Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Enable dedicated App Proxy Authentication Header

    When you connect App Proxy with pre-authentication via a native client following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application the authentication header is removed by the App Proxy. This stops single sign on requests from working and breaks a number of automation scenarios if the backend service does not support a dedicated authentication header. Ideally I would like to see the following behaviour:


    1. By default the Authorization header is used to authenticate with App Proxy

    2. If multiple values are provided as per https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers each one is checked for authentication against App Proxy, if one is valid, remove it from the header and pass…
    47 votes

    7 comments  ·  Application Proxy
  2. Managed Service Identity support for containers.

    We currently are moving towards containerization of applications using service fabric. Is it possible to enable MSI extension for VM on host and then consume the service from the container?

    47 votes

    3 comments  ·  Developer Experiences
  3. Customizable Password Policy and Account Locking Features


    1. Configurable password requirements (e.g., complex passwords, password length, character limitations etc)

    2. Configurable number of attempts before Account is locked

    47 votes

    9 comments  ·  End user experiences

    Hey folks, thanks for the interest in this, and we have some good news to share. Configurable lockout is in development now (mostly done, actually) and we’re aiming for June or July public preview.

    For configurable password complexity, length, etc, we hear you. Longer passwords are in planning now, and we’re thinking about our approach to how we want to enable the other configurability features. I don’t have any more details to share on this for now, but we do have interest in building features.

  4. Implement a feature that allows password expiry notifications from Azure Active Directory

    Enable functionality where admins can turn on "Your password is about to expire" email notifications for Azure Active Directory users. Add configuration items to this so it can be configured to send an email to users at 5 different stages (eg. 14 days out, 7 days, 3 days, 2 days, 1 day) etc. It's 2017 already.

    46 votes

    4 comments  ·  Admin Portal
  5. PowerShell PIM Access Reviews

    It doesn't appear like there are any PowerShell cmdlets for PIM to support access review creation and management. This would be helpful for automation purposes so someone doesn't have to log into the GUI to create access reviews, check status, etc.

    43 votes

    under review  ·  7 comments  ·  Access Reviews
  6. Implement a way to manually initiate dynamic device group membership evaluations

    Currently, there is no SLA/timeframe on when dynamic AAD device groups evaluate memberships.

    Here are the recommended troubleshooting steps for these groups not populating, straight from the Azure portal:
    "Please allow time for the group to populate. Depending on the size of your tenant, the group may take up to 24 hours for populating for the first time or after a rule change."

    If admins are using dynamic AAD device groups for any sort of application deployment or policy targeting, waiting up to 24 hours may not be reasonable. It would be very helpful if there was a way to…

    43 votes

    4 comments  ·  Groups/Dynamic groups

    Thank you for your feedback. This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

    In the interim, we’ve added the ability to view the processing status for the dynamic membership rule of a group in the Azure Admin portal. This is not providing an SLA for the rule evaluation, however, it does provide information including that the processing is complete.

  7. Terms of use and privacy policy

    It would be great if AD B2C could manage all the process for terms of use and privacy policy management.
    There is actually no way to manage it in the sign-up policy...

    42 votes

    3 comments  ·  B2C

    We have created samples to do this in custom policies here:

    Sample: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/source/aadb2c-ief-terms-of-use

    Readme: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/scenarios/readme.md

    While we realize this only works for custom policies (the part where you can track versions of consent), we currently don’t have plans to implement this in built-in policies.

  8. Expose AzureAD PIM Alerts via an API

    AzureAD (AAD) PIM generates alerts when there is suspicious or unsafe activity in the environment. When an AAD PIM alert is triggered, it shows up on the PIM dashboard. We would like for the PIM alerts to be exposed via an API so that we can integrate these alerts with our SIEM solution.

    41 votes

    under review  ·  4 comments  ·  Privileged Identity Management
  9. Provision Exchange Online Mailbox (Enable-RemoteMailbox)

    In a hybrid Exchange scenario, when you only assign a license for Exchange Online to a synchronized user to provision his mailbox, the corresponding on-prem AD attributes are not set.

    So these mailboxes cannot be managed from the on-prem Exchange Admin console.

    So it might be a good idea to also have "Exchange Online Provisioning" within the AD connector and not only on-prem Exchanges.
    The connector should call the "Enable-RemoteMailbox" cmdlet, which sets the appropriate attribute on-prem, and after sync and license assignment users can use their mailbox.

