Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

How can we improve Azure Active Directory?

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Flutter / Dart Support

    We need a native Flutter / Dart plugin. Flutter is the top trending respository on GitHub! https://github.com/trending

    It's a very bad decision not to write any plugin's for Flutter / Dart. Once again Microsoft will be left out and will be forced to play catch up at a later date. There are many plugins for AWS, but NONE for Azure!

    As of today:

    Xamarin Forms has 2k likes
    Flutter has over 28k likes!

    74 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  2. Passwordless authentication

    Add support for phone- and email-based passwordless authentication - using OTPs (one time passwords).

    74 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  3. Go Direct to Password Reset from Sign-In/Sign-Up

    The Sign-in only policy allows the user to go directly to the password reset.

    The Sign-in/Sign-Up does not allow this. The user gets redirected back and you have to handle AADB2C90118.

    Reference: https://stackoverflow.com/questions/41497158/azure-ad-b2c-self-service-password-reset-link-doesnt-work

    While this flow is useful for some people the opposite is also true. Please allow me to specify the password reset policy in my sign-in/sign-up policy so the round trip is not required if I don't want it.

    73 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    22 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  4. Support for multi-valued attributes synchronized from on premises AD

    AD Connect supports synchronizing multi-valued attributes to AAD.
    However, AAD doesn't support multi-valued attributes synchronized from on premises AD.

    Would be great to have this supported so that for example Dynamic Groups can use multi-value attributes for group membership rules.

    73 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    17 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  5. Automatically enable MFA for all members of an Azure AD Group.

    Add the ability to automatically enable MFA for all members of an Azure AD group as they are added, in addition ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

    71 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    9 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

  6. Device-level authentication as primary authentication like ADFS 4.0 (Windows 2016) in Azure AD

    It would be AWESOME, if Azure Active Directory would provide device-level authentication as primary authentication like ADFS 4.0 (Windows 2016)

    We need this please!

    71 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
  7. Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)

    Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disable user accounts in Active Directory to support this scenario.

    I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the users account expires in the local Active Directory.

    Aaron posted a great workaround solution:
    https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/

    We would like something built-in Active AD Connect that solves this out of the box

    69 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  8. Allow blocking "Sign-ins from anonymous IP addresses"

    I would like to be able to block ALL sign-ins from anonymous IP addresses.

    68 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    14 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  9. Update UPN-Suffix Change from one federated UPN Suffix to another federated UPN Suffix

    According to Support Article 2669550 (https://support.microsoft.com/en-us/help/2669550), AzureAD Connect doesn't update a user’s userPrincipalName in AzureAD when we change the users UPN-Suffix from one federated Domain to another federated Domain. So we need to fix such changes manually or by a custom script.
    I understand that preventing such updates by AzureAD Connect is a good choice for many customers. But for customers with several dozens or hundreds of federated domains, I would like to have a choice whether to sync such changes using AzureAD Connect or leave it on the default behavior of not allowing upn-changes form one federated…

    68 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Azure AD Connect  ·  Flag idea as inappropriate…  ·  Admin →
  10. SSO / Sign in to Azure via Google Apps IDP

    We'd like to enable our users for lots of Azure services (incrementally), starting with some RemoteApp services. We do *not* want to move user authentication to Azure AD (users have lots of complex Google Apps logins, with 2-Factor and U2F Keys).

    Is there an easy way for us to enable Google Apps as an IdP in Azure AD?

    Like, can we copy user profiles from Google Apps -> Azure, and on login attempt, redirect to the Google Apps sign in screen?

    68 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  SaaS Applications  ·  Flag idea as inappropriate…  ·  Admin →
  11. Support for 3rd party EMM solutions when requiring device compliance

    We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.

    Currently Azure AD Conditional Access Policies only supports InTune for checking device compliance as described @ https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.

    66 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    11 comments  ·  Conditional Access  ·  Flag idea as inappropriate…  ·  Admin →
  12. Pre-Provision MFA "StrongAuthenticationUserDetails" via PowerShell?

    We have over 12,000 users we need to provision for MFA.

    I know we can enable MFA via PowerShell, but there doesn't seem to be a way to update the "StrongAuthenticationUserDetails" attribute (Alt. Phone, Email, etc.) programmatically.

    This is turning out to be a huge pain for us. Does anyone have a timeline for when we'll be able to do this?

    66 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  13. All Powershell/BASH/script Azure AD join

    For converting BOYD to Azure AD in the field w/o user intervention, we need a way for elevated accounts to be able to perform an Azure AD join of devices via script.... come on, this is the basics...

    Think of it as MDM self-enrollment... if not that, then give us a one-click way for users to self-enroll the device.

    65 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the feedback on this. There are several ways to do Azure AD join (OOBE, bulk enrollment and Autopilot) which provide a richer experience to join devices to Azure AD. We’re continuously working to enhance those, so currently this is unplanned for the near future. Please continue to vote to help us prioritize


    Ravi

  14. Enable app password creation when MFA is enforced using Azure Conditional Access

    I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.

    I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal then, the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal then, the app password creation option is not presented at all. Both are implementing the same function essentially but the latter blocks the apps that…

    64 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  Multi-factor Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  15. Deny Access Control in the RBAC

    Please add the options below to RBAC.
    Disable inheritance.
    Deny.

    64 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    8 comments  ·  Role-based Access Control  ·  Flag idea as inappropriate…  ·  Admin →

    We recently added deny capability to Azure’s RBAC system, in the form of deny assignments that can be set by the system only. The first Azure feature to use deny is BluePrint. We intend to add a configurable deny capability in the future, but have not yet announced any details.

    Cheers,
    /Stuart and Balaji

  16. 63 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  17. Delegate permissions to remove devices

    The user role User administrator is not able to remove users registered device objekts in Azure AD. I think that roles should be granted that permisson.
    Or create an addiotional role that have the permission to remove device objects in Azure AD.

    62 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    17 comments  ·  Domain Join  ·  Flag idea as inappropriate…  ·  Admin →
  18. MFA Remembering Device

    Have the configuration option to remember a device for MFA, like with non-B2C tenants, instead of requiring MFA each time a user logs in.

    61 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    14 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  19. Microsoft Authenticator support for Tizen Samsung Gear S3 needed

    Pls ADD autenticator to Samsung gear s3 (tizen)

    60 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Authentication  ·  Flag idea as inappropriate…  ·  Admin →
  20. Add AAD B2C to CSP

    B2C is currently available on the CSP pricing calculator, it can be found in the CSP portal, but it is not actually activated for CSP. Why isn't it available yet, and how do I get on the list to be an early user?

    60 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    23 comments  ·  B2C  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base