Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Get user membership groups in the claims with AD B2C

    As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

    Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

    891 votes
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
      Password icon
      Signed in as (Sign out)

      We’ll send you updates on this idea

      55 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

      We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

      That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.

      Apologies for the delay.

      /Parakh


      Old message:
      We’re doing some research both on the specifics of this ask as well as what it would take to support this.
      Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C?

    • Remove requirement for onprem Exchange when using DirSync

      as per : http://tinyurl.com/kqgjvqx

      Currently for a small business who want password sync, but make the move to 365. they have to keep Exchange running on premise simply to be able to edit user attributes related to Exchange. - an active directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.

      291 votes
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
        Password icon
        Signed in as (Sign out)

        We’ll send you updates on this idea

      • Dynamic Groups: Member of group

        Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.

        Example:
        (user.objectId -memberOf group.objectId)
        (user.objectId -notMemberOf group.ObjectId)

        Use case 1 - Group Based Licensing.
        If the user is member of a group that gives them a E5 license, don't let them be member of a group that gives them E3.

        Use case 2 - Exceptions
        All users should have a MDM policy applied, accept those of a specific group.

        248 votes
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
          Password icon
          Signed in as (Sign out)

          We’ll send you updates on this idea

          13 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →

          Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.

          Chen

        • 225 votes
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
            Password icon
            Signed in as (Sign out)

            We’ll send you updates on this idea

            63 comments  ·  Flag idea as inappropriate…  ·  Admin →
          • PowerShell and Graph API support for managing Multi-Factor Authentication

            Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

            The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

            Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

            The new AzureAD and AzureADPreview PowerShell modules support connecting to…

            210 votes
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
              Password icon
              Signed in as (Sign out)

              We’ll send you updates on this idea

              26 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
            • Update UserType from portal

              Be able to see and change the userType from the portal.
              (This is only available in Powershell : example: change from Guest -> member, in order to see the directory as an external user.)

              Set-MsolUser -UserPrincipalName xxxhotmail.com#EXT#@xxxhotmail.onmicrosoft.com -UserType Member

              199 votes
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
                Password icon
                Signed in as (Sign out)

                We’ll send you updates on this idea

                11 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →

                Thank you for the feedback on this issue. We’re still considering it but don’t have a specific ETA so updating the status. It’s helpful to understand your scenarios around this and other features so please feel to keep commenting with how you would use this.

                -Elisabeth

              • Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers

                Hi, Assume, I sign up with Google 'siva@gmail.com', it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com', it creates another user in the tenant. Also I went and Sign up using email account, for 'siva@gmail.com', now am finding 3 users with same email id. I see this is a duplicate accounts are getting created. Is there any way this can be validated & inform user in Azure AD B2C ?

                173 votes
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                  Password icon
                  Signed in as (Sign out)

                  We’ll send you updates on this idea

                  31 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

                  Thank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?

                  BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…

                  We look forward to your feedback

                  /Jose Rojas

                • Azure Domain Services Support for LAPS

                  Allow (or automatically install) LAPS within Azure Domain Services since this is the Microsoft supported standard for local administrator accounts.

                  LAPS: https://technet.microsoft.com/en-us/library/security/3062591.aspx

                  151 votes
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                    Password icon
                    Signed in as (Sign out)

                    We’ll send you updates on this idea

                    24 comments  ·  Azure AD Join  ·  Flag idea as inappropriate…  ·  Admin →
                  • Reduce pricing for Azure AD B2C

                    Azure AD B2C seems to be an interesting and very important service, however in my opinion it is >dramatically< overpriced. Having to pay thousands of dollars >per month< just for a few million users is in no relation to other Azure Services.

                    E.g. Storing 10 million users would cost 950k * €0.00093 + 9mil * €0.00076 = 7723,5€ per month. And this doesn't even include authentications.
                    This makes me wondering if your case study Real Madrid really would like all of their 450 million fans use this service. I think they would have to sell a player in that case!…

                    125 votes
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                      Password icon
                      Signed in as (Sign out)

                      We’ll send you updates on this idea

                      12 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

                      Restating what Alex Simons said in the comments below:

                      The vast majority of our B2C customers see monthly active user rates in the 10 – 15% at the very high end. In addition, most set their token lifetimes to be relatively long (you don’t want users on a mobile device to have to authenticate more than is absolutely necessary) so even though a user might be actively using your app each month, they might only be requesting a token every other month – or maybe even less.

                      So if you compare this to either AWS or running your own authentication server (make sure you included the full cost to maintain/run/upgrade/etc.) I think you will find it’s very price competitive.

                      That said, we are looking at some additional pricing options that would give apps that have a very high usage rate (50% or more of users active each month) some options…

                    • Support Azure AD domain join for Windows Server 2016

                      Microsoft should strongly consider implementing support for Azure AD join in future builds of Windows Server 2016. I how a couple of customers that have nearly finished the transition to all cloud and is left with a couple of servers due to legacy software. They are currently left with the option to deploy Azure AD Domain Services for supporting a couple (2-5) servers.

                      https://windowsserver.uservoice.com/forums/295047-general-feedback/suggestions/32995450-support-azure-ad-domain-join-for-windows-server-20

                      122 votes
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                        Password icon
                        Signed in as (Sign out)

                        We’ll send you updates on this idea

                        12 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →

                        Thanks for the feedback. We’re reviewing feasibility for this feature. No timelines yet, but this is on our roadmap.

