Your comments

We'd like this as well; just switching to LDAP authentication instead of Active Directory unfortunately isn't an option for us because the LDAP authentication setup doesn't seem to support filter extensions such as LDAP_MATCHING_RULE_IN_CHAIN.

We have this issue, two years later. This seriously hampers our ability to assist our users outside the region the Relay server is in.