Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Return social IdP's native access tokens back to the app
Return social IdP's native access tokens (for e.g., Facebook access tokens) back to the app.
20 votesAzure AD B2C now allows the access tokens of OAuth 2.0 identity providers to be passed as a claim in the B2C token. Please try it out (see instructions below) and give us feedback at aadb2cpreview@microsoft.com.
User flows (built-in policies)
https://docs.microsoft.com/azure/active-directory-b2c/idp-pa…
Custom policies
https://docs.microsoft.com/azure/active-directory-b2c/idp-pass-through-custom
-
Customer tenants should be manageable by PIM
PIM should be able to manage access to customer's tenants. Partner has employees with their own source of authority but should still be able to give out access based on Azure lighthouse for instance. AzLighthouse currently supports groups only, which are not supported by PIM.
19 votesLighthouse customers will be able to use PIM so they don’t have standing access to customer data.
-
PIM - Configure default settings for all role assignments
Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.
Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.
e.g. I would like PIM eligible assignment to default to a maxiumum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.
Thanks
Ben.18 votes -
Allow User Consent per Scope
Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".
Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.
18 votesWe have started the work on this capability. I’ll share more information about the ETA as we get closer to a public preview. Current ETA is by end of April.
Thanks,
Luis -
The Password-based SSO Extension should inactivate the option of saving passwords in the browser.
The Password-based SSO Extension "My Apps Secure Sign-in Extension" should inactivate the option of saving passwords in the browser.
Currently, any user can just save the passwords in the browser. Edge is manageable but Chrome, FireFox and Internet Explorer as supported browsers for the extension should inactivate the password manager.
18 votesYes, we are working on an update to suppress the save password prompt when using the My Apps extension. Thanks for your feedback!
-
Workday trigger delta sync
The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.
17 votesHi we are working on the ability to sync a specific user / group on demand so you don’t have to wait for the next sync cycle.
/Arvind
-
proxyaddresses
Make the ProxyAddresses attribute available through LDAPS when using Managed Domain
Many Anti-Spam applications (ex: Zero Spam) need to connect via LDAPS to list users, and get their email address(es) but only the mail attribute is available...
Since LDAPS managed domain is using our Azure AD , and AzureAD already has this attributes ( synched from our onPremise AD) I don't understand why it is not available through LDAPS
17 votesHi all,
We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!
Erin Greenlee
Program Manager
IAM Core | Domain Services -
Add support for creating native AD applications via PowerShell cmdlets
The current version of the New-AzureRMADApplication cmdlet only supports creating web applications in Azure AD. Please add support for creating Native Applications as well.
16 votesThe new Azure AD PowerShell module that is under development will include support for applications. (Note: These will be following the -AzureAD pattern, not -AzureRm, convention, which is specific to Azure Resource Manager.)
-
Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity
Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.
It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, Intune doesn't enforce company portal and that Exchange ActiveSync is not blocked on the Exchange Backend.
Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"
Att.: Caleb and Dhanyah
/Peter Selch Dahl
15 votes -
Create Policy differentiation from a BYOD vs CYOD device both PC and Mobile devices.
Many organizations would like to specify certain applications can only be accessed via corporate owned assets but would still like to take advantage of BYOD scenarios for other applications. To that end a differentiation of devices from BYOD and CYOD through to PC's would be great.
Also there should be a process to move devices between the two groups.
15 votes -
IPv6 Whitelisting option in Azure Multi-Factor Authentication
The Azure Multi-Factor Authentication server software only allows IPv4 whitelisting. IPv6 whitelisting would be great for the future.
15 votesHey folks,
The work for this has started. We hope to have an update for you really soon.
@MarkMorow
-
Allow creation of custom directory roles in Azure AD
Being able to create custom directory roles in Azure AD can allow Administrators the ability to grant users custom tailored roles in Azure AD. One example would be allowing the security office in your organization access to the risky events and risky users tabs with the ability to close,reopen, or mark for false positive without having to give them permissions that they do not need. This essentially takes the idea of "least privileged roles" and expands it to allow for further customization.
14 votesHi,
This is duplicate of – https://feedback.azure.com/forums/169401/suggestions/12868950 . Latest status of Azure AD custom roles will be updated there.Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.
You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.
Abhijeet Sinha
Azure AD RBAC team -
AAD Connect - Sync a single object
AAD Connect - Allow sync of a selected object. This is useful in troubleshooting one object versus parsing through everything else.
14 votes -
Allow Directory Extensions as claim in SAML Token
This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.
If you create a directory extension attribute there doesn't seem to be way to include it as a claim (ie. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).
I have found that you can include a directory extension attribute as an optional claim in the…
14 votesWe have work in progress to enable directory extension attributes from the Enterprise apps UI. You can use PowerShell to get unblocked: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping
In the comments, Ross has shared a link to a forum where you can find the exact policy.
-
OpenID Connect id_token is missing email claim
The id_token issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) are missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?
14 votesWe have begun work on the V2 endpoint to support the email scope for id tokens. It can be provided on the V1 endpoint (or in V2 endpoint access tokens) via the optional claim ( https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims )
-
AAD connect as a service
I would love to see Microsoft offering AAD Connect as a Service. Either with an agent on a DC or member server much like the pass-through auth server works. But having the sync and metaverse running in a service in the cloud.
14 votes -
aad custom roles
Would be nice if we could create custom aad roles, might be wrong but the concept of creator/owner and being able to assign permissions to the owner role would be nice.
13 votesHi,
This is duplicate of – https://feedback.azure.com/forums/169401/suggestions/12868950 . Latest status of Azure AD custom roles will be updated there.Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.
You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.
Abhijeet Sinha
Azure AD RBAC team -
Latency in sync between Azure ad and Managed domain
There is a delay in sync between Azure ad and domain services.
It will be great if we can reduce this sync delay.
Some times sync will not be up to date so need access to restart the sync between Azure ad and Managed domain.13 votes -
Assign directory roles to groups
Allow the ability to assign Groups to directory roles for better RBAC implementations. As an example, I would like to assign the role "Application Administrator" to a group using the cmdlt add-MsolRoleMember -RoleObjectId "objectID" -RoleMemberType Group -RoleMemberObjectId "objectID" but even though the switch for group is available, it is not supported. So I have to add every single individual user to this role (and many others) in order to extend our on-prem RBAC model to Azure. This is not scalable.
13 votesHi,
Assigning cloud groups to built-in roles is in public preview starting today. Thanks a ton for all the great feedback that you shared with us. Here’s the published documentation -https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept
Next steps —> Support for custom roles and on-prem groups. Stay tuned!
This feedback is similar to – https://feedback.azure.com/forums/169401/suggestions/12938997. Latest status of assigning groups to Azure AD roles will be updated there.
Regards,
Abhijeet Kumar Sinha
Azure Active Directory Team -
Hybrid Joined Devices support with FIDO2
I realise the support for FIDO2 logins with Azure AD was only just released recently, but what timeline is there for support for hybrid joined devices login?
12 votesThis is currently in progress and will be announced shortly.
- Don't see your idea?