Azure Active Directory Room for Improvement

Martijn Verbrugge
Manager Infrastructure & Architecture at BDO Global

We have a custom solution now running to tie all those Azure ADs together. We use the B2B functionality for that. Improvements are already on the roadmap for Azure AD in that area. I think they will make it easier to work together between two different tenants in Azure AD, because normally one tenant is a security boundary. For example, company one has a tenant and company two has a tenant, and then you can do B2B collaboration between those, but it is still quite limited. For our use case, it is enough currently. However, if we want to extend the collaboration even further, then we need an easier way to collaborate between two tenants, but I think that is already on the roadmap of Azure AD anyway.

View full review »
Tom Aafloen
IT Security Consultant at Onevinn AB

The Azure AD Application Proxy, which helps you publish applications in a secure way, is really good, but has room for improvement. We are moving from another solution into the Application Proxy and the other one has features that the App Proxy doesn't have. An example is where the the role you're signing in as will send you to different URLs, a feature that App Proxy doesn't have (yet).

With Azure AD, if you look in detail on any of the features, you will see 20 good things but it can be missing one thing. All over the place there are small features that could be improved, but these improvement is coming out all the time. It's not like, "Oh, it's been a year since new features came out." Features are coming out all the time and I've even contacted Microsoft and requested some changes and they've been implemented as well.

View full review »
Product Manager/Architect at a consumer goods company with 5,001-10,000 employees

The thing that is a bit annoying is the inability to nest groups. Because we run an Azure hybrid model, we have nested groups on-premise which does not translate well. So, we have written some scripts to kind of work around that. This is a feature request that we have put in previously to be able to use a group that is nested in Active Directory on-premise and have it handled the same way in Azure. That is something that is actively being worked on. 

One of the other things that we felt could be improved upon is from an Application Proxy perspective. We have applications native to SSH, and we want to be able to do app proxy to TCP/IP. It sounds like that is actively on the roadmap now, which was amazing. It makes us very excited that it is coming, because we do have use cases with that as well.

View full review »
Learn what your peers think about Azure Active Directory. Get advice and tips from experienced pros sharing their opinions. Updated: May 2021.
501,499 professionals have used our research since 2012.
Bharat Halai
Global Head of Identity and Access Management at Adecco

The one area that we are working on at the moment is the business-to-consumer (B2C) element. It is not as rich as some of the other competitors out there. The B2C element of Azure AD is quite niche. Some of the features that they offer, e.g., customized emails, are not available with B2C. You are stuck with whatever email template they give you, and it is not the best user experience. For B2C, that is a bit of a negative thing.

In my previous role, there would have been a few things that I would have liked added, but they have already introduced them. Those are already in the roadmap. 

View full review »
Principal Service Engineer at a energy/utilities company with 10,001+ employees

One of the areas where Microsoft is very actively working on enhancing is the capabilities around the B2B and B2C areas.

Microsoft is actively pursuing and building new capabilities around identity governance.

There is a concept of cross-tenant trust relationships, which I believe Microsoft is actively pursuing. That is something which in the coming days and years to come by will be very key to the success of Azure Active Directory, because many organizations are going into mergers and acquisitions or spinning off new companies. They will still have to access the old tenant information because of multiple legal reasons, compliance reasons, and all those things. So, there should be some level of tenant-level trust functionality, where you can bring people from other tenants to access some part of your tenant application. So, that is an area which is growing. I believe Microsoft is actively pursuing this, and it will be an interesting piece.

View full review »
IAM / IT Security Technical Consultant at a retailer with 10,001+ employees

An area where there is room for improvement is the ease of use of the dashboards.

Also, if a user is working in India, and we suddenly see a login from the US, Australia, or New Zealand, we should be alerted, because we wouldn't expect that application would be used by that user in those locations at that time.

An area for improvement is that there is so much dependence on on-premises databases, in the on-premises directory services.

In terms of features we would like to see, we don't have domain controllers in Azure AD. We are also looking at how we can best migrate users from on-premises to Azure AD, and how we can welcome B2B users. We would like to see improvement in the B2B functionality. We hope that is already in the roadmap. We'd also like to see some functionality for how we can set boundaries for tenants. We have multiple tenants that we're trying to consolidate. It's definitely going to be a big challenge to consolidate two tenants, so we're looking for help in that area.

View full review »
Deliver Practice Director at a computer software company with 201-500 employees

The licensing could be improved. There are premium one, premium two or P1, P2 licensing right now and a lot of organizations are a little bit confused about the licensing information that they have. They want to know how much they're spending. It's not really clear cut. 

Transitioning to the cloud is very difficult. They need the training to make it easier. They should probably put in more training or even include it on the licensing so that there are people that manage their environment have somewhere to come to learn on their own. Maybe there could be some workshop or training within Azure. 

