Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
SCIM defects
The Azure AD SCIM client does not follow the SCIM Base URI properly.
As per, https://tools.ietf.org/html/rfc7644#section-1.3,
The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since…
42 votesThe first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility
OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing
Work is underway to make the authorization code grant flow available for custom apps.
Link to understand the code grant flow – https://tools.ietf.org/html/rfc6749#page-24
-
Allow for additional user profile attributes to be updated to applications beyond user name, manager, active status and language.
Currently only able to update the following from Azure AD to Cornerstone On Demand App:
cornerStoneUser.Contact.Name.Last
cornerStoneUser.Contact.Name.First
cornerStoneUser.Active
cornerStoneUser.Organization.Manager
cornerStoneUser.Language
We would greatly benefit from being able to update the Department/Division attribute as well, as we have a moderate amount of movement between Departments within our organization.
23 votesHi we are looking at how best to address this.
/Arvind
-
Azure AD - SaaS - SCIM provisioning of AD attribute thumbnailPhoto
Azure AD SCIM Provisioning should allow for the provisioning/mapping of the AD attribute thumbnailPhoto to SaaS applications. This value is already present within Azure.
19 votesWhat format would you like the pictures to be provisioned in (jpeg, PNG, GIF, etc.)?
-
serviceNow
I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.
For example, the user table within ServiceNow looks similar to the sample snippet below:
TABLE - User [sys_user]
FIELD - Username [username] - string
FIELD - Name [name] - string
FIELD - Email [email] - string
FIELD - Department [department] - references Department [cmndepartment] table
FIELD - Location [location] - references Location [cmn_location] table
FIELD - etc. etc.Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem…
17 votesThanks for the feedback. We are looking into revamping our ServiceNow connector. Will update this thread as we make progress.
/Arvind
-
Integrate site mapping for Samanage App
I am provisioning users from AAD to Samanage and I am trying to map the AD attribute "physicalDeliveryOfficeName" to the Samanage "site" attribute. This mapping is currently not supported and I would find it useful.
12 votesThanks for the feedback, we will review.
-
Allow user folder provisioning for Box upon user assignment in Azure ADP
We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.
One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.
We would like…
9 votesThank you for your feedback. Please keep voting to help us prioritize.
/Luis
-
Azure AD User provisioning service : Adding a Staging/Preview mode
Please add a Staging/Preview mode for the Azure AD User Provisioning Service.
It should be possible in an initial setup to test a new provisioning interface and receive a report on what will be changed in an end application. This gives the possibility and security that a new interface can be set up productively.
There is currently a risk that unwanted changes will be made.
As a suggestion; extension of the Scope field by
- Sync all users and groups (Preview only)
- Sync only assigned users and groups (Preview only)8 votesThis is something we are starting to design this quarter
-
Make Azure Groups PATCH remove operation SCIM v2 compliant
The request body for Update Group [Remove Members] is not compliant with the SCIM v2 specification.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups#update-group-remove-membersAzure is specifying the member value they want deleted in the "value" property. SCIM specification states that the member value that would be removed in the PATCH operation needs to be set in the "path" property, not "value". The "value" property should actually never be sent in a PATCH remove operation per specification.
https://tools.ietf.org/html/rfc7644#section-3.5.2.2If a Service Provider that implemented SCIM per specification were to receive PATCH remove request from Azure as is documented above, that request would result in ALL users being…
8 votesThank you for the feedback, we will review.
/Arvind
-
Make provision sync on demand
Make provision sync on demand for testing purpose.
User and group sync normally takes about 5~30 minutes. It is very inconvenient and inefficient for testing. Azure AD should allow on demand sync when it is testing phase and the total users are less than a numbers, for example 50.
6 votesWe have an initial version of this publicly available – aka.ms/provisionondemanddocumentation
/Arvind
-
Attribute SAMAccountName for the ServiceNow User provisioning
Would be great to to have in the supported list of attributes in the ServiceNow user provisioning app the attribute SamAccountName. This is important for example for the intgegration of legacy applications like SCCM in ServiceNow asset management. Thanks for your support
5 votes -
Push Profile Photo and Manager via scim
It appears that user's profile photo and manager are currently not pushed by Azure AD when it does a SCIM sync. Add support for pushing those attributes.
