Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Azure Domain Services Support for LAPS
Allow (or automatically install) LAPS within Azure Domain Services since this is the Microsoft supported standard for local administrator accounts.
LAPS: https://technet.microsoft.com/en-us/library/security/3062591.aspx
375 votesThis is currently in planning for enabling it for Azure AD joined devices, NOT for AAD DS
-
AADB2C: Support OAuth 2.0 client credential flow
As mentioned in the B2C limitations:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-limitations/
Our daemons / server-side applications need this feature as part of our security implementation in order to grant access to our web apis.
334 votesCurrently, you can use “App Registration” blade in the Azure Portal (outside of the Azure AD B2C blades) to register an apps that define application permission and the register apps that use client credentials to request these. The caveat is that this is done using the same mechanism that you’d use in regular Azure AD.
Ideally we’d have a first class experience for this in the Azure AD B2C blades or at least have an Azure doc that walks you through the experience I just summarized, so I’m leaving this feature ask open.
It would be great if you guys can add comments with your feedback. What scenarios areyou trying to achieve? Does the approach above help you achieve what you want to achieve? Does the experience to do so work for you guys and if not, what would you like to see?
-
RBAC for AAD
The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.
Currently there's too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.323 votesHi folks,
Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.
Regards,
Vince Smith
Azure Active Directory Team -
Support Azure AD domain join for Windows Server 2016
Microsoft should strongly consider implementing support for Azure AD join in future builds of Windows Server 2016. I how a couple of customers that have nearly finished the transition to all cloud and is left with a couple of servers due to legacy software. They are currently left with the option to deploy Azure AD Domain Services for supporting a couple (2-5) servers.
316 votesCurrently, we are not aware of any plans from Windows Server for this capability. We’ll continue to work with Windows Server to revisit this in the near future
-
Enable support for dynamic mail-enabled security groups
Dynamic security groups are great, mail-enabled groups are great too wouldn't it be great to have both. We have a requirement to create security groups (or distribution groups) based on employee attributes (i.e. Active Full-time, Active Parttime, etc...). These attributes live in Azure AD but aren't accessible in Exchange Online so I cannot create a dynamic distribution group. I am able to create a mail-enabled security group but the membership cannot be dynamic. And any dynamic group I create can't be mail-enabled unless it's a unified group but for the purposes we need the groups for Unified groups aren't appropriate.…
311 votesThank you for your feedback! We have heard you and are considering future implementation options. There is no timeline yet for implementation. If this feature matters to you, keep voting as it will help us prioritize.
-
Update UserType from portal
Be able to see and change the userType from the portal.
(This is only available in Powershell : example: change from Guest -> member, in order to see the directory as an external user.)Set-MsolUser -UserPrincipalName xxxhotmail.com#EXT#@xxxhotmail.onmicrosoft.com -UserType Member
309 votesUpdating the status to indicate that this is a valid suggestion and in our backlog for the future. Please keep the comments/votes coming, knowing more about how you intend to use this helps us prioritize and design better features.
/Elisabeth
-
AADB2C: Force password reset
Add the ability to force user's to reset password at next login. It would be ideal if this was available for both individual users as well as in bulk. This is necessary for situations such as credential leaks, etc.
305 votesWe have started the planning for this feature and hope to have a preview by the end of the calendar year. In the meantime, could you respond to aadb2cpreview@microsoft.com with the answers to the following questions:
- In which scenarios do you plan to force the user to change his/her password?
- What kind of information (if any) would you like to get back if the user goes through the reset flow?
- Do you currently or plan to track which users have reset their password? -
Enable SSPR to reset Windows cached credentials
In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows
Its great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since its definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we…
288 votesHey folks! Thank you for your feedback. We are reviewing this ask and will keep you up to date on our findings. We have also added information about this limitation in our documentation. Thank you!
-
MFA: remember device permanently (& remember per device, not per app)
Please:
1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
2. Make it so that MFA is remembered once per device (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or…
286 votesWe are currently considering updating the Remember MFA settings. You can use Conditional Access Sign-in frequency policy to extend the session lifetime up 365 days.
-
Authentication Phone
Make the Authentication Phone and Authentication Email field settable with Powershell.
284 votesHi folks – apologies for the lack of updates here. This work is still in progress but unfortunately we don’t have an ETA that we can share yet. We will update as soon as we do. Thanks!
-
Add support for the Microsoft Authenticator app in B2C
Enable the Microsoft Authenticator app to be used for 2FA in Azure B2C.
276 votesWe are looking to add additional MFA options for Azure AD B2C in the next few months. As part of the investigation, we want to learn more about your requirements. Email your feedback to aadb2cpreview@microsoft.com.
When you say “support for Microsoft Authenticator”, which feature are you referring to?
1. The ability to see the codes in the authenticator app
2. The ability to receive push notifications for MFAIf both, which do you prefer more?
Again, please email your feedback to aadb2cpreview@microsoft.com. Feel free to include more details about your scenarios/requirements!
-
Azure AD B2C Data Residency in Australia
Although Azure AD B2C is available for use in Australia, there is not option to create a directiry for which the user data resides in Australia. We would like to be able to ensure that our Azure AD B2C user data remains in Australia.
263 votesWe plan to start work on this in the next 6 months. Please note we don’t have timing on when it would be available for customers.
-
Need email alert option when keys are about to expire
Need email alert option when keys are about to expire
247 votes -
244 votes
You can remove directories by contacting the organization that owns the directory and asking them to remove you.
We can add the ability to hide them, if this is a popular request.
-
Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers
Hi, Assume, I sign up with Google 'siva@gmail.com', it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com', it creates another user in the tenant. Also I went and Sign up using email account, for 'siva@gmail.com', now am finding 3 users with same email id. I see this is a duplicate accounts are getting created. Is there any way this can be validated & inform user in Azure AD B2C ?
244 votesThank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?
BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…
We look forward to your feedback
/Jose Rojas
-
Allow blocking "Sign-ins from anonymous IP addresses"
I would like to be able to block ALL sign-ins from anonymous IP addresses.
237 votesThis feature work is planned, but hasn’t started yet.
-
Enable User Writeback to On Premise AD from Azure AD
We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...
233 votesWe are aware of this requirement but have no timelines to share at this moment.
-
Add Japan region to data residency location of Azure AD B2C
Lots of Japanese customers would like to use Azure AD B2C. But they can not decide to adopt B2C because we do not have Japan region as data residency location.
222 votesWe are hoping to support more datacenters in the future, especially in the Asia/Pacific region, but it is not currently planned for the short term.
/Parakh
-
Programmatically register B2C applications
I want to be able to call a Graph API to register new B2C applications
210 votesWe have restarted work on this feature. However, we don’t have a date for public preview yet.
-
Enable per user MFA bypass for Azure MFA (Cloud) make this both temporary and permenant based on settings
Currently per user bypass is not capable in Azure MFA (Cloud only) this can be done using the Azure MFA on premise server. This functionality make Azure MFA more usable for a end user community that often loses or forget cell phones and need temporary bypass. Also using Azure MFA with NPS/Radius there is no way to allow services accounts that do network equipment monitoring to avoid Azure MFA if we want to enable MFA to access critical network infrastructure or VPN using radius this would help this scenario too
210 votesWe are currently working on a method to allow users to sign in while their authentication methods are temporarily unavailable.
- Don't see your idea?