Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
SCIM defects
The Azure AD SCIM client does not follow the SCIM Base URI properly.
As per, https://tools.ietf.org/html/rfc7644#section-1.3,
The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since…
48 votesThe first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility
OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing
Work to support the code grant as well as client credentials on the non-gallery app is currently in our backlog. It’s intended to be done, but not yet funded.
In the meantime, the 1KB token limitation has been lifted.
-
Add Provision on demand for Groups
There is a provision on demand option which has provided the ability to provision user on demand, but as I'm currently trying to troubleshoot a group provisioning issue to ServiceNow, I could really do with a provision group on demand rather than have to wait the three days the logs indicate it will be before this specific group is retried
33 votesWork is in progress to support on-demand provisioning for groups.
-
Azure AD - SaaS - SCIM provisioning of AD attribute thumbnailPhoto
Azure AD SCIM Provisioning should allow for the provisioning/mapping of the AD attribute thumbnailPhoto to SaaS applications. This value is already present within Azure.
25 votes -
Allow for additional user profile attributes to be updated to applications beyond user name, manager, active status and language.
Currently only able to update the following from Azure AD to Cornerstone On Demand App:
cornerStoneUser.Contact.Name.Last
cornerStoneUser.Contact.Name.First
cornerStoneUser.Active
cornerStoneUser.Organization.Manager
cornerStoneUser.Language
We would greatly benefit from being able to update the Department/Division attribute as well, as we have a moderate amount of movement between Departments within our organization.
23 votesWe would like to support these attributes, but our focus currently is on SCIM applications and Cornerstone currently does not SCIM. We will reevaluate this once SCIM is supported.
-
serviceNow
I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.
For example, the user table within ServiceNow looks similar to the sample snippet below:
TABLE - User [sys_user]
FIELD - Username [username] - string
FIELD - Name [name] - string
FIELD - Email [email] - string
FIELD - Department [department] - references Department [cmndepartment] table
FIELD - Location [location] - references Location [cmn_location] table
FIELD - etc. etc.Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem…
17 votesThanks for the feedback. We are looking into revamping our ServiceNow connector. Will update this thread as we make progress.
/Arvind
-
Allow dynamic permission set assignment in Salesforce provisioning
Right now AAD supports a "Permission Sets"attribute, however this is not usable. Salesforce users have multiple Permission Sets, which are dependent on their O365 groups. For example, members of the O365 group "IT Services Team" would get the permission set "IT Services" in Salesforce. Until AAD's Salesforce connector supports mapping Permission Sets based on group membership in AAD, most organizations will not be able to use AAD for Salesforce provisioning.
13 votes -
Support for Salesforce Permission Set Group in the Salesforce Connector
Would be great to add the support for Salesforce Permission Set Group in the Salesforce Connector.
12 votes -
Push Profile Photo and Manager via scim
It appears that user's profile photo and manager are currently not pushed by Azure AD when it does a SCIM sync. Add support for pushing those attributes.
12 votesHi we are currently designing this feature. What format does your application support for photos (Jpeg, PNG, GIF)?
-
Integrate site mapping for Samanage App
I am provisioning users from AAD to Samanage and I am trying to map the AD attribute "physicalDeliveryOfficeName" to the Samanage "site" attribute. This mapping is currently not supported and I would find it useful.
12 votesThanks for the feedback, we will review.
-
Allow user folder provisioning for Box upon user assignment in Azure ADP
We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.
One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.
We would like…
11 votesThank you for your feedback. Please keep voting to help us prioritize.
/Luis
-
Attribute SAMAccountName for the ServiceNow User provisioning
Would be great to to have in the supported list of attributes in the ServiceNow user provisioning app the attribute SamAccountName. This is important for example for the intgegration of legacy applications like SCCM in ServiceNow asset management. Thanks for your support
10 votes -
Azure AD User provisioning service : Adding a Staging/Preview mode
Please add a Staging/Preview mode for the Azure AD User Provisioning Service.
