Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. B2B: Please expose the "source" property in the Graph API

    We would like to have the Source attribute available in order to manage guest accounts differently based upon what kind of account it is ("Microsoft Azure Active Directory", "Microsoft account", or "Microsoft Azure AD (other directory)"). If the account is a Microsoft Account, we need to be able to have more scrutiny around it (i.e. check to see if the user still works for the partner company).

    16 votes
    0 comments  ·  Azure AD API
  2. Ability to filter users with onPremisesSamAccountName with Microsoft Graph API

    I would like to have a filter on the users api of Microsoft Graph API, where I will be able to filter the users based on onPremisesSamAccountName, which is currently not available with Graph API.

    We have the internal employee id stored in the onPremisesSamAccountName variable, which is present in the users API of Microsoft Graph. We are trying to filter on the onPremisesSamAccountName property to filter based on the internal employee id. Currently we are not able to do that with Graph API, but we really need this to be working, or would be happy if we get to know any…

    10 votes
    2 comments  ·  Azure AD API
  3. Make it possible to get the group license assignment error message via PowerShell or API.

    Currently, we can only see the group license assignment error message from the Azure portal UI.

    I want a feature that can get this error message using PowerShell or API.

    8 votes
    0 comments  ·  Azure AD API
  4. Restricting access to Azure Service Principals.

    Anyone who has the below information can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md
    #>

    The best possible scenario is to restrict it using RBAC. Agreed.
    An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.

    Can MS look into this, please?
    I had raised a case with MS…

    7 votes
    0 comments  ·  Azure AD API
  5. Deleted AAD Graph permissions remain.

    When the API access permission of AAD Graph for the registered application was deleted, it was deleted on the UI. However, the AAD Graph access permission that should have been deleted remained.

    Example:
    1. Grant Group.Read.All and User.ReadWrite.All with AAD Graph.
    2. The administrator agrees to the granted permissions.
    3. Delete Group.Read.All.
    4. The administrator agrees to the granted permissions.
    5. It has been deleted on the UI; however, the group information is still acquired as a result.

    I tried the same process as above with MS Graph, but I couldn't get group information.

    4 votes
    0 comments  ·  Azure AD API
  6. Create Azure AD programmatically

    My organization needs the capability for creating Azure AD programmatically. This is because the multi-tenant SaaS solution we have requires each client (an organization) to have their own Azure AD, where they will be part of a provider / consumer scheme and sometimes take on both roles (provider and consumer, such as a reseller). There are times where our clients will create and manage their own Azure AD and Azure Subscriptions. However, most of the client base we anticipate serving (acting as consumers) are small businesses and do not have the knowledge nor the staff to handle managing an Azure Subscription…

    4 votes
    0 comments  ·  Azure AD API
  7. 4 votes
    2 comments  ·  Azure AD API
  8. PowerShell Azure AD provisioning and registration of FIDO2 keys

    3 votes
    0 comments  ·  Azure AD API
  9. Allow signed JWT Bearer token flow (get user access token without password / SAML)

    We will need OAuth support to get a user access token without having to provide the user name and password or a SAML assertion from ADFS.

    The trust would be the certificate trust.

    Other implementations from other vendors -

    https://tools.ietf.org/html/rfc7523

    1. Google https://www.jhanley.com/google-cloud-creating-oauth-access-tokens-for-rest-api-calls/
       Refer to def createsignedjwt(pkey, pkeyid, email, scope): and exchange that for the user access token in def exchangeJwtForAccessToken(signed_jwt):
    2. DocuSign https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken
    3. Atlassian https://developer.atlassian.com/cloud/jira/software/oauth-2-jwt-bearer-token-authorization-grant-type/
    4. Box https://developer.box.com/docs/construct-jwt-claim-manually#section-3-create-jwt-assertion
    5. Salesforce https://help.salesforce.com/articleView?id=remoteaccessoauthjwt_flow.htm&type=0


    3 votes
    0 comments  ·  Azure AD API
  10. Release API capabilities for Access Packages and Identity Governance

    I want to automate Access Package deployment with Terraform as I do with user groups as well as make dynamic groups compatible with Access Packages. This would allow me to assign users to groups based on user attributes, as I can do with Dynamic groups, but also enable group members the ability to request an access package based on their dynamic group membership, which are automatically created after deploying a new subscription with Terraform. Access Packages would be specific to each subscription and include resource and application roles that are applicable to users of that subscription. This would replace the…

    3 votes
    0 comments  ·  Azure AD API
  11. API to manage SAML SSO

    A Graph API to automate managing SAML SSO configuration: renew the certificate, configure SSO details...

    With the amount of apps configured for SSO, it has started to be hard to manage certificates (the renewal process is so manual).

    2 votes
    0 comments  ·  Azure AD API
  12. C++ Library

    It would be nice to have client libraries for C++.

    2 votes
    0 comments  ·  Azure AD API
  13. Provide a means of retrieving App registration permissions that have admin consent and be able to revoke consent for certain permissions

    Currently, the Azure AD API provides no means of retrieving which permissions have admin consent, or a means of revoking admin consent for a given permission.

    Supporting such actions shall allow for fine grained control of permissions in CI/CD pipelines and the extension of tools such as the terraform provider.

    1 vote
    0 comments  ·  Azure AD API
  14. Provide samples that work with asp.net core 3.0 and cover more scenarios, e.g., web apps are purely front-ends (no controllers).

    Provide samples that work with ASP.NET Core 3.0 and cover more scenarios. Currently, the section on "web app calls web APIs" does not cover the case where a web app is purely a front-end (no controllers), and most (if not all) of the samples only work with the ASP.NET Framework.
    I also find most of the instructions are either misleading or very incomplete. Following these instructions just never works for me.

    1 vote
    0 comments  ·  Azure AD API
  15. 1 vote
    0 comments  ·  Azure AD API
  16. Azure AD Page correction

    Error on page: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-remove-app

    The "Delete" option has been moved to the Properties page, top Menu.

    1 vote
    0 comments  ·  Azure AD API
  17. Approval Workflow for Self-Service registration

    Currently Azure provides capabilities for users to self-register for an application from the "MyApps Panel". This involves an approval workflow, which requires the tenant admin to configure "Approvers" for each application.

    If there are 2 approvers for the application, Approver1 and Approver2, can we build an approval workflow where the approval request first goes to Approver1, who adds some relevant comments, and then the approval request goes to Approver2?

    The business use case is that these approvers exist in different business functions and there needs to be some communication between them for approval.

    1 vote
    0 comments  ·  Azure AD API
  18. Does Custom Claims per application (preview) work with accounts synced to AAD from on-prem?

    Does Custom Claims per application (preview) work with accounts synced to AAD from on-prem AD? I know guests are not supported.

    1 vote
    0 comments  ·  Azure AD API
  19. Allow onPremisesSamAccountName to be filled

    The onPremisesSamAccountName attribute should be fillable without Azure AD Connect, by API or PowerShell, if needed. It is required for some apps and for legacy apps, and for creating a profile with the proper localized characters with Autopilot and AAD Join.

    1 vote
    0 comments  ·  Azure AD API
  20. Scripting creation of OAuth2PermissionGrant for Service Principal

    I am trying to set up a System-Assigned Managed Identity to be able to get an OAuth token for the client credentials flow. It doesn't appear in the portal like an App Registration does, so I can't click through the configuration for OAuth application permissions. I need to be able to script this, but there is no PowerShell or AZ CLI command for it.

    1 vote
    0 comments  ·  Azure AD API