Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Powershell Enable PIM Role Assignment

    We plan to utilize PIM for Azure Resources (Resource Groups), however it is currently not possible to automate through PowerShell. It would be nice if existing Roles could be made eligible and configured with their settings through PowerShell when creating resources/resource groups through PowerShell.

    110 votes
    started  ·  7 comments  ·  Privileged Identity Management
  2. Add support for Kerberos AES and drop RC4_HMAC_MD5

    Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature": "Seamless SSO uses the RC4_HMAC_MD5 encryption type for Kerberos."
    Please add support for modern ciphers and drop that obsolete RC4_MD5!

    92 votes
    11 comments  ·  Azure AD Connect
  3. Allow Azure AD to Azure AD Trust

    Add the ability to trust another 365 tenant, like exists with on-prem Active Directory. The scenario is a company that has an established 365 and acquires another company that has a 365 environment. In an on-prem scenario a domain trust would be put in place; however, federation and external user access are the only options. This capability needs to be in place for Azure AD to trust another Azure AD.

    75 votes
    4 comments  ·  B2B

    We’re working on a few features in this space that will likely help address this scenario but don’t have an ETA yet to share. Thanks to the folks who have added additional details of what they’re looking for, and if you have more scenarios for how this capability could help you please do add them as comments.

    Thanks,
    Elisabeth

  4. 68 votes
    3 comments  ·  B2C
  5. Delegate permissions to remove devices

    The user role User administrator is not able to remove users' registered device objects in Azure AD. I think that role should be granted that permission.
    Or create an additional role that has the permission to remove device objects in Azure AD.

    67 votes
    18 comments  ·  Domain Join
  6. Azure AD Connect has a limitation to sync 50k members in any group as per the Microsoft article. But it does not sync 50k members if the count is more

    Azure AD Connect has a limitation to sync 50k members in any group as per the Microsoft article. But it does not sync 50k members if the count is more. We synced 65K members, out of which it only synced 29K. When it reached 29K it recognized the member count is more than 50 and it stopped syncing members. It should at least sync 50K members and then stop.

    60 votes
    8 comments  ·  Azure AD Connect

    We cannot share any timelines right now. Our first iteration is to deploy and use a new service end point that would eventually be able to handle larger groups. It will likely take several months to get this deployed and tested before we can take a next step, which would be to increase the group size limit – probably to 250K members.
    If you want to be part of the private preview program, please reach out to me: rodejo@microsoft.com

  7. We need to be able to manage Azure AD helpdesk administration & other administration roles via on-prem AD groups

    One item I would like corrected / added as a feature.
    We need to be able to manage Azure AD helpdesk administration & other administration roles via on-prem AD groups. Currently we need to add users individually to each of the various roles. Helpdesk is a good example of this, as many people come & go from this role & we need to add and remove users individually to the Azure AD Helpdesk administration role. If we had an AD group (example: Servicedesk AD group) with all members of the helpdesk in there, we would just have to manage this group…

    59 votes
    4 comments  ·  Role-based Access Control

    Hi,
    Assigning cloud groups to built-in roles is in public preview starting today. Here’s the published documentation -

    https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept

    https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

    We will get started on on-prem groups shortly. Stay tuned!

    Regards,
    Abhijeet Kumar Sinha
    Azure Active Directory Team

  8. Link a connector to a different Application Proxy service region.

    We have AAD Application Proxy Connectors installed in both Australia and Singapore; however, the Azure AD tenant is in Australia, so all traffic has to loop via the Australian Application Proxy Service.

    This is a problem for our Indonesian users. We set up servers and AADAP connectors in Azure Singapore with the expectation it would provide low latency to Indonesia, but that is not the case.

    Please allow us to associate a Connector Group with a specific region so that the connectors and applications linked to the connector group are routed via the expected Application Proxy service region.

    56 votes
    6 comments  ·  Application Proxy

    Hi everyone,

    We are currently developing a solution to allow you to assign a region to applications outside the region of your home tenant. By doing this, connector groups will talk to the App Proxy region specified. Please continue to share your scenarios to make sure we are taking into account these cases.
    We will update once we have a better idea for a release date.

    Send a note to aadapfeedback@microsoft.com if you have questions or want to send feedback directly to us.

    Thanks,
    Jasmine

  9. Add more attributes to AADDS

    Expand the attributes that are synced with AADDS and available via LDAPS. The one I'm specifically interested in at the moment is the Manager attribute, but others are important too.

    55 votes
    14 comments  ·  Domain Services

    Hi all,

    We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!

    Erin Greenlee
    Program Manager
    IAM Core | Domain Services

  10. Enable changing a password when the ForceChangePasswordNextSignin flag is set in on-premises Active Directory

    We would like to change a password from AAD when the account has the ForceChangePasswordNextSignin flag ON in on-premises Active Directory.

    54 votes
    2 comments  ·  Azure AD Connect
  11. Show location for Azure AD sign-ins from IPv6 addresses

    Please add location information to sign-ins from IPv6 addresses. Currently there is no location information associated with IPv6 so it is circumventing all the Azure AD Identity Protections you have in place.

    53 votes
    14 comments  ·  Identity Protection
    started  ·  Azure AD Team responded

    Thanks for your feedback, folks. We have been working towards resolving the locations for IPv6 logins. Currently, a subset of such logins are getting resolved for location and the % will gradually go up. Are you seeing some of your IPv6 logins with resolved location?

  12. Add report for Extranet Lockout Protection - Account Lockout

    Add a new report to Azure AD Connect Health that allows support staff to see which accounts are locked out by ADFS Extranet Lockout Protection.

    52 votes
    started  ·  2 comments  ·  Azure AD Connect Health
  13. Azure MFA Trusted IP limitation of 50 address ranges

    Currently, per the article https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next, the Trusted IPs configuration "For requests from a specific range of public IPs" is restricted to a hard limit of 50 IP address ranges.

    Please provide the ability to extend this number as there are companies like ours where the limit of 50 IP Address ranges makes this not usable for production environments.

    50 votes
    17 comments  ·  Multi-factor Authentication
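    Added example (not part of this idea or of any Microsoft code): until the limit is raised, the practical workaround is to make sure the list you submit is already minimal. The code below merges overlapping and adjacent ranges and re-emits them as the fewest aligned CIDR blocks, for both IPv4 and IPv6, and reports whether the result fits under a cap. The cap value is the 50 quoted in the post; the sample ranges are constructed and not a real tenant's list.

```javascript
// Added example: collapse a list of public IP ranges into the minimum set of
// CIDR blocks so it fits a per-tenant cap such as the Trusted IPs limit.
// All arithmetic uses BigInt so IPv4 and IPv6 share one code path.
const TRUSTED_IP_RANGE_LIMIT = 50; // the hard limit quoted in the post

function ipv4ToBigInt(addr) {
  const octets = addr.split('.');
  if (octets.length !== 4) throw new Error(`bad IPv4 address ${addr}`);
  let n = 0n;
  for (const o of octets) {
    if (!/^\d{1,3}$/.test(o) || Number(o) > 255) throw new Error(`bad IPv4 address ${addr}`);
    n = (n << 8n) | BigInt(Number(o));
  }
  return n;
}

// Accepts hex groups with at most one '::'; embedded dotted-quad IPv4
// (::ffff:1.2.3.4) is deliberately not handled in this example.
function ipv6ToBigInt(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error(`bad IPv6 address ${addr}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) throw new Error(`bad IPv6 address ${addr}`);
  let n = 0n;
  for (const g of [...head, ...Array(missing).fill('0'), ...tail]) {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`bad IPv6 address ${addr}`);
    n = (n << 16n) | BigInt(parseInt(g, 16));
  }
  return n;
}

const bigIntToIpv4 = (n) => [24n, 16n, 8n, 0n].map((s) => ((n >> s) & 255n).toString()).join('.');

function bigIntToIpv6(n) {
  const groups = [];
  for (let i = 7; i >= 0; i--) groups.push(((n >> BigInt(i * 16)) & 0xffffn).toString(16));
  // Compress the longest run of zero groups, as RFC 5952 recommends.
  let best = { at: -1, len: 0 }, cur = { at: -1, len: 0 };
  groups.forEach((g, i) => {
    if (g !== '0') { cur = { at: -1, len: 0 }; return; }
    if (cur.at < 0) cur = { at: i, len: 0 };
    cur.len += 1;
    if (cur.len > best.len) best = { ...cur };
  });
  if (best.len < 2) return groups.join(':');
  return `${groups.slice(0, best.at).join(':')}::${groups.slice(best.at + best.len).join(':')}`;
}

// Parse "addr/len" (or a bare host) into an inclusive [start, end] interval.
function parseCidr(cidr) {
  const [addr, lenStr, ...rest] = cidr.trim().split('/');
  if (rest.length) throw new Error(`bad CIDR ${cidr}`);
  const family = addr.includes(':') ? 6 : 4;
  const bits = family === 6 ? 128 : 32;
  if (lenStr !== undefined && !/^\d+$/.test(lenStr)) throw new Error(`bad prefix length in ${cidr}`);
  const len = lenStr === undefined ? bits : Number(lenStr);
  if (len > bits) throw new Error(`bad prefix length in ${cidr}`);
  const n = family === 6 ? ipv6ToBigInt(addr) : ipv4ToBigInt(addr);
  const hostBits = BigInt(bits - len);
  const start = (n >> hostBits) << hostBits; // zero the host bits
  return { family, bits, start, end: start | ((1n << hostBits) - 1n) };
}

// Split an inclusive interval into the fewest aligned CIDR blocks.
function rangeToCidrs(start, end, bits) {
  const blocks = [];
  for (let cur = start; cur <= end; ) {
    let hostBits = 0;
    // Grow the block while it stays aligned to its size and inside [cur, end].
    while (hostBits < bits) {
      const size = 1n << BigInt(hostBits + 1);
      if ((cur & (size - 1n)) !== 0n || cur + size - 1n > end) break;
      hostBits += 1;
    }
    blocks.push({ start: cur, len: bits - hostBits });
    cur += 1n << BigInt(hostBits);
  }
  return blocks;
}

// Merge overlapping/adjacent ranges per family, then re-emit as CIDR strings.
function collapseRanges(cidrs) {
  const byFamily = { 4: [], 6: [] };
  for (const c of cidrs) { const r = parseCidr(c); byFamily[r.family].push(r); }
  const out = [];
  for (const fam of [4, 6]) {
    const sorted = byFamily[fam].sort((a, b) => (a.start < b.start ? -1 : a.start > b.start ? 1 : 0));
    const merged = [];
    for (const r of sorted) {
      const last = merged[merged.length - 1];
      if (last && r.start <= last.end + 1n) { if (r.end > last.end) last.end = r.end; }
      else merged.push({ start: r.start, end: r.end, bits: r.bits });
    }
    for (const m of merged)
      for (const b of rangeToCidrs(m.start, m.end, m.bits))
        out.push(`${fam === 4 ? bigIntToIpv4(b.start) : bigIntToIpv6(b.start)}/${b.len}`);
  }
  return out;
}

function fitsTrustedIpLimit(cidrs, limit = TRUSTED_IP_RANGE_LIMIT) {
  const collapsed = collapseRanges(cidrs);
  return { before: cidrs.length, after: collapsed.length, fits: collapsed.length <= limit, collapsed };
}

// Constructed sample: overlapping and adjacent egress ranges as an admin might
// have collected them from several offices. Not a real tenant's list.
const SAMPLE_RANGES = [
  '203.0.113.0/26', '203.0.113.64/26', '203.0.113.128/25',
  '198.51.100.0/24', '198.51.100.0/25',
  '192.0.2.8/30', '192.0.2.12/30', '192.0.2.0/29',
  '2001:db8:1::/48', '2001:db8::/48',
];

module.exports = { parseCidr, collapseRanges, fitsTrustedIpLimit, SAMPLE_RANGES, TRUSTED_IP_RANGE_LIMIT };
```

    Running fitsTrustedIpLimit over the sample turns ten entries into four. If a list still does not fit after collapsing, the remaining option is to widen prefixes, which also admits addresses you do not control; treat that as a policy decision, not a formatting one.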
  14. Add CORS support for discovery and JSON Web Key Set endpoints

    Adding CORS support to the following endpoints would allow them to be downloaded via a JavaScript application:
    - https://login.microsoftonline.com/<tenantid>/v2.0/.well-known/openid-configuration
    - https://login.microsoftonline.com/<tenantid>/discovery/v2.0/keys

    The signing keys from these endpoints could then be used to verify JWTs directly within the JavaScript.

    49 votes
    9 comments  ·  Developer Experiences
  15. PIM in Office 365 Admin Portal

    It would be nice if Azure AD PIM functionality and the user and admin controls were also accessible from the Office 365 Admin Portal, not only the Azure Portal.

    For example, if PIM is enabled for a user and he does not have the proper rights and goes to the Admin Center, he is automatically redirected to the PIM console.

    47 votes
    started  ·  7 comments  ·  Privileged Identity Management
  16. Add a common (multi-tenant) Azure AD Identity Provider

    An IdP that can be used to set up the AAD "common" tenant, which does home realm discovery (the customer types in their email address and the real tenant is looked up) to find the actual AAD tenant. This would allow any customer with an AAD account in any AAD tenant (that has not disallowed it to be used with the common tenant) to authenticate.

    46 votes
    3 comments  ·  B2C
  17. Allow Applications to be added to AD Security Groups

    See https://stackoverflow.com/questions/47762262/add-aad-application-as-a-member-of-a-security-group

    Basically allow adding Service Principals (i.e. Applications) into AD Security Groups just like User Principals are allowed today.

    45 votes
    5 comments  ·  Role-based Access Control
  18. 44 votes
    4 comments  ·  B2C
  19. AADB2C: Add multiple reply URLs with the same domain

    If you create an Azure Active Directory B2C and then add an Application for your Web API, your Web API will only be able to receive tokens from a client that shares the same Application ID.

    Currently, building a Web API that is accessed from several different clients is not supported.

    This means that if you want to add different clients, you can configure them with the restriction that redirect URLs must all belong to the same domain.

    But when you try to add them, for example:
    https://client1.domain.com

    https://client2.domain.com

    I receive an error saying that the reply URLs are not…

    44 votes
    13 comments  ·  B2C

    It is possible to add multiple reply URLs within the same domain, unfortunately the experience is a bit clunky and we’re working on fixing this.

    At this time, in order to achieve a setup with client1.domain.com and client2.domain.com as redirect URIs, you must first add the overarching domain as a redirect URI and then add the sub-domains, like so:

    1) https://domain.com
    2) https://client1.domain.com
    3) https://client2.domain.com

    Check out this article for more info:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-limitations#restrictions-on-redirect-uris

  20. Access Reviews: Apply to new groups and/or multiple groups

    It would be VERY beneficial to apply an Access Review policy to new groups as they are created, eliminating the management overhead of creating new policies AFTER each group is created.
    Also, if an Access Review Policy could be applied to multiple groups at a time, Access Review management overhead would be reduced.

    43 votes
    6 comments  ·  Access Reviews