Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Provide alternate path or help when removing features. E.g. URL to Grant Access

    We used to have a "URL to Grant Access" in the WAAD application configuration page. This has been removed recently (March 2014) and there is no documentation or help to explain what the new way of granting access to other WAADs is.

    Even the documentation still specifies this "URL to Grant Access".

    Please help!

    3 votes

    0 comments  ·  Other
    under review  ·  Anonymous responded

    Your suggestion has been passed on to the appropriate Program Manager.

  2. Add support on Entitlement management API so service principal can maintain Catalog resources

    You can generate AAD groups, RBAC assignments and Access Packages through code, but there is no API method to maintain which resources belong to a Catalog, forcing us to add resources to the catalog in a manual step.

    2 votes

    under review  ·  0 comments  ·  Entitlement Management
  3. 2 votes

    under review  ·  0 comments  ·  Provisioning to Applications
  4. Disable option to create Conditional Access Policy when Passthrough authentication is enabled

    When Passthrough Authentication is enabled for an app published through App Proxy, the authentication process is offloaded to the IdP the company uses.
    Because of that, authentication requests cannot be evaluated for Conditional Access.
    Thus, turning on Passthrough should automatically prevent users from creating a CAP for the application. Currently, the What-If tool will show that the policy will apply when in reality it won't.
    This is documented here:
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-faq

    This behavior already exists for Single Sign-On.

    2 votes

    0 comments  ·  Application Proxy
  5. AAD provisioning does not show Audit logs for group membership

    AAD and G Suite provisioning do not show Audit logs for group membership updates, which I believe is quite important to know. As per the MS agent:

    If the user is not already provisioned on G Suite, when we try to update group membership, this would obviously fail since we don't have a reference attribute to resolve on the target. Currently, by design, Azure AD doesn't retry the previously failed group membership update after the user is provisioned. Workarounds to fix this problem are to remove and re-add the user as a member of the group or trigger a clear…

    2 votes

    under review  ·  0 comments  ·  Provisioning to Applications
  6. IDCS Provisioning doesn't work

    The Oracle Cloud Infrastructure Gallery app uses the OracleIDCS object, but it doesn't support the attribute primary email = boolean. You cannot create a user in IDCS unless you set the email and mark it as primary, so essentially email.primary has to be set to a boolean (true). Please include it in the OracleIDCS objectclass.

    2 votes

    0 comments  ·  Provisioning to Applications
  7. Notification to eligible members

    In Microsoft 365/Azure AD, many predefined notifications are set to tenant admins/global admins as the default recipients (examples: predefined Alert Policies in the S&C Center, Billing notifications, etc.). If all members of that role are eligible and currently no member holds that role, then a notification cannot reach anyone. So please change this behavior so that eligible members of a role will get that notification by default.

    2 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  8. MIM graph connector missing key information

    The MIM Graph connector is missing key information like Licenses, mailbox created time, Provisioned plans, Extended attributes, etc.

    2 votes

    under review  ·  1 comment  ·  Microsoft Identity Manager
  9. Make PIM audit more robust. Should be able to filter on all of the key categories (for example, filter on Global Administrator approvals)

    Make PIM audit filtering more robust. Should be able to filter on all of the key categories (for example, ability to create a filter for Global Administrator approvals).

    2 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  10. Create Custom RBAC Role with link to Built-In Role

    When I create a custom Role from a Built-In Role, this new role is no longer updated by Microsoft, because it is custom. I would like to have a way that I can set a delta on a Built-In Role and create a new Role from it, so that I have a custom role that always receives updates from Microsoft.

    2 votes

    0 comments  ·  Role-based Access Control

    Hi,
    Thank you for taking the time to submit feedback! This is an interesting request, we certainly have customers who want it one way or the other. We’ll consider a mechanism to specify a role is ‘inherited’ from a parent role and thus gets updates based on that role. However, we don’t have a timeline for that just yet.

    Thanks again,
    Vince Smith
    Azure Active Directory Team

  11. Application Provisioning Attribute Mapping Configuration Backup for last 5 changes

    During a recent incident I came to know that Provisioning Configuration change details do not get backed up, i.e. the attribute changes which we make on the attribute mapping. Only a text message gets recorded when changes are performed; it never records what changes were made. If Microsoft provides either of the following it will be helpful for all Azure customers.

    Option 1) Provide a backup of the provisioning application schema for the last 5 configuration changes which can be accessed by an Admin. It will help the Admin to restore from the backup in case of any failure while updating the Schema.

