Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Multiple Active UPNs - One User Active in Multiple Disconnected On Prem Forests

    Some organizations are federated for purposes of identity/branding only. Multiple disconnected on-prem forests may exist with a single joined attribute such as email/samaccountname. Password synchronization may also already exist. Users then may exist and be active in multiple on-premises forests. Allowing for multiple active UPNs in one Azure AD would allow better allocation of entitlements in these organizations. SSO could be directed to the appropriate Azure AD Connect agents for seamless SSO. Hopefully, features such as WHfB and Hybrid device join could fit into this paradigm. Since Azure AD is modern and more flexible, this would negate a need…

    16 votes
    0 comments  ·  Directory
  2. 14 votes
    1 comment  ·  Directory
  3. "hybrid" groups - Static + Dynamic membership

    Allow for both static and dynamic membership of groups at the same time.

    Allow the static membership of groups to be delegated, but the dynamic membership rules locked.

    For example, include all teachers at Test Elementary School with dynamic rules. I want to then use static membership to add the principal of the school, and also some teachers who work at multiple schools, where we cannot set multiple locations in AD. Then be able to delegate the static group membership to the school secretary.

    Include and exclude ability for dynamic rules.

    5 votes
    1 comment  ·  Directory
  4. onmicrosoft.com

    Allow shortening of the default "username.onmicrosoft.com" username to something else which isn't 20+ characters long.

    Maybe even have this as a benefit to upsell licenses?

    Maybe "username.on.ms"?

    4 votes
    0 comments  ·  Directory
  5. show computer membership

    Possibility to display membership on a device object like we can do on a user object.
    Without that, it's very hard to find out which groups a device is a member of.

    3 votes
    0 comments  ·  Directory
  6. Capture the actor "Change Tenant Name"

    Currently, when you rename your Azure AD tenant from Properties, the operation does not register who the actor of the operation is.

    These are the details in the AAD audit logs, so you can filter on them after you have reproduced this:

    --ACTIVITY TYPE: Update company
    --CATEGORY: DirectoryManagement
    --TYPE: Directory

    2 votes
    0 comments  ·  Directory
  7. Give Global Reader true Global Read Permissions

    Global Reader still has gaps reading certain blades that require Global Admin. For example:

    Microsoft _ AAD _ ERM
    -TermsOfUseSummaryBlade
    -AccessReviewsSummaryPart

    Microsoft _ Azure _ ELMAdmin
    -EntitlementListBlade
    -CatalogListBlade
    -PartnerListBlade
    -UserScopeListBlade
    -UserResourceListBlade
    -CommonSettingsBlade

    2 votes
    0 comments  ·  Directory
  8. Limit who can create security groups

    While AAD gives the ability to stop non-admins from creating security groups via the portal, they can still create security groups via PowerShell. There should be a setting which disallows non-admins from creating security groups via any means.

    2 votes
    1 comment  ·  Directory
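Two of the ideas above concern the audit trail: #6 reports "Update company" records that carry no actor, and #8 notes that security groups can still be created outside the portal. The following Python scan is an added example for this listing, not code from UserVoice or from Microsoft. It runs over constructed audit records shaped loosely after the Microsoft Graph directoryAudit fields (activityDisplayName, category, initiatedBy, targetResources); the exact field layout, the UPNs, the group names and the ADMIN_UPNS allowlist are assumptions made for the example. It flags both conditions so a defender can review them until the product itself closes the gap.

```python
import json

# Constructed sample audit records, shaped loosely after Microsoft Graph
# directoryAudit entries. Every value below is made up for this example.
SAMPLE_RECORDS = [
    {   # tenant rename with no actor recorded (the gap described in idea #6)
        "id": "rec-001", "activityDisplayName": "Update company",
        "category": "DirectoryManagement",
        "initiatedBy": {"user": None, "app": None},
        "targetResources": [{"type": "Directory", "displayName": "Contoso"}],
    },
    {   # security group created by a non-admin outside the portal (idea #8)
        "id": "rec-002", "activityDisplayName": "Add group",
        "category": "GroupManagement",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}, "app": None},
        "targetResources": [{"type": "Group", "displayName": "sg-finance",
                             "modifiedProperties": [{"displayName": "SecurityEnabled", "newValue": "[true]"}]}],
    },
    {   # security group created by an allow-listed admin: expected, not flagged
        "id": "rec-003", "activityDisplayName": "Add group",
        "category": "GroupManagement",
        "initiatedBy": {"user": {"userPrincipalName": "admin-bob@contoso.example"}, "app": None},
        "targetResources": [{"type": "Group", "displayName": "sg-helpdesk",
                             "modifiedProperties": [{"displayName": "SecurityEnabled", "newValue": "[true]"}]}],
    },
    {   # Microsoft 365 group (not security-enabled) by a non-admin: out of scope
        "id": "rec-004", "activityDisplayName": "Add group",
        "category": "GroupManagement",
        "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}, "app": None},
        "targetResources": [{"type": "Group", "displayName": "m365-marketing",
                             "modifiedProperties": [{"displayName": "SecurityEnabled", "newValue": "[false]"}]}],
    },
    {   # tenant rename with an actor recorded: nothing to flag
        "id": "rec-005", "activityDisplayName": "Update company",
        "category": "DirectoryManagement",
        "initiatedBy": {"user": {"userPrincipalName": "admin-bob@contoso.example"}, "app": None},
        "targetResources": [{"type": "Directory", "displayName": "Contoso"}],
    },
]

# Assumed allowlist of accounts that are permitted to create security groups.
ADMIN_UPNS = {"admin-bob@contoso.example"}


def actor_of(record):
    """Return the UPN or app name that initiated the record, or None if absent."""
    who = record.get("initiatedBy") or {}
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or None


def _is_security_enabled(target):
    """True if the target's modifiedProperties set SecurityEnabled to true."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "SecurityEnabled":
            try:
                return True in json.loads(prop.get("newValue") or "[]")
            except (TypeError, ValueError):
                return "true" in str(prop.get("newValue")).lower()
    return False


def find_actorless_changes(records, activities=("Update company",)):
    """IDs of records for the given activities that carry no initiator at all."""
    return [r["id"] for r in records
            if r.get("activityDisplayName") in activities and actor_of(r) is None]


def find_nonadmin_security_group_creations(records, admin_upns):
    """(id, actor, group) tuples where an actor outside the allowlist created a security group."""
    hits = []
    for r in records:
        if r.get("activityDisplayName") != "Add group":
            continue
        actor = actor_of(r)
        if actor in admin_upns:
            continue
        for target in r.get("targetResources", []):
            if target.get("type") == "Group" and _is_security_enabled(target):
                hits.append((r["id"], actor, target.get("displayName")))
    return hits


def scan(records, admin_upns):
    """Run both checks and return a summary dict for review."""
    return {
        "actorless": find_actorless_changes(records),
        "nonadmin_security_groups": find_nonadmin_security_group_creations(records, admin_upns),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_RECORDS, ADMIN_UPNS).items():
        print(f"{key}: {value}")
```

On real exports, feed the records pulled from the audit log API into `scan` in place of the constructed list; an "Update company" entry with no actor is itself the finding, since a directory-level change without an accountable identity should always be reviewed.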
  9. Add a service principal as an owner of another service principal

    My issue has to do with the behavior of "az aks update --attach-acr". The account that runs this needs to either be an owner of the AKS SP or have the Application Owner directory role. We don't want to grant the Application Owner role to too many things, and we deploy AKS via ADO. I'd like to either be able to make an SP an owner of another SP or know what the technical limitation is.

    1 vote
    0 comments  ·  Directory
  10. Validate if new username@AzureADCustomDomain already in use as private Microsoft account

    Private Microsoft accounts must not be in use in a Microsoft Azure subscription while the domain name can be attached as a "custom domain".

    My scenario: a domain name which is already in use for a private Microsoft account is linked as a custom domain to Azure AD. I am still able to create a duplicate of the Microsoft account login name in Azure AD, which causes multiple login issues. Moreover, in my case I receive an extra #EXT#@domain.onmicrosoft.com "Work" account type.

    Best practice is to register the Azure subscription on unique @domain.onmicrosoft.com accounts instead of any login with a custom domain name, especially a private Microsoft account.

    Azure account admin mailbox –…

    1 vote
    2 comments  ·  Directory
  11. 1 vote
    0 comments  ·  Directory
  12. When a user is added as a member of an AD group, the user should receive an email notification with a custom configured message.

    If an AD tenant has users A, B, C and a group XYZ, and any of users A, B, C is added as a member of the group, then the added user should receive an email notification with the custom configured message of the group.

    1 vote
    0 comments  ·  Directory
  13. The Add ADFS farm wizard needs to cater for the case when the SQL Browser service is off, and also for custom SQL ports.

    The Add ADFS farm wizard needs to cater for the case when the SQL Browser service is off, and also for custom SQL ports.

    1 vote
    0 comments  ·  Directory
  14. Add support for managing the proxyAddresses Azure attribute in the GUI and PowerShell

    Add support for managing the proxyAddresses Azure attribute in the GUI and PowerShell; currently it is only possible through the Set-Mailbox command.
    But we need to remove some proxy addresses from Azure users because we have to move the domain to another tenant, and the users do not have a mailbox, so we cannot change proxy addresses through the Set-Mailbox command.

    1 vote
    0 comments  ·  Directory
  15. time service

    Publish a Windows Time Service function you can configure to use defaults or external (custom) time sources

    1 vote
    1 comment  ·  Directory
  16. Allow multiple accounts with the same MAIL attribute and don't send email to UserPrincipalNames

    We use separate accounts for user and administrative activities. For our admin accounts we don't provision separate mailboxes, so we would want emails to our admin accounts to go to our "user" accounts, but Azure AD Connect reports that Azure AD requires that the mail attribute be unique (i.e. can't be the same on the admin and user accounts). Because of this our administrative accounts don't have a populated mail attribute. Unfortunately, Azure AD's reaction to this is to email alerts intended for those admin accounts to their UPN - which isn't an email address and does not have any…

    1 vote
    0 comments  ·  Directory
  17. Offer ability to perform a forced removal of an AAD user with a 'Windows Server AD' source

    In the particular case I am describing, we had set up ADSync with an on-prem AD on a previous domain controller. Over time our domain controllers have gone through upgrades and changes, and the old domain controller no longer exists. ADSync was set up again on a new DC and, as expected, it created its Sync[ServerName][UID]@[company].onmicrosoft.com account in AAD; however, the old Sync account is still present for a server that no longer exists, and it does not seem possible to remove that user from AAD (the 'Delete user' button is disabled).

    Perhaps there is a way to do it…

    1 vote
    0 comments  ·  Directory
  18. OUs in portal.azure.com

    Can you add OUs to the management interface in portal.azure.com? I know we have smart groups etc., but with OUs we can really drill down, and it makes life a little easier moving from on-prem to a cloud directory.

    We could then have rules to let us pick the OU that all groups, devices and guest accounts are created in. This would make group and user write-back to Active Directory a dream!

    Also, when syncing to Google G Suite we would have directory parity between both platforms.

    1 vote
    0 comments  ·  Directory
  19. Add data to the Manager field

    Microsoft Azure Intune portal:
    When exporting (Dashboard > Users > All users > Download users), the 'Manager' information is not included in the report. This is key for our internal review. Is there a way to export the 'Manager' data as it relates to each user?

    1 vote
    0 comments  ·  Directory
  20. create new AAD - region is unclear

    When creating a new "Azure AD", the wizard asks to select a region or country, but the products page states that Azure AD is non-regional. It is not clear why a region must be selected.

    1 vote
    0 comments  ·  Directory