Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Integrate Azure AD PIM with on-premises AD

    Azure AD PIM is a cool feature, and easy to use. The on-premises MIM PAM solution is the exact opposite experience. It requires a lot of infrastructure to be in place, and different skillsets are needed to make it secure. It's simply too expensive and complex for a lot of organizations to use.

    Integrating AAD PIM with on-premises AD would solve these issues. A cloud-based solution, paid by usage (license per user).

    158 votes

    under review  ·  11 comments  ·  Privileged Identity Management
  2. AADB2C: Add CORS headers to AD B2C token endpoint to allow for implicit flow (XHR POSTS)

    We are trying to implement Azure AD B2C authentication with a web app using implicit flow. We can login and successfully get redirected to the correct url which includes the correct items on the redirect url (idtoken&code). However, as this article suggests (https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-reference-oidc.md#get-a-token) the app then needs to perform an XHR POST request to the token endpoint to retrieve a token for a resource (web api) the app needs to interact with. However, when I try and do an XHR POST to that token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p=b2c1_signinpolicy) the browser (quite rightly) performs a preflight check (an…

    140 votes

    8 comments  ·  B2C
  3. Use Seamless SSO in AADDS environments.

    At the moment, having seamless SSO in Azure Active Directory Domain Services doesn't work. Logically, this feature should be automatic...

    At the moment, you can join a machine to AADDS domain, and log in to it with Azure AD credentials. But users still need to sign in manually to Office.com, office apps, etc.

    This is extremely important in an AADDS Windows Virtual Desktop scenario (where Microsoft Office is hosted as RemoteApps). To access Office, users will need to log in to WVD, then AGAIN into the RemoteApp host itself, and AGAIN into the Microsoft Office apps - all with the…

    130 votes

    under review  ·  32 comments  ·  Domain Services
  4. SSPR - Allow user unlock from the Windows 10 logon screen.

    You recently implemented the password reset from the Windows 10 logon screen. However, the possibility of unlocking the user when they remembered the password was lacking.

    I remember that this functionality already exists through the MIM or Azure reset link.

    118 votes

    16 comments  ·  Self-Service Password Reset
  5. Disable SSPR by group (exclude group from SSPR)

    Currently, you can configure SSPR to be enabled for your entire organization or for a specific group. It would be nice to have the ability to disable/exclude a specific group (e.g. enable for the entire organization except for a specific group(s)). The use case would be a scenario where almost the entire company should have SSPR but there are sensitive accounts that should not be enabled for it.

    117 votes

    20 comments  ·  Self-Service Password Reset
  6. Introduce account 'unlock' feature when an account gets locked out during passthrough authentication. (instead of waiting for 30 minutes)

    It will be very helpful if we have the ability to unlock on demand when an O365 user's account is locked (self service), without waiting for the account lockout duration. Currently, MS tech has confirmed that this feature does not exist and that the end user has to wait for the account lockout duration period. This is especially useful for accounts that are sync'd via AAD Connect, where a pwd reset in O365 does not apply because the account is a sync'd account.

    106 votes

    6 comments  ·  Azure AD Connect
  7. Azure Active Directory Domain Services - More Pricing Tiers

    Can we have more pricing tiers? I run a small consultancy business with 1 user and enabling AADDS will cost in excess of £90 a month, even though I won't have anything like the 25000 objects minimum tier cap. However, AADDS is useful for demonstrating to SME clients how they can go cloud only, so it would make sense to provide an entry level price point, for example max 2500 objects to suit the smaller scenarios.

    100 votes

    under review  ·  25 comments  ·  Domain Services
  8. Add an option to bypass service plan dependency check when assigning license to group

    The Azure portal does not allow assignment of an add-on license to a user group unless a base license with prerequisite service plans is also assigned to the group. Example: Audio Conferencing can only be assigned to a group if (e.g.) Office 365 E3 with the Microsoft Teams service plan enabled is added to the group at the same time.

    The problem is that most of our customers have a mix of Office licenses. In order to avoid service plan conflicts and unnecessary license usage, we would need to create a group for each possible combination of the addon and…

    98 votes

    5 comments  ·  Admin Portal
    under review  ·  Azure AD Team responded

    This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

  9. Enable "Owner" attribute for Group Object on Azure AD Connect Sync

    Currently, the group owner on Azure AD Portal is mapped to "Owner" attribute while the Office 365 Admin Portal is mapped to "ManagedBy". For a group which is synced from local AD to the AAD via AAD Connect, there is no way to update the "Owner" attribute on Azure AD.

    AAD Connect does not support the "Owner" attribute for sync, and we can't assign "Owner" on Azure AD as it is a synced object.

