Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add MFA support for server login including console mode (not RDP)

    I see many companies are using third-party MFA solutions to secure their servers.
    These solutions have a 3rd party add-on that modifies the GINA.dll so the server login screen will have an additional field for OTP or will have a wait mechanism for push notifications. The add-on applies to both RDP and direct (console) connections without the need for RDG, and works on servers 2008 R2 to 2016.

    Azure AD MFA should also be able to:
    1. Leverage GINA.dll (it is MS code)
    2. Be able to pass requests to and from MFA Server or NPS Server
    3. It should be agent-less…

    8 votes
    0 comments  ·  Multi-factor Authentication
  2. Better MFA solution for Remote Desktop access to servers

    Currently, requiring MFA for RDP access to domain servers requires going through a RD Gateway (AFAIK). It would be great to be able to require MFA at the server level and have such servers connect to Azure MFA for the second factor without having to go through a RD Gateway. Maybe proxy the Azure auth connection through an on-premises server... The RD Gateway method is slow and clunky.

    8 votes
    1 comment  ·  Multi-factor Authentication
  3. mfa

    For MFA signup policy, it would be best to offer a 'user opt-in' option, rather than forced YES or NO. We are seeing a use-case where this would be needed as some users simply can't deal with the complexity.

    8 votes
    1 comment  ·  Multi-factor Authentication
  4. Set UK Phone Number as Caller ID for Azure Multi-Factor Authentication

    As our customer base is entirely in the UK we would like to set the caller ID to be from a UK number so that customers feel more assured about the two factor process.

    8 votes
    1 comment  ·  Multi-factor Authentication
  5. Move Identity Protection MFA Registration Policy to Azure AD Free or AADP1

    Each customer needs an easy way to request the MFA registration of his employees. With Conditional Access the registration is unfortunately only requested when the employee needs MFA for the first time, but the previous registration would be much better. Therefore, please move the Identity Protection MFA Registration Policy to Azure AD Free or at least AADP1.

    Yes security defaults would accomplish this but I have a lot of AADP1 / E3 customers that would like to enforce the enrollment. A workaround would be via SSPR reg policy. The CA policy with user action would only "secure" the registration not…

    7 votes
    1 comment  ·  Multi-factor Authentication
  6. Azure Multi-Factor Authentication (MFA) - Microsoft Authenticator code reset options

    Provide us with the ability to ensure the MFA code reset password can be chopped up and sent to multiple individuals.

    I.e. the first half of the code gets sent to you and the second half gets sent to the IT Security Manager, System Admin or other Manager.

    Reason being is that I updated my work phone and needed to reset my Microsoft Authenticator code through the authentication web page. I followed the prompts to have it reset and the code was sent to my phone, from there I was able to scan the QR code on the screen and…

    7 votes
    0 comments  ·  Multi-factor Authentication
  7. Provide support in ADAL4J library to authenticate MFA enabled user

    We are using ADAL4J library for Azure AD User Authentication, which enables a Native Client Application to do authentication using Username and Password without User Interaction. But for Multi Factor Authentication enabled Azure AD Users, Authentication is failing with AdalClaimsChallengeException with no API to provide the second factor.

    Please provide support for authenticating MFA enabled user using ADAL4J library.

    7 votes
    0 comments  ·  Multi-factor Authentication
  8. Provide additional details about a push notification (ie, source ip, source service, time, logs, etc)

    As we are starting to push MFA in our organisation, it will become more common to have popups from the authenticator app. We have issues where many of our user accounts get compromised, and we have noticed that some users just blindly click accept for an MFA push notification.

    What we would like to see is the ability to push more information along with the notification. This could possibly be done by sending specific VSAs to our NPS Radius server which in turn could deliver these variables to the client.

    Ie, source IP address, source country, source service (vpn, outlook,…

    7 votes
    0 comments  ·  Multi-factor Authentication
  9. Hardware OATH token management

    System should allow admin to upload all OATH tokens without associating with users. After that, admin should be able to assign users and activate token or remove token from users.

