Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

  1. Access Reviews: Apply to new groups and/or multiple groups

    It would be VERY beneficial to apply an Access Review policy to new groups as they are created, eliminating the management overhead of creating new policies AFTER each group is created.
    Also, if an Access Review Policy could be applied to multiple groups at a time, Access Review management overhead would be reduced.

    20 votes
    3 comments  ·  Access Reviews

    Thanks for all the feedback, we have made progress on this and the ability to apply the same policy to multiple groups (and applications) is now live! You can include multiple groups or apps in a single Azure AD access review for group membership or app assignment. Access reviews with multiple groups or apps are set up using the same settings and all included reviewers are notified at the same time. (more info in “What’s new in AAD, Feb 2019” https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new)

    We’ll be continuing to work on applying an Access Review policy to new groups as they are created, and update here when that’s done.

    /Fionna :)

  2. Add Manager Option to Reviewers in Access Reviews

    Our organization requires Managers to approve access to Applications. Please give the option to require a manager to approve application access via the Access Reviews option.

    12 votes
    3 comments  ·  Access Reviews

    Hi Justin, thanks for the feedback! It will definitely be helpful to have managers as the reviewers, there is a “manager” attribute in AAD’s user profile, but it’s currently a string only. We are working to improve the architecture first, then we can leverage the data to automatically assign managers to be reviewers. If you have any more feedback or questions on this, feel free to comment on this thread or email accessreviews@microsoft.com.

  3. Access review for subscription

    Expand access reviews to support Azure Subscription and Resources for explicit assigned identity.

    6 votes
    1 comment  ·  Access Reviews
  4. Access reviews should also apply to Directory access

    Access Reviews should let you review guest users' access on the directory level. Using a dynamic group with all guest users in it, I should be able to have access reviews DELETE the user from the Azure Active Directory rather than just removing the user from a group.

    4 votes
    0 comments  ·  Access Reviews
  5. Access review - domain admin & Global Admin

    Hi,

    Would be great if Access Reviews could include the on-prem group Domain Admins, and the cloud-based group Global Admins. Right now this is not possible.

    3 votes
    3 comments  ·  Access Reviews

    Thank you John for the feedback! My understanding is that you are referring to access reviews of privileged roles in the PIM experience.

    In regards to reviewing on-prem group Domain Admins, historically, groups like that were blocked by AAD Connect for not sending them to AAD, so they are filtered out.

    For cloud based group Global Admins, you can review global admins in the current PIM experience, these 2 articles should help you get started –
    docs.microsoft.com/en-us/azure/active-direc..

    docs.microsoft.com/en-us/azure/active-direc..

    If you have any more questions – feel free to email accessreviews@microsoft.com

  6. Access review

    There should be a validation message to check whether the end date is before or equal to the start date.

    3 votes
    2 comments  ·  Access Reviews
  7. Make the content of Access Review emails customizable.

    The emails sent to complete an access review have unnecessary additional content (e.g. Microsoft Address) and do not allow addition of more information to help those that receive a message.

    2 votes
    1 comment  ·  Access Reviews

    Hi Ben,

    Thanks for the feedback! Good news is that we are working to improve the emails to provide the reviewers the necessary information succinctly. Some of the information you see, the Microsoft logo and address, some are there because of legal reasons. We are actively working on this right now and will provide updates here.

    Follow up question for you, what else do you think is unnecessary, and what would you like to see?

    Thanks
    Fionna

  8. Ability to add exceptions to Access Reviews

    Introduce the ability to add exceptions when creating Access Reviews

    E.g. this will allow us to exclude service accounts from the report of accounts that have not logged on in the last 30 days.

    2 votes
    1 comment  ·  Access Reviews
  9. Change owner of the Access Review

    Currently I am an owner of multiple Access Reviews, and my name is sent in the e-mail as owner of the Review. I would like an option to remove my name from the mail, and the option to send the user to the service desk if they have questions about the Review.

    What would be even better is the option to customize the e-mail which is sent to the users.

    1 vote
    1 comment  ·  Access Reviews

    Hi Michel,

    Thanks for the feedback and I’m glad we are thinking in the same direction! We have a plan to remove the "inviter"’s name in the email and replace it with a help desk link. Question for you, you mentioned that you prefer to have an “option” to send the users to service desk, 1) would this be an internal link specific to your organization, 2) should this be the default behavior, if not, what would you prefer? 3) another idea – would having a “friendly” description displayed to the users (different from the description the IT admin writes when creating the review), with a service desk link pasted in that description solve your problem?

    Thanks
    Fionna

  10. Access Reviews: Azure recommendations

    The recommendation given by Azure in Access Reviews is based on the user's activity ONLY in Azure and not specifically based on the Admin role activity that is being reviewed. Access reviews should give you the recommendation based on user activity with the role; otherwise, any user who logs into Azure but doesn't activate their role will never be caught by the Azure recommendation (inactive for 30 days). Does that make sense?

