Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

    A lot of organizations use nested groups in on-premises AD. Synchronizing these groups to Azure AD has no value today, but the groups themselves have value on-premises.
    Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end-users.

    Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

    Adding nested groups to Azure AD would add a lot of value to Azure AD.

    1,311 votes
    153 comments  ·  SaaS Applications

    We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

  2. Allow the use of all user attributes for SAML token attributes

    We are developing a POC to have Cisco WebEx and Jabber integrate directly with Azure AD. Authentication works just fine. However, when there is a change to a user's profile in Active Directory, say title or phone number, in order for that change to update in WebEx or Jabber the "whenChanged" attribute needs to be sent as "updateTimeStamp" in the SAML token. "whenChanged" cannot be extended as a Directory Extension so maybe use of the "LastDirSyncTime" attribute in Azure would be a suitable replacement. Also, it would be beneficial to also allow the use of the "mobilePhone" Azure attribute in…

    51 votes
    2 comments  ·  SaaS Applications
  3. Include only pre-selected groups, into the claim

    At the moment all groups the user is a member of are included, and if that number exceeds 150 (200), a link is sent instead. It is better to only include groups which make sense for the application.
    In a modern environment, half of the users in big companies are members of more than 200 groups, but for each individual application only a few may be somewhat indicative. So why not have a possibility to select only the groups which make sense for each app, and only those would be included in the response?

    48 votes
    5 comments  ·  SaaS Applications
  4. BUG: Unable to Delete an Application's AppRole

    Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".

    When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools (See first attached image).

    After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browser's developer tools, it's coming back as true there too (See second attached image).

    24 votes
    2 comments  ·  SaaS Applications

    Thanks for reporting this!

    I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.

    For now, there are two options to work around this:

    1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697

    2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).

    / Philippe Signoret

  5. Enterprise Applications - Gallery Apps - Deploy Via API or Powershell

    We have hundreds of AWS accounts that need to be federated with our Azure Active Directory. We in turn create an Enterprise Application through Gallery Apps per AWS account to enable provisioning and sync all roles into Azure. Unfortunately, scaling and automating this is not possible through Gallery Apps.

    We need a way to deploy Gallery Apps for AWS / SalesForce programmatically.

    Currently, we are configuring these accounts one at a time. We need to be able to automate this process as we cannot onboard AWS accounts into Azure Active Directory.

    21 votes
    5 comments  ·  SaaS Applications
  6. Azure AD Applications - Needs

    - Allow applications in Azure AD to be organised into folders so business units who work in this space can 'claim' applications.
    - Provide the ability to rename applications or application instances once created.
    - Provide visibility of what user created an application.
    - Provide the ability to 'lock' applications from being accidentally deleted.
    - Deletion of applications requires X global admins to approve, at the moment a rogue admin could destroy an SSO setup for an entire company in minutes...

    21 votes
    3 comments  ·  SaaS Applications

    Thank you for your feedback, some of the suggestions are already available:

    - Ability to rename applications
    - Provide visibility of what users created an application: You can use audit activity reports: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-audit-logs

    Regarding the other suggestions, I’ll update this once it’s a planned feature. In the meantime, keep the voting coming so we can prioritize this higher.

    /Luis
    Program Manager

  7. Workday to AAD/AD provisioning query scope

    Workday to AD/AAD provisioning
    Please add the ability to scope the query passed to the get_workers API. For instance, pass company=schoolA to get_workers.
    Workday is now implementing shared tenants in the EDU space. In a shared tenant, the current query to get_workers pulls all workers and then allows scoping, but the worker data for all schools has to be pulled before it can be scoped. The result is AAD audit logs saturated with other schools' employee data. We also need to be able to control the audit data written to Azure activity logs, or at least be able to clear the provisioning logs.

    18 votes
    1 comment  ·  SaaS Applications
  8. SAML SSO, pass Restricted Claims

    It would be good if you could specify a restricted claim to be passed to the relying party such as isCompliant etc if a user is on a managed device. Clearly these claims should not be modifiable.

    16 votes
    3 comments  ·  SaaS Applications
  9. Default 'approval required' method for apps (new/unused)

    Please can we have a global catchall for all new or previously unused applications that link to Office365 accounts/resources?

    An example: draw.io has not yet been used and therefore there is no enterprise app to configure in Azure AD.
    On first attempt to log in to draw.io with an Office365 account, an approval request should be sent to the Office365 administrators to review the application and the permissions/access it requires.
    Then the enterprise app can be configured accordingly, utilising Self-Service, assignment and approvals as deemed necessary.

    15 votes
    4 comments  ·  SaaS Applications
  10. Workday Email Writeback API Version

    According to the Workday provisioning docs, the current API call (Maintain_Contact_Information) for email writeback is v26.1. Can this be updated to use v30.0 or later and use the "Change_Work_Contact_Information" API call instead, as it's specific to work contact information and less likely to be blocked by other business processes in Workday?

    14 votes
    4 comments  ·  SaaS Applications
  11. Find and Replace Claims Transformation Function

    When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:

    If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.

