Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. MFA NPS ext - Support for Network policies via RADIUS-Challenge msg via SMS & OTP

    When you have the NPS extension, the problem is that when a user is using SMS or OTP, the user is not granted access based on the network policies that are defined in the RADIUS server.

    This is a known limitation (MS says) with NPS where the network policies are not applied for SMS or OTP flows.

    If you use a challenge method it does not support the NAP policies. These are only evaluated during primary authentication.

    When using Radius Challenge (for SMS or OTP), the Challenge response skips primary auth and so these policies are not evaluated.

    But when the users have chosen…

    67 votes

    14 comments  ·  Multi-factor Authentication
  2. Azure MFA Trusted IP limitation of 50 address ranges

    Currently per the article: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next the Trusted IP for configuration "For requests from a specific range of public IPs" is restricted to a hard limit of 50 IP Address ranges.

    Please provide the ability to extend this number as there are companies like ours where the limit of 50 IP Address ranges makes this not usable for production environments.

    62 votes

    19 comments  ·  Multi-factor Authentication
  3. Azure AD MFA enhancements

    I'd like to suggest a couple of enhancements to Azure MFA (not MFA server).

    Ability to pre-provision users at scale (send QR code to selected users via email, import mobile numbers to protected 'authentication contact info' area in users' profile via PowerShell, etc.)

    Provide method for users to change MFA device or bypass MFA if device isn't available (security / secret questions in lieu of MFA, alternate email - personal, etc.)

    Provide administrators a method to bypass MFA for a user (one time bypass, bypass MFA for 'x' amount of time, provide temp code that will work for 'x' amount…

    61 votes

    7 comments  ·  Multi-factor Authentication
  4. Allow users with MFA to login via CLI (az login)

    az login currently does not work with Microsoft accounts or accounts that have two-factor authentication enabled, see: https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-login

    Following the idea of Infrastructure-as-Code (IaC), we programmatically use az login to set up our infrastructure. However, we would highly prefer using a user account when running such scripts manually compared to service principals:
    a) Audit logs on Azure should show who (= real user) triggered infrastructural changes
    b) MFA-backed accounts are more secure

    See also: https://github.com/Azure/azure-cli/issues/6962

    56 votes

    1 comment  ·  Multi-factor Authentication
  5. Prevent Change Contact Phone Number by Users in Azure Multi-Factor Authentication.

    I want to allow change contact Phone Number by users of Administrator in Azure Multi-Factor Authentication.
    To prevent user to sign-in to system outside of the company.

    If prevent change contact phone number by users,
    Admin set User's contact phone number to Admin's phone Number,
    and set Trusted IP of Azure Multi-Factor Authentication to the company office's public IP.
    and prevent change contact phone number by users.

    56 votes

    8 comments  ·  Multi-factor Authentication
  6. Require re-register MFA, it should revoke Microsoft Authenticator app, not just phone numbers.

    When revoking a user's MFA sessions and requiring re-registration of MFA, AAD only removes the phone numbers from the user's account. It does not remove the associated Authenticator app. There is no method for a Global Admin to remove the Authenticator app association from the user. The only supported method is for the end user to log in and remove it from the myprofile.microsoft.com page.

    50 votes

    3 comments  ·  Multi-factor Authentication
  7. Make Azure MFA work on ADFS when Alternate login ID enabled

    We just have tested the Azure MFA (cloud version) integration with ADFS. In ADFS we have the email as Alternate Login ID and our users are synced to Azure AD using the UPN value.

    Well, MFA works for all the users with the same UPN/email value, but for users with different UPN and email values, MFA fails. Basically ADFS tries to locate the user for Azure MFA using the Alternate login ID (the email) and as our users are synced to Azure AD using the UPN value, ADFS throws an exception telling that the user was not found in Azure…

    50 votes

    5 comments  ·  Multi-factor Authentication
  8. Allow only some users to create app passwords

    App passwords are a bad idea. They are ugly enough that users are going to write them down on a post it and leave it on their desk. (Which is worse for security)
    I don't want some of my users to be able to create App passwords, like external partners who have internal accounts. But it looks like this is only a global setting.

    It would be nice if I could be more granular with this control.

    47 votes

    4 comments  ·  Multi-factor Authentication
  9. Allow Applications to be Protected by MFA through CA

    Allow the following applications to be protected by MFA through Conditional Access:

    • Office365 Shell WCSS-Client
    • Microsoft Office 365 Portal
    • O365 Suite UX

    These applications are related to the Office Portal.

    44 votes

    3 comments  ·  Multi-factor Authentication
  10. Add company preferred MFA option

    Company should have option to choose preferred option for MFA for users. For example, we allow Mobile Phone and App. But in onboarding, portal asks only for phone setup and not for app. Users complain about SMS codes, they do not find an App option in advance settings.

