Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Keep SSO user Signed in into JIRA

    When a user closes the web browser after signing in through the Azure AD SSO plug-in for JIRA, the user is shown the JIRA login screen again; however, he is still logged in to Azure AD/Office 365. This requires the user to click the Azure AD sign-in button again. The user is then signed in to JIRA instantly.
    Is it possible to keep the user logged in to JIRA after closing the browser window, as he keeps his logged-in state in Azure AD?

    4 votes
    0 comments  ·  SaaS Applications
  2. Application Roles UI

    Support the assignment of multiple application roles to users via the new portal. In the classic portal you can only assign a single application role to a user (and have to use the API to assign more).

    4 votes
    0 comments  ·  SaaS Applications
  3. Support different Workday datacenters in federation

    Hello everyone, right now the Workday federation only works if your Workday solution is hosted out of their west coast data center. As a European company our data will never be there, can we push to get federations to the other data centers, especially Dublin, please?

    4 votes
    0 comments  ·  SaaS Applications
  4. Add SCIM to support UserType field in Scoping Filter

    If AAD UserType field was available in SCIM Scoping Filter, it would be easy to filter out all guest users from the scope of synchronization.

    3 votes
    0 comments  ·  SaaS Applications

    Hi we will review.

    One option to consider is to set the filter to filter out specific domains that guest users are coming from. You could also control who is provisioned based on groups that users are assigned to.

    That being said, the need to scope on user type makes sense.

  5. We would like to have an advanced claim transformation process to simplify the configuration of AWS app integrations

    For the integration of AWS with Azure SSO, we need to send the AWS account and role information via the claim "https://aws.amazon.com/SAML/Attributes/Role", which will be used for authentication on the AWS side. For our scenario, we create a separate role in AWS for each user and want to generate the role claim based on the user's mail address.

    The transformation of the claim should work like:
    1.) Extract the mail prefix from the user with ExtractMailPrefix()
    2.) Execute on the value from 1.) a tolowercase()
    3.) Use the value from 2.) in a Replace transformation

    The result should look like…

    3 votes
    0 comments  ·  SaaS Applications
  6. Password based SSO - support multiple app profiles per user

    The Password based SSO solution does not allow for multiple app profiles.
    Eg use case:
    Digital Marketing team supports multiple brands, and requires access to multiple accounts within the same social platform, like facebook.com.

    A single user or group can be assigned multiple Password based SSO Apps.
    User installs PlugIn in Chrome or IE or FireFox.
    User navigates to facebook.com url and there is no auto sign in. - ok
    User goes to MyApps portal and clicks Brand A Facebook app. - User is signed in.
    User does what they need to do and then change accounts.
    They click to…

    3 votes
    0 comments  ·  SaaS Applications
  7. Service Principals is so broken from a UI standpoint. Needs to be redone.

    Here is a link to the official documentation, notice how it is like 200 steps:

    https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal

    This is HORRIBLE guys. On Amazon, to grant API access to something it is one click - Generate API Key.

    I wasted 20 minutes trying to follow above steps. Guess what - at the end, it still doesn't work. Awesome! Now I get to debug your broken system for you instead of being productive.

    Can you please either:


    • Get rid of Service Principals (please shoot it), and just add a Generate API key command to replace it.

    • Add Generate API Key as an alternative…
    3 votes
    0 comments  ·  SaaS Applications
  8. Provisioning connector to Dashlane

    Dashlane is a cloud-based password management solution that supports SAML 2.0: https://support.dashlane.com/hc/en-us/articles/212111089. Would it be possible to add it to the App Gallery?

    3 votes
    1 comment  ·  SaaS Applications
  9. AzureAD custom developed apps appRoles management UI

    Currently, Azure AD appRole claims for custom developed apps are managed differently within the portal UI.

    appRoles declared as "user" on a custom developed app are managed through User/Group, while appRoles declared as "Application" are managed through configuration/Permissions.

    3 votes
    1 comment  ·  SaaS Applications
  10. Allow group for admin consent requests (Enterprise applications)

    I know admin consent requests are still in preview, but maybe this will help to get a better GA version:

    Currently, if you configure admin consent requests for enterprise apps, you can only add user accounts for review, that have the required role. Only accounts that have a required role assigned are being displayed. This sort of breaks a strategy of zero standing administrative privileges and zero standing access (which MS has successfully deployed themselves) in a customer environment.

