Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Azure MFA server does not support E-Mail as an Authentication method, i.e. OTP getting delivered to E-Mail. This feature is required.

    Azure MFA does not support OTP over E-Mail. Support for this is required for scenarios where a mobile is not allowed inside the premises due to security and has to be submitted outside at the security desk. In such cases, the OTP can be checked over E-Mail, but that is not supported by MFA. Please suggest.

    1 vote
    0 comments  ·  Multi-factor Authentication
  2. Filtering on “MFA Auth Method” via the interface

    Filtering on “MFA Auth Method” via the interface would be beneficial on the report we are looking at. Downloading the report is not really a good option, as the report has over 250000 rows and the last time we tried, the download failed.

    The report doesn’t show us any data as we aren’t using MFA server, just Conditional Access policies.

    The report shows us the data, but doesn’t allow us to filter on MFA Auth Method.

    1 vote
    0 comments  ·  Multi-factor Authentication
  3. Log IP of password reset requests and source IP of MFA triggers

    We recently experienced a user getting an MFA prompt as part of an attempted password reset request, but there is no logging of the IP or source of the request. Having IP data would allow for correlation of data with successful/failed logon attempts.

    It's actually amazing this isn't already a thing.

    1 vote
    0 comments  ·  Multi-factor Authentication
  4. MFA, option to request setup only when outside the organisation/trusted IP scope

    I would like an option to select a group and not prompt them to setup MFA unless they are outside the trusted IP scope.

    Whilst on the trusted IP scope, the user should have access to set up or continue on to Office 365.

    Currently, once MFA is enforced the user has no option but to set it up, otherwise they cannot access the Office 365 SharePoint homepage. If they cannot do it there and then, it stops them from working.

    1 vote
    1 comment  ·  Multi-factor Authentication
  5. Allow for the default Microsoft Authenticator account name of “Azure AD” to be configurable.

    If a user goes to https://aka.ms/mfasetup and sets up their account preference, then they do get an account named accordingly in their Authenticator app…
    However, if a user doesn’t set up their account preferences and they log into the Outlook app on their phone for the first time and receive Intune app protection policies, they end up with an Authenticator account named “Azure AD”.

    1 vote
    0 comments  ·  Multi-factor Authentication

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

  6. Provide Office Phone as a Multi-Factor Authentication (MFA) option

    Please add Office Phone and Extension as an option in the preview feature of MFA Registration process. It is very hard for us to require end-users to use their personal phone for MFA business needs. Here are references to this change that Microsoft is previewing... https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined

    1 vote
    0 comments  ·  Multi-factor Authentication
  7. MFA

    Hi,
    It would be great to have an option to use Azure MFA, which is part of ADFS 2019, while using an Alternate Login ID other than UPN. We can use an Alternate Login ID, like mail, to sign in to O365 and use MFA that is configured on the Azure side. But if you want to do preauthentication for your on-premises application, it is impossible to configure MFA, because only the UPN is checked on ADFS during the MFA request. If users are using an Alternate Login ID, an error is thrown that the user has no MFA option configured.

    1 vote
    0 comments  ·  Multi-factor Authentication
  8. MFA authenticator improvement

    It would be helpful to know which app was requesting the code or the approval, when the whole Office suite is asking for it, for example. On startup it can be Skype, OneDrive, Outlook, Teams, SharePoint and more. Pretty annoying. Especially if the notification for the application on your PC hides behind the actual application you won't notice.

    1 vote
    0 comments  ·  Multi-factor Authentication
  9. Azure Policy - MFA Policies support for an internal MFA Server

    We would like to use the Azure MFA policies, however they assume the usage of Azure MFA, and within our company we are using an On-premise MFA server. We have now disabled the policies, based on a statement from the PG on supporting this feature:


    • You have disabled the default policies since you had no clear view on when it works.

    • We have checked the policy "Audit accounts with write permissions who are not MFA enabled on a subscription" and some of the users that had write permissions on the subscription were not enabled for MFA in Azure AD. You…
    1 vote
    0 comments  ·  Multi-factor Authentication

    Thanks for the valid suggestion. Your feedback is now open for the user community to up-vote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  10. Allow MFA via Email for external vendors

    The current MFA tools are tied to a device that a 3rd party would likely take with them if released from their employer, which poses a high potential for a security risk. If email based MFA was allowed for vendor access, then emails would be sent to a corporate mail server ensuring that the employee was still employed.

