Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new login experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account uses the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

  1. Remove requirement for onprem Exchange when using DirSync

    As per: http://tinyurl.com/kqgjvqx

    Currently, for a small business that wants password sync but makes the move to 365, they have to keep Exchange running on premise simply to be able to edit user attributes related to Exchange. An Active Directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.

    313 votes
    34 comments  ·  Azure AD Connect
  2. Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

    Currently, to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC, we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

    This is obviously not ideal. We are currently having to perform the rollover task manually each month.

    Please look at how this process could be improved for automation.

    193 votes
    34 comments  ·  Azure AD Connect

    We are currently working on an approach that will allow Tenant Admins to do key rollover from the Azure AD portal, without the need for PowerShell or scripting. This will be released within the next 4-6 months. Subsequently, we will release an update that will perform key rollover automatically every 30 days.

    Swaroop

  3. Allow Conversion of AD Synced Accounts to "In Cloud Only"

    Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
    After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.

    Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.

    125 votes
    47 comments  ·  Azure AD Connect
  4. Enable User Writeback to On Premise AD from Azure AD

    We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...

    101 votes
    11 comments  ·  Azure AD Connect

    Hi – this is not a feature we are planning in AADConnect. We’re currently designing a new feature based on a new technology that would allow us to write back users and groups from AAD to various different targets – AD, other directories, applications – and hope to be able to tell you more about it in the coming months.

    Rob de Jong

  5. Unattended installation Azure AD Connect

    Provide the ability to perform unattended/silent installation of Azure AD Connect using either or both a command line or an answer file for the installation parameters.

    This is highly needed for redeployment of test/dev environments, and especially for hosting/service providers with many customers.

    93 votes
    14 comments  ·  Azure AD Connect
  6. Update UPN-Suffix Change from one federated UPN Suffix to another federated UPN Suffix

    According to Support Article 2669550 (https://support.microsoft.com/en-us/help/2669550), AzureAD Connect doesn't update a user’s userPrincipalName in AzureAD when we change the user's UPN suffix from one federated domain to another federated domain. So we need to fix such changes manually or with a custom script.
    I understand that preventing such updates by AzureAD Connect is a good choice for many customers. But for customers with several dozens or hundreds of federated domains, I would like to have a choice whether to sync such changes using AzureAD Connect or leave it on the default behavior of not allowing UPN changes from one federated…

    67 votes
    10 comments  ·  Azure AD Connect
  7. Support for multi-valued attributes synchronized from on premises AD

    AD Connect supports synchronizing multi-valued attributes to AAD.
    However, AAD doesn't support multi-valued attributes synchronized from on premises AD.

    Would be great to have this supported so that for example Dynamic Groups can use multi-value attributes for group membership rules.

    64 votes
    14 comments  ·  Azure AD Connect
  8. Introduce account 'unlock' feature when an account gets locked out during passthrough authentication. (instead of waiting for 30 minutes)

    It will be very helpful if we have the ability to unlock on demand when an O365 user's account is locked (self service), without waiting for the account lockout duration. Currently this feature was confirmed by MS tech that it does not exist and that the end user has to wait for the account lockout duration period. This is especially useful for accounts that are sync'd via AAD Connect and pwd reset in O365 does not apply because the account is a sync'd account.

    57 votes
    2 comments  ·  Azure AD Connect
  9. Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)

    Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disables user accounts in Active Directory to support this scenario.

    I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false if the user's account expires in the local Active Directory.

    Aaron posted a great workaround solution:
    https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/

    We would like something built into Active AD Connect that solves this out of the box.

    55 votes
    7 comments  ·  Azure AD Connect
  10. Enable changing a password when it is set with the flag ForceChangePasswordNextSignin in Active Directory on premises

    We would like to change a password from AAD when the account has the flag ForceChangePasswordNextSignin ON in Active Directory on premises.

