Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. SCIM defects

    1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
    As per, https://tools.ietf.org/html/rfc7644#section-1.3,
    The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
    Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.

    2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no…

    30 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  2. serviceNow

    I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.

    For example, the user table within ServiceNow looks similar to the sample snippet below:

    TABLE - User [sys_user]
    -----------------------------
    FIELD - Username [user_name] - string
    FIELD - Name [name] - string
    FIELD - Email [email] - string
    FIELD - Department [department] - references Department [cmn_department] table
    FIELD - Location [location] - references Location [cmn_location] table
    FIELD - etc. etc.

    Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem AD…

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  3. Integrate site mapping for Samanage App

    I am provisioning users from AAD to Samanage and I am trying to map the AD attribute "physicalDeliveryOfficeName" to the Samanage "site" attribute. This mapping is currently not supported and I would find it useful.

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  4. Allow Attribute Mapping to be Re-enabled without a Reset After Being Disabled for SCIM and ServiceNow, etc. User Provisioning Syncs

    To reproduce this, set up a ServiceNow sync with an Enterprise Application by putting in admin credentials and disabled the Group attribute mapping and save. There is no way to re-enable this via the UI without resetting your attribute mappings to default, which causes you to lose your customization work to the user attribute mapping.

    (I'm assuming this applies to other SCIM provisioning UI's as well beyond just the ServiceNow one.)

    It should be easier to re-enable a group or user object type attribute mapping without losing your customization for the other when it's disabled.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →

    This is a bug on our side and we will fix it. As a workaround you can use the Microsoft graph to enable the object again. You will need to update schema and set enabled = true and sourceName = “user” or “Group” based on which option you’re trying to bring back. Apologies for having to use the workaround. https://docs.microsoft.com/en-us/graph/api/synchronization-synchronizationschema-update?view=graph-rest-beta&tabs=http

    /Arvind

  5. Azure AD User provisioning service : Adding a Staging/Preview mode

    Please add a Staging/Preview mode for the Azure AD User Provisioning Service.
    It should be possible in an initial setup to test a new provisioning interface and receive a report on what will be changed in an end application. This gives the possibility and security that a new interface can be set up productively.
    There is currently a risk that unwanted changes will be made.
    As a suggestion; extension of the Scope field by
    - Sync all users and groups (Preview only)
    - Sync only assigned users and groups (Preview only)

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  6. Make provision sync on demand

    Make provision sync on demand for testing purpose.

    User and group sync normally takes about 5~30 minutes. It is very inconvenient and inefficient for testing. Azure AD should allow on demand sync when it is testing phase and the total users are less than a numbers, for example 50.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  7. Enterprise App provisioning needs more detailed Quarantine errors

    I have a customer who sees a couple of their Enterprise applications are Quarantined due to high number of errors. For some reason they don't see the errors in the audit logs. When I researched the errors on the backend I found they had the following error code: DiceCredentialValidationFailure. Here is the most recent error message: Credentials passed are invalid for applicationId=

    Once armed with that knowledge, I was able to work with the customer to create a new Admin credential for the application.

    We would like to see that level of error reporting in the customer viewable audit logs…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  8. Azure AD User provisioning service : Support Contains Function in Attribut Flow Expression

    Adding a new Expression for https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/functions-for-customizing-application-data called Contains(source[Multivalue], ValueRule).

    This allowes multiple AppRoleAssignments and to set the correct Roles in the SaaS application.

    As a reference SAP Concur with Roles like:
    - Travel user
    - Expense user

    instead of
    - Travel user
    - Expense user
    - Travel and Expense user

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  9. Azure AD User provisioning service : Allow accessing diagnostic logs

    It should be possible to get diagnostic logs, like API calls from the Azure Portal in case of an exception, so that a troubleshooting is possible without contacting the MS support.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  10. Make Azure Groups PATCH remove operation SCIM v2 compliant

    The request body for Update Group [Remove Members] is not compliant with the SCIM v2 specification.
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups#update-group-remove-members

    Azure is specifying the member value they want deleted in the "value" property. SCIM specification states that the member value that would be removed in the PATCH operation needs to be set in the "path" property, not "value". The "value" property should actually never be sent in a PATCH remove operation per specification.
    https://tools.ietf.org/html/rfc7644#section-3.5.2.2

    If a Service Provider that implemented SCIM per specification were to receive PATCH remove request from Azure as is documented above, that request would result in ALL users being…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  11. Push Profile Photo and Manager via scim

    It appears that user's profile photo and manager are currently not pushed by Azure AD when it does a SCIM sync. Add support for pushing those attributes.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →
  12. Azure connector sync issues

    We are trying to auto provision Salesforce users using Azure AD connector. We want certain attributes like ManagerId and Department to be in sync with AD always. So we had set that to "Always" in the set up. But our observation says that, when these values are changed in AD, it is updating to the new values in Salesforce. But if these values are changed in Salesforce, they are not getting overwritten with the values from AD in Salesforce. Which means, now they are out of sync.
    Since we have set that to "Always", we expect these attributes to be…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Provisioning to Applications  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the input. The way the service works today we leverage the delta query API provided by AD graph to constantly check for changes and apply them to the target application. We are aware of changes in Azure AD and have a way of reflecting them in the target application. We don’t have a way today of getting changes directly from Salesforce but are looking at how we can make this possible.

  • Don't see your idea?

Feedback and Knowledge Base