Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. SCIM defects


    1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
      As per, https://tools.ietf.org/html/rfc7644#section-1.3,
      The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
      Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.


    2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since…

    42 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →

    The first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility

    OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing

    Work is underway to make the authorization code grant flow available for custom apps.

    Link to understand the code grant flow – https://tools.ietf.org/html/rfc6749#page-24

  2. Allow 3rd party MFA with PIM

    Azure conditional access policies allow for 3rd party MFA, such as Duo, but Azure PIM does not allow this level of customization with the "Require MFA" configuration for a PIM role. This means that we need to manage 2 different MFA platforms if we're going to leverage both Duo MFA and Azure PIM for security. I'd like the ability to use Duo MFA when activating a PIM role.

    41 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. Disable new features, which impact all AzureAD users, per default

    We always appreciate new Features in AzureAD, but if a new feature impacts all our users, we would like to be completely in control of enabling the feature once our organization is ready.
    I specifically refer to the "LinkedIn Integration in AzureAD" which will be enabled by default.
    When deploying future releases, please keep in mind that there are organizations out there, which have strict processes for enabling new features for their employees. Enabling a new feature, which impacts all AzureAD users by default is really disruptive!

    39 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Support for OAuth 2.0 SAML Bearer Assertion Flow

    I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.

    Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccessoauthSAMLbearerflow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.

    I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the…

    38 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    Reposting so that folks get a notification – from Paul:

    Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Asssertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.

  5. Allow the possibility to assign Dynamics Device Groups to Conditional Access policies

    I'd like to enforce enrollment for Corporate devices but not for Personal devices; for the same user account. So I can create Dynamics Device Groups but I if I assign these groups to Conditional Access policies, it doesn't work.

    34 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  5 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  6. Support HTML support in Azure AD Branding

    My colleague and I receive several customer requests regarding enabling support HTML support in Azure AD Branding like Samuel D. (Mr.ADFS) provided for ADFS.

    Microsoft currently only support plaintext for the "sign in page text".

    Please support the following bold, italics, colours, etc. text and support href links?

    Top request is for bold text and links. We don't need advanced stuff like JavaScript injection like in ADFS.

    34 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  7. CORS for token endpoint

    For SPA Native applications, for instance Ionic/Cordova Apps, seems convenient to use code grant with PKCE flows.
    In this kind of apps, the requests are performed by the embedded browser, not by native OS. When the apps try to redeem the code to get the tokens if appears an error due to the fact that /token endpoint doesn't enable CORS.
    Is there any plan to allow CORS configuration in Azure AD as it has been already implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?

    33 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. High availability support for AAD Connect

    Please provide HA support for AAD Connect with automatic failover! The staging server process is hopeless, and it doesn't support a shared SQL DB. At the moment, the fastest way to do AAD Connect recovery in case the AAD Connect server is destroyed, is to have an default installed Win2016 server with the AAD Connect install files downloaded (and not installed). Due to the fact that both the production and staging server must have same version (or higher), there's a risk that some stuff will not work when you do a recovery to a second server and there's a version…

    33 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  5 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  9. Find and Replace Claims Transformation Function

    When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:

    If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.​

    31 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  10. Apply the role faster on the backend

    Our customers often mentioned it takes a long time for the role to become active for the end users.

    Can you make it apply the role faster on the backend. They expect maybe 30 seconds for the role to become active.

    31 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  11. AADB2C: Support Twitter

    B2C currently supports authenticating with various social networks, but not Twitter. Please consider supporting Twitter as well.

    30 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  12. Get Privilege Role with their Eligible and Permanent Members List using Powershell

    Please add Azure PIM command, which can provide all roles & their members list (should show Eligible & Permanent attribute too) ?

    Get-PrivilegedRoleAssignment shows role details for logged in user only.

    29 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  4 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Granular options for Self Service Password Reset Factors

    It would be nice to be able to configure self service password reset MFA with as much granularity as application MFA policies.

    1) Restrict what factors you can use based on trusted device, network location, etc.

