Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. MFA as second authentication factor for SSPR

    With SSPR we can activate several authentication methods (office phone, mobile, alternate email, security questions). This is great, but it would be perfect if there would be an extra validation on MFA if the user is enrolled.

    23 votes

    8 comments  ·  Self-Service Password Reset

    Based on the comments, it sounds like the ask is to integrate security questions into MFA. We do not plan to do this at this time. However, we have made mobile app notification and code available for SSPR and have converged the registration and management experiences for SSPR and MFA. You can learn more at aka.ms/securityinfodocs. Thanks!

  2. AADDS: Allow pausing of Domain Services

    On a demo or MSDN subscription I would like to pause Domain Services like I can pause an AD VM. That will save me costs on a demo or development focused Azure subscription. Otherwise, AAD Domain Services uses a significant portion of the $100/month MSDN credit.

    23 votes

    declined  ·  1 comment  ·  Domain Services
  3. Restrict new user signups in an Azure B2C tenant to emails from specific domains.

    Using AADB2C, we have a use case where we would want only users from partner organisations (we have over 200 partners) to create identities in the Azure ADB2C directory. It would be great to allow only signups for users with verified email in specific domains.

    21 votes

    0 comments  ·  B2C
  4. Add permission to create DFS namespace in Azure AD Services

    I'm using Azure Active Directory Domain Services and would like to have the ability to create a DFS namespace in AD.

    18 votes

    declined  ·  5 comments  ·  Domain Services
  5. 18 votes

    declined  ·  1 comment  ·  Domain Services
  6. Provide out of box support for Identity Federation using ACS.

    Provide out of box support for Identity Federation using ACS. Justin Smit already posted a sample "ACS integration with Windows Live ID & Facebook Connect" on his blog and ServerSideWebIdentities.zip is also available for download.

    AppFabric team should generalize this sample and expose endpoints like FaceBookFederation.aspx, GoogleFederation.aspx, MicrosoftActiveDirectoryFederation.aspx right inside AppFabric, not as a sample.

    18 votes

    0 comments
  7. Add the MIMWAL activities into MIM

    The open-sourced MIMWAL activity library should simply be incorporated into the MIM Service to provide much needed functionality.

    16 votes

    0 comments  ·  Microsoft Identity Manager
  8. Make Azure AD Connect compatible with SBS 2011

    The Azure AD Connect tool does not install on SBS 2011. I think that AADConnect should work on SBS 2011 as well. All in all it's just a W2K8.

    16 votes

    declined  ·  5 comments  ·  Azure AD Connect
  9. Enable DirSync two-way password sync for Azure AD Standard

    This is a basic feature that many small and mid-size organizations need without the other bells and whistles included in Azure AD Premium.

    Case in point: the non-profit organization I support has a mix of Office 365 offsite users and traditional onsite users. With DirSync enabled, off-site users without domain-connected clients are restricted from changing their password in OWA. Since they're a non-profit, investing in Azure AD Premium is not cost-effective as most of the features included are overkill for their requirements.

    Thanks for your consideration!

    16 votes

    2 comments  ·  Azure AD Connect

    Thank you for your feedback, but currently we see this as a capability that stays in Premium. For off-site or what we call cloud-only users, you can use Azure AD Basic to enable self-service password reset, but to enable writeback to on-premises Windows Server AD, users would need to have a Premium license.

  10. Reinstate Joiner and other MIM Sync features

    In various scenarios, but especially when in Staging Mode, it is a hindrance that the ways to address data issues invariably presented in the sync service that were once possible in DirSync/FIM/MIM are no longer possible in AADConnect. In particular I am referring to such functions as:
    * changing a disconnector type (via the MIM Joiner tab), and
    * disconnecting a connected object (via the MV object details dialog).

    While I understand architecturally there was a move to remove the Joiner entirely, in a production support scenario I imagine that such features would be of just as much assistance to…

    15 votes

    declined  ·  2 comments  ·  Azure AD Connect
  11. Include password write-back with Office 365

    Currently password write-back requires an AAD Premium license, however as an Office 365 Enterprise customer, there aren't enough additional features to justify the cost of Premium licenses. Password write-back should be included with Office 365 plans, or as a separate license just for that feature that is priced competitively against self-service account management software (e.g. $0.25/user/month)

    15 votes

    52 comments

    The initial suggestion was to include password writeback in Office 365 and this is not in our plans. Password writeback to on premises is an Azure AD Premium feature.
    BUT
    many of the comments below are around changing or resetting the user's password in Office 365, and Password Change for Cloud users is included in all versions of Azure AD and Self Service Password Reset for Cloud users is included in Azure AD Basic, Free, Premium and Office 365. Password Writeback to on premises is an Azure AD Premium feature.

    See the feature comparison table for more information:
    https://www.microsoft.com/en-us/cloud-platform/azure-active-directory-features
    Password management topic on our documentation site:
    https://docs.microsoft.com/en-us/active-directory/active-directory-passwords-getting-started

    / Brjann Brekkan

  12. AAD Connect Version Update RSS feed

    We would like to subscribe to an RSS feed to be informed once a new AAD Connect version is released. Does such a feed already exist, or could you add it to the AAD Connect release web page?

    14 votes

    declined  ·  2 comments  ·  Azure AD Connect
  13. DirectAccess as a Service

    With domain services now providing Kerberos authentication, etc etc, it would be great to be able to deploy DirectAccess in Azure as a service. This would allow for removal of all on prem/iaas components currently required to take advantage of AD based windows management (gpos, etc).