    Option 2) Currently Microsoft records…

    2 votes

    0 comments  ·  Provisioning to Applications
  12. Add ability to join ASG to VM Contributor Role

    VM Contributor role has the ability to join a NIC to an NSG today, which is logical. Network Contributor creates the NSG with the rules, probably applies the NSG to the subnet, but the VM Contributor needs to be able to apply the NSG to the NIC when they create a new VM. VM Contributor does not have the ability to associate a NIC with an ASG, though, which appears to be a pretty major oversight as our NSG rules will not have any impact until the ASG is associated with the NIC. Today, that would require giving our VM…

    2 votes

    1 comment
  13. Allow Granular Privileged Role Admin Assignments. E.g. Privileged Role Admin (Azure resource)

    Large organisations will often separate/delegate tenant-wide access management and administration from lower-level (Azure) resource-level assignments. If this were extended to PIM, such that we could delegate the management of PIM Azure Resource role assignments to different Admins than those that manage the PIM AAD Admin role assignments this would be better than the all-or-nothing scenario with the Privileged Role Administrator role.

    2 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  14. Group Owner is Inactive and disabled

    We have a challenging situation managing group owners in Azure Active Directory. If a person leaves the organization, his/her identity will be set to the "disabled" state. Is there a way automatic emails can be sent to admins notifying them that the Group Owner ID is disabled for all the managed groups?

    2 votes

    0 comments  ·  Access Reviews
  15. Integrate PIM with Secure Score and e-mail sent to admins

    I don't get e-mails that Global Admins usually receive, unless I am elevated to Global Admin at the time when the e-mail is sent. For example: the Azure AD Identity Protection weekly review has stopped being sent out to me unless Global Admin is activated.

    Also, Secure Score says that we only have 1 Global Admin (it recommends at least 2), but we are 10 techs that are eligible for Global Admin. On the other hand, if all 10 techs are elevated, Secure Score says we are too many Global Admins.

    This integration should work against user eligible for Global Admin…

    2 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  16. App Proxy for Intranet API

    We are using App Proxy for intranet API publication.
    The usage flow is below.

    1. SSO to applications using SAML integrated with Azure AD.
    2. Use the SSO authentication token to hit the App Proxy API embedded in the application.

    On that basis, I have the problems below.
    · It cannot be executed unless you access the API beforehand on the screen.
    I implement the following in HTML.
    <object data="~msappproxy.net/api/" type="text/json" style="visibility: hidden"></object>
    <input type="button" value="test" onclick="postAPI('~msappproxy.net/api/')">

    · The…

    2 votes

    under review  ·  0 comments  ·  Application Proxy
  17. We have a few non-gallery applications we would like to be added.

    We are a K-12 School District and cannot afford the Premium upgrade. The apps are:
    ez-proxy - https://www.oclc.org/en/ezproxy.html
    Frontlineeducation.com (Absence Management and Professional Growth)
    GoGuardian
    Schoolwires (part of Blackboard.com)

    2 votes

    0 comments  ·  SaaS Applications
  18. Enable PIM for a specific device only

    If a user requests a PIM activation, approvers should have the ability to restrict privileged access from the device the access was requested from.

    Consider a scenario where an attacker is able to convince an administrator to escalate their privileges for some (fake) legitimate reason (e.g. I need a new site collection in SharePoint Online). If we assume the attacker has compromised the administrator's identity, they would then be able to take on the administrator's privileges from a remote location.

    If the administrator's elevated privileges were restricted to a specific device, the attack would fail.

    2 votes

    under review  ·  2 comments  ·  Privileged Identity Management
  19. connect

    Add SQL MA to AAD Connect with ability to not only provision AAD, but also AD.

    2 votes

    under review  ·  1 comment  ·  Azure AD Connect
  20. iOS using Safari/Chrome/Firefox not able to get ADAL callback function after login

    I followed the document at https://identity.microsoft.com/Docs/Web for OAuth and integrated it in my web app. The login works fine from Android devices: when the login button is clicked it opens a new page for taking Office 365 login details. Once done, this page closes on its own and the first page's Office 365 callback function is called, which we use to send the id_token and other details of the user from this page to our web server. On iOS devices (MacBook Pro/iPad) the second page comes back to the given redirect URI with the id token but the registered callback function…

    2 votes

    1 comment  ·  Developer Experiences