Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

How can we improve Azure Active Directory?

  • SSO / Sign in to Azure via Google Apps IDP

    We'd like to enable our users for lots of Azure services (incrementally), starting with some RemoteApp services. We do *not* want to move user authentication to Azure AD (users have lots of complex Google Apps logins, with 2-Factor and U2F Keys).

    Is there an easy way for us to enable Google Apps as an IdP in Azure AD?

    Like, can we copy user profiles from Google Apps -> Azure, and on login attempt, redirect to the Google Apps sign in screen?

    65 votes  ·  6 comments  ·  SaaS Applications
  • SAML claims more customizable

    It would be nice if the SAML claims were customizable by using regular expressions and custom C# code (like API Manager policies).
    For example I would like to create a new custom claim by executing some custom logic on User and User groups data.

    For example, at the moment it is not possible to return the user group names in the SAML response. I would like to add a custom claim (say, groupList) in which I can aggregate (comma separated) all the group names the user is a member of.

    40 votes  ·  8 comments  ·  SaaS Applications
  • 26 votes  ·  0 comments  ·  SaaS Applications
  • Mapping orgUnitPath attributes for Google Apps while provisioning

    I configured Azure AD to provision users to Google Apps.
    Today I can customize attribute flow with the preview capability, but there is no orgUnitPath attribute of Google Apps to map. My customer is currently using organizational units in Google Apps to delegate administration rights to their subsidiaries, so they must use custom scripts or another identity management solution to manage users in Google Apps after implementing Azure AD provisioning capabilities.
    To improve the value of Azure AD, I believe that the capability to customize the target system's attributes is very important.

    19 votes  ·  2 comments  ·  SaaS Applications
  • Please make nested Groups for assigning groups to an app or app role possible!

    Why is this feature not already here after all those years of Azure AD? It's a "basic" feature in on-prem AD; why is it not in Azure?

    17 votes  ·  2 comments  ·  SaaS Applications
  • SCIM defects

    1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
    As per https://tools.ietf.org/html/rfc7644#section-1.3, the resource relative paths (e.g. /Users) need to be appended to the configured Base URI.
    Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.

    2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no…

    17 votes  ·  3 comments  ·  SaaS Applications
  • Azure AD Applications - Needs

    - Allow applications in Azure AD to be organised into folders so business units who work in this space can 'claim' applications.
    - Provide the ability to rename applications or application instances once created.
    - Provide visibility of what user created an application.
    - Provide the ability to 'lock' applications from being accidentally deleted.
    - Deletion of applications requires X global admins to approve; at the moment a rogue admin could destroy an SSO setup for an entire company in minutes...

    14 votes  ·  2 comments  ·  SaaS Applications

    Thank you for your feedback, some of the suggestions are already available:

    - Ability to rename applications
    - Provide visibility of what users created an application: You can use audit activity reports: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-audit-logs

    Regarding the other suggestions, I’ll update this once it’s a planned feature. In the meantime, keep the voting coming so we can prioritize this higher.

    /Luis
    Program Manager

  • Default 'approval required' method for apps (new/unused)

    Please can we have a global catchall for all new or previously unused applications that link to Office365 accounts/resources?

    An example: draw.io has not yet been used and therefore there is no enterprise app to configure in Azure AD.
    On first attempt to log in to draw.io with an Office365 account, an approval request should be sent to the Office365 administrators to review the application and the permissions/access it requires.
    Then the enterprise app can be configured accordingly - utilising Self-Service, assignment and approvals as deemed necessary.

    12 votes  ·  2 comments  ·  SaaS Applications

    Thank you for the feedback. We have this feature in our backlog. I’d like to understand the specific scenarios that are driving this request. Please let me know if you have 20 minutes to chat about it.

    /Luis

  • Allow the use of all user attributes for SAML token attributes

    We are developing a POC to have Cisco WebEx and Jabber integrate directly with Azure AD. Authentication works just fine. However, when there is a change to a user's profile in Active Directory, say title or phone number, in order for that change to update in WebEx or Jabber the "whenChanged" attribute needs to be sent as "updateTimeStamp" in the SAML token. "whenChanged" cannot be extended as a Directory Extension, so maybe use of the "LastDirSyncTime" attribute in Azure would be a suitable replacement. Also, it would be beneficial to allow the use of the "mobilePhone" Azure attribute in…

    11 votes  ·  0 comments  ·  SaaS Applications
  • Engage Approval process when attempting to use the app directly

    Please can we initiate the approval process at the application level, not just when being added into the application portal (myapps)?

    An example: draw.io has been configured to require authentication and assignment. A user goes to draw.io and logs in with their Office365 account. They see a user-unfriendly error message as below:

    [OneDriveSDK Error] errorType: badResponse, message: AADSTS50105:+The+signed+in+user+is+not+assigned+to+a+role+for+the+application+'01234567-89ab-cdef-0123-56789abcdef0'. Trace+ID:+01234567-89ab-cdef-0123-56789abcdef0 Correlation+ID:+01234567-89ab-cdef-0123-56789abcdef0 Timestamp:+2000-01-01+00:00:00Z

    Instead, I would want the application to prompt with the same approval process notification/initiator that is seen when attempting to add the app via MyApps.

