Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. AADB2C: Send email invitation for new user to sign up

    I would like the ability to trigger an email invitation to be sent to new users for our web application that I want to authenticate with AADB2C. In our multi-tenant design, each tenant will be responsible for adding their own users to their tenant. I would like the admin of the tenant to be able to send an email invitation to the new user and then that user can complete the sign-up process.

    414 votes

    31 comments  ·  B2C
  2. AADB2C: Support OAuth 2.0 client credential flow

    As mentioned in the B2C limitations:

    https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-limitations/

    Our daemons / server-side applications need this feature as part of our security implementation in order to grant access to our web apis.

    394 votes

    38 comments  ·  B2C

    Currently, you can use the “App Registration” blade in the Azure Portal (outside of the Azure AD B2C blades) to register apps that define application permissions and then register apps that use client credentials to request these. The caveat is that this is done using the same mechanism that you’d use in regular Azure AD.

    Ideally we’d have a first class experience for this in the Azure AD B2C blades or at least have an Azure doc that walks you through the experience I just summarized, so I’m leaving this feature ask open.

    It would be great if you guys can add comments with your feedback. What scenarios are you trying to achieve? Does the approach above help you achieve what you want to achieve? Does the experience to do so work for you guys and if not, what would you like to see?

  3. RBAC for AAD

    The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.

    Currently there are too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

    384 votes

    47 comments  ·  Role-based Access Control

    Hi folks,
    Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

    You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

    Regards,
    Vince Smith
    Azure Active Directory Team

  4. Support for Azure Dynamic Device groups for grouping ADJ & HDJ devices

    How to properly group Azure Domain Joined devices and Hybrid Azure Domain Joined devices? There is no available support for this request.
    https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices

    There are values available within an ADJ and HDJ to be filtered. I can filter them in Get-MsolDevice or in the Azure Portal too, but an Azure dynamic device group doesn't have an available attribute to filter them, there are two values that can be used to filter but none of them are available for Azure DDG:

    ADJ>
    DeviceTrustType: Azure AD Joined
    DirSyncEnabled: $null
    HDJ>
    DeviceTrustType: Domain Joined
    DirSyncEnabled: True

    Please advise how to group these two…

    380 votes

    32 comments  ·  Groups/Dynamic groups
  5. Add support for the Microsoft Authenticator app in B2C

    Enable the Microsoft Authenticator app to be used for 2FA in Azure B2C.

    364 votes

    43 comments  ·  B2C

    We are looking to add additional MFA options for Azure AD B2C in the next few months. As part of the investigation, we want to learn more about your requirements. Email your feedback to aadb2cpreview@microsoft.com.

    When you say “support for Microsoft Authenticator”, which feature are you referring to?
    1. The ability to see the codes in the authenticator app
    2. The ability to receive push notifications for MFA

    If both, which do you prefer more?

    Again, please email your feedback to aadb2cpreview@microsoft.com. Feel free to include more details about your scenarios/requirements!

  6. Support Azure AD domain join for Windows Server 2016

    Microsoft should strongly consider implementing support for Azure AD join in future builds of Windows Server 2016. I have a couple of customers that have nearly finished the transition to all cloud and are left with a couple of servers due to legacy software. They are currently left with the option to deploy Azure AD Domain Services for supporting a couple (2-5) servers.

    https://windowsserver.uservoice.com/forums/295047-general-feedback/suggestions/32995450-support-azure-ad-domain-join-for-windows-server-20

    361 votes

    43 comments  ·  Domain Join
  7. AADB2C: Force password reset

    Add the ability to force users to reset their password at next login. It would be ideal if this was available for both individual users as well as in bulk. This is necessary for situations such as credential leaks, etc.

    356 votes

    65 comments  ·  B2C

    We have started the planning for this feature and hope to have a preview by the end of the calendar year. In the meantime, could you respond to aadb2cpreview@microsoft.com with the answers to the following questions:
    - In which scenarios do you plan to force the user to change his/her password?
    - What kind of information (if any) would you like to get back if the user goes through the reset flow?
    - Do you currently or plan to track which users have reset their password?

  8. Allow blocking "Sign-ins from anonymous IP addresses"

    I would like to be able to block ALL sign-ins from anonymous IP addresses.

