Change Get-ADFSAccountActivity to return all users in ADFS Activity database, like supporting a -All parameter. Then users can be searched using powershell of users that have triggered lockout or failed given amount of times. Currently users have to be retrieved one by one which is tedious at best

Support other methods using MFA for Primary Authentication, based on what the user's preferences are (as setup in aka.ms/mfasetup)

Not being able to specify primary authentication method per relying party is something I run into all the time. Can you please fix this? More and more vendors support SAML-based authentication and ADFS but none of them have a way of requesting Certificate Authentication as a primary authentication method. I do not want to change this on a global level, because we have other relying parties which use WIA. I'm guessing you have everything you need for this already, please fix!

ADFS + Azure SQL Managed Instances Supportability

Add supportability for extend AD FS in Azure using Azure SQL Managed Instance to host the database.

compte 0005859947 63 touggourt30002 algeria ccp

My customer experienced several outage during ADFS Toke Signing and Token Decryption certificates automatically renewing. Thus , they really hope that Microsoft PG can add alert functionality , if AutoCertificateRollover is true , when those two certificates are issued automatically by system and before promoted to Primary Certificates , will send alerts

When logging in through ADFS forms-based authentication, the user is only prompted to enter their credentials, they aren't given any way to know when the last time they did so was was. Many web sites offer this feature to allow a user to know when, from where, and from which device they last logged in to they can report any anomalies to the powers that be. ADFS should have such a feature.

Would improve user experience a lot if AD FS would support inline user provisioning for Azure MFA. This is so inconvenient that users should do this separately, and not in app.
E.g. Microsoft Intune has this integrated in provision process.

Also error message for this is not provisioned users is too general and not informative at all.

More info in paragraph "Registering users for Azure MFA with AD FS 2016"
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

we need a comprehensive syntax and semantics reference for Claims Rule Language. I know there are operators besides == ~= EXIST and such, which are not covered here. and this link is by far the most comprehensive which is available:
http://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx

Right now in Windows Server 2012 R2 you are required to run present Domain Admin credentials while installing. This is not an option when AD FS and AD DS are supported by separate teams - it exposes domain admin credentials to persons which are not allowed to know them.
This was not a case for AD FS 2.0 - please remove the need of DA privileges to be entered at AD FS server.

Please add support to use SQL Azure as DB. Would open up some easy HA scenario deployments for ADFS.

Currently ADFS only signs tokens with the primary token-signing certificate. This makes renewing the certificate difficult if an organization has many relying party trusts configured, as the swap has to be coordinated with multiple vendors.

Please allow the signing certificate to be configured on a per-relying party basis. This would allow each relying party to migrate to the new certificate on their own schedules, as opposed to a single "big bang" approach.

Allow rps to specify a saml <Subject>. When the rp knows the user adfs could then pre populate the username field on the login page.

Add the setting of ACL for domain join to "New-ADComputer" cmdlet.

In MMC it is possible to create an Computer AD Account and set "The following user or group can join this computer to a domain"

Would be nice to have it in New-ADComputer

In Build 14300.rs1_release_svc.160415-2143 Device Authentication in ADFS breaks Firefox on Windows and Safari on iOS. This has always been an issue with Safari on OS X as it has always been broken if Device Auth is enabled. This is a huge problem though if this latest problem makes it into RTM.

If this is by design and iOS/Firefox/OSX aren't compatible, then please add an option to disable Device Authentication by platform easily.

If a fix for this is already known or planned then it would be greatly appreciate if this thread could be updated.

Thank you,
Aaron

It would be nice, if we cound put some custom text/links on the password change page that is shown to the users after they change their password.

AD FS currently only supports single Entity Metadata files, which works well for local applications, but works not for federation with InCommon, SWITCH, DFN, etc.
It would be good to see support for multi Entity Metadata files, to get a real interoperable product.