Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Introspection endpoint for Azure Active Directory

    Hi,
    Times, there will be cases when the user logs out but the token associated with the user on the client doesn't expire and so when the Resource Servers/APIs invoked with these tokens gets serviced/honored. It would be great to have an introspection endpoint with AAD to check the validatity of the token (as mentioned in RFC 7662 https://tools.ietf.org/html/rfc7662) so that all APIs/Resources can leverage it and accept or reject the token instead of creating a custom repository at our end to blacklist these tokens.

    142 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    25 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Thanks for the feedback! We will look into this and share an update when we have more information.

  2. SSPR - Allow user unlock from the windows 10 logon screen.

    You recently implemented the password reset from the Windows 10 logon screen. However, the possibility of unlocking the user when they remembered the password was lacking.

    I remember that this functionality already exists through the MIM or Azure reset link.

    114 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    16 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  3. Integrate Azure AD PIM with on-premises AD

    Azure AD PIM is a cool feature, and easy to use. The on-premises MIMPAM solution is the exact opposite experience. It requires a lot of infrastructure to be in place, and different skillsets are needed to make it secure. It's simply too expensive and complex for a lot of organizations to use.

    Integrating AAD PIM with on-premises AD would solve these issues. A cloud based solution, paid by usage (license per user).

    106 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  8 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Introduce account 'unlock' feature when an account gets locked out during passthrough authentication. (instead of waiting for 30 minutes)

    It will be very helpful if we have the ability to unlock on demand when an O365 user's account is locked (self service), without waiting for the account lockout duration. Currently this feature was confirmed by MS tech that it does not exist and that the end user has to wait for the account lockout duration period. This specially is very useful for accounts that are sync'd via AAD Connect and pwd reset in O365 does not apply because the account is a sync'd account.

    103 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  5. Automatically enable MFA for all members of an Azure AD Group.

    Add the ability to automatically enable MFA for all members of an Azure AD group as they are added, in addition ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

    96 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

  6. Add an option to bypass service plan dependency check when assigning license to group

    The Azure portal does not allow assignment of an add-on license to a user group unless a base license with prerequisite service plans is also assigned to the group. Example: Audio Conferencing can only be assigned to a group if (e.g.) Office 365 E3 with the Microsoft Teams service plan enabled is added to the group at the same time.

    The problem is that most of our customers have a mix of Office licenses. In order to avoid service plan conflicts and unnecessary license usage, we would need to create a group for each possible combination of the addon and…

    89 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Admin Portal  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

  7. Disable SSPR by group (exclude group from SSPR)

    Currently, you can configure SSPR to be enabled for your entire organization or for a specific group. It would be nice to have the ability to disable/exclude a specific group (e.g. enable for the entire organization except for a specific group(s)). The use case would be a scenario where almost the entire company should have SSPR but there are sensitive accounts that should not be enabled for it.

    89 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  8. Azure Active Directory Domain Services - More Pricing Tiers

    Can we have more pricing tiers? I run a small consultancy business with 1 user and enabling AADDS will cost in excess of £90 a month, even though I won't have anything like the 25000 objects minimum tier cap. However AADDS is useful for demonstrating to SME clients how they can go cloud only so it would make sense to provide an entry level price point, for example max 2500 objects to suit the smaller scenarios.

    84 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  21 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
  9. Invalidate JWT Token

    Need a way to invalidate JWTTokens that have been issued to a user to prevent the user from accessing the AAD with the token after issuing the OAuth logout request:
    (https://login.windows.net/{{tenant}}/oauth2/logout?postlogoutredirect_uri={{RedirectUri}})

    82 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Thanks for the feedback! We will look into this and share an update when we have more information.

  10. Enable "Owner" attribute for Group Object on Azure AD Connect Sync

    Currently, the group owner on Azure AD Portal is mapped to "Owner" attribute while the Office 365 Admin Portal is mapped to "ManagedBy". For a group which is synced from local AD to the AAD via AAD Connect, there is no way to update the "Owner" attribute on Azure AD.

    The AAD Connect does not support "Owner" attribute for sync and we can't assign "Owner" on Azure AD as it is a synced object.

