Active Directory

  1. Build ADFS 2019 Plug-in to allow user authentication requiring Azure MFA to be bypassed when internet access is down

    My company uses O365, AD FS 2016 and Azure AD. Recently our internet provider had repeated outages where the AD FS servers' access to the internet was compromised. This was an unavoidable outage for users on our internal network, but since O365 leveraged Azure MFA in a CA policy, external users could not get to O365 resources because they could not do MFA at ADFS. I want to create a plugin that checks for access to Azure MFA; if it fails, it places a default hardcoded claim in the token package validating MFA but raising a risk factor which will…

    1 vote
    0 comments  ·  ADFS
  2. Change Get-ADFSAccountActivity to return all users in ADFS Activity database

    Change Get-ADFSAccountActivity to return all users in the ADFS Activity database, for example by supporting a -All parameter. Then PowerShell can be used to search for users that have triggered lockout or failed a given number of times. Currently users have to be retrieved one by one, which is tedious at best.

    2 votes
    0 comments  ·  ADFS
  3. Support User preferences for using MFA as primary authentication method

    Support other methods using MFA for Primary Authentication, based on what the user's preferences are (as set up in aka.ms/mfasetup).

    1 vote
    0 comments  ·  ADFS
  4. Specify primary authentication method per relying party

    Not being able to specify primary authentication method per relying party is something I run into all the time. Can you please fix this? More and more vendors support SAML-based authentication and ADFS but none of them have a way of requesting Certificate Authentication as a primary authentication method. I do not want to change this on a global level, because we have other relying parties which use WIA. I'm guessing you have everything you need for this already, please fix!

    20 votes
    0 comments  ·  ADFS
  5. ADFS + Azure SQL Managed Instances Supportability

    Add supportability for extending AD FS in Azure using Azure SQL Managed Instance to host the database.

    12 votes
    0 comments  ·  ADFS
  7. Add Alert before Token Signing and Token Decryption auto renewed

    My customer experienced several outages during ADFS Token Signing and Token Decryption certificates automatically renewing. Thus, they really hope that Microsoft PG can add alert functionality: if AutoCertificateRollover is true, when those two certificates are issued automatically by the system and before they are promoted to Primary Certificates, it will send alerts.

    3 votes
    1 comment  ·  ADFS
  8. Have ADFS display 'last login' information when users log in using FBA

    When logging in through ADFS forms-based authentication, the user is only prompted to enter their credentials; they aren't given any way to know when the last time they did so was. Many web sites offer this feature to allow a user to know when, from where, and from which device they last logged in, so they can report any anomalies to the powers that be. ADFS should have such a feature.

    1 vote
    0 comments  ·  ADFS
  9. Allow AD FS to fall back to Forms-based authentication if Windows Integrated Authentication fails

    Currently, if a browser-based user comes to the AD FS sign-in page, AD FS can only decide whether to use integrated authentication by looking at the browser's user agent string. However, t

    There are cases where not all users arriving at the AD FS sign-in page can perform a Kerberos login - they might be within the IP range of the "internal" part of AD FS (in a split-brain DNS configuration) but the client may not be domain joined for various reasons, for example wireless users using BYOD. For these users Kerberos fails and it falls back to NTLM/Basic auth…

    60 votes
    4 comments  ·  ADFS
  10. AD FS support for inline registration for Azure MFA

    It would improve the user experience a lot if AD FS would support inline user provisioning for Azure MFA. It is so inconvenient that users have to do this separately, and not in the app.
    E.g. Microsoft Intune has this integrated in the provisioning process.

    Also, the error message for users who are not provisioned is too general and not informative at all.

    More info in paragraph "Registering users for Azure MFA with AD FS 2016"
    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

    5 votes
    1 comment  ·  ADFS
  11. ADFS and Claims Rule Language Reference

    We need a comprehensive syntax and semantics reference for Claims Rule Language. I know there are operators besides == ~= EXIST and such, which are not covered here. And this link is by far the most comprehensive that is available:
    http://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx

    6 votes
    0 comments  ·  ADFS
  12. AD FS should not require Domain Admin privileges

    Right now in Windows Server 2012 R2 you are required to present Domain Admin credentials while installing. This is not an option when AD FS and AD DS are supported by separate teams - it exposes domain admin credentials to persons who are not allowed to know them.
    This was not the case for AD FS 2.0 - please remove the need for DA privileges to be entered at the AD FS server.

    15 votes
    0 comments  ·  ADFS
  13. ADFS should support SQL Azure

    Please add support to use SQL Azure as DB. Would open up some easy HA scenario deployments for ADFS.

    4 votes
    1 comment  ·  ADFS
  14. Add selection of specific MFA Adapter as condition

    It would be incredibly helpful if Access Authorization Rules would allow the selection of a specific MFA Adapter or mechanism as a part of a ruleset.

    For example, if a user was authenticating from a managed device, use certificate authentication, otherwise prompt for second factor using the Azure MFA adapter, or, if a user belongs to a specific group, always use certificate authentication first, then attempt Azure MFA, otherwise if a user belongs to group "B", always prompt for the Azure MFA Adapter (or any other MFA provider integrated with ADFS).

    At the moment it's an all-or-nothing option. If…

    3 votes
    1 comment  ·  ADFS
  15. Allow token signing and decryption on a per-relying party basis

    Currently ADFS only signs tokens with the primary token-signing certificate. This makes renewing the certificate difficult if an organization has many relying party trusts configured, as the swap has to be coordinated with multiple vendors.

    Please allow the signing certificate to be configured on a per-relying party basis. This would allow each relying party to migrate to the new certificate on their own schedules, as opposed to a single "big bang" approach.

    4 votes
    2 comments  ·  ADFS
  16. Saml <Subject> from AuthnRequest

    Allow RPs to specify a SAML <Subject>. When the RP knows the user, ADFS could then pre-populate the username field on the login page.

    2 votes
    1 comment  ·  ADFS
  17. join domain

    Add the setting of the ACL for domain join to the "New-ADComputer" cmdlet.

    In MMC it is possible to create a Computer AD account and set "The following user or group can join this computer to a domain".

    Would be nice to have it in New-ADComputer.

    4 votes
    1 comment  ·  ADFS
  18. Bug - TP5 Device Auth breaks Firefox & iOS

    In Build 14300.rs1releasesvc.160415-2143 Device Authentication in ADFS breaks Firefox on Windows and Safari on iOS. This has always been an issue with Safari on OS X as it has always been broken if Device Auth is enabled. This is a huge problem though if this latest problem makes it into RTM.

    If this is by design and iOS/Firefox/OSX aren't compatible, then please add an option to disable Device Authentication by platform easily.

    If a fix for this is already known or planned then it would be greatly appreciated if this thread could be updated.

    Thank you,
    Aaron

    1 vote
    0 comments  ·  ADFS
  19. ADFS Custom Branding of "Password Changed" page

    It would be nice if we could put some custom text/links on the password change page that is shown to the users after they change their password.

    8 votes
    1 comment  ·  ADFS
  20. AD FS should support user consent options

    AD FS should support a user consent option besides the now provided admin consent only.
    We'd like to use AD FS as a Federation Service with external parties, which is possible for single external targets, but not for bigger federations like InCommon, SWITCH or similar, since an admin cannot decide which attributes a user wants to release to a service provider. Especially not when the users (as in our case) are students and employees.
    Other implementations of federated authentication such as Shibboleth 3 or Thinktecture Identity Server 3 do support user consent. Online Authentication providers (Facebook, Live, Google, etc.) also…

    22 votes
    1 comment  ·  ADFS