Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. AADB2C: Send email invitation for new user to sign up

    I would like the ability to trigger an email invitation be sent to new users for our web application that I want to authenticate with AADB2C. In our multi-tenant design, each tenant will be responsible for adding their own users to their tenant. I would like the admin of the tenant to be able to send an email invitation to the new user and then that user can complete the sign-up process.

    344 votes

    27 comments  ·  B2C
  2. Add support for the Microsoft Authenticator app in B2C

    Enable the Microsoft Authenticator app to be used for 2FA in Azure B2C.

    199 votes

    19 comments  ·  B2C

    We are looking to add additional MFA options for Azure AD B2C in the next few months. As part of the investigation, we want to learn more about your requirements. Email your feedback to aadb2cpreview@microsoft.com.

    When you say “support for Microsoft Authenticator”, which feature are you referring to?
    1. The ability to see the codes in the authenticator app
    2. The ability to receive push notifications for MFA

    If both, which do you prefer more?

    Again, please email your feedback to aadb2cpreview@microsoft.com. Feel free to include more details about your scenarios/requirements!

  3. CORS for App Proxy

    There should be a CORS setting available on App Proxy, just like we have CORS available for App Services.

    Making calls from Azure Apps into an Azure App Proxy App is a very common scenario, especially when on-prem applications are surfaced externally using App proxy.

    More details - http://stackoverflow.com/questions/43955808/cors-prelight-issue

    105 votes

    8 comments  ·  Application Proxy

    We’ve hit some roadblocks in our design for this feature and will need to re-evaluate options. To help us validate the scenarios we need to address, please continue to share feedback. We will update in the next couple months once we have a better idea of our timeline and approach.

  4. Allow Azure AD App Proxy Apps to use the Azure Web Application Firewall (WAF)

    Applications published with the Azure AD Application Proxy should be allowed to be configured to have traffic go through the Azure Web Application Firewall (WAF). We currently have to purchase a 3rd party WAF instead of using the Azure WAF when publishing applications.

    This should be built-in functionality that can be added onto the Azure AD App Proxy configuration.

    56 votes

    11 comments  ·  Application Proxy
  5. Log user authentications in Azure Active Directory B2C

    The logs available in Azure Active Directory, "Audit Logs" and "Sign-in" don't show activity related to consumer authentications. Having a view of consumer logins via the Azure Active Directory or Azure AD B2C sections would be very useful.

    36 votes

    5 comments  ·  B2C
  6. Allow MFA to be enabled for selected set of B2C users

    We would like users to choose if they want MFA enabled, and therefore a policy should trigger MFA only if the user or admin opts in for it.

    25 votes

    9 comments  ·  B2C
  7. BitLocker recovery

    Delegate permission to view the BitLocker recovery key to other roles than Global admins (e.g. Device administrators). Our clients' guys are responsible for managing the devices, and they will support the end users.
    Or provide RBAC for Azure AD to build customer roles.

    20 votes

    2 comments  ·  Role-based Access Control
  8. Allow access and use of Citrix Xenapp applications via Azure AD Application Proxy

    There doesn't seem to be much documentation available for configuration of rich protocol support (Citrix),
    unlike previous UAG support, where there is at least some communication around the connectivity of using UAG to connect to Citrix applications.

    https://blogs.technet.microsoft.com/edgeaccessblog/2010/03/25/how-to-publish-citrix-xenapp-5-x-with-uag-2010/

    It would be good to be able to replicate the above, which refers to UAG, in the Azure AD Application proxy.

    20 votes

    4 comments  ·  Application Proxy
  9. Azure AD B2B better support for users who don't know their organisation has O365

    We invite quite a lot of external guests into our SPOnline tenant. Originally via the (old Azure portal) bulk add (CSV) B2B process, but more recently via the (new Azure portal) invite guest user B2B/B2C process.

    We're getting more and more B2B users that fit into one or more of the following:

    1. Don't know their organisation has O365
    2. Don't know their O365 login (it's not always their email address)
    3. Their organisation/domain is registered for O365, but they don't have a license.
    4. Have O365, but aren't syncing their AD with AzureAD.
    5. Aren't able to get their…

    19 votes

    0 comments  ·  B2B

    We’ve made several improvements in this area to support users who don’t have O365 or who are using email addresses that differ from their O365 login information (such as supporting proxy addresses, direct federation support, and email one-time passcodes), but we know there’s more work to do in this space. Please let us know what other scenarios are causing you and your guests the most pain so we can use that information to triage and prioritize future investments.

    /Elisabeth

  10. Enterprise certificate authority (CA)

    Allow for creating Enterprise CA

    19 votes

    need-feedback  ·  4 comments  ·  Domain Services
  11. Hybrid Reporting

    Extend current Hybrid-Identity functionality to allow for the synchronization to Azure AD Reporting of the details of the operations performed in MIM and not just a subset of the SSPR and group management operations. Ideally we would want to have the option to select what specific information to synchronize to Azure AD.

    18 votes

    0 comments  ·  Microsoft Identity Manager
  12. Add Redis Cache Support for Managed Service Identity

    Allow managed service identity to be used for connections to Redis Cache via the Redis session state provider.

    14 votes

    3 comments  ·  Other
  13. Azure Active Domain Services Synchronisation Report

    Currently, it is not possible to get accurate information from AADDS about what and when attributes are synchronised from Azure AD to Azure ADDS. It would be most helpful if customers could query on a per-user or per-directory basis to find out what attributes were synced and at what time (including password changes).

