Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Make refreshing SSO sessions an option

    Currently, an SSO session has a fixed lifetime as configured by the SsoLifetime parameter, i.e., a user logs in, and once [SsoLifetime] minutes have passed, their SSO session ends, even if they were still active until minutes before.
    This is because a new SSO session is only created when an authentication is performed, but as long as an SSO session is active, (of course) no authentication is performed.

    There are use cases, however, where we want the user to be able to extend their SSO session whenever they are active, provided that their current SSO session is still valid.

    It…

    8 votes  ·  0 comments  ·  Authentication
  2. Allow Privileged Authentication user to Block and Unblock MFA

    It is logical that an Administrator that can force new MFA registration should also be able to Unblock MFA users. At this point it seems this still requires GA level access.

    8 votes  ·  0 comments  ·  Authentication
  3. Add Support to Azure AD Connect PTA for Integrated Windows Authentication

    We moved from AD FS to Pass Through Authentication, which turned out to not support IWA. We have several SQL jobs and users connecting to Azure Servers/DBs using IWA in SSMS, which no longer works as it is supported only in a federation flow. Unfortunately, due to this we had to back out of our PTA implementation. While there is a workaround in SSMS using an alternative authentication method, there isn't anything for our SQL jobs. We confirmed this with Microsoft when we opened a support case.

    8 votes  ·  0 comments  ·  Authentication
  4. Skipping account selection page in Azure AD v2 on consent

    Hello,
    We are using AD v2 implicit flow to authenticate a user from within SharePoint.
    The base url is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=<>&client_id=<>&redirect_uri=<>&state=<>&nonce=<>&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.1&client-request-id=<>&response_mode=fragment

    Prompt consent in combination with domain hint for an organization does not seem to work correctly.
    Here are our observations with the following parameters:

    A. &prompt=none&domain_hint=organizations | Works correctly and uses the organisational account
    B. &prompt=consent&domain_hint=organizations | Does not work and restarts the user login process incl. re-entering email address
    C. &prompt=consent | Works correctly and gives the user selection of logged-in accounts

    We would like if scenario B would work the same…

    8 votes  ·  0 comments  ·  Authentication

    Thanks for filing this. I cannot reproduce this under any variety of circumstances. prompt=consent & domain_hint=organizations drops me on the account picker as expected.

    Please reach out if this still happens for you, and we’ll help debug the issue.

    Thanks,
    Azure Identity AuthN team.

  5. Allow HTTP Redirect URIs from private address spaces as well as localhost

    localhost is currently the only host allowed for non-SSL Redirect URIs in OAuth2 authentications. This prevents HTTP development testing among various computers within an organization, since any "localhost" setting in a Windows 10 hosts file is ignored.

    I therefore suggest that hosts for HTTP Redirect URIs be also allowed to be a non-public IP address: 192.168.x.x or 10.x.x.x.

    8 votes  ·  2 comments  ·  Authentication
  6. Direct federation with OpenID Connect IdPs

    At this time, direct federation in preview can be set up with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. Please extend this to OpenID Connect IdPs.

    7 votes  ·  1 comment  ·  Authentication
  7. We need the ability to disable the “Show option to remain signed in” for specific users

    At this moment the only workaround for this issue is to hide the prompt for users by using the “Show option to remain signed in” setting in company branding, which would hide it for our whole tenant, and thus hide it from ALL users. We want to hide this just for specific users.

    7 votes  ·  0 comments  ·  Authentication
  8. have SAML AuthnRequest to include the username/email specified in Azure login forms

    When using any 3rd-party SAML IdP to federate Azure AD authentication, why don't you include the typed email (userID) from the Azure portal in the SAML AuthnRequest, so that forms-based IdPs can prefill the username to streamline and simplify authentication? The specs allow a <saml:Subject> as an optional part of the AuthnRequest.

    7 votes  ·  1 comment  ·  Authentication
  9. Document a full list of the opaque AAD error codes for OAuth dance failure

    The simple OAuth codes are documented here:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-protocols-oauth-code#error-codes-for-authorization-endpoint-errors

    ...however, there is no single resource which lists all the possible error codes given in the error description such as AADSTS65005 & AADSTS65004

    Such a resource would allow developers to handle OAuth dance failures in an elegant manner and give end users a better UX.

    Some background on this question:
    https://twitter.com/dvdsmpsn/status/811537895542624256
    https://social.msdn.microsoft.com/Forums/en-US/6e4e16f1-7f37-431d-ac10-a94ca9a04ae4/document-a-full-list-of-the-opaque-aad-error-codes-for-oauth-dance-failure?forum=WindowsAzureAD

    I've started a list of error codes here:
    https://gist.github.com/dvdsmpsn/1d6569bcd9197a08707ae6d443f554e2

    Feel free to add to these in the comments :)

    7 votes  ·  1 comment  ·  Authentication
  10. Support query parameters in Reply urls with Azure AD endpoint v2.0

    Azure AD endpoint 2.0 does not seem to support query parameters in the reply url.
    This is really useful to perform post login/logout action.

    http://stackoverflow.com/questions/37489964/custom-parameter-with-microsoft-owin-security-openidconnect-and-azuread-v-2-0-en

    7 votes  ·  0 comments  ·  Authentication
  11. Make Enterprise Apps searchable by Reply URL

    We have a ton of SSO'ed apps. If an app is misspelled/mislabeled during creation, the vendor changes product names, or you have multiple similar apps with the same company it can be very difficult to identify the appropriate enterprise app. I think it would be very helpful if we could also search by reply URL.

    I love the new Enterprise Apps experience. You guys rock - thanks for being awesome!

    6 votes  ·  0 comments  ·  Authentication
  12. allow fido2 or oauth device to be the default authentication factor instead of the mobile app

    When testing the FIDO2 authentication key, I noticed that most web services redirected to the mobile app even though no authenticator had been configured, rendering logon impossible on aka.ms/mfasetup, for example.

    So therefore it's not usable for corporate users that don't want to use their mobile.

    I tried to set it as default, but only the authenticator app could be selected. I called support, who told me to open a feature request.

    6 votes  ·  1 comment  ·  Authentication
  13. Azure SSO SAML Token to support selective attributes encryption

    Support selective attribute (first name, last name, unique ID etc.) encryption in the SAML token for SSO. This is a requirement for all applications to which user identity information must NOT be sent in clear text but rather encrypted.

    6 votes  ·  0 comments  ·  Authentication
  14. Bug: Malformed OAuth 2.0 access token response

    Steps to reproduce

    Request an access token by following the instructions at Request an access token.

    Expected

    expires_in is a number, as in the example and RFC 6749:

    "expires_in": 3599,

    Actual

    expires_in is a string:

    "expires_in": "3599",

    6 votes  ·  3 comments  ·  Authentication
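An added example (not from the post or from Microsoft) of client-side handling for the mismatch reported above: `expires_in` is accepted either as the RFC 6749 number or as the stringified form this report describes, and anything else is rejected rather than guessed at. The sample responses are constructed and the token value is a placeholder.

```python
import json
import time

# Constructed sample token responses; the token value is a placeholder.
SPEC_COMPLIANT = '{"token_type":"Bearer","expires_in":3599,"access_token":"<token>"}'
STRINGIFIED = '{"token_type":"Bearer","expires_in":"3599","access_token":"<token>"}'
MALFORMED = '{"token_type":"Bearer","expires_in":"soon","access_token":"<token>"}'


def normalize_expires_in(value):
    """Return expires_in as a non-negative int.

    Accepts a JSON number (int) or, to tolerate the bug reported above,
    a string of ASCII digits. Anything else is rejected instead of guessed
    at; bool is excluded explicitly because it is an int subclass in Python.
    """
    if isinstance(value, bool):
        raise ValueError("expires_in must be a number, got a bool")
    if isinstance(value, int):
        seconds = value
    elif isinstance(value, str) and value.isascii() and value.isdigit():
        seconds = int(value)
    else:
        raise ValueError(f"expires_in is not a numeric lifetime: {value!r}")
    if seconds < 0:
        raise ValueError("expires_in must be non-negative")
    return seconds


def parse_token_response(body, now=None):
    """Parse a token endpoint JSON body into a dict with an absolute expiry.

    RFC 6749 only recommends expires_in, so a missing value is passed
    through as None rather than being invented; a present but unusable
    value raises, because the client cannot then decide when to refresh.
    """
    data = json.loads(body)
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response lacks required members")
    now = time.time() if now is None else now
    raw = data.get("expires_in")
    lifetime = None if raw is None else normalize_expires_in(raw)
    return {
        "token_type": data["token_type"],
        "access_token": data["access_token"],
        "expires_in": lifetime,
        "expires_at": None if lifetime is None else now + lifetime,
    }
```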
  15. worst system ever

    worst system ever. this is ridiculous

    6 votes  ·  1 comment  ·  Authentication
  16. Access Panel Extension for Edge Browser

    Edge supports browser extensions now. We should have an Access Panel browser extension for Edge!

    6 votes  ·  3 comments  ·  Authentication
  17. Avoid Sign-in prompt on iOS by adding Redirect URI scheme for Apple device in Safe List

    When adding a new Microsoft Exchange account under Settings / Password & Accounts on an Apple iOS device to access O365, after authentication a consent page is displayed (see screenshot). This page is not clear to users, and we have seen cases where the device would be stuck on it (Continue or Cancel wouldn’t work)
    Looking at AAD logs and after opening a case, we found out that this page is displayed because the redirect URI that the iOS device sends back to AAD is not in the “Safe List” (http://, https://, msauth:// (iOS only), msauthv2:// (iOS only)…

    5 votes  ·  1 comment  ·  Authentication
  18. More Granularity in Conditional Access: Session Controls for Sign-In Frequency

    The Sign-In Frequency Session Control can only be set in hours and days. I would like to see minutes as an available option as well. There could be a situation where a user closes a sensitive application but does not close the browser and walks away where someone else could tailgate in on that session.

    5 votes  ·  0 comments  ·  Authentication
  19. azure ad domain services SAM account

    For Single Sign On with Azure AD as the source of users for Azure AD Domain Services, is it possible to rewrite the SAM account to Azure AD, so that Azure AD joined-only devices do not generate a NetBIOS name/SAM account on login of a user, but get this information from Azure AD as well?
    Now we have issues with AADDS joined servers and applications with SSO.

    5 votes  ·  0 comments  ·  Authentication
  20. Support more SAML SSO wildcard Reply URL patterns

    If I have an app that sends a SAML AuthnRequest with an ACS URL of https://foo.bar.someapp.com/portal/login, then the following configured Reply URLs currently work:

    https://foo.bar.someapp.com/portal/login
    https://foo.bar.someapp.com/*
    https://*.bar.someapp.com/*

    I need this to work (which does not work today):
    https://*.someapp.com/*
    https://*.someapp.com/portal/login
    https://foo.*.someapp.com/portal/login

    Thanks!

    5 votes  ·  1 comment  ·  Authentication
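An added example (not from the post, and not Azure AD's own matching logic) of a conservative Reply URL matcher checked against the ACS URL and patterns listed above: `*` matches exactly one DNS label in the host and only a trailing path suffix, so a wildcard can never cover an extra subdomain or a non-https scheme. The pattern lists are taken from the post; the matching rules are this example's assumption.

```python
from urllib.parse import urlsplit

ACS_URL = "https://foo.bar.someapp.com/portal/login"  # ACS URL from the post

WORKING = [  # patterns the post reports as accepted today
    "https://foo.bar.someapp.com/portal/login",
    "https://foo.bar.someapp.com/*",
    "https://*.bar.someapp.com/*",
]
REQUESTED = [  # patterns the post asks to have accepted
    "https://*.someapp.com/*",
    "https://*.someapp.com/portal/login",
    "https://foo.*.someapp.com/portal/login",
]


def host_matches(pattern_host, host):
    """Compare hostnames label by label; '*' stands for exactly one label,
    so the label count must agree and a wildcard cannot absorb additional
    subdomains (e.g. evil.foo.bar.someapp.com against *.bar.someapp.com)."""
    p_labels, h_labels = pattern_host.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def path_matches(pattern_path, path):
    """'*' is honoured only as a trailing segment ('/portal/*'); anywhere
    else the pattern path must match the request path exactly."""
    if pattern_path.endswith("/*"):
        return path.startswith(pattern_path[:-1])
    return pattern_path == path


def reply_url_allowed(pattern, url):
    """Accept the URL only over https, with label-bounded host wildcards and
    a path that the pattern covers. Malformed inputs are rejected, not guessed."""
    p, u = urlsplit(pattern), urlsplit(url)
    if p.scheme != "https" or u.scheme != "https":
        return False
    if not p.hostname or not u.hostname:
        return False
    return host_matches(p.hostname, u.hostname) and path_matches(p.path, u.path)


def matching_patterns(patterns, url):
    """Return the subset of patterns that admit the given URL under these rules."""
    return [p for p in patterns if reply_url_allowed(p, url)]
```

Under these single-label rules all three working patterns admit the ACS URL, but of the requested ones only `https://foo.*.someapp.com/portal/login` does; the `*.someapp.com` forms would need a wildcard spanning two labels.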