Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

Enter your idea

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

SCIM defects
The Azure AD SCIM client does not follow the SCIM Base URI properly.
As per, https://tools.ietf.org/html/rfc7644#section-1.3,
The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.

The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since bearer tokens need to expire for security reasons. The SCIM client should instead implement the OAuth2 client credentials grant or password grant to a configurable OAuth2 token endpoint.
The Azure AD SCIM client does not follow the SCIM Base URI properly.
As per, https://tools.ietf.org/html/rfc7644#section-1.3,
The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.

The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since…
44 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

11 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

The first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility

OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing

Work is underway to make the authorization code grant flow available for custom apps.

Link to understand the code grant flow – https://tools.ietf.org/html/rfc6749#page-24
Allow for additional user profile attributes to be updated to applications beyond user name, manager, active status and language.

Currently only able to update the following from Azure AD to Cornerstone On Demand App:

cornerStoneUser.Contact.Name.Last

cornerStoneUser.Contact.Name.First

cornerStoneUser.Active

cornerStoneUser.Organization.Manager

cornerStoneUser.Language

We would greatly benefit from being able to update the Department/Division attribute as well, as we have a moderate amount of movement between Departments within our organization.

23 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

2 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

unplanned · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

We would like to support these attributes, but our focus currently is on SCIM applications and Cornerstone currently does not SCIM. We will reevaluate this once SCIM is supported.
Azure AD - SaaS - SCIM provisioning of AD attribute thumbnailPhoto

Azure AD SCIM Provisioning should allow for the provisioning/mapping of the AD attribute thumbnailPhoto to SaaS applications. This value is already present within Azure.

20 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

9 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

need-feedback · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

What format would you like the pictures to be provisioned in (jpeg, PNG, GIF, etc.)?
serviceNow

I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.

For example, the user table within ServiceNow looks similar to the sample snippet below:

TABLE - User [sys_user]

FIELD - Username [username] - string
FIELD - Name [name] - string
FIELD - Email [email] - string
FIELD - Department [department] - references Department [cmndepartment] table
FIELD - Location [location] - references Location [cmn_location] table
FIELD - etc. etc.

Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem AD via LDAP/LDAPs/MID server/etc. because both Authentication and Provisioning can happen from the same source.

One limitation is the ability for Azure to create new values within tables that are referenced from the user table (such as Department and Location in the example above). The value has to already exist within ServiceNow for Azure to properly map it.

Given the following use case... it is tough to fully transition from on-prem configuration to a fully automated cloud configuration without the need for additional “swivel-chair” work.

Example:

I have and am mapping all of my users into ServiceNow from Azure, with the exception of service accounts, etc.

Those users are spread across 4 locations and 8 departments for example.

Departments:
Finance, IT, DevOps, HR, Facilities, Engineering, Sales, Marketing

Locations:
Baltimore, Philadelphia, D.C., Boston

If I know all of this information when initially setting up my ServiceNow environment, there isn't too much of an issue. I can create the 4 location records in the Location table and 8 records on the Department table. Then, I set up the provisioning integration with Azure and users will get assigned to those locations as long as the string value in physicalDeliveryOfficeName or city (whatever I have mapped to that attribute) something of the sort contains the same value as the record in my referencing table.

The situations where this becomes an issue, is for example... if I want to create 10 new Locations and 40 new departments for my users. Not only do I have to update users accounts in Azure to list them in the new locations, I also have to make sure to create every value (as it exists on the users’ record – no differences in spelling – example “D.C.” vs “DC”) within ServiceNow as well (within the corresponding tables)

So, when I add the location of "Chicago" I also need to make sure that the location table within ServiceNow contains a location called "Chicago" that we can reference. If not, that user will exist in ServiceNow with no location.

This isn’t so bad for the small example that I mentioned above, but when you apply this concept to a large enterprise with 100s of Locations and 100s of Departments changing regularly… it is really hard to manage user provisioning entirely from Azure into ServiceNow.

