Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

    A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
    Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

    Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

    Adding nested groups to Azure AD would add a lot of value to Azure AD.

    1,900 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    407 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.

    Use case A: nested group in a cloud security group inherits apps assignment
    Use case B: nested group in a cloud security group inherits license assignment
    Use case C: nesting groups under Office 365 groups

  2. Allow the use of all user attributes for SAML token attributes

    We are developing a POC to have Cisco WebEx and Jabber integrate directly with Azure AD. Authentication works just fine. However, when there is a change to a user's profile in Active Directory, say title or phone number, in order for that change to update in WebEx or Jabber the "whenChanged" attribute needs to be sent as "updateTimeStamp" in the SAML token. "whenChanged" cannot be extended as a Directory Extension so maybe use of the "LastDirSyncTime" attribute in Azure would be a suitable replacement. Also, it would be beneficial to also allow the use of the "mobilePhone" Azure attribute in…

    86 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  3. Add group as owner on Azure AD Application and Service Principal

    When managing Application and Service Principal objects in Azure Active Directory, it's difficult to provide granular access controls.

    Azure currently supports adding "Users" as Owners through the Azure Portal, and we can also assign other "Service Principals" as Owners using PowerShell (or by creating the new SPN with an existing SPN), however it's not possible to add a Group.

    When you try to do this, you get the following error message:

    #

    PS C:&gt; Add-AzureADApplicationOwner -ObjectId <removed> -RefObjectId <removed>
    Add-AzureADApplicationOwner : Error occurred while executing AddApplicationOwner
    Code: RequestBadRequest
    Message: The reference target 'Group
    <removed>' of type 'Group' is invalid…

    81 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  4. Find and Replace Claims Transformation Function

    When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:

    If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.​

    27 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  5. BUG: Unable to Delete an Application's AppRole

    Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".

    When I set the isEnabled property to false and then hit save, I get a successful saven with a 200 OK looking at the browsers developer tools (See first attached image).

    After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browsers developer tools, it's coming back as true there too (See second attached image).

    27 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for reporting this!

    I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.

    For now, there are two options to work around this:

    1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697

    2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).

    / Philippe Signoret

  6. Azure AD Applications - Needs


    • Allow applications in Azure AD to be organised into folders so business units who work in this space can 'claim' applications.

    • Provide the ability to rename applications or application instances once created.

    • Provide visbility of what user created an application.

    • Provide the ability to 'lock' applications from being accidently deleted.

    • Deletion of applications requires X global admins to approve, at the moment a rogue admin could destroy an SSO setup for an entire company in minutes...

    24 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback, some of the suggestions are already available:

    - Ability to rename applications
    - Provide visibility of what users created an application: You can use audit activity reports: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-audit-logs

    Regarding the other suggestions, I’ll update this once it’s a planned feature. In the meantime, keep the voting coming so we can prioritize this higher.

    /Luis
    Program Manager

  7. SAML SSO, pass Restricted Claims

    It would be good if you could specify a restricted claim to be passed to the relying party such as isCompliant etc if a user is on a managed device. Clearly these claims should not be modifiable.

    22 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  8. Allow User Consent per Scope

    Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".

    Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow Directory Extensions as claim in SAML Token

    This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.

    If you create a directory extension attribute there doesn't seem to be way to include it as a claim (ie. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).

    I have found that you can include a directory extension attribute as an optional claim in the…

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add some more fields to the App Registration

    When adding an app to the app registration there should be additional fields to capture metadata about the app like a description and some other fields. Or If you could implement the Tags features around the App Registration that would work as well.

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  11. Custom error messages per SaaS App and tenant-wide also

    It would be really awesome, if Microsoft would provide developers with an option to provide custom error messages per Azure AD SaaS Apps and Global Admin to define some tenant-wide custom error messages as well. The error messages provided from Microsoft is not especially user-friendly or customer specific yet. This creates some confusions among internal and B2B users.

    I hope this would be taken into considerations like the Azure Conditional Access custom error messages.

    /Peter Selch Dahl
    Azure MVP

    Also see these related request:

    Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application:
    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6795635-fix-error-aadsts50020-when-logged-in-user-doesn-t

    Customize error…

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    We don’t plan to provide the capability to customize the error message for now. But, we have been working on making the error messages more actionable.

    If you have any suggestions for improving an specific error message. Please create another post and the team will improve it.

