Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new login experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account uses the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

  • Allow Long Passwords

    The current max password is 16 chars, please make it larger.

    https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/

    See the "Longer is (Usually) Stronger" section.

    Source of current max length: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy

    450 votes  ·  51 comments  ·  Authentication

    Admin response: We are aware of the importance of this feature and are working on it. I don’t have an ETA to share at this point but will update you once we are closer to preview.

    Eliza (via Chen)

  • Set an AzureAD account to expire on a specified date

    Just like in Active Directory, allow accounts to be set to expire on a specified date. Our company policy is to set network accounts for non-employees (consultants, contractors, temporary employees, interns) to expire at a certain interval after they are created. We want the same functionality within Office 365.

    256 votes  ·  28 comments  ·  Authentication

  • Microsoft Authenticator support for Tizen Samsung Gear S3 needed

    Please add Authenticator to Samsung Gear S3 (Tizen).

    47 votes  ·  8 comments  ·  Authentication

  • Certificate-Based Authentication (CBA) without Federation

    I would like to be able to use certificate-based authentication without the need for federation so users don’t have to enter username/password for the numerous Office mobile apps.

    We use Pass Through Authentication (PTA) to authenticate our Azure AD users against our on-premises AD, and we’d prefer not to have to implement a fault-tolerant ADFS infrastructure for our 200 users. We have a Certificate Authority and have implemented Intune to push user certificates to staff mobile devices.

    The article below indicates CBA does work without federation for Exchange ActiveSync (EAS), so can this be expanded to work with Microsoft…

    38 votes  ·  5 comments  ·  Authentication

  • OAuth 2.0 Dynamic Client Registration Protocol for Microservices scenarios

    Please add support for the OAuth 2.0 Dynamic Client Registration Protocol in AzureAD, supporting microservices-based architectures and managing their identity dynamically.

    30 votes  ·  4 comments  ·  Authentication

  • Support smart card login on Windows 10 devices which are Azure AD joined

    We have increasing demand from clients to use smart cards or MFA for desktop login on Windows 10 devices that are only using Azure AD.

    26 votes  ·  0 comments  ·  Authentication

  • Support for OAuth 2.0 SAML Bearer Assertion Flow

    I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.

    Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccess_oauth_SAML_bearer_flow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.

    I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the identity provider in exchange…

    26 votes  ·  2 comments  ·  Authentication

    Admin response: Reposting so that folks get a notification – from Paul:

    Depending on the exact scenario you can do this today. For applications that do interactive browser-based sign in to get a SAML assertion, but then want to add access to an OAuth-protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Assertion flow for users authenticating with IdPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.

  • Support "Hub-and-spoke Federation with Centralised Login" SAML 2.0 architecture

    Currently AzureAD only supports unique SAML 2.0 IssuerUris.

    http://community.office365.com/en-us/f/613/t/295163.aspx

    In the federation architecture "Hub-and-spoke Federation with Centralised Login", each tenant/company/organization/root-domain/educational institution shares/references the same IdP SAML 2.0 IssuerUri.

    https://wiki.edugain.org/Federation_Architecture

    23 votes  ·  0 comments  ·  Authentication

  • The seamless SSO feature does not work with Windows 10 and Edge browser. Can this be enabled?

    The seamless SSO feature we have enabled through AAD Sync does not work with Windows 10 and Edge browser. Can this be fixed? It only works in IE and Chrome. Thank you.

    22 votes  ·  3 comments  ·  Authentication

  • NIST 800-63B Digital Identity Guidelines

    Please update the password requirements to match both those of the NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft: https://www.microsoft.com/en-us/research/publication/password-guidance/.

    Also the ability to build a password blacklist.

    18 votes  ·  0 comments  ·  Authentication

    Admin response: We’re well aware of the NIST 800-63B guidelines (and it’s my team that wrote that password whitepaper!). We’re currently making some foundational changes that should subsequently let us implement many or most of the password composition guidelines.

    As for a password blacklist, today we have a banned password list in place that prevents users from using known-bad words, phrases, and passwords. We also have a custom list feature that lets you define your own words and patterns. That’s in private preview today and we’re working to get it to public preview over the next few months.

  • Sign-in to SharePoint 2016 with Guest accounts is challenging

    I have a custom enterprise application for SharePoint 2016, which has "Unique User Identifier" set to "user.userprincipalname" (default configuration), but the experience with Guest accounts is bad:
    - MSA Guest account identity set by AAD looks like "user_mail.com#EXT#@Tenant.onmicrosoft.com", which is counter-intuitive. When granting permissions to those accounts in SharePoint, we expect to type UserUPN@Tenant.onmicrosoft.com, not user_mail.com#EXT#@Tenant.onmicrosoft.com
    - B2B Guest account identity set by AAD looks like "mail@Tenant.onmicrosoft.com", which is great and what we want, but it's inconsistent with the MSA Guest accounts and causes a lot of confusion.

