Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Enable usage of attribute "StrongAuthenticationUserDetails" for dynamic group membership

    Currently the attribute StrongAuthenticationUserDetails cannot be used for Dynamic Security Groups in Azure (on which we would like to apply conditional access). Could this be added as one of the additional attributes for a complex dynamic membership rule?

    7 votes
    2 comments  ·  Multi-factor Authentication
  2. Add a filter to show "disabled" multi-factor users

    The multi-factor authentication users list has three filters currently

    All
    Enabled
    Enforced

    When the most important thing for me to know is the users who DON'T have multi-factor enabled, wouldn't it make sense to have a filter for "disabled"?

    Right now I have to page through 300 users looking for any that are "disabled" because I can't even sort by this column.

    Anyway, I am requesting that a filter for "disabled" be added and the ability to click the column headers to sort.

    7 votes
    2 comments  ·  Multi-factor Authentication
  3. Azure MFA is 2-step. It needs to be 2-factor.

    Our PCI auditor told us that Azure MFA will not be compliant with DSS 3.2 starting in January 2018.

    7 votes
    0 comments  ·  Multi-factor Authentication
  4. Set context/description for MFA bypass IP address subnets

    It would be great if Microsoft would provide a field that would allow an IT security admin to set a description for the IP address subnets that he/she is whitelisting for MFA bypass.

    Basically just the same as the Azure AD Reporting team did for trusted locations.

    Thanks!

    @Shawn Bishop

    7 votes
    1 comment  ·  Multi-factor Authentication
  5. Manage Multi Factor Authentication via Group association

    Please add the option to add Multi Factor Authentication to Groups. Makes it much easier to manage.

    7 votes
    2 comments  ·  Multi-factor Authentication
  6. MFA “Remember Me” should work with Guest accounts

    “Remember Me” works with Member accounts but not Guest accounts. Guest accounts don’t get the “don’t ask me again for x days” prompt. Remember me is an element of the overall MFA policy, and with CA policies lets me decide how to balance authentication assurance and risk with what the resulting user experience is. I typically don’t discriminate between member and guest accounts in my MFA and CA policies, and I am generally shooting for a typical online consumer banking like MFA experience for all of my users. Right now I can’t achieve that with my guest users.

    6 votes
    2 comments  ·  Multi-factor Authentication
  7. Exchange ActiveSync and MFA

    Currently Exchange ActiveSync logins are not recorded correctly in Azure AD MFA, and therefore we cannot see if MFA was requested for users, especially for sign-ins from unfamiliar locations. They appear to not have MFA applied.

    6 votes
    0 comments  ·  Multi-factor Authentication
  8. MFA For Admin Baseline needs more granular settings

    We were introduced to the new securescore.com items recently as we started working with MFA & Conditional access policies to help better protect our workforce at large, & the very first item on our secure score checklist was "Enable MFA For admins" using the baseline to improve our score.

    Yesterday we tried switching this on & basically had to disable it due to impacts it had on mail enabled admin accounts & causing headaches with Outlook & Mobile device email by forcing those end points to have to re-authenticate daily to receive email.

    We would like to propose adding more…

    6 votes
    0 comments  ·  Multi-factor Authentication
  9. Azure MFA verification options scoped to security group

    The verification options seem to be a global tenant setting. We'd like the ability to scope the options to security groups. GroupA would have one set of methods and GroupB could use a different set of methods, e.g.:

    GroupA Methods = {Text message to phone, Notification through mobile app, Verification code from mobile app or hardware token}

    GroupB Methods = {Text message to phone, Verification code from mobile app or hardware token}

    6 votes
    2 comments  ·  Multi-factor Authentication
  10. Management portal for enrolled MFA using conditional access users

    Hi

    Azure AD conditional access is a great thing.
    But when using it and, for example, forcing a group to use MFA,
    the users are registered and enrolled.
    But as admin, I don't have any way to manage those users via GUI; I can manage them and check if they are enrolled via PowerShell.
    Is there any plan to create a dashboard that will assist in managing users who already enrolled in MFA that was required via conditional access?

