Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Add report for Extranet Lockout Protection - Account Lockout

    Add a new report to Azure AD Connect Health that allows support staff to see which accounts are locked out by ADFS Extranet Lockout Protection.

    56 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  2 comments  ·  Azure AD Connect Health  ·  Flag idea as inappropriate…  ·  Admin →
  2. Add CORS support for discovery and JSON Web Key Set endpoints

    Adding CORS support to the following endpoints would allow them to be downloaded via a JavaScript application:
    - https://login.microsoftonline.com/<tenantid>/v2.0/.well-known/openid-configuration
    - https://login.microsoftonline.com/<tenantid>/discovery/v2.0/keys

    The signatures for these endpoints could then be used to verify JWT's directly within the JavaScript.

    49 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow the possibility to assign Dynamics Device Groups to Conditional Access policies

    I'd like to enforce enrollment for Corporate devices but not for Personal devices; for the same user account. So I can create Dynamics Device Groups but I if I assign these groups to Conditional Access policies, it doesn't work.

    48 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  7 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  4. SCIM defects


    1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
      As per, https://tools.ietf.org/html/rfc7644#section-1.3,
      The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
      Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.


    2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since…

    48 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    14 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →

    The first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility

    OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing

    Work to support the code grant as well as client credentials on the non-gallery app is currently in our backlog. It’s intended to be done, but not yet funded.

    In the meantime, the 1KB token limitation has been lifted.

  5. Allow Applications to be added to AD Security Groups

    See https://stackoverflow.com/questions/47762262/add-aad-application-as-a-member-of-a-security-group

    Basically allow adding Service Principals (i.e. Applications) into AD Security Groups just like User Principals are allowed today.

    47 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →
  6. 45 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  7. AADB2C: Add multiply reply URLs with the same domain

    If you create an Azure Active Directory B2C and then add an Application for your Web API, your Web API will only be able to receive tokens from a client that shares the same Application ID.

    Currently, building a Web API that is accessed from several different clients is not supported.

    This means that if you want to add different clients, you can configure them with the restriction that redirect URLs must all belong to the same domain.

    But when you try to add them, for example:
    https://client1.domain.com

    https://client2.domain.com

    I receive an error saying that the reply URLs are not…

    44 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    It is possible to add multiple reply URLs within the same domain, unfortunately the experience is a bit clunky and we’re working on fixing this.

    At this time, in order to achieve this a setup with client1.domain.com and client2.domain.com as redirect URIs, you must first add the overarching domain as a redirect URI and then add the sub-domains, like so:

    1) https://domain.com
    2) https://client1.domain.com
    3) https://client2.domain.com

    Check out this article for more info:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-limitations#restrictions-on-redirect-uris

  8. Find and Replace Claims Transformation Function

    When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:

    If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.​

    43 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    14 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  9. Get Privilege Role with their Eligible and Permanent Members List using Powershell

    Please add Azure PIM command, which can provide all roles & their members list (should show Eligible & Permanent attribute too) ?

    Get-PrivilegedRoleAssignment shows role details for logged in user only.

    42 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  6 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add the option to block only one drive and not the hole sharepoint

    Many large organizations that move to Office 365 have the need to block One Drive for certain users, but leave them the ability to use Sharepoint Online. After opening a support case, the responce was that it is currently not supported and the only option is to block both One Drive and Sharepoint Online.

    41 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  5 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  11. Disable new features, which impact all AzureAD users, per default

    We always appreciate new Features in AzureAD, but if a new feature impacts all our users, we would like to be completely in control of enabling the feature once our organization is ready.
    I specifically refer to the "LinkedIn Integration in AzureAD" which will be enabled by default.
    When deploying future releases, please keep in mind that there are organizations out there, which have strict processes for enabling new features for their employees. Enabling a new feature, which impacts all AzureAD users by default is really disruptive!

    40 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  12. Support for OAuth 2.0 SAML Bearer Assertion Flow

    I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.

    Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccessoauthSAMLbearerflow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.

    I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the…

    39 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    Reposting so that folks get a notification – from Paul:

    Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Asssertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.

  13. High availability support for AAD Connect

    Please provide HA support for AAD Connect with automatic failover! The staging server process is hopeless, and it doesn't support a shared SQL DB. At the moment, the fastest way to do AAD Connect recovery in case the AAD Connect server is destroyed, is to have an default installed Win2016 server with the AAD Connect install files downloaded (and not installed). Due to the fact that both the production and staging server must have same version (or higher), there's a risk that some stuff will not work when you do a recovery to a second server and there's a version…

    38 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  5 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  14. CORS for token endpoint

    For SPA Native applications, for instance Ionic/Cordova Apps, seems convenient to use code grant with PKCE flows.
    In this kind of apps, the requests are performed by the embedded browser, not by native OS. When the apps try to redeem the code to get the tokens if appears an error due to the fact that /token endpoint doesn't enable CORS.
    Is there any plan to allow CORS configuration in Azure AD as it has been already implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?

    37 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Customer tenants should be manageable by PIM

    PIM should be able to manage access to customer's tenants. Partner has employees with their own source of authority but should still be able to give out access based on Azure lighthouse for instance. AzLighthouse currently supports groups only, which are not supported by PIM.

    34 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  16. Apply the role faster on the backend

    Our customers often mentioned it takes a long time for the role to become active for the end users.

    Can you make it apply the role faster on the backend. They expect maybe 30 seconds for the role to become active.

    34 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  17. Support HTML support in Azure AD Branding

    My colleague and I receive several customer requests regarding enabling support HTML support in Azure AD Branding like Samuel D. (Mr.ADFS) provided for ADFS.

    Microsoft currently only support plaintext for the "sign in page text".

    Please support the following bold, italics, colours, etc. text and support href links?

    Top request is for bold text and links. We don't need advanced stuff like JavaScript injection like in ADFS.

    34 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  18. Make the content of Access Review emails customizable.

    The emails sent to complete an access review have unnecessary additional content (e.g. Microsoft Address) and do not allow addition of more information to help those that receive a message.

    32 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Access Reviews  ·  Flag idea as inappropriate…  ·  Admin →

    Hi Ben,

    Thanks for the feedback! Good news is that we are working to improve the emails to provide the reviewers the necessary information succinctly. Some of the information you see, the Microsoft logo and address, some are there because of legal reasons. We are actively working on this right now and will provide updates here.

    Follow up question for you, what else do you think is unnecessary, and what would you like to see?

    Thanks
    Fionna

  19. PIM - Configure default settings for all role assignments

    Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.

    Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.

    e.g. I would like PIM eligible assignment to default to a maxiumum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.

    Thanks
    Ben.

    31 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  20. Allow multi-tenant automatic registration of windows domain-joined devices

    The guide available here:

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

    Is not multi-tenant aware.

    This prevents the use of meaningful conditional access polices where multiple customers are sharing the same source Windows Server OnPrem AD in a hybrid 365 scenario.

    I would like a solution that allows the SCP information to be delivered by an alternate means, GPO for example.

    We could then sync multiple customers in AD to multiple 365 tenants and implement conditional access effectively.

    31 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Devices  ·  Flag idea as inappropriate…  ·  Admin →

    We are in the process of updating docs to include Hybrid Azure AD join as a supported scenario in a single AD forest to multiple Azure AD tenants. This could be achieved using client side SCP settings that can be configured using GPO. However, there are certain limitations with a single AD forest to multiple Azure AD tenant setup. Capabilities like Windows Hello for Business using cert trust deployment model, enabling Conditional Access for on-prem apps federated with AD FS, Syncing Office 365 Groups back to on-prem Exchange, enabling Seamless SSO and enabling Azure AD Password Protection for on-prem AD DS will not work.

  • Don't see your idea?

Feedback and Knowledge Base