Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. RBAC permissions to see Application Gateway Backend Health

    The RBAC 'reader' and 'monitoring reader' roles do not allow users of those permissions to see the backend health.
    Error is the client 'user' does not have authorisation to perform action '/Microsoft.Network/applicationGateways/backendhealth/action' over scope 'subscription...resourceGroups/providers/Microsoft.Network/applicationGateways/applicationgatewayane'
    Is it possible to modify the reader / monitoring reader permissions so that viewing the backend health status is allowed for those roles, and/or advise of a read-only role that allows this, as we don't want to grant users modify access to the application gateways just to enable them to see backend health.

    43 votes
    13 comments  ·  Role-based Access Control
  2. Users must not delete resource groups if they are not allowed to delete the resources.

    We created custom roles to allow another team to operate our environment. To avoid accidental deletion of data, we removed the delete action for several storage components, for example Data Lake Store Gen1.

    Unfortunately when deleting a resource group, it completely ignores the permissions on resource level. For example, I do not have deletion rights on ADLS, but I can still remove it, by deleting the whole resource group.

    Resource Groups are simple containers and restricting people on managing them on their own will have a huge impact. We will waste a lot of time to define processes and executing…

    30 votes
    1 comment  ·  Role-based Access Control
  3. Service Principal RBAC simulator

    When handling shared subscriptions and deploying certain third party services we require to have a Service Principal that follows the principle of least privilege.
    Nevertheless, after creating this intricate granular Service Principal, there is no proper way to test out its functionality. The only way to see if your SP works is by actually deploying your service and see where it fails, update the SP and repeat.

    AWS offers IAM policy simulator that does the job in their case. Something similar would be very helpful to have to improve the deployment experience.

    29 votes
    1 comment  ·  Role-based Access Control
  4. Improve custom roles assignable scope options

    Add the option to set all resource groups of a(/multiple) subscription as valid assignable scope. Something like:

    “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/*”

    Currently it is only possible to make a role assignable to specific RGs. A wildcard option would be much more flexible.

    18 votes
    3 comments  ·  Role-based Access Control
  5. Manage Owner of groups through Az CLI

    Would be really convenient for Az CLI or Linux users to implement this feature request.

    Same feature that could be done through the PowerShell module « azuread version 2.0.0.115», associated « how to » is available here : https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-v2-cmdlets#manage-owners-of-groups

    6 votes
    0 comments  ·  Role-based Access Control
  6. Make a user or group based policy for UsersPermissionToReadOtherUsersEnabled

    Middle and Higher Education organizations prefer a scenario in which they can deny only students permissions to read profile information.

    5 votes
    0 comments  ·  Role-based Access Control

    Hi,
    Thank you for taking the time to provide feedback! We are thinking through how to support a more granular way of restricting read permissions in Azure AD, but we don’t yet have a timeline.

    Regards,
    Vince Smith
    Azure Active Directory Team

  7. Create Custom RBAC-Role with link to Built-In-Role

    When I create a custom Role from a Built-In-Role, this new rule is no longer updated by Microsoft. Because it is custom. I would like to have a way that I can set a delta on a Built-In-Role and create a new Role from it. So I have a custom rule that always receives updates from Microsoft.

    2 votes
    0 comments  ·  Role-based Access Control

    Hi,
    Thank you for taking the time to submit feedback! This is an interesting request, we certainly have customers who want it one way or the other. We’ll consider a mechanism to specify a role is ‘inherited’ from a parent role and thus gets updates based on that role. However, we don’t have a timeline for that just yet.

    Thanks again,
    Vince Smith
    Azure Active Directory Team

  8. Provide us with option of create role or duplicate them from built-in roles via Azure Portal

    Provide us with the option of creating a role or duplicate them from built-in roles via Azure Portal

    1 vote
    0 comments  ·  Role-based Access Control

    Hi,
    Thank you for taking the time to submit feedback! We are working on support for custom roles in Azure AD, and over time as we increase the number of supported permissions we will add the ability to duplicate built-in roles.

    Regards,
    Vince Smith
    Azure Active Directory team

  9. Enable Groups (AAD or Synchronized) to be members of AAD Roles

    For AAD roles, i.e. Security Admin, allow Groups to be added. Currently only Users can be added through the portal.

    1 vote
    under review  ·  0 comments  ·  Role-based Access Control
  10. Azure AD Directory Roles modified date | PowerShell

    Hello,
    Please allow querying the Azure AD Directory Roles modified date,
    so if we run PS: Get-AzureADDirectoryRole
    we could see when a role was modified and use this as a monitoring parameter; as an example, we can set the current date as non-modified, and any older date will be triggered.

    1 vote
    2 comments  ·  Role-based Access Control