Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow for customized error messages in Azure AD Conditional Access policies

    Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on a specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional…

    234 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    19 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  2. RBAC for AAD

    The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.
    Currently there's too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

    232 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    25 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →
  3. Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

    Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

    This is obviously not ideal. We currently having to perform the rollover task manually each month.

    Please look at how this process could be improved for automation.

    231 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    42 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →

    We are currently working on an approach that will allow Tenant Admins to do key rollover from the Azure AD portal; without the need for PowerShell or scripting. This will be released within the next 4-6 months. Subsequently, we will release an update that will perform key rollover automatically every 30 days

    Swaroop

  4. 230 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    63 comments  ·  Admin Portal  ·  Flag idea as inappropriate…  ·  Admin →
  5. Update UserType from portal

    Be able to see and change the userType from the portal.
    (This is only available in Powershell : example: change from Guest -> member, in order to see the directory as an external user.)

    Set-MsolUser -UserPrincipalName xxxhotmail.com#EXT#@xxxhotmail.onmicrosoft.com -UserType Member

    222 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →

    Updating the status to indicate that this is a valid suggestion and in our backlog for the future. Please keep the comments/votes coming, knowing more about how you intend to use this helps us prioritize and design better features.

    /Elisabeth

  6. Add Japan region to data residency location of Azure AD B2C

    Lots of Japanese customers would like to use Azure AD B2C. But they can not decide to adopt B2C because we do not have Japan region as data residency location.

    217 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  7. AzureAD Role Delegation to Groups

    Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlets' RoleMemberType Parameter can be set to Group. But we always get an exception which says that this value is invalid....
    Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the Management much easier. To achieve a Role Delegation to Groups we have to deploy a Powershell that synchronizes Group-Members with Role-Members of a specific role. This is a valid Workaround but a nasty one compared to a direct delegation…

    216 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    31 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →
  8. AADB2C: Force password reset

    Add the ability to force user's to reset password at next login. It would be ideal if this was available for both individual users as well as in bulk. This is necessary for situations such as credential leaks, etc.

    212 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    26 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    We have started the planning for this feature and hope to have a preview by the end of the calendar year. In the meantime, could you respond to aadb2cpreview@microsoft.com with the answers to the following questions:
    - In which scenarios do you plan to force the user to change his/her password?
    - What kind of information (if any) would you like to get back if the user goes through the reset flow?
    - Do you currently or plan to track which users have reset their password?

  9. Support NPS/RADIUS for Azure AD Domain Services

    Add support for Microsoft NPS/RADIUS in Azure AD Domain Services

    208 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  34 comments  ·  Domain Services  ·  Flag idea as inappropriate…  ·  Admin →
  10. Support Remote Desktop Web Client HTML5 on Azure AD App Proxy

    Microsoft doesn't support the Azure AD Application Proxy on RD WebClient (HTML5). Like this MFA and Condintional Access would be possible.
    Another benefit is that HTML5 works on all Webbrowsers without downloading software.
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin

    206 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    21 comments  ·  Application Proxy  ·  Flag idea as inappropriate…  ·  Admin →
  11. Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers

    Hi, Assume, I sign up with Google 'siva@gmail.com', it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com', it creates another user in the tenant. Also I went and Sign up using email account, for 'siva@gmail.com', now am finding 3 users with same email id. I see this is a duplicate accounts are getting created. Is there any way this can be validated & inform user in Azure AD B2C ?

    193 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    35 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?

    BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…

    We look forward to your feedback

    /Jose Rojas

  12. Azure Domain Services Support for LAPS

    Allow (or automatically install) LAPS within Azure Domain Services since this is the Microsoft supported standard for local administrator accounts.

    LAPS: https://technet.microsoft.com/en-us/library/security/3062591.aspx

    191 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    34 comments  ·  Azure AD Join  ·  Flag idea as inappropriate…  ·  Admin →
  13. Azure AD B2C Data Residency in Australia

    Although Azure AD B2C is available for use in Australia, there is not option to create a directiry for which the user data resides in Australia. We would like to be able to ensure that our Azure AD B2C user data remains in Australia.

    187 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    45 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add support for the Microsoft Authenticator app in B2C

    Enable the Microsoft Authenticator app to be used for 2FA in Azure B2C.

    183 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    17 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    We are looking to add additional MFA options for Azure AD B2C in the next few months. As part of the investigation, we want to learn more about your requirements. Email your feedback to aadb2cpreview@microsoft.com.

    When you say “support for Microsoft Authenticator”, which feature are you referring to?
    1. The ability to see the codes in the authenticator app
    2. The ability to receive push notifications for MFA

    If both, which do you prefer more?

    Again, please email your feedback to aadb2cpreview@microsoft.com. Feel free to include more details about your scenarios/requirements!

  15. Support Azure AD domain join for Windows Server 2016

    Microsoft should strongly consider implementing support for Azure AD join in future builds of Windows Server 2016. I how a couple of customers that have nearly finished the transition to all cloud and is left with a couple of servers due to legacy software. They are currently left with the option to deploy Azure AD Domain Services for supporting a couple (2-5) servers.

    https://windowsserver.uservoice.com/forums/295047-general-feedback/suggestions/32995450-support-azure-ad-domain-join-for-windows-server-20

    168 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →
  16. B2C Support for client credential flow.

    To enable APIs to use authentication from another application with separate security credentials (clientId+secret). Needed for APIs to make graph calls.

    (This is not the same as on-behalf-of flow, which represents the ability to exchange an access token intended for one audience for an access token intended for a different audience)

    160 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  17. MFA: remember device permanently (& remember per device, not per app)

    Please:
    1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
    2. Make it so that MFA is remembered once per *device* (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).

    Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or…

    147 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  18. Programmatically register B2C applications

    I want to be able to call a Graph API to register new B2C applications

    147 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow Conversion of AD Synced Accounts to "In Cloud Only"

    Up until recently, we were able to convert a user which was AD Synced to a cloud account by moving it to an OU in AD which was not synced.
    After the next sync, Office 365 would move it into the deleted folder. If you recover it, it goes into a cloud account. As of a few weeks ago, Microsoft disabled this.

    Looking at countless threads around the internet, and speaking with representatives from Microsoft Office 365 support, everyone is frustrated with this change, and wants it changed back to the way it was.

    145 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    51 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  20. group naming policy using extension attributes

    Please implement additional functionality to allow the use of Extension Attributes as part of a Group Naming Policy. This is required as the Department name is too large and many organisations have a shortened department code which they apply via an Extension Attribute. Using a long department name in a Group Naming POlicy creates names that are too long to be useful, but using a shortened department code plus group name means that the group can be easily identified and attributed to a department without cluttering the name space.

    e.g. Information and Communication Technology has a short code of ICT…

    135 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base