Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Grant Azure AD Identity Protection access by group or role instead of just user

    Currently Azure AD Identity Protection access is granted by user. (In addition to overall tenant admins.)

    Should be possible to grant access using groups. This should include both Azure AD groups as well as groups sync'd from on-premises AD.

    2 votes
    0 comments  ·  Identity Protection
  2. AzureAD Roles can be used as groups

    Please make it possible to make a dynamic AzureAD group from the MsolRole.
    Ex. make it possible to create a dynamic group from the MsolRole "Company Administrator" - then we can use this group in Azure Identity Protection.

    2 votes
    0 comments  ·  Identity Protection
  3. Idea

    Ring quiet rule

    1 vote
    0 comments  ·  Identity Protection
  4. Drop Risky Sign-In Attempts

    Add an option for Identity Protection Risk events to drop traffic that comes from risky attempts, rather than block/lockout. For example, if someone attempts to log in with an anonymous IP address, drop the traffic but do not lock the account out. This would still prevent the access attempt, but it would also prevent the legitimate user from being locked out of their account just because someone attempted to access the account (and failed).

    1 vote
    0 comments  ·  Identity Protection
  5. Export risk events from Azure AD Identity to Event Hub

    Azure AD Identity Protection events are currently not possible to export to an event hub.

    1 vote
    0 comments  ·  Identity Protection
  6. Managing a tree structure for Azure Active Directory Users

    It would be good to have a tree structure while viewing the users in azure active directory.

    For example, to have a clear distinction between two colleagues who belong to two different departments. This will also help to manage the third-party developers.

    1 vote
    0 comments  ·  Identity Protection
  7. Provide a prompt when using azure MFA with RDP

    Currently if you use Azure MFA and remote desktop with the NPS doing the authentication, the user receives no prompt that the server is waiting for MFA to be approved on the device. As per your own article on it, the RDP connection will just sit at initiating remote connection until it fails, so if the user's phone is in another room they just call help desk asking why they can't login.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#verify-configuration

    A simple "please approve the MFA prompt on your MFA device" notification on this screen would make it a 1000% more useful and cut down a heap…

    1 vote
    0 comments  ·  Identity Protection
  8. Azure AD Identity Protection alerts should only send to users that are chosen.

    Currently email alerts are sent to all global admins, security admins and security readers. There is no way to remove those users from receiving alerts. Only users that are selected to be included should receive the email alerts.

    1 vote
    0 comments  ·  Identity Protection
  9. Allow Azure AD Identity Protection alerts to be disabled.

    Currently all global administrators are alerted when user risk level is at high, but there is no way to turn off the alerts.

    1 vote
    0 comments  ·  Identity Protection
  10. Additional Info for Risky Users in AIP

    We would like to see the reason for the Risky sign-ins. This would help us identify why AIP flagged our users. Is it because of impossible travel or anonymous IP etc in Risky Users blade under AAD.

    1 vote
    0 comments  ·  Identity Protection
  11. Prevent password brute force by blocking suspicious IP address

    Conditional Access comes into play after checking user and password. Having country blocking or a block list of IPs there is too late.

    Every night there are a lot of password brute force attacks from mostly the same IP address. To protect the users from being locked out when they arrive in the morning, these IPs are added to a blacklist, but the requests from these IP addresses are not blocked like a firewall would do. These requests are going to Azure AD to authenticate the user; after some wrong passwords the account is locked out…

    1 vote
    0 comments  ·  Identity Protection
  12. Alert, France is irradiated by radiation, the tap water is contaminated, and 6.4 million French people are affected, by tritium, a

    Sirs, alert the whole world: France is irradiated, and 6.4 million French people are contaminated, through the tap water, by tritium, a radioactive isotope. Eat salt to protect your thyroid gland, and get a blood test called TSH, and this is not a joke!!!!! And they said nothing on television, so as not to panic the French population!

    1 vote
    0 comments  ·  Identity Protection
  13. There is no telephone number or email to contact you!!!! You claim to be phoning my

    Your customer support is terrible. No tel. no or email.
    No two-party phone verification was received to the telephone number I have used repeatedly in the past.

    My idea is to fire your service!!!!

    1 vote
    0 comments  ·  Identity Protection
  14. Respect exclusions for MFA registration vulnerability assessment

    Azure AD Identity Protection may show a medium risk vulnerability, "Users without multi-factor authentication registration", even though all in scope users are registered for MFA. The issue here is that excluded users appear to be factored into this vulnerability assessment.

    In our case, the only users not enabled for MFA are service accounts which shouldn't have MFA enabled (e.g. Azure AD Connect), and are thus explicitly excluded from our MFA registration policy in Azure AD Identity Protection.

    Apart from the warning on the Azure AD Identity Protection dashboard, this also results in getting a warning every week in our security…

    1 vote
    0 comments  ·  Identity Protection
  15. Implement Access Review for Exchange Online

    Allow doing an Access Review directly on mailboxes and their Full or Send As permission (other settings would also be interesting).

    1 vote
    0 comments  ·  Identity Protection
  16. Reduce False positives on risky sign-ins

    Reduce False positives on risky sign-ins like impossible to travel with office access and cell towers and unknown location that is a little then 15 mil (in same state)

    1 vote
    0 comments  ·  Identity Protection
  17. AAD Risky Management clearing Risks more options

    I do not want to reset risks on users that should be blocked; we need a controlled reset. Like older than 30/90 days reset all. Or reset all excluding unsuccessful MFA, or reset all excluding unsuccessful SSPR or password changed since risk, or reset all excluding AD groups like service accounts that don’t have an AADIP risk policy.

    1 vote
    0 comments  ·  Identity Protection
  18. 1 vote
    0 comments  ·  Identity Protection
  19. Risky IP report preview

    We have installed the Azure AD Connect Health agent for ADFS in order to test the new "risky IP" functionality to detect against password spray attacks.

    It would be useful for additional information to be included in this report, such as which users were attempted. At the moment you are only given a count of the number of unique users attempted, but you are not able to determine from this whether it was simply a case of misspelling the UPN or not. It would be useful to see this in order to determine false positives.

    Thanks

    1 vote
    0 comments  ·  Identity Protection
  20. DCR - AAD legacy auth flow can’t handle the risk, handle the risk on modern flow for the legacy auth flow.

    User with Aadip politics all applies and user with risks will be automatically remediated via modern flow; with basic legacy auth flow there is no automatic remediation. The DCR is: if a user gets a risk on basic legacy auth flow, remediate via next modern flow. Detect the risk and automatically remediate with next modern flow.

    1 vote
    0 comments  ·  Identity Protection