Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Please allow MS Graph in the cloud App list

    Please allow MS Graph in the cloud app list to allow us to select it.
    We want to select all applications and exclude the MS Graph API.

    1 vote

    0 comments  ·  Conditional Access
  2. Use Conditional Access What-If tool programmatically

    It would be nice to be able to test conditional access policies with multiple test scenarios in a programmatic way instead of using the portal and testing with a single set of data.

    1 vote

    0 comments  ·  Conditional Access
  3. The ability to generate a PRT from a user based certificate would be extremely helpful

    I am currently using Citrix ADC and Storefront with Single Sign-on using Azure AD. The system uses a server called FAS (Federated Authentication Service) that issues a virtual smart card based on the user ID that is used to authenticate the user when a published application is launched. The issue is that since no actual user ID or password is sent to the backend, the PRT is not created, so using a conditional access policy based on a hybrid joined device's compliancy is completely ignored so being able to log into Office applications or OneDrive is unavailable because you will…

    1 vote

    0 comments  ·  Conditional Access
  4. Conditional Access - Persistent Browser – Never Persistent

    Worked on an issue with session termination for browser, and found that the Conditional Access - Persistent Browser - Never Persistent is overridden by the Sign In Frequency settings. And if you uncheck Sign In Frequency it still gets overridden with the 90 day default.

    Is there a plan to fix this?

    1 vote

    0 comments  ·  Conditional Access
  5. Apply Conditional Access for Mobile Apps and Desktop Clients

    Under AAD, I created an App Registration which would allow "Mobile and desktop applications" to authenticate. Next I then added the created App as a selected app on a Conditional Access that will trigger a DUO MFA. But for some reason (as seen on the screenshot of the "Sign Ins"), Conditional Access is not being applied when I am testing the login using mobile. But, when I tried setting a specific user on the Conditional Access, CA is being applied.

    Is there a way for CA to work for App Registration specifically for "Mobile Apps and Desktop Clients" authentication? Or…

    1 vote

    0 comments  ·  Conditional Access
  6. conditional access

    Searching for Terms of Use consents only works with case sensitivity; this seems to be poor design when trying to find any user that has consented. Additionally, it's not described in the documentation or the page for the search that it's case sensitive. This makes use difficult for sure, and required a case with Microsoft to discover.

    1 vote

    0 comments  ·  Conditional Access
  7. Apply conditional access to included apps regardless of Graph scope

    Currently, if an app uses Graph when the conditional access policy is evaluated, the policies applied will be based on the underlying data the app is requesting from Graph. This means including only the app as a policy target will result in the policy not applying.

    Conditional access should be updated to apply both considerations, the app itself or the underlying data being requested via Graph, and apply all policies that match either condition.

    With the existing behaviour, an app that only uses Graph for sign-in cannot be scoped.

    There is also an inconsistency in the application of policy in…

    1 vote

    0 comments  ·  Conditional Access
  8. Add a conditional access option to require MFA on every authentication

    In order to protect further sensitive applications in a zero trust architecture, it could be interesting to be able to prompt users for a second factor on every authentication to the application specified in a conditional access rule

    1 vote

    0 comments  ·  Conditional Access
  9. Exclude should override Include

    Use of the Microsoft Azure Management (ID 797f4846-ba00-4fd7-ba43-dac1f8f63013) includes multiple applications. Ensure that having one of them excluded prevents the application from being caught by the CA rule. In particular, Azure DevOps (ID 499b84ac-1321-427f-aa17-267ca6975798) is available in the portal, but isn't excluded from the rule when include of Microsoft Azure Management and exclude of Azure DevOps is configured.

    This behavior already exists with the Office365 Apps application group, not sure why it doesn't work with Microsoft Azure Management.

    1 vote

    0 comments  ·  Conditional Access
  10. MAM policies for Power Apps

    Support Application restrictions through MAM and conditional access for Power Apps Published via the Azure AD Gallery

    1 vote

    0 comments  ·  Conditional Access
  11. Handle Conditional Access policies with Preview conditions

    As described here:
    https://dirteam.com/sander/2020/11/17/knowledgebase-the-conditional-access-apis-do-not-currently-support-preview-conditions/

    If you have a policy that references a Preview condition, the policy is not returned. This is not great. Either raise an exception or return the policy.

    1 vote

    0 comments  ·  Conditional Access
  12. PowerShell cmdlet to get terms of use

    When you have a conditional access policy that references a terms of use, Get-AzureADMSConditionalAccessPolicy returns an id for the terms of use. Currently there is no way of using the id to get the terms of use via PowerShell. It would be great if there were a way to get Name, DisplayName etc. via PowerShell.

    1 vote

    0 comments  ·  Conditional Access
  13. 1 vote

    0 comments  ·  Conditional Access
  14. Conditional Access based on Device Certificate

    Some of your devices might have received a device certificate through your NDES or PFX connector in Endpoint Manager. Add the ability to create a conditional access rule based on that certificate.

    1 vote

    0 comments  ·  Conditional Access
  15. Completely block sign-ins from blocked countries

    Every day I get numerous sign-in failure logs and "impossible travel activity" alerts with sign-in attempts from suspicious countries even though I have conditional access policies to block logins from those countries. For instance, if we will never have anyone working in or traveling to Azerbaijan, I never EVER want to see a sign-in attempt from Azerbaijan, using basic auth or any protocol.

    Support just told me that even blocking basic auth at the tenant level will still show the failed sign-ins and the impossible travel alerts will still show up. I want them blocked somehow and thus…

    1 vote

    0 comments  ·  Conditional Access
  16. Conditional access for hours logins

    How can I implement conditional access to Azure SQL Database to block out of office time?

    1 vote

    0 comments  ·  Conditional Access
  17. Support "Require approved client app" Grant Access Control for Windows 10

    Would really like Windows 10 support for the "Require approved client app" Grant Access Control in Conditional Access Policies.

    1 vote

    0 comments  ·  Conditional Access
  18. Give the option to provide a 'grace period' before accepting Terms of Use

    We are currently working towards some certifications, which requires us to make our employees 'sign' a lot of documents (anti-bribery etc.). To do this, we use conditional access' Terms of Use feature.

    However, when we push a new Terms of Use, this blocks the whole flow for all of our users. Most users just click 'accept' without reading the document because they have e.g. an important meeting to get to.

    I would like an option so that the end-user can 'snooze' the ToU (e.g. max 10 days), and approve it later.

    1 vote

    0 comments  ·  Conditional Access
  19. Allow all {Application ID} to be blocked/allowed using conditional access

    Example:
    Application Microsoft Invitation Acceptance Portal
    Application ID 4660504c-45b3-4674-a709-71951a6b0763

    Allow all {Application ID} to be blocked/allowed using conditional access, currently you cannot apply conditional access policies to Microsoft Invitation Acceptance Portal.

    guid

    1 vote

    0 comments  ·  Conditional Access
  20. Get rid of the two factor verification method.

    For the rest of us, post a telephone number to call.

    1 vote

    0 comments  ·  Conditional Access