    38 votes
    0 comments  ·  Azure AD Connect
  11. Azure AD Connect has a limitation to sync 50k members in any group as per Microsoft article. But it does not sync 50k members if count is more

    Azure AD Connect has a limitation to sync 50k members in any group as per Microsoft article. But it does not sync 50k members if count is more. We synced 65K members, out of which it only synced 29K. When it reached 29K it recognized the member count is more than 50 and it stopped syncing members. It should at least sync 50K members and then stop.

    31 votes
    3 comments  ·  Azure AD Connect
  12. Allow password expiration policy to sync from on-prem AD to Azure AD

    Why doesn't a user's cloud password expire when the on-prem password expires? We use an Azure Application Proxy App to securely publish an extranet to many employees and vendors who never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.

    30 votes
    8 comments  ·  Azure AD Connect
  13. Enable "Owner" attribute for Group Object on Azure AD Connect Sync

    Currently, the group owner on Azure AD Portal is mapped to "Owner" attribute while the Office 365 Admin Portal is mapped to "ManagedBy". For a group which is synced from local AD to the AAD via AAD Connect, there is no way to update the "Owner" attribute on Azure AD.

    The AAD Connect does not support "Owner" attribute for sync and we can't assign "Owner" on Azure AD as it is a synced object.

    So to resolve this issue, the "Owner" attribute should be supported as an attribute for sync on the Azure AD Connect.

    29 votes
    1 comment  ·  Azure AD Connect
  14. The seamless SSO feature does not work with Windows 10 and Edge browser. Can this be enabled?

    The seamless SSO feature we have enabled through AAD Sync does not work with Windows 10 and Edge browser. Can this be fixed? It only works in IE and Chrome. Thank you.

    28 votes
    4 comments  ·  Azure AD Connect
  15. Ability to export Azure Active Directory Connect configuration to a backup server

    Our configuration changes often and there is a concern the backup server (in Staging Mode) may not get updated, by an oversight. Then on the day we cut over, a department may get impacted by not being in the search scope.

    A simple way to export the configuration (new connectors, search scope, custom attributes, etc.) to the backup server may reduce the chance of this happening.

    21 votes
    5 comments  ·  Azure AD Connect
  16. Optional Automatic Fallback from PTA to PHS

    If the last PTA agent fails and the sync group has only invalid agents, there should be an optional configuration to start Password Sync automatically, if the admin chooses this, for truly HA with a local disaster (or internet connectivity failure). Also, sending a notification when the authentication endpoint fails would be great.

    20 votes
    1 comment  ·  Azure AD Connect
  17. 20 votes
    3 comments  ·  Azure AD Connect
  18. Allow to sync authentication data (Alternate Email, Mobile Phone, etc) with Azure AD Connect.

    The only seemingly supportable way that is currently documented to synchronize the authentication data properties in Azure AD is to use PowerShell.

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-data

    This is not really a great Enterprise method to manage and keep user data up to date. For multiple reasons in various cases we prefer to set some of these properties for our user population. It would be a much better scenario to be able to use the already existing on-prem to Azure AD sync tool that is Azure AD Connect.

    19 votes
    0 comments  ·  Azure AD Connect
  19. Fix AD Connect auto-update mechanism so it doesn't cause VSS SQL failures

    Issue has been going on for at least a year. When AD Connect auto-updates, it messes something up with its 'SQL Server 2012 Express LocalDB' instance such that VSS backups of the server fail until addressed.

    'Fix' is to run a repair installation of the LocalDB instance, after which the VSS operations succeed without requiring a server reboot.

    https://forums.veeam.com/veeam-backup-replication-f2/bunch-of-servers-vss-writer-errror-0x800423f4-t37483.html

    19 votes
    5 comments  ·  Azure AD Connect
  20. Enable UPN suffixes of on-premise domains to be synchronised to Azure AD and be used with the Seamless SSO feature

    Currently any UPN suffixes in an on-premise domain are not picked up in the Seamless SSO domains feature of the Azure AD Connect. It would be great if UPN suffixes could be added to the Seamless SSO domains, as they are picked up by Azure AD Connect and uploaded to Azure AD as a user's UPN anyway.

    18 votes
    4 comments  ·  Azure AD Connect