Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Sync Azure Active Directory Down to On-Premises AD

    It would be great to be able to sync Azure AD down to On-premise AD. I want to centrally manage my users, passwords, and groups from Azure AD. That way the on-premise server just acts as a medium for the local environment.

    Here: http://msdn.microsoft.com/en-us/library/azure/dn798669.aspx

    It says "coming soon" for cloud to on premise sync. It was last updated on September 5th 2014. I can't find any new information on if this is out.

    210 votes
    declined  ·  64 comments  ·  Azure AD Connect
  2. Unattended installation Azure AD Connect

    Provide the ability to perform unattended/silent installation of Azure AD Connect using either/or both command line or answer file for the installation parameters.

    This is highly needed for redeployment of test/dev environments and especially for hosting/service providers with many customers.

    106 votes
    20 comments  ·  Azure AD Connect
  3. Remove the SharePoint prerequisite for MIM portal.

    The fact that MIM Portal runs on top of SharePoint just adds a lot of extra complexity and moving parts. If MIM Portal instead was just a simple IIS application it would become a lot easier to set up and maintain.

    94 votes
    3 comments  ·  Microsoft Identity Manager
  4. Date picker in MIM Portal

    A lot of customers are asking why there is no such thing as a proper date picker in MIM Portal - in search, in the user's form and so on. And even though we can write the date in search, there is no way to include hours.

    61 votes
    2 comments  ·  Microsoft Identity Manager
  5. Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups

    Baseline Policy: Require MFA for Admins (Preview) needs to be able to exclude groups.

    This policy does not pay attention to trusted location. Therefore, your global admin or other admin SERVICE ACCOUNTS will get blocked unless you exclude them one-by-one.

    This is very disruptive. This policy used to allow excluding groups and they changed it to only excluding users. Not all companies can move at the pace Microsoft is enforcing. We cannot make all of our service accounts into some other solution which won't get impacted and still work for us.

    Bring back group exclusion for manageability!!

    60 votes
    10 comments  ·  Conditional Access
  6. Support roaming/sync of start menu layout

    There is a desire for Enterprise State Roaming to support the roaming of the start screen/start menu as was done in Windows 8.x with MSA.

    56 votes
    0 comments  ·  Devices
  7. Multi-tenant capabilities in Azure AD Sync

    Problem scenario: single on-premise domain, multiple O365 / Azure subscriptions. As it stands today it looks like you still need FIM and the Azure AD Connector to accomplish this (or DirSync on a separate server for each tenant).

    I was hoping to be able to use the AADsync tool for this and consolidate the current DirSync servers to a single VM for it.

    54 votes
    26 comments  ·  Azure AD Connect
  8. Add Custom Identity Provider feature to Azure AD

    We have a custom IdP on old ACS and use ADAL v1 to auth a desktop app. We need to use new things of ADAL v2 or newer versions.

    We already have this app in production so we really need a way to use Azure B2C with our custom identity provider. In fact we want the feature of custom IdP in Azure AD in order to substitute ACS.

    50 votes
    2 comments  ·  Developer Experiences
  9. AADB2C: Password Expiration

    Unlike Azure AD, B2C does not allow you to set a password expiration policy. Please allow similar capability in B2C to set both a password expiry as well as the length prior to a notice being sent to the user before their password expires.

    43 votes
    4 comments  ·  B2C
  10. Add possibility to exclude groups/users from Security defaults

    Almost all tenants have some accounts that can't do MFA, e.g. for info screens or system integration. Security defaults would be enforced upon all users... meaning we can't enable Security defaults for most of our customers! Microsoft also recommends excluding an emergency access account from MFA.

    40 votes
    12 comments  ·  Conditional Access

    Security Defaults is targeted towards customers that have simple security requirements and do not have complex environments. If you require policy customization, we recommend using Conditional Access which allows for rich flexibility and customization. However, certain system integrations and automation can be tackled with dedicated service principals.

  11. AADB2C: Integrate Office 365 to work with B2C

    You have B2C integration for cloud applications but there is no integration of B2C with Office 365 licenses. That makes no sense. Office 365 is a cloud application and so should therefore be able to be assigned licenses from a corporation to their B2C users.

    38 votes
    6 comments  ·  B2C
  12. Support application specific roles in B2C

    I would like to be able to add roles that are specific to an application. If you're using Azure AD B2C with multiple applications, you will certainly have different roles, used for Authorization, in the different apps.

    Moreover, a user with a role, say administrator, in one application might not be an administrator of another application. This scenario could be supported by adding application roles.

    37 votes
    7 comments  ·  B2C
  13. AAD Sync; make mobile attribute authoritative again after AAD/tenant/portal update

    AAD Sync; make mobile attribute authoritative again after AAD/tenant/portal update.

