Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Pass Through Auth in ADconnect for Azure Government

    Support of PTA in Azure Gov meeting HSPD-12 mandates.

    17 votes
    1 comment  ·  Authentication
  2. Allow more than 150 groups to be returned in the SAML assertion

    As part of the SAML assertion of a user we get the groups from the Azure AD. But for some users that are in many groups (> 150) Azure AD does not send the list of groups.
    Please allow either more than 150 groups or enable an easy way to get all groups of a user.

    16 votes
    0 comments  ·  Authentication
  3. Android Enterprise Kerberos Support for MS Authenticator and Company Portal

    On Android Enterprise there is a way to enable Kerberos/SPNEGO based SSO for all WebViews out of the box without any change of code. Since MS Authenticator and Company Portal are used for SSO authentication of native Office Android Apps, it would be beneficial to activate this option. This would allow an enterprise user to have seamless/login-free SSO.

    The scenario is that in the enterprise context the Office 365 login is often federated to an on-premises IdP. That IdP usually is kerberized and understands SPNEGO. I can see that in MS Authenticator I get redirected to the IdP but Kerberos…

    16 votes
    0 comments  ·  Authentication
  4. Azure AD v2.0 OAuth2 Account Consent Page always lists "Access your data anytime" even though offline_access is not specified in scope

    When using either OpenID Connect or OAuth2 authorization code flow, the Account Consent page always displays "Access your data anytime".

    According to the documentation this should only be displayed if the offline_access scope is requested.

    15 votes
    9 comments  ·  Authentication

    This current behavior is as described, due to the refresh token issuance behavior of the v1.0 endpoint. However, we’re planning to fix this to require the developer to request `offline_access` within the next 3 months. Keep an eye on our release notes and this Uservoice entry for when this is fixed.

    In the interim, we’re changing the text of the offline_access scope to be more accurate and less alarming.

  5. OpenID Connect id_token is missing email claim

    The id_token issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) are missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?

    14 votes
    2 comments  ·  Authentication
  6. Allow RADIUS attributes to be sent to RADIUS Client when using Azure AD MFA for NPS Extension

    Azure AD MFA Extension for NPS works really well, however it wipes out RADIUS attributes configured on a network policy to send back to a RADIUS client. Specifically, we want to pass through the name of an ASA group policy to apply to a logged in VPN user. This doesn't get sent to the RADIUS client when the Azure AD MFA extension is in use.

    This occurs on Server 2016 and Server 2019. On an NPS server without the Azure AD MFA Extension this works as expected.

    13 votes
    3 comments  ·  Authentication
  7. Exclude certain AD Groups from the policies of Azure AD Password Protection (MAB Devices)

    When using MAB authentication in a domain, one often has to provide the MAC address as both the username and the password. Examples can be IP telephones, computers that are being installed with SCCM, printers, …

    AAD PPM does not allow names to be equal to passwords, which is basically correct, but MAB is a common way of registering certain hardware.

    It would be a good idea to make AAD PPM configurable so that specific accounts can be exempted from AAD PP on an AD-group basis or by some other means.

    13 votes
    0 comments  ·  Authentication
  8. About early adopted Azure Portal for new function

    I hope to be able to choose the Azure tenant type for adopting new functions.
    For example, Azure AD is currently deploying LinkedIn integration, but some tenants have it and others do not, and the implementation period is unclear.
    So, we require the ability to choose to adopt new functions, which Office 365 has already configured.
    https://docs.microsoft.com/en-us/office365/admin/manage/release-options-in-office-365?view=o365-worldwide

    13 votes
    0 comments  ·  Authentication
  9. Password policy

    For cloud-only accounts, the current password policy in Azure AD restricts the use of the last used password ONLY. In my organization the general password policy guideline is to prevent use of the last 10 passwords. This would be a great feature if this can be configurable. Would love to see this.

    12 votes
    1 comment  ·  Authentication
  10. Configuration of SAML 2.0 responses - hash algorithm (SHA1 v SHA256), message signing

    Are there any plans to add further configuration options to the AAD SAML 2.0 functionality?

    When acting as an IdP in a SAML 2.0 federation, unlike ADFS, there does not appear to be any options to customize the SAMLResponse which is returned to the Relying Party.