    43 votes

    5 comments  ·  Multi-factor Authentication
  11. Azure MFA synchronization between on premise and cloud

    Hi. We are currently AAD Premium subscribers (via EMS). If I'm reading all current documentation correctly, deploying an MFA server on premise would be completely independent of any Cloud based MFA registrations for O365 and other SSO apps. This results in a userbase needing to register with 2 different MFA servers and causing some confusion. It would be nice if the on premise MFA server could synchronize or even proxy requests to the cloud based MFA server so only 1 registration would be needed.

    For example, user John Smith has 2FA turned on in the O365 cloud portal, and goes…

    41 votes

    10 comments  ·  Multi-factor Authentication
  12. Conditional access validated prior to password

    Today, authentication validates the password before hitting the conditional access, therefore allowing for password sprays to lock the accounts.

    Office 365 and Azure logins should take the password (as we do today), proceed with conditional access, even if the password is wrong, allowing conditional access to block password sprays. Then if the password is incorrect, deny the access or send for approval in the azure app or request the token, whatever is the preferred choice for MFA.

    Hope I was clear...

    39 votes

    8 comments  ·  Multi-factor Authentication
  13. MFA cloud-only solution should support an additional PIN option.

    In order to compete with equivalent solutions available today, it would be great to have the ability to enforce a PIN as a prefix or suffix to a verification code, or even as per the current on-premise MFA offering. This allows systems an additional "what you know" option, where primary authentication is weak or only deals with identification and not authentication.

    39 votes

    5 comments  ·  Multi-factor Authentication
  14. Pre-configure Microsoft Authenticator Application

    I was wondering if it's possible to pre-configure the Microsoft Authenticator application when pushed out through SCCM/Intune for managed devices. It would be nice if the Authenticator Application could be pre-configured with both Code & URL-Address for the MFA setup, so that end-users won't have to do it themselves. It would also enhance the security aspect if it's pre-configured centrally.

    35 votes

    7 comments  ·  Multi-factor Authentication
  15. Control “Remember MFA for devices that users trust” on an application basis

    At the moment “Remember Multi-Factor Authentication for devices that users trust” is only a global setting

    For most of our applications InfoSec is fine to have 14 days before reauthentication and that’s a fair compromise between usability and security, especially for things like the SfB App on the mobile

    Nevertheless for some applications we want to have AAD enforce MFA for every login as the data in those systems is highly confidential, e.g. the system that manages the payroll and benefits for our top executives

    So we’re asking to have an option to overwrite the “Remember Multi-Factor Authentication for devices…

    35 votes

    6 comments  ·  Multi-factor Authentication
  16. Azure AD role to unblock or block MFA for users

    I am unsure if someone posted an idea about this, but is there an existing Azure AD role that allows an administrator to block or unblock MFA for users? As it seems today, only a Global administrator can unblock or block MFA for a user. If there is an Azure AD role that does this today, please let me know. Otherwise, it would be nice to incorporate the block/unblock MFA permission with an existing role or create a new one. Just a thought! :)

    34 votes

    8 comments  ·  Multi-factor Authentication
  17. MFA unblock on same menu as MFA settings

    Put MFA unblock on same menu as MFA settings.

    In the MFA settings menu "Admin Center, AAD, Users, Multi-Factor Authentication, select user and then click on ‘Manage User Settings’", there is no setting to ‘unblock’ the user. To unblock a user, you have to go to "Admin Center, AAD, Security, MFA, Block/Unblock Users"

    May I suggest that the unblock user setting also appear in the "Admin Center, AAD, Users, Multi-Factor Authentication, select user and then click on ‘Manage User Settings’" menu?

    And/or consider under "Admin Center, AAD, Security, MFA" that you point to the same menu where you can manage user…

    33 votes

    2 comments  ·  Multi-factor Authentication
  18. Prevent users from changing authentication methods and authentication phone number (mfasetup)

    We would need the following features:

    • The possibility to assign different auth methods based on groups for MFA.

    • A way to prevent users from changing the authentication phone number. IT department should be able to predefine one authentication phone number and the user should not be able to change the number or set up an alternate phone number by himself.

    • One way to control the access to MFA setup using Conditional Access Policies.

    33 votes

    4 comments  ·  Multi-factor Authentication
  19. There seems to be no Azure AD role to manage OATH tokens

    Currently it seems only Global Admins can manage OATH tokens in Azure AD. Would be good if you could delegate that topic.

    32 votes

    1 comment  ·  Multi-factor Authentication
  20. Show Sign-in info (location, client, device-type, etc) in Authenticator app

    Especially for users (e.g. admins) who receive a lot of MFA sign-in requests via their Authenticator App (sometimes at unexpected moments), it is crucial that they can quickly verify where the authentication request originated from (detailed location info) and more details on the device (client app, device-type, etc.) so the user can make an informed decision if the MFA authentication request on his phone is legitimate or not.

    32 votes

    4 comments  ·  Multi-factor Authentication