Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. We definitely need to have support for userinfo endpoint

    Given that Userinfo is part of the OpenID standard, AAD B2C should support this endpoint.

    86 votes  ·  15 comments  ·  B2C
  2. Password expiry reminder email notification

    Most people have separate accounts for accessing Azure AD. It would be good if there were an email to remind users to change their passwords, as users may not log in to their cloud accounts frequently.

    86 votes  ·  8 comments  ·  Self-Service Password Reset
  3. Allow the use of all user attributes for SAML token attributes

    We are developing a POC to have Cisco WebEx and Jabber integrate directly with Azure AD. Authentication works just fine. However, when there is a change to a user's profile in Active Directory, say title or phone number, in order for that change to update in WebEx or Jabber the "whenChanged" attribute needs to be sent as "updateTimeStamp" in the SAML token. "whenChanged" cannot be extended as a Directory Extension, so maybe use of the "LastDirSyncTime" attribute in Azure would be a suitable replacement. Also, it would be beneficial to allow the use of the "mobilePhone" Azure attribute in…

    85 votes  ·  4 comments  ·  SaaS Applications
  4. Group-based Licensing for Nested Groups

    Nested groups have been around for a VERY long time. It is ridiculous that group-based licensing doesn't support nested groups. Please add support for nested groups ASAP!

    84 votes  ·  8 comments  ·  Groups/Dynamic groups
  5. Find all users with app passwords

    We think that it's necessary to have a command for PowerShell to show app passwords per user. It would also need to show what app the password is being used for. MFA is pointless with thousands of app passwords. Not every user we've enforced has set up app passwords. This is what I and many other admins would like to know.

    83 votes  ·  6 comments  ·  PowerShell
  6. Add support for User-Agent Client Hints

    The User-Agent string is being retrieved as part of the Azure/O365 audit log. The User-Agent is being used by security tools.

    Google is planning to deprecate the User-Agent string in their Chromium engine (this will affect Chrome, Edge and any app or browser that uses Chromium). More info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. The current timeline is mid-2020. Instead of the User-Agent string, they plan to add User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/

    We need to have the new User-Agent information available in the audit log and the APIs.

    82 votes  ·  0 comments  ·  Conditional Access
  7. Azure AD Password Policy

    Azure AD should provide more parameters to configure according to users' needs.
    For example, as per my organisation's security policy, the minimum password length required is 12. But there is no way to configure this parameter from 8.
    The Azure AD platform should at least provide the ability for users to configure the password policy items below:
    1. Password history
    2. Password complexity of temporary passwords generated by Azure
    3. Password length

    82 votes  ·  11 comments  ·  End user experiences
  8. Query Azure AD Devices BitLocker recovery key via PowerShell

    Please allow querying the Azure AD device BitLocker recovery key via PowerShell.

    82 votes  ·  10 comments  ·  PowerShell
  9. Change user's primary email address (primary email) through "Profile editing policies" in Azure B2C.

    If we could change the email address that is used to receive the verification code through "Profile editing policies" in Azure B2C, it would be great. When user name is selected as the identity provider, the email is used to receive the verification code while signing up. If email is selected as the identity provider, the same email should be changeable through "Profile editing policies".
    It will be useful in the situation where end users forget the email address they created their account with.

    81 votes  ·  21 comments  ·  B2C
  10. Passwordless authentication

    Add support for phone- and email-based passwordless authentication - using OTPs (one time passwords).

    81 votes  ·  7 comments  ·  B2C
  11. Remove B2B user when host account is removed

    We use Azure B2B extensively. However, where B2B users have been brought into our directory and the user has then left the third-party organisation and thus had their account removed, this does not clean up the guest account records in our directory.

    Over time this leaves thousands of 'orphaned' guest accounts in our directory, with no ability for our administrators to identify which accounts are orphaned, and thus the number of guest users in our directory expands over time to infinity.

    Azure AD should automatically, in the event of a user object being removed from the third-party directory, remove the…

    80 votes  ·  8 comments  ·  B2B

    This is in our backlog, but votes and comments about how you would expect this to work are very helpful to our planning/designing the feature so please keep them coming.

    Also, for some scenarios in this space Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) can be a good way of removing users who no longer need access, including those who don’t have accounts anymore. (Thanks Shawn for pointing that out for everyone!)

