Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
-
Get user membership groups in the claims with AD B2C
As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?
Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.
584 votesWe definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
/Parakh
Old message:
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C? -
Fully customizable verification emails
Currently, Azure AD B2C sends verification codes via emails to end users during sign-up and password reset flows. These emails have limited customization. Add support for full customization of the email body & content.
497 votesHi all, a quick update here. We are looking at different options in allowing this customization. We understand that this is very important when you want to keep the look of the emails consistent with your brand to avoid confusing your users. We should have another update in the coming months as we figure out how to accomplish this.
/Sam
-
Remove requirement for onprem Exchange when using DirSync
as per : http://tinyurl.com/kqgjvqx
Currently for a small business who want password sync, but make the move to 365. they have to keep Exchange running on premise simply to be able to edit user attributes related to Exchange. - an active directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.
202 votesWe’re reviewing the best architectural solution here and will updated when we know more.
-
Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers
Hi, Assume, I sign up with Google 'siva@gmail.com', it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com', it creates another user in the tenant. Also I went and Sign up using email account, for 'siva@gmail.com', now am finding 3 users with same email id. I see this is a duplicate accounts are getting created. Is there any way this can be validated & inform user in Azure AD B2C ?
139 votesThank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?
BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…
We look forward to your feedback
/Jose Rojas
-
Reduce pricing for Azure AD B2C
Azure AD B2C seems to be an interesting and very important service, however in my opinion it is >dramatically< overpriced. Having to pay thousands of dollars >per month< just for a few million users is in no relation to other Azure Services.
E.g. Storing 10 million users would cost 950k * €0.00093 + 9mil * €0.00076 = 7723,5€ per month. And this doesn't even include authentications.
This makes me wondering if your case study Real Madrid really would like all of their 450 million fans use this service. I think they would have to sell a player in that case!…104 votesRestating what Alex Simons said in the comments below:
The vast majority of our B2C customers see monthly active user rates in the 10 – 15% at the very high end. In addition, most set their token lifetimes to be relatively long (you don’t want users on a mobile device to have to authenticate more than is absolutely necessary) so even though a user might be actively using your app each month, they might only be requesting a token every other month – or maybe even less.
So if you compare this to either AWS or running your own authentication server (make sure you included the full cost to maintain/run/upgrade/etc.) I think you will find it’s very price competitive.
That said, we are looking at some additional pricing options that would give apps that have a very high usage rate (50% or more of users active each month) some options…
-
AADB2C: Force password reset
Add the ability to force user's to reset password at next login. It would be ideal if this was available for both individual users as well as in bulk. This is necessary for situations such as credential leaks, etc.
99 votesWe are reviewing this feature request and hope to make progress on it later this year (Fall or later). Will make another update then.
/Parakh
-
Add Multifactor Authentication (MFA) support for DirectAccess remote technology
One Time Password access to the DirectAccess user tunnel using MFA
90 votesPlease provide more details. DirectAccess is an on-premises technology and as such may not fall into Azure Active Directory.
-
Make https://passwordreset.microsoftonline.com responsive design or app for password reset
It would be nice, if the passwordreset.microsoftonline.com looked great on a mobile device as well as on a PC. It isn't responsive and looks weird on a phone. You have to pinch to see the text and textboxes on the page.
Alternative Microsoft should consider integrating "Password Reset" / "Lockout" functionality in a new app or the existing Azure Authenticator app. This will notify the user about account lockout and also provide a way for the user to do a quick password reset a device. Of cause the user will need to answer a couple of questions, enter a pin…
74 votesThanks for the feedback. Responsive UI for the password reset page is something we’re reviewing.
-
Dynamic Groups: Member of group
Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.
Example:
(user.objectId -memberOf group.objectId)
(user.objectId -notMemberOf group.ObjectId)Use case 1 - Group Based Licensing.
If the user is member of a group that gives them a E5 license, don't let them be member of a group that gives them E3.Use case 2 - Exceptions
All users should have a MDM policy applied, accept those of a specific group.67 votesThank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.
Chen
-
Provide support for YubiKey / FIDO as the MFA
Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.
63 votesAzure MFA is currently designing the experience for FIDO 2.0. This is the next iteration of the FIDO U2F standard that the link references.
