Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Add phone call language support for non-browser based apps (VPN) to Cloud Azure MFA

    Please provide a method to set a default phone call language per user when using hosted/cloud Azure MFA to protect non-browser based applications (ex. VPN). Have the ability to set the phone call language either per user or based on other user attributes. This is possible today in the on-premise MFA server and should also be possible when using Azure MFA in the cloud.

    23 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  2. Prevent users from changing authentication methods and authentication phone number (mfasetup)

    We would need the following features:

    • The possibility to assign different auth methods based on groups for MFA.

    • A way to prevent users from changing the authentication phone number. IT department should be able to predefine one authentication phone number and the user should not be able to change the number or setup an alternate phone number by himself.

    • One way to control the access to MFA setup using Conditional Access Policies.

    22 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  3. Change the message text to "Use a verification code from my mobile app or hardware token"

    Currently, when users configured Azure MFA for hardware token and phone number, they can choose MFA method when signing in azure portal.
    In the Azure AD logon page, users see following options.


    ・ Use a verification code from my mobile app

    ・ Text +XX XXXXXXXXX

    It's not intuitive for customers to choose "Use a verification code from my mobile app" even though they are using hardware token.
    So please change the message text to "Use a verification code from my mobile app or hardware token".
    I am support professional and I am receiving unnecessary support calls from users because the…

    21 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add capability for MFA at user login to MacOS

    It would be great if Azure MFA had the capability to enforce multifactor authentication (MFA) at user login to MacOS - similar to how Duo works.

    21 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. Conditional access validated prior to password

    Today, authentication validated the password before hitting the conditional access, therefore allow for password sprays to lock the accounts.

    Office 365 and Azure logins should take the password (as we do today), proceed with conditional access, even if the password is wrong, allowing conditional access to block password sprays. Then if the password is incorrect, deny the access or send for approval in the azure app or request the token, whatever is the preferred choice for MFA.

    Hope I was clear...

    19 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. Enable One Time Passcode (OTP) option via alternate email address, as a verification option for Azure MFA (cloud).

    This will enable a way for those with no landline or mobile device to receive an OTP via their personal email account, in order to complete MFA challenge. Good option to have, as then we don't need hardware token support like OATH TOTP.

    19 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  7. users want to set up the MFA Setup Wizard later

    In the MFA release plan of a large company, thousands users are impossible to actually "force" from the day.

    So, the user needs a period which setting for the MFA can be skipped, before force setting period.

    In the period, it provide a selection such as "set up later" in the MFA setting wizard at the initial sign-in.

    if someone did not have a mobile device on that day,
    if someone wants to ask questions about MFA, etc...
    they can not access any Office 365.
    becouse, even if you set a policy to skip MFA on the LAN, the MFA…

    19 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. Enable MFA when a delegated partner (CSP) accesses a customer tenant

    We have enabled MFA for users in the AAD tenant associated with our CSP enrollment. MFA works properly when we access the Partner Center portal; however, MFA does not work when we directly access a customer tenant, e.g., Azure Management Portal, using our CSP tenant credentials. For example, accessing https://portal.azure.com/ using our CSP credentials invokes MFA but accessing https://portal.azure.com/<customer_tenant> using the same credentials does not.

    According to Microsoft support, this is because MFA can only be triggered for users in the AAD tenant, not the partner's CSP tenant.

    19 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  9. Extend Security Group queries with attribute for MFA enabled users

    Extend the dynamic user groups with ability to query for users that have or do not have MFA enabled/setup on there account.

    This will allow for more automization around conditional access, visibility and communication.

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  10. Extend Azure MFA with features that are only supported by the MFA server on-prem

    Extend Azure MFA with features that are only supported by the MFA server on-prem!

    Caching
    On-time bypass
    Customized text messages
    Token Support (I read it is planned)

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  11. Reports to find that how many users have skipped MFA because of IP White list option in MFA

    Reports to find that how many users have skipped MFA because of IP White list option in MFA

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  12. MFA status after enabling MFA for users who have registered MFA notification destinations in advance

    We are deploying Azure MFA by the following method, and we perform various controls depending on the status of MFA ([Forced] or [Enabled]).
    https://docs.microsoft.com/ja-jp/azure/active-directory/authentication/howto-mfa-userstates
    Even without enabling MFA, I understand that it is possible to directly access 「https://aka.ms/mfasetup」 and register the MFA notification destination in advance.
    However, if you enable MFA after registering the MFA notification destination, the status of MFA will not be changed to [Forced] even though MFA setup has been completed.