                        Please share any additional feedback on this suggestion for us to review


                        Ravi

                      • Provide support for YubiKey / FIDO as the MFA

                        Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.

                        https://www.yubico.com/about/background/fido/

                        114 votes
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                          Password icon
                          Signed in as (Sign out)

                          We’ll send you updates on this idea

                          12 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                        • Add PowerShell commands to manage "Users flagged for risk" in Azure AD

                          I have quite a few users who have been tagged as "Users flagged for risk" in Azure AD. I'd like to be able to "Dismiss all events" for those users that were "Last updated" more than XX days ago. It seems I can only do this via the web GUI one user at a time. This stinks. This particular report had gone unwatched for a bit. PowerShell to the rescue please!

                          109 votes
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                            Password icon
                            Signed in as (Sign out)

                            We’ll send you updates on this idea

                            35 comments  ·  Identity Protection  ·  Flag idea as inappropriate…  ·  Admin →

                            Hi – Thanks for the suggestion. We understand this is a problem today and we are planning to bring an option to multi-select users and the “Dismiss risk” on them in the new UX. If your requirement is to dismiss risk on hundreds of users, please reach out to the CSS team and they will guide you to the right contacts.

                            Rajat

                          • Support NPS/RADIUS for Azure AD Domain Services

                            Add support for Microsoft NPS/RADIUS in Azure AD Domain Services

                            105 votes
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                              Password icon
                              Signed in as (Sign out)

                              We’ll send you updates on this idea

                              under review  ·  13 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
                            • 99 votes
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                                Password icon
                                Signed in as (Sign out)

                                We’ll send you updates on this idea

                                13 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                                under review  ·  Anonymous responded

                                Please provide more details. DirectAccess is an on-premises technology and as such may not fall into Azure Active Directory.

                              • AD Groups in Application Owners

                                Would be great to be able to add groups to application owners in AD instead of only users. Scenario is to use on-prem AD synced with Azure to keep management of application roles/groups/etc on-prem for cloud hosted solutions.

                                Thanks!

                                90 votes
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                  Password icon
                                  Signed in as (Sign out)

                                  We’ll send you updates on this idea

                                  under review  ·  11 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
                                • B2B Guest User Expiration

                                  Looking for the functionality where you can schedule Azure B2B users to exist in your tenant for a predetermined period of time. This would operate similarly to the O365 Groups expiration functionality that exist today. Additionally, managers would be allowed to extend these periods of time and automated reminders would be sent to the manager of these users.

                                  87 votes
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                    Password icon
                                    Signed in as (Sign out)

                                    We’ll send you updates on this idea

                                    7 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Enable User Writeback to On Premise AD from Azure AD

                                    We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...

                                    87 votes
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                      Password icon
                                      Signed in as (Sign out)

                                      We’ll send you updates on this idea

                                      Hi – this is not a feature we are planning in AADConnect. We’re currently designing a new feature based on a new technology that would allow us to write back users and group from AAD to various different targets – AD, other directories, applications – and hope to be able to tell you more about it in the coming months.

                                      Rob de Jong

                                    • Disable user's ability to change password (via cloud/portals)

                                      We need to disable a user's ability to change their password. We need to manage password changes in our own application.

                                      NOTE: I am not referring to password resets (which we can easily disable). Rather I'm talking about preventing users from changing their password via a Microsoft portal when they know their existing password.

                                      We are looking for an equivalent of the (non Azure) AD powershell command Set-ADUser -CannotChangePassword.

                                      84 votes
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                        Password icon
                                        Signed in as (Sign out)

                                        We’ll send you updates on this idea

                                        15 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Unattended installation Azure AD Connect

                                        Provide The ability to perform unattended/silent installation of Azure AD Connect using either/ or both commandline or answer file for the installation parameters.

                                        This is highly needed for re-Deployment of test/Dev environments and especially for hosting/service providers with many customers

                                        83 votes
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                          Password icon
                                          Signed in as (Sign out)

                                          We’ll send you updates on this idea

                                        • Expose user last password changed date

                                          Please add the capability to retrieve the date a user change the last password using the Graph API.

                                          81 votes
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                            Password icon
                                            Signed in as (Sign out)

                                            We’ll send you updates on this idea

                                            5 comments  ·  Azure AD API  ·  Flag idea as inappropriate…  ·  Admin →

                                            We’re currently working on an API to provide CRUD access to authentication methods (password, SMS, voice, etc), and we’re considering adding last pw change time and/or password expiration time. Thanks for the feedback!

                                            Michael

                                          ← Previous 1 3 4 5 10 11
                                          • Don't see your idea?

                                          Feedback and Knowledge Base