Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Granular options for Self Service Password Reset Factors
It would be nice to be able to configure self service password reset MFA with as much granularity as application MFA policies.
1) Restrict what factors you can use based on trusted device, network location, etc.
2) Specify different policies for different user groups. For example, administrative users who are not AAD administrators.
3) Restrict by domain and have different rules per domains syncing up to the same tenant.
30 votesWe are currently working to address #2 – granular controls for which group of users can use which methods. We’ll keep you up to date as we make progress. Thanks!
-
AADB2C: Support Twitter
B2C currently supports authenticating with various social networks, but not Twitter. Please consider supporting Twitter as well.
30 votesTwitter is now in public preview! It should be available as one of the identity providers in your Azure AD B2C tenant. Here are the instructions to get setup – https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-twitter-app.
Check it out and let us know if you have any feedback!
/Parakh
-
App grouping
Currently conditional access policies can be scoped only to individual applications.
This has strong limitations:
* No more than hundreds of applications per policy
* In large environments with lots of applications, this gets very complex and unmanageable
* Changes to Conditional Access policies are always risky and should be minimized
* Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automationAll these issues can be solved by the following set of features:
* Provide a mechanism to group apps
* Allow CA policies to be scoped to these app groupsDepending…
28 votes -
AzureAD join give user Admin access- needs to restrict
By Default AzureAD join gives user Admin access can we restrict this? This is a huge security risk.
27 votesThanks for the feedback, this is currently in development. We will be adding an option in Azure AD to control this
Currently, this can be controlled via Windows Autopilot or Bulk enrollment. Please see https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan#understand-your-provisioning-options for more details
/Ravi
-
BUG: Unable to Delete an Application's AppRole
Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".
When I set the isEnabled property to false and then hit save, I get a successful saven with a 200 OK looking at the browsers developer tools (See first attached image).
After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browsers developer tools, it's coming back as true there too (See second attached image).
27 votesThanks for reporting this!
I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.
For now, there are two options to work around this:
1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697
2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
/ Philippe Signoret
-
Make Azure Ad Application 'permissions to other applications' optional not mandatory
From what I understand, adding permissions in the 'permissions to other applications' section of an Azure AD Application means that any tenant administrator trying to grant access to that application using the Admin consent flow must have all the services requested. E.g. if requesting Office 365 'Read users email' permission and CRM Online 'Access CRM Online as organization users' permission the requesting tenant must have both of those Microsoft Services linked to their Azure AD.
If you don't have access to all requested services you receive the following error:
'AADSTS65005: The application needs access to a service that your organization…
27 votesThe v2 endpoint for Azure AD supports incremental/dynamic consent, by which an app requests the permissions it needs at run time, dynamically. This will allow your app to get tokens for basic scenarios first (e.g. sign in and get profile) and only get tokens for other, optional, scenarios (e.g. read and send mail as the user) later.
Be sure to review the current limitations on which services the v2 endpoint will grant tokens for, as this does work for all scenarios or all Microsoft services yet: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations#restrictions-on-services-and-apis
-
Return social IdP's native access tokens back to the app
Return social IdP's native access tokens (for e.g., Facebook access tokens) back to the app.
21 votesAzure AD B2C now allows the access tokens of OAuth 2.0 identity providers to be passed as a claim in the B2C token. Please try it out (see instructions below) and give us feedback at aadb2cpreview@microsoft.com.
User flows (built-in policies)
https://docs.microsoft.com/azure/active-directory-b2c/idp-pa…
Custom policies
https://docs.microsoft.com/azure/active-directory-b2c/idp-pass-through-custom
-
My Apps portal getting crowded with Published Apps
The Azure My Apps portal is getting crowded with Published Apps and there is no way to customize the look and feel. It would be nice if the portal allowed better oganization/customizations of the published apps where you could move around apps, hide apps, put apps into a folder structure, etc....
20 votesHi You are now able to hide apps. We are in the process of designing grouping apps.
/Arvind
-
Allow User Consent per Scope
Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".
Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.
19 votesWe have started the work on this capability. I’ll share more information about the ETA as we get closer to a public preview. Current ETA is by end of April.
Thanks,
Luis -
The Password-based SSO Extension should inactivate the option of saving passwords in the browser.
The Password-based SSO Extension "My Apps Secure Sign-in Extension" should inactivate the option of saving passwords in the browser.
Currently, any user can just save the passwords in the browser. Edge is manageable but Chrome, FireFox and Internet Explorer as supported browsers for the extension should inactivate the password manager.
19 votesYes, we are working on an update to suppress the save password prompt when using the My Apps extension. Thanks for your feedback!
-
Workday trigger delta sync
The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.
18 votesHi we are working on the ability to sync a specific user / group on demand so you don’t have to wait for the next sync cycle.
/Arvind
-
AAD Connect - Sync a single object
AAD Connect - Allow sync of a selected object. This is useful in troubleshooting one object versus parsing through everything else.
17 votes -
Latency in sync between Azure ad and Managed domain
There is a delay in sync between Azure ad and domain services.
It will be great if we can reduce this sync delay.
Some times sync will not be up to date so need access to restart the sync between Azure ad and Managed domain.17 votes -
proxyaddresses
Make the ProxyAddresses attribute available through LDAPS when using Managed Domain
Many Anti-Spam applications (ex: Zero Spam) need to connect via LDAPS to list users, and get their email address(es) but only the mail attribute is available...
Since LDAPS managed domain is using our Azure AD , and AzureAD already has this attributes ( synched from our onPremise AD) I don't understand why it is not available through LDAPS
17 votesHi all,
We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!
Erin Greenlee
Program Manager
IAM Core | Domain Services -
OpenID Connect id_token is missing email claim
The id_token issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) are missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?
17 votesWe have begun work on the V2 endpoint to support the email scope for id tokens. It can be provided on the V1 endpoint (or in V2 endpoint access tokens) via the optional claim ( https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims )
-
Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy
Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy. Currently the Azure Application Proxy does not support the Strict-Transport-Security header. Please make App Proxy support this and maybe other customizable headers for DHS BOD 18-01 compliance. https://cyber.dhs.gov/bod/18-01/ The On-prem solution (Web Application Proxy) is also not compliant.
16 votesWe’re working on a feature to enable this as a setting on an application. If you would like this enabled for your tenant as part of a preview please reach out to aadapfeedback@microsoft.com.
-
Access review
Option to include non user Service principals in Access review of Azure PIM resource roles.
All Elevated members access ( owners , contributors) to Azure subscription need to be reviewed as part of SOX compliance and currently Non user service principals ( like VSO Service principals used for automated deployments in Azure) are not included in the Access reviews initiated for Azure Resource roles.
16 votes -
Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity
Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.
It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, Intune doesn't enforce company portal and that Exchange ActiveSync is not blocked on the Exchange Backend.
Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"
Att.: Caleb and Dhanyah
/Peter Selch Dahl
16 votes -
Create Policy differentiation from a BYOD vs CYOD device both PC and Mobile devices.
Many organizations would like to specify certain applications can only be accessed via corporate owned assets but would still like to take advantage of BYOD scenarios for other applications. To that end a differentiation of devices from BYOD and CYOD through to PC's would be great.
Also there should be a process to move devices between the two groups.
16 votes -
Add support for creating native AD applications via PowerShell cmdlets
The current version of the New-AzureRMADApplication cmdlet only supports creating web applications in Azure AD. Please add support for creating Native Applications as well.
16 votesThe new Azure AD PowerShell module that is under development will include support for applications. (Note: These will be following the -AzureAD pattern, not -AzureRm, convention, which is specific to Azure Resource Manager.)
- Don't see your idea?