Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Authenticating wireless access points \ RADIUS through Azure AD

    I would like to see authenticating wireless access points \ RADIUS servers through Azure AD, not having to store user accounts in local Active Directory.

    684 votes  ·  68 comments  ·  Authentication
  2. Microsoft Authenticator support for Tizen Samsung Gear S3 needed

    Please add Authenticator to Samsung Gear S3 (Tizen).

    69 votes  ·  12 comments  ·  Authentication
  3. Certificate-Based Authentication (CBA) without Federation

    I would like to be able to use certificate-based authentication without the need for federation so users don’t have to enter username/password for the numerous Office mobile apps.

    We use Pass Through Authentication (PTA) to authenticate our Azure AD users against our on-premises AD, and we'd prefer not to have to implement a fault-tolerant ADFS infrastructure for our 200 users. We have a Certificate Authority and have implemented Intune to push user certificates to staff mobile devices.

    The article below indicates CBA does work without federation for Exchange ActiveSync (EAS), so can this be expanded to work with Microsoft…

    49 votes  ·  6 comments  ·  Authentication
  4. OAuth 2.0 Dynamic Client Registration Protocol For Microservices scenarios

    Please add support for the OAuth 2.0 Dynamic Client Registration Protocol in Azure AD, supporting microservices-based architectures and managing their identity dynamically.

    34 votes  ·  6 comments  ·  Authentication
  5. The seamless SSO feature does not work with Windows 10 and Edge browser. Can this be enabled?

    The seamless SSO feature we have enabled through AAD Sync does not work with Windows 10 and Edge browser. Can this be fixed? It only works in IE and Chrome. Thank you.

    33 votes  ·  5 comments  ·  Authentication
  6. Support for OAuth 2.0 SAML Bearer Assertion Flow

    I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.

    Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccess_oauth_SAML_bearer_flow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.

    I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the identity provider in exchange…

    31 votes  ·  8 comments  ·  Authentication

    Reposting so that folks get a notification – from Paul:

    Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Assertion flow for users authenticating with IdPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I'll post here again when documentation for that is ready.

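The exchange behind the SAML bearer assertion flow discussed in this idea and in Paul's reply, as an added example that is not code from the post, from Salesforce or from Azure AD. It follows RFC 7522 (the IETF draft the post links to became RFC 7522): the client posts the base64url-encoded assertion to the token endpoint with the `saml2-bearer` grant type, and the authorization server checks issuer, audience, expiry and subject before issuing a token. The issuer and endpoint URLs are hypothetical, the assertion is constructed and unsigned, and XML signature verification is called out but not implemented.

```python
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

# RFC 7522 grant type for a SAML 2.0 bearer assertion.
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical parties used throughout the example (not real endpoints).
IDP_ISSUER = "https://idp.example.org/adfs"
TOKEN_ENDPOINT = "https://as.example.org/oauth2/token"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(issuer: str, subject: str, audience: str, not_on_or_after: str) -> str:
    """Constructed, unsigned SAML 2.0 assertion; a real IdP would XML-DSig sign it."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion>"
    )


def build_token_request(assertion_xml: str, scope: str) -> str:
    """Client side: the form-encoded body POSTed to the token endpoint (RFC 7522 section 2.1)."""
    return urllib.parse.urlencode({
        "grant_type": SAML2_BEARER,
        "assertion": b64url_encode(assertion_xml.encode("utf-8")),
        "scope": scope,
    })


def validate_token_request(body: str, trusted_issuers, expected_audience: str, now: dt.datetime):
    """Authorization-server side: returns (True, subject) or (False, reason).

    Signature verification is deliberately not shown: in production the XML
    signature MUST be verified against the IdP's certificate before any field
    below is trusted, and untrusted XML should go through a hardened parser
    (e.g. defusedxml) rather than the stdlib one used here.
    """
    params = dict(urllib.parse.parse_qsl(body))
    if params.get("grant_type") != SAML2_BEARER:
        return False, "unsupported grant_type"
    try:
        root = ET.fromstring(b64url_decode(params["assertion"]))
    except (KeyError, ValueError, ET.ParseError):
        return False, "missing or malformed assertion"
    if root.findtext("saml:Issuer", namespaces=SAML_NS) not in trusted_issuers:
        return False, "untrusted issuer"
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion has no Conditions"
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    try:
        expiry = dt.datetime.strptime(conditions.get("NotOnOrAfter", ""), "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=dt.timezone.utc)
    except ValueError:
        return False, "missing or malformed NotOnOrAfter"
    if now >= expiry:
        return False, "assertion expired"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not subject:
        return False, "assertion has no subject"
    return True, subject


def demo():
    """Round trip: client builds the request, server validates it."""
    assertion = build_assertion(IDP_ISSUER, "alice@example.org", TOKEN_ENDPOINT, "2030-01-01T00:00:00Z")
    body = build_token_request(assertion, "openid")
    now = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
    return validate_token_request(body, {IDP_ISSUER}, TOKEN_ENDPOINT, now)


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often skipped and the one that matters most in this flow: an assertion the IdP minted for some other service provider must not be accepted by the token endpoint, or any relying party that receives user assertions becomes able to mint tokens for the user elsewhere.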
  7. Scoring password in Azure AD password protection

    Today, Azure AD Password Protection scores the normalized new password with these rules:
    1. Each banned password that is found in a user's password is given one point.
    2. Each remaining unique character is given one point.
    3. A password must be at least five (5) points for it to be accepted.

    If you use a banned word like "contoso", the score of the password grows by +1. With a new password made of 5 banned password(s), you will have an accepted password.

    If you choose one of the following passwords as a new password, it will be accepted:

    "contosocontosocontosocontosocontoso" --> [contoso]…

    23 votes  ·  1 comment  ·  Authentication
  8. Support "Hub-and-spoke Federation with Centralised Login" SAML2.0 architecture

    Currently Azure AD only supports unique SAML 2.0 IssuerUris.

    http://community.office365.com/en-us/f/613/t/295163.aspx

    In the federation architecture "Hub-and-spoke Federation with Centralised Login", each tenant/company/organization/root-domain/educational institution shares/references the same IdP SAML 2.0 IssuerUri.

    https://wiki.edugain.org/Federation_Architecture

    23 votes  ·  0 comments  ·  Authentication
  9. Optional Automatic Fallback from PTA to PHS

    If the last PTA agent fails and the sync group has only invalid agents, there should be an optional configuration to start Password Sync automatically if the admin chooses this, for truly HA with a local disaster (or internet connectivity failure). Also, sending a notification when the authentication endpoint fails would be great.

    22 votes  ·  1 comment  ·  Authentication
  10. NIST 800-63B Digital Identity Guidelines

    Please update the password requirements to match both those of NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft https://www.microsoft.com/en-us/research/publication/password-guidance/.

    Also the ability to build a password blacklist.

    18 votes  ·  0 comments  ·  Authentication

    We’re well aware of the NIST 800-63B guidelines (and it’s my team that wrote that password whitepaper!). We’re currently making some foundational changes that should subsequently let us implement many or most of the password composition guidelines.

    As for a password blacklist, today we have a banned password list in place that prevents users from using known-bad words, phrases, and passwords. We also have a custom list feature that lets you define your own words and patterns. That’s in private preview today and we’re working to get it to public preview over the next few months.

  11. Sign-in to SharePoint 2016 with Guest accounts is challenging

    I have a custom enterprise application for SharePoint 2016, which has "Unique User Identifier" set to "user.userprincipalname" (default configuration), but the experience with Guest accounts is bad:
    - MSA Guest accounts identity set by AAD looks like "user_mail.com#EXT#@Tenant.onmicrosoft.com", which is counter-intuitive. When granting permissions to those accounts in SharePoint, we expect to type UserUPN@Tenant.onmicrosoft.com, not user_mail.com#EXT#@Tenant.onmicrosoft.com
    - B2B Guest accounts identity set by AAD looks like "mail@Tenant.onmicrosoft.com", which is great and what we want, but it's inconsistent with the MSA Guest accounts and causes a lot of confusion.

    Can you fix this to always…

    16 votes  ·  10 comments  ·  Authentication

    Thanks for the feedback.

    For “Name” or other claims, you can now select “user.localuserprincipalname” as a source attribute. This will use UPN stored in the tenant for the guest user.

    This isn’t currently available for “NameID” but we’re working on that.

    Also, we're working on an experience that will let you specify the source attribute based on the user type (AAD, AAD Guest, External Guest, All Guest).

    Let me know if you would be interested in providing early feedback on what we're thinking to release.

    \Luis

  12. On premise Linux to Azure AD authentication and device enrollment

    Join on-premise Linux to Azure AD
    Authentication of on-premise Linux must be against Azure AD
    Device enrollment in Azure AD

    16 votes  ·  2 comments  ·  Authentication
  13. About early adopted Azure Portal for new function

    I hope to be able to choose, per Azure tenant type, when to adopt a new function.
    For example, Azure AD is currently deploying LinkedIn integration, but some tenants have it done and others do not, and the implementation period is unclear.
    So I would like to be able to choose when to adopt a new function, as Office 365 already allows:
    https://docs.microsoft.com/en-us/office365/admin/manage/release-options-in-office-365?view=o365-worldwide

    13 votes  ·  0 comments  ·  Authentication
  14. Android Enterprise Kerberos Support for MS Authenticator and Company Portal

    On Android Enterprise there is a way to enable Kerberos/SPNEGO based SSO for all WebViews out of the box without any change of code. Since MS Authenticator and Company Portal are used for SSO authentication of native Office Android Apps, it would be beneficial to activate this option. This would allow an enterprise user to have seamless/login-free SSO.

    The scenario is that in the enterprise context the Office 365 login is often federated to an on-premise IdP. That IdP usually is kerberized and understands SPNEGO. I can see that in MS Authenticator I get redirected to the IdP but Kerberos…

    13 votes  ·  0 comments  ·  Authentication
  15. Exclude certain AD Groups from the policies of Azure AD Password Protection (MAB Devices)

    When using MAB authentication in a domain, one often has to provide the MAC address as both the username and the password. Examples can be IP telephones, computers that are being installed with SCCM, printers, ...

    AAD PPM does not allow names to be equal to passwords, which is basically correct, but MAB is a common way of registering certain hardware.

    It would be a good idea to make AAD PPM configurable so as to exempt specific accounts from AAD PP on an AD group basis or by some other means.

    12 votes  ·  0 comments  ·  Authentication
  16. Azure Active Directory Seamless Single Sign-On - Multi-tenants in a single forest hosting environment.

    We have multi-tenants in a single forest hosting environment synchronizing different customers (each in a different OU) to their own O365/Azure AD tenant account. At the current moment, Seamless Single Sign-On only supports one O365/Azure AD tenant for sign on in the current setup we have. This is due to a computer created called AZUREADSSOACC in Windows AD. We want to adopt the Seamless Single Sign-On but as it only supports one O365/Azure AD tenant for sign on we cannot use it.

    12 votes  ·  under review  ·  3 comments  ·  Authentication
  17. Add Shibboleth to the set of authentication protocols

    At present Azure AD can authenticate to SaaS using SAML, OAuth etc. Many academic institutions use Shibboleth which is based on SAML. Currently this means that they have to maintain a separate Shibboleth service in addition to AD FS (if using that for authentication). If a Shibboleth service could be added to Azure AD this would reduce the hardware/software complexity on-site and allow more Universities to take advantage of the Cloud Identity provided by Azure. Shibboleth is generally used to access shared education services, journals and other shared services.

    12 votes  ·  under review  ·  1 comment  ·  Authentication
  18. OpenID Connect id_token is missing email claim

    The id_token issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) are missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?

    12 votes  ·  0 comments  ·  Authentication
  19. Allow Custom Token Lifetime

    For web applications that are not implemented as a SPA, using Azure AD for a line-of-business application with a token lifetime of an hour is not enough in some scenarios.

    Can we please have the ability to customise when the token will expire?

    12 votes  ·  2 comments  ·  Authentication
  20. Configuration of SAML 2.0 responses - hash algorithm (SHA1 v SHA256), message signing

    Are there any plans to add further configuration options to the AAD SAML 2.0 functionality?

    When acting as an IdP in a SAML 2.0 federation, unlike ADFS, there does not appear to be any options to customize the SAMLResponse which is returned to the Relying Party.

    The options that I'm particularly interested in are:

    - The ability to define the "Secure Hash algorithm" to be either SHA1 or SHA256 - as per this previous post - http://feedback.azure.com/forums/169401-azure-active-directory/suggestions/4762132-customizable-token-signing-hash-algorithm-sha256- many Service Providers only support SHA1 - meaning it is not currently possible to federate with these systems.

    - Message & Assertion signing…

    12 votes  ·  1 comment  ·  Authentication