Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Change user's primary email address (primary email) through "Profile editing policies" in Azure B2C.

    If we could change the email address that is used to receive the verification code through "Profile editing policies" in Azure B2C, it would be great. When user name is selected as identity provider, the email is used to receive the verification code while signing up. If Email is selected as identity provider, the same email should be changeable through "Profile editing policies".
    It will be useful in the situation when end users forget the email address they created their account with.

    61 votes
    13 comments  ·  B2C
  2. MFA Remembering Device

    Have the configuration option to remember a device for MFA, like with non-B2C tenants, instead of requiring MFA each time a user logs in.

    61 votes
    14 comments  ·  B2C
  3. Add support for webhooks when users are invited, added, removed from Azure AD + Azure AD B2B Collaboration

    Currently it is not possible to receive a notification from Azure AD when a user has been invited (through B2B Collaboration) or added directly through Graph API or the portal.

    61 votes
    5 comments  ·  Developer Experiences
  4. Add AAD B2C to CSP

    B2C is currently available on the CSP pricing calculator, it can be found in the CSP portal, but it is not actually activated for CSP. Why isn't it available yet, and how do I get on the list to be an early user?

    60 votes
    23 comments  ·  B2C
  5. Azure B2C custom user attribute validation like using regex, range etc. e.g. postcode, date of birth

    Ability to validate custom attributes like postcode, date of birth etc. on the user sign-up page / edit profile pages, either by providing a validation choice like "RegEx/Range" or by allowing JS.

    59 votes
    5 comments  ·  B2C
  6. Set Default Country Code in Azure MFA

    When importing users from AD, if the country code isn't included in the attribute, Azure MFA will set the country code to +1 (USA).
    Can a feature be added to allow the default country code to be set at the global level, so that in our case we could set all numbers to default to +44 (Great Britain)?

    59 votes
    7 comments  ·  Multi-factor Authentication
  7. Backup Codes for Azure MFA

    Please add support for "Backup Codes" to Azure MFA as soon as possible. Many popular MFA services already support Backup Codes, basically a list of 10 valid authentication codes that a user can print off and use in situations where their regular authentication method is not available.

    Use cases for backup codes include:

    - User's mobile phone is lost, stolen, or damaged.
    - User will be in an area without good mobile phone service or consistent access to a land line.
    - User lets their mobile phone battery drain.

    58 votes
    9 comments  ·  Multi-factor Authentication

    There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.

    Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.

    Richard

  8. Block Azure MFA (cloud) Enrollment from External Networks

    I feel like I have been to the end of Google and back and thought I'd just reach out to this feedback hub.

    We would love the ability to block Azure MFA (cloud) enrollment from external networks with Azure Conditional Access Policies or another method.

    It doesn't look like the "MFA Setup" page is a "Cloud App" to build conditions on...

    My other thought is the ability to build out a dynamic group based on if a user has enrolled, but the Azure Dynamic group queries seem limited at this point.

    55 votes
    7 comments  ·  Multi-factor Authentication
  9. Conditional Access blocking Office Activation and signin.

    When the Conditional Access Policy is configured with the All cloud apps option, Office activation is also blocked, although there isn't any cloud app dedicated to Office activation that could be excluded. Please create one dedicated cloud app for Office activation.

    54 votes
    under review  ·  2 comments  ·  Conditional Access
  10. RBAC roles for Viewing/Modifying Authentication Info (MFA)

    Currently, only Global Admins can view and modify the information in a user's account in the Authentication Info fields. This is problematic as we have people performing B2C support that are User Administrators and can't see or update the user's info in these fields to help troubleshoot access issues/MFA issues.

    For users assigned the User Administrator role, allow them to view and modify the Authentication Info fields. They currently see grey fields that are empty.

    54 votes
    20 comments  ·  B2C
  11. Introspection endpoint for Azure Active Directory

    Hi,
    At times, there will be cases when the user logs out but the token associated with the user on the client doesn't expire, and so the Resource Servers/APIs invoked with these tokens still service/honor them. It would be great to have an introspection endpoint with AAD to check the validity of the token (as mentioned in RFC 7662, https://tools.ietf.org/html/rfc7662) so that all APIs/Resources can leverage it and accept or reject the token instead of creating a custom repository at our end to blacklist these tokens.

    54 votes
    13 comments  ·  Other
  12. Modern end-user portal

    One of the main blockers to deploying MIM is the lack of a modern end-user facing portal. One doesn't need to port all the functionality to such a portal straight away, and MPRs, Workflows etc. can stay within the old portal for admins, but users should see a responsive and simple interface (not based on SharePoint).

    54 votes
    1 comment  ·  Microsoft Identity Manager
  13. Add PowerShell module for MIM Service and Synchronization service

    Provide an efficient way for FIM/MIM admins to automate some daily tasks and troubleshooting as well.

    54 votes
    4 comments  ·  Microsoft Identity Manager
  14. Allow extensibility of portal through the use of custom controls

    There are some business scenarios which currently cannot be built in the FIM portal due to the limited set of Uoc controls available, and their lack of customization. This leads to external tools needing to be made, fracturing the experience for FIM users. Allowing the Uoc base control to be made public and inheritable opens up scenarios for controls with extended validations, external lookups, code behind, and much more.

    54 votes
    0 comments  ·  Microsoft Identity Manager
  15. Spring Security Support

    Storm Path is an example of an API/Service that provides all the same functionality as Azure AD B2C, and actually integrates with Spring Security very easily.

    https://stormpath.com/

    They provide code samples too:

    https://docs.stormpath.com/java/

    It would be fantastic, and ensure a much wider adoption market, if you were to create an open source project that provided the same easy integration and adoption.

    54 votes
    1 comment  ·  B2C
  16. Custom Roles at the Management Group Level

    Please add the ability to define custom roles for Azure RBAC at the new Management Group level. Would like to be able to create custom roles and set the assignable scope to our root management group so that the role definition is available throughout our tenant.

    https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

    53 votes
    13 comments  ·  Role-based Access Control
  17. Span AADDS domain across multi regions

    Span the same AADDS domain to multi regions - currently only possible with vnet pairing and VPN gateways. Would also add redundancy to the domain if say a region were to go down or the AADDS service were to stop within a region.

    53 votes
    5 comments  ·  Domain Services
  18. Request for registration of OATH token and connection to user:

    We would like you to allow end users to register OATH tokens by themselves, as well as other multi-factor authentication notifications (i.e. telephone and SMS).

    If our request above is not permitted, please consider the following to reduce the time and effort of the administrator:
    - Registering OATH token information prior to registration of associated user information
    - Connecting the user and OATH token by GUI operation from Azure portal instead of importing CSV
    - No entering authentication code when activating OATH token

    52 votes
    4 comments  ·  Multi-factor Authentication
  19. Allow Azure AD App Proxy Apps to use the Azure Web Application Firewall (WAF)

    Applications published with the Azure AD Application Proxy should be allowed to be configured to have traffic go through the Azure Web Application Firewall (WAF). We currently have to purchase a 3rd party WAF instead of using the Azure WAF when publishing applications.

    This should be built-in functionality that can be added onto the Azure AD App Proxy configuration.

    52 votes
    10 comments  ·  Application Proxy
  20. Enable PIM role assignment by Group membership.

    It would be nice to enable PIM roles to be linked not only to direct assignment to users but also to groups. This enables integration with on-premise IAM solutions that have not been extended to support the Graph API calls to PIM for role management.

    52 votes
    under review  ·  9 comments  ·  Privileged Identity Management