Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new login experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. MFA unblock needs to be available to a role that is not a global admin user

    Our user admins cannot be assigned a global admin role in O365. They therefore cannot see any users who are MFA blocked under: Azure Active Directory > Security > MFA > Block/unblock users

    My request to Microsoft is: PLEASE make MFA User Block/Unblocking more manageable
    Per support: As of now, Dec 16 2019, currently, only a Global Admin has rights to view this and it's stored on the MFA backend which does not connect to PowerShell in any way. This is a known issue for our Product Group as well, and there are some changes and/or additional administrative roles coming…

    9 votes
    0 comments  ·  Multi-factor Authentication
  2. Give option not to use trusted device as the MFA source

    We have noticed you don't get prompted for MFA, even if you have, "Require multi-factor authentication", "All Locations" and "Browser" ticked in Azure.

    I've been told by Microsoft Support that this is because the device I'm logging in from is a, "Trusted Device" (It is a Windows 10 laptop with, "Access work or school" in Accounts configured).

    You get prompted for full MFA if using Google Chrome, but if you are using Edge or IE then this is bypassed because the laptop fulfils the MFA request.

    In Conditional Access policy, "Require multi-factor authentication" is defined as, "User must complete additional…

    9 votes
    0 comments  ·  Multi-factor Authentication
  3. Combined security information registration (Preview) language issue

    The Combined Security Information Registration outlined in the following documentation is not functioning as described.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined

    The Language is not pulling from the browser. In my scenario if I set this up using French language and have my German users attempt the process they are receiving the security questions in French and not German. The documentation outlines the language settings are of the computer accessing the page. This is not what I am experiencing.

    9 votes
    1 comment  ·  Multi-factor Authentication
  4. Better whitelist controls for MFA NPS Extension

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-advanced

    IP_WHITELIST only allows for single IP addresses. Would be very useful to provide CIDR ranges.

    Would also be nice to be able to specify for which IP addresses MFA should be triggered. So by default no MFA, only when the authenticating device matches criteria (e.g. IP address, etc.). Would be great if that was integrated in the NPS configuration.

    9 votes
    0 comments  ·  Multi-factor Authentication
  5. Allow multiple tenants to connect to the same Azure MFA NPS extension or on-premises installed MFA server

    Right now it is only possible to connect the Azure MFA NPS extension to one Azure Tenant ID. For hosters it would be great to use a central NPS/RADIUS server or MFA servers where all the customers can connect to, all with their own tenant ID.

    9 votes
    2 comments  ·  Multi-factor Authentication
  6. Different authentications options for MFA roles

    Currently you have one service-wide setting of MFA authentication options. It would be very useful to have different MFA settings for different user/usage roles, e.g. have phone, mobile app and OTP for general users but only app and OTP for high risk users.

    Background is, that some compliance frameworks (PCI DSS, NIST etc.) recommend not to use phone calls or SMS, but that some real life scenarios require just that - either for technical reasons or for ease of use (aka user acceptance). So for some user groups it may be OK or even necessary to use phone calls…

    9 votes
    1 comment  ·  Multi-factor Authentication
  7. precedence and priority for conditional access controls. When compliance, MFA, and Hybrid Azure AD join are all checked

    Hello All,
    One of my questions that I’ve never been able to get answered (it’s not in the Microsoft documentation) is the question of precedence and priority for conditional access controls. When compliance, MFA, and Hybrid Azure AD join are all checked – how does Intune determine which one is to be applied? If MFA is checked, will it always be presented to the user, or will it not be used when a device is compliant? What logic is used? Sadly the documentation is lacking for this.

    9 votes
    1 comment  ·  Multi-factor Authentication
  8. One of the things I miss is RADIUS support which can authenticate against Azure AD.

    Azure MFA with RADIUS extension requires a big setup. Azure has everything except RADIUS support.
    I ended up using foxpass. That would be a nice addition.

    9 votes
    1 comment  ·  Multi-factor Authentication
  9. Use Cortana's voice for Azure MFA phone verification/callback service

    Azure MFA already has support for custom voice messages [1].

    To provide a consistent experience across all Windows 10 devices, it would be neat if the Azure MFA callback service had Cortana's voice.

    This would also allow Azure MFA to benefit from the Cortana accent regionalisation efforts (American English for en-us, Australian English for en-au).

    [1] https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/#custom-voice-messages

    9 votes
    0 comments  ·  Multi-factor Authentication
  10. Converged MFA and SSPR

    We have enabled the converged Multi-factor Authentication (MFA) and Self-Service Password Reset (SSPR). I feel this is easier for end users to update their info as it is all in one place. However, there should be some indication on each type of authentication/security option for what it can be used for (SSPR or MFA or both). This would help non-technical end users understand the configuration better.

