Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Get user membership groups in the claims with AD B2C

    As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

    Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

    1,020 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    66 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

    That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.

    Apologies for the delay.

    /Parakh


    Old message:
    We’re doing some research both on the specifics of this ask as well as what it would take to support this.
    Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C?

  2. Dynamic Groups: Member of group

    Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.

    Example:
    (user.objectId -memberOf group.objectId)
    (user.objectId -notMemberOf group.ObjectId)

    Use case 1 - Group Based Licensing.
    If the user is member of a group that gives them a E5 license, don't let them be member of a group that gives them E3.

    Use case 2 - Exceptions
    All users should have a MDM policy applied, accept those of a specific group.

    410 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    25 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.

    Chen

  3. Remove requirement for onprem Exchange when using DirSync

    as per : http://tinyurl.com/kqgjvqx

    Currently for a small business who want password sync, but make the move to 365. they have to keep Exchange running on premise simply to be able to edit user attributes related to Exchange. - an active directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.

    337 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    36 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  4. PowerShell and Graph API support for managing Multi-Factor Authentication

    Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

    The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

    Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

    The new AzureAD and AzureADPreview PowerShell modules support connecting to…

    281 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    34 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. 230 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    63 comments  ·  Admin Portal  ·  Flag idea as inappropriate…  ·  Admin →
  6. Support NPS/RADIUS for Azure AD Domain Services

    Add support for Microsoft NPS/RADIUS in Azure AD Domain Services

    208 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  34 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
  7. Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers

    Hi, Assume, I sign up with Google 'siva@gmail.com', it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com', it creates another user in the tenant. Also I went and Sign up using email account, for 'siva@gmail.com', now am finding 3 users with same email id. I see this is a duplicate accounts are getting created. Is there any way this can be validated & inform user in Azure AD B2C ?

    193 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    35 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?

    BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…

    We look forward to your feedback

    /Jose Rojas

  8. Azure Domain Services Support for LAPS

    Allow (or automatically install) LAPS within Azure Domain Services since this is the Microsoft supported standard for local administrator accounts.

    LAPS: https://technet.microsoft.com/en-us/library/security/3062591.aspx

    191 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    34 comments  ·  Azure AD Join  ·  Flag idea as inappropriate…  ·  Admin →
  9. Support Azure AD domain join for Windows Server 2016

    Microsoft should strongly consider implementing support for Azure AD join in future builds of Windows Server 2016. I how a couple of customers that have nearly finished the transition to all cloud and is left with a couple of servers due to legacy software. They are currently left with the option to deploy Azure AD Domain Services for supporting a couple (2-5) servers.

    https://windowsserver.uservoice.com/forums/295047-general-feedback/suggestions/32995450-support-azure-ad-domain-join-for-windows-server-20

    168 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →
  10. Provide support for YubiKey / FIDO as the MFA

    Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.

    https://www.yubico.com/about/background/fido/

    130 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  11. Ability to trigger a dynamic group update

    It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a Powershell applet that can be run.

    126 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    22 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →

    Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

  12. Disable user's ability to change password (via cloud/portals)

    We need to disable a user's ability to change their password. We need to manage password changes in our own application.

    NOTE: I am not referring to password resets (which we can easily disable). Rather I'm talking about preventing users from changing their password via a Microsoft portal when they know their existing password.

    We are looking for an equivalent of the (non Azure) AD powershell command Set-ADUser -CannotChangePassword.

    114 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    21 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →

    Hi folks! I apologies for the delay in response and I deeply appreciate your feedback. I understand how important this feature is for your and your users. We do not yet have plans to implement this feature, but please keep voting if this is important to you to help us prioritize appropriately.

  13. Ability to Grant Permissions via API or Powershell

    Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.

    Service Principal creation, role definition and permission assignment can be done through Portal, Powershell and API. But in order to make Application Permissions (which requires admin consent) work, you need someone with Global Administrator role to go to Azure Portal and click Grant Permissions button (or do the same thing via OAuth prompt on your…

    113 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
  14. Deploy and manage Active Directory B2C using ARM templates and RM PowerShell cmdlets.

    When building Azure-based applications intended for generalization and multiple deployment, it would simplify both the development and deployment experience if B2C directories could be configured using the standard Azure RM template and PowerShell cmdlet functionality.

    111 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    Given that a Azure AD B2C tenant should only be used for configuring Azure AD B2C, would having programmatic API’s to configure all of the Azure AD B2C settings be useful or is there more that you are looking to achieve using ARM templates?

    /Parakh

  15. Enable User Writeback to On Premise AD from Azure AD

    We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...

    111 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →

    Hi – this is not a feature we are planning in AADConnect. We’re currently designing a new feature based on a new technology that would allow us to write back users and group from AAD to various different targets – AD, other directories, applications – and hope to be able to tell you more about it in the coming months.

    Rob de Jong

  16. Unattended installation Azure AD Connect

    Provide The ability to perform unattended/silent installation of Azure AD Connect using either/ or both commandline or answer file for the installation parameters.

    This is highly needed for re-Deployment of test/Dev environments and especially for hosting/service providers with many customers

    103 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    16 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  17. 100 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Anonymous responded

    Please provide more details. DirectAccess is an on-premises technology and as such may not fall into Azure Active Directory.

  18. AD Groups in Application Owners

    Would be great to be able to add groups to application owners in AD instead of only users. Scenario is to use on-prem AD synced with Azure to keep management of application roles/groups/etc on-prem for cloud hosted solutions.

    Thanks!

    98 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  12 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
  19. Utilize AAD Security Groups for Device "Additional Local Administrators" support

    Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).

    86 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →
  20. SSPR - Allow user unlock from the windows 10 logon screen.

    You recently implemented the password reset from the Windows 10 logon screen. However, the possibility of unlocking the user when they remembered the password was lacking.

    I remember that this functionality already exists through the MIM or Azure reset link.

    83 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 11 12
  • Don't see your idea?

Feedback and Knowledge Base