    2) Specify different policies for different user groups. For example, administrative users who are not AAD administrators.

    3) Restrict by domain and have different rules per domains syncing up to the same tenant.

    29 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  14. BUG: Unable to Delete an Application's AppRole

    Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".

    When I set the isEnabled property to false and then hit save, I get a successful saven with a 200 OK looking at the browsers developer tools (See first attached image).

    After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browsers developer tools, it's coming back as true there too (See second attached image).

    27 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for reporting this!

    I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.

    For now, there are two options to work around this:

    1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697

    2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).

    / Philippe Signoret

  15. Make Azure Ad Application 'permissions to other applications' optional not mandatory

    From what I understand, adding permissions in the 'permissions to other applications' section of an Azure AD Application means that any tenant administrator trying to grant access to that application using the Admin consent flow must have all the services requested. E.g. if requesting Office 365 'Read users email' permission and CRM Online 'Access CRM Online as organization users' permission the requesting tenant must have both of those Microsoft Services linked to their Azure AD.

    If you don't have access to all requested services you receive the following error:

    'AADSTS65005: The application needs access to a service that your organization…

    27 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →

    The v2 endpoint for Azure AD supports incremental/dynamic consent, by which an app requests the permissions it needs at run time, dynamically. This will allow your app to get tokens for basic scenarios first (e.g. sign in and get profile) and only get tokens for other, optional, scenarios (e.g. read and send mail as the user) later.

    Be sure to review the current limitations on which services the v2 endpoint will grant tokens for, as this does work for all scenarios or all Microsoft services yet: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations#restrictions-on-services-and-apis

  16. B2B Scenario - the B2B Guest User should use the MFA or their autheticating tenant

    In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA ot access this information.
    The B2B user would need to enroll into the MFA for my tenant, even though he already is setup to use MFA in his tenant. This would result in multiple Authenticator accounts for the same orignal Azure Account.
    I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.

    26 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →
  17. AzureAD join give user Admin access- needs to restrict

    By Default AzureAD join gives user Admin access can we restrict this? This is a huge security risk.

    24 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →
  18. Make the content of Access Review emails customizable.

    The emails sent to complete an access review have unnecessary additional content (e.g. Microsoft Address) and do not allow addition of more information to help those that receive a message.

    23 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Access Reviews  ·  Flag idea as inappropriate…  ·  Admin →

    Hi Ben,

    Thanks for the feedback! Good news is that we are working to improve the emails to provide the reviewers the necessary information succinctly. Some of the information you see, the Microsoft logo and address, some are there because of legal reasons. We are actively working on this right now and will provide updates here.

    Follow up question for you, what else do you think is unnecessary, and what would you like to see?

    Thanks
    Fionna

  19. Allow multi-tenant automatic registration of windows domain-joined devices

    The guide available here:

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

    Is not multi-tenant aware.

    This prevents the use of meaningful conditional access polices where multiple customers are sharing the same source Windows Server OnPrem AD in a hybrid 365 scenario.

    I would like a solution that allows the SCP information to be delivered by an alternate means, GPO for example.

    We could then sync multiple customers in AD to multiple 365 tenants and implement conditional access effectively.

    21 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Devices  ·  Flag idea as inappropriate…  ·  Admin →

    We are in the process of updating docs to include Hybrid Azure AD join as a supported scenario in a single AD forest to multiple Azure AD tenants. This could be achieved using client side SCP settings that can be configured using GPO. However, there are certain limitations with a single AD forest to multiple Azure AD tenant setup. Capabilities like Windows Hello for Business using cert trust deployment model, enabling Conditional Access for on-prem apps federated with AD FS, Syncing Office 365 Groups back to on-prem Exchange, enabling Seamless SSO and enabling Azure AD Password Protection for on-prem AD DS will not work.

  20. My Apps portal getting crowded with Published Apps

    The Azure My Apps portal is getting crowded with Published Apps and there is no way to customize the look and feel. It would be nice if the portal allowed better oganization/customizations of the published apps where you could move around apps, hide apps, put apps into a folder structure, etc....

    20 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base