    7 votes  ·  1 comment  ·  SaaS Applications
  • 7 votes  ·  0 comments  ·  SaaS Applications

    Hi,

    Thanks for the feedback, we have started the work to support UpperCase and LowerCase transformation for SAML claims.

    I’ll update this post once we have an ETA to share.

    Thanks,
    Luis

  • Allow user folder provisioning for Box upon user assignment in Azure ADP

    We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.

    One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.

    We would like…

    7 votes  ·  1 comment  ·  SaaS Applications
  • Enhanced AAD Support for SAP SuccessFactors

    Hi

    SAP SalesForce (SF) is pre-integrated with AAD, but SalesForce is comprised of numerous applications (HR modules). It would be nice if AAD conditional access, user provisioning and MFA rules could be applied differently based on the SF applications.

    1. MFA: It would be helpful if AAD supported MFA for SAP SuccessFactors by SuccessFactors module, e.g. the ability to force MFA for the Performance Management & Goals application, but not force MFA for the Learning Management System (Training) application.

    2. User Provisioning: It would be helpful if AAD supported automated user (de)provisioning of accounts in SAP SuccessFactors, again based on SF application.

    Take…

    7 votes  ·  0 comments  ·  SaaS Applications
  • Do you know if the connector can update an Employee's Username in Workday?

    Our client is planning on using email address as the Username in Workday, which also drives the SSO. The issue is: let's say John Doe is hired in Workday and gets assigned John.doe@xyz.com. The new hire flows across to Active Directory and AD says that email is already in use and it needs to be updated to John.Doe1@xyz.com. We are using the Azure connector where the Azure app is able to update the worker's work contact information. Not sure if the Azure app has the ability to update the Username attribute in the Workday account.

    5 votes  ·  1 comment  ·  SaaS Applications

    Hello,

    This scenario is not currently possible with the Workday writeback connector. We’re evaluating solutions but it’s not planned yet.

    Keep voting to help us prioritize.

    Thanks,
    Luis

  • Integrate JWT for Zendesk to work with Azure AD

    Currently, you can only integrate Zendesk with Azure AD through SAML. Azure AD supports JWT authentication; is there a way you can allow Zendesk to integrate with Azure AD using JWT?

    5 votes  ·  1 comment  ·  SaaS Applications
  • Rename Azure AD Application "Office 365 Exchange Online" to "Outlook"

    Users with an Office 365 license, when accessing myapps.microsoft.com, do not understand that in order to open "Outlook Web App" they should use the "Office 365 Exchange Online" icon. Please rename the Azure AD Application "Office 365 Exchange Online" to "Outlook" or "Outlook Web App".

    5 votes  ·  0 comments  ·  SaaS Applications
  • IDP-Initiated SAML flow option for all gallery applications

    Gallery integration for some SaaS applications (such as ServiceNow) uses SP-Initiated sign-in flows. This makes ADFS -> Azure AD "migrations" difficult for customers, as there is no way to validate the user experience without making Azure AD the default SSO provider. Additionally, some customers rely on just-in-time SAML provisioning, which is seamless with the IDP-Initiated flow.

    4 votes  ·  unplanned  ·  0 comments  ·  SaaS Applications
  • Support synchronization and modification of binary attributes

    Add support for the synchronization of binary attributes within the Azure AD provisioning / sync system.

    Example: The Workday to AAD or ADDS integration allows you to extend the attribute list (e.g. photo). AAD is able to receive that attribute but won't be able to sync it to AAD or ADDS due to size limitations on the photo attributes (<100k).

    In the best case, provide us with a function which can be used in an expression of the attribute mappings. Possible ways: 1) a photo-specific function which allows you to provide pixel height and/or width (if only one is specified the…

    4 votes  ·  0 comments  ·  SaaS Applications
  • Workday to OnPremise Sync with non Global Admin Account

    In the current configuration of the "Workday to Active Directory Provisioning" you are required to create an account in Azure with Global Admin permissions to be used by the onPremise agent. All changes made to Active Directory are made in the onPremise AD and not in Azure, and the permissions appear to be above the needed level in order to maintain our security delegation of the lowest level required to perform a task.
    Is there a solution to have the interaction between the onPremise Agent, Azure and Workday that does not require this level of permission?

    4 votes  ·  0 comments  ·  SaaS Applications
  • Option to enforce authentication every time you access a SSO app (e.g. SaaS app)

    Add an option to enforce authentication every time you access a SSO app (e.g. SaaS):
    - Option could be possible per app
    - Option could be 1) re-enter password (ignore SSO) 2) guaranteed MFA prompt (ignore MFA token)

    Use case:
    Shared PCs, personal logins, SaaS app has sensitive payroll data. Concern: people don't log off -> anyone can walk to the PC and get into the SaaS app via SSO. As of now even MFA doesn't help due to the MFA token or Windows Hello strong auth. You could only play with token lifetime.

    4 votes  ·  1 comment  ·  SaaS Applications