    So to resolve this issue, the "Owner" attribute should be supported as an attribute for sync on the Azure AD Connect.

    78 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  9 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →
  11. Device-level authentication as primary authentication like ADFS 4.0 (Windows 2016) in Azure AD

    It would be AWESOME, if Azure Active Directory would provide device-level authentication as primary authentication like ADFS 4.0 (Windows 2016)

    We need this please!

    73 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  12. Change MFA sender phone number and content

    Currently is not possible to change the phone number or the content of the SMS to validate the user's number or for MFA.

    B2C would be more useful for financial and/or government organizations if the MFA had more branding options in order give peace of mind to wary customers.

    72 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    We’re looking at this feedback and along with work for verification emails, looking to do some work around customization to completely remove the Microsoft brand and allow this depth in customization. Please bear with us as we are looking at how best to prioritize these changes.

    /Sam

  13. Make a App for AzureAD PIM to activate my roles

    Please Make a App for AzureAD PIM to activate my roles - so that the admin user that's only are using portal.office.com need to go into portal.azure.com to active the PIM roles (like global admin)

    70 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  12 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  14. Set Default Country Code in Azure MFA

    When importing users from AD, if the country code isn't included in attribute Azure MFA will set the country code to +1(USA).
    Can a feature be added to allow the default country code to be set a the global level. So that in our case we could set all number to default to +44(Great Britain) .

    70 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    We’ll take this in consideration as we plan new features. In the short term, we are working on Graph API‘s that will allow you to change phone numbers in the StrongAuthentication fields.

    Richard

  15. Modern end-user portal

    One of the main blockers to deploy MIM is lack of a modern end-user facing portal. One doesn't need to port all the functionalities to such a portal straight away and MPRs, Workflows etc can stay within an old portal for admins, but users should see responsive and simple interface (not based on SharePoint)

    66 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Microsoft Identity Manager  ·  Flag idea as inappropriate…  ·  Admin →
  16. Add support for webhooks when users are invited, added, removed from Azure AD + Azure AD B2B Collaboration

    Currently it is not possible to receive a notification from Azure AD when a user has been invited (through B2B Collaboration) or added directly through Graph API or the portal.

    66 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
  17. RBAC roles for Viewing/Modifying Authentication Info (MFA)

    Currently, only Global Admins can view and modify the information in a user's account in the Authentication Info fields. This is problematic as we have people performing B2C support that are User Administrators and can't see or update the user's info in these fields to help troubleshoot access issues/MFA issues.

    For users assigned the User Administrator role, allow them to view and modify the Authentication Info fields. They currently see grey fields that are empty.

    65 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    22 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  18. AADB2C: Add CORS headers to AD B2C token endpoint to allow for implicit flow (XHR POSTS)

    We are trying to implement Azure AD B2C authentication with a web app using implict flow. We can login and successfully get redirected to the correct url which includes the correct items on the redirect url (idtoken&code). However, as this article suggests (https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-reference-oidc.md#get-a-token) the app then needs to perform a xhr POST request to the token endpoint to retrieve a token for a resource (web api) the app needs to interact with. However, when I try and do an XHR POST to that token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p=b2c1_signinpolicy) the browser (quite rightly) performs a preflight check (an…

    64 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  19. AAD Password Reset: Possibility for helpdesk for user verification

    We have users, which are registered for Azure AD Password Reset service. They have filled out the security questions and other options for using the AAD Password Reset self-service.0

    Sometimes the users have Problems to use the self-service in case of different things (forgotten smartphone, answers etc.). In this case, they can call the Helpdesk (ServiceDesk) for further assistant. Now, we are looking for a possibility to make a verification of the user, who is on the other end of the phone.

    Therefor a feature or possibility for members of the Helpdesk/ServiceDesk to verify the calling person with informations are…

    63 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  20. Allow extensibility of portal through the use of custom controls

    There are some business scenarios which currently cannot be built in the FIM portal due to the limited set of Uoc controls available, and their lack of customization. This leads to external tools needing to be made, fracturing the experience for FIM users. Allowing the Uoc base control to be made public and inheritable opens up scenarios for controls with extended validations, external lookups, code behind, and much more.

    59 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Microsoft Identity Manager  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base