Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

  1. Authenticating wireless access points \ RADIUS through Azure AD

    I would like to see authentication of wireless access points \ RADIUS servers through Azure AD, without having to store user accounts in local Active Directory.

    580 votes

    57 comments  ·  Authentication
  2. Microsoft Authenticator support for Tizen Samsung Gear S3 needed

    Please add Authenticator to the Samsung Gear S3 (Tizen).

    53 votes

    9 comments  ·  Authentication
  3. Certificate-Based Authentication (CBA) without Federation

    I would like to be able to use certificate-based authentication without the need for federation so users don’t have to enter username/password for the numerous Office mobile apps.

    We use Pass Through Authentication (PTA) to authenticate our Azure AD users against our on-premises AD, and we’d prefer not to have to implement a fault tolerant ADFS infrastructure for our 200 users. We have a Certificate Authority and have implemented Intune to push user certificates to staff mobile devices.

    The article below indicates CBA does work without federation for Exchange ActiveSync (EAS), so can this be expanded to work with Microsoft…

    43 votes

    6 comments  ·  Authentication
  4. OAuth 2.0 Dynamic Client Registration Protocol For Microservices scenarios

    Please add support for the OAuth 2.0 Dynamic Client Registration Protocol in Azure AD, supporting microservices-based architectures and managing their identity dynamically.

    30 votes

    5 comments  ·  Authentication
  5. Support for OAuth 2.0 SAML Bearer Assertion Flow

    I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.

    Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccess_oauth_SAML_bearer_flow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.

    I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the identity provider in exchange…

    28 votes

    4 comments  ·  Authentication

    Reposting so that folks get a notification – from Paul:

    Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Assertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.

  6. Support "Hub-and-spoke Federation with Centralised Login" SAML2.0 architecture

    Currently Azure AD only supports unique SAML2.0 IssuerUris.

    http://community.office365.com/en-us/f/613/t/295163.aspx

    In the "Hub-and-spoke Federation with Centralised Login" federation architecture, each tenant/company/organization/root-domain/educational institution shares/references the same IdP SAML2.0 IssuerUri.

    https://wiki.edugain.org/Federation_Architecture

    23 votes

    0 comments  ·  Authentication
  7. NIST 800-63B Digital Identity Guidelines

    Please update the password requirements to match both those of NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft https://www.microsoft.com/en-us/research/publication/password-guidance/.

    Also the ability to build a password blacklist.

    18 votes

    0 comments  ·  Authentication

    We’re well aware of the NIST 800-63B guidelines (and it’s my team that wrote that password whitepaper!). We’re currently making some foundational changes that should subsequently let us implement many or most of the password composition guidelines.

    As for a password blacklist, today we have a banned password list in place that prevents users from using known-bad words, phrases, and passwords. We also have a custom list feature that lets you define your own words and patterns. That’s in private preview today and we’re working to get it to public preview over the next few months.

  8. Sign-in to SharePoint 2016 with Guest accounts is challenging

    I have a custom enterprise application for SharePoint 2016, which has "Unique User Identifier" set to "user.userprincipalname" (default configuration), but the experience with Guest accounts is bad:
    - MSA Guest accounts identity set by AAD looks like "user_mail.com#EXT#@Tenant.onmicrosoft.com", which is counterintuitive. When granting permissions to those accounts in SharePoint, we expect to type UserUPN@Tenant.onmicrosoft.com, not user_mail.com#EXT#@Tenant.onmicrosoft.com
    - B2B Guest accounts identity set by AAD looks like "mail@Tenant.onmicrosoft.com", which is great and what we want, but it's inconsistent with the MSA Guest accounts and causes a lot of confusion.

    Can you fix this to always…

    16 votes

    9 comments  ·  Authentication

    Thanks for the feedback.

    For “Name” or other claims, you can now select “user.localuserprincipalname” as a source attribute. This will use UPN stored in the tenant for the guest user.

    This isn’t currently available for “NameID” but we’re working on that.

    Also, we’re working on an experience that will let you specify the source attribute based on the user type (AAD, AAD Guest, External Guest, All Guest).

    Let me know if you would be interested in providing early feedback on what we’re thinking to release.

    \Luis

  9. About early adopted Azure Portal for new function

    Hope to be able to choose the Azure tenant type for adopting new functions.
    For example, Azure AD is currently deploying LinkedIn integration, but some tenants have it and others do not, and the implementation period is unclear.
    So we need the ability to choose whether to adopt a new function, as Office 365 already has configured.
    https://docs.microsoft.com/en-us/office365/admin/manage/release-options-in-office-365?view=o365-worldwide

    13 votes

    0 comments  ·  Authentication
  10. Android Enterprise Kerberos Support for MS Authenticator and Company Portal

    On Android Enterprise there is a way to enable Kerberos/SPNEGO based SSO for all WebViews out of the box without any change of code. Since MS Authenticator and Company Portal are used for SSO authentication of native Office Android Apps, it would be beneficial to activate this option. This would allow an enterprise user to have seamless/login-free SSO.

