Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Programmatically register B2C applications

    I want to be able to call a Graph API to register new B2C applications

    203 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    21 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  2. Ability to Grant Permissions via API or Powershell

    Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.

    Service Principal creation, role definition and permission assignment can be done through Portal, Powershell and API. But in order to make Application Permissions (which requires admin consent) work, you need someone with Global Administrator role to go to Azure Portal and click Grant Permissions button (or do the same thing via OAuth prompt on your…

    203 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    16 comments  ·  Developer Experiences  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Thank you for the feedback! This is in the backlog and we are looking into this. We don’t have an ETA yet, but we will share once we have one. Please keep voting if this feature matters to you.

  3. Deploy and manage Active Directory B2C using ARM templates and RM PowerShell cmdlets.

    When building Azure-based applications intended for generalization and multiple deployment, it would simplify both the development and deployment experience if B2C directories could be configured using the standard Azure RM template and PowerShell cmdlet functionality.

    197 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    24 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →

    Given that a Azure AD B2C tenant should only be used for configuring Azure AD B2C, would having programmatic API’s to configure all of the Azure AD B2C settings be useful or is there more that you are looking to achieve using ARM templates?

    /Parakh

  4. B2C Support for client credential flow.

    To enable APIs to use authentication from another application with separate security credentials (clientId+secret). Needed for APIs to make graph calls.

    (This is not the same as on-behalf-of flow, which represents the ability to exchange an access token intended for one audience for an access token intended for a different audience)

    195 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  5. Enable per user MFA bypass for Azure MFA (Cloud) make this both temporary and permenant based on settings

    Currently per user bypass is not capable in Azure MFA (Cloud only) this can be done using the Azure MFA on premise server. This functionality make Azure MFA more usable for a end user community that often loses or forget cell phones and need temporary bypass. Also using Azure MFA with NPS/Radius there is no way to allow services accounts that do network equipment monitoring to avoid Azure MFA if we want to enable MFA to access critical network infrastructure or VPN using radius this would help this scenario too

    193 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    28 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  6. group naming policy using extension attributes

    Please implement additional functionality to allow the use of Extension Attributes as part of a Group Naming Policy. This is required as the Department name is too large and many organisations have a shortened department code which they apply via an Extension Attribute. Using a long department name in a Group Naming POlicy creates names that are too long to be useful, but using a shortened department code plus group name means that the group can be easily identified and attributed to a department without cluttering the name space.

    e.g. Information and Communication Technology has a short code of ICT…

    186 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    22 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →
    unplanned  ·  Azure AD Team responded

    Thank you for your feedback! We have heard you and are considering future implementation options. There is no timeline yet for implementation. If this feature matters to you, keep voting as it will help us prioritize.

  7. Allow Azure AD Sync to Prepopulate the Authentication Phone Number from an Onpremise AD Object, and prevent users from entering their own.

    Allowing a User to set their own mobile number in MFA, completely negates the purpose of the Technology, in an Azure AD Connect environment.

    For a Secure environment, The Administrator would set the Mobile Number as the source of Truth in Active Directory, and it should prevent a potential attacker, from changing the mobile number as they see fit.

    If a user, who has not registered for Azure MFA yet, credentials are compromised, then an attacker could supply their own Authentication Number, and Azure MFA becomes ineffective.

    We should have the ability to set the Authentication Number in AD, and…

    186 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. Disable user's ability to change password (via cloud/portals)

    We need to disable a user's ability to change their password. We need to manage password changes in our own application.

    NOTE: I am not referring to password resets (which we can easily disable). Rather I'm talking about preventing users from changing their password via a Microsoft portal when they know their existing password.

    We are looking for an equivalent of the (non Azure) AD powershell command Set-ADUser -CannotChangePassword.