    8 votes
    1 comment  ·  Multi-factor Authentication
  11. Preserve MFA enrollment settings when changing from User State mode to Conditional Access

    We enrolled MFA a long time ago when the standard enrollment type was user state mode, and we got 3000 users enrolled. Now we are considering changing from User State mode to Conditional Access mode, but we have identified a major blocker in this change.
    To use CA we need to set the User State to MFA disabled and activate the CA policy, but when the CA policy enforces the user to use MFA the user needs to enroll in MFA again! I really don't understand why you have implemented it in this way, we need to have the possibility…

    8 votes
    0 comments  ·  Multi-factor Authentication
  12. Add MFA support for server login including console mode (not RDP)

    I see many companies are using third-party MFA solutions to secure their servers.
    These solutions have a 3rd-party add-on that modifies the GINA.dll so the server login screen has an additional field for OTP or a wait mechanism for push notifications. The add-on applies for both RDP and direct (console) connections without the need for RDG, and works on servers 2008 R2 to 2016.

    Azure AD MFA should also be able to:
    1. Leverage GINA.dll (it is MS code)
    2. Be able to pass requests to and from MFA Server or NPS Server
    3. It should be agent-less…

    8 votes
    0 comments  ·  Multi-factor Authentication
  13. Better MFA solution for Remote Desktop access to servers

    Currently, requiring MFA for RDP access to domain servers requires going through a RD Gateway (AFAIK). It would be great to be able to require MFA at the server level and have such servers connect to Azure MFA for the second factor without having to go through a RD Gateway. Maybe proxy the Azure auth connection through an on-premises server... The RD Gateway method is slow and clunky.

    8 votes
    1 comment  ·  Multi-factor Authentication
  14. mfa

    For MFA signup policy, it would be best to offer a 'user opt-in' option, rather than forced YES or NO. We are seeing a use-case where this would be needed as some users simply can't deal with the complexity.

    8 votes
    1 comment  ·  Multi-factor Authentication
  15. Set UK Phone Number as Caller ID for Azure Multi-Factor Authentication

    As our customer base is entirely in the UK we would like to set the caller ID to be from a UK number so that customers feel more assured about the two factor process.

    8 votes
    1 comment  ·  Multi-factor Authentication
  16. Move Identity Protection MFA Registration Policy to Azure AD Free or AADP1

    Each customer needs an easy way to request the MFA registration of his employees. With Conditional Access the registration is unfortunately only requested when the employee needs MFA for the first time, but the previous registration would be much better. Therefore, please move the Identity Protection MFA Registration Policy to Azure AD Free or at least AADP1.

    Yes security defaults would accomplish this but I have a lot of AADP1 / E3 customers that would like to enforce the enrollment. A workaround would be via SSPR reg policy. The CA policy with user action would only "secure" the registration not…

    7 votes
    1 comment  ·  Multi-factor Authentication
  17. provide a radius service for azure active directory so vpn clients can use azure mfa

    provide a radius service for azure active directory so vpn clients can use azure mfa

    7 votes
    0 comments  ·  Multi-factor Authentication
  18. Azure Multi-Factor Authentication (MFA) - Microsoft Authenticator code reset options

    Provide us with the ability to ensure the MFA code reset password can be chopped up and sent to multiple individuals.

    I.e. the first half of the code gets sent to you and the second half gets sent to the IT Security Manager, System Admin or other Manager.

    Reason being is that I updated my work phone and needed to reset my Microsoft Authenticator code through the authentication web page. I followed the prompts to have it reset and the code was sent to my phone, from there I was able to scan the QR code on the screen and…

    7 votes
    0 comments  ·  Multi-factor Authentication
  19. Provide support in ADAL4J library to authenticate MFA enabled user

    We are using ADAL4J library for Azure AD User Authentication, which enables a Native Client Application to do authentication using Username and Password without User Interaction. But for Multi Factor Authentication enabled Azure AD Users, Authentication is failing with AdalClaimsChallengeException with no API to provide the second factor.

    Please provide support for authenticating MFA enabled user using ADAL4J library.

    7 votes
    0 comments  ·  Multi-factor Authentication
  20. Provide additional details about a push notification (ie, source ip, source service, time, logs, etc)

    As we are starting to push MFA in our organisation, it will become more common to have popups from the authenticator app. We have issues where many of our user accounts get compromised, and we have noticed that some users just blindly click accept for a MFA push notification.

    What we would like to see is the ability to push more information along with the notification. This could possibly be done by sending specific VSAs to our NPS Radius server which in turn could deliver these variables to the client.

    Ie, source IP address, source country, source service (vpn, outlook,…

    7 votes
    0 comments  ·  Multi-factor Authentication