The (old “non-cloud”) alternate of have ServiceNow pull AD users via LDAP allows for the following concept when dealing with reference fields.
“The ‘department’ attribute is mapping to the Department table within ServiceNow”
Is a match found for this department (eg. “Maintenance”)?
Yes – associate that user to the “Maintenance” related record.
No – you can choose how you would like it to proceed
1. Create – meaning if I find a value that doesn’t exist yet while pulling in new users, create the record on the referencing table
2. Ignore – meaning if I find a value that doesn’t exist yet while pulling in users, don’t create the new record just skip over assigning the user’s department
3. Reject – meaning if I find a value that doesn’t exist yet while pulling in users, reject the users insert/update entirely… move on to the next object in the list of users

This is one disadvantage of pulling the “logic” of user provisioning out of ServiceNow and having it handled from with Azure

I think there is significant area for improvement of the Auto Provisioning functionality when dealing with referenced fields.

For example, the user table within ServiceNow looks similar to the sample snippet below:

TABLE - User [sys_user]

FIELD - Username [username] - string
FIELD - Name [name] - string
FIELD - Email [email] - string
FIELD - Department [department] - references Department [cmndepartment] table
FIELD - Location [location] - references Location [cmn_location] table
FIELD - etc. etc.

Provisioning from Azure - in the cloud - is an awesome alternative to the previous configuration of having ServiceNow communicate with on-prem…

16 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

2 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Thanks for the feedback. We are looking into revamping our ServiceNow connector. Will update this thread as we make progress.

/Arvind
Integrate site mapping for Samanage App

I am provisioning users from AAD to Samanage and I am trying to map the AD attribute "physicalDeliveryOfficeName" to the Samanage "site" attribute. This mapping is currently not supported and I would find it useful.

12 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

2 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Thanks for the feedback, we will review.
Attribute SAMAccountName for the ServiceNow User provisioning

Would be great to to have in the supported list of attributes in the ServiceNow user provisioning app the attribute SamAccountName. This is important for example for the intgegration of legacy applications like SCCM in ServiceNow asset management. Thanks for your support

10 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

under review · 2 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →
Allow dynamic permission set assignment in Salesforce provisioning

Right now AAD supports a "Permission Sets"attribute, however this is not usable. Salesforce users have multiple Permission Sets, which are dependent on their O365 groups. For example, members of the O365 group "IT Services Team" would get the permission set "IT Services" in Salesforce. Until AAD's Salesforce connector supports mapping Permission Sets based on group membership in AAD, most organizations will not be able to use AAD for Salesforce provisioning.

9 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

under review · 0 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →
Make Azure Groups PATCH remove operation SCIM v2 compliant

The request body for Update Group [Remove Members] is not compliant with the SCIM v2 specification.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups#update-group-remove-members

Azure is specifying the member value they want deleted in the "value" property. SCIM specification states that the member value that would be removed in the PATCH operation needs to be set in the "path" property, not "value". The "value" property should actually never be sent in a PATCH remove operation per specification.
https://tools.ietf.org/html/rfc7644#section-3.5.2.2

If a Service Provider that implemented SCIM per specification were to receive PATCH remove request from Azure as is documented above, that request would result in ALL users being removed from the group.

Azure should to be corrected to be SCIM compliant for this request type.

The request body for Update Group [Remove Members] is not compliant with the SCIM v2 specification.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups#update-group-remove-members

Azure is specifying the member value they want deleted in the "value" property. SCIM specification states that the member value that would be removed in the PATCH operation needs to be set in the "path" property, not "value". The "value" property should actually never be sent in a PATCH remove operation per specification.
https://tools.ietf.org/html/rfc7644#section-3.5.2.2

If a Service Provider that implemented SCIM per specification were to receive PATCH remove request from Azure as is documented above, that request would result in ALL users being…

9 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

2 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Thank you for the feedback, we will review.

/Arvind
Allow user folder provisioning for Box upon user assignment in Azure ADP

We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.

One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.

We would like to see similar functionality enabled for Azure AD to allow us to automatically create the user folder in Box, once we assign a user (or group of users) to the Box Application rather than having to create a folder in Box after provisioning a user in Azure , & then having to link the user to the folder & set permissions.