It should be possible in an initial setup to test a new provisioning interface and receive a report on what will be changed in an end application. This gives the possibility and security that a new interface can be set up productively.
There is currently a risk that unwanted changes will be made.
As a suggestion; extension of the Scope field by
- Sync all users and groups (Preview only)
- Sync only assigned users and groups (Preview only)10 votesThis is something we are starting to design this quarter
-
Make Azure Groups PATCH remove operation SCIM v2 compliant
The request body for Update Group [Remove Members] is not compliant with the SCIM v2 specification.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups#update-group-remove-membersAzure is specifying the member value they want deleted in the "value" property. SCIM specification states that the member value that would be removed in the PATCH operation needs to be set in the "path" property, not "value". The "value" property should actually never be sent in a PATCH remove operation per specification.
https://tools.ietf.org/html/rfc7644#section-3.5.2.2If a Service Provider that implemented SCIM per specification were to receive PATCH remove request from Azure as is documented above, that request would result in ALL users being…
10 votesThe SCIM client now supports the compliant behavior, when using a feature flag as described here – https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior
For apps in the gallery, you can request a connector update to change the behavior. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing#step-6---submit-your-app
We’re working to make this the default behavior on all new SCIM jobs, without having to use the feature flag.
-
9 votes
-
Let Azure AD retry failed exports with 429 response code as soon as the Retry-After has passed
We have implemented our own SCIM (2.0) Service with a rate limiting feature.
The Azure AD user provisioning application does not recognize 429 responses from our services when requests are sent to rapidly and just logs failures. These failures will be retried 40 minutes later, but this is a very long delay making an intial sync take way longer than needed. (especialy when the retries run into the rate limit again and again)
I suggest to retry requests that received a 429 response soon after the Retry-After header value ( has passed) to optimize the duration of a sync cycle.
…
8 votesHi we are actively working on honoring the retry-after header
-
Make provision sync on demand
Make provision sync on demand for testing purpose.
User and group sync normally takes about 5~30 minutes. It is very inconvenient and inefficient for testing. Azure AD should allow on demand sync when it is testing phase and the total users are less than a numbers, for example 50.
8 votesWe have an initial version of this publicly available – aka.ms/provisionondemanddocumentation
/Arvind
-
reduce and configure the provisioning interval time
The provisioning takes place in a 40-minute interval. We want the ability to control and set our interval time. For example, if we want to reduce the time to 2 min it will be possible.
6 votesHi we are planning to reduce the interval over the next few months. Changes are planned.
/Arvind
-
Support null or empty values
As per the documentation under this section https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#what-you-should-know it states that null values are not supported, however this is a business requirement for keeping data accurate in Service Provider applications.
For example, if a user has a landline number that is currently synchronised with a Service Provider, the user may subsequently move to a part of the business that doesn't support landlines. The AD administrator rightfully changes their landline attribute to a blank value, and the provisioning service will then never PATCH this change to the Service Provider meaning they are now out of sync.
6 votesThanks for the feedback, we have work that’s being done to support this, although no ETA that we can share publicly.
/Arvind
-
Get group membership as an attribute of the user when provisioning with SCIM
When mapping Azure AD attributes to application attributes, I would to know the group membership in order to set properly the values of the target attributes.
Imagine the licence is an attribute of the user object. It can be "premium"/"silver"/etc.
On-premises, in AD, I manage my group membership by adding the user to groups like "MyApplicationPremium", "MyApplicationSilver", etc.
By leveveraging the group membership in the mapping, I can set the proper licence.
There is no other way to manage this as I will not have an attribute for each application to hold the licence for instance.5 votes -
(Provision null attributes) Add option to have properties be emptied after clearing them in Azure AD
Right now, I can set a phone number and clear it again in Azure. Azure will update the phonenumber in the application but will never clear it. This is by design I understand that, but our customers would like the option to also clear this information as they consider AAD the source/leading system and it's primary task is to make sure all other applications have the same data, which currently is not the case as the data is never removed from applications after it is removed from AAD
5 votes
- Don't see your idea?