Azure Active Directory
Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premises AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premises.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end users. Dynamic Groups in Azure AD as of today don't have support for "Member Of" or similar, hence don't solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
2,412 votes
We're currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups add. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we'd like for you to stack rank, with #1 being the top priority for you. We thank you for the continued comments and feedback.
Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups
-
Find and Replace Claims Transformation Function
When customizing the claims issued in the SAML token by Azure AD for single sign on, there should be a claims transformation rule that allows for a Find and Replace transformation. For example:
If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.
38 votes
We have enabled a contains() function. We will be working on the capability to Replace().
/Luis
-
BUG: Unable to Delete an Application's AppRole
Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".
When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools (see first attached image).
After reloading the Edit manifest screen the isEnabled property is still true, and if you look at the PUT response in the browser's developer tools, it's coming back as true there too (see second attached image).
27 votes
Thanks for reporting this!
I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.
For now, there are two options to work around this:
1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697
2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
/ Philippe Signoret
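The two-step workaround described in the response above (disable the role, then write back the role list without it), as an added PowerShell example. This is not the StackOverflow script linked above; it assumes the AzureAD PowerShell module, an application object ID and a role display name of your own, and the Microsoft.Open.AzureAD.Model.AppRole type that the module returns.

```powershell
# Added example, not Microsoft's or the linked answer's own code.
# Assumes the AzureAD module (Install-Module AzureAD) and an existing session.
Connect-AzureAD

$appObjectId  = "<application object id>"   # assumption: object ID of your Application (not the app ID)
$roleToRemove = "Reader"                     # assumption: display name of the app role to delete

$app      = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
$role     = $appRoles | Where-Object { $_.DisplayName -eq $roleToRemove }
if (-not $role) { throw "App role '$roleToRemove' not found on application $appObjectId" }

# Step 1: disable the role in place and save. Azure AD rejects deletion of an
# enabled role ("Property value cannot be deleted unless it is disabled first"),
# so this write must succeed before the removal is attempted.
$role.IsEnabled = $false
Set-AzureADApplication -ObjectId $appObjectId -AppRoles $appRoles

# Step 2: re-read the application so we work from what the service actually
# stored, then write back every role except the disabled one.
$app = Get-AzureADApplication -ObjectId $appObjectId
$remaining = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]'
foreach ($r in $app.AppRoles) {
    if ($r.Id -ne $role.Id) { $remaining.Add($r) }
}
Set-AzureADApplication -ObjectId $appObjectId -AppRoles $remaining

# Verify: the removed role should no longer be listed.
(Get-AzureADApplication -ObjectId $appObjectId).AppRoles |
    Select-Object DisplayName, Id, IsEnabled
```

Before running step 2, check who is still assigned the role (Get-AzureADServiceAppRoleAssignment on the corresponding service principal) and remove those assignments deliberately, rather than relying on the role's disappearance to revoke access. The typed list is used so that removing the last role still sends a well-formed empty appRoles collection instead of $null.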
-
Allow User Consent per Scope
Provide option to allow admins to control which scopes the user can consent to, rather than the blanket disable available currently in "User settings".
Primarily this would be helpful to allow users to consent to apps that only require access to "Sign in and read user profile" (User.Read) for SSO purposes but not scopes that potentially contain sensitive company data.
18 votes
We have started the work on this capability. I'll share more information about the ETA as we get closer to a public preview. Current ETA is by end of April.
Thanks,
Luis
-
Allow Directory Extensions as claim in SAML Token
This idea is essentially a re-post of https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32988082-support-directory-extensions-as-saml-token-attribu which was incorrectly marked as completed as the response given didn't address the issue whatsoever.
If you create a directory extension attribute there doesn't seem to be a way to include it as a claim (i.e. set the value to 'user.mycustomextension') when configuring the SAML Token Attributes for an application. I have tried specifying the full extension attribute name, however it becomes wrapped in quotation marks and is sent as a string literal instead (see screenshot).
I have found that you can include a directory extension attribute as an optional claim in the…
15 votes
We have work in progress to enable directory extension attributes from the Enterprise apps UI. You can use PowerShell to get unblocked: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping
In the comments, Ross has shared a link to a forum where you can find the exact policy.
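The PowerShell route the response points to, as an added example (not the policy from the linked docs or from the forum comment): a claims mapping policy that emits a directory extension attribute as a SAML claim, attached to the enterprise app's service principal. It assumes the AzureAD PowerShell module, a directory extension you have already registered (full name of the form extension_<appId>_<attributeName>), and a claim type URI and enterprise app display name of your own.

```powershell
# Added example, not Microsoft's documentation sample.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
Connect-AzureAD

$extensionId = "extension_<appId>_<attributeName>"   # assumption: your directory extension's full name
$spName      = "Contoso SAML App"                    # assumption: display name of the enterprise app
$claimType   = "http://schemas.contoso.com/identity/claims/customext"   # assumption: claim name the SP expects

# ClaimsSchema entry: Source "user" plus ExtensionID selects a directory
# extension rather than a built-in user property.
$definition = @"
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "user",
        "ExtensionID": "$extensionId",
        "SamlClaimType": "$claimType"
      }
    ]
  }
}
"@

$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "Emit $extensionId as SAML claim" `
    -Type "ClaimsMappingPolicy"

$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$spName'"
if (-not $sp) { throw "Service principal '$spName' not found" }

# A service principal carries at most one claims mapping policy; attach ours.
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify the policy is now linked to the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Id, Type
```

Two caveats worth checking before testing sign-in: an app that still uses the tenant's default signing key will not issue tokens with mapped claims unless acceptMappedClaims is set to true in its application manifest (or a custom signing key is configured), and a claim sourced from an attribute that end users or low-privileged admins can write should not be used by the relying party for authorization decisions.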
-
Managed Whitelist of Enterprise Applications
Please provide facility to whitelist which 3rd party applications are 'approved'.
Ideally this would be more than just single 'bit' of information, and allow multiple lists - for example, a whitelist for 'regular company business' and another for TOPSECRET, to be integrated with other parts of the azure framework, such as being used in Conditional Access Policy and the EMS E5 features.
Currently OAuth consent by any user will automatically register an application and this cannot be disabled. Blacklist is possible, but whitelist is not without completely removing ability for users to manage their own consent, which is undesirable from…
9 votes
We have started work on this feature. For an initial release, we're thinking of allowing admins to select the set of permissions users will be able to consent to.
-
Service Principals are so broken from a UI standpoint. Needs to be redone.
Here is a link to the official documentation, notice how it is like 200 steps:
This is HORRIBLE guys. On Amazon, to grant API access to something it is one click - Generate API Key.
I wasted 20 minutes trying to follow above steps. Guess what - at the end, it still doesn't work. Awesome! Now I get to debug your broken system for you instead of being productive.
Can you please either:
- Get rid of Service Principals (please shoot it), and just add a Generate API key command to replace it.
- Add Generate API Key as an alternative…
3 votes
Hi, we are in the process of revamping the app registration process.
/ Arvind
-
Filter Source Object Scope when Provisioning Enterprise Application
Is there the ability to reduce the scope of user objects provisioned to an enterprise application? We only want to provision a few accounts to test connectivity and in future do not want to synchronise our entire Azure AD to the application (See attached greyed out 'Source Object Scope')
2 votes
Work is in progress here.
/Arvind