Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Adding non-listed 3rd Party MFA via Azure AD Custom Controls

    How do you get an MFA Server on the list, as at present it seems to be restricted to RSA, Duo and Trusona. Or when will you open up support for the general MFA providers, and/or provide the information that will allow another vendor to integrate in the same fashion.

    Reason:
    We have a very large customer we are working on with their whole of Staff UAM 2FA upgrade. They are looking at both on-premise and cloud options, but require the 2FA to be on-premise. Azure's approach with ADFS will be restrictive as compared to AWS and GCP's approach, especially…

    57 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  2. Azure AD MFA enhancements

    Like to suggests a couple of enhancements to Azure MFA (not MFA server).

    Ability to pre-provision users at scale (send QR code to selected users via email, import mobile numbers to protected 'authentication contact info' area in users profile via PowerShell, etc.)

    Provide method for users to change MFA device or bypass MFA if device isn't available (security / secret questions in lieu of MFA, alternate email - personal, etc. )

    Provide administrators a method to bypass MFA for a user (one time bypass, bypass MFA for 'x' amount of time, provide temp code that will work for 'x' amount…

    55 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  3. change default MFA method / configuratble default MFA method

    Hi,
    Currently when users enable MFA on their accounts, "OneWaySMS" method is the default option. This is a less secure and higher friction UX of the available options.

    It being the default method seems to contribute to it being the most common method used.

    Request the defaults to be reconsidered.
    - no default. Require the user to make an explicit choice
    - change the default to either PhoneAppNotification or PhoneAppOTP
    - make the default an admin configurable option

    thanks

    50 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  4. Azure MFA Trusted IP limitation of 50 address ranges

    Currently per the article: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next the Trusted IP for configuration "For requests from a specific range of public IPs" is restricted to a hard limit of 50 IP Address ranges.

    Please provide the ability to extend this number as there are companies like ours where the limit of 50 IP Address ranges makes this not usable for production environments.

    50 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    17 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. Prevent Change Contact Phone Number by Users in Azure Multi-Factor Autentication.

    I want to allow change contact Phone Number by users ofAdministrator in Azure Multi-Factor Authentication.
    To prevent user to sign-in to system outside of the comany.

    If prevent change contact phone number by users,
    Admin set User's contact phone number to Admin's phone Number,
    and set Trusted IP of Azure Multi-Factor Autentication to the company office's public ip.
    and prevent change contact phone number by useres.

    49 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. MFA NPS ext - Support for Network policies via RADIUS-Challange msg via SMS & OTP

    When you have NPS extension, The problem is that when a user is using SMS or OTP, the user is not granted access based on the network policies that are defined in RADIUS server.

    This is known limitation (MS says) with NPS where the network policies are not applied for SMS or OTP Flows.

    If you use a challenge method it does not support the NAP policies. These are only evaluated during primary authentication.

    When using Radius Challenge(for SMS or OTP), the Challenge response skips primary auth and so these policies are not evaluated.

    But when the users have chosen…

    46 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  7. Allow users with MFA to login via CLI (az login)

    az login currently does not work with Microsoft accounts or accounts that have two-factor authentication enabled, see: https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-login

    Following the idea of Infrastructure-as-Code (IaC), we pro-grammatically use az login to set up our infrastructure. However, we would highly prefer using user account when running such scripts manually compared to service principals:
    a) Audit logs on Azure should show who (= real user) triggered infrastructural changes
    b) MFA-backed accounts are more secure

    See also: https://github.com/Azure/azure-cli/issues/6962

    43 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. Add company preferred MFA option

    Company should have option to choose preferred option for MFA for users. For example, we allow Mobile Phone and App. But in onboarding, portal asks only for phone setup and not for app. Users complain about SMS codes, they do not find an App option in advance settings.

    40 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  9. Azure MFA synchronization between on premise and cloud

    Hi. We are currently AAD Premium subscribers (via EMS) If I'm reading all current documentation correctly deploying a MFA server on premise would be completely independent of any Cloud based MFA registrations for O365 and other SSO apps. This results in a userbase needing to register with 2 different MFA servers and causing some confusion. It would be nice if the on premise MFA server could synchronize or even proxy requests to the cloud based MFA server so only 1 registration would be needed.

