Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

How can we improve Azure Active Directory?

• SSO / Sign in to Azure via Google Apps IDP

  We'd like to enable our users for lots of Azure services (incrementally), starting with some RemoteApp services. We do *not* want to move user authentication to Azure AD (users have lots of complex Google Apps logins, with 2-Factor and U2F Keys).

  Is there an easy way for us to enable Google Apps as an IdP in Azure AD?

  Like, can we copy user profiles from Google Apps -> Azure, and on login attempt, redirect to the Google Apps sign in screen?

  65 votes
  6 comments  ·  SaaS Applications

• SAML claims more customizable

  It would be nice if the SAML claims were customizable by using regular expressions and custom C# code (like API manager policies).
  For example, I would like to create a new custom claim by executing some custom logic on User and User groups data.

  For example, at the moment it is not possible to return the user group names in the SAML response. I would like to add a custom claim (say groupList) in which I can aggregate (comma separated) all the group names the user is a member of.

  48 votes
  9 comments  ·  SaaS Applications

• Allow the use of all user attributes for SAML token attributes

  We are developing a POC to have Cisco WebEx and Jabber integrate directly with Azure AD. Authentication works just fine. However, when there is a change to a user's profile in Active Directory, say title or phone number, in order for that change to update in WebEx or Jabber the "whenChanged" attribute needs to be sent as "updateTimeStamp" in the SAML token. "whenChanged" cannot be extended as a Directory Extension, so maybe use of the "LastDirSyncTime" attribute in Azure would be a suitable replacement. Also, it would be beneficial to allow the use of the "mobilePhone" Azure attribute in…

  30 votes
  0 comments  ·  SaaS Applications

• 26 votes
  0 comments  ·  SaaS Applications

• SCIM defects

  1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
  As per https://tools.ietf.org/html/rfc7644#section-1.3, the resource relative paths (e.g. /Users) need to be appended to the configured Base URI.
  Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.

  2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no…

  22 votes
  5 comments  ·  SaaS Applications

• Azure AD Applications - Needs

  - Allow applications in Azure AD to be organised into folders so business units who work in this space can 'claim' applications.
  - Provide the ability to rename applications or application instances once created.
  - Provide visibility of what user created an application.
  - Provide the ability to 'lock' applications from being accidentally deleted.
  - Deletion of applications requires X global admins to approve; at the moment a rogue admin could destroy an SSO setup for an entire company in minutes...

  16 votes
  2 comments  ·  SaaS Applications

  Thank you for your feedback, some of the suggestions are already available:

  - Ability to rename applications
  - Provide visibility of what users created an application: You can use audit activity reports: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-audit-logs

  Regarding the other suggestions, I’ll update this once it’s a planned feature. In the meantime, keep the voting coming so we can prioritize this higher.

  /Luis
  Program Manager

• Workday to AAD/AD provisioning query scope

  Workday to AD/AAD provisioning
  Please add the ability to scope the query passed to the get_workers API. For instance, pass to get_workers company=schoolA.
  Workday is now implementing shared tenants in the EDU space. In a shared tenant, the current query to get_workers pulls all workers and then allows scoping, but the worker data for all schools has to be pulled before it can be scoped. The result is AAD audit logs saturated with other schools' employee data. We also need to be able to control audit data written to Azure activity logs, or at least be able to clear the provisioning logs.

  14 votes
  0 comments  ·  SaaS Applications

  Hi, we are working on pulling the provisioning events out of the audit logs so that they are easier to manage. I’ll reach out to people internally about being able to set the scope to a particular school.

  / Arvind

• Default 'approval required' method for apps (new/unused)

  Please can we have a global catchall for all new or previously unused applications that link to Office365 accounts/resources?

  An example: draw.io has not yet been used and therefore there is no enterprise app to configure in Azure AD.
  On first attempt to log in to draw.io with an Office365 account, an approval request should be sent to the Office365 administrators to review the application and the permissions/access it requires.
  Then the enterprise app can be configured accordingly, utilising Self-Service, assignment and approvals as deemed necessary.

  12 votes
  2 comments  ·  SaaS Applications

  Thank you for the feedback. We have this feature in our backlog. I’d like to understand the specific scenarios that are driving this request. Please let me know if you have 20 minutes to chat about it.

  /Luis

• Do you know if the connector can update an Employee's Username in Workday?

  Our client is planning on using email address as the Username in Workday, which also drives the SSO. The issue is: let's say John Doe is hired in Workday and gets assigned John.doe@xyz.com. The new hire flows across to Active Directory and AD says that email is already in use and it needs to be updated to John.Doe1@xyz.com. We are using the Azure connector where the Azure app is able to update the worker's work contact information. Not sure if the Azure app has the ability to update the Username attribute in the Workday account.

  9 votes
  2 comments  ·  SaaS Applications

  Hello,

  This scenario is not currently possible with the Workday writeback connector. We’re evaluating solutions but it’s not planned yet.

  Keep voting to help us prioritize.

  Thanks,
  Luis

• Enhanced AAD Support for SAP SuccessFactors

  Hi

  SAP SalesForce (SF) is pre-integrated with AAD, but SalesForce is comprised of numerous applications (HR modules). It would be nice if AAD conditional access, user provisioning and MFA rules could be applied differently based on the SF applications.

  1. MFA: It would be helpful if AAD supported MFA for SAP SuccessFactors by SuccessFactors module, e.g. the ability to force MFA for the Performance Management & Goals application, but not force MFA for the Learning Management System (Training) application.

  2. User Provisioning: It would be helpful if AAD supported automated user (de)provisioning of accounts in SAP SuccessFactors, again based on SF application.

