Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add Manager Option to Reviewers in Access Reviews
Our organization requires Managers to approve access to Applications. Please give the option to require a manager to approve application access via the Access Reviews option.
29 votes
Good news – Manager as reviewer is currently in private preview. If you are interested in trying out this feature, please feel free to comment on this thread or email accessreviews@microsoft.com.
-
Allow multi-tenant automatic registration of windows domain-joined devices
The guide available here:
Is not multi-tenant aware.
This prevents the use of meaningful conditional access policies where multiple customers are sharing the same source Windows Server OnPrem AD in a hybrid 365 scenario.
I would like a solution that allows the SCP information to be delivered by an alternate means, GPO for example.
We could then sync multiple customers in AD to multiple 365 tenants and implement conditional access effectively.
28 votes
We are in the process of updating docs to include Hybrid Azure AD join as a supported scenario in a single AD forest to multiple Azure AD tenants. This could be achieved using client side SCP settings that can be configured using GPO. However, there are certain limitations with a single AD forest to multiple Azure AD tenant setup. Capabilities like Windows Hello for Business using cert trust deployment model, enabling Conditional Access for on-prem apps federated with AD FS, Syncing Office 365 Groups back to on-prem Exchange, enabling Seamless SSO and enabling Azure AD Password Protection for on-prem AD DS will not work.
-
AzureAD join give user Admin access- needs to restrict
By Default AzureAD join gives user Admin access can we restrict this? This is a huge security risk.
27 votes
Thanks for the feedback, this is currently in development. We will be adding an option in Azure AD to control this.
Currently, this can be controlled via Windows Autopilot or Bulk enrollment. Please see https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan#understand-your-provisioning-options for more details
/Ravi
-
BUG: Unable to Delete an Application's AppRole
Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".
When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK, looking at the browser's developer tools (See first attached image).
After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browser's developer tools, it's coming back as true there too (See second attached image).
27 votes
Thanks for reporting this!
I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.
For now, there are two options to work around this:
1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697
2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
/ Philippe Signoret
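The two-step workaround above (disable the role, then remove it) written out as an Azure AD PowerShell script. This is an added example, not the StackOverflow script Philippe links to; it assumes the AzureAD module is installed, `Connect-AzureAD` has already been run, and the application object ID and role value (`Reports.Read` is a constructed sample) are replaced with your own.

```powershell
# Added example: remove an app role from an Azure AD application in two writes.
# Assumes the AzureAD PowerShell module and an existing Connect-AzureAD session.
$appObjectId = '<application-object-id>'   # placeholder: the app's Object ID, not its App ID
$roleValue   = 'Reports.Read'              # constructed sample: the Value of the role to remove

$app   = Get-AzureADApplication -ObjectId $appObjectId
$roles = $app.AppRoles

$target = $roles | Where-Object { $_.Value -eq $roleValue }
if (-not $target) {
    throw "No app role with value '$roleValue' found on application $appObjectId"
}

# Step 1: disable the role and write the full list back.
# Removing a role that is still enabled is what triggers the
# "Property value cannot be deleted unless it is disabled first" 400 response.
if ($target.IsEnabled) {
    $target.IsEnabled = $false
    Set-AzureADApplication -ObjectId $appObjectId -AppRoles $roles
}

# Step 2: write the list back without the now-disabled role.
$remaining = @($roles | Where-Object { $_.Id -ne $target.Id })
Set-AzureADApplication -ObjectId $appObjectId -AppRoles $remaining

# Re-read the application to confirm the role is gone rather than trusting the write.
(Get-AzureADApplication -ObjectId $appObjectId).AppRoles |
    Select-Object DisplayName, Value, IsEnabled
```

The final re-read matters because, as the report above shows, the portal can return 200 OK while the stored manifest is unchanged; checking the object after the second write is the only reliable confirmation.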
-
Make Azure Ad Application 'permissions to other applications' optional not mandatory
From what I understand, adding permissions in the 'permissions to other applications' section of an Azure AD Application means that any tenant administrator trying to grant access to that application using the Admin consent flow must have all the services requested. E.g. if requesting Office 365 'Read users email' permission and CRM Online 'Access CRM Online as organization users' permission the requesting tenant must have both of those Microsoft Services linked to their Azure AD.
If you don't have access to all requested services you receive the following error:
'AADSTS65005: The application needs access to a service that your organization…
27 votes
The v2 endpoint for Azure AD supports incremental/dynamic consent, by which an app requests the permissions it needs at run time, dynamically. This will allow your app to get tokens for basic scenarios first (e.g. sign in and get profile) and only get tokens for other, optional, scenarios (e.g. read and send mail as the user) later.
Be sure to review the current limitations on which services the v2 endpoint will grant tokens for, as this does work for all scenarios or all Microsoft services yet: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations#restrictions-on-services-and-apis
-
PIM - Configure default settings for all role assignments
Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.
Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.
e.g. I would like PIM eligible assignment to default to a maximum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.
Thanks
Ben.
26 votes
-
Make the content of Access Review emails customizable.
The emails sent to complete an access review have unnecessary additional content (e.g. Microsoft Address) and do not allow addition of more information to help those that receive a message.
26 votes
Hi Ben,
Thanks for the feedback! Good news is that we are working to improve the emails to provide the reviewers the necessary information succinctly. Some of the information you see, the Microsoft logo and address, some are there because of legal reasons. We are actively working on this right now and will provide updates here.
Follow up question for you, what else do you think is unnecessary, and what would you like to see?
Thanks
Fionna
-
App grouping
Currently conditional access policies can be scoped only to individual applications.
This has strong limitations:
* No more than hundreds of applications per policy
* In large environments with lots of applications, this gets very complex and unmanageable
* Changes to Conditional Access policies are always risky and should be minimized
* Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automation
All these issues can be solved by the following set of features:
* Provide a mechanism to group apps
* Allow CA policies to be scoped to these app groups
Depending…
25 votes -
Return social IdP's native access tokens back to the app
Return social IdP's native access tokens (for e.g., Facebook access tokens) back to the app.
21 votes
Azure AD B2C now allows the access tokens of OAuth 2.0 identity providers to be passed as a claim in the B2C token. Please try it out (see instructions below) and give us feedback at aadb2cpreview@microsoft.com.
User flows (built-in policies)
https://docs.microsoft.com/azure/active-directory-b2c/idp-pa…
Custom policies
https://docs.microsoft.com/azure/active-directory-b2c/idp-pass-through-custom
-
My Apps portal getting crowded with Published Apps
The Azure My Apps portal is getting crowded with Published Apps and there is no way to customize the look and feel. It would be nice if the portal allowed better organization/customization of the published apps where you could move around apps, hide apps, put apps into a folder structure, etc....
20 votes
Hi, you are now able to hide apps. We are in the process of designing grouping apps.
/Arvind
-
The Password-based SSO Extension should inactivate the option of saving passwords in the browser.
The Password-based SSO Extension "My Apps Secure Sign-in Extension" should inactivate the option of saving passwords in the browser.
Currently, any user can just save the passwords in the browser. Edge is manageable but Chrome, FireFox and Internet Explorer as supported browsers for the extension should inactivate the password manager.
19 votes
Yes, we are working on an update to suppress the save password prompt when using the My Apps extension. Thanks for your feedback!
-
Allow User Consent per Scope
Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".
Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.
18 votes
We have started the work on this capability. I’ll share more information about the ETA as we get closer to a public preview. Current ETA is by end of April.
Thanks,
Luis
-
Workday trigger delta sync
The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.
18 votes
Hi, we are working on the ability to sync a specific user / group on demand so you don’t have to wait for the next sync cycle.
/Arvind
-
AAD Connect - Sync a single object
AAD Connect - Allow sync of a selected object. This is useful in troubleshooting one object versus parsing through everything else.
17 votes -
proxyaddresses
Make the ProxyAddresses attribute available through LDAPS when using Managed Domain
Many Anti-Spam applications (ex: Zero Spam) need to connect via LDAPS to list users, and get their email address(es) but only the mail attribute is available...
Since the LDAPS managed domain is using our Azure AD, and Azure AD already has these attributes (synced from our on-premise AD), I don't understand why it is not available through LDAPS.
17 votes
Hi all,
We’ve started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!
Erin Greenlee
Program Manager
IAM Core | Domain Services
-
Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy
Support HSTS HTTP Strict-Transport-Security on Azure AD Application Proxy. Currently the Azure Application Proxy does not support the Strict-Transport-Security header. Please make App Proxy support this and maybe other customizable headers for DHS BOD 18-01 compliance. https://cyber.dhs.gov/bod/18-01/ The On-prem solution (Web Application Proxy) is also not compliant.
16 votes
We’re working on a feature to enable this as a setting on an application. If you would like this enabled for your tenant as part of a preview please reach out to aadapfeedback@microsoft.com.
-
Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity
Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.
It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, Intune doesn't enforce company portal and that Exchange ActiveSync is not blocked on the Exchange Backend.
Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"
Att.: Caleb and Dhanyah
/Peter Selch Dahl
16 votes -
Latency in sync between Azure ad and Managed domain
There is a delay in sync between Azure ad and domain services.
It will be great if we can reduce this sync delay.
Sometimes sync will not be up to date, so we need access to restart the sync between Azure AD and the Managed domain.
16 votes
-
Add support for creating native AD applications via PowerShell cmdlets
The current version of the New-AzureRMADApplication cmdlet only supports creating web applications in Azure AD. Please add support for creating Native Applications as well.
16 votes
The new Azure AD PowerShell module that is under development will include support for applications. (Note: These will be following the -AzureAD pattern, not the -AzureRm convention, which is specific to Azure Resource Manager.)
-
Allow Directory Extensions as claim in SAML Token
This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.
If you create a directory extension attribute there doesn't seem to be way to include it as a claim (ie. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).
I have found that you can include a directory extension attribute as an optional claim in the…
15 votes
We have work in progress to enable directory extension attributes from the Enterprise apps UI. You can use PowerShell to get unblocked: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping
In the comments, Ross has shared a link to a forum where you can find the exact policy.
-