The solution could offer better notifications. They do upgrades once or twice a year. They need to do a better job of alerting users to the changes that are upcoming - especially on the portal where you manage your users and accounts. There needs to be enough time to showcase the new features so your organization is not surprised or put off by sudden changes. 

View full review »
Principal Consultant at a tech services company with 51-200 employees

The user administration has room for improvement because some parts are not available within the Azure AD portal, but they are available within the Microsoft 365 portal. When I want to assign that to a user, it would be great if that would be available within the Azure AD portal.

It would be awesome to have a feature where you can see the permissions of a user in all their Azure subscriptions. Right now, you have to select a user, then you have to select the subscription to see which permissions the user has in their selected subscriptions. Sometimes, you just want to know, "Does that user have any permissions in any subscriptions?" That would be awesome if that would be available via the portal.

View full review »
Senior Information Technology Manager at a manufacturing company with 10,001+ employees

Overall, it's not a very intuitive solution.

When you have an Office 365 enterprise subscription, it comes with Azure Active Directory. We don't have a subscription to Active Directory, but our Active Directory connector puts our credentials into the Azure Active Directory. On the Office 365 side, we're also in the GCC high 365, so it's a lot more locked down. There are a few things that aren't implemented which make things frustrating. I don't blame the product necessarily, but there are links and things within there that still point back to the .com-side and not the .us-side.

There's a security portal and a compliance portal. They're being maintained, but one's being phased in and the others are being phased out. Things continue to change. I guess that's good, but it's just been a bit of a learning curve.

Our Office 365 subscriptions are tied to our on-prem domain — I have a domain admin there. With our Active Directory connector, our on-prem credentials are being pushed to the cloud. We also have domain credentials in the cloud, but there's no Office subscription tied to it, just to do the administration stuff. I moved my sync credential to have a lot more administrative privileges. Some of the documentation I was reading clearly showed that when you have this particular ability right on the Azure side, and then you have another ability on the Office side, that intuitively, the Microsoft cloud knows to give you certain rights to be able to do stuff. They're just kind of hidden in different places.

Some things are in Exchange, and some things are in the Intune section. We had a few extra light subscriptions that weren't being used, so I gave my admin account a whole other subscription. In the big scheme of things, it's roughly $500 a year additionally — it just seems like a lot. I didn't create a mailbox for that and I was trying to do something in Exchange online and it said I couldn't do it because I didn't have a mailbox.

You can expect a different user experience between on-prem and online. Through this cloud period, we have premiere services, we have a premiere agreement and we had an excellent engineer help us with an exchange upgrade where we needed a server. We needed an OS upgrade and we needed the exchange upgrade on the on-prem hybrid server. We asked this engineer for assistance because my CIO wanted to get rid of the on-prem exchange hybrid server, but everything that I was reading was saying that you needed to keep it as long as you had anything on-prem. We asked the engineer about it and he said, "Yeah, you want to keep that." In his opinion, it was at least going to be two years. So at least I got my CIO to stop talking about that. It's just been an interesting time in this transition between on-prem and in the cloud.

In a secure environment, a lot of this stuff is PowerShell, which is fine. It's a learning curve, but if you don't use it all time, then it's a lot of back and forth with looking at the documentation and looking at other blogs. If you're in a secure environment, the Windows RM (remote management) stuff can be blocked, and that's frustrating, too.

View full review »
Senior Information Technology Manager at a manufacturing company with 10,001+ employees

It's not intuitive and we use it mainly for our hybrid capability now and are expanding our footprint in Microsoft 365. The integration between on-prem and Online is interesting. However, the learning curve is high.

When you have an Office 365 enterprise subscription, it comes with Azure Active Directory, however, you don't have an Azure subscription. Yet, all of our active directory connectors put our credentials into the Azure Active Directory. 

There are enough things that aren't implemented on our side and we are in the middle of this transition.  I don't blame the product necessarily for that. However, there are links and items within Microsoft 365 that still point back to the .com side.

Items seem to continue to move, such as security and compliance. Now there's a security portal and a compliance portal, and all three are still being maintained, however, one's being phased in and the others are being phased out. Things continue to change. It's just been a bit to learn. There's a lot to keep track of. There should be a bit more transparency.

The Office 365 subscriptions are a bit confusing with a hybrid environment with what credential has an Microsoft 365 subscription.  However, then some of the documentation I was reading this week was where I ran into a wall. This particular document clearly showed that when you have a particular ability on the Azure side, and then you have another ability on the Office side, intuitively the Microsoft cloud knows to give you certain other rights, to be able to do stuff. This settings and configurations are in different places. Some things are then in the Exchange Online, some things are in the Intune section, etc.

I am not sure if the intent is to have an Microsoft 365 administrator with a second subscription for a cloud admin account or not.  I was trying to do something in Exchange online and received a message that I couldn't do it because I didn't have a mailbox. It's frustrating and confusing at times. There are things like that just are a different user experience between on-prem and online.