    If you update the mobile attribute as a user or admin in the tenant, this no longer flows from on premises AAD Sync. If the user has made a mistake and you wish this to flow again from on premises, there is no way to make it authoritative again.

    36 votes
    11 comments  ·  Azure AD Connect
  14. Add more claims to LiveID for ACS

    The nameidentifier claim containing a made up ID unique to my application is not sufficient for authenticating a user. With no way to get additional user identifiable information, a user could authenticate with Live and then fill out a local profile on my application for whomever they wanted. They could claim to be Bill Gates, I would have no way of verifying that based on the nameidentifier claim coming from LiveID.

    32 votes
    2 comments
    declined  ·  Anonymous responded

    The Azure Active Directory team has aligned its resources behind services in Azure Active Directory. This effort will eventually replace functionality available in ACS. The blog post – http://blogs.technet.com/b/ad/archive/2013/06/22/azure-active-directory-is-the-future-of-acs.aspx – provides a high-level overview of this transition. The ideas posted around ACS have been collected and passed to the team. We will close out ideas posted around ACS to return votes used on this topic. Please feel free to post additional ideas here, and/or email me directly – robert.faller@microsoft.com.
    The Azure Active Directory team greatly appreciates the feedback. We look forward to hearing from the community as much as possible. It is one of the essential ways we can continue to create and enhance our service offerings to meet your needs. Thank you.

  15. Editable trusted Root CA List in ACS

    Today SAML Tokens which are signed using a certificate issued by a local CA cannot be validated and are therefore rejected by ACS. This is because ACS only trusts Root CAs which are on the out-of-the-box windows trusted CA List. It would be very useful for ACS Customers to decide for themselves which Root-CA they trust or not.

    30 votes
    3 comments
    declined  ·  Anonymous responded

    The Azure Active Directory team has aligned its resources behind services in Azure Active Directory. This effort will eventually replace functionality available in ACS. The blog post – http://blogs.technet.com/b/ad/archive/2013/06/22/azure-active-directory-is-the-future-of-acs.aspx – provides a high-level overview of this transition. The ideas posted around ACS have been collected and passed to the team. We will close out ideas posted around ACS to return votes used on this topic. Please feel free to post additional ideas here, and/or email me directly – robert.faller@microsoft.com.
    The Azure Active Directory team greatly appreciates the feedback. We look forward to hearing from the community as much as possible. It is one of the essential ways we can continue to create and enhance our service offerings to meet your needs. Thank you.

  16. "Backport" the new sync engine features from AAD Connect to MIM

    There are several new and handy scope operations, functions & operators available in AAD Connect that are not available in MIM Sync. Would be very useful to have in MIM as well, for example NOW, SWITCH, ISMEMBEROF etc.

    28 votes
    3 comments  ·  Microsoft Identity Manager
  17. password strength meter

    Similarly to the AD password reset, provide the option to show a password strength meter for local account sign-up and password reset.

    24 votes
    1 comment  ·  B2C
  18. Fully support AzureAD Join with AzureADDS regarding Kerberos

    In a classic hybrid scenario (ADDS DCs synched with AzureAD), AzureAD joined devices get a Kerberos ticket from a DC if a DC is reachable through the network.
    When doing the same thing using AzureAD and AzureAD Domain Services, AzureAD joined devices never get a Kerberos ticket from AzureAD Domain Services since this is currently not supported. (Case 116070414368551)
    Regarding AzureAD Join, it would be very useful if AzureAD Domain Services would behave similarly to classical ADDS DCs and deliver Kerberos tickets to AzureAD joined devices.

    24 votes
    declined  ·  1 comment  ·  Domain Services
  19. MFA as second authentication factor for SSPR

    With SSPR we can activate several authentication methods (office phone, mobile, alternate email, security questions). This is great, but it would be perfect if there would be an extra validation on MFA if the user is enrolled.

    23 votes
    8 comments  ·  Self-Service Password Reset

    Based on the comments, it sounds like the ask is to integrate security questions into MFA. We do not plan to do this at this time. However, we have made mobile app notification and code available for SSPR and have converged the registration and management experiences for SSPR and MFA. You can learn more at aka.ms/securityinfodocs. Thanks!

  20. AADDS: Allow pausing of Domain Services

    On a demo or MSDN subscription I would like to pause Domain Services like I can pause an AD VM. That will save me costs on a demo or development focused Azure subscription. Otherwise, AAD Domain Services uses a significant portion of the $100/month MSDN credit.

    23 votes
    declined  ·  1 comment  ·  Domain Services