Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Support NPS/RADIUS for Azure AD Domain Services
Add support for Microsoft NPS/RADIUS in Azure AD Domain Services
273 votes
CONFIRMED that NPS and Azure AD Domain Services can work with the Azure MFA NPS extension to enable MFA for RDP to virtual machines. That said, Azure Bastion Host (https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) provides the same value without the additional infrastructure of NPS. We have a doc bug created to add the nuance to our documentation, which is to 1) skip registering the NPS server and 2) ensure your network policy has "Ignore user account dial-in properties" selected.
Leaving the topic open as we continue to investigate/validate other NPS use cases (e.g. VPN and 802.x scenarios).
Mike Stephens
Senior Program Manager
Azure Identity
IAM Core | Domain Services
Span AADDS domain across multi regions
Span the same AADDS domain to multi regions - currently only possible with vnet pairing and VPN gateways. Would also add redundancy to the domain if say a region were to go down or the AADDS service were to stop within a region.
72 votes
Engineering has begun work on this.
Azure Active Directory Domain Services - More Pricing Tiers
Can we have more pricing tiers? I run a small consultancy business with 1 user, and enabling AADDS will cost in excess of £90 a month, even though I won't have anything like the 25000 objects minimum tier cap. However, AADDS is useful for demonstrating to SME clients how they can go cloud only, so it would make sense to provide an entry-level price point, for example max 2500 objects, to suit the smaller scenarios.
51 votes
Allow B2B users to logon to VMs using Azure AD domain services
Currently B2B users cannot log in to an Azure AD Domain Services joined virtual machine. In this scenario we do not have AAD Connect, only an Azure AD directory with domain services running. We can join the VMs to the AAD DS domain and sign on with member accounts but cannot sign in with B2B guest accounts.
50 votes
Add more attributes to AADDS
Expand the attributes that are synced with AADDS and available via LDAPS. The one I'm specifically interested in at the moment is the Manager attribute, but others are important too.
37 votes
Hi all,
We've started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!
Erin Greenlee
Program Manager
IAM Core | Domain Services
domain services
Upgrade the Azure AD Domain Services Domain Controllers to be Windows Server 2016 instead of Windows Server 2012 R2.
We've switched to having our domain be AAD Domain Services and connected to our Office 365 domain and we'd like to enable Windows Hello for Business, but until those domain controllers are upgraded we can't utilize it. This makes the nice fingerprint scanners on our new machines useless.
26 votes
enterprise certificate authority (ca)
Allow for creating Enterprise CA
21 votes
Manage AADDS DNS powershell
Currently, I am unable to find any documented methods for managing DNS in AADDS using PowerShell. If it is possible, can we get an article published that states specifically how to use PowerShell to manage DNS in AADDS? If it doesn't exist, can we get the functionality created? Using MMC is dated and limits our ability to automate.
19 votes
proxyaddresses
Make the ProxyAddresses attribute available through LDAPS when using Managed Domain
Many Anti-Spam applications (ex: Zero Spam) need to connect via LDAPS to list users, and get their email address(es) but only the mail attribute is available...
Since the LDAPS managed domain is using our Azure AD, and Azure AD already has these attributes (synced from our on-premises AD), I don't understand why it is not available through LDAPS.
17 votes
Hi all,
We've started work on adding the Manager, ProxyAddress, and employeeID attributes to AAD-DS. Thank you for your patience!
Erin Greenlee
Program Manager
IAM Core | Domain Services
Azure Active Domain Services Synchronisation Report
Currently, it is not possible to get accurate information from AADDS about what and when attributes are synchronised from Azure AD to Azure ADDS. It would be most helpful if customers could query on a per-user or per-directory basis to find out what attributes were synced and at what time (including password changes).
14 votes
Latency in sync between Azure AD and Managed domain
There is a delay in sync between Azure AD and domain services.
It will be great if we can reduce this sync delay.
Sometimes the sync will not be up to date, so we need access to restart the sync between Azure AD and the managed domain.
10 votes
Use Seamless SSO in AADDS environments.
At the moment, having seamless SSO in Azure Active Directory Domain Services doesn't work. Logically, this feature should be automatic...
At the moment, you can join a machine to AADDS domain, and log in to it with Azure AD credentials. But users still need to sign in manually to Office.com, office apps, etc.
This is extremely important in an AADDS Windows Virtual Desktop scenario (where Microsoft Office is hosted as RemoteApps). To access Office, users will need to log in to WVD, then AGAIN into the RemoteApp host itself, and AGAIN into the Microsoft Office apps - all with the…
8 votes
AD and German Cloud
Provide Azure AD Domain Services for the German Cloud!!!!!
6 votes
Azure Domain Services Allow DHCP Authorization
Could you grant AAD DC Administrators DHCP authorization rights so we can set up a DHCP server on a non-domain server and still have it register with DNS / AD records?
Currently this is blocked.
6 votes
Allow the creation of more than one Managed Domain on different subscription.
The idea of replacing our IaaS DC servers with managed domains is great, but how can we not create a second domain if we have different subscriptions, i.e. different VNets with no communication between them??
5 votes
Implement Domains and Trusts from ADDS to on premise AD
After you have deployed ADDS you may want to complete a domain trust to an existing on-premises domain. This is currently not possible, but it would be great if it were released, as this is a blocker for organisations.
5 votes
group policy ad domain services
As part of Azure AD Domain Services -> all new group policies to be made
Allow files to be uploaded to NETLOGON folder.
4 votes
I changed the attribute to "not set" in Azure AD but the attribute doesn't sync to Azure ADDS.
When I update the attributes, I can see the updated values on the Azure ADDS.
However, if I delete the value of an attribute (= update with not set), the value is not changed. Please correct this behavior.
3 votes
We have begun work on fixing this; the proposed change will support clearing attributes.
Erin Greenlee
Program Manager
IAM Core | Domain Services
Support for Kerberos authentication security events
The idea behind this is to enable the Kerberos Authentication Service event from the Azure AD domain controller to get Network Information and Account Information from the computers connected to Azure AD Domain Services: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
In a Microsoft Active Directory, we could easily get event ID 4768 when a computer in the domain needs to authenticate to the DC, typically when a workstation boots up or a server restarts. But in Azure AD DS we could not get this event, even after enabling the security audits: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/security-audit-events
Event ID 4768 is not listed under the Account Logon security event lists …
2 votes
add GC port 3269 to AD-DS created LB
Hi,
right now we can't access port 3269 (Global Catalog) of our AD-DS service.
After opening it in the NSG and modifying the LB, it only stays open for hours. The LB gets overwritten every now and then.
Request: Add an LB rule for 3269 to the auto-create script of AD-DS. Customers can still control access to this via the NSG.
2 votes