Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

How can we improve Azure Active Directory?

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow the User Admin role to Enable/Disable MFA for users

    Managing MFA settings for users seems to fit the scope of the User Admin role. I don't think this activity should require Global Admin access.

    503 votes
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)

      We’ll send you updates on this idea

      89 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

      This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.

    • Support for Hardware Token in Cloud hosted Multi-Factor Authentication

      If the MFA server supports hardware tokens, why can't the azure hosted MFA support it ?!
      Please add this feature.

      249 votes
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        Signed in as (Sign out)

        We’ll send you updates on this idea

        50 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
      • PowerShell and Graph API support for managing Multi-Factor Authentication

        Currently, the only available option to automate Azure MFA administration appears to be the MSOnline PowerShell module, released back in 2015.

        The MSOnline module's Set-MsolUser and Get-MsolUser cmdlets allow administrators to enable and disable MFA on a user object using PowerShell scripts.

        Alas, the MSOnline module itself does not support MFA when connecting to Azure AD. Administrators hoping to make use of the MSOnline module cannot have MFA enabled on their accounts. In short, for an admin to manage MFA with PowerShell, the admin's account can't be protected by MFA.

        The new AzureAD and AzureADPreview PowerShell modules support connecting to…

        98 votes
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          Signed in as (Sign out)

          We’ll send you updates on this idea

          16 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
        • Provide support for YubiKey / FIDO as the MFA

          Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.

          https://www.yubico.com/about/background/fido/

          98 votes
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            Signed in as (Sign out)

            We’ll send you updates on this idea

            12 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
          • 97 votes
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              Signed in as (Sign out)

              We’ll send you updates on this idea

              13 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
              under review  ·  Anonymous responded

              Please provide more details. DirectAccess is an on-premises technology and as such may not fall into Azure Active Directory.

            • Add MFA support to Secure the Windows 10 logon

              Creating a way to secure the Logon to a Windows 10 workstation with MFA would then remove much of the complexity required to secure all the applications installed upon it (such as DA etc).

              This would need to have the ability to store offline logins somehow which is possible with RSA SecurID.

              It would and the final touches to a really great solution.

              72 votes
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                Signed in as (Sign out)

                We’ll send you updates on this idea

                7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
              • Automatically enable MFA for all members of an Azure AD Group.

                Add the ability to automatically enable MFA for all members of an Azure AD group as they are added, in addition ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

                42 votes
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  Signed in as (Sign out)

                  We’ll send you updates on this idea

                  7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

                  Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
                  We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

                  Richard

                • Allow User Account Administrator to enable MFA for users, not require global admin

                  A best practice is to limit the number of global admins, yet a global admin is required to enable MFA for users. This should be allowed in the User Account Administrator role to enable MFA for users.

                  39 votes
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    Signed in as (Sign out)

                    We’ll send you updates on this idea

                    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

                    We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA.

                  • phone factor

                    Surface/expose Azure MFA (Phone Factor) attribute data in GRAPH to facilitate API-based manipulation and mitigate some of the current limitations in RBAC within "cloud only" deployments of the Azure MFA service.

                    34 votes
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      Signed in as (Sign out)

                      We’ll send you updates on this idea

                      6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

                      StrongAuthentication data can be read via PowerShell, but StrongAuthenticationUserDetails can’t be set via PowerShell. It is planned to expose the StrongAuthentication data via Graph, but no ETA to provide yet.

                    • Backup Codes for Azure MFA

                      Please add support for "Backup Codes" to Azure MFA as soon as possible. Many popular MFA services already support Backup Codes, basically a list of 10 valid authentication codes that a user can print off and use in situations where there regular authentication method is not available.

                      Use cases for backup codes include:

                      - User's mobile phone is lost, stolen, or damaged.
                      - User will be in an area with out good mobile phone service or consistent access to a land line.
                      - Users let's mobile phone battery drain..

                      33 votes
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        Signed in as (Sign out)

                        We’ll send you updates on this idea

                        6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

                        There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.

                        Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.

                        Richard

                      • Set Default Country Code in Azure MFA

                        When importing users from AD, if the country code isn't included in attribute Azure MFA will set the country code to +1(USA).
                        Can a feature be added to allow the default country code to be set a the global level. So that in our case we could set all number to default to +44(Great Britain) .

