Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Pre-configure Microsoft Authenticator Application

    I was wondering if its possible to pre-configure Microsoft Authenticator application when pushed out through SCCM/Intune for managed devices. It would be nice if the Authenticator Application could be pre-configured with both Code & URL-Address for the MFA setup, so that end-users wont have to do it themselves. It would also enhance the security aspect if its pre-configured centrally.

    21 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  2. Allow customization of MFA Text Messaging

    Allow the customization of MFA Texts to be branded by company name. currently, this is hard-coded to be "Use this code for Microsoft verification". I've been asked by my Executives to allow this to be branded for our company rather than Microsofts. i.e. "Use this code for <CompanyName> verification."

    21 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  3. Integrate Azure MFA with the Windows login process, maybe through Windows Hello for Business.

    From what I can see it's not currently possible to integrate Azure MFA into the Windows domain login process as a second factor. For example, if a user was to authenticate to the local AD first and then be required to use Azure MFA to add a second factor, using the Microsoft Authenticator app. This would remove the need for third party smartcards or hardware tokens.

    20 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add phone call language support for non-browser based apps (VPN) to Cloud Azure MFA

    Please provide a method to set a default phone call language per user when using hosted/cloud Azure MFA to protect non-browser based applications (ex. VPN). Have the ability to set the phone call language either per user or based on other user attributes. This is possible today in the on-premise MFA server and should also be possible when using Azure MFA in the cloud.

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. Conditional access validated prior to password

    Today, authentication validated the password before hitting the conditional access, therefore allow for password sprays to lock the accounts.

    Office 365 and Azure logins should take the password (as we do today), proceed with conditional access, even if the password is wrong, allowing conditional access to block password sprays. Then if the password is incorrect, deny the access or send for approval in the azure app or request the token, whatever is the preferred choice for MFA.

    Hope I was clear...

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow users with MFA to login via CLI (az login)

    az login currently does not work with Microsoft accounts or accounts that have two-factor authentication enabled, see: https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-login

    Following the idea of Infrastructure-as-Code (IaC), we pro-grammatically use `az login` to set up our infrastructure. However, we would highly prefer using user account when running such scripts manually compared to service principals:
    a) Audit logs on Azure should show *who* (= real user) triggered infrastructural changes
    b) MFA-backed accounts are more secure

    See also: https://github.com/Azure/azure-cli/issues/6962

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  7. Reset MFA Authenticator setup as an admin

    For several months now, the "Additional security verification" page (http://aka.ms/setupmfa) from Azure MFA has memorized the Authenticator app and the corresponding device. (See attachment)
    Please offer the possibility to the administrators to remove the old paired device and the associated Authenticator app.

    Reason (for us):
    To configure Windows Hello 4 Business the Authenticator app must be used. Many employees have connected an old device that they no longer own or use.
    We do not have the SMS option set to available, and have set Multi-Factor Auth to Enforced. Using the "manage settings" from the MFA portal is still…

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. Allow only some users to create app passwords

    App passwords are a bad idea. They are ugly enough that users are going to write them down on a post it and leave it on their desk. (Which is worse for security)
    I don't want some of my users to be able to create App passwords, like external partners who have internal accounts. But it looks like this is only a global setting.

    It would be nice if I could be more granular with this control.

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  9. Enable MFA when a delegated partner (CSP) accesses a customer tenant

    We have enabled MFA for users in the AAD tenant associated with our CSP enrollment. MFA works properly when we access the Partner Center portal; however, MFA does not work when we directly access a customer tenant, e.g., Azure Management Portal, using our CSP tenant credentials. For example, accessing https://portal.azure.com/ using our CSP credentials invokes MFA but accessing https://portal.azure.com/<customer_tenant> using the same credentials does not.

    According to Microsoft support, this is because MFA can only be triggered for users in the AAD tenant, not the partner's CSP tenant.

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  10. Extend Azure MFA with features that are only supported by the MFA server on-prem

    Extend Azure MFA with features that are only supported by the MFA server on-prem!

    Caching
    On-time bypass
    Customized text messages
    Token Support (I read it is planned)

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  11. Make Azure MFA work on ADFS when Alternate login ID enabled

    We just have tested the Azure MFA (cloud version) integration with ADFS. In ADFS we have the email as Alternate Login ID and our users are synced to Azure AD using the UPN value.