As such we would like to suggest this as a feature enhancement to help us reduce support cycles & also help Microsoft integrate better with many gallery applications where this may be a desirable benefit.

Here is a publicly available article from Okta showing how their product can do this.

https://support.okta.com/help/Documentation/Knowledge_Article/36802318-Configuring-Box-to-Create-a-Personal-Shared-Folder

I'm quite sure there are other professionals out there that will run into this & make or desire a request like this.

Thanks,

Aimmune Team

We made the choice to use Azure AD Premium as the main IdP platform for our organization despite being a newer product in the IdP market space. Unfortunately due to the newness we understand it hasn't quite caught up with others like Okta, etc. as far as being able to extend certain items to the Box cloud space.

One feature we observed when aligning Okta & Box is that when a user gets assigned or provisioned to the Box Application, they also have the ability to provision a user folder at the time the account is provisioned.

We would like…

9 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

1 comment · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

Thank you for your feedback. Please keep voting to help us prioritize.

/Luis
Azure AD User provisioning service : Adding a Staging/Preview mode

Please add a Staging/Preview mode for the Azure AD User Provisioning Service.
It should be possible in an initial setup to test a new provisioning interface and receive a report on what will be changed in an end application. This gives the possibility and security that a new interface can be set up productively.
There is currently a risk that unwanted changes will be made.
As a suggestion; extension of the Scope field by
- Sync all users and groups (Preview only)
- Sync only assigned users and groups (Preview only)

8 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

2 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

This is something we are starting to design this quarter
Push Profile Photo and Manager via scim

It appears that user's profile photo and manager are currently not pushed by Azure AD when it does a SCIM sync. Add support for pushing those attributes.

8 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

3 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

need-feedback · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

Hi we are currently designing this feature. What format does your application support for photos (Jpeg, PNG, GIF)?
Make provision sync on demand

Make provision sync on demand for testing purpose.

User and group sync normally takes about 5~30 minutes. It is very inconvenient and inefficient for testing. Azure AD should allow on demand sync when it is testing phase and the total users are less than a numbers, for example 50.

7 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

3 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

started · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

We have an initial version of this publicly available – aka.ms/provisionondemanddocumentation

/Arvind
(Provision null attributes) Add option to have properties be emptied after clearing them in Azure AD

Right now, I can set a phone number and clear it again in Azure. Azure will update the phonenumber in the application but will never clear it. This is by design I understand that, but our customers would like the option to also clear this information as they consider AAD the source/leading system and it's primary task is to make sure all other applications have the same data, which currently is not the case as the data is never removed from applications after it is removed from AAD

4 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

under review · 0 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →
Support for Salesforce Permission Set Group in the Salesforce Connector

Would be great to add the support for Salesforce Permission Set Group in the Salesforce Connector.

4 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

under review · 1 comment · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →
Get group membership as an attribute of the user when provisioning with SCIM

When mapping Azure AD attributes to application attributes, I would to know the group membership in order to set properly the values of the target attributes.

Imagine the licence is an attribute of the user object. It can be "premium"/"silver"/etc.
On-premises, in AD, I manage my group membership by adding the user to groups like "MyApplicationPremium", "MyApplicationSilver", etc.
By leveveraging the group membership in the mapping, I can set the proper licence.
There is no other way to manage this as I will not have an attribute for each application to hold the licence for instance.

3 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

under review · 0 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →
Support filtering = false | ServiceProviderConfig

Azure AD SCIM client is not compatible with applications, which do not support "filtering".

If “filtering” is not supported by 3rd party app, do not ignore that.
Use the “matching” attribute defined in mappings during the initial cycle to check, if the resource exists.
If resource exists (HTTP-200), save “ID” persistently.
Use “ID” in every subsequent request

cf. RFC7644 section 4: https://tools.ietf.org/html/rfc7644#section-4

3 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

under review · 1 comment · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →
Additional User Entitlement in Salesforce Provisioning

At the moment, AFAIK, the Salesforce Connector provisions a Salesforce Profile to a User based on the Security Group they belong to in a 1 to 1 mapping.

User Provisioning should cover more.