    13 votes

    need-feedback  ·  1 comment  ·  Domain Services
  14. Fix Windows 10 AAD Join not allowing user to share local resources

    When a machine is only joined to AAD then these credentials are not allowed to be exposed to sharing local resources on workstations.

    For example, if one machine wants to access a share on another machine, we need to be able to use the AAD credentials between the machines as an authenticator. However, these credentials do not present themselves to the local machines.

    Somehow, we need to be able to take a local share, assign it to an AAD Group then be allowed to add/remove AAD users to and from that group so that local resources can be authenticated with…

    11 votes

    1 comment  ·  Domain Join

    AAD joined machines are meant to work in a primarily cloud environment where all sharing happens through cloud collaboration tools – OneDrive, Sharepoint and Teams, or for large storage – Azure Files

    Sharing local resources on workstations is a legacy on-premises concept from when devices were connected on a common network and required to share resources. In a cloud-first world, there are more capable tools to enable this functionality. We recommend using them for collaboration so that access is not dependent on the device being online and active to access those resources.

    If there are specific use cases where the above does not work, we’d like to hear those

    /Ravi

  15. App Proxy - Multiple Internal Urls attached to External urls

    Azure AD App Proxy enables hostname URLs to work when browsed via Intune Managed Browser or with the MyApps Edge plugin (from Microsoft Store).

    This requires you to publish an application with the hostname https://contoso and a second application with the FQDN https://contoso.internaldomain.com

    This leads to you having 2 published tenantname.msappproxy.net external URLs.

    It would be better if multiple internal URLs could be attached to 1 external URL.

    Perhaps this could be implemented under Azure AD > App Registrations, like custom homepages?

    Thanks

    10 votes

    1 comment  ·  Application Proxy
  16. Have one portal

    There are too many portals for administrators and end users. Users can be confused by the myapps.microsoft.com and portal.office.com/myapps pages. Each of these pages provides a different end user experience. Administrative portals are a nightmare. Trying to provide a temporary MFA code for a user involves going through multiple portals to get to the appropriate area, and the user experience for this is still not clear.

    10 votes

    0 comments  ·  End user experiences
  17. Management Groups

    Management groups (MGs) are currently at the scope of a single tenant only. Customer(s) wish to use management groups in multi-tenanted scenarios and want management groups to span multiple AAD tenants. Otherwise they would have to replicate the MG(s) across each tenant and then apply the same Azure policies and RBAC roles multiple times to MGs in each tenant separately, which becomes a management/maintenance issue.

    9 votes

    2 comments  ·  Groups/Dynamic groups

    We are designing a feature that will allow Management groups to connect to subscriptions and management groups in different tenants. There is no timeline yet other than it is being planned for the 2nd half of 2019 to be worked on.

    One question we do have is what services in Azure would you like to see supported in the cross tenant scenario? Azure Policy, Blueprints, RBAC Accesses, Security Monitoring, Deployments, etc…

  18. Conditional Access granularity -- We need support for "and/or" scenarios for conditions, and more granularity for client/device types.

    We are in the process of moving to Exchange Online from an on-prem environment, with the following assumptions:

    A) We are already a Duo shop for MFA and management does not want to have a second MFA strategy (Azure AD MFA)

    B) We use Passthrough Authentication for authentication into Azure AD. We do not wish to deploy ADFS for only O365.

    With these assumptions, our way of adding MFA to our logins in O365 is with Conditional Access and a custom control for our Duo 2FA.

    We have created policies that only allow connections from clients that support Modern Authentication,…

    9 votes

    0 comments  ·  Conditional Access
  19. Enable conditional access rules to enforce MFA when users access Powershell

    Conditional access provides a great way to enforce additional checks when users access sensitive services in Azure. It is already possible to enforce MFA when users (e.g. with contributor rights) access the Azure portal. However, there is no way to explicitly require the same users to authenticate with MFA when accessing the same privileges in PowerShell. Please add PowerShell to the list of cloud applications so that it can be included in a rule that enforces MFA for privileged functions.

    9 votes

    4 comments  ·  Conditional Access

    Today you can set a conditional access policy on “Microsoft Azure Management”, which will apply to any client requesting access tokens to the Azure Management API. This includes the Azure portal (https://portal.azure.com) and Azure PowerShell (e.g. Login-AzureRmAccount).

    It does not apply to Azure AD PowerShell. To apply a conditional access policy to Azure AD PowerShell (e.g. Connect-MsolService and Connect-AzureAD, for the MSOnline and AzureAD modules, respectively), you must target “All cloud apps”, which means all sign-ins for the targeted users must satisfy the MFA requirement. The main reason for this is that the AzureAD PowerShell module is a thin wrapper around the Azure AD Graph API, which is also used by the vast majority of Azure AD-integrated apps (e.g. Office 365, Azure, etc.) out there.

    Thus, even if there was a way to set a policy on “Azure AD Graph API” (there isn’t), the…

  20. Support Azure Conditional Access for Azure SQL Server

    Allow clients with an Azure Conditional Access compliant device to access the Azure SQL database independently of the IP location.

    Basically, create just-in-time access for Azure AD compliant devices that are able to authenticate using some kind of PKAuth (Public Key Authentication Protocol) against the Microsoft Azure SQL server that allows access for that specific client.

    @Caleb

    https://feedback.azure.com/forums/908035-sql-server/suggestions/35919877-support-azure-conditional-access-for-sql-connectiv

    8 votes

    0 comments  ·  Conditional Access

    Thanks for the suggestion Peter. Can you give a bit more detail on the use case? You can apply conditional access policy to Azure SQL today. Is the additional requirement here to lock down access to specific devices (for example: not all compliant devices)?

    -Caleb
