Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Custom password complexity

    Allow the ability to set different password complexities for local accounts in a B2C tenant.

    116 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  2. Restricting Access Of Azure Service Principals – Using Conditional Access

    If anyone has the below information, can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md

    >

    Best possible scenario is to restrict is using RBAC. Agreed.
    An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
    Can MS look into this please.
    I had raised case with MS…

    112 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  3. Add support for Kerberos AES and drop RC4_HMAC_MD5

    Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature&quot; the "Seamless SSO uses the RC4HMACMD5 encryption type for Kerberos."
    Please add support for modern ciphers and drop that obsolete RC4_MD5!

    110 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  4. Allow Azure AD to Azure AD Trust

    Add the ability to trust another 365 tenant like exists with on prem active directory. The scenario is a company that has an establish 365 acquires another company that has a 365 environment. In a on prem scenario a domain trust would be put in place, however federation and external user access is the only options. This capability needs to be in place for Azure AD to trust another Azure AD.

    92 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →

    We’re working on a few features in this space that will likely help address this scenario but don’t have an ETA yet to share. Thanks to the folks who have added additional details of what they’re looking for, and if you have more scenarios for how this capability could help you please do add them as comments.

    Thanks,
    Elisabeth

  5. Show location for Azure AD sign-ins from IPv6 addresses

    Please add location information to sign-ins from IPv6 addresses. Currently there is no location information associated with IPv6 so it is circumventing all the Azure AD Identity Protections you have in place.

    84 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    29 comments  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →
    started  ·  Azure AD Team responded

    Thanks for your feedback, folks. We have been working towards resolving the locations for IPv6 logins. Currently, a subset of such logins are getting resolved for location and the % will gradually go up. Are you seeing some of your IPv6 logins with resolved location?

  6. B2B Scenario - the B2B Guest User should use the MFA or their autheticating tenant

    In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA ot access this information.
    The B2B user would need to enroll into the MFA for my tenant, even though he already is setup to use MFA in his tenant. This would result in multiple Authenticator accounts for the same orignal Azure Account.
    I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.

    83 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →
  7. Provide "Conditional Access" on a SharePoint Online Site Collection Level

    It would be great, if any future "Conditional Access" provided for SharePoint Online could be done on a per. Site Collection Level.

    Talk to the SharePoint Online team regarding this

    73 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  5 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  8. 70 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  9. Delegate permissions to remove devices

    The user role User administrator is not able to remove users registered device objekts in Azure AD. I think that roles should be granted that permisson.
    Or create an addiotional role that have the permission to remove device objects in Azure AD.

    69 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →
  10. We need to be able to manage Azure AD helpdesk administration & other administration roles via on-prem AD groups

    One Item I would like corrected \ added as a feature.
    We need to be able to manage Azure AD helpdesk administration & other administration roles via on-prem AD groups. Currently we need to add users individually to each of the various roles. Helpdesk is a good example of this as many people come & go from this role & we need to add and remove users individually to the Azure AD Helpdesk administration role. If we had a AD group (example: Servicedesk AD group) with all members of the helpdesk in there, we just have to manage this group…

    64 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →

    Hi,
    Assigning cloud groups to built-in roles is in public preview starting today. Here’s the published documentation -

    https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept

    https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

    We will get started on on-prem groups shortly. Stay tuned!

    Regards,
    Abhijeet Kumar Sinha
    Azure Active Directory Team

  11. Azure AD Connect has limitation to sync 50k members in any group as per Microsoft article. But it does not sync 50k members if count is more

    Azure AD Connect has limitation to sync 50k members in any group as per Microsoft article. But it does not sync 50k members if count is more. We Synced 65K members out of which it only synced 29K. When it reached 29K it recognized the member count is more than 50 and it stopped syncing members. It should atleast sync 50K members and then stop.

    63 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →

    e cannot share any timelines right now. Our first iteration is to deploy and use a new service end point that would eventually be able to handle larger groups. It will likely take several months to get this deployed and tested before we can take a next step, which would be to increase the group size limit – probably to 250K members.
    If you want to be part of the private preview program, please reach out to me: rodejo@microsoft.com

  12. Link a connector to a different Application Proxy service region.

    We have AAD Application Proxy Connectors installed in both Australia and Singapore however the Azure AD tenant in Australia so all traffic has to loop via the Australian Application Proxy Service.

    This is a problem for our Indonesian users. We setup servers and AADAP connectors in Azure Singapore with the expectation it would provide low latency to Indonesia but that is not the case.

    Please allow us to associate a Connector Group with a specific region so that the connectors and applications linked to the connector group are routed via the expected Application Proxy service region.

    63 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →

    Hi everyone,

    We are currently developing a solution to allow you to assign a region to applications outside the region of your home tenant. By doing this, connector groups will talk to the App Proxy region specified. Please continue to share your scenarios to make sure we are taking into account these cases.
    We will update once we have a better idea for a release date.

    Send a note to aadapfeedback@microsoft.com if you have questions or want to send feedback directly to us.

    Thanks,
    Jasmine

  13. 62 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  7 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  14. Azure MFA Trusted IP limitation of 50 address ranges

    Currently per the article: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next the Trusted IP for configuration "For requests from a specific range of public IPs" is restricted to a hard limit of 50 IP Address ranges.

    Please provide the ability to extend this number as there are companies like ours where the limit of 50 IP Address ranges makes this not usable for production environments.

    59 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Enable change a password when is set with the flag ForceChangePasswordNextSignin on Active Directory on premises

    We will like to change a password from AAD when the account have the flag ForceChangePasswordNextSignin ON in Active Directory on premises.

    58 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  16. Add more attributes to AADDS

    Expand the attributes that are syncd with AADDS and available via LDAPS. The one I'm specifically interested in at the moment is the Manager attribute, but others are important too.

    58 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    14 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →

    Hi all,

    We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!

    Erin Greenlee
    Program Manager
    IAM Core | Domain Services

  17. Allow 3rd party MFA with PIM

    Azure conditional access policies allow for 3rd party MFA, such as Duo, but Azure PIM does not allow this level of customization with the "Require MFA" configuration for a PIM role. This means that we need to manage 2 different MFA platforms if we're going to leverage both Duo MFA and Azure PIM for security. I'd like the ability to use Duo MFA when activating a PIM role.

    57 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  4 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  18. PIM in Office 365 Admin Portal

    Will be nice, if Azure AD PIM funcionality and user and admin controls will be somewhere accessible also from Office 365 Admin Portal, not only Azure Portal.

    For example, if PIM is enabled for user and he has not proper rights and go to Admin Center, he is automatically redirected to PIM console.

    57 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  7 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  19. Abilty to sort Conditional Access Policies alphabetically

    It would be usefull to be able to sort Conditional Access Policies alphabetically.

    So, for example if the naming conventon starts with ALLOW: or BLOCK: then when you create new ones and sort alphabetically they will all be in the right order. Right now they are listed in the order of creation.

    56 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  9 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  20. Add report for Extranet Lockout Protection - Account Lockout

    Add a new report to Azure AD Connect Health that allows support staff to see which accounts are locked out by ADFS Extranet Lockout Protection.

    55 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  2 comments  ·  Azure AD Connect Health  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base