Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

  1. Fully customizable verification emails

    Currently, Azure AD B2C sends verification codes via emails to end users during sign-up and password reset flows. These emails have limited customization. Add support for full customization of the email body & content.

    730 votes
    100 comments  ·  B2C
    • Allow the User Admin role to Enable/Disable MFA for users

      Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.

      719 votes
      152 comments  ·  Multi-factor Authentication

        This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.

      • AADB2C: Force password reset

        Add the ability to force users to reset password at next login. It would be ideal if this was available for both individual users as well as in bulk. This is necessary for situations such as credential leaks, etc.

        179 votes
        20 comments  ·  B2C

          We have started the planning for this feature and hope to have a preview by the end of the calendar year. In the meantime, could you respond to aadb2cpreview@microsoft.com with the answers to the following questions:
          - In which scenarios do you plan to force the user to change his/her password?
          - What kind of information (if any) would you like to get back if the user goes through the reset flow?
          - Do you currently track, or plan to track, which users have reset their password?

        • Allow for customized error messages in Azure AD Conditional Access policies

          Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional…

          178 votes
          16 comments  ·  Conditional Access

            Hi,

            I wanted to give a quick update on this. We agree this makes a lot of sense and is useful in many different cases, so have added it to our backlog. I don’t have a date to share yet, but will post updates here. Thanks for the interest.

            -Caleb Baker

          • Support Remote Desktop Web Client HTML5 on Azure AD App Proxy

            Microsoft doesn't support the Azure AD Application Proxy on RD WebClient (HTML5). Like this, MFA and Conditional Access would be possible.
            Another benefit is that HTML5 works on all web browsers without downloading software.
            https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin

            165 votes
            17 comments  ·  Application Proxy
            • RBAC for AAD

              The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.
              Currently there are too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

              154 votes
              17 comments  ·  Role-based Access Control
              • Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application.

                Currently, if the logged-in user doesn't exist in the Tenant Directory for a given application, the user is shown a very unhelpful page with the following:

                Sorry, but we’re having trouble signing you in.
                We received a bad request.

                The debug error is :
                AADSTS50020: User account 'some email address' from external identity provider 'https://sts.windows.net/someguid/' is not supported for application 'https://someappurl'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

                122 votes
                planned  ·  32 comments  ·  End user experiences
                • AzureAD Role Delegation to Groups

                  Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlet's RoleMemberType Parameter can be set to Group. But we always get an exception which says that this value is invalid....
                  Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the management much easier. To achieve a Role Delegation to Groups we have to deploy a PowerShell script that synchronizes Group-Members with Role-Members of a specific role. This is a valid workaround but a nasty one compared to a direct delegation…

                  116 votes
                  18 comments  ·  Role-based Access Control
                  • Phone number sign-up

                    Local accounts currently allow email addresses and usernames as sign-in identifiers. Add phone numbers as well.

                    114 votes
                    32 comments  ·  B2C

                      We are interested in enabling this scenario and are looking for more data.
                      - Would you want to be able to use this in conjunction with email or would you only be interested in one way to sign up accounts at a time?
                      - Would you like to be able to create the account without needing an email at all?

                      /Sam

                    • Allow different login branding customizations per-domain

                      We have a number of subdomains in our tenant which are used for various purposes - clients, partners, staff etc.
                      It would be great to be able to customise the login branding customisation settings on a per-domain basis rather than globally across the tenant.

                      105 votes
                      11 comments  ·  End user experiences
                      • Make https://passwordreset.microsoftonline.com responsive design or app for password reset

                        It would be nice if passwordreset.microsoftonline.com looked great on a mobile device as well as on a PC. It isn't responsive and looks weird on a phone. You have to pinch to see the text and textboxes on the page.

                        Alternatively, Microsoft should consider integrating "Password Reset" / "Lockout" functionality in a new app or the existing Azure Authenticator app. This will notify the user about account lockout and also provide a way for the user to do a quick password reset on a device. Of course the user will need to answer a couple of questions, enter a pin…

                        104 votes
                        16 comments  ·  Self-Service Password Reset
                        • "Change password" policy

                          Add a new Azure AD B2C policy that allows a signed-in user to change his or her password. Not the same as password reset.

