Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Fully customizable verification emails

    Currently, Azure AD B2C sends verification codes via emails to end users during sign-up and password reset flows. These emails have limited customization. Add support for full customization of the email body & content.

    932 votes  ·  120 comments  ·  B2C
  2. Allow the User Admin role to Enable/Disable MFA for users

    Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.

    932 votes  ·  180 comments  ·  Multi-factor Authentication
  3. AzureAD Role Delegation to Groups

    Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember, although the add-msolroleMember cmdlet's RoleMemberType parameter can be set to Group. But we always get an exception which says that this value is invalid…
    Usually we delegate access to resources using ActiveDirectory groups instead of users, which makes the management much easier. To achieve a role delegation to groups we have to deploy a PowerShell script that synchronizes group members with role members of a specific role. This is a valid workaround but a nasty one compared to a direct delegation…

    335 votes  ·  46 comments  ·  Role-based Access Control
  4. Allow for customized error messages in Azure AD Conditional Access policies

    Allow an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on a specific criterion, I could display a custom error message that would offer links to support sites, or the IT support #. In addition, allow multiple custom error messages to be defined and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional…

    306 votes  ·  24 comments  ·  Conditional Access
  5. Support Remote Desktop Web Client HTML5 on Azure AD App Proxy

    Microsoft doesn't support the Azure AD Application Proxy on RD Web Client (HTML5). With this, MFA and Conditional Access would be possible.
    Another benefit is that HTML5 works in all web browsers without downloading software.
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin

    272 votes  ·  37 comments  ·  Application Proxy
  6. Allow Conversion of AD Synced Accounts to "In Cloud Only"

    Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
    After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.

    Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.

    258 votes  ·  62 comments  ·  Azure AD Connect

    We are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
    We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”.

  7. AADB2C: Force password reset

    Add the ability to force users to reset their password at next login. It would be ideal if this was available both for individual users and in bulk. This is necessary for situations such as credential leaks, etc.

    247 votes  ·  37 comments  ·  B2C

    We have started the planning for this feature and hope to have a preview by the end of the calendar year. In the meantime, could you respond to aadb2cpreview@microsoft.com with the answers to the following questions:
    - In which scenarios do you plan to force the user to change his/her password?
    - What kind of information (if any) would you like to get back if the user goes through the reset flow?
    - Do you currently or plan to track which users have reset their password?

  8. Azure Domain Services Support for LAPS

    Allow (or automatically install) LAPS within Azure Domain Services since this is the Microsoft supported standard for local administrator accounts.

    LAPS: https://technet.microsoft.com/en-us/library/security/3062591.aspx

    245 votes  ·  43 comments  ·  Azure AD Join
  9. Azure AD B2C Data Residency in Australia

    Although Azure AD B2C is available for use in Australia, there is no option to create a directory for which the user data resides in Australia. We would like to be able to ensure that our Azure AD B2C user data remains in Australia.

    216 votes  ·  51 comments  ·  B2C
  10. Allow different login branding customizations per-domain

    We have a number of subdomains in our tenant which are used for various purposes - clients, partners, staff etc.
    It would be great to be able to customise the login branding customisation settings on a per-domain basis rather than globally across the tenant.

    152 votes  ·  14 comments  ·  End user experiences
  11. Phone number sign-up

    Local accounts currently allow email addresses and usernames as sign-in identifiers. Add phone numbers as well.

    141 votes  ·  39 comments  ·  B2C

    We are interested in enabling this scenario and are looking for more data.
    - Would you want to be able to use this in conjunction with email or would you only be interested in one way to sign up accounts at a time?
    - Would you like to be able to create the account without needing an email at all?

    /Sam

  12. Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application.

    Currently, if the logged-in user doesn't exist in the tenant directory for a given application, the user is shown a very unhelpful page with the following:

    Sorry, but we’re having trouble signing you in.
    We received a bad request.

    The debug error is:
    AADSTS50020: User account 'some email address' from external identity provider 'https://sts.windows.net/someguid/' is not supported for application 'https://someappurl'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

    141 votes  ·  planned  ·  39 comments  ·  End user experiences
  13. Make https://passwordreset.microsoftonline.com responsive design or app for password reset

    It would be nice if passwordreset.microsoftonline.com looked great on a mobile device as well as on a PC. It isn't responsive and looks weird on a phone. You have to pinch to see the text and textboxes on the page.

    Alternatively, Microsoft should consider integrating "Password Reset" / "Lockout" functionality in a new app or the existing Azure Authenticator app. This would notify the user about account lockout and also provide a way for the user to do a quick password reset from a device. Of course the user will need to answer a couple of questions, enter a pin…

    138 votes  ·  17 comments  ·  Self-Service Password Reset
  14. Allow blocking "Sign-ins from anonymous IP addresses"

    I would like to be able to block ALL sign-ins from anonymous IP addresses.

    130 votes  ·  29 comments  ·  Conditional Access
  15. phone factor

    Surface/expose Azure MFA (Phone Factor) attribute data in Graph to facilitate API-based manipulation and mitigate some of the current limitations in RBAC within "cloud only" deployments of the Azure MFA service.

    124 votes  ·  19 comments  ·  Multi-factor Authentication
  16. "Change password" policy

    Add a new Azure AD B2C policy that allows a signed-in user to change his or her password. Not the same as password reset.

    122 votes  ·  15 comments  ·  B2C

    We are in the process of planning this feature and hope to have a preview available by the end of November. In the meantime, could you please respond to aadb2cpreview@microsoft.com with your responses to the following questions:

    - If you had a “password change” policy, what kind of information would you like to get back once the policy has been executed?
    - Would you prefer to have a policy that forces you to sign in first, and then asks you to change the password, or one that lets you do it all on the same page?
    - Would you want an email to get sent out to the user whenever the password is changed?

  17. Allow more customization of the myapps.microsoft.com portal.

    It would be great if I could forward a subdomain to our myapps.microsoft.com portal. Instead of giving users the microsoft.com URL, I want to give them one.theblaze.com.

    Second, would be great if there was a newsfeed widget at the top of the portal that could show an RSS feed of company news.

    120 votes  ·  30 comments  ·  End user experiences

    Thanks so much for the feedback! Customizations of the My Apps portal for both end users and admins are on our roadmap. This includes providing the ability to re-arrange and group apps, as well as using a customizable domain.

    We are also looking to see if we can enable embedding other components like widgets. We’re still in process of validating options for this.
    Please keep sharing your feedback and ideas around this!

  18. Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)

    Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disables user accounts in Active Directory to support this scenario.

    I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false if the user's account expires in the local Active Directory.

    Aaron posted a great workaround solution:
    https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/

    We would like something built into Azure AD Connect that solves this out of the box.

    111 votes  ·  11 comments  ·  Azure AD Connect
  19. Allow User Account Administrator to enable MFA for users, not require global admin

    A best practice is to limit the number of global admins, yet a global admin is required to enable MFA for users. The User Account Administrator role should be allowed to enable MFA for users.

    91 votes  ·  8 comments  ·  Multi-factor Authentication

    We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA.

  20. Deny Access Control in the RBAC

    Please add the options below to RBAC:
    - Disable inheritance.
    - Deny.

    91 votes  ·  9 comments  ·  Role-based Access Control

    We recently added deny capability to Azure’s RBAC system, in the form of deny assignments that can be set by the system only. The first Azure feature to use deny is BluePrint. We intend to add a configurable deny capability in the future, but have not yet announced any details.

    Cheers,
    /Stuart and Balaji
