Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. In the Sync Engine UI, update the Management Agent Tab so that additional attributes that are saved in can be displayed on the screen.

    Currently in the Sync Engine UI, on the Management Agent Tab, the following attributes are displayed. Name, Type, Description and State.

    It would be useful if the attributes displayed could be configurable, and additional attributes stored in the database such as maid, creationdate, modificationdate and ispasswordsyncallowed.

    The benefit of this is you can easily see how recently a Connector (MA) was updated, and if Password Sync is enabled for the Connector

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Microsoft Identity Manager  ·  Flag idea as inappropriate…  ·  Admin →
  2. MIM 2016 SP1 language pack for Romania

    My customer is a multinational company and requires several local language translations in the MIM Portal. All of the ones we need (so far) are present EXCEPT Romanian.

    Is this on the roadmap?

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Microsoft Identity Manager  ·  Flag idea as inappropriate…  ·  Admin →
  3. Add requestor UPN and email to audit list

    Sometimes I cannot find the requestor in the Active Directory according to the entry in PIM (e.g. Azure AD does not exist as user). It would be helpful to ad the email adress and UPN to the requestor colomn and as separate column in the Excel export.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Resource Group Missing

    Hello I have EA access. I created two resource group and assigned owner access to there outlook.com account. When they login to portal.azure.com they don't any resource group

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  5. Azure Password Management reporting RBAC

    Extend the new administrative roles added to Azure AD that enable finer-grained administration ( https://blogs.technet.microsoft.com/enterprisemobility/2016/06/28/azuread-updated-with-new-admin-roles/ ) to also encompass Password Management, including MIM hybrid reporting of Self Service Password Reset.

    We are in the midst of deploying MIM Hybrid Reporting for Self Service Password Reset and would like to be able to provide business administrators access to the reporting, without granting administrative access.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  6. Change behavior in new tab after activating role on Azure AD PIM

    In current design of Azure AD Privileged Identity Management(PIM), it is required to open a new browser to see o365 portal for activated role (e.g. the temporary Global Admin). However I want availability by sign-in o365 in a new tab on the current browser instead of opening a new browser. Usually, users open new tab for new web page, I think.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. Notification to wrong Azure AD domain

    When you enable some new tools (like Azure PIM) the notification came with information that you enable this for domain $XYZ.

    When you have more custom domains added in some order like:
    A Domain
    B Domain
    C Domain (Main domain)
    D Domain

    The notitification came for domain A Domain, not for C Domain (Main Domain). It is something to be wrong or to be considered as bad state?

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  8. Azure Active Directory Domain Services Status

    I've been having problems with the Domain Services correctly syncing passwords via LDAP. Today none of the LDAP services could connect. Thinking that something might have happened to my configuration I disabled the Domain Services, reconfigured it, then re-enabled. The re-enable has been going for several hours now. The Domain Services section is set to OFF but when I try to configure it again it throws an error. No details, just says that it can't save the configuration.

    It would be nice if there was some sort of status page where I could see what's going on regarding provisioning and…

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
  9. More simple configuration between Dynamics Nav and Azure Active Directory

    Allow more simple application single sign-on between Azure Active Directory and Dynamics Nav i.e. use similar application as application proxy to create the federation between nav and azure ad.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  10. Need to strip out the special characters when answering SSPR questions

    Like FIM, it would be nice if SSPR stripped out the spaces (in the answers) and the special characters so that users are not challenged remembering the exact answer, such as hyphens or apostrophes on answers.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  11. Allow blocked users to be provisioned to SaaS apps

    we have group/ user provisioning turned on to ServiceNow. Everything is working great, except the users with "block sign in" checked. I reviewed the provisioning logs and show these users aren't sent over to SN. We are doing license management and need to see when inactive users are still assigned a license.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  12. Sub attributes in mappings

    Sub attributes arent supported in custom sso apps.

    I'm unable to match a user if their email is a sub attribute

    e.g. emails.value

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  13. Configure sync Scope per mapping

    There is a global provisioning setting to Sync only assigned users and groups, or Sync all users and groups. I would like to set this per user mappings or per group mappings. The reason for this is because we have applications that we don't have licenses for all our users. So I would like to provision the users by group membership (assigned), but sync groups globally based on a naming standard (scoping filter).

    The issue with scoping filters is you can't scope based on group membership, which would be another feature request I suppose.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  14. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  15. 1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →
  16. AzureAD Box User Deprovisioning Transfer Files to Another Account

    Box supports the ability to specify an account to which user files are transferred. We rely on this functionality to ensure that user's files are transferred to a backup service account when a user leaves the organization. It would be very nice to have this capability too.

    Box Dev guide:
    https://www.box.dev/guides/users/deprovision/transfer-folders/

    Okta guide:
    https://help.okta.com/en/prod/Content/Topics/Provisioning/Box/configure-box.htm#Enable2

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  17. Salesforce Connector Terminology

    This may be "cosmetic" but in the Salesforce - Users and groups
    Assignment page, 1 Azure AD Security Group is mapped to something called a Role. It's actually a Profile in Salesforce. Aligning the terminology could be good as Salesforce Role are different.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  18. access reviews

    In access reviews, it would be helpful to see the current status of the account. For example, we have accounts that are recommended for "Deny" but in AAD the account is already blocked from signing-in.

    Also accounts surface in the access review that have been removed from AAD.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Access Reviews  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for submitting the feedback!

    You’re right that currently we don’t reflect the status of the account in real time, because when the review is created we take a snapshot of the users in the review right before the review starts, so the reviewers get a view of the user’s activity X days before the review. This has been an audit requirement for some customers. I’d like to hear more about your use case in dynamically updating the user’s status, and how that contributes to your audits (if any).

    We’ll keep this feedback in mind when planning, thanks again!
    - Fionna

  19. Remove possibility for mapping to readonly ID attribute

    According to RFC 7643 section 3.1 “The value of the "id" attribute is always issued by the service provider and MUST NOT be specified by the client.” But in fact azure portal allows mapping to “id” attribute which is violation of RFC.
    RFC https://tools.ietf.org/html/rfc7644#section-3.12 specifies that service provider should respond with “Bad Request” to these invalid requests. There is even example of such response in the end of section 3.12.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  20. Reevaluate "potential stale accounts in a privileged role" alert

    This alert is to identify "Accounts in a privileged role that have not changed their password in the past 90 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers."

    Rotating of passwords is not the best way to identify stale accounts. SecureScore has a control that encourages setting passwords to never expire based on research which also led NIST to update their position on password expiration policies and the Microsoft security baseline for win 10 to recommend not expiring passwords. (see below)

    A stale account is one that has not been…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base