Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new login experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account uses the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

  • RBAC for AAD

    The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.
    Currently there are too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

    154 votes · 17 comments · Role-based Access Control
  • AzureAD Role Delegation to Groups

    Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlet's RoleMemberType parameter can be set to Group. But we always get an exception which says that this value is invalid....
    Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the management much easier. To achieve a Role Delegation to Groups we have to deploy a PowerShell script that synchronizes Group-Members with Role-Members of a specific role. This is a valid workaround but a nasty one compared to a direct delegation…

    116 votes · 18 comments · Role-based Access Control
  • Deny Access Control in the RBAC

    Please add the options below to RBAC.
    Disable inheritance.
    Deny.

    42 votes · 7 comments · Role-based Access Control

    We recently added deny capability to Azure’s RBAC system, in the form of deny assignments that can be set by the system only. The first Azure feature to use deny is BluePrint. We intend to add a configurable deny capability in the future, but have not yet announced any details.

    Cheers,
    /Stuart and Balaji

  • Custom Roles at the Management Group Level

    Please add the ability to define custom roles for Azure RBAC at the new Management Group level. Would like to be able to create custom roles and set the assignable scope to our root management group so that the role definition is available throughout our tenant.

    https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

    33 votes · 6 comments · Role-based Access Control
  • Admin-Delegation to AzureAD Partner Tenants for Azure Subscriptions - similar to O365 Admin Delegation

    Currently the Admin Access to an Azure Subscription can be delegated to individual Microsoft Accounts (MSA) or Users of the AzureAD Tenant which is assigned to the Subscription. Since we support our customers with their Azure Deployments, our employees need Access to the customer's Subscription. This is currently only possible by delegating Admin-Access to the employee's private MSA. If a Customer could delegate Admin-Access to our AzureAD Partner Tenant, it would be much easier for us and our customers. Moreover we would have the same experience as with 365...

    33 votes · 6 comments · Role-based Access Control

    We’re working on ways to simplify how a service provider can get access to customer Azure subscriptions. In the meanwhile, we recommend you check out Azure AD B2B.

    Cheers,
    /Vince and Stuart

  • We need to be able to manage Azure AD helpdesk administration & other administration roles via on-prem AD groups

    One item I would like corrected \ added as a feature.
    We need to be able to manage Azure AD helpdesk administration & other administration roles via on-prem AD groups. Currently we need to add users individually to each of the various roles. Helpdesk is a good example of this as many people come & go from this role & we need to add and remove users individually to the Azure AD Helpdesk administration role. If we had an AD group (example: Servicedesk AD group) with all members of the helpdesk in there, we would just have to manage this group…

    32 votes · 2 comments · Role-based Access Control
  • Allow Applications to be added to AD Security Groups

    See https://stackoverflow.com/questions/47762262/add-aad-application-as-a-member-of-a-security-group

    Basically allow adding Service Principals (i.e. Applications) into AD Security Groups just like User Principals are allowed today.

    22 votes · 3 comments · Role-based Access Control
  • Support Inheriting Roles in Nested Groups

    Group 1
    Has a Role from my Application
    Has a Member called Group 2

    Currently, roles in nested groups are not transitive. If I am a member of Group 2 above, I do not have the Role granted to Group 1, even though Group 2 is a member of Group 1.

    I can't believe this is not implemented; I wasted 3 hours trying to figure this out.

    22 votes · 2 comments · Role-based Access Control
  • BUG: Unable to Delete an Application's AppRole

    Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error "Property value cannot be deleted unless it is disabled first".

    When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools (See first attached image).

    After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browser's developer tools, it's coming back as true there too (See second attached image).

    21 votes · 2 comments · Role-based Access Control

    Thanks for reporting this!

    I know it was reported quite some time ago, and we do apologize for the delay in responding to this and getting it addressed.

    For now, there are two options to work around this:

    1. Using Azure AD PowerShell, you can disable and then remove the app role. I’ve posted a sample script which does this here on StackOverflow: https://stackoverflow.com/a/47595128/325697

    2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role’s isEnabled attribute to “false”. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).

