Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Implement a feature that allows password expiry notifications from Azure Active Directory

    Enable functionality where admins can turn on "Your password is about to expire" email notifications for Azure Active Directory users. Add configuration items so it can be configured to send an email to users at 5 different stages (e.g. 14 days out, 7 days, 3 days, 2 days, 1 day), etc. It's 2017 already.

    42 votes
    2 comments  ·  Admin Portal
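As an added illustration of the reminder schedule this idea describes (example code, not an Azure AD feature and not Microsoft's code): given user records carrying the Microsoft Graph attributes `userPrincipalName`, `lastPasswordChangeDateTime` and `passwordPolicies`, work out which of the five stages fires for each user today. The 90-day maximum password age, the sample users and the clock value are constructed for the example; passwords flagged `DisablePasswordExpiration` and passwords that have already expired get no reminder.

```python
"""Password-expiry reminder schedule: an added example, not an Azure AD feature.

Assumes each user record carries the Microsoft Graph user attributes
`userPrincipalName`, `lastPasswordChangeDateTime` and `passwordPolicies`
(as returned by /users); the users below are constructed, and the 90-day
maximum password age is an assumed tenant setting.
"""
import math
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed tenant policy
STAGES = (14, 7, 3, 2, 1)               # days before expiry at which a reminder goes out


def _parse_graph_time(value):
    # Graph returns ISO 8601 with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiry_date(user, max_age=MAX_PASSWORD_AGE):
    """Return when the password expires, or None if it never expires."""
    policies = [p.strip() for p in (user.get("passwordPolicies") or "").split(",")]
    if "DisablePasswordExpiration" in policies:
        return None
    return _parse_graph_time(user["lastPasswordChangeDateTime"]) + max_age


def stage_due(user, now, stages=STAGES, max_age=MAX_PASSWORD_AGE):
    """Return the reminder stage (days left) that fires at `now`, or None.

    Days left is rounded up, so a password expiring later today counts as
    1 day. Already-expired passwords get no reminder: the next sign-in
    forces a change anyway.
    """
    expires = expiry_date(user, max_age)
    if expires is None or expires <= now:
        return None
    days_left = math.ceil((expires - now) / timedelta(days=1))
    return days_left if days_left in stages else None


def notifications_due(users, now, stages=STAGES, max_age=MAX_PASSWORD_AGE):
    """Map userPrincipalName -> stage for every user who needs a reminder today."""
    due = {}
    for user in users:
        stage = stage_due(user, now, stages, max_age)
        if stage is not None:
            due[user["userPrincipalName"]] = stage
    return due


# Constructed sample data (not real tenant output).
NOW = datetime(2017, 6, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "lastPasswordChangeDateTime": "2017-03-31T08:00:00Z", "passwordPolicies": None},
    {"userPrincipalName": "bob@contoso.com", "lastPasswordChangeDateTime": "2017-04-07T12:00:00Z", "passwordPolicies": None},
    {"userPrincipalName": "carol@contoso.com", "lastPasswordChangeDateTime": "2017-03-17T12:00:00Z", "passwordPolicies": None},
    {"userPrincipalName": "dave@contoso.com", "lastPasswordChangeDateTime": "2016-01-01T00:00:00Z", "passwordPolicies": "DisablePasswordExpiration"},
    {"userPrincipalName": "erin@contoso.com", "lastPasswordChangeDateTime": "2017-01-01T00:00:00Z", "passwordPolicies": None},
    {"userPrincipalName": "frank@contoso.com", "lastPasswordChangeDateTime": "2017-03-24T09:00:00Z", "passwordPolicies": None},
]

if __name__ == "__main__":
    for upn, stage in notifications_due(SAMPLE_USERS, NOW).items():
        print(f"{upn}: password expires in {stage} day(s), send reminder")
```

Run once a day against the real user list and only the users whose rounded-up days-left lands exactly on a stage get mail, so nobody is notified twice for the same stage.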
  2. Allow the "Forgot my password" link to be removed from the Sign-In page (for tiers that do not support it)

    The basic AAD tier does not allow passwords to be reset through the "forgot my password" function.

    However, the sign-in page still provides a "Forgot my password" link. If users follow that link and go through the process they are shown the following message:

    "You cannot reset your password at this time because your administrator has not configured password reset for your organization"

    However, password reset cannot be configured for the subscribed tier.

    It would be preferable to avoid the user going through the reset process in this case.

    40 votes
    8 comments  ·  Self-Service Password Reset
  3. Support PIM for service principals

    We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

    We often deploy resource-group-wide or subscription-wide deployments, which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

    This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

    38 votes
    under review  ·  3 comments  ·  Privileged Identity Management
  4. Enable dedicated App Proxy Authentication Header

    When you connect App Proxy with pre-authentication via a native client following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application the authentication header is removed by the App Proxy. This stops single sign on requests from working and breaks a number of automation scenarios if the backend service does not support a dedicated authentication header. Ideally I would like to see the following behaviour:


    1. By default the Authorization header is used to authenticate with App Proxy

    2. If multiple values are provided as per https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers each one is checked for authentication against App Proxy; if one is valid, remove it from the header and pass…

    37 votes

    7 comments  ·  Application Proxy
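The header handling this idea asks for, as an added example (not App Proxy's own code): the proxy walks every Authorization value the client sent, validates each against its own pre-auth check, consumes the first one that passes and forwards the remaining ones untouched to the backend. The tokens are simplified HMAC-signed stand-ins for real Azure AD JWTs, the two audiences and the signing keys are assumed values, and the request is constructed. Repeated header lines are kept as separate values rather than comma-joined, because Digest-style credentials contain commas of their own.

```python
"""Models the Authorization-header handling the idea above asks App Proxy for.

Added example, not App Proxy's own code. Tokens are demo-format stand-ins
(base64url JSON payload + HMAC-SHA256), audiences and keys are assumed,
and the request below is constructed.
"""
import base64
import hashlib
import hmac
import json

PROXY_AUDIENCE = "https://app-proxy.example"    # assumed: audience of the pre-auth token
BACKEND_AUDIENCE = "api://backend.example"       # assumed: audience the backend expects
PROXY_KEY = b"demo-proxy-signing-key"            # constructed: key the proxy verifies with


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(audience, key):
    """Build '<b64 payload>.<b64 hmac>' for a given audience (demo format only)."""
    payload = _b64u(json.dumps({"aud": audience, "sub": "ci-pipeline"}, sort_keys=True).encode())
    signature = _b64u(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}"


def proxy_accepts(header_value, key=PROXY_KEY):
    """True only for a Bearer token signed with the proxy key and aimed at the proxy."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or "." not in token:
        return False
    payload, _, signature = token.partition(".")
    try:
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(signature)):
            return False
        claims = json.loads(_unb64u(payload))
    except ValueError:            # bad base64 or bad JSON
        return False
    return claims.get("aud") == PROXY_AUDIENCE


def strip_all_authorization(headers):
    """Behaviour the post describes today: every Authorization value is dropped."""
    return [(n, v) for n, v in headers if n.lower() != "authorization"]


def preauthenticate(headers, accepts=proxy_accepts):
    """Proposed behaviour: consume the one value the proxy validates, forward the rest.

    `headers` is the request header list as received, one (name, value) pair
    per header line. Returns (authenticated, headers_to_forward); the caller
    answers 401 when `authenticated` is False.
    """
    forwarded, consumed = [], False
    for name, value in headers:
        if name.lower() == "authorization" and not consumed and accepts(value):
            consumed = True        # proxy credential: verified here, not passed on
            continue
        forwarded.append((name, value))
    return consumed, forwarded


# Constructed request: one token for the proxy, one for the backend.
REQUEST_HEADERS = [
    ("Host", "app.contoso.com"),
    ("Authorization", "Bearer " + mint_token(PROXY_AUDIENCE, PROXY_KEY)),
    ("Authorization", "Bearer " + mint_token(BACKEND_AUDIENCE, b"backend-issuer-key")),
    ("Content-Type", "application/json"),
]

if __name__ == "__main__":
    ok, fwd = preauthenticate(REQUEST_HEADERS)
    print("authenticated:", ok)
    for name, value in fwd:
        print(f"  {name}: {value[:40]}")
```

The audience check is what keeps the two credentials apart: a token minted for the backend never validates at the proxy even when it is signed with the proxy's key, so it is forwarded rather than swallowed, and a client that sends only a backend token is refused instead of being let through with nothing to show the proxy.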
  5. PowerShell PIM Access Reviews

    It doesn't appear that there are any PowerShell cmdlets for PIM to support access review creation and management. This would be helpful for automation purposes, so someone doesn't have to log into the GUI to create access reviews, check status, etc.

    37 votes
    under review  ·  5 comments  ·  Access Reviews
  6. Support for Workday "Integration System" custom attributes

    Sourced from https://github.com/MicrosoftDocs/azure-docs/issues/21671

    Adjust Workday web service call (get_workers) by adding a reference criteria call

    As an AD Admin, I would like the Azure AD Workday connector to support "integration system" attributes which are retrieved through special modification to the Get_Workers() API call.

    It would be beneficial if the web service call for workers could be adjusted to call another integration to get values that the normal API call won't get.
    Example: Some values needed or recommended for provisioning might be part of custom objects or derived from other objects in Workday.
    What I propose is that you at least…

    37 votes
    3 comments  ·  Provisioning from Cloud HR
  7. Expose AzureAD PIM Alerts via an API

    AzureAD (AAD) PIM generates alerts when there is suspicious or unsafe activity in the environment. When an AAD PIM alert is triggered, it shows up on the PIM dashboard. We would like for the PIM alerts to be exposed via an API so that we can integrate these alerts with our SIEM solution.

    36 votes
    under review  ·  3 comments  ·  Privileged Identity Management
  8. Terms of use and privacy policy

    It would be great if AD B2C could manage all the process for terms of use and privacy policy management.
    There is actually no way to manage it in the sign-up policy...

    35 votes
    3 comments  ·  B2C

    We have created samples to do this in custom policies here:

    Sample: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/source/aadb2c-ief-terms-of-use

    Readme: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/scenarios/readme.md

    While we realize this only works for custom policies (the part where you can track versions of consent), we currently don’t have plans to implement this in built-in policies.

  9. Workday-driven automatic AD group assignment

    When a new AD account is created using Workday, it should be possible to assign birthright AD groups to the user automatically.

    34 votes
    2 comments  ·  Provisioning from Cloud HR
  10. Provision Exchange Online Mailbox (Enable-RemoteMailbox)

    In a hybrid Exchange scenario, when you only assign an Exchange Online license to a synchronized user to provision his mailbox, the corresponding on-prem AD attributes are not set.

    So these mailboxes cannot be managed from the on-prem Exchange Admin console.

    So it might be a good idea to also have "Exchange Online Provisioning" within the AD connector and not only on-prem Exchange.
    The connector should call the "Enable-RemoteMailbox" cmdlet, which sets the appropriate attribute on-prem; after sync and license assignment, users can use their mailbox.

    Btw: Please rename the "Exchange 2010" provisioning option to "Exchange 2010-2016", in every…

    34 votes
    0 comments  ·  Microsoft Identity Manager
  11. Can i use Azure AD B2B collaboration together with Azure AD B2C within one tenant?

    For external customers we will use Azure AD B2B to log in, and for external users (from custom domains, i.e. Hotmail.com, Outlook.com) we would like to use Azure AD B2C to log on.

    So, one tenant with Azure AD B2B extension and Azure B2C extension coexisting.

    34 votes
    4 comments  ·  B2B
  12. Update or remove the CAPTCHA verification in the SSPR

    The CAPTCHA verification on the initial SSPR portal page is most of the time really hard to read, and it takes 4-5 attempts to actually start the password reset or account unlock process; this frustrates our end users.

    I understand the reason the CAPTCHA is there, but maybe replace it with reCAPTCHA using images instead of those hard-to-read letters.

    P.S. The current CAPTCHA is case-sensitive, but there is no info in SSPR to highlight that :(

    32 votes
    8 comments  ·  Self-Service Password Reset
  13. Update Azure AD B2C claims when signing in with social providers

    When an Azure AD B2C account is set up after signing in with a social provider, the basic claim details are populated with data from the social provider, such as surname, given/family name, emails, etc. When this information is changed in the social provider account, can it be automatically updated in the B2C claims on the next sign in?

    In essence, when a Facebook/Google/Microsoft/Amazon/LinkedIn user changes their name, email address, etc. I want their B2C account claims updated to reflect the new info the next time they sign in to my B2C app.

    I am attempting to do this without…

    32 votes
    5 comments  ·  B2C

    Thanks for the feedback. So to clarify, you would like the ability to interrupt the user during the sign-in process to ensure their info is in sync with the identity provider they are using. Is that correct? Would you like to see this at all times or just when the data is out of sync?

  14. Self-Service Password Reset Customize UserName Hint like Example@company.com

    Add a Self-Service Password Reset customizable username hint via a URL parameter, e.g. YourExample@Yourcompany.com, instead of the default value of "user@contoso.onmicrosoft.com or user@contoso.com". This would work like the Azure AD customization of the username hint.

    31 votes
    1 comment  ·  Self-Service Password Reset
  15. Support webhooks for Azure PIM Approval Request

    It would be really great if you would consider adding support for webhooks as part of the newly introduced Azure PIM approval workflow feature. We would be able to do a lot of interesting stuff with this option :). Alternatively we would have to poll for new approval requests all the time. #automation #flow #apps

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    31 votes
    under review  ·  2 comments  ·  Privileged Identity Management
  16. Users must not delete resource groups if they are not allowed to delete the resources.

    We created custom roles to allow another team to operate our environment. To avoid accidental deletion of data, we removed the delete action for several storage components, for example Data Lake Store Gen1.

    Unfortunately when deleting a resource group, it completely ignores the permissions on resource level. For example, I do not have deletion rights on ADLS, but I can still remove it, by deleting the whole resource group.

    Resource Groups are simple containers and restricting people on managing them on their own will have a huge impact. We will waste a lot of time to define processes and executing…

    30 votes
    1 comment  ·  Role-based Access Control
  17. customize B2B signup process

    When working with partners it is critical to have customized and company-specific branding and experience.

    Complete customization of verification emails and of the domain name in the signup URL.

    30 votes
    1 comment  ·  B2B
  18. Address VDI and M365 licensing

    Hello everyone, this is a requested change for the components of Azure AD machine join. The use case here is for clients to upgrade their existing Windows PCs (7, 8, 10) to Windows 10 Enterprise. Our customer base uses VMware's Horizon View for VDI. VMware's officially supported license is KMS. Our clients would love to transition to a cloud-based licensing model, but the Windows 10 E3 license does not work with the cloning technology for a couple of reasons.

    Horizon Cloning options & pool types:
    • Manual - VM is not built in Horizon, only brokered through it.
    • Full Clone…

    29 votes
    0 comments  ·  Azure AD Join
  19. Azure AD App Proxy - SSL Certificate Renewal

    When renewing the SSL cert it would be good to upload it just once and have it propagate to all apps using the current cert that is about to be replaced.

    We use wildcards for a single domain, so it would be good to have this rather than upload the same file 50 times (and counting) to update our cert.

    Anytime you create a new application, it knows to use the same cert.

    29 votes
    under review  ·  1 comment  ·  Application Proxy
  20. Service Principal RBAC simulator

    When handling shared subscriptions and deploying certain third-party services, we require a Service Principal that follows the principle of least privilege.
    Nevertheless, after creating this intricate, granular Service Principal, there is no proper way to test out its functionality. The only way to see if your SP works is by actually deploying your service and seeing where it fails, updating the SP and repeating.

    AWS offers an IAM policy simulator that does the job in their case. Something similar would be very helpful to have to improve the deployment experience.

    29 votes
    1 comment  ·  Role-based Access Control
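An offline RBAC evaluator that serves two of the ideas above, as an added example (not an Azure feature, not Microsoft's code): it is the kind of "policy simulator" idea 20 asks for, and run against the custom role from idea 16 it makes the resource-group gap visible before anything is deployed. It models the documented evaluation rules (a role's effective permissions are Actions minus NotActions, NotActions being a subtraction rather than a deny; assignments inherit down the scope hierarchy; `*` in an action string matches any characters). The subscription ID, resource names, service principal and role definitions are constructed; `Microsoft.Resources/subscriptions/resourceGroups/delete` and `Microsoft.DataLakeStore/accounts/delete` are real operation names. Deny assignments, DataActions and resource locks are not modelled.

```python
"""Offline Azure RBAC evaluator for a service principal: an added example,
not an Azure feature.

Models the documented evaluation rules: a role's effective permissions are
Actions minus NotActions (NotActions subtracts from a grant, it is not a
deny), assignments inherit down the scope hierarchy, and '*' in an action
string matches any characters. Deny assignments, DataActions and resource
locks are out of scope. The roles, assignments, subscription ID and
principal below are constructed.
"""
import re
from dataclasses import dataclass, field

RG_DELETE = "Microsoft.Resources/subscriptions/resourceGroups/delete"
ADLS_DELETE = "Microsoft.DataLakeStore/accounts/delete"
ADLS_READ = "Microsoft.DataLakeStore/accounts/read"


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal_id: str
    role: RoleDefinition
    scope: str   # "/subscriptions/<id>[/resourceGroups/<rg>[/providers/...]]"


def action_matches(pattern, action):
    """Azure-style wildcard match: '*' spans any characters, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_permits(role, action):
    granted = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return granted and not excluded


def scope_covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and everything beneath it."""
    a = assignment_scope.rstrip("/").lower().split("/")
    t = target_scope.rstrip("/").lower().split("/")
    return t[: len(a)] == a


def can_perform(principal_id, action, scope, assignments):
    return any(
        ra.principal_id == principal_id
        and scope_covers(ra.scope, scope)
        and role_permits(ra.role, action)
        for ra in assignments
    )


def resource_group_of(resource_scope):
    return "/".join(resource_scope.split("/")[:5])   # /subscriptions/<id>/resourceGroups/<rg>


def can_destroy_resource(principal_id, delete_action, resource_scope, assignments):
    """Two ways to lose a resource: its own delete action, or deleting the containing group.

    The second path is the one the resource-group post describes: deleting a
    resource group removes everything inside it without evaluating the
    per-resource delete permissions.
    """
    return {
        "direct": can_perform(principal_id, delete_action, resource_scope, assignments),
        "via_resource_group": can_perform(principal_id, RG_DELETE, resource_group_of(resource_scope), assignments),
    }


def simulate(principal_id, checks, assignments):
    """IAM-policy-simulator style: evaluate (action, scope) pairs before deploying anything."""
    return {(action, scope): can_perform(principal_id, action, scope, assignments) for action, scope in checks}


# Constructed tenant state.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/data-platform"
ADLS = RG + "/providers/Microsoft.DataLakeStore/accounts/lake01"
SP = "sp-ci-pipeline"

OPERATOR_ROLE = RoleDefinition("Data Platform Operator", actions=["*"], not_actions=[ADLS_DELETE])
HARDENED_ROLE = RoleDefinition("Data Platform Operator (hardened)", actions=["*"], not_actions=[ADLS_DELETE, RG_DELETE])


def assignments_for(role):
    return [RoleAssignment(SP, role, RG)]


if __name__ == "__main__":
    for role in (OPERATOR_ROLE, HARDENED_ROLE):
        print(role.name, can_destroy_resource(SP, ADLS_DELETE, ADLS, assignments_for(role)))
```

The first role reproduces the complaint in idea 16: the Data Lake Store delete is subtracted, yet the resource-group delete is still granted by `*`, so the account can be destroyed by deleting its group. Adding the resource-group delete to NotActions closes that path for this role only; because NotActions is not a deny, any other assignment the principal holds can grant it back, so on a real tenant pair the role change with a CanNotDelete lock (`Microsoft.Authorization/locks`) on the group and verify with `az role assignment list --assignee <appId> --all` and the portal's "Check access" rather than trusting the simulator alone.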