Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Include an AAD Connect Health Gateway for DCs without internet connectivity

    An easy to configure gateway install similar to the OMS gateway to act as a proxy for servers without internet connectivity would be a useful addition.

    19 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure AD Connect Health  ·  Flag idea as inappropriate…  ·  Admin →
  2. 18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow Organisations to force users to complete a new MFA challenge when elevating to a role in Privileged Identity Management

    Currently the behavior is that if a user signed into the Azure Portal and completed an MFA challenge they will not be prompted again when they elevate to a role in PIM even if the role settings are set to "Require MFA on elevation" as PIM will use the existing MFA claim/token that was completed upon sign-in.

    Please allow us to force PIM to acquire a new MFA claim on elevation.

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Marking a risky sign in as "Confirmed Safe" in the ID protection blade should factor in to the algorithm for future sign ins

    In the risky sign ins report or risky users report in AD Identity Protection you can mark a risky sign in as "confirmed safe." However this does not allow future sign ins from this IP. If an administrator confirms that the sign in is not risky, future sign ins for this user from this location should not be considered risky.

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback. We are reviewing options for integrating feedback provided by confirm safe/compromised. In the interim, if you want to mark specific IPs as safe for Identity Protection in your tenant, you can do so my marking them as trusted locations. More information is available here (make sure to check the “mark as trusted location” checkbox): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations

  5. Improve custom roles assgignable scope options

    Add the option to set all ressource groups of a(/multiple) subscription as valid assignable scope. Something like:

    “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/*”

    Currently it is only possible to make a role assignable to specific RGs. A wildcard option would be much more flexible.

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →
  6. NIST 800-63B Digital Identity Guidelines

    Please update the password requirements to match both those of NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft https://www.microsoft.com/en-us/research/publication/password-guidance/.

    Also the ability to build a password blacklist.

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    We’re well aware of the NIST 800-63B guidelines (and it’s my team that wrote that password whitepaper!). We’re currently making some foundational changes that should subsequently let us implement many or most of the password composition guidelines.

    As for a password blacklist, today we have a banned password list in place that prevents users from using known-bad words, phrases, and passwords. We also have a custom list feature that lets you define your own words and patterns. That’s in private preview today and we’re working to get it to public preview over the next few months.

  7. serviceNow

    I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.

    For example, the user table within ServiceNow looks similar to the sample snippet below:

    TABLE - User [sys_user]

    FIELD - Username [username] - string
    FIELD - Name [name] - string
    FIELD - Email [email] - string
    FIELD - Department [department] - references Department [cmn
    department] table
    FIELD - Location [location] - references Location [cmn_location] table
    FIELD - etc. etc.

    Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem…

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  8. dsregcmd.exe with help

    The command dsregcmd.exe should have /help switch to show all viable option of this command with usage examples.

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →
  9. Pass Through Auth in ADconnect for Azure Government

    Support of PTA in Azure Gov meeting HSPD-12 mandates.

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  10. IsPresent operator for SyncRule Scoping Filters

    Add support for an IsPresent/NotPresent operator in outbound scoping filters

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Microsoft Identity Manager  ·  Flag idea as inappropriate…  ·  Admin →
  11. Self service password reset on free

    The free Azure AD offering isn't really very credible without a self-service password reset. Since it's an offering where large numbers are expected and price is an issue, expecting administrators to manage individual passwords is not realistic. We expected to have up to 1000 remote end users, and basic is unrealistically expensive just to get the password reset.

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  12. Azure Active Domain Services Synchronisation Report

    Currently, it is not possible to get accurate information from AADDS about what and when attributes are synchronised from Azure AD to Azure ADDS. It would be most helpful if customers could query on a per user or per directory basis to find out what attributes were synced and at what time (including password changes)

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  3 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
  13. Add option to disable TLS 1.0 for the application proxy cloud endpoint

    TLS 1.0 is an option for connecting to the cloud endpoint of the application proxy. This causes security audit tools to complain that TLS 1.0 is not in alignment with PCI and other compliance regimes.

    There has been a toggle in the UI for the web app service to disable TLS 1.0 for nearly a year and the same option should be available for the application proxy too.

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  14. View all Enterprise Apps configured to Azure AD App Proxy

    Requirement is for a screen to view all apps currently configured for App Proxy, The current process is a hit and miss excercise whereby you navigate to Enterprise Application and guess the app name and navigate to the configuration to see if an app is using app proxy.

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  15. When the Password Writeback limitations can be removed?

    This document described the current limitations that it is un-supported to trigger password writeback via Powershell v1, v2 and Azure AD Graph API (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback). Which means currently there's no way to trigger password writeback programmatically.

    There's also a statement in that article that you are working to remove these limitations but no specific timeline can share. Can we know the possible timeline when the limitations can be removed (for example second half of the year or the early of next year)?

    Thanks.

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback! This is a limitation that we would like to address. At this time, I don’t have an estimate of when this update would be released. However, please continue to vote on this feature if it’s important to your organization.

    Thank you,
    Sadie Henry

  16. AD Application Proxy: Enable home realm discovery using domain hint

    It would be nice to have an option to be able to set a domain hint when we are exposing internal web applications using the AD Application proxy. This way we can direct user to our own ADFS federation page without going through the generic sign-in page first.

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  17. Changes in MyAccess and MyApps


    1. In MyAccess portal, change the view by Catalogs and not by Access Packages

    2. combine MyApps and MyAccess portals for better user experience

    3. Add an option to add Logo and company icon to MyApps and MyAccess that the end user will know he in the right place (the new myapps portal)

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  18. Audit logs for Application Proxy

    Audit logs for the connector group modifications on the AAD Application proxy is not enabled for administrators viewing on AAD portal.
    We had an issue, in which the connector group was changed by an admin and we raised a MS Case to find out who modified the setting and after months investigation we found that this specific audit log is not enabled for viewing for admins.
    If audit logs is enabled for such settings modifications, then there is no need for admin to raise an MS case every time when there is modification ..!!!

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  19. Where is application registered in Azure Active Directory?

    I registered a new application in https://apps.dev.microsoft.com and afterwards it says "This application will be registered in the Azure Active Directory instance used to manage your xxxx@yyyy.zzz account." I can't see it anywhere.

    How about providing a link to it instead of hiding it away where I can't find it, that is if it is even actually visible.

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →

    Alan, if I understand correctly, you are saying you cannot see the converged apps you registered on apps.dev.microsoft.com in the Azure Portal. Converged apps cannot currently be managed in the Azure Portal, even though they are registered in the Azure AD tenant listed in the message. If you would like to manage converged apps in the Azure Portal, please post that as an idea/suggestion or vote for it once the post exists.

  20. Adding Touch ID Support for MFA/password-less on Chromium (macOS)

    Google has added fingerprint authentication on Chrome including support of Apple's biometric sensors "Touch ID" last year:
    https://www.chromestatus.com/feature/5962264427364352

    This seems to be implemented via Web Authentication API.
    It would be awesome to use Touch ID as 2nd Factor or password-less option in Azure Active Directory. Currently you are able to choose between NFC and USB only (tested on lastest build of Chrome).

    It would be even better if Edge Chromium supported the built-in fingerprint of MacBooks. :)
    However, it seems to be a limitation of Azure Active Directory.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Passwordless  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base