Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Update UserType from portal
Be able to see and change the userType from the portal.
(This is only available in Powershell : example: change from Guest -> member, in order to see the directory as an external user.)Set-MsolUser -UserPrincipalName xxxhotmail.com#EXT#@xxxhotmail.onmicrosoft.com -UserType Member
328 votesThanks for the great feedback and comments. We are working on this, but don’t have an ETA yet. We will share an update when we are closer to release.
-
B2B Guest User Expiration
Looking for the functionality where you can schedule Azure B2B users to exist in your tenant for a predetermined period of time. This would operate similarly to the O365 Groups expiration functionality that exist today. Additionally, managers would be allowed to extend these periods of time and automated reminders would be sent to the manager of these users.
226 votesWe do have some capabilities in this space by using either Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) or the newly-released-to-preview Entitlement Management feature (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview).
If neither of those fulfill your requirements, please add a comment with your scenario for the feature to help us prioritize and design it better.
/Elisabeth
-
B2B Scenario - the B2B Guest User should use the MFA or their autheticating tenant
In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA ot access this information.
The B2B user would need to enroll into the MFA for my tenant, even though he already is setup to use MFA in his tenant. This would result in multiple Authenticator accounts for the same orignal Azure Account.
I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.120 votesWe’re working on features to make this experience better. Thanks for the feedback!
/Elisabeth
-
remove b2b user when host account is removed
We use Azure B2B extensively. However where B2B users have been into our directory and the user has left the third party organisation and thus had their account removed does not clean up the guest account records in our directory.
Over time this leaves thousands of 'orphaned' guest accounts in our directory, with no ability for our administrators to identify which accounts are orphaned. and thus numbers of guest users in our our directory expands over time infinity
Azure AD should automatically in the in the event of a user object being removed from the third party directory remove the…
108 votesThis is in our backlog, but votes and comments about how you would expect this to work are very helpful to our planning/designing the feature so please keep them coming.
Also, for some scenarios in this space Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) can be a good way of removing users who no longer need access, including those who don’t have accounts anymore. (Thanks Shawn for pointing that out for everyone!)
/Elisabeth
-
Allow Azure AD to Azure AD Trust
Add the ability to trust another 365 tenant like exists with on prem active directory. The scenario is a company that has an establish 365 acquires another company that has a 365 environment. In a on prem scenario a domain trust would be put in place, however federation and external user access is the only options. This capability needs to be in place for Azure AD to trust another Azure AD.
100 votesWe’re working on a few features in this space that will likely help address this scenario but don’t have an ETA yet to share. Thanks to the folks who have added additional details of what they’re looking for, and if you have more scenarios for how this capability could help you please do add them as comments.
Thanks,
Elisabeth -
Need some way to deal with: "AADB2B_0001 : We cannot create a self-service Azure AD account for you because the directory is federated"
Not all B2B invites can be redeemed successfully. Failures happen for reasons that are out of the inviters control (leading to an inability to fix the problem) and are not predictable (leading to poor user experience).
I suspect this problem happens most frequently when a partner organization bungles taking ownership of their tenant. MSFT needs to make it much harder for people to render their production tenant in such a disfunctional state.
96 votes -
Who created guest user
Hi,
Currently i have no possibility to see who created a guest-user, except going through the audit-logs.
Maybe the User inviting the guest could be automatically set to the "Manager" attribute(which is currently not available for guest users).Then the monthly review of created guest-accounts would be much easier to handle, as you could ask the inviter/manager if still needed.
77 votesThis is good feedback and is in our backlog but not currently under development. While we work on prioritizing/designing the feature, it’s helpful to hear from you how you would use this information in your scenarios. Please let us know by adding comments here.
Thanks,
Elisabeth -
Bring through external user profile fields when using B2B
Currently, when you invite someone from another AzureAD, using the B2B process, only their DisplayName and EmailAddress comes through (both of which are actually provided in the B2B CSV file).
It would be very useful if more profile information could be retrieved, possibly with the user's authorisation.
In particular, details like Firstname, Lastname and Country, would be a useful start, but potentially more profile fields (address, phone numbers, title, etc) would be ideal.
57 votesMarking this as part of our backlog. The votes and comments about how you would use this are really helpful, please keep voting/commenting if this is an interesting scenario for you.
/Elisabeth
-
Allow B2B Guest users to authenticate on Windows 10 Azure AD joined Devices
Allow B2B collaboration users (Guest users who signs in with an account that's managed by another Azure AD directory) login into Azure AD Windows 10 joined devices.
