This feature work is planned, but hasn’t started yet.
Cameron Gocke shared this idea (2 votes)
Status: need-feedback · 5 comments · Azure Active Directory » Domain Services
To elaborate, with the Intune ability to integrate and issue certificates, but only from an Enterprise CA, this feature would be immensely helpful. We currently cannot use our Microsoft CA within Azure AD Domain Services because of the restriction on the ability to create an Enterprise CA.
CONFIRMED that NPS and Azure AD Domain Service can work with the Azure MFA NPS extension to enable MFA for RDP to virtual machines. That said, Azure Bastion Host (https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) provides the same value without the additional infrastructure of NPS. We have a doc bug created to add the nuance to our documentation, which is to 1) Skip registering the NPS server and 2) ensure your network policy has “Ignore user account dial-in properties” selected.
Leaving the topic open as we continue to investigate/validate other NPS use cases (e.g. VPN and 802.x scenarios)
Senior Program Manager
IAM Core | Domain Services
Hi Justin, thanks for the feedback! It will definitely be helpful to have managers as the reviewers, there is a “manager” attribute in AAD’s user profile, but it’s currently a string only. We are working to improve the architecture first, then we can leverage the data to automatically assign managers to be reviewers. If you have any more feedback or questions on this, feel free to comment on this thread or email email@example.com.
@Justin Long, I think the existing Access Review routine already allows for this, doesn't it? You set up an Access Review for an application and schedule it to happen automatically?
Thanks for all the feedback, we have made progress on this and the ability to apply the same policy to multiple groups (and applications) is now live! You can include multiple groups or apps in a single Azure AD access review for group membership or app assignment. Access reviews with multiple groups or apps are set up using the same settings and all included reviewers are notified at the same time. (more info in “What’s new in AAD, Feb 2019” https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new)
We’ll be continuing to work on applying an Access Review policy to new groups as they are created, and will update here when that’s done.
I agree with the latter statement the most. What I really want is to be able to create a single Quarterly Access Review and have it apply to all of the Groups I select and automate the whole process from one scheduled routine.