    11 votes
    3 comments  ·  SaaS Applications
  12. Workday trigger delta sync

    The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.

    11 votes
    2 comments  ·  SaaS Applications
  13. Enhanced AAD Support for SAP SuccessFactors

    Hi

    SAP SalesForce (SF) is pre-integrated with AAD, but SalesForce is comprised of numerous applications (HR modules). It would be nice if AAD conditional access, user provisioning and MFA rules could be applied differently based on the SF applications.

    1. MFA: It would be helpful if AAD supported MFA for SAP SuccessFactors by SuccessFactors module, e.g. the ability to force MFA for the Performance Management & Goals application, but not force MFA for the Learning Management System (Training) application.

    2. User Provisioning: It would be helpful if AAD supported automated user (de)provisioning of accounts in SAP SuccessFactors, again based on SF application.

    Take…

    10 votes
    under review  ·  0 comments  ·  SaaS Applications
  14. Custom error messages per SaaS App and tenant-wide also

    It would be really awesome if Microsoft would provide developers with an option to provide custom error messages per Azure AD SaaS App, and Global Admins with the ability to define some tenant-wide custom error messages as well. The error messages provided by Microsoft are not especially user-friendly or customer specific yet. This creates some confusion among internal and B2B users.

    I hope this would be taken into consideration like the Azure Conditional Access custom error messages.

    /Peter Selch Dahl
    Azure MVP

    Also see these related requests:
    ---------------------------------------------------------------------

    Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application:
    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6795635-fix-error-aadsts50020-when-logged-in-user-doesn-t

    Customize…

    8 votes
    2 comments  ·  SaaS Applications

    We don’t plan to provide the capability to customize the error message for now. But we have been working on making the error messages more actionable.

    If you have any suggestions for improving a specific error message, please create another post and the team will improve it.

    /Luis
    Program Manager

  15. Allow Directory Extensions as claim in SAML Token

    This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.

    If you create a directory extension attribute there doesn't seem to be a way to include it as a claim (i.e. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name, however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).

    I have found that you can include a directory extension attribute as an optional claim in the…

    8 votes
    2 comments  ·  SaaS Applications
  16. IDP-Initiated SAML flow option for all gallery applications

    Gallery integration for some SaaS applications (such as ServiceNow) use SP-Initiated sign-in flows. This makes ADFS -> Azure AD "migrations" for customers difficult as there is no way to validate the user experience without making Azure AD the default SSO provider. Additionally, some customers rely on just-in-time SAML provisioning, which is seamless with IDP-Initiated flow.

    7 votes
    unplanned  ·  1 comment  ·  SaaS Applications
  17. Engage Approval process when attempting to use the app directly

    Please can we initiate the approval process at the application level, not just when being added into the application portal (myapps)?

    An example: draw.io has been configured to require authentication and assignment. A user goes to draw.io and logs in with their Office365 account. They see a user-unfriendly error message as below:

    [OneDriveSDK Error] errorType: badResponse, message: AADSTS50105:+The+signed+in+user+is+not+assigned+to+a+role+for+the+application+'01234567-89ab-cdef-0123-56789abcdef0'. Trace+ID:+01234567-89ab-cdef-0123-56789abcdef0 Correlation+ID:+01234567-89ab-cdef-0123-56789abcdef0 Timestamp:+2000-01-01+00:00:00Z

    Instead - I would want the application to prompt with the same approval process notification/initiator that is seen when attempting to add the app via MyApps.

    7 votes
    2 comments  ·  SaaS Applications

    First, we’re working to allow end-users to request Admins to consent to an application that requires Admin permissions.

    As a next step for this feature, we’re considering adding other scenarios like this one where user assignment is required.

    Please keep voting to help us prioritize.

    /Luis

  18. Workday to OnPremise Sync with non Global Admin Account

    In the current configuration of the "Workday to Active Directory Provisioning" you are required to create an account in Azure with Global Admin permissions to be used by the onPremise agent. All changes made to Active Directory are made in the onPremise AD and not in Azure, and the permissions appear to be above the needed level in order to maintain our security delegation of the lowest level required to perform a task.
    Is there a solution to have the interaction between the onPremise Agent, Azure and Workday that does not require this level of permission?

    7 votes
    1 comment  ·  SaaS Applications
  19. Allow user folder provisioning for Box upon user assignment in Azure ADP

    We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.

    One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.

    We would like…

    7 votes
    1 comment  ·  SaaS Applications
  20. Better governance for SaaS apps (App Registration description)

    Azure App Registration needs some kind of better governance. The amount of applications is exploding within companies, with all kinds of apps ranging from breakfast to compliance applications. Microsoft needs to add some extra property fields that can be used for a description of the application purpose, but also a field that can be used for service management. I do not think that an Azure Tag would be sufficient. It must be some kind of value that can be set on the application.

    Reference:
    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13102086-azure-ad-applications-needs

    6 votes
    2 comments  ·  SaaS Applications