The Microsoft Premier Agreement we have has been very beneficial and we have had an excellent experience with a couple of different short cycle projects.

View full review »
Solution architect at a insurance company with 5,001-10,000 employees

We find that most of the new features are in preview for too long. It gives you the announcement that there's a new feature and yet, most of the time, it takes more than one year to have it generally available. Often we have to go and sometimes just use a preview without support. 

We cannot run all the configurations from the APIs. I would like to have something that has code and to just be able to back up and apply my configuration. Right now, we are managing more Azure tenants. It's hard to keep all of those configurations at the same level, the same value.

We would like to have more granularity in the Azure conditional access in order to be able to manage more groups for applications. That way, when adding a new applications I don't have multiple conditional access to modify. 

One of the main requests from our security team is the MFA challenge. Azure, by default, is more user-friendly. We have a lot of debates with the security team here as the MFA doesn't pop up often enough for them. From an end-user perspective, it's a better user experience, as users generally prefer fewer pop-ups, however, security doesn't like it. It's hard for security to add. 

We don't have Azure Premium P2 yet, however, most of the advanced security features are in the P2, and it costs a lot more money.

View full review »
Matt Hudson
Enterprise Solution Architect - Security at a insurance company with 10,001+ employees

On-premise capabilities for information and identity management need improvement but I know these are in pipeline.

View full review »
Praveen Raj
Software Engineer at a computer software company with 10,001+ employees

Microsoft needs to add a single setup, so whenever resources join the company or are leaving the company, all of the changes can be made with a single click.

I would like to see a secure, on-premises gateway that offers connectivity between the physical servers and the cloud. The capability already exists, but it is not secure enough when the setting is marked private.

View full review »
IT Senior Consultant and trainer at a tech vendor with 51-200 employees

The synchronization process for on-premises and Sentinel Azure AD could be easier.

The support for identification to the application environment could be improved, e.g., Active Directory Federation Services should be implemented in other applications. They need something like software development kits (SDKs) for integration with our own applications, which is not so easy to implement. We would also like synchronization of identities between identities in applications like Azure. 

View full review »
Mohamed Fekry
Service Delivery Manager Cloud & Infrastructure Solutions at Nile

Microsoft has a feedback page, in which if anyone has any suggestions or feedback, you can send them to them. They have all of the technical resources available on the internet, on their website. In case you need the support, you can easily open a ticket with them because you already have a subscription and you are eligible to open a ticket.

View full review »
Michael Ogunlade
Head of enterprise systems at Fidelity Bank Plc

Technical support could be faster.

View full review »
Pete Fotopoulos
Vice President - Network and Infrastructure at NJA LLC

It would be ideal if the solution moved to a passwordless type of environment. It's the future of authentification. It's also more secure and convenient.

View full review »
Mikael Ribring
Head of IT at a non-profit with 51-200 employees

The only issue with Azure AD is that it doesn't have control over the wifi network. You have to do something more to have a secure wifi network. To have it working, you need an active directory server on-premises to take care of the networks.

View full review »
Jeffrey Attoh
Chief Executive Officer at ZDAPT

My only pain point in this solution is creating group membership for devices. This is something that could be improved. Essentially, I want to be able to create collection groups, or organizational units and include devices in there. I should be able to add them in the same way that we can add users.

We want to be able to create members as devices in groups, without having to leverage a dynamic group membership with queries. I want to be able to just pick machines, create a group, and add them.

View full review »
Security Architect at a hospitality company with 10,001+ employees

The onboarding process for new users can be improved. It can be made simpler for people who have never registered to Azure AD previously and need to create an account and enable the MFA. The initial setup can be made simpler for non-IT people. 

It should be a bit simpler to use. Unless you get certifications, such as AZ-300 and AZ-301, it is not a simple thing to use at the enterprise scale.

View full review »
Mike Sax
Vice President, Product Engineering at Logitix

The integration between the Azure active directory and the traditional active directory could be improved upon. We have two active directories that are installed on virtual machines, which are traditional active directories. The interactions between the two are very limited. For example, I could modify users in our own private instances of AD, however, they won't propagate up to the Azure active directory and vice versa. For us, the integrations are the biggie between the on-prem or the self-hosted AD versus Azure AD.

The traditional AD instances that we maintain have UIs that are very archaic and monolithic and very difficult to navigate. They should update the UI to make it easier to navigate and make it overall more modern.

View full review »
Vice President of Technology at Ecuity Edge

I think the documentation and configuration are both areas that need improvement. 

The product changes and gets updated, but the documentation doesn't keep pace.

The initial setup could be simplified.

I would like to see a better UI tool.

View full review »
Solution Engineer at a government with 1,001-5,000 employees

The SSO MyApps interface is very basic and needs better customization capabilities.

View full review »
Learn what your peers think about Azure Active Directory. Get advice and tips from experienced pros sharing their opinions. Updated: May 2021.
501,499 professionals have used our research since 2012.