    The options that I'm particularly interested in are:

    12 votes
    1 comment  ·  Authentication
  11. Have the ability to use all Azure AD user attributes for customized claims in the Azure AD SAML token.

    Allow the use of all Azure AD user attributes in a claim. Currently we have a requirement to add Azure AD synced attributes to be sent as a claim for SAML authentication. For example, attributes such as 'Manager' or 'immutable ID' are not supported. Can we have the option to use all available attributes as part of the claim?

    11 votes
    2 comments  ·  Authentication
  12. Verification without a cell phone

    There should be a way to verify w/o a phone. I was recently working remote and my phone died. I was unable to work. Seems like an alternative should be available for such occasions.

    11 votes
    4 comments  ·  Authentication
  13. Expose all the attributes available for dynamic device groups.

    This would allow easy separation between internal managed devices and BYO devices. Attributes such as IsManaged or DirSyncEnabled are not available even when creating advanced rules.

    11 votes
    4 comments  ·  Authentication
  14. Azure AD SAML Claims Rules and import Service Provider metadata

    Most customers of O365 have an on-premises AD to connect ADFS to... we don't. We only have our Azure AD. We would really like to have the ability to use more full-featured ADFS services from Azure AD; for instance, some applications we want to connect to can only receive NameID, so the ability to transform SAM Account Name to NameID would be very helpful. Further, importing the metadata from a SAML service provider would complete the circle and allow a more complete set of Azure AD app SSO services.

    11 votes
    2 comments  ·  Authentication
  15. post_logout_redirect_uri Error Stuck On Office365 Azure OAuth2 Logout Event

    I have an application on MS Azure that uses Office 365 authentication.
    When my app accesses the logout protocol like this below:
    https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={my_redirect_uri}

    It should normally log out all of the user's MS login sessions and then redirect me to {post_logout_redirect_uri} when the session is there and I log out.
    The case happens when I have already logged out my account from other MS apps (e.g. Outlook): the session is already destroyed, and then my application accesses the URI above (line 3).
    The bug is it doesn't redirect me, and gets stuck at a page that says "You signed out of your account,…

    10 votes
    2 comments  ·  Authentication
  16. Make the My Apps Secure Sign-in Extension available in Safari

    It works well in Chrome, Edge and Firefox but 50% of our users are using Safari as their preferred browser. This is currently preventing us from deploying Password-Based SSO for some of our apps.

    10 votes
    0 comments  ·  Authentication
  17. Allow use of the 'Keep Me Signed In' prompt when Azure Seamless SSO is enabled.

    If a user had selected the 'Keep Me Signed In' option after login, prior to Azure Seamless SSO being enabled - the experience is great. They are seamlessly signed in with no need to verify their email address.

    If a user had not selected 'Keep Me Signed In' option after login, prior to Azure Seamless SSO being enabled - the experience is poor. Any time they access a web app they are prompted to pick an account, after which there is no prompt or opportunity to select 'Keep Me Signed In'.

    Please bring this feature on-board when Azure Seamless SSO…

    10 votes
    1 comment  ·  Authentication
  18. Enable more granular password policy

    The options for configuring the password policy are currently not very flexible.
    Many organisations have security policies that are more complex than what can be enforced with on-prem AD, necessitating 3rd-party software.
    Within Azure, the password policy options are even less flexible than in on-prem AD.
    For example, allow specifying the valid character set with a regular expression.

    10 votes
    0 comments  ·  Authentication
  19. V2.0 Client Credentials Implement Scopes

    The current Azure AD v2.0 Client Credentials Grant doesn't formally support scopes.

    You have to pass in your application ID appended with .default (Not a scope) which then forces you down the permissions route. You also end up with roles in your token instead of scopes.

    In order to conform to the OAuth standard, scopes should be supported like they are in other grants/flows.

    It also makes it difficult to implement in our services as we have to support two completely different models.

    9 votes
    3 comments  ·  Authentication
  20. Allow a FIDO2 or oauth device to be the default authentication factor instead of the mobile app

    When testing the FIDO2 authentication key, I remarked that most web services redirected to the mobile app
    even though no authenticator had been configured.
    Rendering logon impossible on aka.ms/mfasetup, for example....

    So therefore it's not usable for corporate users that don't want to use their mobile....

    I tried to put it as the default but only the authenticator app could be selected. I called support, who told me to open a feature request.

    9 votes
    1 comment  ·  Authentication