Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Azure AD - Conditional Access Policy - On-Premise MFA Server

    Azure AD should allow for redirect via a conditional access rule to On-Premise MFA Server and not just the cloud version of MFA. You can create a conditional access rule to redirect to other 3rd party MFA solutions such as DUO, but not your own Microsoft On-Premise MFA solution. This will allow for companies to leverage their on-premise MFA server, in which they may already have a large technology investment.

    10 votes
    0 comments  ·  Multi-factor Authentication
  2. Provide support in ADAL4J library to authenticate MFA enabled user

    We are using ADAL4J library for Azure AD User Authentication, which enables a Native Client Application to do authentication using Username and Password without User Interaction. But for Multi Factor Authentication enabled Azure AD Users, Authentication is failing with AdalClaimsChallengeException with no API to provide the second factor.

    Please provide support for authenticating MFA enabled user using ADAL4J library.

    9 votes
    0 comments  ·  Multi-factor Authentication
  3. Hardware OATH token management

    System should allow admin to upload all OATH tokens without associating with users. After that, admin should be able to assign users aBe activate token or remove token from users.

    This will help a lot. Also, minimizes the need to keep secret keys handy and reduces admin workload

    9 votes
    1 comment  ·  Multi-factor Authentication
  4. Different authentications options for MFA roles

    Currently you have one service-wide setting of MFA authentication options. It would be very useful to have different MFA settings for different user/usage roles, e.g. have phone, mobile app and OTP for general users but only app and OTP for high risk users.

    Background is, that some compliance frameworks (PCI DSS, NIST etc.) recommend not to use phone calls or SMS, but that some real life scenarios require just that - either for technical reasons or for ease of use (aka user acceptance). So for some user groups it may be OK or even necessary to use phone calls…

    9 votes
    1 comment  ·  Multi-factor Authentication
  5. Better MFA solution for Remote Desktop access to servers

    Currently, requiring MFA for RDP access to domain servers requires going through a RD Gateway (AFAIK). It would be great to be able to require MFA at the server level and have such servers connect to Azure MFA for the second factor without having to go through a RD Gateway. Maybe proxy the Azure auth connection through an on-premises server... The RD Gateway method is slow and clunky.

    9 votes
    1 comment  ·  Multi-factor Authentication
  6. precedence and priority for conditional access controls. When compliance, MFA, and Hybrid Azure AD join are all checked

    Hello All,
    One of my questions, that I’ve never been able to get answered, it’s not in the Microsoft documentation, is the question of precedence and priority for conditional access controls. When compliance, MFA, and Hybrid Azure AD join are all checked – how does Intune determine which one is to be applied? If MFA is checked, will it always be presented to the user, or will it not be used when a device is compliant? What logic is used? Sadly the documentation is lacking for this.

    9 votes
    1 comment  ·  Multi-factor Authentication
  7. Azure MFA Server Add AD user logins for their domain account

    Why weren't user domain logins one of the first things added to Azure MFA Server? That makes the most sense. I mean seriously. I understand application 2FA but user login without 2FA is an even higher security risk.

    9 votes
    1 comment  ·  Multi-factor Authentication
  8. One of the things I miss is RADIUS support which can authenticate against Azure AD.

    Azure MFA with RADIUS extension requires big setup. Azure has everything except RADIUS support.
    I ended up using foxpass. That would be a nice addition.

    9 votes
    1 comment  ·  Multi-factor Authentication
  9. Use Cortana's voice for Azure MFA phone verification/callback service

    Azure MFA already has support for custom voice messages [1].

    To provide a consistent experience across all Windows 10 devices, it would be neat if the Azure MFA callback service had Cortana's voice.

    This would also allow Azure MFA to benefit from the Cortana accent regionalisation efforts (American English for en-us, Australian English for en-au).

    [1] https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/#custom-voice-messages

    9 votes
    0 comments  ·  Multi-factor Authentication
  10. provide a radius service for azure active directory so vpn clients can use azure mfa

    provide a radius service for azure active directory so vpn clients can use azure mfa

    8 votes
    1 comment  ·  Multi-factor Authentication
  11. Converged MFA and SSPR

    We have enabled the converged Multi-factor Authentication (MFA) and Self-Service Password reset (SSPR). I feel this is easier for end users to update their info as it is all in one place. However, there should be some indication on each type of authentication/security option for what it can be used for (SSPR or MFA or both). This would help non-technical end users understand the configuration better.