    This will help a lot. Also, minimizes the need to keep secret keys handy and reduces admin workload

    7 votes
    1 comment  ·  Multi-factor Authentication
  10. radius client notified by NPS when challenge sent is in process

    Due to a technical limitation in ASA firewall for whom the max retry interval of authentication cannot be set higher than 10 seconds (it's a bug but Cisco does not want to fix it) the radius client cannot be notified by NPS when challenge sent is in process, when "Notify me through app" or "Call my mobile/office phone" option is used.
    This leads to unnecessary dropped radius events in the NPS servers and unnecessary log events in the event viewer. I really would like NPS extension to be able to manage this kind of events. Thanks

    7 votes
    0 comments  ·  Multi-factor Authentication
  11. Add a filter to show "disabled" multi-factor users

    The multi-factor authentication users list has three filters currently

    All
    Enabled
    Enforced

    When the most important thing for me to know is the users who DON'T have multi-factor enabled, wouldn't it make sense to have a filter for "disabled"?

    Right now I have to page through 300 users looking for any that are "disabled" because I can't even sort by this column.

    Anyway, I am requesting that a filter for "disabled" be added and the ability to click the column headers to sort.

    7 votes
    2 comments  ·  Multi-factor Authentication
  12. Azure MFA is 2-step. It needs to be 2-factor.

    Our PCI auditor told us that Azure MFA will not be compliant with DSS 3.2 starting in January 2018.

    7 votes
    0 comments  ·  Multi-factor Authentication
  13. Manage Multi Factor Authentication via Group association

    Please add the option to add Multi Factor Authentication to Groups. Makes it much easier to manage.

    7 votes
    2 comments  ·  Multi-factor Authentication
  14. There seems to be no Azure AD role to manage OATH tokens

    Currently it seems only Global Admins can manage OATH tokens in Azure AD. Would be good if you could delegate that topic.

    6 votes
    0 comments  ·  Multi-factor Authentication
  15. MFA “Remember Me” should work with Guest accounts

    “Remember Me” works with Member accounts but not Guest accounts. Guest accounts don’t get the “don’t ask me again for x days” prompt. Remember me is an element of the overall MFA policy, and with CA policies lets me decide how to balance authentication assurance and risk with what the resulting user experience is. I typically don’t discriminate between member and guest accounts in my MFA and CA policies, and I am generally shooting for a typical online consumer banking like MFA experience for all of my users. Right now I can’t achieve that with my guest users.

    6 votes
    2 comments  ·  Multi-factor Authentication
  16. Always prompt for MFA for an Enterprise Application

    I'd like to mark a particular Enterprise Application as "critical" and always ask for MFA when a user is accessing it regardless of their logged in state.

    I.e. when accessing Payroll (SuccessFactors) or our Remote Access Tool - I want to ensure MFA is being asked for again (and again) every time they close that browser window/session/tab even if the user has a logged in session to O365 - any other enterprise app is fine and can be accessed if user is already logged in.

    6 votes
    1 comment  ·  Multi-factor Authentication
  17. Exchange ActiveSync and MFA

    Currently Exchange ActiveSync logins are not recorded correctly in Azure AD MFA, and therefore we cannot see if MFA was requested for users, especially for sign-ins from unfamiliar locations. They appear to not have MFA applied.

    6 votes
    0 comments  ·  Multi-factor Authentication
  18. MFA For Admin Baseline needs more granular settings

    We were introduced to the new securescore.com items recently as we started working with MFA & Conditional access policies to help better protect our workforce at large, & the very first item on our secure score checklist was "Enable MFA For admins" using the baseline to improve our score.

    Yesterday we tried switching this on & basically had to disable it due to impacts it had on mail enabled admin accounts & causing headaches with Outlook & Mobile device email by forcing those end points to have to re-authenticate daily to receive email.

    We would like to propose adding more…

    6 votes
    0 comments  ·  Multi-factor Authentication
  19. Email address is available in Azure MFA

    Currently, email address is available only in SSPR in Azure AD.
    But I would like to use the user's email in Azure MFA.

    For instance, users receive a verification code by email.
    Then users perform two-step verification using a verification code.

    6 votes
    1 comment  ·  Multi-factor Authentication
  20. Azure MFA verification options scoped to security group

    The verification options seem to be a global tenant setting. We'd like the ability to scope the options to security groups. GroupA would have one set of methods and GroupB could use a different set of methods, e.g.:

    GroupA Methods = {Text message to phone, Notification through mobile app, Verification code from mobile app or hardware token}

    GroupB Methods = {Text message to phone, Verification code from mobile app or hardware token}

    6 votes
    2 comments  ·  Multi-factor Authentication