Help me keep Passwordless sign-in as my default method

Passwordless sign-in with the Microsoft Authenticator app is a great solution for signing in with MFA, while removing our reliance on passwords – as per: “Do you use MFA instead of typing a password?”

However, occasionally something goes wrong with Passwordless sign-in, and a password needs to be entered. When this happens, the default sign-in method switches to using a password and the Authenticator app, and users don’t bother to (or don’t know how to) change it back.

There should be a way to set Passwordless as the default sign-in method, so that even if a password is entered once, the next time a sign-in happens it goes back to using Passwordless.

Figure: Nowhere to set a default sign-in method

Help me customize Azure Access Review emails

SysAdmins find it a lot of work to keep giving people permissions to resources like Azure.

I wanted to say that we’re now really enjoying using Azure Access Reviews. We’ve written about how we use it on ssw.com.au/rules/entra-group-access-reviews.


At SSW we have so many Teams and Groups – almost all set to public. Since people can join so many, they poke around, join a group, and never leave. That means they are included in every calendar appointment and every team email, and the noise was reported as employee dissatisfaction.

Access Review has been invaluable because it effortlessly removes users when they no longer need access. We have set it to run every 3 months, and each member needs to say they are still a member.

❌ The Access Review email does not look like anything SSW SysAdmins would send, so it gets deleted mistakenly by many people in our company.

Having the ability to customize the email is important.

Suggestion:

  • Email subject – Give the ability to edit
  • Email body – Give the ability to edit text
  • Email body – Give the ability to add an image
  • Email body – Having placeholders for significant fields, like Group, would be ideal (see ‘SSW SugarLearning’ in the image)
  • From address – Currently employees think it is ⚠️ spam from Microsoft, not from SSW SysAdmins. So it would be a big bonus if we could send the notifications from our own email address to prevent any confusion.

Figure: ❌ Bad example – Email shows limited context and looks just like a lot of other notifications that we get

Azure DevOps – Show Display Name from Azure AD

We have Azure DevOps connected to Azure AD so that our users can log in with their Azure AD credentials.
Currently, DevOps does not show our users’ Display Name that is set in Azure AD.

Users can change their own name here, but this is not a fix. For the sake of consistency, display names should match the display names used in Azure AD.

Figure: Display Name in Azure AD (with [SSW])
Figure: Display Name in Azure DevOps (missing [SSW])

Azure – app registration secret/certificate logs cannot be forwarded to Azure Monitor

Azure AD Audit Logs are very helpful when diagnosing issues. Similarly, sending these logs to Azure Monitor is very useful for storing logs, and for setting up alerts on certain events.

In Audit Logs, we can see when an app registration secret or certificate is created or deleted.

Figure: Azure AD | Audit Logs app registration secret/certificate logs

However, there is no way to send these logs through to Azure Monitor so that we can set up alerts on these events.

Figure: No option for app registration secret/certificate logs

Help me know instantly what Tracing Mode is via a rename

Today I showed at NDC Oslo how to build a bot manually with C# and Blazor using the Azure OpenAI GPT services.

Then I showed how to do the same thing automatically with the new PVAs.

At the end I did a poll of the audience (about 300 people) – the Norwegians’ vote was about 80% saying they preferred the PVA solution.

Well done – the 1st impression is awesome ⭐

Keep the $ attainable please… it is the danger point for adoption.

Little UX suggestion… Regarding this “Tracing Mode” screen.
I reckon I would rename it to “Query Execution Plan” or maybe just “Execution Plan”

Then you keep the same name as you have in SQL Server:

Help me see changes in the Audit logs for distribution groups

Say you add a user to a group… you should be able to see this change in the Azure AD Audit logs.

Figure: New user added to a distribution group

The Audit log details work great for users. For example, when you make a change to a user in AD and sync with Azure AD (using AAD Connect), you get great visibility of what was changed.

✅ Figure: Good example: Azure AD | [user] | Audit logs | Audit Log Details with Old Value & New Value

Sadly you can’t see who changed it.

When you make a change to a distribution group in AD (e.g. add a new member) and sync, there are no details at all.

❌ Figure: Bad example – Azure AD | [group] | Audit logs | Audit Log Details shows no details (you can’t see that a new user was added to the distribution group)

Suggestion: Please add the details of who changed what for both users and distribution groups in the Audit logs.

Help me see the history for each dashboard widget

It would be awesome if we could see who added or configured a widget on an Application Insights dashboard.

When a widget has appeared on the page and you would like to speak to the person about the purpose of it, it would be nice to see an “Activity Log” or “Dashboard History” page.

Who added this widget? The Application Insights Dashboard should have an “Activity Log”