771 votes, 65 comments · Azure Active Directory » Multi-factor Authentication · Admin response:
For requiring additional factors with Windows Hello for Business, please see – https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
For why PIN is better than a password, please see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
For Authenticator app sign in to Azure AD, please see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in
As always, other feedback is welcome
1,047 votes, 80 comments · Azure Active Directory » Groups/Dynamic groups · Admin response:
Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.
1,277 votes, 245 comments · Azure Active Directory » Multi-factor Authentication · Admin response:
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.
We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.
Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups
821 votes, 122 comments · Azure Active Directory » Multi-factor Authentication · Admin response:
We’re really pleased to let you know that we’ve released the first authentication method APIs to public preview:
So far there are APIs for managing phone numbers and password resets. When phone numbers are set with the API, the user can use that number for MFA and SSPR (as allowed by your tenant’s policy).
The team is hard at work at building out APIs for all of the other authentication methods, and we’ll update the response here as they’re released.
Joe commented:
This would also be great for large orgs where a central group manages Office 365 (and thus users' primary identities), but other business orgs manage their team's endpoints.
We are aware of the requirement to be able to convert a synced user to cloud only and are designing that feature, but we have no timelines to share right now.
We reverted the change that would block the “hack” to delete and restore a user to change a user to “Cloud Only”.
This is currently in planning for enabling it for Azure AD joined devices, NOT for AAD DS
Multiple scenarios are still being investigated.
(We changed the status to Under Review because Started implied we were working on the feature and we did not want to represent it inaccurately. We are investigating and therefore, we are marking it under review.)
546 votes, 71 comments · Azure Active Directory » Role-based Access Control · Admin response:
We are working on it. There is an elevation of privilege concern associated with this feature. If a group is assigned a role, any IT admin who can manage group membership can manage that group’s membership and indirectly manage who gets the role. So, we have to ensure that the feature is secure.
We are taking a staged approach to execute this feature –
Stage 1: Supporting cloud groups to be assigned to roles
Stage 2: Supporting on-prem groups to be assigned to roles
Abhijeet Kumar Sinha
Azure Active Directory Team
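The elevation-of-privilege concern in the response above is easy to reason about once it is written down as graph traversal: whoever can edit the membership of a role-assigned group (or of any group nested inside it) can put themselves into the role without ever being granted it. The script below is an added example, not Microsoft code and not how Azure AD itself evaluates roles. It models "who can manage group membership" as group owners, and it allows nested groups so that it also covers the nested-group use cases discussed earlier on this page; both are modelling assumptions. The directory snapshot, object IDs and display names are constructed by hand in the rough shape of Microsoft Graph `directoryRole` and `group` objects.

```python
"""Who effectively holds a directory role when groups can be assigned to it?

Added example, not Microsoft code. Assumptions (not from the page):
  * group owners are the principals who "can manage group membership";
  * groups may be nested inside a role-assigned group.
The DIRECTORY snapshot is constructed sample data with made-up IDs.
"""
from collections import deque

# Constructed sample: the User Administrator role is held by one user
# directly and by a cloud group that itself contains a nested group.
DIRECTORY = {
    "roles": {
        "role-ua": {
            "displayName": "User Administrator",
            "members": ["user-alice", "group-helpdesk"],
        },
    },
    "groups": {
        "group-helpdesk": {"members": ["user-bob", "group-tier1"],
                           "owners": ["user-carol"]},
        "group-tier1": {"members": ["user-dave"],
                        "owners": ["user-erin"]},
    },
}


def nested_groups(groups, gid):
    """Every group reachable from gid through nested membership, gid included."""
    seen, queue = set(), deque([gid])
    while queue:
        g = queue.popleft()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        queue.extend(m for m in groups[g]["members"] if m in groups)
    return seen


def transitive_members(groups, gid):
    """Map each user reachable from gid to the group chain that grants membership.

    Breadth-first, cycle-safe: a user that is reachable by several chains keeps
    the shortest one, which is the one an auditor wants to see first.
    """
    result, seen = {}, set()
    queue = deque([(gid, gid)])
    while queue:
        g, path = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in groups[g]["members"]:
            if m in groups:
                queue.append((m, f"{path} > {m}"))
            else:
                result.setdefault(m, path)
    return result


def effective_role_holders(directory, role_id):
    """Return {principal: (kind, detail)} for everyone who holds or can seize the role.

    kind is "direct" (assigned to the role itself), "member" (inherits it via a
    group chain) or "owner" (does not hold it, but can add themselves to a group
    in the chain).  Stronger kinds win when a principal qualifies for several.
    """
    groups = directory["groups"]
    role_members = directory["roles"][role_id]["members"]
    holders = {}
    for m in role_members:                       # 1. direct assignments
        if m not in groups:
            holders[m] = ("direct", role_id)
    for m in role_members:                       # 2. inherited via groups
        if m in groups:
            for user, path in transitive_members(groups, m).items():
                holders.setdefault(user, ("member", path))
    for m in role_members:                       # 3. owners anywhere in the chain
        if m in groups:
            for g in sorted(nested_groups(groups, m)):
                for owner in groups[g]["owners"]:
                    holders.setdefault(owner, ("owner", g))
    return holders


def escalation_paths(directory, role_id):
    """Principals who do not hold the role but could grant it to themselves."""
    return sorted(
        (principal, group)
        for principal, (kind, group) in effective_role_holders(directory, role_id).items()
        if kind == "owner"
    )


if __name__ == "__main__":
    for principal, (kind, detail) in sorted(effective_role_holders(DIRECTORY, "role-ua").items()):
        print(f"{principal:12} {kind:7} via {detail}")
    print("escalation paths:", escalation_paths(DIRECTORY, "role-ua"))
```

Against a real tenant the same traversal would be fed from Microsoft Graph (role members, group members and group owners); the point of the toy is that carol and erin show up as able to obtain User Administrator although neither appears in any role assignment, which is exactly why the response above says the feature has to be secured before on-prem groups, whose membership is managed outside Azure AD entirely, are allowed in.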
319 votes, 35 comments · Azure Active Directory » Role-based Access Control · Admin response:
Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.
You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.
Azure Active Directory Team
Just a quick update. This is still on the roadmap, but not work that has started. The comments here are useful as we start the design. Thanks
Thanks for your interest in this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have in the feature, and that’s how we are looking at it while prioritizing it against other capability requests.
Thanks for your patience!
Principal Program Manager
698 votes, 81 comments · Azure Active Directory » User Creation, Deletion, and Profile Management · Admin response:
We’re working on a solution and will update you when we know more.
We’ll be wrapping up work soon, after making updates from feedback we’ve received so far. We should have a public date soon.
Due to various technical limitations, the first iteration of the customer-owned domains functionality will not be available for a few more months. We will provide an update as soon as we can get a more specific ETA.