Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Get user membership groups in the claims with AD B2C
As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?
Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.
1,119 votesWe definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
/Parakh
Old message:
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C? -
Dynamic Groups: Member of group
Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.
Example:
(user.objectId -memberOf group.objectId)
(user.objectId -notMemberOf group.ObjectId)Use case 1 - Group Based Licensing.
If the user is member of a group that gives them a E5 license, don't let them be member of a group that gives them E3.Use case 2 - Exceptions
All users should have a MDM policy applied, accept those of a specific group.597 votesThank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.
Chen
-
PowerShell and Graph API support for managing Multi-Factor Authentication
Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.
The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.
Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.
The new AzureAD and AzureADPreview PowerShell modules support connecting to…
335 votesThe MFA team is currently working on adding get/set/read/delete abilities for StrongAuthentication data to the Graph API.
Richard
-
232 votes
You can remove directories by contacting the organization that owns the directory and asking them to remove you.
We can add the ability to hide them, if this is a popular request.
-
Ability to trigger a dynamic group update
It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a Powershell applet that can be run.
211 votesOur feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.
-
Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers
Hi, Assume, I sign up with Google 'siva@gmail.com', it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com', it creates another user in the tenant. Also I went and Sign up using email account, for 'siva@gmail.com', now am finding 3 users with same email id. I see this is a duplicate accounts are getting created. Is there any way this can be validated & inform user in Azure AD B2C ?
204 votesThank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?
BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…
We look forward to your feedback
/Jose Rojas
-
Ability to Grant Permissions via API or Powershell
Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.
Service Principal creation, role definition and permission assignment can be done through Portal, Powershell and API. But in order to make Application Permissions (which requires admin consent) work, you need someone with Global Administrator role to go to Azure Portal and click Grant Permissions button (or do the same thing via OAuth prompt on your…
162 votesThank you for the feedback! This is in the backlog and we are looking into this. We don’t have an ETA yet, but we will share once we have one. Please keep voting if this feature matters to you.
-
Disable user's ability to change password (via cloud/portals)
We need to disable a user's ability to change their password. We need to manage password changes in our own application.
NOTE: I am not referring to password resets (which we can easily disable). Rather I'm talking about preventing users from changing their password via a Microsoft portal when they know their existing password.
We are looking for an equivalent of the (non Azure) AD powershell command Set-ADUser -CannotChangePassword.
143 votesHi folks! I apologies for the delay in response and I deeply appreciate your feedback. I understand how important this feature is for your and your users. We do not yet have plans to implement this feature, but please keep voting if this is important to you to help us prioritize appropriately.
-
Provide support for YubiKey / FIDO as the MFA
Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.
138 votesAzure MFA is currently designing the experience for FIDO 2.0. This is the next iteration of the FIDO U2F standard that the link references.
Richard
-
Deploy and manage Active Directory B2C using ARM templates and RM PowerShell cmdlets.
When building Azure-based applications intended for generalization and multiple deployment, it would simplify both the development and deployment experience if B2C directories could be configured using the standard Azure RM template and PowerShell cmdlet functionality.
134 votesGiven that a Azure AD B2C tenant should only be used for configuring Azure AD B2C, would having programmatic API’s to configure all of the Azure AD B2C settings be useful or is there more that you are looking to achieve using ARM templates?
/Parakh
-
Enable PIM role assignment by Group membership.
It would be nice to enable PIM roles to be linked not only to direct assignment to users but also to groups. This enables integration with on-premise IAM solutions that have not been extended to support the Graph API calls to PIM for role management.
111 votes -
Enable SSPR to reset Windows cached credentials
In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows
Its great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since its definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we…
109 votesHey folks! Thank you for your feedback. We are reviewing this ask and will keep you up to date on our findings. We have also added information about this limitation in our documentation. Thank you!
-
AD Groups in Application Owners
Would be great to be able to add groups to application owners in AD instead of only users. Scenario is to use on-prem AD synced with Azure to keep management of application roles/groups/etc on-prem for cloud hosted solutions.
Thanks!
107 votes -
Support for multi-valued attributes synchronized from on premises AD
AD Connect supports synchronizing multi-valued attributes to AAD.
However, AAD doesn't support multi-valued attributes synchronized from on premises AD.Would be great to have this supported so that for example Dynamic Groups can use multi-value attributes for group membership rules.
106 votesWe are investigating what it would take to add support for multi-value attributes in Dynamic Groups to enable this and related scenarios.
Kristina Bain Smith
-
Add Multifactor Authentication (MFA) support for DirectAccess remote technology
One Time Password access to the DirectAccess user tunnel using MFA
102 votesPlease provide more details. DirectAccess is an on-premises technology and as such may not fall into Azure Active Directory.
-
SSPR - Allow user unlock from the windows 10 logon screen.
You recently implemented the password reset from the Windows 10 logon screen. However, the possibility of unlocking the user when they remembered the password was lacking.
I remember that this functionality already exists through the MIM or Azure reset link.
96 votesHi folks! Thank you for your feedback. We don’t yet have plans to release this feature, but we are still considering it. We will update you if anything changes.
-
Password expiry notification for Azure AD joined devices?
It would be great if a Password Expiry notification could be implement for full Windows 10 Azure AD-joined clients in the same way as the domain joined clients receive them. A notification that pops up at bottom-right corner of the screen. At the moment I wasn't able to find any way of enabling that.
We use Azure Directory Sync - no ADFS.86 votesThank you for your feedback! Would you like the feature to be controlled by the admin or available for everyone?
Thanks,
Sadie Henry -
Automatically enable MFA for all members of an Azure AD Group.
Add the ability to automatically enable MFA for all members of an Azure AD group as they are added, in addition ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.
79 votesToday, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.Richard
-
Introduce account 'unlock' feature when an account gets locked out during passthrough authentication. (instead of waiting for 30 minutes)
It will be very helpful if we have the ability to unlock on demand when an O365 user's account is locked (self service), without waiting for the account lockout duration. Currently this feature was confirmed by MS tech that it does not exist and that the end user has to wait for the account lockout duration period. This specially is very useful for accounts that are sync'd via AAD Connect and pwd reset in O365 does not apply because the account is a sync'd account.
77 votesWe are currently investigating this feature request.
-
Device-level authentication as primary authentication like ADFS 4.0 (Windows 2016) in Azure AD
It would be AWESOME, if Azure Active Directory would provide device-level authentication as primary authentication like ADFS 4.0 (Windows 2016)
We need this please!
71 votesThanks for your suggestion. This is under review and in our backlog but initially you will see this capability show up in AD FS in Windows Server 2016.
/ Brjann Brekkan
- Don't see your idea?