    The specifications are different from the status of each MFA status described in the Microsoft public documentation.
    Since the control is based on the…

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  13. NPS extension for Azure MFA - Allow to use the Realm manipulation in Connection Request Policies

    NPS server cannot perform real manipulation to change the domain name from the user UPN before the AD authentication happens, even if the Connection Request Policies contains the appropriate rule. This is a limitation for us when consolidating companies through AD on premises and Azure AD, including Azure AD MFA. Actually, UPNs are different until the AD migration is complete and having a chance to manipulate the realm might help us to accelerate the integration.
    Having said that, it would be a nice feature to have the NPS server to NOT ignore the realm manipulation when the rule is active…

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  14. Improve Azure MFA NPS extension logging

    We had an issue deploying the Azure MFA NPS extension recently as per this thread - https://social.msdn.microsoft.com/Forums/en-US/6fd88b14-8353-4eac-be42-501ce1986c11/troubleshooting-azure-mfa-extension-for-nps-issue?forum=windowsazureactiveauthentication.

    After a number of weeks trying to solve it, we ultimately had to move NPS to new servers as we could not find a solution. This was mainly because the logging from the extension is great when it is functioning relatively normally (successful logons, simple failures like missing certificates, ACCESS-REJECT messages received etc.), but for less well defined failure modes there seems to be a complete lack of useful logging.

    In the case of the above issue, we had verbose logging turned…

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Require Authenticator Option within Combined MFA/SSPR Registration

    The new combined MFA/SSPR registration experience is a step forward, but it does not allow configuring a scenario where you want one factor that is Authenticator (push and/or TOTP token) or two factors with at least one of them being Authenticator. Currently when configuring the supported methods, it does not allow Authenticator when the policy is to require a single method, and when requiring two methods, it requires that two other non Authenticator options are enabled (e.g. sms/phone) which means the user can bypass Authenticator.

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  16. Make Trusted IPs a Standard Feature of MFA for Office 365 and MFA for Azure AD Admins

    Not being able to set Trusted IPs for MFA for our Office 365 users and Azure AD admins is the primary reason we have not implemented MFA.
    For admins, admin tasks are done almost exclusively while on our LAN. When we tried enabling MFA, it was too cumbersome to use when authenticating to each service in PowerShell.
    For Office 365 users, our biggest threat is compromised credentials being used by malicious actors from outside of our company. Requiring MFA to be used while on our LAN slows down the adoption of all but the most basic Office 365 services (in…

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. Port Azure MFA Server (PhoneFactor) reports from "classic portal" to "new"/current portal and give "Security Reader" role access to them.

    Port Azure MFA Server (PhoneFactor) reports from "classic portal" to "new"/current portal and give "Security Reader" role access to them.

    The Azure MFA Server - Activity Report which is currently available in the "new"/current Azure portal and all of the MFA Server reports that are only available in the "Classic" are only consumable by "Global Admin" role members. This makes it difficult to utilize with the rest of the security protection model available to the "Security Reader" role members.
    It would be useful to get these reports moved to the "new"/current Azure portal and get them accessible to the "Security…

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  18. Allow removal of Office Phone option in Azure MFA cloud portal

    We sync Office Phone so that its in the GAL for our o365 deployment, but we do not want that listed in the Azure MFA portal (aka.ms/mfasetup). We want only the primary and backup phone options that the user must enter themselves during enrollment.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  19. Add Windows Server 2016 support for Azure MFA server

    I hope that Microsoft will soon add for Windows Server 2016 for the Azure MFA server. Perhaps it should be added to Windows as a new role

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  20. IPv6 Whitelisting option in Azure Multi-Factor Authentication

    The Azure Multi-Factor Authentication server software only allows IPv4 whitelisting. IPv6 whitelisting would be great for the future.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base