    Btw: Please rename the "Exchange 2010" provisioning option to "Exchange 2010-2016", in every…

    37 votes

    0 comments  ·  Microsoft Identity Manager
  10. Azure AD App Proxy - SSL Certificate Renewal

    When renewing the SSL cert it would be good to upload just once and have it propagate to all apps using the current cert that is about to be replaced.

    We use wildcards for a single domain so would be good to have this rather than upload the same file 50 times and counting to update our cert.

    Anytime you create a new application it knows to use the same cert.

    35 votes

    under review  ·  3 comments  ·  Application Proxy
  11. AAD Connect Cloud Provisioning: Add support for password writeback

    Currently Cloud Provisioning does not support password writeback, so using Azure AD SSPR with on-Prem synched passwords is not possible.

    Would be great to have that as one of the first enhancements of Cloud Provisioning

    34 votes

    under review  ·  4 comments  ·  Azure AD Connect
  12. Workday-driven automatic AD group assignment

    When a new AD account is created using Workday, it should be possible to assign birthright AD groups to the user automatically.

    34 votes

    2 comments  ·  Provisioning from Cloud HR
  13. Update or remove the CAPTCHA verification in the SSPR

    The CAPTCHA verification in the initial SSPR portal page is most of the time really hard to read and it takes 4-5 attempts to actually start the password reset or account unlock process, and this frustrates our end-users.

    I understand the reason the CAPTCHA is there but maybe replace it by the reCAPTCHA with images instead of those hard to read letters.

    Ps. the current captcha is case-sensitive but there is no info in SSPR to highlight that :(

    34 votes

    8 comments  ·  Self-Service Password Reset
  14. Update Azure AD B2C claims when signing in with social providers

    When an Azure AD B2C account is set up after signing in with a social provider, the basic claim details are populated with data from the social provider, such as surname, given/family name, emails, etc. When this information is changed in the social provider account, can it be automatically updated in the B2C claims on the next sign in?

    In essence, when a Facebook/Google/Microsoft/Amazon/LinkedIn user changes their name, email address, etc. I want their B2C account claims updated to reflect the new info the next time they sign in to my B2C app.

    I am attempting to do this without…

    34 votes

    5 comments  ·  B2C

    Thanks for the feedback. So to clarify, you would like the ability to interrupt the user during the sign in process to ensure their info is in sync with the identity provider they are using. Is that correct? Would you like to see this at all times or just when the data is out of sync?

  15. Can I use Azure AD B2B collaboration together with Azure AD B2C within one tenant?

    For external customers we will use Azure AD B2B to log in and for external users (from custom domains i.e. Hotmail.com, Outlook.com) we would like to use Azure AD B2C to log on.

    So, one tenant with Azure AD B2B extension and Azure B2C extension coexisting.

    34 votes

    4 comments  ·  B2B
  16. Self-Service Password Reset Customize UserName Hint like Example@company.com

    Add Self-Service Password Reset Customize UserName Hint with URL parameter YourExample@Yourcompany.com instead of default value of "user@contoso.onmicrosoft.com or user@contoso.com". This would work like Azure AD Customization with UserName Hint.

    32 votes

    2 comments  ·  Self-Service Password Reset
  17. Customize B2B signup process

    When working with partners it is critical to have customized and company specific branding and experience.

    complete customization verification emails and domain name in signup URL

    32 votes

    1 comment  ·  B2B
  18. Have the ability to use all Azure AD user attributes for Customize claims available for Azure AD SAML token.

    Allow the use of all Azure AD User attributes in a claim. Currently we have a requirement to add Azure AD synced attributes to be sent as a claim for SAML authentication. For example, attributes such as 'Manager' or 'immutable ID' are not supported. Can we have the option to use all available attributes as part of the claim?

    31 votes

    3 comments  ·  Authentication
  19. Support webhooks for Azure PIM Approval Request

    It would be really great if you would consider adding support for Webhooks as part of the newly introduced Azure PIM Approval workflow feature. We would be able to do a lot of interesting stuff with this option :). Alternatively we would have to perform a pull for new approval requests all the time. #automation #flow #apps

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    31 votes

    under review  ·  2 comments  ·  Privileged Identity Management
  20. FIM Portal Create RCDC's flexibility (Allow Custom Events)

    Allow Custom Events on Controls in RCDC so that it is possible to set some Checkboxes in the RCDC to true or false.
    Example:
    UocRadioControl with Option like SharedMailbox, RoomMailbox, EquipmentMailbox.

    Based on that it should be possible to define which Attributes or groupings are visible.
    This gives more flexibility on creating RCDC's.

    31 votes

    1 comment  ·  Microsoft Identity Manager