Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!


  1. Add dynamic validation rules to Self Service Password Reset

    When trying to reset your password via Azure SSPR with writeback to on-prem AD, you currently don't get much detail as to why a password reset may have failed (not enough characters, not complex enough, etc.). Our on-prem password reset tool can validate your new password as you type so that you can make sure the new password meets your company policies, and it would be great if Azure SSPR could do this too. Even just more detail on why a password reset fails would be of great help to end users.

    31 votes

    7 comments  ·  Self-Service Password Reset

    Thank you for your feedback! We will take this into consideration and welcome any specific ideas or feedback you have in the meantime. Would you like to see some sort of custom password strength meter? Or maybe just text that tells the user what the on-prem password policy is? Thank you in advance!

    Sadie Henry (sahenry)

  2. Users must not delete resource groups if they are not allowed to delete the resources.

    We created custom roles to allow another team to operate our environment. To avoid accidental deletion of data, we removed the delete action for several storage components, for example Data Lake Store Gen1.

    Unfortunately when deleting a resource group, it completely ignores the permissions on resource level. For example, I do not have deletion rights on ADLS, but I can still remove it, by deleting the whole resource group.

    Resource Groups are simple containers, and restricting people from managing them on their own will have a huge impact. We will waste a lot of time defining processes and executing…

    30 votes

    1 comment  ·  Role-based Access Control
  3. Access package policy for dynamic assignment

    The ability to have a policy that dynamically assigns access packages to users automatically, based on criteria / filters, is very important, as this will greatly improve an organization's ability to provide a set of default access packages to its users based on division, company, etc.

    29 votes

    under review  ·  2 comments  ·  Entitlement Management
  4. Conditional Access for B2B Guest users

    For a Conditional Access Policy applicable to B2B Guest Users, in Azure AD > CA Policy we do not have an option for selective selection of B2B Guest users under the 'Users and Groups' section of the CA Policy. But for Cloud Member users we do have an option for selective selection of users. Why don't we have the same capability and functionality for B2B Guest users that we have for Cloud Member users in CA Policy? Also, why is it labelled as Preview Mode?

    29 votes

    9 comments  ·  Conditional Access

    We’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?

  5. Address VDI and M365 licensing

    Hello everyone, this is a requested change for the components of Azure AD machine join. The use case here is for clients to upgrade their existing Windows PCs (7, 8, 10) to Windows 10 Enterprise. Our customer base uses VMware's Horizon View for VDI. VMware's officially supported license is KMS. Our clients would love to transition to a cloud-based licensing model, but the Windows 10 E3 license does not work with the cloning technology for a couple of reasons.

    Horizon Cloning options & pool types:
    • Manual - VM is not built in Horizon, only brokered through it.
    • Full Clone…

    29 votes

    0 comments  ·  Azure AD Join
  6. Service Principal RBAC simulator

    When handling shared subscriptions and deploying certain third-party services, we need a Service Principal that follows the principle of least privilege.
    Nevertheless, after creating this intricate, granular Service Principal, there is no proper way to test its functionality. The only way to see if your SP works is by actually deploying your service, seeing where it fails, updating the SP and repeating.

    AWS offers an IAM policy simulator that does the job in their case. Something similar would be very helpful to improve the deployment experience.

    29 votes

    2 comments  ·  Role-based Access Control
  7. Customize the Azure AD Application Proxy Gateway error page

    When you are using the Application Proxy Gateway and there is some error in the connection, e.g. the user is not authorized or there is a timeout, you get an error page that is not company branded. See the attached picture.

    It would be nice if it were possible to either use the existing company branding or add separate branding to those error pages.

    29 votes

    under review  ·  2 comments  ·  Application Proxy
  8. Improve Device Listing Page - Export, sort, filter

    The All Devices listing in Azure Active Directory has good information, but you cannot export it, sort it or filter it efficiently.

    Would really appreciate the typical 'Export' option.

    29 votes

    9 comments  ·  Other
  9. domain services

    Upgrade the Azure AD Domain Services Domain Controllers to be Windows Server 2016 instead of Windows Server 2012 R2.

    We've switched to having our domain be AAD Domain Services and connected to our Office 365 domain and we'd like to enable Windows Hello for Business, but until those domain controllers are upgraded we can't utilize it. This makes the nice fingerprint scanners on our new machines useless.

    29 votes

    under review  ·  4 comments  ·  Domain Services
  10. Support Managed Service Identity on VMs in Azure Batch Pool

    Enabling MSI for Windows VMs created by an Azure Batch Pool would allow us to use this service in Azure Data Factory .NET custom code activities running on Azure Batch.

    26 votes

    1 comment  ·  Developer Experiences
  11. Azure AD - SaaS - SCIM provisioning of AD attribute thumbnailPhoto

    Azure AD SCIM Provisioning should allow for the provisioning/mapping of the AD attribute thumbnailPhoto to SaaS applications. This value is already present within Azure.

