Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow different login branding customizations per-domain

    We have a number of subdomains in our tenant which are used for various purposes - clients, partners, staff etc.
    It would be great to be able to customise the login branding customisation settings on a per-domain basis rather than globally across the tenant.

    142 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  2. group naming policy using extension attributes

    Please implement additional functionality to allow the use of Extension Attributes as part of a Group Naming Policy. This is required as the Department name is too large and many organisations have a shortened department code which they apply via an Extension Attribute. Using a long department name in a Group Naming POlicy creates names that are too long to be useful, but using a shortened department code plus group name means that the group can be easily identified and attributed to a department without cluttering the name space.

    e.g. Information and Communication Technology has a short code of ICT…

    141 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. Enable support for dynamic mail-enabled security groups

    Dynamic security groups are great, mail-enabled groups are great too wouldn't it be great to have both. We have a requirement to create security groups (or distribution groups) based on employee attributes (i.e. Active Full-time, Active Parttime, etc...). These attributes live in Azure AD but aren't accessible in Exchange Online so I cannot create a dynamic distribution group. I am able to create a mail-enabled security group but the membership cannot be dynamic. And any dynamic group I create can't be mail-enabled unless it's a unified group but for the purposes we need the groups for Unified groups aren't appropriate.…

    139 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    23 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Provide support for YubiKey / FIDO as the MFA

    Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.

    https://www.yubico.com/about/background/fido/

    134 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  5. Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application.

    Currently if the logged in users doesnt exist in the Tenant Directory for a given application. The user is shown a very unhelpful page with the following:

    Sorry, but we’re having trouble signing you in.
    We received a bad request.

    The debug error is :
    AADSTS50020: User account 'some email address' from external identity provider 'https://sts.windows.net/someguid/'; is not supported for application 'https://someappurl'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

    134 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  36 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  6. Phone number sign-up

    Local accounts currently allows email addresses and usernames as sign-in identifiers. Add phone numbers as well.

    133 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    37 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    We are interested in enabling this scenario and are looking for more data.
    - Would you want to be able to use this in conjunction with email or would you only be interested in one way to sign up accounts at a time?
    - Would you like to be able to create the account without needing an email at all?

    /Sam

  7. Make https://passwordreset.microsoftonline.com responsive design or app for password reset

    It would be nice, if the passwordreset.microsoftonline.com looked great on a mobile device as well as on a PC. It isn't responsive and looks weird on a phone. You have to pinch to see the text and textboxes on the page.

    Alternative Microsoft should consider integrating "Password Reset" / "Lockout" functionality in a new app or the existing Azure Authenticator app. This will notify the user about account lockout and also provide a way for the user to do a quick password reset a device. Of cause the user will need to answer a couple of questions, enter a pin…

    133 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    17 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →
  8. Ability to Grant Permissions via API or Powershell

    Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.

    Service Principal creation, role definition and permission assignment can be done through Portal, Powershell and API. But in order to make Application Permissions (which requires admin consent) work, you need someone with Global Administrator role to go to Azure Portal and click Grant Permissions button (or do the same thing via OAuth prompt on your…

    129 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
  9. Disable user's ability to change password (via cloud/portals)

    We need to disable a user's ability to change their password. We need to manage password changes in our own application.

    NOTE: I am not referring to password resets (which we can easily disable). Rather I'm talking about preventing users from changing their password via a Microsoft portal when they know their existing password.

    We are looking for an equivalent of the (non Azure) AD powershell command Set-ADUser -CannotChangePassword.

    127 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    22 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →

    Hi folks! I apologies for the delay in response and I deeply appreciate your feedback. I understand how important this feature is for your and your users. We do not yet have plans to implement this feature, but please keep voting if this is important to you to help us prioritize appropriately.

  10. Enable User Writeback to On Premise AD from Azure AD

    We need to be able to sync down from Azure AD - specifically we have External Users that we need to have down on our on premise AD so that we can put them into Distribution Lists...