    Can you fix this to always…

    16 votes  ·  4 comments  ·  Authentication

  • About early adoption of new functions in the Azure Portal

    We hope to be able to choose the Azure tenant type to adopt new functions.
    For example, Azure AD is deploying LinkedIn integration currently, but some tenants have it and others do not, and the implementation period is unclear.
    So, we would like the ability to choose whether to adopt new functions, as Office 365 already allows:
    https://docs.microsoft.com/en-us/office365/admin/manage/release-options-in-office-365?view=o365-worldwide

    13 votes  ·  0 comments  ·  Authentication

  • Android Enterprise Kerberos Support for MS Authenticator and Company Portal

    On Android Enterprise there is a way to enable Kerberos/SPNEGO-based SSO for all WebViews out of the box without any change of code. Since MS Authenticator and Company Portal are used for SSO authentication of native Office Android apps, it would be beneficial to activate this option. This would allow an enterprise user to have seamless/login-free SSO.

    The scenario is that in the enterprise context the Office 365 login is often federated to an on-premises IdP. That IdP usually is kerberized and understands SPNEGO. I can see that in MS Authenticator I get redirected to the IdP but Kerberos…

    12 votes  ·  0 comments  ·  Authentication

  • Add Shibboleth to the set of authentication protocols

    At present Azure AD can authenticate to SaaS using SAML, OAuth etc. Many academic institutions use Shibboleth, which is based on SAML. Currently this means that they have to maintain a separate Shibboleth service in addition to AD FS (if using that for authentication). If a Shibboleth service could be added to Azure AD this would reduce the hardware/software complexity on-site and allow more universities to take advantage of the Cloud Identity provided by Azure. Shibboleth is generally used to access shared education services, journals and other shared services.

    12 votes  ·  under review  ·  1 comment  ·  Authentication

  • Configuration of SAML 2.0 responses - hash algorithm (SHA1 v SHA256), message signing

    Are there any plans to add further configuration options to the AAD SAML 2.0 functionality?

    When acting as an IdP in a SAML 2.0 federation, unlike ADFS, there do not appear to be any options to customize the SAMLResponse which is returned to the Relying Party.

    The options that I'm particularly interested in are:

    - The ability to define the "Secure Hash algorithm" to be either SHA1 or SHA256 - as per this previous post - http://feedback.azure.com/forums/169401-azure-active-directory/suggestions/4762132-customizable-token-signing-hash-algorithm-sha256- many Service Providers only support SHA1, meaning it is not currently possible to federate with these systems.

    - Message & Assertion signing…

    12 votes  ·  1 comment  ·  Authentication

  • Azure AD v2.0 OAuth2 Account Consent Page always lists "Access your data anytime" even though offline_access is not specified in scope

    When using either OpenID Connect or OAuth2 authorization code flow, the Account Consent page always displays "Access your data anytime".

    According to the documentation this should only be displayed if the offline_access scope is requested.

    11 votes  ·  6 comments  ·  Authentication

    Admin response: This current behavior is as described, due to the refresh token issuance behavior of the v1.0 endpoint. However, we’re planning to fix this to require the developer to request `offline_access` within the next 3 months. Keep an eye on our release notes and this Uservoice entry for when this is fixed.

    In the interim, we’re changing the text of the offline_access scope to be more accurate and less alarming.

  • OpenID Connect id_token is missing email claim

    The id_token issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) is missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?

    11 votes  ·  0 comments  ·  Authentication

  • Azure Active Directory Seamless Single Sign-On - Multi-tenants in a single forest hosting environment

    We have multi-tenants in a single forest hosting environment synchronizing different customers (each in a different OU) to their own O365/Azure AD tenant account. At the current moment, Seamless Single Sign-On only supports one O365/Azure AD tenant for sign on in the current setup we have. This is due to a computer account called AZUREADSSOACC created in Windows AD. We want to adopt Seamless Single Sign-On, but as it only supports one O365/Azure AD tenant for sign on we cannot use it.

    10 votes  ·  under review  ·  2 comments  ·  Authentication

  • Synology DiskStation

    SSO integration with Synology DiskStation products.

    9 votes  ·  1 comment  ·  Authentication

  • Allow Custom Token Lifetime

    For web applications that are not implemented as a SPA, using Azure AD for a line-of-business application with a token lifetime of an hour is not enough in some scenarios.

    Can we please have the ability to customise when the token will expire?

    9 votes  ·  2 comments  ·  Authentication