Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

  1. Add support for the Microsoft Authenticator app in B2C

    Enable the Microsoft Authenticator app to be used for 2FA in Azure B2C.

    175 votes
    16 comments  ·  B2C

    We are looking to add additional MFA options for Azure AD B2C in the next few months. As part of the investigation, we want to learn more about your requirements. Email your feedback to aadb2cpreview@microsoft.com.

    When you say “support for Microsoft Authenticator”, which feature are you referring to?
    1. The ability to see the codes in the authenticator app
    2. The ability to receive push notifications for MFA

    If both, which do you prefer more?

    Again, please email your feedback to aadb2cpreview@microsoft.com. Feel free to include more details about your scenarios/requirements!

  2. CORS for App Proxy

    There should be a CORS setting available on App Proxy, just like we have CORS available for App Services.

    Making calls from Azure Apps into an Azure App Proxy App is a very common scenario, especially when on-prem applications are surfaced externally using App proxy.

    More details - http://stackoverflow.com/questions/43955808/cors-prelight-issue

    89 votes
    4 comments  ·  Application Proxy

    We’ve hit some roadblocks in our design for this feature and will need to re-evaluate options. To help us validate the scenarios we need to address, please continue to share feedback. We will update in the next couple months once we have a better idea of our timeline and approach.

  3. Allow blocking "Sign-ins from anonymous IP addresses"

    I would like to be able to block ALL sign-ins from anonymous IP addresses.

    61 votes
    12 comments  ·  Conditional Access

  4. Allow Azure AD App Proxy Apps to use the Azure Web Application Firewall (WAF)

    Applications published with the Azure AD Application Proxy should be allowed to be configured to have traffic go through the Azure Web Application Firewall (WAF). We currently have to purchase a 3rd party WAF instead of using the Azure WAF when publishing applications.

    This should be built-in functionality that can be added onto the Azure AD App Proxy configuration.

    48 votes
    9 comments  ·  Application Proxy

  5. Log user authentications in Azure Active Directory B2C

    The logs available in Azure Active Directory, "Audit Logs" and "Sign-in" don't show activity related to consumer authentications. Having a view of consumer logins via the Azure Active Directory or Azure AD B2C sections would be very useful.

    35 votes
    5 comments  ·  B2C

  6. Allow MFA to be enabled for selected set of B2C users

    We would like users to choose if they want MFA enabled, and therefore a policy should trigger MFA only if the user or admin opts in for it.

    22 votes
    5 comments  ·  B2C

  7. Allow access and use of Citrix Xenapp applications via Azure AD Application Proxy

    There doesn't seem to be much documentation available for the configuration of rich protocol support (Citrix), unlike previous UAG support, where there is at least some communication around the connectivity of using UAG to connect to Citrix applications.

    https://blogs.technet.microsoft.com/edgeaccessblog/2010/03/25/how-to-publish-citrix-xenapp-5-x-with-uag-2010/

    It would be good to be able to replicate the above, which refers to UAG, in the Azure AD Application proxy.

    18 votes
    4 comments  ·  Application Proxy

  8. Hybrid Reporting

    Extend current Hybrid-Identity functionality to allow for the synchronization to Azure AD Reporting of the details of the operations performed in MIM and not just a subset of the SSPR and group management operations. Ideally we would want to have the option to select what specific information to synchronize to Azure AD.

    17 votes
    0 comments  ·  Microsoft Identity Manager

  9. Have one portal

    There are too many portals for administrators and end users. Users can be confused by the myapps.microsoft.com and portal.office.com/myapps pages. Each of these pages provides a different end user experience. Administrative portals are a nightmare. Trying to provide a temporary MFA code for a user involves going through multiple portals to get to the appropriate area, and the user experience for this is still not clear.

    10 votes
    0 comments  ·  End user experiences

  10. Management Groups

    Management groups (MGs) are currently at the scope of a single tenant only. Customer(s) wish to use management groups in multi-tenanted scenarios and want management groups to span multiple AAD tenants. Otherwise they would have to replicate the MG(s) across each tenant and then apply the same Azure policies and RBAC roles multiple times to MGs in each tenant separately, which becomes a management/maintenance issue.

    8 votes
    1 comment  ·  Groups/Dynamic groups

    We are designing a feature that will allow Management groups to connect to subscriptions and management groups in different tenants. There is no timeline yet other than it is being planned for the 2nd half of 2019 to be worked on.

    One question we do have is what services in Azure would you like to see supported in the cross tenant scenario? Azure Policy, Blueprints, RBAC Accesses, Security Monitoring, Deployments, etc…

  11. Support Azure Conditional Access for Azure SQL Server

    Allow clients with an Azure Conditional Access compliant device to access the Azure SQL database independently of the IP location.

    Basically, create just-in-time access for Azure AD compliant devices that are able to authenticate using some kind of PKAuth (Public Key Authentication Protocol) against the Microsoft Azure SQL server that allows access for that specific client.

    @Caleb

    https://feedback.azure.com/forums/908035-sql-server/suggestions/35919877-support-azure-conditional-access-for-sql-connectiv

    8 votes
    0 comments  ·  Conditional Access

    Thanks for the suggestion Peter. Can you give a bit more detail on the use case? You can apply conditional access policy to Azure SQL today. Is the additional requirement here to lock down access to specific devices (for example: not all compliant devices)?

