Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Remove requirement for onprem Exchange when using DirSync

    as per : http://tinyurl.com/kqgjvqx

    Currently, a small business that wants password sync but makes the move to 365 has to keep Exchange running on premises simply to be able to edit user attributes related to Exchange. An Active Directory DLL, standalone app or simply support in the 365 portal would solve this for so many customers.

    418 votes  ·  44 comments  ·  Azure AD Connect
  2. Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

    Currently, to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC, we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

    This is obviously not ideal. We currently have to perform the rollover task manually each month.

    Please look at how this process could be improved for automation.

    285 votes  ·  53 comments  ·  Azure AD Connect

    Hi everyone,
    Thanks for your interest in this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have in the feature, and that’s how we are looking at it while prioritizing it against other capability requests.
    Thanks for your patience!

    Jairo Cadena
    Principal Program Manager
    Microsoft Identity

  3. Allow Conversion of AD Synced Accounts to "In Cloud Only"

    Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
    After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.

    Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.

    201 votes  ·  57 comments  ·  Azure AD Connect

    We are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
    We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”.
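    The delete-and-restore procedure this thread calls the "hack", scripted as an added example (it is not code from the post or from Microsoft). It uses the MSOnline module and assumes Connect-MsolService has already been run as a Global Administrator, and that the user's AD object has already been moved out of Azure AD Connect's sync scope with a delta sync completed, so the cloud object is in the soft-deleted state. The UPN parameter is a placeholder.

```powershell
# Added example: convert a soft-deleted synced user into a cloud-only user.
# Assumes: MSOnline module, Connect-MsolService already run as Global Admin,
# and the AD object already out of sync scope + delta sync done.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # e.g. jdoe@contoso.com (placeholder)
)

# 1. Confirm the object is in the soft-deleted container (Azure AD keeps it for 30 days).
$deleted = Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
if (-not $deleted) {
    throw ("$UserPrincipalName is not soft-deleted. Move the AD object out of sync scope and run " +
           "'Start-ADSyncSyncCycle -PolicyType Delta' on the Connect server first.")
}

# 2. Restore it. The restored object still carries the ImmutableId (base64 of the
#    on-prem objectGUID), so Connect would hard-match it again if the AD object
#    ever came back into scope.
Restore-MsolUser -UserPrincipalName $UserPrincipalName

# 3. Break the link. Clearing ImmutableId is what makes the object cloud-only.
#    "$null" in double quotes expands to an empty string, which Set-MsolUser
#    treats as "clear the attribute".
Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId "$null"

# 4. Verify: ImmutableId must now be empty.
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName
[pscustomobject]@{
    UserPrincipalName = $user.UserPrincipalName
    ImmutableId       = $user.ImmutableId
    LastDirSyncTime   = $user.LastDirSyncTime
    IsCloudOnly       = [string]::IsNullOrEmpty($user.ImmutableId)
}
```

    Two things to check afterwards. The user's cloud password is whatever hash was last synchronized, so force a reset if the on-prem account is being retired. And if an AD account with the same UPN or SMTP address ever enters sync scope again, Connect will soft-match and re-link it, so delete or rename the on-prem account rather than leaving it around.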

  4. Enable User Writeback to On Premise AD from Azure AD

    We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...

    127 votes  ·  13 comments  ·  Azure AD Connect
  5. Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)

    Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disables user accounts in Active Directory to support this scenario.

    I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the users account expires in the local Active Directory.

    Aaron posted a great workaround solution:
    https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/

    We would like something built into Azure AD Connect that solves this out of the box.

    87 votes  ·  11 comments  ·  Azure AD Connect
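    The scripted workaround the post refers to, written out as an added example (not the post's code and not Microsoft's script). It relies on the default Connect rule that derives accountEnabled from userAccountControl, so disabling the AD account is what flows to Azure AD. Assumes the RSAT ActiveDirectory module and, for the optional sync trigger, the ADSync module on the Connect server; the SearchBase default is the whole domain and should be narrowed to an OU in production.

```powershell
# Added example: disable on-prem AD accounts whose accountExpires date has passed
# so that Azure AD Connect flows accountEnabled = false on the next delta sync.
# Assumes RSAT ActiveDirectory module; ADSync module only for -TriggerDeltaSync.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string] $SearchBase = (Get-ADDomain).DistinguishedName,  # narrow to an OU in production
    [switch] $TriggerDeltaSync
)

# Search-ADAccount -AccountExpired handles the accountExpires semantics for us:
# 0 and 9223372036854775807 both mean "never expires", and the raw value is a
# FILETIME, so comparing it by hand is easy to get wrong.
$expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled }   # only act on accounts that are still enabled

foreach ($acct in $expired) {
    $u = Get-ADUser -Identity $acct.DistinguishedName -Properties AccountExpirationDate, userAccountControl
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Disable (expired $($u.AccountExpirationDate))")) {
        Disable-ADAccount -Identity $u
        # Leave a trail on the object itself; 'info' is the Notes field in ADUC.
        Set-ADUser -Identity $u -Replace @{
            info = "Disabled $(Get-Date -Format o): account expired $($u.AccountExpirationDate)"
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            ExpiredOn         = $u.AccountExpirationDate
            UACBefore         = $u.userAccountControl
        }
    }
}

# Optional: ask the Connect server for a delta sync now instead of waiting for the
# 30-minute scheduler, so accountEnabled = false reaches Azure AD sooner.
if ($TriggerDeltaSync -and $expired -and -not $WhatIfPreference) {
    Import-Module ADSync -ErrorAction Stop
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

    Run it with -WhatIf first. Note that disabling the account does not invalidate refresh tokens the user already holds in the cloud; if the account is a risk rather than just expired, revoke them separately (Revoke-AzureADUserAllRefreshToken in the AzureAD module) after the disable has synchronized.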
  6. Introduce account 'unlock' feature when an account gets locked out during passthrough authentication. (instead of waiting for 30 minutes)

    It would be very helpful if we had the ability to unlock on demand when an O365 user's account is locked (self service), without waiting for the account lockout duration. MS tech support confirmed that this feature currently does not exist and that the end user has to wait for the account lockout duration period. This is especially useful for accounts that are sync'd via AAD Connect, where pwd reset in O365 does not apply because the account is a sync'd account.

    75 votes  ·  3 comments  ·  Azure AD Connect
  7. Add support for Kerberos AES and drop RC4_HMAC_MD5

    Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature" the "Seamless SSO uses the RC4_HMAC_MD5 encryption type for Kerberos."
    Please add support for modern ciphers and drop that obsolete RC4_MD5!

    72 votes  ·  7 comments  ·  Azure AD Connect
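    An added example, not code from these posts or from Microsoft, that serves both the key-rollover request (idea 2) and the encryption-type request above: it audits the AZUREADSSOACC computer account, reporting how old its Kerberos key is (the key is the computer account password, so PasswordLastSet is its age) and which encryption types the account advertises, then optionally runs the documented rollover cmdlets when the key is past the 30-day rotation interval. Assumptions: the RSAT ActiveDirectory module; for the rollover, the AzureADSSO module at Azure AD Connect's default install path; and that credentials are prompted for interactively, which is exactly the limitation idea 2 complains about. The 30-day threshold and the SPN string checked are the ones from Microsoft's Seamless SSO guidance as I know it; treat them as assumptions to verify against the current docs.

```powershell
# Added example: audit the Seamless SSO computer account and roll its key if due.
# Assumes RSAT ActiveDirectory; AzureADSSO module only needed for -Rollover.
param(
    [int] $MaxKeyAgeDays = 30,   # Microsoft's recommended rotation interval (assumption)
    [switch] $Rollover
)

# msDS-SupportedEncryptionTypes is a bitmask (MS-KILE); decode it to names.
function ConvertTo-EncryptionTypeNames([int] $Mask) {
    $names = @{ 1 = 'DES_CBC_CRC'; 2 = 'DES_CBC_MD5'; 4 = 'RC4_HMAC_MD5';
                8 = 'AES128_CTS_HMAC_SHA1_96'; 16 = 'AES256_CTS_HMAC_SHA1_96' }
    if ($Mask -eq 0) { return @('(not set: DC default, which is RC4 for a computer account)') }
    $names.Keys | Sort-Object | Where-Object { $Mask -band $_ } | ForEach-Object { $names[$_] }
}

function Get-SeamlessSsoAccountStatus {
    $acc = Get-ADComputer -Identity 'AZUREADSSOACC' `
        -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes', servicePrincipalName
    $age = (Get-Date) - $acc.PasswordLastSet
    [pscustomobject]@{
        KeyLastRolled   = $acc.PasswordLastSet
        KeyAgeDays      = [int] $age.TotalDays
        RolloverDue     = $age.TotalDays -gt $MaxKeyAgeDays
        EncryptionTypes = ConvertTo-EncryptionTypeNames ([int] ($acc.'msDS-SupportedEncryptionTypes'))
        # The SPN browsers request a ticket for; assumed from the SSO docs.
        HasAutologonSpn = [bool] ($acc.servicePrincipalName -like 'HTTP/autologon.microsoftazuread-sso.com*')
    }
}

$status = Get-SeamlessSsoAccountStatus
$status | Format-List

if ($Rollover -and $status.RolloverDue) {
    # Documented rollover: sign in to the tenant (Global Admin prompt), then roll
    # the key for this forest with a Domain Admin credential (second prompt).
    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    New-AzureADSSOAuthenticationContext
    Get-AzureADSSOStatus | ConvertFrom-Json          # confirm SSO is enabled for this tenant
    $onPrem = Get-Credential -Message 'Domain Admin (DOMAIN\user) for the AZUREADSSOACC key rollover'
    Update-AzureADSSOForest -OnPremCredentials $onPrem
    Get-SeamlessSsoAccountStatus | Format-List       # KeyLastRolled should now be today
}
```

    Run Update-AzureADSSOForest once per forest in a multi-forest setup. The audit only reports what the account advertises; the key's encryption type is chosen by the rollover tooling, and the linked doc says that is RC4_HMAC_MD5, so do not edit the msDS-SupportedEncryptionTypes bits by hand expecting AES to work. If Microsoft later moves Seamless SSO to AES, a fresh rollover is where it would show up in this output.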
  8. Allow password expiration policy to sync from on-prem AD to Azure AD

    Why doesn't a user's cloud password expire when the on-prem password expires? We use an Azure Application Proxy App to securely publish an extranet to many employees and vendors who never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.

    56 votes  ·  11 comments  ·  Azure AD Connect
  9. Enable changing a password when the flag ForceChangePasswordNextSignin is set in Active Directory on premises

    We would like to change a password from AAD when the account has the flag ForceChangePasswordNextSignin ON in Active Directory on premises.

    41 votes  ·  1 comment  ·  Azure AD Connect
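    Both of the last two requests (idea 8, cloud password expiry for synced users; idea 9, honouring "must change password at next logon") map onto tenant-level switches in the ADSync module on the Connect server for password hash synchronization users. The following is an added example, not code from the posts or from Microsoft; it assumes an Azure AD Connect build recent enough to ship Get-ADSyncAADCompanyFeature / Set-ADSyncAADCompanyFeature, that it is run on the Connect server as a member of ADSyncAdmins, and that a Global Administrator prompt is acceptable. It does nothing for federated or pass-through authentication sign-in, where the on-prem DC evaluates the password.

```powershell
# Added example: enable cloud password expiry and force-change-at-next-logon
# for password-hash-synced users. Assumes ADSync module on the Connect server.
Import-Module ADSync -ErrorAction Stop

# Show the current state first; both features default to False.
$before = Get-ADSyncAADCompanyFeature
$before | Format-List

# Idea 8: stop stamping synced users as "password never expires" in the cloud.
# Once enabled, Azure AD applies ITS password policy (Get-MsolPasswordPolicy for
# the domain), not the on-prem GPO, and PHS carries the on-prem change across
# within minutes of a reset. May prompt for Global Administrator credentials.
if (-not $before.EnforceCloudPasswordPolicyForPasswordSyncedUsers) {
    Set-ADSyncAADCompanyFeature -EnforceCloudPasswordPolicyForPasswordSyncedUsers $true
}

# Idea 9: carry the on-prem "must change password at next logon" state
# (pwdLastSet = 0) to the cloud so the user is forced to change it at sign-in.
if (-not $before.ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
}

Get-ADSyncAADCompanyFeature | Format-List

# Cloud-side verification (MSOnline module, after Connect-MsolService):
# a synced user whose password has expired in the cloud shows LastPasswordChangeTimestamp
# older than the tenant policy and PasswordNeverExpires = False.
# Get-MsolUser -UserPrincipalName jdoe@contoso.com |
#     Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp
```

    Two caveats. The expiry switch does not rewrite existing users in one go: the DisablePasswordExpiration policy value is cleared from each synced user on their next password hash sync, i.e. their next on-prem password change; if you need it immediately for a user, clearing it on the cloud object with Set-MsolUser -PasswordNeverExpires $false is the direct route. And the force-change feature sends the user to change the password in the cloud, so pair it with password writeback; without writeback the new cloud password never reaches AD and the two passwords diverge until the next on-prem change.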
  10. Azure AD Connect has a limitation of syncing 50k members in any group as per the Microsoft article. But it does not sync 50k members if the count is more

    Azure AD Connect has a limitation of syncing 50k members in any group, as per the Microsoft article. But it does not sync 50k members if the count is more. We synced 65K members, of which it only synced 29K. When it reached 29K it recognized the member count is more than 50K and it stopped syncing members. It should at least sync 50K members and then stop.

    40 votes  ·  5 comments  ·  Azure AD Connect

    We cannot share any timelines right now. Our first iteration is to deploy and use a new service end point that would eventually be able to handle larger groups. It will likely take several months to get this deployed and tested before we can take a next step, which would be to increase the group size limit – probably to 250K members.
    If you want to be part of the private preview program, please reach out to me: rodejo@microsoft.com

  11. Ability to export Azure Active Directory Connect configuration to a backup servers

    Our configuration changes often and there is a concern the backup server (in Staging Mode) may not get updated - by an oversight. Then on the day we cut over a department may get impacted by not being in the search scope.

    A simple way to export the Configuration(new connectors, search scope, custom attributes etc ) to the backup server may reduce the chance of this happening.

    28 votes  ·  8 comments  ·  Azure AD Connect
  12. Admin audit function for Azure AD Connect Synchronization Service changes

    It would be helpful if, when an attribute being synced is unchecked or any change is made to the AAD sync connector configuration, it is logged to the AADConnect log or trace file, or reported in the event log with the changed sync values and the date, time, and sign-in account used.

    22 votes  ·  2 comments  ·  Azure AD Connect
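    Until such auditing is built in, the change trail can be produced from the outside. The script below is an added example (not code from these posts or from Microsoft) that fingerprints the synchronization rules and the connectors' attribute and object inclusion lists, compares them with the previous snapshot and reports every addition, removal and modification. Run on a schedule on the production server it gives the audit trail idea 12 asks for; run against a snapshot taken on the staging server it shows the configuration drift idea 11 worries about. It assumes the ADSync module on the Connect server, that the rule objects expose ScopeFilter, JoinFilter and AttributeFlowMappings and the connector objects AttributeInclusionList and ObjectInclusionList (property names as I know them from the module), and write access to the snapshot path, which is a placeholder.

```powershell
# Added example: detect changes to Azure AD Connect sync rules and connector
# attribute/object selections by diffing against a stored snapshot.
# Assumes the ADSync module on the Connect server; snapshot path is a placeholder.
param(
    [string] $SnapshotPath = 'C:\ProgramData\ADSyncAudit\config-snapshot.json',
    [switch] $Update   # overwrite the snapshot after reporting
)
Import-Module ADSync -ErrorAction Stop

$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-ObjectHash($Object) {
    $json  = ConvertTo-Json -InputObject $Object -Depth 8 -Compress
    $bytes = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($json))
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-ConfigFingerprint {
    # Rules: the fields an attacker or a careless admin would touch, plus a hash over
    # scope filter, join filter and attribute flows so any expression edit is caught.
    foreach ($r in Get-ADSyncRule) {
        [pscustomobject]@{
            Kind = 'Rule'; Identifier = "$($r.Identifier)"; Name = $r.Name
            Direction = "$($r.Direction)"; Precedence = $r.Precedence; Disabled = [bool] $r.Disabled
            Hash = Get-ObjectHash @($r.ScopeFilter, $r.JoinFilter, $r.AttributeFlowMappings)
        }
    }
    # Connectors: "Select Attributes" / "Select Object Types" in the Sync Service UI.
    foreach ($c in Get-ADSyncConnector) {
        [pscustomobject]@{
            Kind = 'Connector'; Identifier = "$($c.Identifier)"; Name = $c.Name
            Direction = 'n/a'; Precedence = 0; Disabled = $false
            Hash = Get-ObjectHash @($c.AttributeInclusionList, $c.ObjectInclusionList)
        }
    }
}

$current  = @(Get-ConfigFingerprint)
$previous = if (Test-Path $SnapshotPath) { @(Get-Content $SnapshotPath -Raw | ConvertFrom-Json) } else { @() }

$prevById = @{}; foreach ($p in $previous) { $prevById[$p.Identifier] = $p }
$currById = @{}; foreach ($c in $current)  { $currById[$c.Identifier] = $c }

$changes = @(foreach ($c in $current) {
    $p = $prevById[$c.Identifier]
    if (-not $p) {
        [pscustomobject]@{ Change = 'Added'; Kind = $c.Kind; Name = $c.Name; Detail = "precedence $($c.Precedence)" }
        continue
    }
    foreach ($field in 'Name', 'Direction', 'Precedence', 'Disabled', 'Hash') {
        if ("$($p.$field)" -ne "$($c.$field)") {
            [pscustomobject]@{ Change = 'Modified'; Kind = $c.Kind; Name = $c.Name; Detail = "$($field): $($p.$field) -> $($c.$field)" }
        }
    }
})
$changes += @(foreach ($p in $previous) {
    if (-not $currById.ContainsKey($p.Identifier)) {
        [pscustomobject]@{ Change = 'Removed'; Kind = $p.Kind; Name = $p.Name; Detail = '' }
    }
})

if ($changes.Count -gt 0) {
    $changes | Format-Table -AutoSize
    # Surface it in the Application log so a SIEM picks it up. Registering the
    # source needs local admin once. The sync config records no actor, so correlate
    # with Security log logon events (4624/4672) on this server for the "who".
    if (-not [System.Diagnostics.EventLog]::SourceExists('ADSyncConfigAudit')) {
        New-EventLog -LogName Application -Source 'ADSyncConfigAudit'
    }
    Write-EventLog -LogName Application -Source 'ADSyncConfigAudit' -EventId 4001 -EntryType Warning `
        -Message ("Azure AD Connect configuration changed since last snapshot:`n" + ($changes | Format-Table | Out-String))
} else {
    'No Azure AD Connect configuration changes since last snapshot.'
}

if ($Update -or $previous.Count -eq 0) {
    New-Item -ItemType Directory -Force -Path (Split-Path $SnapshotPath) | Out-Null
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content $SnapshotPath
}
```

    The reason this is worth the effort is that whoever can edit these rules on the Connect server can decide which on-prem attributes flow into Azure AD and how; a new inbound rule or a changed flow expression is a quiet way to alter cloud identities, and the server has no native record of such edits beyond the rule's own Version counter. Protect the snapshot file from the same administrators you are monitoring (store it off-box, or at least ACL it), otherwise it can be re-baselined along with the change.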
  13. Allow to sync authentication data (Alternate Email, Mobile Phone, etc) with Azure AD Connect.

    The only seemingly supportable way that is currently documented to synchronize the authentication data properties in Azure AD is to use PowerShell.

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-data

    This is not really a great Enterprise method to manage and keep user data up to date. For multiple reasons in various cases we prefer to set some of these properties for our user population. It would be a much better scenario to be able to use the already existing on-prem to Azure AD sync tool that is Azure AD Connect.

    22 votes  ·  1 comment  ·  Azure AD Connect
  14. Audit Azure AD Account Lockout for Pass-through Authentication.

    I would like to be able to view if an Azure AD account is locked out and have an audit trail of previous lockout events.
    Also there should be a way for an Admin to unlock an account.

    20 votes  ·  3 comments  ·  Azure AD Connect
  15. Specify intervals/Force upgrade option

    Please specify the intervals of automatic upgrade of AD connect or an option to force manually

    19 votes  ·  2 comments  ·  Azure AD Connect
  16. Fix AD Connect auto-update mechanism so it doesn't cause VSS SQL failures

    Issue has been going on for at least a year. When AD Connect auto-updates, it messes something up with its 'SQL Server 2012 Express LocalDB' instance such that VSS backups of the server fail until addressed.

    'Fix' is to run a repair installation of the LocalDB instance, after which the VSS operations succeed without requiring a server reboot.

    https://forums.veeam.com/veeam-backup-replication-f2/bunch-of-servers-vss-writer-errror-0x800423f4-t37483.html

    19 votes  ·  5 comments  ·  Azure AD Connect
  17. In Exchange Hybrid Mode, add Capability to writeback Mailbox Type Attributes to AD

    When Mailbox is changed from Mailbox to Shared Mailbox or Resources, we have to manually modify two attributes in AD: msExchangeRecipientTypeDetails and msExchangeRemoteRecipientType.

    We would like these attributes to be updated automatically.

    This step is often overlooked and causes issues for end users.

    19 votes  ·  0 comments  ·  Azure AD Connect
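    The manual edit the post describes, wrapped so the two attributes are always set together and to matching values, as an added example (not the post's code and not Microsoft's). The schema attribute names are msExchRecipientTypeDetails and msExchRemoteRecipientType; the numeric values are the Exchange recipient-type flags as documented for hybrid deployments and are the assumption this example rests on. It assumes the RSAT ActiveDirectory module, an Exchange-extended AD schema, and that the mailbox has already been converted in Exchange Online.

```powershell
# Added example: set the on-prem remote-mailbox type attributes after converting
# a mailbox in Exchange Online. Assumes RSAT ActiveDirectory + Exchange schema.
function Set-RemoteMailboxType {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('User', 'Shared', 'Room', 'Equipment')] [string] $Type,
        # msExchRemoteRecipientType base flag: 4 = Migrated (moved from on-prem),
        # 1 = ProvisionMailbox (created with Enable-RemoteMailbox). Assumed values.
        [ValidateSet(1, 4)] [int] $BaseFlag = 4
    )
    # msExchRecipientTypeDetails: one bit per remote type (assumed documented values).
    $details  = @{ User = 2147483648; Shared = 34359738368; Room = 8589934592; Equipment = 17179869184 }
    # msExchRemoteRecipientType: type bits added to the base flag (96 = Shared, 32 = Room, 64 = Equipment).
    $typeFlag = @{ User = 0; Shared = 96; Room = 32; Equipment = 64 }

    $u = Get-ADUser -Identity $Identity -Properties msExchRecipientTypeDetails, msExchRemoteRecipientType
    $wantDetails = [long] $details[$Type]
    $wantRemote  = [long] ($BaseFlag + $typeFlag[$Type])

    if ($u.msExchRecipientTypeDetails -eq $wantDetails -and $u.msExchRemoteRecipientType -eq $wantRemote) {
        Write-Verbose "$($u.UserPrincipalName) is already a remote $Type mailbox"
        return
    }
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Set remote mailbox type to $Type ($wantDetails / $wantRemote)")) {
        Set-ADUser -Identity $u -Replace @{
            msExchRecipientTypeDetails = $wantDetails
            msExchRemoteRecipientType  = $wantRemote
        }
    }
}

# Usage (placeholder identity); drop -WhatIf to apply, then run a delta sync.
Set-RemoteMailboxType -Identity 'jdoe' -Type Shared -WhatIf
```

    After the change, run Start-ADSyncSyncCycle -PolicyType Delta on the Connect server so Exchange Online sees the corrected type; leaving the two attributes out of step is what produces the end-user issues the post mentions, since on-prem Exchange and the cloud then disagree about what kind of recipient the object is.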
  18. Enable UPN suffixes of on-premise domains to be synchronised to Azure AD and be used with the Seamless SSO feature

    Currently any UPN suffixes in an on-premise domain are not picked up in the Seamless SSO domains feature of the Azure AD Connect. It would be great if UPN suffixes could be added to the Seamless SSO domains, as they are picked up by Azure AD Connect and uploaded to Azure AD as a user's UPN anyway.

    18 votes  ·  4 comments  ·  Azure AD Connect
  19. Support Inbound Synchronization from SuccessFactors

    HR systems are main sources of identity information such as supervisor - direct report relationships, position (job title) information which can be a basis for granting access, and so on.
    Workday inbound sync already exists: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-workday-inbound-tutorial
    Other HR systems should also be supported. My company uses SuccessFactors, hence my request.

    15 votes  ·  started  ·  5 comments  ·  Azure AD Connect
  20. High availability support for AAD Connect

    Please provide HA support for AAD Connect with automatic failover! The staging server process is hopeless, and it doesn't support a shared SQL DB. At the moment, the fastest way to do AAD Connect recovery in case the AAD Connect server is destroyed, is to have an default installed Win2016 server with the AAD Connect install files downloaded (and not installed). Due to the fact that both the production and staging server must have same version (or higher), there's a risk that some stuff will not work when you do a recovery to a second server and there's a version…

    14 votes  ·  started  ·  3 comments  ·  Azure AD Connect