    In my view, the best option would be to be able to add a distribution list or group for consent review…

    2 votes
    0 comments  ·  SaaS Applications
  11. *Workday to Azure AD UPN attribute our requirement is upn and email should create like this firstnamefirstletterandlastname@domain.com.au

    *Workday to Azure AD UPN attribute

    Our requirement is that the UPN and email should be created like this: firstnamefirstletterandlastname@domain.com.au
    For example:

    First name: Sam
    Last name: Dood
    UPN should look like this: sdood@domain.com.au
    With the help of an expression, it is created with no issue.

    The issue is that if we have a duplicate user and the UPN already exists in Azure AD, based on our expression the user is not provisioned. Not sure the expression is correct.
    We need to create the UPN based on this requirement: firstnamefirst2letterandlastname@domain.com.au

    For example, Samson Dood:
    First name: Samson
    Last name: Dood

    UPN should be created like this: sadood@domain.com.au

    Please provide…

    2 votes
    2 comments  ·  SaaS Applications
  12. Allow adding a suffix to the end of the email in the name identifier(nameID)

    Allow to add a suffix to the end of the email and send it as the name ID. For example:
     

    user@domain.com is the email, that is being sent as the nameID, but we need to add a suffix at the end, example "test", so Azure will send user@domain.com.test as the name identifier(nameID)

    We know that this is possible with AD FS using replace email suffix with new email suffix, and we need to have the same behavior in Azure AD. This is needed because we have multiple ORG at Salesforce and each ORG needs to use a unique email address…

    2 votes
    0 comments  ·  SaaS Applications
  13. workday-AAD please add support for sending email notifications after provisioning operations complete

    From the FAQ: "Does the solution support sending email notifications after provisioning operations complete?
    No, sending email notifications after completing provisioning operations is not supported in the current release."
    This would be useful as all of our current processes include emailing a few people per region a user is created in.

    2 votes
    0 comments  ·  SaaS Applications
  14. Workday to AD multiple domain support: Resolve manager references across domains

    As an AD Admin, when configuring Workday to Active Directory User Provisioning integration we would like the user provisioning service to resolve manager references across domains so that it supports the scenario where a user in one child domain and the user's manager is in another domain.

    2 votes
    0 comments  ·  SaaS Applications
  15. Support Chrome Credentials Passing API for SAML SSO

    Using Azure AD SAML SSO with G Suite, when logging into a Chrome OS device after completing the Azure AD sign in you need to enter your password in to a Chrome dialog. Google has an API available to SAML vendors to bypass this extra step: https://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices

    2 votes
    0 comments  ·  SaaS Applications
  16. Application Registration Portal - error when saving edited manifest with optionalClaims

    On apps.dev.microsoft.com I'm trying to edit a manifest to enable the optional "email" claim. I'm adding a block near the bottom of the manifest, and it looks valid:

    "optionalClaims": {
        "idToken": [
            {
                "name": "verified_primary_email",
                "essential": false
            }
        ]
    }

    Based on this reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

    but when saving I get:

    The request body contains unexpected characters/content for the specified content type and encoding.

    2 votes
    1 comment  ·  SaaS Applications
  17. We have a few non-gallery applications we would like to be added.

    We are a K-12 School District and cannot afford the Premium upgrade. The apps are:
    ez-proxy - https://www.oclc.org/en/ezproxy.html
    Frontlineeducation.com (Absence Management and Professional Growth)
    GoGuardian
    Schoolwires (part of Blackboard.com)

    2 votes
    0 comments  ·  SaaS Applications
  18. Azure AD->EnterpriseApp->All App->New App button is disabled

    Azure AD->EnterpriseApp->All App->New App button is disabled for normal user, it should give a warning that this feature is not available for a normal user or "You need to have Admin " permissions to enable this feature.

    2 votes
    0 comments  ·  SaaS Applications
  19. Filter Source Object Scope when Provisioning Enterprise Application

    Is there the ability to reduce the scope of user objects provisioned to an enterprise application? We only want to provision a few accounts to test connectivity and in future do not want to synchronise our entire Azure AD to the application (See attached greyed out 'Source Object Scope')

    2 votes
    0 comments  ·  SaaS Applications
  20. Amend the userprincipalname within a SAML Token Attribute

    A really useful feature would be to allow us to amend the userprincipalname (email address) before passing it (to an SaaS Application such as salesforce) as part of a SAML Token Attribute using the Single sign on connector with Azure AD.

    We currently have two instances of SalesForce/RemedyForce and we need our users to have logins into both but the logins need to be unique so I want to add .ds to the end of the userprincipalname in one of the instances but still allow them to use single sign on.

    I have been informed that it is not possible…

    2 votes
    0 comments  ·  SaaS Applications