    354 votes

    58 comments  ·  Conditional Access
  9. Update UserType from portal

    Be able to see and change the userType from the portal.
    (This is only available in PowerShell. Example: change from Guest -> Member, in order to see the directory as an external user.)

    Set-MsolUser -UserPrincipalName xxxhotmail.com#EXT#@xxxhotmail.onmicrosoft.com -UserType Member

    329 votes

    16 comments  ·  B2B
  10. Authentication Phone

    Make the Authentication Phone and Authentication Email fields settable with PowerShell.

    319 votes

    36 comments  ·  Self-Service Password Reset
  11. Azure AD B2C Data Residency in Australia

    Although Azure AD B2C is available for use in Australia, there is no option to create a directory for which the user data resides in Australia. We would like to be able to ensure that our Azure AD B2C user data remains in Australia.

    313 votes

    82 comments  ·  B2C
  12. MFA: remember device permanently (& remember per device, not per app)

    Please:
    1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
    2. Make it so that MFA is remembered once per device (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).

    Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or…

    312 votes

    23 comments  ·  Multi-factor Authentication
  13. Restore Azure Active Directory Security groups

    Restore Azure Active Directory Security groups

    308 votes

    42 comments  ·  Admin Portal
  14. Enable User Writeback to On Premise AD from Azure AD

    We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...

    305 votes

    36 comments  ·  Azure AD Connect
  15. Allow administrators to unlock locked-out users in Azure AD Domain Services

    If a user gets locked out of their account in Azure AD Domain Services there is no way to unlock it. The user has to wait for 30 minutes.
    Try telling the CEO you can't unlock her account?

    296 votes

    41 comments  ·  End user experiences
  16. Enable per user MFA bypass for Azure MFA (Cloud) make this both temporary and permanent based on settings

    Currently per user bypass is not capable in Azure MFA (Cloud only); this can be done using the Azure MFA on premise server. This functionality makes Azure MFA more usable for an end user community that often loses or forgets cell phones and needs temporary bypass. Also, using Azure MFA with NPS/Radius, there is no way to allow service accounts that do network equipment monitoring to avoid Azure MFA if we want to enable MFA to access critical network infrastructure or VPN using radius; this would help this scenario too.

    295 votes

    42 comments  ·  Multi-factor Authentication
  17. Disable user's ability to change password (via cloud/portals)

    We need to disable a user's ability to change their password. We need to manage password changes in our own application.

    NOTE: I am not referring to password resets (which we can easily disable). Rather I'm talking about preventing users from changing their password via a Microsoft portal when they know their existing password.

    We are looking for an equivalent of the (non Azure) AD PowerShell command Set-ADUser -CannotChangePassword.

    293 votes

    38 comments  ·  Self-Service Password Reset

    Hi folks! I apologize for the delay in response and I deeply appreciate your feedback. I understand how important this feature is for you and your users. We do not yet have plans to implement this feature, but please keep voting if this is important to you to help us prioritize appropriately.

  18. Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)

    Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disables user accounts in Active Directory to support this scenario.

    I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the user's account expires in the local Active Directory.

    Aaron posted a great workaround solution:
    https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/

    We would like something built-in Active AD Connect that solves this out of the box

    287 votes

    25 comments  ·  Azure AD Connect
  19. Deploy and manage Active Directory B2C using ARM templates and RM PowerShell cmdlets.

    When building Azure-based applications intended for generalization and multiple deployment, it would simplify both the development and deployment experience if B2C directories could be configured using the standard Azure RM template and PowerShell cmdlet functionality.

    285 votes

    36 comments  ·  B2C

    Given that an Azure AD B2C tenant should only be used for configuring Azure AD B2C, would having programmatic APIs to configure all of the Azure AD B2C settings be useful or is there more that you are looking to achieve using ARM templates?

    /Parakh

  20. Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers

    Hi, assume I sign up with Google 'siva@gmail.com'; it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com'; it creates another user in the tenant. I also went and signed up using an email account for 'siva@gmail.com', and now I am finding 3 users with the same email id. I see that duplicate accounts are getting created. Is there any way this can be validated and the user informed in Azure AD B2C?

    283 votes

    53 comments  ·  B2C

    Thank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?

    BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…

    We look forward to your feedback

    /Jose Rojas