  Take…

  8 votes
  0 comments  ·  SaaS Applications

• Engage Approval process when attempting to use the app directly

  Please can we initiate the approval process at the application level, not just when being added into the application portal (myapps)?

  An example: draw.io has been configured to require authentication and assignment. A user goes to draw.io and logs in with their Office365 account. They see a user-unfriendly error message as below:

  [OneDriveSDK Error] errorType: badResponse, message: AADSTS50105:+The+signed+in+user+is+not+assigned+to+a+role+for+the+application+'01234567-89ab-cdef-0123-56789abcdef0'. Trace+ID:+01234567-89ab-cdef-0123-56789abcdef0 Correlation+ID:+01234567-89ab-cdef-0123-56789abcdef0 Timestamp:+2000-01-01+00:00:00Z

  Instead, I would want the application to prompt with the same approval process notification/initiator that is seen when attempting to add the app via MyApps.

  7 votes
  1 comment  ·  SaaS Applications

• Allow user folder provisioning for Box upon user assignment in Azure ADP

  We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately, due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.

  One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.

  We would like…

  7 votes
  1 comment  ·  SaaS Applications

• Support for Workday "Integration System" custom attributes

  Sourced from https://github.com/MicrosoftDocs/azure-docs/issues/21671

  Adjust Workday web service call (get_workers) by adding a reference criteria call

  As an AD Admin, I would like the Azure AD Workday connector to support "integration system" attributes which are retrieved through special modification to the Get_Workers() API call.

  It would be beneficial if the web service call for workers could be adjusted to call another integration to get values that the normal API call won't get.
  Example: Some values needed or recommended for provisioning might be part of custom objects or derived from other objects in Workday.
  What I propose is that you at least…

  6 votes
  0 comments  ·  SaaS Applications

• Support synchronization and modification of binary attributes

  Add support for the synchronization of binary attributes within the Azure AD provisioning / sync system.

  Example: The Workday to AAD or ADDS integration allows you to extend the attribute list (e.g. photo). AAD is able to receive that attribute but won't be able to sync it to AAD or ADDS due to size limitations on the photo attributes (<100k).

  In the best case, provide us with a function which can be used in an expression of the attribute mappings. Possible ways: 1) photo specific function which allows you to provide pixel height and/or width (if only one is specified the…

  6 votes
  0 comments  ·  SaaS Applications

• Option to enforce authentication every time you access a SSO app (e.g. SaaS app)

  Add an option to enforce authentication every time you access a SSO app (e.g. SaaS):
  - Option could be possible per app
  - Option could be 1) re-enter password (ignore SSO) 2) guaranteed MFA prompt (ignore MFA token)

  Use case:
  Shared PCs, personal logins, SaaS app has sensitive payroll data. Concern: people don't log off -> anyone can walk to the PC and get into the SaaS app via SSO. As of now even MFA doesn't help due to the MFA token or Windows Hello strong auth. You could only play with token life-time.

  6 votes
  1 comment  ·  SaaS Applications

• Azure AD needs to support SAML token encryption

  Support SAML token encryption for SSO. This is a requirement for all applications meeting FedRAMP moderate controls, which align to the Federated Authentication Levels outlined in NIST 800-63C.

  https://www.fedramp.gov/assets/resources/documents/CSP_Digital_Identity_Requirements.pdf

  https://pages.nist.gov/800-63-3/sp800-63c.html

  5 votes
  0 comments  ·  SaaS Applications

• Rename Azure AD Application "Office 365 Exchange Online" to "Outlook"

  Users with an Office 365 license, when accessing myapps.microsoft.com, do not understand that in order to open "Outlook Web App" they should use the "Office 365 Exchange Online" icon. Please rename the Azure AD Application "Office 365 Exchange Online" to "Outlook" or "Outlook Web App".

  5 votes
  0 comments  ·  SaaS Applications

• Workday trigger delta sync

  The ability to trigger a delta sync in the Workday provisioning application would be helpful during development of the connector as well as for emergency scenarios. In addition, the ability to change the sync interval (15 min afaik) to something different.

  4 votes
  0 comments  ·  SaaS Applications

• Custom error messages per SaaS App and tenant-wide also

  It would be really awesome if Microsoft would provide developers with an option to provide custom error messages per Azure AD SaaS App, and Global Admins with the option to define some tenant-wide custom error messages as well. The error messages provided by Microsoft are not especially user-friendly or customer specific yet. This creates some confusion among internal and B2B users.

  I hope this would be taken into consideration like the Azure Conditional Access custom error messages.

  /Peter Selch Dahl
  Azure MVP

  Also see these related requests:
  ---------------------------------------------------------------------

  Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application:
  https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6795635-fix-error-aadsts50020-when-logged-in-user-doesn-t

  Customize…

  4 votes
  0 comments  ·  SaaS Applications

  We don’t plan to provide the capability to customize the error message for now. But we have been working on making the error messages more actionable.

  If you have any suggestions for improving a specific error message, please create another post and the team will improve it.

  /Luis
  Program Manager

• IDP-Initiated SAML flow option for all gallery applications

  Gallery integration for some SaaS applications (such as ServiceNow) uses SP-Initiated sign-in flows. This makes ADFS -> Azure AD "migrations" for customers difficult, as there is no way to validate the user experience without making Azure AD the default SSO provider. Additionally, some customers rely on just-in-time SAML provisioning, which is seamless with the IDP-Initiated flow.

  4 votes
  unplanned  ·  0 comments  ·  SaaS Applications