Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add support for webhooks when users are invited, added, removed from Azure AD + Azure AD B2B Collaboration

    Currently it is not possible to receive a notification from Azure AD when a user has been invited (through B2B Collaboration) or added directly through Graph API or the portal.

    67 votes

    6 comments · Developer Experiences
  2. Banned password message for Azure AD Password Protection

    Add a GPO or client to the Windows client for Azure AD Password Protection to display the corporate password policy on login when users change their password and it is banned. Give on-prem users feedback on what they can and cannot use if they put a bad one in.

    64 votes

    6 comments · Identity Protection
  3. Force admins to verify via MFA with every activation request

    If PIM role activation requires MFA verification the MFA back-end will abide by the "Don't prompt me again for X days" option which results in admins not being prompted to verify for a role activation.

    PIM should allow for the ability to ignore this setting and prompt admins every time they activate an admin role, even though they may not have been prompted when logging into the Azure portal. Placing the MFA gate in front of admin role activation is the whole point of PIM.

    62 votes

    under review · 6 comments · Privileged Identity Management
  4. SSPR configurable password policy text window (for tenants using ADFS/write-back)

    We have Azure AD using ADFS, so SSPR is using password write-back.

    We have a 3rd party password filter implemented on-prem because the built-in password policies are so poor (complexity enabled with fine-grained password policies still allows passwords like "Password1", "Microsoft1", etc.).

    While Azure AD has added some smarts to block "bad" passwords (good job!), on-prem AD doesn't, which means we can't rely purely on the new password filtering functionality in Azure AD.

    The end result is that SSPR is very frustrating to use, because it carries no information about what the on-prem password policy requirements are.

    Please provide a custom…

    62 votes

    8 comments · Self-Service Password Reset
  5. SCOM Management Pack for Azure AD Connect

    Please create a management pack for SCOM to monitor AAD Connect, including the Pass-through authentication functionality. This is a critical component in the Microsoft cloud ecosystem. All on-prem products are supposed to be shipped with a SCOM management pack for monitoring them. This has been in prod for years and it is still missing.

    And no, AD Connect health does not cut it. For example, it does not even send an alert email when the "Microsoft AAD Application Proxy Connector" is not running.

    60 votes

    5 comments · Azure AD Connect Health
  6. Support Hybrid AD join when using VDI

    Please support Hybrid AD join when using VDI to deal with conditional access policy.

    59 votes

    9 comments · Domain Join
  7. Add PowerShell module for MIM Service and Synchronization Service

    Provide an efficient way for FIM/MIM admins to automate some daily tasks and troubleshooting as well.

    59 votes

    4 comments · Microsoft Identity Manager
  8. Allow extensibility of portal through the use of custom controls

    There are some business scenarios which currently cannot be built in the FIM portal due to the limited set of Uoc controls available, and their lack of customization. This leads to external tools needing to be made, fracturing the experience for FIM users. Allowing the Uoc base control to be made public and inheritable opens up scenarios for controls with extended validations, external lookups, code behind, and much more.

    59 votes

    0 comments · Microsoft Identity Manager
  9. Allow BambooHR to write to Azure AD when a new starter is created so it creates a new user (HR as a master).

    Okta has the ability to use HR as a source of truth and is really engaging with HR as a master for AD. I know Bamboo can do that with Okta, and Workday can as well. This would be a great way to have a flawless, clear process using HR systems: from recruiting, to creating an employee in the system, and then pushing it to Azure AD. Otherwise it's better to go with Okta. Higher price point but lower risk.

    58 votes

    8 comments · Provisioning from Cloud HR
  10. Support for Workday "Integration System" custom attributes

    Sourced from https://github.com/MicrosoftDocs/azure-docs/issues/21671

    Adjust Workday web service call (get_workers) by adding a reference criteria call

    As an AD Admin, I would like the Azure AD Workday connector to support "integration system" attributes which are retrieved through special modification to the Get_Workers() API call.

    It would be beneficial if the web service call for workers could be adjusted to call another integration to get values that the normal API call won't get.
    Example: Some values needed or recommended for provisioning might be part of custom objects or derived from other objects in Workday.
    What I propose is that you at least…

    57 votes

    4 comments · Provisioning from Cloud HR
  11. Add passwordless sign-in for Apple Watch

    The passwordless sign-in option only works with the Authenticator app on the phone and not on the Apple Watch ("Request type not supported on your watch"). It would be most convenient to have this supported on the Apple Watch as well.

