Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
banned password message azure ad password protection
Add GPO or client to Windows Client for Azure AD Password protection to display the corporate password policy on login when the user's change password and it's banned. Give users on prem what they can and cannot use as feedback if they put a bad one in.
57 votesThanks for the feedback. This is something we are thinking about.
-
Show location for Azure AD sign-ins from IPv6 addresses
Please add location information to sign-ins from IPv6 addresses. Currently there is no location information associated with IPv6 so it is circumventing all the Azure AD Identity Protections you have in place.
48 votesThanks for your feedback, folks. We have been working towards resolving the locations for IPv6 logins. Currently, a subset of such logins are getting resolved for location and the % will gradually go up. Are you seeing some of your IPv6 logins with resolved location?
-
B2B User Identity Protection Status
B2B (Guest) users should show up in the "Risky Users" report if they are being blocked from your AAD tenant. I had a case where the B2B user failed to enroll in MFA within the grace period, then failed enough of their logins that Identity Protection flagged them as "High Risk", but there is nothing to indicate that in any query or report that the tenant admin has access to view. All we could find was a message that they needed to enroll in MFA, which we reset about 10 times before support checked diagnostics on the backend and found…
17 votesThis is something we are investigating.
-Sarah
-
Marking a risky sign in as "Confirmed Safe" in the ID protection blade should factor in to the algorithm for future sign ins
In the risky sign ins report or risky users report in AD Identity Protection you can mark a risky sign in as "confirmed safe." However this does not allow future sign ins from this IP. If an administrator confirms that the sign in is not risky, future sign ins for this user from this location should not be considered risky.
16 votesThank you for your feedback. We are reviewing options for integrating feedback provided by confirm safe/compromised. In the interim, if you want to mark specific IPs as safe for Identity Protection in your tenant, you can do so my marking them as trusted locations. More information is available here (make sure to check the “mark as trusted location” checkbox): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations
-
"Sign-in Risk" Policy Control Addition?
Add a "Disable account" control to the "Sign-in Risk" policy for the Azure Identity Protection service.
In addition, since Azure supports password write-back to an on-premises AD, it would be great to also disable user's on-premises AD account as well.
Currently, one of the admins has to catch an alert email from Azure Identity Protection and then take action to manually disable an account on-premises if an event happens.
16 votes -
Notify end-users when an risky sign-in (e.g. sign-in from an anonymous IP address) event is created
Can a feature be added to notify end-users by email when Azure AD detects a risky sign-in event (e.g. sign-in from an anonymous IP address) on their account, so they're able to take immediate action if their account is compromised?
14 votes -
Additional Info for Risky Users in AIP
We would like to see the reason for the Risky sign-ins. This would help us identify why AIP flagged our users. Is it because of impossible travel or anonymous IP etc in Risky Users blade under AAD.
12 votes -
Enhanced Reporting for Azure AD Password Protection
We are running Azure AD Password Protection on-premise mode. The PowerShell summary report is ok, but only works for admins. It would be better to have a report available in the Azure Portal for management to review easily. The report could allow us to see the same summary stats that exist in the PowerShell report.
Also, Individual event data is only available in the Windows Event Viewer where the user attempted to change their password. We have no way to centrally search for an event by user without checking all our DCs. In addition, the helpdesk have no privileges to…
12 votes -
Risky user email notification is confusing
Risky user email notification is confusing.
When a user click the link on an email, he/she goes to "Risky users (Preview)" page. However this page is confusing. Especially, sometimes it says "No risky sign-ins found" on "Resent risky sign-ins" tab. The link should navigate users to "Azure AD Identity Protection" page, which is intuitive and easier to understand.10 votes -
Allow the 'Users at risk detected' and 'Weekly Digest' emails to be sent to EXO Contacts or specified external addresses
As a service provider, a number of our customers consume managed AAD IP and we want to be able to receive these emails in to our SDM solution.
I am sure we could write some custom integration but it'd be super helpful if we could just use the standard UI to configure where the user notifications and weekly digest report are sent to without there needing to be an additional licensed user account in the tenant to forward them on.
5 votes -
Please extend Azure AD Identity Protection to the B2C tenant
Please extend Azure AD Identity Protection to the B2C tenant
5 votesThank you for your suggestion. We are reviewing options to extend protections to B2C users.
-
Create seperate sign in risk policies for medium and high risk events
Would like to be able to create a seperate sign-in risk policy for medium and high risk events, medium policy would enforce MFA but let user continue working, high risk policy would block user access and preferably intiate sign out of all existing logins/tokens as this is a confirmed breech/exposure of credentials.
4 votesHey folks,
We’ve started the work on this.
@MarkMorow
-
Add check box option to exclude guest users from enrolling for MFA in Azure AD Identity Protection
We want the option to exclude guest users from MFA.
There is a check box option in Conditional Access to exclude Guest users from a policy, but not in MFA registration within Azure AD Identity Protection. Therefore guest users are still prompted to enroll for MFA (but excluded from MFA actions). As a workaround we have to create a group (i.e. 'All users'), add all AD users in to that group, and choose to include that group only for MFA registration.4 votes -
Azure AD password protection - Show suggestions
Along with leveraging fuzzy match and machine learning to stop users from keeping easy-to-guess passwords, it will be great to show some password suggestions when a banned password is entered.
This will improve user experience and help make organisation more secure.
3 votes -
The 14-day grace period is not configurable
Multifactor grace period is currently a non configurable 14 days grace period. make this value configurable
3 votes -
Export risk events from Azure AD Identity to Event Hub
Azure AD Identity Protection events are currently not possible to export to an event hub.
2 votes -
Create the ability to generate email alerts for risky sign-ins by type, rather than severity
Please, add the ability to generate email alerts for specific sign-in types (e.g. log-ins from anonymous IP addresses) to enable admins to refine their procedures based on what is deemed legitimate user behaviour.
2 votes -
Ability to export Risky Sign in policies programmatically
We need a way to export/consult Risky sign in policies.
In general, a feature should be released with its associated API to allow Microsoft customers to perform automation.
Support case 119070422001895 confirmed this was not possible.
2 votesThe work to do this has started.
-Azure AD
-
Identify Anonymising VPN Services in risks/alerts differently
We are seeing an increase of traffic from Anonymising VPN services from our end user base for publicly accessible applications that is generating a lot of alerts.
Some of their are IP Addresses are listed, obviously given how they work, some of them won't be. but for the ones that are, this should display or alert differently than just the A-typical location alerts. Or at the least identify that it might be Anonymising VPN traffic in the alert.
This may not be the easiest of tasks, but given the Anonymising VPN market growth and usage, it should be considered.
2 votes -
Enable Azure Active Directory Identity Protection integration with Service Now
I consult for an Enterprise where Service Now is used to capture all DevOps work (tickets). I would like to see rather than an email alert from an Azure AD IP event the ability to raise a Service Now ticket
2 votes
- Don't see your idea?