Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. B2B: Please expose the "source" property in the Graph API

    We would like to have the Source attribute available in order to manage guest accounts differently based upon what kind of account it is ("Microsoft Azure Active Directory", "Microsoft account", or "Microsoft Azure AD (other directory)"). If the account is a Microsoft Account, we need to be able to have more scrutiny around it (i.e. check to see if the user still works for the partner company).

    16 votes

    0 comments  ·  Azure AD API
  2. Ability to filter users with onPremisesSamAccountName with Microsoft Graph API

    I would like to have a filter on the users API of Microsoft Graph API, where I will be able to filter the users based on onPremisesSamAccountName, which is currently not available with Graph API.

    We have the internal employee id stored in the onPremisesSamAccountName attribute, which is present in the users API of Microsoft Graph. We are trying to filter on the onPremisesSamAccountName property to filter based on the internal employee id. Currently we are not able to do that with Graph API, but we really need this to be working, or would be happy if we get to know any…

    8 votes

    2 comments  ·  Azure AD API
  3. Make it possible to get group license assignment error message via PowerShell or API.

    Currently, we can only see the group license assignment error message from the Azure portal UI.

    I want a feature that can get this error message using PowerShell or API.

    7 votes

    0 comments  ·  Azure AD API
  4. Restricting access to Azure Service Principals.

    Anyone who has the below information can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md
    #>

    The best possible scenario is to restrict it using RBAC. Agreed.
    An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.

    Can MS look into this, please?
    I had raised a case with MS…

    6 votes

    0 comments  ·  Azure AD API
  5. Deleted AAD Graph permissions remain.

    When the API access permission for AAD Graph was deleted from the registered application, it was deleted in the UI. However, the AAD Graph access permission that should have been deleted remained.

    Example:
    1. Grant Group.Read.All and User.ReadWrite.All with AAD Graph.
    2. The administrator consents to the granted permissions.
    3. Delete Group.Read.All.
    4. The administrator consents to the granted permissions.
    5. It has been deleted in the UI; however, the group information is still acquired as a result.
      I tried the same process as above with MS Graph, but I couldn't get group information.

    4 votes

    0 comments  ·  Azure AD API
  6. Create Azure AD programmatically

    My organization needs the capability for creating Azure AD programmatically. This is because the multi-tenant SaaS solution we have requires each client (an organization) to have their own Azure AD, where they will be part of a provider / consumer scheme and sometimes take on both roles (provider and consumer, such as a reseller). There are times where our clients will create and manage their own Azure AD and Azure Subscriptions. However, most of the client base we anticipate serving (acting as consumers) are small businesses and do not have the knowledge nor the staff to handle managing an Azure Subscription…

    4 votes

    0 comments  ·  Azure AD API
  7. 4 votes

    2 comments  ·  Azure AD API
  8. Allow signed JWT Bearer token flow (get user access token without password / SAML)

    We will need OAuth support to get a user access token without having to provide the user name and password or a SAML assertion from ADFS.

    The trust would be the certificate trust.

    Other implementations from other vendors -

    https://tools.ietf.org/html/rfc7523

    1. Google https://www.jhanley.com/google-cloud-creating-oauth-access-tokens-for-rest-api-calls/
    Refer to --

    def create_signed_jwt(pkey, pkey_id, email, scope): and
    exchange that for the user access token in
    def exchangeJwtForAccessToken(signed_jwt):

    Docusign https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken

    2. Atlassian https://developer.atlassian.com/cloud/jira/software/oauth-2-jwt-bearer-token-authorization-grant-type/

    3. Box https://developer.box.com/docs/construct-jwt-claim-manually#section-3-create-jwt-assertion

    4. Salesforce - https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=0

    3 votes

    0 comments  ·  Azure AD API
  9. Release API capabilities for Access Packages and Identity Governance

    I want to automate Access Package deployment with Terraform as I do with user groups as well as make dynamic groups compatible with Access Packages. This would allow me to assign users to groups based on user attributes, as I can do with Dynamic groups, but also enable group members the ability to request an access package based on their dynamic group membership, which are automatically created after deploying a new subscription with Terraform. Access Packages would be specific to each subscription and include resource and application roles that are applicable to users of that subscription. This would replace the…

    3 votes

    0 comments  ·  Azure AD API
  10. do not have one

    Azure or other ****

    We do not have time, to play. You want my email?

    How do you stop sync?

    1 vote

    0 comments  ·  Azure AD API
  11. Does Custom Claims per application (preview) work with accounts synced to AAD from on-prem?

    Does Custom Claims per application (preview) work with accounts synced to AAD from on-prem AD? I know guests are not supported.

    1 vote

    0 comments  ·  Azure AD API
  12. Allow onPremisesSamAccountName to be filled

    The onPremisesSamAccountName attribute should be fillable without Azure AD Connect, by API or PowerShell, if needed, because it is required for some apps and for legacy apps, and for creating profiles with the proper localized characters with Autopilot and AAD Join.

    1 vote

    0 comments  ·  Azure AD API
  13. fax number

    Now I know this is not for a Fax number as such but I have a customer that uses the fax number field to store information used by a third party. It just so happens they decided upon the fax number field. I thought OK, kind of not sure why they used that but no problem I can pull that back for a user and use it in PowerApps and ultimately a flow but nooooooooooooooooo, it is not surfaced. I appreciate this is easy for me to say but surely it is not too big a deal to have it…

    1 vote

    0 comments  ·  Azure AD API
  14. Scripting creation of OAuth2PermissionGrant for Service Principal

    I am trying to set up a System-Assigned Managed Identity to be able to get an OAuth token for the client credentials flow. It doesn't appear in the portal like an App Registration does, so I can't click through the configuration for OAuth application permissions. I need to be able to script this, but there is no PowerShell or AZ CLI command for this.

    1 vote

    0 comments  ·  Azure AD API
  15. Azure AD Smart Lockout unlock capability via MS Graph for admins

    There are other requests posted regarding the ability of admins to unlock users in Azure AD. We would like that ability to be made available in MS Graph as well once it gets released.

    1 vote

    0 comments  ·  Azure AD API
  16. Admin consent workflow is not working correctly

    I'm unable to grant admin consent for my users in one of my Azure apps. Support said it is still due to uncompleted admin workflow features. We would like the feature to be looked into.

    1 vote

    0 comments  ·  Azure AD API
  17. Turn Off Risky Users Impact to AD/Office

    You're clearly not ready to introduce this feature, it's in Preview, so shut off the impact. You are blocking users on a product I don't have rights to turn on or off.

    1 vote

    0 comments  ·  Azure AD API
  18. API to manage SAML SSO

    Graph API to automate managing SAML SSO configuration: renew certificate, configure SSO details...

    With the amount of apps configured for SSO, it has started to be hard to manage certificates (the renewal process is so manual).

    1 vote

    0 comments  ·  Azure AD API
  19. PowerShell Azure AD provisioning and registration of FIDO2 keys

    1 vote

    0 comments  ·  Azure AD API
  20. Native app user consent

    After the update of the Microsoft Identity Platform to version 2.0, it seems users cannot perform the "User Consent" for a Native app registration programmatically or via the Azure Portal.
    For a web application based on Power BI Embedded this is a problem, because without the "User Consent" the application doesn't work.
    After the update only a Global Admin user can grant the permissions, but this is a very restrictive condition.

    1 vote

    0 comments  ·  Azure AD API