Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Granular options for Self Service Password Reset Factors

    It would be nice to be able to configure self service password reset MFA with as much granularity as application MFA policies.

    1) Restrict what factors you can use based on trusted device, network location, etc.

    2) Specify different policies for different user groups. For example, administrative users who are not AAD administrators.

    3) Restrict by domain and have different rules per domains syncing up to the same tenant.

    30 votes

    4 comments  ·  Self-Service Password Reset
  2. AADB2C: Support Twitter

    B2C currently supports authenticating with various social networks, but not Twitter. Please consider supporting Twitter as well.

    30 votes

    2 comments  ·  B2C
  3. App grouping

    Currently conditional access policies can be scoped only to individual applications.
    This has strong limitations:
    * No more than hundreds of applications per policy
    * In large environments with lots of applications, this gets very complex and unmanageable
    * Changes to Conditional Access policies are always risky and should be minimized
    * Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automation

    All these issues can be solved by the following set of features:
    * Provide a mechanism to group apps
    * Allow CA policies to be scoped to these app groups

    Depending…

    28 votes

    started  ·  5 comments  ·  Conditional Access
  4. Azure AD join gives user Admin access - needs to be restricted

    By default, Azure AD join gives the user Admin access. Can we restrict this? This is a huge security risk.

    27 votes

    3 comments  ·  Domain Join
  5. BUG: Unable to Delete an Application's AppRole

    Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".

    When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools (see first attached image).

    After reloading the Edit manifest screen the isEnabled property is still true, and if you look at the PUT response in the browser's developer tools, it's coming back as true there too (see second attached image).

    27 votes

    3 comments  ·  SaaS Applications

    Thanks for reporting this!

    I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.

    For now, there are two options to work around this:

    1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697

    2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).

    / Philippe Signoret
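    The two-PATCH workaround described above, as an added example that is not Microsoft's or the thread's own code: it builds both request bodies from an application's appRoles list and runs them against a hypothetical in-memory stand-in for the Application object that refuses to drop a role while it is still enabled, so the required ordering (disable first, then remove) is visible. The FakeApplication and AppRoleStillEnabled names, and the sample role ids, are assumptions.

```python
import copy

# Constructed sample of an Application object's appRoles, in the shape Azure AD
# Graph returns them. The ids are placeholders, not from any real tenant.
SAMPLE_APP_ROLES = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Reader",
     "value": "Reader", "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Writer",
     "value": "Writer", "isEnabled": True, "allowedMemberTypes": ["User"]},
]


class AppRoleStillEnabled(Exception):
    """Stand-in for the 400 Bad Request the service returns when an enabled role is dropped."""


class FakeApplication:
    """Hypothetical in-memory stand-in for the Application object behind a Graph PATCH.
    It enforces the rule from the bug report: a role must be disabled before removal."""

    def __init__(self, app_roles):
        self.app_roles = copy.deepcopy(app_roles)

    def patch(self, body):
        new_roles = {r["id"]: r for r in body["appRoles"]}
        for role in self.app_roles:
            if role["id"] not in new_roles and role["isEnabled"]:
                raise AppRoleStillEnabled(
                    "Property value cannot be deleted unless it is disabled first")
        self.app_roles = copy.deepcopy(body["appRoles"])
        return 204  # a successful Graph PATCH answers 204 No Content


def build_patch_bodies(app_roles, role_id):
    """Return the two PATCH bodies in order: disable the role, then drop it."""
    if not any(r["id"] == role_id for r in app_roles):
        raise KeyError(f"no appRole with id {role_id}")
    disabled = [dict(r, isEnabled=False) if r["id"] == role_id else dict(r)
                for r in app_roles]
    removed = [r for r in disabled if r["id"] != role_id]
    return {"appRoles": disabled}, {"appRoles": removed}


def remove_app_role(app, role_id):
    """Apply both PATCHes to an application and return the surviving role ids."""
    disable_body, remove_body = build_patch_bodies(app.app_roles, role_id)
    app.patch(disable_body)   # step 1: isEnabled -> false
    app.patch(remove_body)    # step 2: resend the full list without the disabled role
    return [r["id"] for r in app.app_roles]
```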

  6. Make Azure AD Application 'permissions to other applications' optional, not mandatory

    From what I understand, adding permissions in the 'permissions to other applications' section of an Azure AD Application means that any tenant administrator trying to grant access to that application using the Admin consent flow must have all the services requested. E.g. if requesting Office 365 'Read users email' permission and CRM Online 'Access CRM Online as organization users' permission the requesting tenant must have both of those Microsoft Services linked to their Azure AD.

    If you don't have access to all requested services you receive the following error:

    'AADSTS65005: The application needs access to a service that your organization…

    27 votes

    1 comment  ·  Developer Experiences

    The v2 endpoint for Azure AD supports incremental/dynamic consent, by which an app requests the permissions it needs at run time, dynamically. This will allow your app to get tokens for basic scenarios first (e.g. sign in and get profile) and only get tokens for other, optional, scenarios (e.g. read and send mail as the user) later.

    Be sure to review the current limitations on which services the v2 endpoint will grant tokens for, as this does not yet work for all scenarios or all Microsoft services: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations#restrictions-on-services-and-apis

  7. Return social IdP's native access tokens back to the app

    Return social IdP's native access tokens (for e.g., Facebook access tokens) back to the app.

    21 votes

    4 comments  ·  B2C
  8. My Apps portal getting crowded with Published Apps

    The Azure My Apps portal is getting crowded with Published Apps and there is no way to customize the look and feel. It would be nice if the portal allowed better organization/customization of the published apps, where you could move around apps, hide apps, put apps into a folder structure, etc.

    20 votes

    5 comments  ·  End user experiences
  9. Allow User Consent per Scope

    Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".

    Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.

    19 votes

    1 comment  ·  SaaS Applications
  10. The Password-based SSO Extension should inactivate the option of saving passwords in the browser.

    The Password-based SSO Extension "My Apps Secure Sign-in Extension" should inactivate the option of saving passwords in the browser.

    Currently, any user can just save the passwords in the browser. Edge is manageable but Chrome, FireFox and Internet Explorer as supported browsers for the extension should inactivate the password manager.

    19 votes

    7 comments  ·  End user experiences
  11. Workday trigger delta sync

    The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.

    18 votes

    5 comments  ·  Provisioning from Cloud HR
  12. AAD Connect - Sync a single object

    AAD Connect - Allow sync of a selected object. This is useful in troubleshooting one object versus parsing through everything else.

    17 votes

    started  ·  2 comments  ·  Azure AD Connect
  13. Latency in sync between Azure AD and Managed Domain

    There is a delay in sync between Azure AD and Domain Services.
    It would be great if we could reduce this sync delay.
    Sometimes the sync will not be up to date, so we need access to restart the sync between Azure AD and the managed domain.

    17 votes

    started  ·  5 comments  ·  Domain Services
  14. proxyaddresses

    Make the ProxyAddresses attribute available through LDAPS when using Managed Domain

    Many Anti-Spam applications (ex: Zero Spam) need to connect via LDAPS to list users, and get their email address(es) but only the mail attribute is available...

    Since the LDAPS managed domain is using our Azure AD, and Azure AD already has this attribute (synced from our on-premises AD), I don't understand why it is not available through LDAPS.

    17 votes

    3 comments  ·  Domain Services

    Hi all,

    We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!

    Erin Greenlee
    Program Manager
    IAM Core | Domain Services

  15. OpenID Connect id_token is missing email claim

    The id_token issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) is missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?

    17 votes

    3 comments  ·  Authentication
  16. Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy

    Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy. Currently the Azure Application Proxy does not support the Strict-Transport-Security header. Please make App Proxy support this and maybe other customizable headers for DHS BOD 18-01 compliance. https://cyber.dhs.gov/bod/18-01/ The On-prem solution (Web Application Proxy) is also not compliant.

    16 votes

    1 comment  ·  Application Proxy
  17. Access review

    Option to include non-user service principals in Access Reviews of Azure PIM resource roles.

    All elevated members' access (owners, contributors) to Azure subscriptions needs to be reviewed as part of SOX compliance, and currently non-user service principals (like VSO service principals used for automated deployments in Azure) are not included in the Access Reviews initiated for Azure resource roles.

    16 votes

    started  ·  0 comments  ·  Privileged Identity Management
  18. Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity

    Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.

    It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, Intune doesn't enforce company portal and that Exchange ActiveSync is not blocked on the Exchange Backend.

    Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"

    Att.: Caleb and Dhanyah

    /Peter Selch Dahl

    16 votes

    started  ·  3 comments  ·  Conditional Access
  19. Create Policy differentiation from a BYOD vs CYOD device both PC and Mobile devices.

    Many organizations would like to specify that certain applications can only be accessed via corporate-owned assets but would still like to take advantage of BYOD scenarios for other applications. To that end, a differentiation of devices between BYOD and CYOD, through to PCs, would be great.

    Also there should be a process to move devices between the two groups.

    16 votes

    started  ·  1 comment  ·  Conditional Access
  20. Add support for creating native AD applications via PowerShell cmdlets

    The current version of the New-AzureRMADApplication cmdlet only supports creating web applications in Azure AD. Please add support for creating Native Applications as well.

    16 votes

    4 comments  ·  PowerShell