    13 votes

    0 comments  ·  Domain Services
  14. OpenIdConnect: bug in Azure AD SSO Reply URL

    If the reply url contains a # sign, Azure AD doesn't redirect the token back to the configured reply url but to the root.

    Configured reply url: http://localhost:8050/#/login/

    Expected reply url after successful authentication: http://localhost:8050/#/login/?idtoken=eyJ....
    Actual reply url after successful authentication: http://localhost:8050/#idtoken=eyJ

    13 votes

    2 comments  ·  Developer Experiences

    URL fragments in the redirect URL are not supported in OAuth 2.0 (or OpenID Connect).

    The OAuth 2.0 spec (RFC 6749) Section 3.1.2, in reference to the redirection endpoint:

    “The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The endpoint URI MAY include an “application/x-www-form-urlencoded” formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.”

    (https://tools.ietf.org/html/rfc6749#section-3.1.2)

    A second thing I notice is that you seem to be invoking the Implicit Grant flow (“response_type=id_token”, or “response_type=id_token token”), which is why the id_token (and possibly access_token) are being returned as URI fragments (“#id_token=…”) and not query string parameters (“?id_token=…”).

    — Philippe Signoret

  15. API to create ACS namespace programmatically

    Currently there is no way we can create ACS namespace through REST API. It's good if we have this capability exposed through API.

    13 votes

    2 comments
    declined  ·  Anonymous responded

    The Azure Active Directory team has aligned its resources behind services in Azure Active Directory. This effort will eventually replace functionality available in ACS. The blog post – http://blogs.technet.com/b/ad/archive/2013/06/22/azure-active-directory-is-the-future-of-acs.aspx – provides a high-level overview of this transition. The ideas posted around ACS have been collected and passed to the team. We will close out ideas posted around ACS to return votes used on this topic. Please feel free to post additional ideas here, and/or email me directly – robert.faller@microsoft.com.
    The Azure Active Directory team greatly appreciates the feedback. We look forward to hearing from the community as much as possible. It is one of the essential ways we can continue to create and enhance our service offerings to meet your needs. Thank you.

  16. Add control over allowed hosts to ACS crossdomainpolicy.xml

    I think it's great that we finally have support for Flash/Silverlight on the ACS. However, I think the support is poorly implemented.

    The current policy is expressed as

    <cross-domain-policy>
    <allow-access-from domain="" secure="true" />
    <allow-access-from domain="" secure="false" />
    <allow-http-request-headers-from domain="" headers="" secure="true" />
    <allow-http-request-headers-from domain="" headers="" secure="false" />
    </cross-domain-policy>

    I'd prefer to be able to add the domains that can access the service from Flash/SL via the administrative UI since my use cases for ACS are for single applications, not for the world at large.

    13 votes

    0 comments
    declined  ·  Anonymous responded

    The Azure Active Directory team has aligned its resources behind services in Azure Active Directory. This effort will eventually replace functionality available in ACS. The blog post – http://blogs.technet.com/b/ad/archive/2013/06/22/azure-active-directory-is-the-future-of-acs.aspx – provides a high-level overview of this transition. The ideas posted around ACS have been collected and passed to the team. We will close out ideas posted around ACS to return votes used on this topic. Please feel free to post additional ideas here, and/or email me directly – robert.faller@microsoft.com.
    The Azure Active Directory team greatly appreciates the feedback. We look forward to hearing from the community as much as possible. It is one of the essential ways we can continue to create and enhance our service offerings to meet your needs. Thank you.

  17. Include Azure AD Identity Protection with Azure AD Free

    I believe Azure AD Identity Protection should be included with Azure AD Free edition.

    It comes with Azure AD Premium P2 edition and I'm checking out the features for our 20000+ users but the cost will be extremely prohibitive.

    In Free edition there are cut down reports which don't provide any real details on detected risk events. Surely it's in everyone's interest to make freely available all features which allow detection, investigation and remediation of potential vulnerabilities affecting identities.

    11 votes

    1 comment  ·  Identity Protection

    Unfortunately, it is not in the direction of the product to give full Identity Protection to free customers as this is a premium (P2) feature. We do provide some limited reports to give basic risk information for non-P2 customers, but full Identity Protection is and will remain a premium (P2) feature.

  18. Replace on-premises based AD with AADDS

    I read through with great interest the AADDS public preview use cases and documentation. It looks nice but for a very limited set of use cases. I do like the pricing.

    I would like to replace existing non-AD LDAP servers with AADDS and have both on-prem and cloud based apps do authentication from one common source. Turns out this isn't possible at all.

    I would like to have encryption for all requests to the AADDS, always.

    Additionally I would like to add attributes to the schema, if at all possible.

    I would like to AADDS join all windows devices to…

    11 votes

    declined  ·  1 comment  ·  Domain Services
  19. AADDS: Remove username collision limitation

    If you have joe@mydomainusa.com and a different user that's joe@mydomaincanada.com all in the same AAD, when you enable Domain Services, only one user will function since only one user gets MYDOMAIN\joe as its username. Please remove this limitation.

    11 votes

    declined  ·  2 comments  ·  Domain Services
  20. B2C and B2B in SharePoint 2013

    I am interested in using B2C and B2B authentication use cases to access SharePoint 2013. Please provide functionality and instruction.

    11 votes

    3 comments  ·  B2C