Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. banned password message azure ad password protection

    Add a GPO or client to Windows Client for Azure AD Password Protection to display the corporate password policy on login when users change their password and it's banned. Give on-prem users feedback on what they can and cannot use if they put a bad one in.

    58 votes
    5 comments  ·  Identity Protection
  2. Add PowerShell module for MIM Service and Synchronization Service

    Provide an efficient way for FIM/MIM admins to automate some daily tasks and troubleshooting as well.

    57 votes
    4 comments  ·  Microsoft Identity Manager
  3. Support Hybrid AD join when using VDI

    Please support Hybrid AD join when using VDI to deal with conditional access policy.

    56 votes
    9 comments  ·  Domain Join
  4. Use Seamless SSO in AADDS environments.

    At the moment, having seamless SSO in Azure Active Directory Domain Services doesn't work. Logically, this feature should be automatic...

    At the moment, you can join a machine to AADDS domain, and log in to it with Azure AD credentials. But users still need to sign in manually to Office.com, office apps, etc.

    This is extremely important in a AADDS Windows Virtual Desktop scenario (where Microsoft Office is hosted as RemoteApps). To access Office, users will need to log in to WVD, then AGAIN into the remoteapp host itself, and AGAIN into the Microsoft Office apps - all with the…

    55 votes
    under review  ·  14 comments  ·  Domain Services
  5. Azure AD B2C Support Social IDP Profile Picture

    Add support for a built-in attribute type for storing a profile picture URL. Azure AD B2C should then store the profile picture URL as a user attribute when signing in with a social provider. This attribute can then be selected as an application claim attribute so applications can have access to social provider profile pictures. The attribute should also update on any subsequent successful sign in attempts when there is an updated profile picture from the social provider.

    Alternatively, just update AD B2C to set the user's social profile picture as the AD thumbnail photo when creating an account.

    54 votes
    4 comments  ·  B2C

    Although we do not directly support this feature, there is a new workaround available which is to use the IdP token (like Facebook’s token) to grab the profile photo. You can do this by calling Facebook directly from the app using the facebook token.

    Azure AD B2C now allows the access tokens of OAuth 2.0 identity providers to be passed as a claim in the B2C token. Please try it out (see instructions below) and give us feedback at aadb2cpreview@microsoft.com.

    User flows (built-in policies)

    https://docs.microsoft.com/azure/active-directory-b2c/idp-pa

    Custom policies

    https://docs.microsoft.com/azure/active-directory-b2c/idp-pass-through-custom

  6. SCOM Management Pack for Azure AD Connect

    Please create a management pack for SCOM to monitor AAD Connect, including the Pass-through authentication functionality. This is a critical component in the Microsoft cloud ecosystem. All on-prem products are supposed to be shipped with a SCOM management pack for monitoring them. This has been in prod for years and it is still missing.

    And no, AD Connect health does not cut it. For example, it does not even send an alert email when the "Microsoft AAD Application Proxy Connector" is not running.

    53 votes
    5 comments  ·  Azure AD Connect Health
  7. Force admins to verify via MFA with every activation request

    If PIM role activation requires MFA verification the MFA back-end will abide by the "Don't prompt me again for X days" option which results in admins not being prompted to verify for a role activation.

    PIM should allow for the ability to ignore this setting and prompt admins every time they activate an admin role even though they may not have been prompted when logging into the Azure portal. Placing the MFA gate in front of admin role activation is the whole point to PIM.

    52 votes
    under review  ·  4 comments  ·  Privileged Identity Management
  8. OAuth pre-authentication in Azure Application Proxy

    Currently pre-authentication in Azure Application Proxy implies user interactive logon to Azure AD. It would be great if one could choose an option to pre-authenticate as an application with a token in the same Azure AD tenant (and select an OAuth app which is registered in the same tenant).
    That's very useful when an external application/server accessing an on-prem app via Azure Application Proxy would pre-authenticate with OAuth in Azure AD first and pass this token to AAP.

    51 votes
    2 comments  ·  Application Proxy
  9. Allow BambooHR to write to AD Azure when a new starter is created so it creates a new user. HRaaM.

    Okta has the ability to use HR as a source of truth and is really engaging with HR as a master for AD. I know Bamboo can do that with Okta and Workday can as well. This would be a great way to have a flawless clear process using HR systems. From recruiting, to creating an employee in the system and then pushing it to AD Azure. Otherwise it's better to go with Okta. Higher price point but lower risk.

    51 votes
    7 comments  ·  Provisioning from Cloud HR
  10. Provide MIM Portal to authenticate by SAML or any other federation standard.

    Add SAML or WS-* support to MIM Portal to authenticate in a federated scenario and remove the account dependency from any local Active Directory.

    51 votes
    1 comment  ·  Microsoft Identity Manager
  11. SSPR configurable password policy text window (for tenants using ADFS/write-back)

    We have Azure AD using ADFS, so SSPR is using password write-back.