    For example, user John Smith has 2FA turned on in the O365 cloud portal, and goes…

    40 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow Applications to be Protected by MFA through CA

    Allow the following appliations to be protected by MFA through Conditional Access:

    • Office365 Shell WCSS-Client
    • Microsoft Office 365 Portal
    • O365 Suite UX

    These applications are related to the Office Portal.

    38 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  11. Allow only some users to create app passwords

    App passwords are a bad idea. They are ugly enough that users are going to write them down on a post it and leave it on their desk. (Which is worse for security)
    I don't want some of my users to be able to create App passwords, like external partners who have internal accounts. But it looks like this is only a global setting.

    It would be nice if I could be more granular with this control.

    38 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  12. MFA cloud-only solution should support an additional PIN option.

    In order to compete with equivalent solutions available today, it would be great to have the ability to enforce a PIN as a prefix or suffix to a verification code, or even as per the current on-premise MFA offering. This allows systems an additional "what you know" option, where primary authentication is weak or only deals with identification and not authentication.

    38 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  13. Require re-register MFA, it should revoke Microsoft Authenticator app, not just phone numbers.

    When revoking a users MFA sessions and requiring re-registration of MFA, AAD only removes the phone numbers from the users account. It does not remove the associated Authenticator app. There is no method to for a Global Admin to remove the Authenticator app association from the user. The only supported method is for the end user to log-in and remove it from the myprofile.microsoft.com page.

    35 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  14. Control “Remember MFA for devices that users trust” on an application basis

    At the moment “Remember Multi-Factor Authentication for devices that users trust” is only a global setting

    For most of our application InfoSec is fine to have 14 day before reauthentication and that’s a fair compromise between usability and security especially for things like the SfB App on the mobile

    Nevertheless for some applications we want to have AAD enforce MFA for every login as the data in those systems is highly confidential, e.g. the system that manages the payroll and benefits for our top executives

    So we’re asking to have an option to overwrite the “Remember Multi-Factor Authentication for devices…

    33 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Enable Flash SMS for MFA/Multi Factor Authentication

    I'd like the possibility to use Flash SMS (http://en.wikipedia.org/wiki/ShortMessageService#Flash_SMS) when sending one-way OTPs using Azure MFA / Multi-Factor Authentication.

    30 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  16. Pre-configure Microsoft Authenticator Application

    I was wondering if its possible to pre-configure Microsoft Authenticator application when pushed out through SCCM/Intune for managed devices. It would be nice if the Authenticator Application could be pre-configured with both Code & URL-Address for the MFA setup, so that end-users wont have to do it themselves. It would also enhance the security aspect if its pre-configured centrally.

    28 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. Make Azure MFA work on ADFS when Alternate login ID enabled

    We just have tested the Azure MFA (cloud version) integration with ADFS. In ADFS we have the email as Alternate Login ID and our users are synced to Azure AD using the UPN value.

    Well, MFA works for all the users with the same UPN/email value, but for users with diferent UPN and email values, MFA fails. Basically ADFS tries to locate the user for Azure MFA using the Alternate login ID (the email) and as our users are synced to Azure AD using the UPN value, ADFS throws an exception telling that the user was not found in Azure…

    28 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  18. We would like to activate MFA at our designated time.

    At present, MFA is activated at the time when the administrator enables MFA per user.
    We would like to activate MFA at the administrator's designated time. We believe that this enables us to broaden our range of operation.
    It would be great if we could, for example, control by designating the time to parameter "RememberDevicesNotIssuedBefore".

    26 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow customization of MFA Text Messaging

    Allow the customization of MFA Texts to be branded by company name. currently, this is hard-coded to be "Use this code for Microsoft verification". I've been asked by my Executives to allow this to be branded for our company rather than Microsofts. i.e. "Use this code for <CompanyName> verification."

    26 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  20. Reset MFA Authenticator setup as an admin

    For several months now, the "Additional security verification" page (http://aka.ms/setupmfa) from Azure MFA has memorized the Authenticator app and the corresponding device. (See attachment)
    Please offer the possibility to the administrators to remove the old paired device and the associated Authenticator app.

    Reason (for us):
    To configure Windows Hello 4 Business the Authenticator app must be used. Many employees have connected an old device that they no longer own or use.
    We do not have the SMS option set to available, and have set Multi-Factor Auth to Enforced. Using the "manage settings" from the MFA portal is still…

    23 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base