    126 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  11. Need email alert option when keys are about to expire

    Need email alert option when keys are about to expire

    125 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
  12. Programmatically manage B2C policies

    I want to be able to call the Graph API or use PowerShell to manage Azure AD B2C policies.

    124 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  13. Allow Azure AD Sync to Prepopulate the Authentication Phone Number from an Onpremise AD Object, and prevent users from entering their own.

    Allowing a User to set their own mobile number in MFA, completely negates the purpose of the Technology, in an Azure AD Connect environment.

    For a Secure environment, The Administrator would set the Mobile Number as the source of Truth in Active Directory, and it should prevent a potential attacker, from changing the mobile number as they see fit.

    If a user, who has not registered for Azure MFA yet, credentials are compromised, then an attacker could supply their own Authentication Number, and Azure MFA becomes ineffective.

    We should have the ability to set the Authentication Number in AD, and…

    123 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add IPv6 addresses/ranges in named locations

    Hi,

    we set up Named Locations in Azure ID to "avoid" risky Azure AD logins.

    I added all our IPv4 public IPs/ranges but could not enter the IPv6 IPs/ranges. I got in touch with the Azure support and they said it is not possible yet.

    As we also use IPv6 surf IPs, could you enable the feature to add IPv6 IPs/ranges as well?

    Kind regards
    André

    123 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    27 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  15. B2B Guest User Expiration

    Looking for the functionality where you can schedule Azure B2B users to exist in your tenant for a predetermined period of time. This would operate similarly to the O365 Groups expiration functionality that exist today. Additionally, managers would be allowed to extend these periods of time and automated reminders would be sent to the manager of these users.

    122 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →

    We do have some capabilities in this space by using either Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) or the newly-released-to-preview Entitlement Management feature (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview).

    If neither of those fulfill your requirements, please add a comment with your scenario for the feature to help us prioritize and design it better.

    /Elisabeth

  16. Deploy and manage Active Directory B2C using ARM templates and RM PowerShell cmdlets.

    When building Azure-based applications intended for generalization and multiple deployment, it would simplify both the development and deployment experience if B2C directories could be configured using the standard Azure RM template and PowerShell cmdlet functionality.

    119 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    Given that a Azure AD B2C tenant should only be used for configuring Azure AD B2C, would having programmatic API’s to configure all of the Azure AD B2C settings be useful or is there more that you are looking to achieve using ARM templates?

    /Parakh

  17. "Change password" policy

    Add a new Azure AD B2C policy that allows a signed-in user to change his or her password. Not the same as password reset.

    115 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    14 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    We are in the process of planning this feature and hope to have a preview available by the end of november. In the meantime, could you please respond to aadb2cpreview@microsoft.com with your responses to the following questions:

    - If you had a “password change” policy, what kind of information would you like to get back once the policy has been executed?
    - Would you prefer to have a policy that forces you to sign in first, and then asks you to change the password, or one that let’s you do it all on the same page?
    - Would you want an email to get sent out to the user whenever the password is changed?

  18. AADB2C: How-to on multi-tenant applications based on B2C

    As service provider using Azure as the underlying platform, I want to create an application that allows companies to create and manage their tenants and users within my service in order to provide a public service area as well as a privately owned area for the company.

    I've read about B2C supporting multi-tenant, but I couldn't find hints within the documentation...

    114 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  19. Linux compatibility for AzureAD Powershell Module

    As mentioned in https://github.com/PowerShell/PowerShell/issues/5274, the AzureAD module is not compatible with Linux.

    112 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  PowerShell  ·  Flag idea as inappropriate…  ·  Admin →
  20. phone factor

    Surface/expose Azure MFA (Phone Factor) attribute data in GRAPH to facilitate API-based manipulation and mitigate some of the current limitations in RBAC within "cloud only" deployments of the Azure MFA service.

    111 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    19 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base