Richard
-
Expand navigation property of children with a single query
Impossible to get members of Azure AD group with expanded 'manager' property in one request.
for example:
https://graph.windows.net/<tenant_id>/directoryObjects/<group_id>/members/?api-version=1.6&$expand=managerwe gets the following response:
{"code":"Request_UnsupportedQuery","message":{"lang":"en","value":"An unsupported query was observed. Please ensure you query does not navigate across multiple reference-properties."}I suppose reason of such response is clear. and current workaround is the following:
1) Get group members
2) for each five members(using OData batch) get manager
But this way make us do a lot of requests to Azure AD and we expect performance degradation here.We develop multi tenant application which access Azure AD of all our customers and it's…
62 votesWe are still looking into it! It is due to current platform limitation, and there is some work going on to address this. Again, thank you for the suggestions! Keep the votes coming.
-
SSO / Sign in to Azure via Google Apps IDP
We'd like to enable our users for lots of Azure services (incrementally), starting with some RemoteApp services. We do *not* want to move user authentication to Azure AD (users have lots of complex Google Apps logins, with 2-Factor and U2F Keys).
Is there an easy way for us to enable Google Apps as an IdP in Azure AD?
Like, can we copy user profiles from Google Apps -> Azure, and on login attempt, redirect to the Google Apps sign in screen?
62 votesWe are reviewing this capability for all up Azure AD but initially you will see the ability to support Google ID for users in our B2C release.
/Brjann Brekkan
-
Device-level authentication as primary authentication like ADFS 4.0 (Windows 2016) in Azure AD
It would be AWESOME, if Azure Active Directory would provide device-level authentication as primary authentication like ADFS 4.0 (Windows 2016)
We need this please!
61 votesThanks for your suggestion. This is under review and in our backlog but initially you will see this capability show up in AD FS in Windows Server 2016.
/ Brjann Brekkan
-
Add PowerShell commands to manage "Users flagged for risk" in Azure AD
I have quite a few users who have been tagged as "Users flagged for risk" in Azure AD. I'd like to be able to "Dismiss all events" for those users that were "Last updated" more than XX days ago. It seems I can only do this via the web GUI one user at a time. This stinks. This particular report had gone unwatched for a bit. PowerShell to the rescue please!
53 votesHi – Thanks for the suggestion. We understand this is a problem today and we are planning to bring an option to multi-select users and the “Dismiss risk” on them in the new UX. If your requirement is to dismiss risk on hundreds of users, please reach out to the CSS team and they will guide you to the right contacts.
Rajat
-
Delegate permissions to remove devices
The user role User administrator is not able to remove users registered device objekts in Azure AD. I think that roles should be granted that permisson.
Or create an addiotional role that have the permission to remove device objects in Azure AD.53 votesThank you for the feedback and suggestion. This capability is under review.
-
Allow extensibility of portal through the use of custom controls
There are some business scenarios which currently cannot be built in the FIM portal due to the limited set of Uoc controls available, and their lack of customization. This leads to external tools needing to be made, fracturing the experience for FIM users. Allowing the Uoc base control to be made public and inheritable opens up scenarios for controls with extended validations, external lookups, code behind, and much more.
48 votesThanks for your feedback! — David Steadman | MIM Lead & PM Identity governance and administration engineering team
-
PowerShell and Graph API support for managing Multi-Factor Authentication
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview PowerShell modules support connecting to…
45 votesThe MFA team is currently working on adding get/set/read/delete abilities for StrongAuthentication data to the Graph API.
Richard
-
Unattended installation Azure AD Connect
Provide The ability to perform unattended/silent installation of Azure AD Connect using either/ or both commandline or answer file for the installation parameters.
This is highly needed for re-Deployment of test/Dev environments and especially for hosting/service providers with many customers
42 votesHi – we’re currently investigating this idea to see what we can do.
Rob de Jong
-
Modern end-user portal
One of the main blockers to deploy MIM is lack of a modern end-user facing portal. One doesn't need to port all the functionalities to such a portal straight away and MPRs, Workflows etc can stay within an old portal for admins, but users should see responsive and simple interface (not based on SharePoint)
41 votesThanks for your feedback! — David Steadman | MIM Lead & PM Identity governance and administration engineering team
-
Add Application's ServicePrincipal using powershell
Today it's possible to add an applications serviceprincipal to a customer's tenant using msol Pow-ershell cmdlets. BUT unfortunately a serviceprincipal created using powershell is not visible is the userers Azure Management portal. According to Azure Support:
"You will not be able to use the Azure PowerShell cmdlets to have your application be visible within the Azure Management Portal as the cmdlets do not support this functionality. The only option at present is to use the Azure Management Portal to register and add the application to Active Directory."
My suggestion is to add this functionality to the Powershell cmdlets.41 votesYour suggestion has been passed to the appropriate Program Manager for their review.
- Don't see your idea?