    -Caleb

  12. Conditional access policy - Cloud Apps - All 3rd Party Applications

    Provide simple radio buttons for

    "All Non-Microsoft Applications" ("All 3rd Party Applications")
    "All Microsoft Applications"
    "All Cloud Applications"

    to be used in Inclusion and Exclusion rules under Cloud App for Conditional Access Policies.

    Currently it does not seem to be possible to block just 3rd party apps. It is not possible to select all of the Microsoft applications in the Exclusion rules, as they are not presented for selection unless registered with a URL.

    And if it _were_ possible to select everything required for Microsoft applications, it would still be an administration burden to continue to update the whitelist with…

    8 votes
    4 comments  ·  Conditional Access

    Can you give a bit more detail about why you would want to block 3rd party apps? Why are there 3rd party apps registered in your directory, that you want to block? I’m just wondering if there is a bigger issue here. Please add any feedback to the Azure feedback item.

    Thanks

  13. App Proxy - Multiple Internal Urls attached to External urls

    Azure AD App Proxy enables hostname URLs to work when browsed via Intune Managed Browser or with the MyApps Edge plugin (from Microsoft Store).

    This requires you to publish an application with the hostname https://contoso and a second application with the FQDN https://contoso.internaldomain.com

    This leads to you having 2 published tenantname.msappproxy.net external URLs.

    It would be better if multiple internal URLs could be attached to 1 external URL.

    Perhaps this could be implemented under Azure AD >App Registrations, like custom homepages?

    Thanks

    8 votes
    1 comment  ·  Application Proxy

  14. Add the ability to prioritize Azure AD Application Proxy Connectors that are part of a Connector Group (priority load balancing)

    That way a primary or preferred host that has a connector that is part of a connector group installed can be leveraged. This would help in situations when hosts having connectors installed are geo-diverse (active disaster recovery site), as well as when connectors are associated with applications with an active/standby model (in which case it is not desired that the passive node serve requests unless the primary node is down).

    7 votes
    0 comments  ·  Application Proxy

  15. Dynamics NAV mobile app support for Azure AD Application Proxy

    The Dynamics NAV mobile app cannot log in to a Dynamics NAV server which is behind Azure AD Application Proxy; you'll just receive a "Could not connect to the server" prompt from the app.

    7 votes
    4 comments  ·  Application Proxy

  16. Skipping account selection page in Azure AD v2 on consent

    Hello,
    We are using AD v2 implicit flow to authenticate a user from within SharePoint.
    The base URL is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=<>&client_id=<>&redirect_uri=<>&state=<>&nonce=<>&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.1&client-request-id=<>&response_mode=fragment

    Prompt consent in combination with domain hint for an organization does not seem to work correctly.
    Here are our observations with the following parameters:
    A. &prompt=none&domain_hint=organizations | Works correctly and uses the organisational account
    B. &prompt=consent&domain_hint=organizations | Does not work and restarts the user login process incl. re-entering email address
    C. &prompt=consent | Works correctly and gives the user selection of logged-in accounts

    We would like if scenario B would work the same as A taking the user directly…

    7 votes
    0 comments  ·  Authentication

    Thanks for filing this. I cannot reproduce this under any variety of circumstances. prompt=consent & domain_hint=organizations drops me on the account picker as expected.

    Please reach out if this still happens for you, and we’ll help debug the issue.

    Thanks,
    Azure Identity AuthN team.

  17. Make it possible to add security groups to Roles and administrators, now we can select only members

    Make it possible to add security groups to Roles and administrators; currently we can only select members.

    6 votes
    2 comments  ·  Role-based Access Control

  18. Customizable password reset screen

    Enable admins to customize the password reset screen to allow adding the company name and a customized message for password expiry. Also, the expiry notification should appear in the user's email 14 days before expiry.

    6 votes
    1 comment  ·  Self-Service Password Reset

  19. Enable conditional access rules to enforce MFA when users access Powershell

    Conditional access provides a great way to enforce additional checks when users access sensitive services in Azure. It is already possible to enforce MFA when users (e.g. with contributor rights) access the Azure portal. However, there is no way to explicitly require the same users to authenticate with MFA when accessing the same privileges in PowerShell. Please add PowerShell to the list of cloud applications so that it can be included in a rule that enforces MFA for privileged functions.

    6 votes
    3 comments  ·  Conditional Access

    Today you can set a conditional access policy on “Microsoft Azure Management”, which will apply to any client requesting access tokens to the Azure Management API. This includes the Azure portal (https://portal.azure.com) and Azure PowerShell (e.g. Login-AzureRmAccount).

    It does not apply to Azure AD PowerShell. To apply a conditional access policy to Azure AD PowerShell (e.g. Connect-MsolService and Connect-AzureAD, for the MSOnline and AzureAD modules, respectively), you must target “All cloud apps”, which means all sign-ins for the targeted users must satisfy the MFA requirement. The main reason for this is that the AzureAD PowerShell module is a thin wrapper around the Azure AD Graph API, which is also used by the vast majority of Azure AD-integrated apps (e.g. Office 365, Azure, etc.) out there.

    Thus, even if there was a way to set a policy on “Azure AD Graph API” (there isn’t), the…

  20. Add Redis Cache Support for Managed Service Identity

    Allow managed service identity to be used for connections to Redis cache via the Redis session state provider.

    5 votes
    2 comments  ·  Other