Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Get user membership groups in the claims with AD B2C

    As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

    Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

    1,555 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    88 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

    That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.

    Apologies for the delay.

    /Parakh


    Old message:
    We’re doing some research both on the specifics of this ask as well as what it would take to support this.
    Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C?

  2. Dynamic Groups: Member of group

    Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.

    Example:
    (user.objectId -memberOf group.objectId)
    (user.objectId -notMemberOf group.ObjectId)

    Use case 1 - Group Based Licensing.
    If the user is member of a group that gives them a E5 license, don't let them be member of a group that gives them E3.

    Use case 2 - Exceptions
    All users should have a MDM policy applied, accept those of a specific group.

    1,273 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    98 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.

    Chen

  3. Authenticating wireless access points \ RADIUS through Azure AD

    I would like to see Authenticating wireless access points \ RADIUS servers through Azure AD , not having to store user accounts in local active directory

    993 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    89 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the feedback, we’re currently reviewing this capability to see how we can support RADIUS auth on NPS specifically, for AAD Joined Windows 10 devices to authenticate to WiFi access points

    If there are scenarios beyond the above, please provide the details in the comments


    Ravi

  4. Set an AzureAD account to expire on a specified date

    Just like in active directory allow accounts to be set to expire on a specified date. Our company policy is to set network accounts for non-employees (consultants, contractors, temporary employees, interns) to expire at a certain interval after they are created. We want the same functionality within Office 365.

    826 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

  5. Ability to trigger a dynamic group update

    It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a Powershell applet that can be run.

    462 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    55 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

  6. Support NPS/RADIUS for Azure AD Domain Services

    Add support for Microsoft NPS/RADIUS in Azure AD Domain Services

    422 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    53 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →

    UPDATE 01/06/2020
    Multiple scenarios are still being investigated.
    (We changed the status to because Started implied we were working on the feature and we did not want to represent it inaccurately. We are investigating and therefore, we are marking it under review.

  7. Enable SSPR to reset Windows cached credentials

    In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

    Its great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since its definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we…

    360 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    50 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  8. MFA: remember device permanently (& remember per device, not per app)

    Please:
    1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
    2. Make it so that MFA is remembered once per device (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).

    Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or…

    298 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    22 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  9. Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers

    Hi, Assume, I sign up with Google 'siva@gmail.com', it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com', it creates another user in the tenant. Also I went and Sign up using email account, for 'siva@gmail.com', now am finding 3 users with same email id. I see this is a duplicate accounts are getting created. Is there any way this can be validated & inform user in Azure AD B2C ?

    256 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    44 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?

    BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…

    We look forward to your feedback

    /Jose Rojas

  10. 249 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    64 comments  ·  Admin Portal  ·  Flag idea as inappropriate…  ·  Admin →
  11. Disable user's ability to change password (via cloud/portals)

    We need to disable a user's ability to change their password. We need to manage password changes in our own application.

    NOTE: I am not referring to password resets (which we can easily disable). Rather I'm talking about preventing users from changing their password via a Microsoft portal when they know their existing password.

    We are looking for an equivalent of the (non Azure) AD powershell command Set-ADUser -CannotChangePassword.

    240 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    28 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →

    Hi folks! I apologies for the delay in response and I deeply appreciate your feedback. I understand how important this feature is for your and your users. We do not yet have plans to implement this feature, but please keep voting if this is important to you to help us prioritize appropriately.

  12. Deploy and manage Active Directory B2C using ARM templates and RM PowerShell cmdlets.

    When building Azure-based applications intended for generalization and multiple deployment, it would simplify both the development and deployment experience if B2C directories could be configured using the standard Azure RM template and PowerShell cmdlet functionality.

    229 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    26 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    Given that a Azure AD B2C tenant should only be used for configuring Azure AD B2C, would having programmatic API’s to configure all of the Azure AD B2C settings be useful or is there more that you are looking to achieve using ARM templates?

    /Parakh

  13. Ability to Grant Permissions via API or Powershell

    Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.

    Service Principal creation, role definition and permission assignment can be done through Portal, Powershell and API. But in order to make Application Permissions (which requires admin consent) work, you need someone with Global Administrator role to go to Azure Portal and click Grant Permissions button (or do the same thing via OAuth prompt on your…

    216 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Thank you for the feedback! This is in the backlog and we are looking into this. We don’t have an ETA yet, but we will share once we have one. Please keep voting if this feature matters to you.

  14. Support for multi-valued attributes synchronized from on premises AD

    AD Connect supports synchronizing multi-valued attributes to AAD.
    However, AAD doesn't support multi-valued attributes synchronized from on premises AD.

    Would be great to have this supported so that for example Dynamic Groups can use multi-value attributes for group membership rules.

    200 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    34 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    We are investigating what it would take to add support for multi-value attributes in Dynamic Groups to enable this and related scenarios.

    Kristina Bain Smith

  15. Recycle Bin For Deleted Devices

    Would be great if there was a recover-msoldevice cmdlet or some way to recover a bitlocker recovery key after a device was deleted.

    184 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    30 comments  ·  Devices  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for your feedback. We are looking into it and evaluating different options for solving the use cases mentioned in this thread. We will update this thread once we have more information to share.

  16. Enable app password creation when MFA is enforced using Azure Conditional Access

    I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.

    I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal then, the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal then, the app password creation option is not presented at all. Both are implementing the same function essentially but the latter blocks the apps that…

    172 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    25 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. AD Groups in Application Owners

    Would be great to be able to add groups to application owners in AD instead of only users. Scenario is to use on-prem AD synced with Azure to keep management of application roles/groups/etc on-prem for cloud hosted solutions.

    Thanks!

    172 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  15 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
  18. Password expiry notification for Azure AD joined devices?

    It would be great if a Password Expiry notification could be implement for full Windows 10 Azure AD-joined clients in the same way as the domain joined clients receive them. A notification that pops up at bottom-right corner of the screen. At the moment I wasn't able to find any way of enabling that.
    We use Azure Directory Sync - no ADFS.

    157 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    26 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  19. Conditional Access blocking Office Activation and signin.

    When the Conditional Access Policy is configured with All cloud Apps option, Office activation is also blocked, although there isn´t any cloud app dedicated for Office activation exclusion. Please create one dedicated cloud app for Office activation.

    153 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  9 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  20. Introspection endpoint for Azure Active Directory

    Hi,
    Times, there will be cases when the user logs out but the token associated with the user on the client doesn't expire and so when the Resource Servers/APIs invoked with these tokens gets serviced/honored. It would be great to have an introspection endpoint with AAD to check the validatity of the token (as mentioned in RFC 7662 https://tools.ietf.org/html/rfc7662) so that all APIs/Resources can leverage it and accept or reject the token instead of creating a custom repository at our end to blacklist these tokens.

    133 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    24 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Thanks for the feedback! We will look into this and share an update when we have more information.

← Previous 1 3 4 5 14 15
  • Don't see your idea?

Feedback and Knowledge Base