    184 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    23 comments  ·  Self-Service Password Reset  ·  Flag idea as inappropriate…  ·  Admin →

    Hi folks! I apologies for the delay in response and I deeply appreciate your feedback. I understand how important this feature is for your and your users. We do not yet have plans to implement this feature, but please keep voting if this is important to you to help us prioritize appropriately.

  9. B2B Guest User Expiration

    Looking for the functionality where you can schedule Azure B2B users to exist in your tenant for a predetermined period of time. This would operate similarly to the O365 Groups expiration functionality that exist today. Additionally, managers would be allowed to extend these periods of time and automated reminders would be sent to the manager of these users.

    179 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    19 comments  ·  B2B  ·  Flag idea as inappropriate…  ·  Admin →

    We do have some capabilities in this space by using either Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) or the newly-released-to-preview Entitlement Management feature (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview).

    If neither of those fulfill your requirements, please add a comment with your scenario for the feature to help us prioritize and design it better.

    /Elisabeth

  10. Allow different login branding customizations per-domain

    We have a number of subdomains in our tenant which are used for various purposes - clients, partners, staff etc.
    It would be great to be able to customise the login branding customisation settings on a per-domain basis rather than globally across the tenant.

    176 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    17 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  11. Fix Error AADSTS50020 when logged in user doesn't have permissions to selected Application.

    Currently if the logged in users doesnt exist in the Tenant Directory for a given application. The user is shown a very unhelpful page with the following:

    Sorry, but we’re having trouble signing you in.
    We received a bad request.

    The debug error is :
    AADSTS50020: User account 'some email address' from external identity provider 'https://sts.windows.net/someguid/' is not supported for application 'https://someappurl'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

    176 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  56 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  12. 171 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    25 comments  ·  PowerShell  ·  Flag idea as inappropriate…  ·  Admin →
    started  ·  Azure AD Team responded

    This is in the works, hoping to be able to release a new version in the next couple of weeks that supports running on Linux (and Mac)

  13. Restore Azure Active Directory Security groups

    Restore Azure Active Directory Security groups

    167 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    18 comments  ·  Admin Portal  ·  Flag idea as inappropriate…  ·  Admin →
  14. Ability to update Named Locations using PowerShell

    We have around 200 locations that use dynamic IP addresses that change frequently. We have the ability to pull the public IP addresses via REST API/PowerShell, but there is currently no way to update the Named Locations list programmatically. Without PowerShell, we are forced to manually dump the list to a CSV and upload the new file.

    We would like to have the ability to add, remove, update Named Locations and entries in the IP Ranges of a Named Location.

    165 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    24 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  15. Support for 3rd party EMM solutions when requiring device compliance

    We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.

    Currently Azure AD Conditional Access Policies only supports InTune for checking device compliance as described @ https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.

    159 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    34 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for your feedback. Microsoft is currently working with third party MDM providers to enable this scenario. We will update this thread once we have more information to share.

  16. Enable app password creation when MFA is enforced using Azure Conditional Access

    I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.

    I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal then, the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal then, the app password creation option is not presented at all. Both are implementing the same function essentially but the latter blocks the apps that…

    156 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    21 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. Provide support for YubiKey / FIDO as the MFA

    Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.

    https://www.yubico.com/about/background/fido/

    156 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    14 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    Azure MFA is currently designing the experience for FIDO 2.0. This is the next iteration of the FIDO U2F standard that the link references.

    Richard

  18. Allow password expiration policy to sync from on-prem AD to Azure AD

    Why doesn't a users cloud password expire when the on-prem password expires? We use an Azure Application Proxy App to securely publish an extranet to many employees and vendors whom never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.

    156 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    22 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  19. Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)

    Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disable user accounts in Active Directory to support this scenario.

    I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the users account expires in the local Active Directory.

    Aaron posted a great workaround solution:
    https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/

    We would like something built-in Active AD Connect that solves this out of the box

    155 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  20. Change tracking for Conditional Access Policies

    Support some kind of change tracking or auditing in regards to changes made for Conditional Access Policies?

    155 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  23 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base