5 votesHi we are currently designing this feature. What format does your application support for photos (Jpeg, PNG, GIF)?
-
Allow dynamic permission set assignment in Salesforce provisioning
Right now AAD supports a "Permission Sets"attribute, however this is not usable. Salesforce users have multiple Permission Sets, which are dependent on their O365 groups. For example, members of the O365 group "IT Services Team" would get the permission set "IT Services" in Salesforce. Until AAD's Salesforce connector supports mapping Permission Sets based on group membership in AAD, most organizations will not be able to use AAD for Salesforce provisioning.
4 votes -
Support for Salesforce Permission Set Group in the Salesforce Connector
Would be great to add the support for Salesforce Permission Set Group in the Salesforce Connector.
4 votes -
Allow Attribute Mapping to be Re-enabled without a Reset After Being Disabled for SCIM and ServiceNow, etc. User Provisioning Syncs
To reproduce this, set up a ServiceNow sync with an Enterprise Application by putting in admin credentials and disabled the Group attribute mapping and save. There is no way to re-enable this via the UI without resetting your attribute mappings to default, which causes you to lose your customization work to the user attribute mapping.
(I'm assuming this applies to other SCIM provisioning UI's as well beyond just the ServiceNow one.)
It should be easier to re-enable a group or user object type attribute mapping without losing your customization for the other when it's disabled.
4 votesApologies for the delay in fixing this. It was a more complicated change than expected. The fix is complete and pending deployment. Should be deployed fully by end of month.
-
Changing AppRoleAssignment should cause provisioning update
Currently with automatic provisioning for Zoom or DocuSign (probably all applications) if you update the role someone is assigned for the application in Azure AD it does not trigger updating the user at Zoom or DocuSign.
When changing the AppRoleAssignment it should trigger provisioning update. Only way to do this currently is to restart provisioning.
2 votesThis is something we’re working on addressing right now.
/Arvind
-
Support filtering = false | ServiceProviderConfig
Azure AD SCIM client is not compatible with applications, which do not support "filtering".
If “filtering” is not supported by 3rd party app, do not ignore that.
Use the “matching” attribute defined in mappings during the initial cycle to check, if the resource exists.
If resource exists (HTTP-200), save “ID” persistently.
Use “ID” in every subsequent requestcf. RFC7644 section 4: https://tools.ietf.org/html/rfc7644#section-4
2 votes -
Application Provisioning Attribute Mapping Configuration Backup for last 5 changes
During recent incident I came to know the Provisioning Configuration changes details does not get backed up. i.e. attribute changes which we make on attribute mapping. Only a text message get recorded the when changes are performed. It never record what changes were made. If Microsoft provide anyone functionality it will be helpful for all Azure customer.
Option 1) Provide backup for provisioning application schema for the last 5 configuration changes which can be access by Admin. It will help Admin to restore from the backup if incase of any failure while updating the Schema
Option 2) Currently Microsoft records…
2 votesThanks for the feedback. We are looking to add more detail to our audit logs. This is good feedback.
-
Please support Join in provisioning with user groups in Azure AD.
Please support Join function in provisioning with user groups in Azure AD.
Excerpt:
Matching based on a combination of attributes is not supported: Most applications do not support querying based on two properties. Therefore, it is not possible to match based on a combination of attributes. It is possible to evaluate single properties on after another.
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#matching-users-in-the-source-and-target--systems1 vote -
Azure AD to on-premises application user provisioning
Support provisioning users from Azure AD to on-premises applications such as SQL, PowerShell, and LDAP.
1 vote -
IDCS Provisioning doesn't work
The Oracle Cloud Infrastructure Gallery app uses OracleIDCS object. But it doesn't support the attribute primary email = boolean. You cannot create a user in IDCS unless you set the email and put it as primary. so essentially, the email.primary has to be set to a boolean(true). Please include it in the OracleIDCS objectclass
1 voteWhich email would you like to set as the primary? If the work email is part of the mappings, we send that as the primary.
- Don't see your idea?