    Also, the Azure PIM alerts give you very few possibilities. We can't export or store the information; it would be great to have more options on that, or at least exposing via…

    1 vote
    0 comments  ·  Access Reviews

    Hi Johnny,

    Thanks for the detailed feedback! Yes, it makes a lot of sense to scope the recommendations to user’s activity in the role being reviewed, and we are working to collect more insights on user’s activity in addition to signing in. It’s in our roadmap and we will update here when we have a preview to share!

    Regarding your comment on PIM alerts, I have directed your feedback to our PIM team. If you have any more questions on the development of the alerts, please don’t hesitate to email pim_preview@microsoft.com!

    - Fionna

  11. Implement our own logic on trigger Access Review

    Only a timer based Access Review is not enough for us.
    We have multiple situations where we need to trigger a review again, including:
    1. Based on updates to some of the user's attributes, e.g. manager reporting line changes, department changes, job role changes
    2. Based on usage pattern, e.g. a user hasn't used a certain app/resource for the last X days.

    1 vote
    1 comment  ·  Access Reviews

    Hi Gordon!

    Thanks for the feedback! We are working on adding more triggers to kick off access reviews like what you listed in 1!

    For 2. we do show user’s sign-in data to the reviewers to help them make the decisions. If a user hasn’t signed in to the tenant in the last 30 days, then the system will recommend denying that user’s continued access. Are you referring to automatically triggering a review on users who have not accessed an app/resource in the last X days?

    - Fionna

  12. Support to choose another "Group" as reviewer

    We have two scenarios:
    1. For internal organization users, we need the FTE manager as reviewer
    2. For external organization users, we need to have a "sponsor" as reviewer.

    I already saw there is feedback on supporting Manager as reviewer, which should fulfill our requirement 1 above.

    For requirement 2 above, we need to assign different "sponsor groups" as reviewers (instead of individual users hardcoded in the Access Review).

    1 vote
    1 comment  ·  Access Reviews

    Hi Gordon,

    Thanks for the detailed feedback! Yes, we are working on adding both manager and sponsor groups as reviewers, and will update here when we have a preview ready. In the meantime, if you have any more questions or more requirements, please let us know by commenting here!

    - Fionna

  13. Access Reviews - Select Line Manager As Reviewer

    Access for some applications/groups should be approved by the user's manager. As the functionality is not available we cannot utilise the promising Access Review tool.

    1 vote
    1 comment  ·  Access Reviews

    Hi Keith,

    Thanks for taking the time to give feedback! We have the work to add managers as reviewers in our backlog, will update here once we have a preview to share!

    Currently, we do support group owners as the reviewers, would that help with your scenario?

    Would this functionality be your only blocker to use access reviews? I would love to know how you review access right now, any timelines you have. Thanks!

    - Fionna

  14. More user-friendly

    It should be easier to use.

    1 vote
    0 comments  ·  Access Reviews
  15. Group Owner is Inactive and disabled

    We have a challenging situation managing group owners in Azure Active Directory. If a person leaves the organization, his/her identity will be set to the "disabled" state. Is there a way automatic emails can be sent to admins notifying them that a Group Owner ID is disabled for all the managed groups?

    1 vote
    0 comments  ·  Access Reviews

    Hi Jaya, thanks for the feedback! I’d love to understand your scenario a bit more and loop in the team working on Groups. To clarify your concern – Is the disabling of group owners when they leave the organization affecting the completion of your existing access reviews? Feel free to comment here or email accessreviews@microsoft.com directly. Thanks!

    - Fionna

  16. Integrate with Microsoft Flow for Customizing Emails and Approvers

    Right now, you can only do out of the box emails and approvals. Integrating as an application from flow will allow you to create different approval processes as needed; and customize email messages as needed.

    1 vote
    0 comments  ·  Access Reviews

    Hi Justin, thanks so much for the feedback! We currently use AEO (Azure email orchestrator) for sending emails, I can see how Flow can be helpful here, will look into it with the team, thanks for the suggestion! Do you know any services customizing their emails using Flow? I would love to know!

    /Fionna

  17. PIM Access Reviews Emails Alerts

    Would be great having the opportunity to edit or add a message into the Email sent by Azure.
    Eg. When someone has the role membership denied by a role owner, the user should get the email WITH the reason and not just the email saying that the has been removed.

    Also would be great allowing the GA's to add a message or create the reminders by themselves AND schedule it.

    1 vote
    0 comments  ·  Access Reviews
  18. Access Reviews: Skip review if no members are eligible for review

    If a group is empty the owner still gets an email to complete a review. This is confusing, as they don't know what to do when they click the link to the review as there are no actions to complete. Access Review should be smart enough to know that an email to the manager is not necessary if there are no members to review.

    1 vote
    0 comments  ·  Access Reviews