    We have a 3rd party password filter implemented on-prem because built-in password policies are so poor (complexity enabled with fine-grained password policies still allows passwords like "Password1", "Microsoft1", etc)

    While Azure AD has added some smarts to block "bad" passwords (good job!) - on-prem AD doesn't, which means we can't rely purely on new password filtering functionality in Azure AD.

    The end result is that SSPR is very frustrating to use, because it carries no information about what the on-prem password policy requirements are.

    Please provide a custom…

    51 votes
    8 comments  ·  Self-Service Password Reset
  12. Add Shibboleth to the set of authentication protocols

    At present Azure AD can authenticate to SaaS using SAML, OAuth etc. Many academic institutions use Shibboleth which is based on SAML. Currently this means that they have to maintain a separate Shibboleth service in addition to AD FS (if using that for authentication). If a Shibboleth service could be added to Azure AD this would reduce the hardware/software complexity on-site and allow more Universities to take advantage of the Cloud Identity provided by Azure. Shibboleth is generally used to access shared education services, journals and other shared services.

    48 votes
    under review  ·  15 comments  ·  Authentication
  13. Managed Service Identity support for containers.

    We currently are moving towards containerization of applications using service fabric. Is it possible to enable MSI extension for VM on host and then consume the service from the container?

    47 votes
    3 comments  ·  Developer Experiences
  14. Can Azure AD Application Proxy be used for publishing Exchange on-premise

    Can Azure AD Application Proxy be used for publishing Exchange on-premise (2013 / 2016)? I have come across guidelines for SharePoint and RD Gateway on https://blogs.technet.microsoft.com/applicationproxyblog/, however I am not able to find them for Exchange.

    46 votes
    6 comments  ·  Application Proxy
  15. MIM Service REST API

    Provide a REST API for the core MIM Service as they did for Certificate Management and also Privileged Access Management.

    45 votes
    2 comments  ·  Microsoft Identity Manager
  16. Adding YubiKey Support to Azure AD and Edge on iOS/iPadOS

    YubiKey's 5Ci security keys allow password-less authentication via Lightning connector. It's the first security key that can plug into an iPhone or iPad Lightning port and a USB-C port. Several apps support authentication, such as Brave, a browser app based on Chromium.
    https://brave.com/partnership-with-yubico/

    It would be great if Azure Active Directory and Edge supported the YubiKey for password-less authentication.

    There is also an upcoming SDK to support the new NFC authentication capabilities in iOS. This will allow FIDO2 authentication over NFC and Lightning as well.
    https://www.yubico.com/2019/09/yubico-ios-authentication-expands-to-include-nfc/

    43 votes
    5 comments  ·  Passwordless
  17. RBAC permissions to see Application Gateway Backend Health

    The RBAC 'reader' and 'monitoring reader' roles do not allow users with those permissions to see the backend health.
    The error is: the client 'user' does not have authorisation to perform action '/Microsoft.Network/applicationGateways/backendhealth/action' over scope 'subscription...resourceGroups/providers/Microsoft.Network/applicationGateways/applicationgatewayane'
    Is it possible to modify the reader / monitoring reader permissions so that viewing the backend health status is allowed for those roles, and/or advise of a read-only role that allows this, as we don't want to grant users modify access to the application gateways just to enable them to see backend health.

    43 votes
    13 comments  ·  Role-based Access Control
  18. Implement a way to manually initiate dynamic device group membership evaluations

    Currently, there is no SLA/timeframe on when dynamic AAD device groups evaluate memberships.

    Here are the recommended troubleshooting steps for these groups not populating, straight from the Azure portal:
    "Please allow time for the group to populate. Depending on the size of your tenant, the group may take up to 24 hours for populating for the first time or after a rule change."

    If admins are using dynamic AAD device groups for any sort of application deployment or policy targeting, waiting up to 24 hours may not be reasonable. It would be very helpful if there was a way to…

    43 votes
    4 comments  ·  Groups/Dynamic groups

    Thank you for your feedback. This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

    In the interim, we’ve added the ability to view the processing status for the dynamic membership rule of a group in the Azure Admin portal. This is not providing an SLA for the rule evaluation, however, it does provide information including that the processing is complete.

  19. Customizable Password Policy and Account Locking Features

    1. Configurable password requirements (e.g., complex passwords, password length, character limitations etc)

    2. Configurable number of attempts before Account is locked

    43 votes
    8 comments  ·  End user experiences

    Hey folks, thanks for the interest in this, and we have some good news to share. Configurable lockout is in development now (mostly done, actually) and we’re aiming for June or July public preview.

    For configurable password complexity, length, etc, we hear you. Longer passwords are in planning now, and we’re thinking about our approach to how we want to enable the other configurability features. I don’t have any more details to share on this for now, but we do have interest in building features.

  20. Azure AD Join - Password Change At Logon

    When a user's password expires or has been set to change at next logon, they are unable to log on to Azure AD Joined machines; there is no 'password must be changed' dialog as there is with local AD. Can this please be added?

    42 votes
    6 comments  ·  Domain Join