    /Elisabeth

  12. Azure Authenticator (MFA) Desktop App

    SUMMARY:
    Due to limited capability to use the Microsoft Authenticator Mobile app on a mobile device, there is a requirement to get a desktop version of the app that has the same functionality.

    BUSINESS CASE/BACKGROUND:
    We make use of MFA for all remote users who are connecting to our network from a non-managed device (i.e. not a company laptop/desktop). These remote users would then be expected to use the Microsoft Authenticator app on a mobile device with the following authentication options:
    - Text code to my authentication phone number
    - Notify me through app
    - Use verification code from app

    78 votes  ·  3 comments  ·  Multi-factor Authentication
  13. MFA Remembering Device

    Have the configuration option to remember a device for MFA, like with non-B2C tenants, instead of requiring MFA each time a user logs in.

    77 votes  ·  15 comments  ·  B2C
  14. Backup Codes for Azure MFA

    Please add support for "Backup Codes" to Azure MFA as soon as possible. Many popular MFA services already support backup codes, basically a list of 10 valid authentication codes that a user can print off and use in situations where their regular authentication method is not available.

    Use cases for backup codes include:

    • User's mobile phone is lost, stolen, or damaged.

    • User will be in an area without good mobile phone service or consistent access to a land line.

    • User lets mobile phone battery drain.

    77 votes  ·  10 comments  ·  Multi-factor Authentication

    There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.

    Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.

    Richard

  15. Azure AD Smart Lockout unlock capability for admins

    I'm blown away by the lack of options once your account gets locked out by the Azure AD Smart Lockout feature. Not having the ability to monitor the account lockout duration or have the option to unlock an account using this feature is insane.

    76 votes  ·  8 comments  ·  End user experiences
  16. Add group as owner on Azure AD Application and Service Principal

    When managing Application and Service Principal objects in Azure Active Directory, it's difficult to provide granular access controls.

    Azure currently supports adding "Users" as Owners through the Azure Portal, and we can also assign other "Service Principals" as Owners using PowerShell (or by creating the new SPN with an existing SPN), however it's not possible to add a Group.

    When you try to do this, you get the following error message:

    PS C:> Add-AzureADApplicationOwner -ObjectId <removed> -RefObjectId <removed>
    Add-AzureADApplicationOwner : Error occurred while executing AddApplicationOwner
    Code: RequestBadRequest
    Message: The reference target 'Group
    <removed>' of type 'Group' is invalid…

    75 votes  ·  4 comments  ·  Groups/Dynamic groups
  17. Allow B2B users to log on to VMs using Azure AD Domain Services

    Currently B2B users cannot log in to an Azure AD Domain Services joined virtual machine. In this scenario we do not have AAD Connect, only an Azure AD directory with Domain Services running. We can join the VMs to the AAD DS domain and sign on with member accounts, but cannot sign in with B2B guest accounts.

    74 votes  ·  triaged  ·  12 comments  ·  Domain Services
  18. Fully Support WebSocket protocol in Azure AD Application Proxy

    The current Application Proxy does not support rewriting ws:// or wss:// URLs, from my testing.

    We have an application that has its content (HTML, JavaScript, images ...) hosted by IIS and a standalone service that provides data through WebSockets.

    I created an app proxy for the IIS component requesting content rewriting and created a second app proxy for the WebSocket service. However, it seems that the first app proxy doesn't know to rewrite the embedded ws:// URLs to point them to the second app proxy.

    Also, running a WebSocket tester against the second app proxy external URL fails as it…

    72 votes  ·  12 comments  ·  Application Proxy
  19. Introduce priorities for Azure AD Conditional Access policies

    Hello all,

    Can you please introduce the possibility to set priorities for Conditional Access policies?

    In complex environments (with different CA policies for different use cases) it's very hard to create CA policies without any open doors. Therefore it would be fantastic if you could create a catch-all CA policy and then selectively allow one service after another (like on a firewall).

    Many thanks

    72 votes  ·  2 comments  ·  Conditional Access
  20. Allow Azure AD App Proxy Apps to use the Azure Web Application Firewall (WAF)

    Applications published with the Azure AD Application Proxy should be configurable to have their traffic go through the Azure Web Application Firewall (WAF). We currently have to purchase a third-party WAF instead of using the Azure WAF when publishing applications.

    This should be built-in functionality that can be added onto the Azure AD App Proxy configuration.

    72 votes  ·  14 comments  ·  Application Proxy