Use case: Collaboration between an educational institution and a public library. Adding student Azure AD (AAD) accounts from the educational institution as AAD Guest accounts in the public library AAD tenant would allow students to use their educational institution AAD credentials to login into the public library Windows 10 AAD joined devices.
45 votes -
Can i use Azure AD B2B collaboration together with Azure AD B2C within one tenant?
For external customers we will use Azure AD B2B to login in and for external users (from custom domains i.e. Hotmail.com, Outlook.com) we would like to use Azure AD B2C to log on.
So, one tenant with Azure AD B2B extension and Azure B2C extension coexisting.
34 votesWe’re still considering this, and would love to hear your scenarios for this combination. Please add comments to give us more details.
/Elisabeth
-
Azure AD B2B better support for users who don't know their organisation has O365
We invite quite a lot of external guests into our SPOnline tenant. Originally via the (old Azure portal) bulk add (CSV) B2B process, but more recently via the (new Azure portal) invite guest user B2B/B2C process.
We're getting more and more B2B users that fit into one or more of the following:
- Don't know their organisation has O365
- Don't know their O365 login (it's not always their email address)
- Their organisation/domain is registered for O365, but they don't have a license.
- Have O365, but aren't syncing their AD with AzureAD.
- Aren't able to get their IT to give them O365…
33 votesWe’ve made several improvements in this area to support users who don’t have O365 or who are using email addresses that differ from their O365 login information (such as supporting proxy addresses, direct federation support, and email one-time passcodes), but we know there’s more work to do in this space. Please let us know what other scenarios are causing you and your guests the most pain so we can use that information to triage and prioritize future investments.
/Elisabeth
-
customize B2B signup process
When working with partners it is critical to have customized and company specific branding and experience.
complete customization verification emails and domain name in signup URL
32 votesPlease add more comments to let us know what scenarios you’d complete using this feature, and upvote to help us understand its priority for you.
/Elisabeth
-
I want to restrict users of my tenants from being invited from other tenants.
I want to restrict users of my tenants from being invited from other tenants.
Now the administrator can not see where users of their tenants are accessing.
Since there is a security problem, I would like to have the ability to control the tenants that users will be invited as guest users.
28 votes -
Cross tenant support for managed identity
Please add support for cross tenant use of managed identities. Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant
26 votesThank you for reaching out to feedback suggestion forum. Please share more information around your scenario/use-case, end goal, what type of tenants/directories etc. this will help us to understand need and design this integration.
-
Permit OTP for users who do have a corresponding Azure AD account
We sometimes encounter situations where a user may actually have an existing Azure AD account (in another tenant) or and MSA - but we want to invite them as an OTP user.
The reason for this - using the existing AAD account as an example - is that this may be an account that is the product of some abandoned POC that this other org did. And as a result, the user does not know the password and SSPR may not be enabled. The result is that the user is unable to redeem a non-OTP invite.
For best flexibility, maybe…
25 votes -
OTP Precedence order and migration of existing B2B users
Currently, the new OTP B2B feature provides this as the default authentication type for non AAD or MS accounts. We want the ability to force this method of auth for those who already have MS accounts. We also want the ability to convert already invited users who are using MS and viral accounts to use OTP. This way, we only have to support two types of guest users - Those with organisational O365 accounts and those using OTP.
23 votes -
Make B2B guest accounts less sensitive to changes in the source AAD/MS account
I have a customer that uses B2B for any partner collaboration they do within their corporate environment.
There were partners that went through the following scenario's:
- They moved their AAD users to another AAD tenant due to a reorganization
- They changed company name and had a new UPN / SignInIn both cases the B2B account broke down. When the user tries to login they get the error: Sorry, but we’re having trouble with signing you in.
AADSTS50177: User account '' from identity provider 'https://sts.windows.net//' does not exist in tenant '' and cannot access…
20 votes -
Invitation (or import) Security Groups from other tenant
It would be great if we can import Security Groups from other tenant using Azure B2B.
18 votes -
Set a due date for guest users
Currently there are a lot of unneeded guest users in Azure AD.
So I want to set a due date for guest users.For instance, Guest users don't sign in for 90 days, it is deleted or blocked automatically.
17 votes -
Update displayed username for a guest user when its' UPN is changed
You can change UPN on guest users using PowerShell. You can even drop the "#EXT#"-part, and use any verified domain in the guest tenant, not only the initial onmicrosoft address.
One problem with this, is that the visible username for the actual guest user when logging into Azure for instance is not changed. It remains the email address used to invite the user initially. Even though the SMTP address or UPN used for inviting is removed from both the source and the guest tenant, this is still shown in the username.Request: Update displayed username for a B2B guest user…
17 votes
- Don't see your idea?