    8 votes
    1 comment  ·  Multi-factor Authentication
  12. Control what NPS policies are forced for secondary auth to AAD MFA

    Control what NPS policies are forced authentication to AAD MFA. Currently installing the NPS extension forces ALL policies to have MFA enabled.

    Makes it very difficult to be able to roll out specifically desired use-cases. Premier states the only workaround will be to set up an LB in between two NPS Servers, with different policies = yuck.

    8 votes
    0 comments  ·  Multi-factor Authentication
  13. Add MFA support for server login including console mode (not RDP)

    I see many companies are using third-party MFA solutions to secure their servers.
    These solutions have 3rd party add-ons that modify the GINA.dll so the server login screen will have an additional field for OTP or will have a wait mechanism for push notifications. The add-on applies for both RDP and direct (console) connections without the need for RDG, and works on servers 2008 R2 to 2016.

    Azure AD MFA should also be able to:
    1. Leverage GINA.dll (it is MS code)
    2. Be able to pass requests to and from MFA Server or NPS Server
    3. It should be agent-less…

    8 votes
    0 comments  ·  Multi-factor Authentication
  14. radius client notified by NPS when challenge sent is in process

    Due to a technical limitation in the ASA firewall, for which the max retry interval of authentication cannot be set higher than 10 seconds (it's a bug but Cisco does not want to fix it), the radius client cannot be notified by NPS when challenge sent is in process, when "Notify me through app" or "Call my mobile/office phone" option is used.
    This leads to unnecessary dropped radius events in the NPS servers and unnecessary log events in the event viewer. I really would like NPS extension to be able to manage this kind of events. Thanks

    8 votes
    0 comments  ·  Multi-factor Authentication
  15. Provide Government MFA support for Azure File Shares, and allow integration with Azure Active Directory.

    Response from a recent Microsoft ticket "In short, MFA will not be possible for access to the Azure Files Shares, at least in the foreseeable future. Additionally, the Azure File Shares are not designed to integrate with Azure Active Directory." when trying to monitor/provide MFA support for accessing a file share on the Azure Government platform.

    8 votes
    1 comment  ·  Multi-factor Authentication
  16. mfa

    For MFA signup policy, it would be best to offer a 'user opt-in' option, rather than forced YES or NO. We are seeing a use-case where this would be needed as some users simply can't deal with the complexity.

    8 votes
    1 comment  ·  Multi-factor Authentication
  17. Set UK Phone Number as Caller ID for Azure Multi-Factor Authentication

    As our customer base is entirely in the UK we would like to set the caller ID to be from a UK number so that customers feel more assured about the two factor process.

    8 votes
    1 comment  ·  Multi-factor Authentication
  18. Always prompt for MFA for an Enterprise Application

    I'd like to mark a particular Enterprise Application as "critical" and always ask for MFA when a user is accessing it regardless of their logged in state.

    I.e. when accessing Payroll (SuccessFactors) or our Remote Access Tool - I want to ensure MFA is being asked for again (and again) every time they close that browser window/session/tab even if the user has a logged in session to O365 - any other enterprise app is fine and can be accessed if user is already logged in.

    7 votes
    1 comment  ·  Multi-factor Authentication
  19. Azure Multi-Factor Authentication (MFA) - Microsoft Authenticator code reset options

    Provide us with the ability to ensure the MFA code reset password can be chopped up and sent to multiple individuals.

    I.e. the first half of the code gets sent to you and the second half gets sent to the IT Security Manager, System Admin or other Manager.

    Reason being is that I updated my work phone and needed to reset my Microsoft Authenticator code through the authentication web page. I followed the prompts to have it reset and the code was sent to my phone, from there I was able to scan the QR code on the screen and…

    7 votes
    0 comments  ·  Multi-factor Authentication
  20. Provide additional details about a push notification (ie, source ip, source service, time, logs, etc)

    As we are starting to push MFA in our organisation, it will become more common to have popups from the authenticator app. We have issues where many of our user accounts get compromised, and we have noticed that some users just blindly click accept for an MFA push notification.

    What we would like to see is the ability to push more information along with the notification. This could possibly be done by sending specific VSAs to our NPS Radius server which in turn could deliver these variables to the client.

    Ie, source IP address, source country, source service (vpn, outlook,…

    7 votes
    0 comments  ·  Multi-factor Authentication