Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow the User Admin role to Enable/Disable MFA for users

    Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.

    1,280 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    246 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  2. PowerShell and Graph API support for managing Multi-Factor Authentication

    Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

    The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

    Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

    The new AzureAD and AzureADPreview PowerShell modules support connecting to…

    825 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    122 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    We’re really pleased to let you know that we’ve released the first authentication method APIs to public preview:

    https://docs.microsoft.com/graph/api/resources/authenticationmethods-overview

    So far there are APIs for managing phone numbers and password resets. When phone numbers are set with the API, the user can use that number for MFA and SSPR (as allowed by your tenant’s policy).

    The team is hard at work at building out APIs for all of the other authentication methods, and we’ll update the response here as they’re released.

  3. Add MFA support to Secure the Windows 10 logon

    Creating a way to secure the Logon to a Windows 10 workstation with MFA would then remove much of the complexity required to secure all the applications installed upon it (such as DA etc).

    This would need to have the ability to store offline logins somehow which is possible with RSA SecurID.

    It would and the final touches to a really great solution.

    781 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    65 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  4. MFA: remember device permanently (& remember per device, not per app)

    Please:
    1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
    2. Make it so that MFA is remembered once per device (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).

    Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or…

    281 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    21 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. Enable per user MFA bypass for Azure MFA (Cloud) make this both temporary and permenant based on settings

    Currently per user bypass is not capable in Azure MFA (Cloud only) this can be done using the Azure MFA on premise server. This functionality make Azure MFA more usable for a end user community that often loses or forget cell phones and need temporary bypass. Also using Azure MFA with NPS/Radius there is no way to allow services accounts that do network equipment monitoring to avoid Azure MFA if we want to enable MFA to access critical network infrastructure or VPN using radius this would help this scenario too

    200 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    28 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow Azure AD Sync to Prepopulate the Authentication Phone Number from an Onpremise AD Object, and prevent users from entering their own.

    Allowing a User to set their own mobile number in MFA, completely negates the purpose of the Technology, in an Azure AD Connect environment.

    For a Secure environment, The Administrator would set the Mobile Number as the source of Truth in Active Directory, and it should prevent a potential attacker, from changing the mobile number as they see fit.

    If a user, who has not registered for Azure MFA yet, credentials are compromised, then an attacker could supply their own Authentication Number, and Azure MFA becomes ineffective.

    We should have the ability to set the Authentication Number in AD, and…

    196 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  7. Provide support for YubiKey / FIDO as the MFA

    Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.

    https://www.yubico.com/about/background/fido/

    160 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Azure MFA is currently designing the experience for FIDO 2.0. This is the next iteration of the FIDO U2F standard that the link references.

    Richard

  8. Enable app password creation when MFA is enforced using Azure Conditional Access

    I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.

    I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal then, the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal then, the app password creation option is not presented at all. Both are implementing the same function essentially but the latter blocks the apps that…

    159 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    23 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  9. Migrating from Azure MFA Server to MFA Cloud

    Need a migration method for migrating from Azure MFA Server to Azure MFA Cloud, without all our users having to re-register.

    120 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  10. 111 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Anonymous responded

    Please provide more details. DirectAccess is an on-premises technology and as such may not fall into Azure Active Directory.

  11. User Opt-In to Azure MFA with Office 365

    We have enabled MFA at our Office 365 tenant, but requires Admins to enable users. For organizations that would like to phase MFA in for their users, it would be nice for users to self opt-in sort of like they do with personal email accounts. Then over time, administrators can "require" MFA by a certain date for users holding out. One way to handle this is to include a link for the end user under user settings to "Sign up for Multi-Factor Authentication". Right now, nothing appears under a users security settings until they are enabled by an administrator. Thx!

    99 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  12. Request for registration of OATH token and connection to user:

    We would like you to allow end users to register OATH token by themselves as well as other multi-factor authentication notifications (i.e. telephone and SMS)

    If our request above is not permitted, please consider the following to reduce the time and effort of the administrator:
    - Registering OATH token information prior to registration of associated user information
    - Connecting the user and OATH token by GUI operation from Azure portal instead of importing CSV
    - No entering authentication code when activating OATH token

    96 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  13. Automatically enable MFA for all members of an Azure AD Group.

    Add the ability to automatically enable MFA for all members of an Azure AD group as they are added, in addition ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

    91 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

  14. Improve Azure Authenticator App to require password or touch id validation before approving push request.

    Currently, if you receive a push notification to the Azure Authenticator app while the phone is locked, merely swiping the notification and selecting View allows access to approve (or deny) the request. Other authenticator apps (Google, Lastpass, etc.) require the device password or touch id (on iOS) before the request can be approved. This is a security flaw and needs to be fixed.

    82 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Backup Codes for Azure MFA

    Please add support for "Backup Codes" to Azure MFA as soon as possible. Many popular MFA services already support Backup Codes, basically a list of 10 valid authentication codes that a user can print off and use in situations where there regular authentication method is not available.

    Use cases for backup codes include:


    • User's mobile phone is lost, stolen, or damaged.

    • User will be in an area with out good mobile phone service or consistent access to a land line.

    • Users let's mobile phone battery drain..

    80 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.

    Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.

    Richard

  16. Azure Authenticator (MFA) Desktop App

    SUMMARY:
    Due to limited capability to use the Microsoft Authenticator Mobile app on a mobile device, there is a requirement to get a desktop version of the app that has the same functionality.

    BUSINESS CASE/BACKGROUND:
    We make use of MFA for all remote users who are connecting to our network from a non-managed device (i.e not a company laptop/desktop). These remote users would then be expected to use the Microsoft Authenticator app on a mobile device with the following Authentication options;
    - Text Code to my authentication phone number
    - Notify me through app
    - Use verification code from app

    79 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. 68 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  18. Set Default Country Code in Azure MFA

    When importing users from AD, if the country code isn't included in attribute Azure MFA will set the country code to +1(USA).
    Can a feature be added to allow the default country code to be set a the global level. So that in our case we could set all number to default to +44(Great Britain) .

    67 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    We’ll take this in consideration as we plan new features. In the short term, we are working on Graph API‘s that will allow you to change phone numbers in the StrongAuthentication fields.

    Richard

  19. Show the Country and App/OS that triggered the MFA request via Authenticator app pop up

    If using the Microsoft Authenticator app with App Notifications for Azure MFA requests why can't we also have the Country and App or OS which has triggered the MFA request?

    This will help users from blindly always tapping Approve and also give them more info on what app has requested MFA.

    You can already see this info in the Azure AD sign in and audit logs so why can't it be pushed through to the app pop-ups too?

    62 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  20. Exclude Emergency Access account from Security Defaults

    Microsoft has done a great job by releasing security defaults, however it's lacking the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA.

    This is similar to the built-in Administrator account in traditional Active Directory, without the ability to exclude a single account most organizations without AAD P1 licensing will simply leave security defaults turned off.

    If we want fine grained exclusions or multiple emergency access accounts it would then make sense to purchase…

    59 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 16 17
  • Don't see your idea?

Feedback and Knowledge Base