Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. 1 vote
    0 comments  ·  Microsoft Identity Manager
  2. Add ability to add child domain after MA already set up

    After you configure a management agent in MIM, you can't go back and select a child domain to be synced. It continues to run, but ignores the new partition and selected OUs.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  3. 1 vote
    0 comments  ·  Microsoft Identity Manager
  4. Graph Connector Issue: Manager update wrong HTTP method

    An issue is present in the Graph Management Agent Version 1.1.913.0.

    If you want to update the manager of a user, the connector sends a POST request against Graph.

    The issue is that the function Assign manager is listening on HTTP PUT.

    StackTrace below:
    Method Name : ExportContext : Export Export failed
    --------- Outer Exception Data ---------
    Message: Error during http call. HttpStatusCode: MethodNotAllowed;
    url: https://graph.microsoft.com:443/Beta/users/{GUID removed}/manager//$ref/;
    Response: {
    "error": {
    "code": "Request_BadRequest",
    "message": "Uri is invalid for a POST operation. The URI must refer to a service operation or an entity set.",
    "innerError": {
    "request-id": "{GUID removed}",
    "date": "2019-05-21T06:41:51" …

    1 vote
    0 comments  ·  Microsoft Identity Manager
  5. Add frontend MFA to PAM

    PAM can only do MFA via CustomPhoneProvider, which has its issues:
    - Users must have a phone number (or the provider is not called)
    - In effect limits you to Back-end MFA (phone call, or push notification)
    - Frontend can be achieved, but technically much harder.

    Allow the PAM API to get tokens/inputs/other from frontend.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  6. Add logging to PAM API

    From what I have experienced, the PAM API does not log anything of value. Please make it log when it has problems; debugging running processes is not logging.

    Alternatively: If it can log, please document how to configure it.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  7. Allow PAM to join MIM Sets

    The basis of PAM is that you have to activate privileges... But somehow MIM cannot do this for itself?

    (Correct me if I am wrong, but I was unable to create a Set that targets users who have activated a PAM role. I was able to target the PAM Requests, but not extract the users.)

    Alternatively: Allow Security Groups in AD to be a member of a set directly, not with Sync.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  8. Fix PAM API to not use impersonation for Active Directory

    In some patch or another the PAM API was altered to call Active Directory in the caller's context, which for Constrained Delegation means you have to add the SPN for LDAP for all your domain controllers.

    According to my brief read of the code it seems it only does this to... find the user's expiration date.

    For AD reads, use the service account's identity, not impersonation.

    Relevant blog post:
    https://www.steadyblog.com/microsoft-identity-manager-sp1-pam-rest-api-requests-either-fail-with-http-404-or-500-when-calling-remotely/

    1 vote
    0 comments  ·  Microsoft Identity Manager
  9. Support Managed Service accounts in PAM PowerShell Cmdlets

    Managed service accounts cannot use (all) the PAM Cmdlets correctly.

    Get-* works.

    But creation does not work. Why:
    - The source code assumes the caller is a user when it tries to resolve its SID (to populate the creator id in MIM)

    1 vote
    0 comments  ·  Microsoft Identity Manager
  10. open-source adconnect / mim

    ADconnect also known as MIM are the primary tools for syncing AD or other accounts. Yet they do not seem to get much attention from Microsoft developers. I'm talking about the basic sync engine, not the portal service. It basically works, but it's lacking quite a lot of features that would make the life of our customers better. Things like alerting, and being able to manage the connector space when something goes wrong. Remove an outstanding delete or add one if needed without needing to delete the entire connector space. Adding a scheduler into the GUI. Things useful to fix corrupted…

    1 vote
    0 comments  ·  Microsoft Identity Manager
  11. declared import filter function in AD LDS MA

    AFAIK and as mentioned by the documentation, the pre-import filtering (aka declared import filter function) is only working on the MIM AD MA...

    Although you can select the same function in the AD LDS MA, it doesn't work.

    Per customer demand, it would be great to have that pre-import filter on the AD LDS MA too.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  12. Declared (Import-Filter) / Pre-Import Filter

    It would be nice to have the same option to keep objects out of the AD CS in AAD Connect as MIM Sync does. We have over 300K groups and quite a few very large security groups with 50K-250K direct members. We would like to be more granular on which groups even make it to the AD CS to be processed. Right now we only need to flow 20-30 security groups. The current delta sync cycle takes from 45min-5 hours to complete. This needs to be improved.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  13. Add a comment textbox or comment # to Custom Expressions

    For the most part, custom expressions can be quite hard to read in the MIM portal interface. For complex scenarios it would be helpful to be able to comment on the code, what it actually does. So a way of commenting on the code would be nice. Perhaps with # like PowerShell, or a separate textbox or something.

    1 vote
    0 comments  ·  Microsoft Identity Manager
  14. Change Double Click behaviour when selecting an Attribute in the MetaVerse Designer Tab

    When you double click an attribute on the MetaVerse Designer screen, it would be better for the Precedence list to appear, rather than the edit attribute screen.

    1 vote
    0 comments  ·  Microsoft Identity Manager