    25 votes

    under review  ·  12 comments  ·  Provisioning to Applications
  12. Azure Active Directory Seamless Single Sign-On - Multi-tenants in a single forest hosting environment.

    We have multiple tenants in a single-forest hosting environment, synchronizing different customers (each in a different OU) to their own O365/Azure AD tenant. At the moment, Seamless Single Sign-On only supports one O365/Azure AD tenant for sign-on in the setup we have. This is due to a computer account created in Windows AD called AZUREADSSOACC. We want to adopt Seamless Single Sign-On, but as it only supports one O365/Azure AD tenant for sign-on we cannot use it.

    25 votes

    under review  ·  6 comments  ·  Authentication
  13. Allow Organisations to force users to complete a new MFA challenge when elevating to a role in Privileged Identity Management

    Currently the behavior is that if a user has signed into the Azure Portal and completed an MFA challenge, they will not be prompted again when they elevate to a role in PIM, even if the role settings are set to "Require MFA on elevation", as PIM will use the existing MFA claim/token that was obtained upon sign-in.

    Please allow us to force PIM to acquire a new MFA claim on elevation.

    22 votes

    under review  ·  1 comment  ·  Privileged Identity Management
  14. Ability to export results from the Metaverse Search screen in sync engine

    Ability to export results from the Metaverse Search screen in the sync engine. This was an idea mentioned while I was out on a client site. When one runs queries in the "Metaverse Search" tab of the sync engine, there is no way to save the results as a CSV or Excel file. You could obviously query the backend SQL database, but this isn't very customer friendly.

    22 votes

    3 comments  ·  Microsoft Identity Manager
  15. Do not require database SysAdmin privilege for installation/upgrade of MIM

    Requiring the highest level of privilege for installing and updating MIM is not seen as acceptable by Database Administrators as it causes security concerns, especially in an environment where databases use shared hardware. In the UK/EU and probably equivalents elsewhere, this is of particular concern for organisations that need to adhere to PCI DSS (Payment Card Industry Data Security Standard) or GDPR (General Data Protection Regulation).

    The MIM installer should require the least privileges it needs to do its job, so that the database administrator can define a role that meets these requirements. Anything that truly needs to be done…

    22 votes

    2 comments  ·  Microsoft Identity Manager
  16. More control over FIMService MA

    The FIMService MA is treated as a special one (no transforms, MRE control, etc.).

    In some cases we need more control over the FIMService MA, so that we can apply controls like on any other MA. We have also seen reverse joins not working very well, and in a DR scenario the FIMService MA caused issues for us.

    22 votes

    3 comments  ·  Microsoft Identity Manager
  17. Allow approver to revoke approvals

    Designated approvers for an access package should be able to revoke approval, e.g. select the approval in the history and be able to revoke the access approval.

    At the moment, only access package owners can remove access.

    Approvers may make a mistake or access may have been approved on a basis that changed, so they should have a self-service functionality to revoke an approval and thereby remove access.

    In one of our projects this is a requirement, because business owners need to approve access to specific data, but they also need to be able to remove access - also outside…

    20 votes

    under review  ·  0 comments  ·  Entitlement Management
  18. Azure cli PIM activation

    To reduce churn, it would be good if there were a CLI method of activating PIM Azure Resource roles so that the process was less laborious.

    20 votes

    under review  ·  1 comment  ·  Privileged Identity Management
  19. Adding Touch ID Support for MFA/password-less on Chromium (macOS)

    Google has added fingerprint authentication on Chrome including support of Apple's biometric sensors "Touch ID" last year:
    https://www.chromestatus.com/feature/5962264427364352

    This seems to be implemented via the Web Authentication API.
    It would be awesome to use Touch ID as a 2nd factor or password-less option in Azure Active Directory. Currently you are only able to choose between NFC and USB (tested on the latest build of Chrome).

    It would be even better if Edge Chromium supported the built-in fingerprint of MacBooks. :)
    However, it seems to be a limitation of Azure Active Directory.

    20 votes

    0 comments  ·  Passwordless
  20. Workday to AAD/AD provisioning query scope

    Workday to AD/AAD provisioning:
    please add the ability to scope the query passed to the getworkers API. For instance, pass company=schoolA to getworkers.
    Workday is now implementing shared tenants in the EDU space. In a shared tenant, the current query to get_workers pulls all workers and then allows scoping, but the worker data for all schools has to be pulled before it can be scoped. The result is AAD audit logs saturated with other schools' employee data. We also need to be able to control the audit data written to Azure activity logs, or at least be able to clear the…

    20 votes

    1 comment  ·  Provisioning from Cloud HR