Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Support for multi-valued attributes synchronized from on premises AD

    AD Connect supports synchronizing multi-valued attributes to AAD.
    However, AAD doesn't support multi-valued attributes synchronized from on premises AD.

    Would be great to have this supported so that for example Dynamic Groups can use multi-value attributes for group membership rules.

    84 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    19 comments  ·  Groups/Dynamic groups  ·  Flag idea as inappropriate…  ·  Admin →
  2. Flutter / Dart Support

    We need a native Flutter / Dart plugin. Flutter is the top trending respository on GitHub! https://github.com/trending

    It's a very bad decision not to write any plugin's for Flutter / Dart. Once again Microsoft will be left out and will be forced to play catch up at a later date. There are many plugins for AWS, but NONE for Azure!

    As of today:

    Xamarin Forms has 2k likes
    Flutter has over 28k likes!

    83 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    16 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow User Account Administrator to enable MFA for users, not require global admin

    A best practice is to limit the number of global admins, yet a global admin is required to enable MFA for users. This should be allowed in the User Account Administrator role to enable MFA for users.

    83 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA.

  4. Password expiry notification for Azure AD joined devices?

    It would be great if a Password Expiry notification could be implement for full Windows 10 Azure AD-joined clients in the same way as the domain joined clients receive them. A notification that pops up at bottom-right corner of the screen. At the moment I wasn't able to find any way of enabling that.
    We use Azure Directory Sync - no ADFS.

    83 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  5. Support logout and single logout with SAML 2.0 claims provider

    Support for logout and single logout with SAML 2.0 IdP configured as claims provider on B2C.

    The logout and single logout os both requested in some customer cases and in relation to the Danish governments IdP called "NemLog-in". In relation to the Danish governments IdP it is a requirement to support logout and single logout to connect to the central federation.

    80 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  6. Set MFA using Azure Active Directory Powershell Module

    Add support in Azure Active Directory PowerShell module to set Multi-Factor Authentication (MFA).

    Thanks

    79 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  7. Enable app password creation when MFA is enforced using Azure Conditional Access

    I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.

    I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal then, the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal then, the app password creation option is not presented at all. Both are implementing the same function essentially but the latter blocks the apps that…

    78 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  8. Deny Access Control in the RBAC

    Please add the options below to RBAC.
    Disable inheritance.
    Deny.

    76 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →

    We recently added deny capability to Azure’s RBAC system, in the form of deny assignments that can be set by the system only. The first Azure feature to use deny is BluePrint. We intend to add a configurable deny capability in the future, but have not yet announced any details.

    Cheers,
    /Stuart and Balaji

  9. All Powershell/BASH/script Azure AD join

    For converting BOYD to Azure AD in the field w/o user intervention, we need a way for elevated accounts to be able to perform an Azure AD join of devices via script.... come on, this is the basics...

    Think of it as MDM self-enrollment... if not that, then give us a one-click way for users to self-enroll the device.

    75 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the feedback on this. There are several ways to do Azure AD join (OOBE, bulk enrollment and Autopilot) which provide a richer experience to join devices to Azure AD. We’re continuously working to enhance those, so currently this is unplanned for the near future. Please continue to vote to help us prioritize


    Ravi

  10. Automatically enable MFA for all members of an Azure AD Group.

    Add the ability to automatically enable MFA for all members of an Azure AD group as they are added, in addition ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

    75 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

  11. Passwordless authentication

    Add support for phone- and email-based passwordless authentication - using OTPs (one time passwords).

    75 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  12. Introduce account 'unlock' feature when an account gets locked out during passthrough authentication. (instead of waiting for 30 minutes)

    It will be very helpful if we have the ability to unlock on demand when an O365 user's account is locked (self service), without waiting for the account lockout duration. Currently this feature was confirmed by MS tech that it does not exist and that the end user has to wait for the account lockout duration period. This specially is very useful for accounts that are sync'd via AAD Connect and pwd reset in O365 does not apply because the account is a sync'd account.

    74 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  13. User Opt-In to Azure MFA with Office 365

    We have enabled MFA at our Office 365 tenant, but requires Admins to enable users. For organizations that would like to phase MFA in for their users, it would be nice for users to self opt-in sort of like they do with personal email accounts. Then over time, administrators can "require" MFA by a certain date for users holding out. One way to handle this is to include a link for the end user under user settings to "Sign up for Multi-Factor Authentication". Right now, nothing appears under a users security settings until they are enabled by an administrator. Thx!

    72 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    17 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  14. Device-level authentication as primary authentication like ADFS 4.0 (Windows 2016) in Azure AD

    It would be AWESOME, if Azure Active Directory would provide device-level authentication as primary authentication like ADFS 4.0 (Windows 2016)

    We need this please!

    71 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  15. Add support for Kerberos AES and drop RC4_HMAC_MD5

    Per "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature" the "Seamless SSO uses the RC4_HMAC_MD5 encryption type for Kerberos."
    Please add support for modern ciphers and drop that obsolete RC4_MD5!

    69 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  16. Microsoft Authenticator support for Tizen Samsung Gear S3 needed

    Pls ADD autenticator to Samsung gear s3 (tizen)

    69 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  17. Enable synchronized AD groups (or AAD groups) to map to PIM.

    Rather than adding single accounts from AAD (which may be synched from AD), it would be great to map AAD (or synched AD) groups to eligibility rules. E.g. AAD group A is eligible for Role Exchange Admin. That way, one could administer AD groups for privileged access like in RBAC and use PIM to activate the privileges. Adding single users may be difficult to handle in large environments.

    67 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  6 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  18. Change user's primary email address (primary email) through "Profile editing policies" in Azure B2C.

    If we could change email address, that is used to receive verification code, through "Profile editing policies" in Azure B2C, It would be great.When user name is selected as Identity provider, the email is used to receive verification code while signing up. If Email is selected as identity provider, the same email should be changed through "Profile editing policies".
    It will be useful to the situation when end users forget the email address with the one they have created account with.

    63 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  19. 63 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  20. Enable PIM role assignment by Group membership.

    It would be nice to enable PIM roles to be linked not only to direct assignment to users but also to groups. This enables integration with on-premise IAM solutions that have not been extended to support the Graph API calls to PIM for role management.

    62 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  9 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base