                          99 votes
                          13 comments  ·  B2C

                            We are in the process of planning this feature and hope to have a preview available by the end of November. In the meantime, could you please respond to aadb2cpreview@microsoft.com with your responses to the following questions:

                            - If you had a “password change” policy, what kind of information would you like to get back once the policy has been executed?
                            - Would you prefer to have a policy that forces you to sign in first, and then asks you to change the password, or one that lets you do it all on the same page?
                            - Would you want an email to get sent out to the user whenever the password is changed?

                          • Allow User Account Administrator to enable MFA for users, not require global admin

                            A best practice is to limit the number of global admins, yet a global admin is required to enable MFA for users. This should be allowed in the User Account Administrator role to enable MFA for users.

                            73 votes
                            5 comments  ·  Multi-factor Authentication

                              We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA.

                            • phone factor

                              Surface/expose Azure MFA (Phone Factor) attribute data in GRAPH to facilitate API-based manipulation and mitigate some of the current limitations in RBAC within "cloud only" deployments of the Azure MFA service.

                              69 votes
                              14 comments  ·  Multi-factor Authentication

                                StrongAuthentication data can be read via PowerShell, but StrongAuthenticationUserDetails can’t be set via PowerShell. It is planned to expose the StrongAuthentication data via Graph, but no ETA to provide yet.

                              • Allow more customization of the myapps.microsoft.com portal.

                                Would be great if I could forward a subdomain to our myapps.microsoft.com portal. Instead of giving users the microsoft.com URL, I want to give them one.theblaze.com.

                                Second, would be great if there was a newsfeed widget at the top of the portal that could show an RSS feed of company news.

                                66 votes
                                10 comments  ·  End user experiences

                                  Thanks so much for the feedback! Customizations of the My Apps portal for both end users and admins are on our roadmap. This includes providing the ability to re-arrange and group apps as well as using a customizable domain.

                                  We are also looking to see if we can enable embedding other components like widgets. We’re still in the process of validating options for this.
                                  Please keep sharing your feedback and ideas around this!

                                • CORS for App Proxy

                                  There should be a CORS setting available on App Proxy just like we have the CORS available for App Services.

                                  Making calls from Azure Apps into an Azure App Proxy App is a very common scenario, especially when on-prem applications are surfaced externally using App proxy.

                                  More details - http://stackoverflow.com/questions/43955808/cors-prelight-issue

                                  59 votes
                                  2 comments  ·  Application Proxy
                                  • Add AAD B2C to CSP

                                    B2C is currently available on the CSP pricing calculator, it can be found in the CSP portal, but it is not actually activated for CSP. Why isn't it available yet, and how do I get on the list to be an early user?

                                    57 votes
                                    22 comments  ·  B2C
                                    • Azure B2C custom user attribute validation like using regex, range etc. e.g. postcode, date of birth

                                      Ability to validate custom attributes like postcode, date of birth etc. on the user sign-up page / edit profile pages, either by providing a validation choice like "RegEx/Range" or by allowing JS.

                                      57 votes
                                      5 comments  ·  B2C
                                      • Add IPv6 addresses/ranges in named locations

                                        Hi,

                                        we set up Named Locations in Azure ID to "avoid" risky Azure AD logins.

                                        I added all our IPv4 public IPs/ranges but could not enter the IPv6 IPs/ranges. I got in touch with the Azure support and they said it is not possible yet.

                                        As we also use IPv6 surf IPs, could you enable the feature to add IPv6 IPs/ranges as well?

                                        Kind regards
                                        André

                                        53 votes
                                        11 comments  ·  Conditional Access
                                        • MFA Remembering Device

                                          Have the configuration option to remember a device for MFA, like with non-B2C tenants, instead of requiring MFA each time a user logs in.

                                          52 votes
                                          13 comments  ·  B2C