    /Luis
    Program Manager

  12. Support claims transformation on user.assignedroles

    I can't apply a claim transformation method to the source attribute user.assignedroles or any multi value.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  13. Better governance for SaaS apps (App Registration description)

    Azure App Registration needs some kind of better governance. The amount of applications is exploding within companies with all kind of apps all ranging from breakfast to compliance applications. Microsoft needs to add some some extra property fields that can be used for description of the application purpose, but also a field that can be used for service management. I do not think that a Azure Tag would be sufficient. It must be some kind of value that can be set on the application.

    Reference:
    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13102086-azure-ad-applications-needs

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  14. Force Azure AD to verify the signature in the SAML request

    Enable optional SAML request signature when federating with a SAML 2.0 IDP

    SAML Authn request from AAD to a third party SAML 2.0 IDP are not signed. This leaves the third party IDP open to DoS attacks on their credential repository.

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the feedback.

    We would like to hear why you absolutely need this option before you move to Azure AD.

    Azure AD accepts a signed SAML request; however, it will not verify the signature. Azure AD has different methods to protect against malicious calls. For example, Azure AD uses the reply URLs configured in the application to validate the SAML request. Azure AD will only send a token to reply URLs configured for the application.

  15. Add support for Chrome OS

    We need users access Exchange only from Android and iOS. In Conditional Access rule, "Any device" is selected and grant access only if user access from "Approved Client App". But users are able to access email from Outlook in Chrome OS. As per Microsoft, neither conditional access nor Approve app support Chrome OS. So users are able to access emails from Chrome OS.

    Can Chrome OS support be added as part of Conditional Access rule? This is a major security threat for us as we are finance.organization.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  16. IDP-Initiated SAML flow option for all gallery applications

    Gallery integration for some SaaS applications (such as ServiceNow) use SP-Initiated sign-in flows. This makes ADFS -> Azure AD "migrations" for customers difficult as there is no way to validate the user experience without making Azure AD the default SSO provider. Additionally, some customers rely on just-in-time SAML provisioning, which is seamless with IDP-Initiated flow.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    unplanned  ·  1 comment  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  17. Managed Whitelist of Enterprise Applications

    Please provide facility to whitelist which 3rd party applications are 'approved'.

    Ideally this would be more than just single 'bit' of information, and allow multiple lists - for example, a whitelist for 'regular company business' and another for TOPSECRET, to be integrated with other parts of the azure framework, such as being used in Conditional Access Policy and the EMS E5 features.

    Currently OAuth consent by any user will automatically register an application and this cannot be disabled. Blacklist is possible, but whitelist is not without completely removing ability for users to manage their own consent, which is undesirable from…

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  18. Engage Approval process when attempting to use the app directly

    Please can we initiate the approval process at the application level, not just when being added into the application portal (myapps)?

    An example. draw.io has been configured to require authentication and assignment. A user goes to draw.io and logs in with their Office365 account. They see a user-unfriendly error message as below: -

    [OneDriveSDK Error] errorType: badResponse, message: AADSTS50105:+The+signed+in+user+is+not+assigned+to+a+role+for+the+application+'01234567-89ab-cdef-0123-56789abcdef0'. Trace+ID:+01234567-89ab-cdef-0123-56789abcdef0 Correlation+ID:+01234567-89ab-cdef-0123-56789abcdef0 Timestamp:+2000-01-01+00:00:00Z

    Instead - I would want the application to prompt with the same approval process notification/initiator that is seen when attempting to add the app via MyApps.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →

    First, we’re working to allow end-users to request Admins to consent to an application that requires Admin permissions.

    As a next step for this feature, we’re considering to add other scenarios like this one where user assignment is required.

    Please keep voting to help us prioritize

    /Luis

  19. Adding the managedBy attribute to the ServiceNow API for Group Provisioning

    Would it be possible to add a mapping for the Active Directory Group attribute managedBy and map it to the ServiceNow attribute Manager? I have been in contact with Premier Support under case # [REG:216032413880333001] SaaS group provisioning manager attribute missing regarding this request.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  2 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  20. Rename Azure AD Application "Office 365 Exchange Online" to "Outlook"

    Users with Office 365 license when accessing myapps.microsoft.com do not understand that in order to open "Outlook Web App" they should use "Office 365 Exchange Online" icon. Please rename Azure AD Application "Office 365 Exchange Online" to "Outlook" or "Outlook Web App".

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5
  • Don't see your idea?

Feedback and Knowledge Base