    So to resolve this issue, the "Owner" attribute should be supported as an attribute for sync in Azure AD Connect.

    97 votes

    under review  ·  13 comments  ·  Groups/Dynamic groups
  10. Automatically enable MFA for all members of an Azure AD Group.

    Add the ability to automatically enable MFA for all members of an Azure AD group as they are added, in addition ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

    97 votes

    11 comments  ·  Multi-factor Authentication
    under review  ·  Azure AD Team responded

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

  11. Change MFA sender phone number and content

    Currently it is not possible to change the phone number or the content of the SMS used to validate the user's number or for MFA.

    B2C would be more useful for financial and/or government organizations if the MFA had more branding options in order to give peace of mind to wary customers.

    88 votes

    9 comments  ·  B2C

    We’re looking at this feedback and along with work for verification emails, looking to do some work around customization to completely remove the Microsoft brand and allow this depth in customization. Please bear with us as we are looking at how best to prioritize these changes.

    /Sam

  12. Invalidate JWT Token

    Need a way to invalidate JWT tokens that have been issued to a user, to prevent the user from accessing the AAD with the token after issuing the OAuth logout request:
    (https://login.windows.net/{{tenant}}/oauth2/logout?postlogoutredirect_uri={{RedirectUri}})

    86 votes

    4 comments  ·  Other
    under review  ·  Azure AD Team responded

    Thanks for the feedback! We will look into this and share an update when we have more information.

  13. Make an App for AzureAD PIM to activate my roles

    Please make an app for AzureAD PIM to activate my roles - so that admin users who only use portal.office.com need to go into portal.azure.com to activate the PIM roles (like global admin)

    75 votes

    under review  ·  13 comments  ·  Privileged Identity Management
  14. OAuth pre-authentication in Azure Application Proxy

    Currently pre-authentication in Azure Application Proxy implies user interactive logon to Azure AD. It would be great if one could choose an option to pre-authenticate as an application with a token in the same Azure AD tenant (and select an OAuth app which is registered in the same tenant).
    That's very useful when an external application/server accessing an on-prem app via Azure Application Proxy would pre-authenticate with OAuth in Azure AD first and pass this token to AAP.

    74 votes

    4 comments  ·  Application Proxy
  15. Device-level authentication as primary authentication like ADFS 4.0 (Windows 2016) in Azure AD

    It would be AWESOME, if Azure Active Directory would provide device-level authentication as primary authentication like ADFS 4.0 (Windows 2016)

    We need this please!

    73 votes

    3 comments  ·  End user experiences
  16. Set Default Country Code in Azure MFA

    When importing users from AD, if the country code isn't included in the attribute, Azure MFA will set the country code to +1 (USA).
    Can a feature be added to allow the default country code to be set at the global level? So that in our case we could set all numbers to default to +44 (Great Britain).

    73 votes

    7 comments  ·  Multi-factor Authentication
    under review  ·  Azure AD Team responded

    We’ll take this into consideration as we plan new features. In the short term, we are working on Graph APIs that will allow you to change phone numbers in the StrongAuthentication fields.

    Richard

  17. Modern end-user portal

    One of the main blockers to deploy MIM is the lack of a modern end-user facing portal. One doesn't need to port all the functionalities to such a portal straight away, and MPRs, Workflows etc. can stay within an old portal for admins, but users should see a responsive and simple interface (not based on SharePoint).

    70 votes

    1 comment  ·  Microsoft Identity Manager
  18. AAD Password Reset: Possibility for helpdesk for user verification

    We have users which are registered for the Azure AD Password Reset service. They have filled out the security questions and other options for using the AAD Password Reset self-service.

    Sometimes the users have problems using the self-service for different reasons (forgotten smartphone, answers etc.). In this case, they can call the Helpdesk (ServiceDesk) for further assistance. Now, we are looking for a possibility to verify the user who is on the other end of the phone.

    Therefore a feature or possibility for members of the Helpdesk/ServiceDesk to verify the calling person with information are…

    68 votes

    4 comments  ·  Self-Service Password Reset
  19. Support PIM for service principals

    We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

    We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

    This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

    67 votes

    under review  ·  4 comments  ·  Privileged Identity Management
  20. RBAC roles for Viewing/Modifying Authentication Info (MFA)

    Currently, only Global Admins can view and modify the information in a user's account in the Authentication Info fields. This is problematic as we have people performing B2C support that are User Administrators and can't see or update the user's info in these fields to help troubleshoot access issues/MFA issues.

    For users assigned the User Administrator role, allow them to view and modify the Authentication Info fields. They currently see grey fields that are empty.

    67 votes

    22 comments  ·  B2C