    55 votes

    11 comments · Passwordless
  12. Azure AD B2C Support Social IDP Profile Picture

    Add support for a built-in attribute type for storing a profile picture URL. Azure AD B2C should then store the profile picture URL as a user attribute when signing in with a social provider. This attribute can then be selected as an application claim attribute so applications can have access to social provider profile pictures. The attribute should also update on any subsequent successful sign in attempts when there is an updated profile picture from the social provider.

    Alternatively, just update AD B2C to set the user's social profile picture as the AD thumbnail photo when creating an account.

    55 votes

    5 comments · B2C

    Although we do not directly support this feature, there is a new workaround available which is to use the IdP token (like Facebook’s token) to grab the profile photo. You can do this by calling Facebook directly from the app using the facebook token.

    Azure AD B2C now allows the access tokens of OAuth 2.0 identity providers to be passed as a claim in the B2C token. Please try it out (see instructions below) and give us feedback at aadb2cpreview@microsoft.com.

    User flows (built-in policies)

    https://docs.microsoft.com/azure/active-directory-b2c/idp-pa

    Custom policies

    https://docs.microsoft.com/azure/active-directory-b2c/idp-pass-through-custom

  13. Provide MIM Portal to authenticate by SAML or any other federation standard.

    Add SAML or WS-* support to MIM Portal to authenticate in a federated scenario and remove the account dependency from any local Active Directory.

    54 votes

    1 comment · Microsoft Identity Manager
  14. Azure AD Join - Password Change At Logon

    When a user's password expires or has been set to change at next logon, they are unable to log on to Azure AD joined machines; there is no 'password must be changed' dialog as there is with local AD. Can this please be added?

    52 votes

    7 comments · Domain Join
  15. Can Azure AD Application Proxy be used for publishing Exchange on-premise?

    Can Azure AD Application Proxy be used for publishing Exchange on-premise (2013 / 2016)? I have come across guidelines for SharePoint and RD Gateway on https://blogs.technet.microsoft.com/applicationproxyblog/, however I am not able to find them for Exchange.

    52 votes

    6 comments · Application Proxy
  16. Adding YubiKey Support to Azure AD and Edge on iOS/iPadOS

    YubiKey 5Ci security keys allow passwordless authentication via the Lightning connector. It's the first security key that can plug into an iPhone or iPad Lightning port and a USB-C port. Several apps support this authentication, such as Brave, a browser app based on Chromium.
    https://brave.com/partnership-with-yubico/

    It would be great if Azure Active Directory and Edge supported the YubiKey for passwordless authentication.

    There is also an upcoming SDK to support the new NFC authentication capabilities in iOS. This will allow FIDO2 authentication over NFC and Lightning as well.
    https://www.yubico.com/2019/09/yubico-ios-authentication-expands-to-include-nfc/

    51 votes

    5 comments · Passwordless
  17. Allow the "Forgot my password" link to be removed from the Sign-In page (for tiers that do not support it)

    The basic AAD tier does not allow the passwords to be reset through the "forgot my password" function.

    However, the sign-in page still provides a "Forgot my password" link. If users follow that link and go through the process they are shown the following message:

    "You cannot reset your password at this time because your administrator has not configured password reset for your organization"

    However, password reset cannot be configured for the subscribed tier.

    It would be preferable to avoid the user going through the reset process in this case.

    51 votes

    9 comments · Self-Service Password Reset
  18. Add Shibboleth to the set of authentication protocols

    At present Azure AD can authenticate to SaaS using SAML, OAuth etc. Many academic institutions use Shibboleth which is based on SAML. Currently this means that they have to maintain a separate Shibboleth service in addition to AD FS (if using that for authentication). If a Shibboleth service could be added to Azure AD this would reduce the hardware/software complexity on-site and allow more Universities to take advantage of the Cloud Identity provided by Azure. Shibboleth is generally used to access shared education services, journals and other shared services.

    51 votes

    under review · 15 comments · Authentication
  19. MIM Service REST API

    Provide a REST API for the core MIM Service as they did for Certificate Management and also Privileged Access Management.

    50 votes

    4 comments · Microsoft Identity Manager
  20. RBAC permissions to see Application Gateway Backend Health

    The RBAC 'reader' and 'monitoring reader' roles do not allow users with those permissions to see the backend health.
    Error is: the client 'user' does not have authorisation to perform action '/Microsoft.Network/applicationGateways/backendhealth/action' over scope 'subscription...resourceGroups/providers/Microsoft.Network/applicationGateways/applicationgatewayane'
    Is it possible to modify the reader / monitoring reader permissions so that viewing the backend health status is allowed for those roles, and/or advise of a read-only role that allows this, as we don't want to grant users modify access to the application gateways just to enable them to see backend health.

    48 votes

    15 comments · Role-based Access Control