    6 votes
    0 comments  ·  Multi-factor Authentication
  11. Under MFA Server > activity report it'd be nice if we could schedule an email to be sent

    Under MFA Server > activity report, instead of having to download the report manually, it'd be nice if a report could be scheduled to be sent via email.

    6 votes
    0 comments  ·  Multi-factor Authentication
  12. 6 votes
    0 comments  ·  Multi-factor Authentication
  13. Offer granular controls for "Require Multi-Factor Auth to join devices" setting

    The setting "Require Multi-Factor Auth to join devices" always applies to all users and all kinds of device registrations (e.g. Device Registrations and Intune enrolments). As with other access controls (like Conditional Access for example), this setting should allow more granular controls.

    For example: To require MFA for device registrations done because of MAM without enrollment policies (Intune App Protection Policies without enrollment) you currently have to enable the setting mentioned above.
    -> This then automatically also enables MFA requirements for ALL Intune enrollments, without any way to exempt certain user groups or any other controls.

    Please offer some control…

    6 votes
    1 comment  ·  Multi-factor Authentication
  14. Allow AD attributes to be passed to RADIUS clients in Azure MFA

    Azure MFA can pass static values to RADIUS clients. Could this be expanded to pass values stored as AD attributes from the authenticated user on to the client?

    6 votes
    0 comments  ·  Multi-factor Authentication
  15. Public API for Azure MFA cloud service

    With Azure MFA Server no longer supported for new installations as of mid-2019, RADIUS is no longer an option for Azure MFA authentication. I want to use a different (non-AzureAD) primary auth method and use Azure MFA only as a 2nd auth factor - but there is no SDK or public API access to Azure MFA cloud service. This would be very helpful now that Azure MFA server is being deprecated.

    5 votes
    1 comment  ·  Multi-factor Authentication
  16. Provide more specific error message for user MFA proof up

    When a user is blocked for MFA and tries to proof up MFA at aka.ms/mfasetup, the returned error message is not so helpful. It just shows "please check the phone number you specified or change your preferred option", along with a correlation ID and session ID. It would be better to return the specific failure reason so we could save a lot of time troubleshooting.

    5 votes
    1 comment  ·  Multi-factor Authentication
  17. Allow the creation of custom administrator roles in Azure Active Directory

    Allow the creation of custom administrator roles in Azure Active Directory. In our case we want to assign rights to our helpdesk to allow them to reset users' MFA, forcing them to proof up. The Authentication Administrator role allows for this but also grants too many other permissions that we don't want to give. Creating a custom role allowing for just MFA reset would resolve this.

    5 votes
    0 comments  ·  Multi-factor Authentication
  18. Allow E.164 formatted data for Office Phone in Azure MFA registration page

    Office Phone in the Azure MFA registration page usually gets its data synced from Azure AD, but it will fail to get the data and display it on the Azure MFA registration page if Azure AD has the data in E.164 standard format.

    Either let the users enter the office phone in the MFA registration page https://aka.ms/setup by themselves or allow the E.164 standard format from Azure AD to the Azure MFA registration page.

    5 votes
    0 comments  ·  Multi-factor Authentication
  19. Request code during MFA authentication - Conditional access

    To reduce the risk of identity theft or of employees who always press approve on their mobile phone during the 2-step validation, could it be possible to add a request code so the user can validate that he/she approves a legitimate authentication request?

    For integrity purposes, this process will give the end user the opportunity to easily identify from which application he/she initiated the authentication and approve the right request on their mobile device during the MFA notification (phone call or by the Authenticator app).

    This feature is already in place for 2FA validation for personal accounts (hotmail.com email address…

    5 votes
    2 comments  ·  Multi-factor Authentication
  20. See recent MFA events, source IP, & requested app

    On the mobile app, display source IP and requested app in the prompt, as well as show recent requests in a list sortable by timestamp

    5 votes
    0 comments  ·  Multi-factor Authentication