    The scenario is that in the enterprise context the Office 365 login is often federated to an on-premises IdP. That IdP usually is kerberized and understands SPNEGO. I can see that in MS Authenticator I get redirected to the IdP but Kerberos…

    12 votes

    0 comments  ·  Authentication
  11. Add Shibboleth to the set of authentication protocols

    At present Azure AD can authenticate to SaaS using SAML, OAuth etc. Many academic institutions use Shibboleth which is based on SAML. Currently this means that they have to maintain a separate Shibboleth service in addition to AD FS (if using that for authentication). If a Shibboleth service could be added to Azure AD this would reduce the hardware/software complexity on-site and allow more Universities to take advantage of the Cloud Identity provided by Azure. Shibboleth is generally used to access shared education services, journals and other shared services.

    12 votes

    under review  ·  1 comment  ·  Authentication
  12. OpenID Connect id_token is missing email claim

    The id_token issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) are missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?

    12 votes

    0 comments  ·  Authentication
  13. Configuration of SAML 2.0 responses - hash algorithm (SHA1 v SHA256), message signing

    Are there any plans to add further configuration options to the AAD SAML 2.0 functionality?

    When acting as an IdP in a SAML 2.0 federation, unlike ADFS, there does not appear to be any options to customize the SAMLResponse which is returned to the Relying Party.

    The options that I'm particularly interested in are:

    - The ability to define the "Secure Hash algorithm" to be either SHA1 or SHA256 - as per this previous post - http://feedback.azure.com/forums/169401-azure-active-directory/suggestions/4762132-customizable-token-signing-hash-algorithm-sha256- many Service Providers only support SHA1 - meaning it is not currently possible to federate with these systems.

    - Message & Assertion signing…

    12 votes

    1 comment  ·  Authentication
  14. On premise Linux to Azure AD authentication and device enrollment

    Join On premise Linux to Azure AD
    Authentication On premise Linux must be against Azure AD
    Device enrollment in Azure AD

    11 votes

    1 comment  ·  Authentication
  15. Azure AD v2.0 OAuth2 Account Consent Page always lists "Access your data anytime" even though offline_access is not specified in scope

    When using either OpenID Connect or OAuth2 authorization code flow, the Account Consent page always displays "Access your data anytime".

    According to the documentation this should only be displayed if the offline_access scope is requested.

    11 votes

    6 comments  ·  Authentication

    This current behavior is as described, due to the refresh token issuance behavior of the v1.0 endpoint. However, we’re planning to fix this to require the developer to request `offline_access` within the next 3 months. Keep an eye on our release notes and this Uservoice entry for when this is fixed.

    In the interim, we’re changing the text of the offline_access scope to be more accurate and less alarming.

  16. Azure Active Directory Seamless Single Sign-On - Multi-tenants in a single forest hosting environment.

    We have multi-tenants in a single forest hosting environment synchronizing different customers (each in a different OU) to their own O365/Azure AD tenant account. At the current moment, Seamless Single Sign-On only supports one O365/Azure AD tenant for sign on in the current setup we have. This is due to a computer created called AZUREADSSOACC in Windows AD. We want to adopt the Seamless Single Sign-On but as it only supports one O365/Azure AD tenant for sign on we cannot use it.

    11 votes

    under review  ·  3 comments  ·  Authentication
  17. Allow Custom Token Lifetime

    For web applications that are not implemented as a SPA and use Azure AD for a line-of-business application, a token lifetime of an hour is not enough in some scenarios.

    Can we please have the ability to customise when the token will expire?

    10 votes

    2 comments  ·  Authentication
  18. Use nested functions in SAML Token Attributes for SSO

    Please allow the capability to use nested functions join(extractmailprefix([mail]),'some string') for SAML Token Attributes.

    The above nested function is already available for "User Identifier" but is not available for all other SAML Token Attributes.

    It would be supremely beneficial to use join() and extractmailprefix([mail]) together to craft SAML responses that show possible alias email addresses for a user.

    9 votes

    0 comments  ·  Authentication
  19. Azure AD SAML Claims Rules and import Service Provider metadata

    Most customers of O365 have an on-premises AD to connect ADFS to... we don't. We only have our Azure AD. We would really like to have the ability to use more full-featured ADFS services from Azure AD; for instance, some applications we want to connect to can only receive NameID, so the ability to transform SAM Account Name to NameID would be very helpful. Further, importing the metadata from a SAML service provider would complete the circle and allow a more complete set of Azure AD app SSO services.

    9 votes

    2 comments  ·  Authentication
  20. Verification without a cell phone

    There should be a way to verify w/o a phone. I was recently working remote and my phone died. I was unable to work. Seems like an alternative should be available for such occasions.

    8 votes

    2 comments  ·  Authentication