, Microsoft Azure) responded

We’re reviewing the best architectural solution here and will updated when we know more.
AADB2C: Send email invitation for new user to sign up

I would like the ability to trigger an email invitation be sent to new users for our web application that I want to authenticate with AADB2C. In our multi-tenant design, each tenant will be responsible for adding their own users to their tenant. I would like the admin of the tenant to be able to send an email invitation to the new user and then that user can complete the sign-up process.

330 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

26 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded

Thank you for the feedback. We are strongly considering this for the future. Today we are focusing on customer facing apps with open self-service signup. /Jose Rojas
Add MFA support to Secure the Windows 10 logon

Creating a way to secure the Logon to a Windows 10 workstation with MFA would then remove much of the complexity required to secure all the applications installed upon it (such as DA etc).

This would need to have the ability to store offline logins somehow which is possible with RSA SecurID.

It would and the final touches to a really great solution.

316 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

26 comments · Multi-factor Authentication · Flag idea as inappropriate… · Delete… · Admin →

AdminAzure AD Team (Product Manager, Microsoft Azure) responded

For requiring additional factors with Windows Hello for Business, please see – https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock

For why PIN is better than a password, please see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

For Authenticator app sign in to Azure AD, please see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in

As always, other feedback is welcome

/Ravi
Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library

Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library, just like Azure AD and Active Directory Authentication Library has.

The Azure AD B2C page has been saying 'Get tokens using a username & password with the OAuth 2.0 Resource Owner Password Credentials Flow (coming soon)' since September 2015.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-protocols/

314 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

64 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Just to provide an update, we are close to launching a private preview. We are in the final testing stages for this feature. We will have another update in the next few weeks with instructions on how to join the private preview.
Add support for JavaScript inside the custom UI branding page

295 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

37 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Hi all,

This is currently available for custom policies, you can find the instructions here: https://docs.microsoft.com/azure/active-directory-b2c/javascript-samples

We will be bringing this to built in as well in the coming weeks.

/Sam
Add an Azure AD Identity Provider

AADB2C is great, but why not adding an Azure AD provider? We're developing an application where we can have customers with social identities as well as Azure AD identities, it would be great in the AADB2C login page to have an option like "Organization Account". In this way we can code against one single API and not be forced to use two different entry points.

287 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

36 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

We have released the public preview for this feature! Learn more about how to use it here: https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-oidc-azure-active-directory

/Sam
SAML protocol support

Azure AD B2C currently supports OpenID Connect and OAuth 2.0. Add SAML protocol support as well.

286 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

31 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Seems like this feature request was not updated when the feature was announced. Talking to a SAML2.0 identity provider is possible if you use custom policies: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom

/Parakh
PowerShell and Graph API support for managing Multi-Factor Authentication

Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

The new AzureAD and AzureADPreview PowerShell modules support connecting to Azure AD w/MFA-enabled accounts, but they do not expose any StrongAuthentication data for viewing or editing.

The new Graph API does not expose any StrongAuthentication data. The old Azure AD Graph API doesn't, either.

Please fix this, or provide an update as to when it will be fixed.

Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

The new AzureAD and AzureADPreview PowerShell modules support connecting to…

281 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

34 comments · Multi-factor Authentication · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

The MFA team is currently working on adding get/set/read/delete abilities for StrongAuthentication data to the Graph API.

Richard
AADB2C: Support OAuth 2.0 client credential flow

As mentioned in the B2C limitations:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-limitations/

Our daemons / server-side applications need this feature as part of our security implementation in order to grant access to our web apis.

236 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

18 comments · B2C · Flag idea as inappropriate… · Delete… · Admin →

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded

Currently, you can use “App Registration” blade in the Azure Portal (outside of the Azure AD B2C blades) to register an apps that define application permission and the register apps that use client credentials to request these. The caveat is that this is done using the same mechanism that you’d use in regular Azure AD.

Ideally we’d have a first class experience for this in the Azure AD B2C blades or at least have an Azure doc that walks you through the experience I just summarized, so I’m leaving this feature ask open.

It would be great if you guys can add comments with your feedback. What scenarios areyou trying to achieve? Does the approach above help you achieve what you want to achieve? Does the experience to do so work for you guys and if not, what would you like to see?