Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. SCIM defects


    1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
      As per https://tools.ietf.org/html/rfc7644#section-1.3, the resource relative paths (e.g. /Users) need to be appended to the configured Base URI.
      Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.


    2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since…

    42 votes
    9 comments  ·  Provisioning to Applications

    The first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility

    OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing

    Work is underway to make the authorization code grant flow available for custom apps.

    Link to understand the code grant flow – https://tools.ietf.org/html/rfc6749#page-24
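
As an added example (my own code, not from the post, from Microsoft, or from the RFC), the Python below shows the Base URI resolution the first defect asks for, the URL shape the post says the Azure AD client produces, and a tenant-scoped route parser on the service-provider side. The host, the `/scim/<tenantID>/` layout and the `route` function are assumptions chosen to illustrate the post; `azure_style_url` is constructed from the post's description, not from captured traffic.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical tenant-scoped SCIM layout like the one in the post:
#   https://<host>/scim/<tenantID>/Users[/<id>] and .../Groups[/<id>]
TENANT_ROUTE = re.compile(
    r"^/scim/(?P<tenant>[A-Za-z0-9-]+)/(?P<resource>Users|Groups)(?:/(?P<id>[^/]+))?$"
)


def scim_resource_url(base_uri: str, relative_path: str) -> str:
    """Resolve a SCIM resource path against the configured Base URI.

    RFC 7644 section 1.3 defines resource endpoints relative to the Base
    URI, so "Users" or "Users/{id}" is joined onto the *whole* Base URI
    and any tenant segment in its path survives.
    """
    base = base_uri if base_uri.endswith("/") else base_uri + "/"
    return urljoin(base, relative_path.lstrip("/"))


def azure_style_url(configured_uri: str, resource: str) -> str:
    """The behaviour the post describes (constructed from the post's text,
    not from captured traffic): a fixed "/scim/<Resource>" suffix is
    appended to the configured URI, so a tenant segment in the path ends
    up in the wrong place.
    """
    return configured_uri.rstrip("/") + "/scim/" + resource


def route(url: str):
    """Service-provider side: map a request URL to (tenant, resource, id).

    Returns None for any path that does not carry a tenant segment in the
    expected position. Failing closed here matters: a request that cannot
    be attributed to a tenant must not be served against a default tenant.
    """
    match = TENANT_ROUTE.match(urlsplit(url).path)
    if not match:
        return None
    return match.group("tenant"), match.group("resource"), match.group("id")


if __name__ == "__main__":
    base = "https://bla/scim/tenantID/"
    good = scim_resource_url(base, "Users/123")
    bad = azure_style_url(base, "Users")
    print(good, "->", route(good))   # routes to tenant "tenantID"
    print(bad, "->", route(bad))     # no tenant match: rejected
```

The `route` parser is the check worth keeping on the service-provider side: if a client builds URLs the wrong way, the request should fail at the tenant boundary rather than be served against some default tenant.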

  2. Allow for additional user profile attributes to be updated to applications beyond user name, manager, active status and language.

    Currently we are only able to update the following from Azure AD to the Cornerstone On Demand App:

    cornerStoneUser.Contact.Name.Last

    cornerStoneUser.Contact.Name.First

    cornerStoneUser.Active

    cornerStoneUser.Organization.Manager

    cornerStoneUser.Language

    We would greatly benefit from being able to update the Department/Division attribute as well, as we have a moderate amount of movement between Departments within our organization.

    23 votes
    2 comments  ·  Provisioning to Applications
  3. ServiceNow

    I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.

    For example, the user table within ServiceNow looks similar to the sample snippet below:

    TABLE - User [sys_user]

    FIELD - Username [username] - string
    FIELD - Name [name] - string
    FIELD - Email [email] - string
    FIELD - Department [department] - references Department [cmn_department] table
    FIELD - Location [location] - references Location [cmn_location] table
    FIELD - etc. etc.

    Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem…

    17 votes
    1 comment  ·  Provisioning to Applications
  4. Azure AD - SaaS - SCIM provisioning of AD attribute thumbnailPhoto

    Azure AD SCIM Provisioning should allow for the provisioning/mapping of the AD attribute thumbnailPhoto to SaaS applications. This value is already present within Azure.

    17 votes
    8 comments  ·  Provisioning to Applications
  5. Integrate site mapping for Samanage App

    I am provisioning users from AAD to Samanage and I am trying to map the AD attribute "physicalDeliveryOfficeName" to the Samanage "site" attribute. This mapping is currently not supported and I would find it useful.

    12 votes
    2 comments  ·  Provisioning to Applications
  6. Allow user folder provisioning for Box upon user assignment in Azure ADP

    We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.

    One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.

    We would like…

    9 votes
    1 comment  ·  Provisioning to Applications
  7. Make Azure Groups PATCH remove operation SCIM v2 compliant

    The request body for Update Group [Remove Members] is not compliant with the SCIM v2 specification.
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups#update-group-remove-members

    Azure is specifying the member value they want deleted in the "value" property. The SCIM specification states that the member value to be removed in the PATCH operation needs to be set in the "path" property, not "value". The "value" property should actually never be sent in a PATCH remove operation per the specification.
    https://tools.ietf.org/html/rfc7644#section-3.5.2.2

    If a Service Provider that implemented SCIM per the specification were to receive a PATCH remove request from Azure as documented above, that request would result in ALL users being…

    8 votes
    2 comments  ·  Provisioning to Applications
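
As an added example (my own code, not Microsoft's documentation and not a SCIM reference implementation), here is a service-provider-side handler for the PATCH "remove" operation on group members. In strict mode it follows RFC 7644 section 3.5.2.2 only, and on a constructed three-member group it shows what the post warns about: the Azure AD-shaped request removes every member. A lenient mode that also honours the "value" list is included as the mitigation a service provider can deploy. Both request payloads are constructed from the post's description, not copied from Azure AD traffic.

```python
import re
from typing import Dict, List, Tuple

# Path filter form required by RFC 7644 section 3.5.2.2 for removing one
# value from a multi-valued attribute: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"\]]+)"\]$')


class Group:
    """Minimal stand-in for a SCIM Group; members is a list of
    {"value": "<user id>", ...} complex values, as in the spec."""

    def __init__(self, member_ids: List[str]):
        self.members: List[Dict[str, str]] = [{"value": m} for m in member_ids]

    def member_ids(self) -> List[str]:
        return [m["value"] for m in self.members]


def apply_member_remove(group: Group, op: Dict, strict: bool = True) -> List[str]:
    """Apply one PATCH "remove" operation to group.members; return removed ids.

    strict=True  -> RFC semantics only: with a filter path, remove the
                    matching member; with the bare path "members" and no
                    filter, the spec says the attribute and ALL its values
                    are removed. Any "value" element is ignored.
    strict=False -> additionally accept the shape the post describes
                    (path "members" plus a "value" list of member ids)
                    and remove only the listed members.
    """
    if str(op.get("op", "")).lower() != "remove":
        raise ValueError("not a remove operation")
    path = op.get("path")
    if not path:
        raise ValueError('"remove" on a multi-valued attribute needs a path')

    filtered = MEMBER_FILTER.match(path)
    if filtered:
        targets = {filtered.group(1)}
    elif path == "members":
        if not strict and op.get("value"):
            targets = {v["value"] for v in op["value"]}
        else:
            targets = set(group.member_ids())  # no filter: everything goes
    else:
        raise ValueError(f"unsupported path {path!r}")

    removed = [m for m in group.member_ids() if m in targets]
    group.members = [m for m in group.members if m["value"] not in targets]
    return removed


# Constructed payloads: SPEC_REMOVE is the RFC form; AZURE_SHAPED_REMOVE is
# built from the post's description of what Azure AD sends.
SPEC_REMOVE = {"op": "remove", "path": 'members[value eq "u2"]'}
AZURE_SHAPED_REMOVE = {"op": "Remove", "path": "members", "value": [{"value": "u2"}]}


def run_case(op: Dict, strict: bool) -> Tuple[List[str], List[str]]:
    """Apply op to a fresh three-member group; return (removed, remaining)."""
    group = Group(["u1", "u2", "u3"])
    removed = apply_member_remove(group, op, strict=strict)
    return removed, group.member_ids()


if __name__ == "__main__":
    print("spec form, strict:   ", run_case(SPEC_REMOVE, strict=True))
    print("azure shape, strict: ", run_case(AZURE_SHAPED_REMOVE, strict=True))
    print("azure shape, lenient:", run_case(AZURE_SHAPED_REMOVE, strict=False))
```

In strict mode the wipe-out is not a handler bug; it is what the specification says a bare `members` path means, which is why the concern in the post is real. A provider that has to interoperate can run in lenient mode, but should log every bare-path remove that carries a `value` list, and may want an explicit guard before honouring a genuine remove-all on a group.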
  8. Azure AD User provisioning service : Adding a Staging/Preview mode

    Please add a Staging/Preview mode for the Azure AD User Provisioning Service.
    It should be possible in an initial setup to test a new provisioning interface and receive a report on what will be changed in an end application. This gives the possibility and security that a new interface can be set up productively.
    There is currently a risk that unwanted changes will be made.
    As a suggestion: extend the Scope field with
    - Sync all users and groups (Preview only)
    - Sync only assigned users and groups (Preview only)

    7 votes
    1 comment  ·  Provisioning to Applications
  9. Make provision sync on demand

    Make provisioning sync available on demand for testing purposes.

    User and group sync normally takes about 5~30 minutes. It is very inconvenient and inefficient for testing. Azure AD should allow on-demand sync during the testing phase when the total number of users is less than a certain number, for example 50.

    5 votes
    1 comment  ·  Provisioning to Applications
  10. Allow Attribute Mapping to be Re-enabled without a Reset After Being Disabled for SCIM and ServiceNow, etc. User Provisioning Syncs

    To reproduce this, set up a ServiceNow sync with an Enterprise Application by putting in admin credentials, disable the Group attribute mapping and save. There is no way to re-enable this via the UI without resetting your attribute mappings to default, which causes you to lose your customization work on the user attribute mapping.

    (I'm assuming this applies to other SCIM provisioning UIs as well, beyond just the ServiceNow one.)

    It should be easier to re-enable a group or user object type attribute mapping without losing your customization for the other when it's disabled.

    4 votes
    1 comment  ·  Provisioning to Applications

    This is a bug on our side and we will fix it. As a workaround you can use the Microsoft Graph to enable the object again. You will need to update the schema and set enabled = true and sourceName = “user” or “Group” based on which option you’re trying to bring back. Apologies for having to use the workaround. https://docs.microsoft.com/en-us/graph/api/synchronization-synchronizationschema-update?view=graph-rest-beta&tabs=http

    /Arvind

  11. Push Profile Photo and Manager via scim

    It appears that a user's profile photo and manager are currently not pushed by Azure AD when it does a SCIM sync. Add support for pushing those attributes.

    4 votes
    2 comments  ·  Provisioning to Applications
  12. Allow dynamic permission set assignment in Salesforce provisioning

    Right now AAD supports a "Permission Sets" attribute, however this is not usable. Salesforce users have multiple Permission Sets, which are dependent on their O365 groups. For example, members of the O365 group "IT Services Team" would get the permission set "IT Services" in Salesforce. Until AAD's Salesforce connector supports mapping Permission Sets based on group membership in AAD, most organizations will not be able to use AAD for Salesforce provisioning.

    3 votes
    under review  ·  0 comments  ·  Provisioning to Applications
  13. Support for Salesforce Permission Set Group in the Salesforce Connector

    Would be great to add the support for Salesforce Permission Set Group in the Salesforce Connector.

    3 votes
    under review  ·  1 comment  ·  Provisioning to Applications
  14. Support filtering = false | ServiceProviderConfig

    The Azure AD SCIM client is not compatible with applications which do not support "filtering".

    If “filtering” is not supported by the 3rd-party app, do not ignore that.
    Use the “matching” attribute defined in the mappings during the initial cycle to check if the resource exists.
    If the resource exists (HTTP 200), save the “ID” persistently.
    Use the “ID” in every subsequent request.

    cf. RFC7644 section 4: https://tools.ietf.org/html/rfc7644#section-4

    2 votes
    1 comment  ·  Provisioning to Applications
  15. Application Provisioning Attribute Mapping Configuration Backup for last 5 changes

    During a recent incident I came to know that the Provisioning Configuration change details do not get backed up, i.e. the attribute changes which we make on the attribute mapping. Only a text message gets recorded when changes are performed; it never records what changes were made. If Microsoft provides any one of these functionalities it will be helpful for all Azure customers.

    Option 1) Provide a backup of the provisioning application schema for the last 5 configuration changes, which can be accessed by an Admin. It will help the Admin restore from the backup in case of any failure while updating the schema.

    Option 2) Currently Microsoft records…

    2 votes
    0 comments  ·  Provisioning to Applications
  16. Get group membership as an attribute of the user when provisioning with SCIM

    When mapping Azure AD attributes to application attributes, I would like to know the group membership in order to set the values of the target attributes properly.

    Imagine the licence is an attribute of the user object. It can be "premium"/"silver"/etc.
    On-premises, in AD, I manage my group membership by adding the user to groups like "MyApplicationPremium", "MyApplicationSilver", etc.
    By leveraging the group membership in the mapping, I can set the proper licence.
    There is no other way to manage this, as I will not have an attribute for each application to hold the licence, for instance.

    1 vote
    0 comments  ·  Provisioning to Applications
  17. (Provision null attributes) Add option to have properties be emptied after clearing them in Azure AD

    Right now, I can set a phone number and clear it again in Azure. Azure will update the phone number in the application but will never clear it. This is by design, I understand that, but our customers would like the option to also clear this information, as they consider AAD the source/leading system whose primary task is to make sure all other applications have the same data, which is currently not the case as the data is never removed from applications after it is removed from AAD.

    1 vote
    under review  ·  0 comments  ·  Provisioning to Applications
  18. Allow re-enabling / show mappings after being disabled

    Once Group mapping is disabled from the SCIM provisioning settings, it's impossible to get back the option without resetting the entire default mappings.

    My situation is that I plan on releasing user provisioning in an initial version of the application, supporting group provisioning later. The interface in the portal does not allow the disabled mapping (for groups) to be enabled again as the option disappears.

    1 vote
    0 comments  ·  Provisioning to Applications

    Please request your connector to be released in the gallery. We can release it with groups first and add users back later.

    We do plan to fix the UI bug as well but unfortunately haven’t been able to complete it. The group mapping can be brought back today by using the synchronization API or schema editor. https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/export-import-provisioning-configuration
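
The workaround in this thread and in idea 10 above is the same: rewrite the provisioning schema through the Microsoft Graph synchronization API so the disabled object mapping comes back without a full reset of the mappings. As an added example (my own code, not Microsoft's), the Python below performs that edit on a constructed, heavily trimmed schema document and builds the write-back request. Assumptions: the field names `synchronizationRules`, `objectMappings`, `enabled` and `sourceObjectName` follow the Graph beta reference linked in idea 10 (the admin reply there calls the last one `sourceName`); the service principal and job ids are placeholders; sending the request with a suitably permissioned bearer token is left to whatever HTTP client you use.

```python
import copy
import json
from typing import Dict, List, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample: a cut-down synchronizationSchema in the shape the Graph
# beta reference documents. Real schemas carry many more fields and a full
# attributeMappings list per object mapping; only what the fix needs is
# modelled. The Group mapping is the one that was disabled in the portal UI.
SAMPLE_SCHEMA: Dict = {
    "synchronizationRules": [
        {
            "name": "ExampleOutboundRule",  # placeholder rule name
            "objectMappings": [
                {"enabled": True, "sourceObjectName": "User", "targetObjectName": "User",
                 "attributeMappings": [{"source": {"name": "userPrincipalName"},
                                        "targetAttributeName": "userName"}]},
                {"enabled": False, "sourceObjectName": "Group", "targetObjectName": "Group",
                 "attributeMappings": [{"source": {"name": "displayName"},
                                        "targetAttributeName": "displayName"}]},
            ],
        }
    ]
}


def enabled_sources(schema: Dict) -> List[str]:
    """Sorted sourceObjectName values of the object mappings that are enabled."""
    return sorted(
        om["sourceObjectName"]
        for rule in schema.get("synchronizationRules", [])
        for om in rule.get("objectMappings", [])
        if om.get("enabled")
    )


def enable_object_mapping(schema: Dict, source_object_name: str) -> Dict:
    """Return a copy of schema with the matching object mapping(s) enabled.

    Everything else, including customised attributeMappings on the other
    object type, is carried over untouched. That is the point of going
    through the API instead of "Restore default mappings".
    """
    fixed = copy.deepcopy(schema)
    hits = 0
    for rule in fixed.get("synchronizationRules", []):
        for om in rule.get("objectMappings", []):
            if om.get("sourceObjectName", "").lower() == source_object_name.lower():
                om["enabled"] = True
                hits += 1
    if hits == 0:
        raise LookupError(f"no objectMapping with sourceObjectName {source_object_name!r}")
    return fixed


def schema_put_request(service_principal_id: str, job_id: str, schema: Dict) -> Tuple[str, str, str]:
    """Build (method, url, body) for writing the whole schema back.

    The schema endpoint takes the complete document on PUT, so always start
    from a fresh GET of the same URL, edit, then PUT; never hand-write a
    partial schema. Keep the GET response on disk before the PUT: it is the
    only rollback you have.
    """
    url = f"{GRAPH_BETA}/servicePrincipals/{service_principal_id}/synchronization/jobs/{job_id}/schema"
    return "PUT", url, json.dumps(schema)


if __name__ == "__main__":
    before = enabled_sources(SAMPLE_SCHEMA)
    fixed = enable_object_mapping(SAMPLE_SCHEMA, "Group")
    method, url, body = schema_put_request("<servicePrincipalId>", "<jobId>", fixed)
    print(before, "->", enabled_sources(fixed))
    print(method, url, len(body), "bytes")
```

Review the diff between the fetched schema and the edited one before sending the PUT; the write replaces the whole schema, so a mistake here is exactly the kind of unrecorded configuration change idea 15 above complains about.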

  19. AzureAD Box User Deprovisioning Transfer Files to Another Account

    Box supports the ability to specify an account to which user files are transferred. We rely on this functionality to ensure that user's files are transferred to a backup service account when a user leaves the organization. It would be very nice to have this capability too.

    Box Dev guide:
    https://www.box.dev/guides/users/deprovision/transfer-folders/

    Okta guide:
    https://help.okta.com/en/prod/Content/Topics/Provisioning/Box/configure-box.htm#Enable2

    1 vote
    1 comment  ·  Provisioning to Applications
  20. Additional User Entitlement in Salesforce Provisioning

    At the moment, AFAIK, the Salesforce Connector provisions a Salesforce Profile to a User based on the Security Group they belong to in a 1 to 1 mapping.

    User Provisioning should cover more.

    A Salesforce User can have:
    - 1 Profile
    - 0 to 1 Role
    - 0 to N Permission Sets
    - 0 to N Permission Set Groups
    - member of 0 to N Public Groups
    - member of 0 to N Queues

    How to provision the other entitlements from AD?

    1 vote
    0 comments  ·  Provisioning to Applications

    Are you looking to push that data from Azure AD to Salesforce, or import it from Salesforce to Azure AD?

    For the former we support profiles, roles, permission sets, permissions. You can go into the attribute mappings and add new mappings for the properties you need. We are evaluating the Salesforce SCIM endpoint to see if we can move to a more standards based integration and support all the attributes that you are requesting.

    For the latter we support importing roles as an Azure AD profile.