                        32 votes
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          Signed in as (Sign out)

                          We’ll send you updates on this idea

                          5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                        • Azure MFA synchronization between on premise and cloud

                          Hi. We are currently AAD Premium subscribers (via EMS) If I'm reading all current documentation correctly deploying a MFA server on premise would be completely independent of any Cloud based MFA registrations for O365 and other SSO apps. This results in a userbase needing to register with 2 different MFA servers and causing some confusion. It would be nice if the on premise MFA server could synchronize or even proxy requests to the cloud based MFA server so only 1 registration would be needed.

                          For example, user John Smith has 2FA turned on in the O365 cloud portal, and goes…

                          30 votes
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            Signed in as (Sign out)

                            We’ll send you updates on this idea

                            7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                          • User Opt-In to Azure MFA with Office 365

                            We have enabled MFA at our Office 365 tenant, but requires Admins to enable users. For organizations that would like to phase MFA in for their users, it would be nice for users to self opt-in sort of like they do with personal email accounts. Then over time, administrators can "require" MFA by a certain date for users holding out. One way to handle this is to include a link for the end user under user settings to "Sign up for Multi-Factor Authentication". Right now, nothing appears under a users security settings until they are enabled by an administrator. Thx!

                            28 votes
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              Signed in as (Sign out)

                              We’ll send you updates on this idea

                              10 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                            • Enable Flash SMS for MFA/Multi Factor Authentication

                              I'd like the possibility to use Flash SMS (http://en.wikipedia.org/wiki/Short_Message_Service#Flash_SMS) when sending one-way OTPs using Azure MFA / Multi-Factor Authentication.

                              26 votes
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                Signed in as (Sign out)

                                We’ll send you updates on this idea

                                4 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                              • Add company preferred MFA option

                                Company should have option to choose preferred option for MFA for users. For example, we allow Mobile Phone and App. But in onboarding, portal asks only for phone setup and not for app. Users complain about SMS codes, they do not find an App option in advance settings.

                                24 votes
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  Signed in as (Sign out)

                                  We’ll send you updates on this idea

                                  3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                                • Azure AD MFA enhancements

                                  Like to suggests a couple of enhancements to Azure MFA (not MFA server).

                                  Ability to pre-provision users at scale (send QR code to selected users via email, import mobile numbers to protected 'authentication contact info' area in users profile via PowerShell, etc.)

                                  Provide method for users to change MFA device or bypass MFA if device isn't available (security / secret questions in lieu of MFA, alternate email - personal, etc. )

                                  Provide administrators a method to bypass MFA for a user (one time bypass, bypass MFA for 'x' amount of time, provide temp code that will work for 'x' amount…

                                  23 votes
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    Signed in as (Sign out)

                                    We’ll send you updates on this idea

                                    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Enable app password creation when MFA is enforced using Azure Conditional Access

                                    I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.

                                    I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal then, the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal then, the app password creation option is not presented at all. Both are implementing the same function essentially but the latter blocks the apps that…

                                    21 votes
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      Signed in as (Sign out)

                                      We’ll send you updates on this idea

                                      9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                                    • Azure Authenticator (MFA) Desktop App

                                      SUMMARY:
                                      Due to limited capability to use the Microsoft Authenticator Mobile app on a mobile device, there is a requirement to get a desktop version of the app that has the same functionality.

                                      BUSINESS CASE/BACKGROUND:
                                      We make use of MFA for all remote users who are connecting to our network from a non-managed device (i.e not a company laptop/desktop). These remote users would then be expected to use the Microsoft Authenticator app on a mobile device with the following Authentication options;
                                      - Text Code to my authentication phone number
                                      - Notify me through app
                                      - Use verification code from app

                                      20 votes
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        Signed in as (Sign out)

                                        We’ll send you updates on this idea

                                        0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                                      • MFA only allow initial setup from inside corporate network.

                                        Please allow configuration of initial MFA setup for users so that they can only provision MFA from within our corporate network. Also the ability to pre-provision and lock-down their MFA settings (cell phones etc). We need to be able to make sure that not just anyone from outside can do the initial provisioning of a users MFA setup. In case a users password is compromised.

                                        19 votes
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          Signed in as (Sign out)

                                          We’ll send you updates on this idea

                                          3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                                        • Add apple watch app for multi factor authentication

                                          Please add apple watch app for multi factor authentication so we can verify logins right from watch without having to take the phone out

                                          19 votes
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            Signed in as (Sign out)

                                            We’ll send you updates on this idea

                                            6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
                                          ← Previous 1 3 4 5 6 7
                                          • Don't see your idea?

                                          Feedback and Knowledge Base