    / Philippe Signoret

  • bitlocker recovery

    Delegate permission to view the Bitlocker recovery key to other roles than Global admins (e.g. Device administrators). Our client guys are responsible for managing the devices, and they will support the end users.
    Or provide RBAC for Azure AD to build custom roles.

    19 votes · 1 comment · Role-based Access Control
  • Ability to add groups as Additional local administrators on Azure AD joined devices

    I want to be able to set staff members as local admins on their devices but can't add them one at a time like the current system allows. There are too many to maintain. Instead I would like the ability to point to a group and if the user is in the group, then they are a local admin on an Azure joined device.

    15 votes · 1 comment · Role-based Access Control

    Hi, thank you for your feedback. We’re working on support for assigning Azure AD roles to groups, but we don’t have a definitive date yet for when we will release it. Having said that, it is a priority for us to be able to support this.

  • RBAC permissions to see Application Gateway Backend Health

    The RBAC 'reader' and 'monitoring reader' roles do not allow users with those permissions to see the backend health.
    Error is the client 'user' does not have authorisation to perform action '/Microsoft.Network/applicationGateways/backendhealth/action' over scope 'subscription...resourceGroups/providers/Microsoft.Network/applicationGateways/applicationgatewayane'
    Is it possible to modify the reader / monitoring reader permissions so that viewing the backend health status is allowed for those roles, and/or advise of a read-only role that allows this, as we don't want to grant users modify access to the application gateways just to enable them to see backend health.

    13 votes · 0 comments · Role-based Access Control
  • Add Administrative Units to Azure AD Portal

    AUs (Azure AD OUs) can only be administered in a convoluted way with PowerShell today. Please make it possible to administer AUs in the new modern Azure AD portal.

    12 votes · 3 comments · Role-based Access Control
  • Create role for MFA portal admin

    Create a role that can manage the MFA portal. Currently only Global Admin has access to the MFA portal.

    9 votes · 3 comments · Role-based Access Control
  • Allow creation of custom directory roles in Azure AD

    Being able to create custom directory roles in Azure AD would allow Administrators to grant users custom tailored roles in Azure AD. One example would be allowing the security office in your organization access to the risky events and risky users tabs with the ability to close, reopen, or mark as false positive without having to give them permissions that they do not need. This essentially takes the idea of "least privileged roles" and expands it to allow for further customization.

    8 votes · 0 comments · Role-based Access Control
  • Assign Azure subscription permissions to use Office 365 groups

    Allow admins to assign RBAC on Azure subscriptions using Office 365 Groups as opposed to just security groups or other basic groups.

    8 votes · 0 comments · Role-based Access Control
  • differentiate permissions for creating and modifying resources

    Creating RBAC roles for users who may edit resource settings (e.g. change replication of a storage account or add a disk to a VM) but not deploy new resources of that kind is not possible as long as both of these operations rely on the /write permission of the resource provider operation.
    We need separate provider operations for create (new resource) & modify (existing resource), or different applicable scopes of effect, like /write only on resources contained in the Azure resource group.

    8 votes · 2 comments · Role-based Access Control
  • aad custom roles

    Would be nice if we could create custom aad roles; might be wrong, but the concept of creator/owner and being able to assign permissions to the owner role would be nice.

    7 votes · 2 comments · Role-based Access Control
  • Service Principal RBAC simulator

    When handling shared subscriptions and deploying certain third party services we require a Service Principal that follows the principle of least privilege.
    Nevertheless, after creating this intricate granular Service Principal, there is no proper way to test out its functionality. The only way to see if your SP works is by actually deploying your service and seeing where it fails, updating the SP and repeating.

    AWS offers an IAM policy simulator that does the job in their case. Something similar would be very helpful to have to improve the deployment experience.

    7 votes · 0 comments · Role-based Access Control
  • Improve AADLoginForLinux security model

    It seems that currently the AAD user role is only checked during the authentication phase. If for example I create a .ssh/authorized_keys file with my key, I can log in to the VM, even after my "Virtual Machine Administrator Login" role has been removed.

    I think that pam_aad should check, as an "account" module, whether a given user has access to the host, independently of how the user has authenticated.

    If that is implemented, I as an administrator can be sure that if a user doesn't appear in the IAM role list, the user certainly has no access.

    6 votes · 0 comments · Role-based Access Control