    I understand the argument that sending an email to the account you're trying to access is poor security posture, but if it is being sent to a different domain, that risk should be mitigated and overall a better security mechanism.

    1 vote
    1 comment  ·  Multi-factor Authentication
  11. 1 vote
    0 comments  ·  Multi-factor Authentication
  12. Make the wizard fill the window for combined MFA and password reset registration experience in Office apps

    When a user opens an Office app (Outlook) and needs to register for MFA and SSPR in the new registration experience, the browser kiosk window is square, but the wizard is rectangular.
    Because of this, the Next buttons aren't visible without scrolling to the right side.
    Make the wizard fill the window.

    1 vote
    0 comments  ·  Multi-factor Authentication
  13. Please update the MFA page to just redirect to AD Premium

    I still get customers and sellers saying that there is still an option for paying for MFA against an Azure Subscription. From what I understand this is no longer available, that you must purchase AD Premium. If I am correct, please remove the MFA page altogether or update it to reflect the new pricing model and put the old pricing model in the FAQ or something.

    1 vote
    0 comments  ·  Multi-factor Authentication
  14. USE AUTHENTICATOR AS 2nd factor

    This is as classic a mind numbing and soul crushing experience as I have experienced in my 30 plus years of a Microsoft missionary. Have 4 or 5 hours to waste? Look for documentation showing you how to set up logging into Windows 10 on an AAD machine which triggers an authentication in the Authenticator app - just admit it's the most value added thing you could do and for some reason it doesn't exist - but you can do it for FREE with your Microsoft account - WHY??? PATENTLY RIDICULOUS

    1 vote
    0 comments  ·  Multi-factor Authentication
  15. Azure MFA OATH Tokens

    When importing a CSV of OATH tokens, they show up in myapps.microsoft.com as Authenticator App. It would be good to be able to enter a custom name or the last 4 digits of the serial number.

    When you have testing and/or users with multiple tokens, there is no way to know which one you are deleting/changing.

    1 vote
    0 comments  ·  Multi-factor Authentication
  16. MFA Phone Numbers Verification or Encryption in DB

    It would be beneficial to be able to enforce that multiple users are not using the same phone number for MFA within the on-prem MFA server.

    Additionally due to privacy concerns, it would be beneficial if the phone number field were encrypted in the database such that admins are unable to retrieve them in clear text from the server.

    1 vote
    0 comments  ·  Multi-factor Authentication
  17. Change Sign-ins from infected devices title to Sign-ins from suspicious IP

    Change Sign-ins from infected devices title to Sign-ins from suspicious IP. The title of this detection is inaccurate, it is actually when a sign in has been detected from a suspicious IP. Improved wording would be appreciated.

    1 vote
    0 comments  ·  Multi-factor Authentication
  18. MFA Limit the Amount of One-Time Bypasses Allowed

    It would be nice if it were possible to limit the amount of one-time bypasses a user can issue themselves within a 24 hour period. Because a user is able to log in to the MFA User Portal using security questions when they do not have access to their primary MFA device, someone can essentially bypass MFA altogether by using security questions and issuing themselves a one-time bypass as many times as they want. This also violates PCI compliance in that it doesn't meet the criteria that "MFA should be implemented so that authentication mechanisms are independent of each other."

    1 vote
    0 comments  ·  Multi-factor Authentication
  19. Unique Sender

    Our users have reported to us that the MFA codes are being sent by totally different numbers. Although we know that this is an expected behaviour, it would be good to consider at least calling the senders in the same way, and if possible not Microsoft, but an agnostic name.

    It would also be good to be able to customise the message with a custom text to offer a better user experience.

    1 vote
    0 comments  ·  Multi-factor Authentication
  20. MFA Verification Method, "Call to phone", The user answers the call and presses #. This should be a configurable option to use different key

    Sometimes the users' local phone system reserves the "#" key for a special purpose on incoming calls. Meaning that the touch tone sound is not passed onto the caller, in this case the MFA incoming call. Currently, MFA doesn't allow changing this to use a different key. This should be configurable (to use a different key) in the same way that the voice message being played is configurable.

    1 vote
    0 comments  ·  Multi-factor Authentication