Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

    A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
    Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

    Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

    Adding nested groups to Azure AD would add a lot of value to Azure AD.

    1,656 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    368 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.

    Use case A: nested group in a cloud security group inherits apps assignment
    Use case B: nested group in a cloud security group inherits license assignment
    Use case C: nesting groups under Office 365 groups

  2. Merge office365 and live accounts that use the same email address

    I use both Azure/msdn and office 365
    I already had an msdn account mvdl@our-company.com ( Windows Live account) and our company recently migrated to Office 365 which resulted in a mvdl@our-company.com Office365 account.

    Wich is causing a lot of grieve when switching between asure web portal / msdn web portal / office 365 web portal

    Even when I have no portals open, I cant switch accounts. I need to explicity open the portal that I last logged in to. Log out, and then I can switch accounts.

    And having both office 365 portal and Azure portal open at the same…

    1,267 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    235 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →

    Folks,

    Thanks for the questions and suggestions. And apologies for not sharing any update on this thread for so long. We’ve been working on this problem and have announced changes on our official team blog (see here: https://cloudblogs.microsoft.com/enterprisemobility/2016/09/15/cleaning-up-the-azure-ad-and-microsoft-account-overlap/).

    First, we are acutely aware of the UX pain this is causing and we are sorry for this. We are trying to undo a decade and a half of systems divergence. There are literally hundreds of different engineering teams across Microsoft involved in this effort. So this is taking time.

    Second, we can’t easily “merge” two accounts, or allow IT to “take over” personal Microsoft accounts. There are two main hurdles: (1) The terms of service are fundamentally different for the two account types and (2) they are based on different technologies with different stacks (different identifiers, SDKs, token formats, etc.). We’re working to converge the two stacks but again this…

  3. Customer-owned domains

    Run Azure AD B2C's sign-up & sign-in pages under a custom domain, for e.g., login.contoso.com, instead of login.microsoftonline.com.

    743 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    107 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    Due to various technical limitations, the first iteration of the customer-owned domains functionality will not be available for a few more months. We will provide an update as soon as we can get a more specific ETA.

    If you are looking to use custom domains to use javascript, we are now looking to enable that experience by providing a new (non-customizable) domain. Please look for updates here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15493536-add-support-for-javascript-inside-the-custom-ui-br

    /Parakh

  4. Support exporting and importing conditional access policies using PowerShell

    Support exporting and importing conditional access policies using PowerShell. This would be handy for backup purposes, but also for re-use of the same policy rules between test and production tenants.

    The Microsoft Graph API currently do not have any REST APIs for accessing and creating conditional access policies: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intunegraphoverview

    706 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    49 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  5. Remove requirement for onprem Exchange when using DirSync

    as per : http://tinyurl.com/kqgjvqx

    Currently for a small business who want password sync, but make the move to 365. they have to keep Exchange running on premise simply to be able to edit user attributes related to Exchange. - an active directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.

    536 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    58 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
    started  ·  Azure AD Team responded

    We’re working on a solution and will update you when we know more.

  6. Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

    Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

    This is obviously not ideal. We currently having to perform the rollover task manually each month.

    Please look at how this process could be improved for automation.

    465 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    71 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
    started  ·  Azure AD Team responded

    Hi everyone,
    Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
    Thanks for your patience!

    Jairo Cadena
    Principal Program Manager
    Microsoft Identity

  7. AzureAD Role Delegation to Groups

    Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlets' RoleMemberType Parameter can be set to Group. But we always get an exception which says that this value is invalid....
    Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the Management much easier. To achieve a Role Delegation to Groups we have to deploy a Powershell that synchronizes Group-Members with Role-Members of a specific role. This is a valid Workaround but a nasty one compared to a direct delegation…

    450 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    64 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →

    Folks,
    We are working on it. There is an elevation of privilege concern associated with this feature. If a group is assigned a role, any IT admin who can manage group membership can manage that group’s membership and indirectly manage who gets the role. So, we have to ensure that the feature is secure.