    Well, MFA works for all the users with the same UPN/email value, but for users with diferent UPN and email values, MFA fails. Basically ADFS tries to locate the user for Azure MFA using the Alternate login ID (the email) and as our users are synced to Azure AD using the UPN value, ADFS throws an exception telling that the user was not found in Azure…

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  12. NPS extension for Azure MFA - Allow to use the Realm manipulation in Connection Request Policies

    NPS server cannot perform real manipulation to change the domain name from the user UPN before the AD authentication happens, even if the Connection Request Policies contains the appropriate rule. This is a limitation for us when consolidating companies through AD on premises and Azure AD, including Azure AD MFA. Actually, UPNs are different until the AD migration is complete and having a chance to manipulate the realm might help us to accelerate the integration.
    Having said that, it would be a nice feature to have the NPS server to NOT ignore the realm manipulation when the rule is active…

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  13. Reports to find that how many users have skipped MFA because of IP White list option in MFA

    Reports to find that how many users have skipped MFA because of IP White list option in MFA

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  14. Change the message text to "Use a verification code from my mobile app or hardware token"

    Currently, when users configured Azure MFA for hardware token and phone number, they can choose MFA method when signing in azure portal.
    In the Azure AD logon page, users see following options.

    -------------------------
    ・ Use a verification code from my mobile app
    ・ Text +XX XXXXXXXXX
    -------------------------

    It's not intuitive for customers to choose "Use a verification code from my mobile app" even though they are using hardware token.
    So please change the message text to "Use a verification code from my mobile app or hardware token".
    I am support professional and I am receiving unnecessary support calls from users…

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. MFA NPS ext - Support for Network policies via RADIUS-Challange msg via SMS & OTP

    When you have NPS extension, The problem is that when a user is using SMS or OTP, the user is not granted access based on the network policies that are defined in RADIUS server.

    This is known limitation (MS says) with NPS where the network policies are not applied for SMS or OTP Flows.

    If you use a challenge method it does not support the NAP policies. These are only evaluated during primary authentication.
    When using Radius Challenge(for SMS or OTP), the Challenge response skips primary auth and so these policies are not evaluated.

    But when the users have chosen…

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  16. Prevent users from changing authentication methods and authentication phone number (mfasetup)

    We would need the following features:

    • The possibility to assign different auth methods based on groups for MFA.

    • A way to prevent users from changing the authentication phone number. IT department should be able to predefine one authentication phone number and the user should not be able to change the number or setup an alternate phone number by himself.

    • One way to control the access to MFA setup using Conditional Access Policies.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. Make Trusted IPs a Standard Feature of MFA for Office 365 and MFA for Azure AD Admins

    Not being able to set Trusted IPs for MFA for our Office 365 users and Azure AD admins is the primary reason we have not implemented MFA.
    For admins, admin tasks are done almost exclusively while on our LAN. When we tried enabling MFA, it was too cumbersome to use when authenticating to each service in PowerShell.
    For Office 365 users, our biggest threat is compromised credentials being used by malicious actors from outside of our company. Requiring MFA to be used while on our LAN slows down the adoption of all but the most basic Office 365 services (in…

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  18. Add capability for MFA at user login to MacOS

    It would be great if Azure MFA had the capability to enforce multifactor authentication (MFA) at user login to MacOS - similar to how Duo works.

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  19. Enable One Time Passcode (OTP) option via alternate email address, as a verification option for Azure MFA (cloud).

    This will enable a way for those with no landline or mobile device to receive an OTP via their personal email account, in order to complete MFA challenge. Good option to have, as then we don't need hardware token support like OATH TOTP.

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  20. Port Azure MFA Server (PhoneFactor) reports from "classic portal" to "new"/current portal and give "Security Reader" role access to them.

    Port Azure MFA Server (PhoneFactor) reports from "classic portal" to "new"/current portal and give "Security Reader" role access to them.

    The Azure MFA Server - Activity Report which is currently available in the "new"/current Azure portal and all of the MFA Server reports that are only available in the "Classic" are only consumable by "Global Admin" role members. This makes it difficult to utilize with the rest of the security protection model available to the "Security Reader" role members.
    It would be useful to get these reports moved to the "new"/current Azure portal and get them accessible to the "Security…

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base