A Salesforce User can have:
- 1 Profile
- 0 to 1 Role
- 0 to N Permission Sets
- 0 to N Permission Set Groups
- member of 0 to N Public Groups
- member of 0 to N Queues

How to provision the other entitlements from AD ?

3 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

1 comment · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

need-feedback · AdminAzure AD Team (Product Manager, Microsoft Azure) responded

Are you looking to push that data from Azure AD to Salesforce or import from Salesforce to Azure AD.

For the former we support profiles, roles, permission sets, permissions. You can go into the attribute mappings and add new mappings for the properties you need. We are evaluating the Salesforce SCIM endpoint to see if we can move to a more standards based integration and support all the attributes that you are requesting.

For the latter we support importing roles as an Azure AD profile.
AAD provisioning does not show Audit logs for group membership

AAD and G suite provisioning does not show Audit logs for group membership update which is I believe quite important to know. As per MS agent :

If the user is not provisioned already on G suite, when we try to update group membership, this would obviously fail since we don't have a reference attribute to resolve on the target. Currently, by design, Azure AD doesn't retry the previously failed group membership update after the user is provisioned. Workarounds to fix this problem is to remove and re-add the user as a member of the group or trigger a clear current state from the portal.

It should try again and provide some logs for visibility that what AAD is doing. There is no logs currently and MS engineer asked me to provide feedback here.

AAD and G suite provisioning does not show Audit logs for group membership update which is I believe quite important to know. As per MS agent :

If the user is not provisioned already on G suite, when we try to update group membership, this would obviously fail since we don't have a reference attribute to resolve on the target. Currently, by design, Azure AD doesn't retry the previously failed group membership update after the user is provisioned. Workarounds to fix this problem is to remove and re-add the user as a member of the group or trigger a clear…

2 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

under review · 0 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →
Please support Join in provisioning with user groups in Azure AD.

Please support Join function in provisioning with user groups in Azure AD.

Excerpt:
Matching based on a combination of attributes is not supported: Most applications do not support querying based on two properties. Therefore, it is not possible to match based on a combination of attributes. It is possible to evaluate single properties on after another.
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#matching-users-in-the-source-and-target--systems

2 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

under review · 0 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →
IDCS Provisioning doesn't work

The Oracle Cloud Infrastructure Gallery app uses OracleIDCS object. But it doesn't support the attribute primary email = boolean. You cannot create a user in IDCS unless you set the email and put it as primary. so essentially, the email.primary has to be set to a boolean(true). Please include it in the OracleIDCS objectclass

2 votes

Sign in
prestine

(thinking…)

Sign in with: Microsoft

Forgot password?

Create a password

I agree to the terms of service

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Provisioning to Applications · Flag idea as inappropriate… · Delete… · Admin →

under review · AdminAzure AD Team (Product Owner, Microsoft Azure) responded

Which email would you like to set as the primary? If the work email is part of the mappings, we send that as the primary.

← Previous 1 2 Next →

Don't see your idea?

Azure Active Directory

How can we improve Azure Active Directory?

SCIM defects

Allow for additional user profile attributes to be updated to applications beyond user name, manager, active status and language.

Azure AD - SaaS - SCIM provisioning of AD attribute thumbnailPhoto

serviceNow

TABLE - User [sys_user]

TABLE - User [sys_user]

Integrate site mapping for Samanage App

Attribute SAMAccountName for the ServiceNow User provisioning

Allow dynamic permission set assignment in Salesforce provisioning

Make Azure Groups PATCH remove operation SCIM v2 compliant

Allow user folder provisioning for Box upon user assignment in Azure ADP

Azure AD User provisioning service : Adding a Staging/Preview mode

Push Profile Photo and Manager via scim

Make provision sync on demand

(Provision null attributes) Add option to have properties be emptied after clearing them in Azure AD

Support for Salesforce Permission Set Group in the Salesforce Connector

Get group membership as an attribute of the user when provisioning with SCIM

Support filtering = false | ServiceProviderConfig

Additional User Entitlement in Salesforce Provisioning

AAD provisioning does not show Audit logs for group membership

Please support Join in provisioning with user groups in Azure AD.

IDCS Provisioning doesn't work

Feedback