    We are taking a staged approach to execute this feature –
    Stage 1: Supporting cloud groups to be assigned to roles
    Stage 2: Supporting on-prem groups to be assigned to roles

    Stay tuned!

    Regards,
    Abhijeet Kumar Sinha
    Azure Active Directory Team

  8. RBAC for AAD

    The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.

    Currently there's too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

    293 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    32 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →

    Hi folks,
    Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

    You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

    Regards,
    Vince Smith
    Azure Active Directory Team

  9. Authentication Phone

    Make the Authentication Phone and Authentication Email field settable with Powershell.

    248 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    33 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add IPv6 addresses/ranges in named locations

    Hi,

    we set up Named Locations in Azure ID to "avoid" risky Azure AD logins.

    I added all our IPv4 public IPs/ranges but could not enter the IPv6 IPs/ranges. I got in touch with the Azure support and they said it is not possible yet.

    As we also use IPv6 surf IPs, could you enable the feature to add IPv6 IPs/ranges as well?

    Kind regards
    André

    218 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    37 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  11. Programmatically register B2C applications

    I want to be able to call a Graph API to register new B2C applications

    196 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    21 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  12. 161 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    24 comments  ·  PowerShell  ·  Flag idea as inappropriate…  ·  Admin →
    started  ·  Azure AD Team responded

    This is in the works, hoping to be able to release a new version in the next couple of weeks that supports running on Linux (and Mac)

  13. Ability to update Named Locations using PowerShell

    We have around 200 locations that use dynamic IP addresses that change frequently. We have the ability to pull the public IP addresses via REST API/PowerShell, but there is currently no way to update the Named Locations list programmatically. Without PowerShell, we are forced to manually dump the list to a CSV and upload the new file.

    We would like to have the ability to add, remove, update Named Locations and entries in the IP Ranges of a Named Location.

    153 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    20 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  14. Support for 3rd party EMM solutions when requiring device compliance

    We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.

    Currently Azure AD Conditional Access Policies only supports InTune for checking device compliance as described @ https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.

    136 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    27 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for your feedback. Microsoft is currently working with third party MDM providers to enable this scenario. We will update this thread once we have more information to share.

  15. Utilize AAD Security Groups for Device "Additional Local Administrators" support

    Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).

    136 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →

    We’re currently working on this capability and will provide an update when it’s done.

    However, instead of expanding the “Additional Local administrators” setting, we will support adding AAD groups to Windows 10 local groups (.e.g Administrators, Remote Desktop Users) via MDM policy and elevate user privileges on logon. This will provide greater flexibility to assign different groups to different devices


    Ravi

  16. Go Direct to Password Reset from Sign-In/Sign-Up

    The Sign-in only policy allows the user to go directly to the password reset.

    The Sign-in/Sign-Up does not allow this. The user gets redirected back and you have to handle AADB2C90118.

    Reference: https://stackoverflow.com/questions/41497158/azure-ad-b2c-self-service-password-reset-link-doesnt-work

    While this flow is useful for some people the opposite is also true. Please allow me to specify the password reset policy in my sign-in/sign-up policy so the round trip is not required if I don't want it.

    126 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    33 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  17. Add reporting to see how many users have or have not registered for Self Service Password Reset.

    Would be helpful so we know who to target to get them registered within our organization

    119 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    20 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  18. Custom password complexity

    Allow the ability to set different password complexities for local accounts in a B2C tenant.

    107 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    14 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  19. Enable synchronized AD groups (or AAD groups) to map to PIM.

    Rather than adding single accounts from AAD (which may be synched from AD), it would be great to map AAD (or synched AD) groups to eligibility rules. E.g. AAD group A is eligible for Role Exchange Admin. That way, one could administer AD groups for privileged access like in RBAC and use PIM to activate the privileges. Adding single users may be difficult to handle in large environments.

    96 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  10 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  20. Span AADDS domain across multi regions

    Span the same AADDS domain to multi regions - currently only possible with vnet pairing and VPN gateways. Would also add redundancy to the domain if say a region were to go down or the AADDS service were to stop within a region.

    93 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 6
  • Don't see your idea?

Feedback and Knowledge Base