Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Allow the possibility to assign Dynamic Device Groups to Conditional Access policies

    I'd like to enforce enrollment for Corporate devices but not for Personal devices, for the same user account. So I can create Dynamic Device Groups, but if I assign these groups to Conditional Access policies, it doesn't work.

    34 votes

    planned  ·  5 comments  ·  Conditional Access
  2. Ability to sort Conditional Access Policies alphabetically

    It would be useful to be able to sort Conditional Access Policies alphabetically.

    So, for example, if the naming convention starts with ALLOW: or BLOCK:, then when you create new ones and sort alphabetically they will all be in the right order. Right now they are listed in the order of creation.

    33 votes

    7 comments  ·  Conditional Access
  3. Delete old Classic Policies that have been Disabled

    After replacing and disabling Classic Policies migrated from Intune, you cannot remove them. The old policies are stuck there forever and cause warnings in other areas that Classic Policies exist. We should be able to remove them somehow.

    32 votes

    planned  ·  5 comments  ·  Conditional Access
  4. Azure Active Directory role

    I have a scenario where Azure Active Directory users log in to a frontend app and will be able to handle user administration using Graph APIs. These users will not have access to subscriptions/resources; these users have access only to Azure AD, where they can update/create/delete users/profiles. To achieve those actions users should have the User Administrator directory role. But the issue here is that these users can log in to the Azure portal and have admin access to all users. For example: if I have a few applications where users are different, I can manage from the frontend app and business logic to show only users related…

    30 votes

    0 comments  ·  Conditional Access
  5. Ability to apply Azure Conditional Access policies to specific Windows OS versions (7, 8.1,10) for Hybrid Azure AD Joined Devices, or to spe

    Ability to apply Azure Conditional Access policies to specific Windows OS versions (7, 8.1, 10) for Hybrid Azure AD Joined Devices, or to specific devices in a device Group.

    While Azure Conditional Access policies can currently be applied to Windows for Hybrid Azure AD Joined Devices, this includes all Windows operating systems. There is no ability to apply them to specific Windows OS versions, or to target specific devices. Having this functionality would allow, for example, blocking Windows 7 and 8.1 devices through CA policies, or blocking specific devices without an approved reason not to upgrade to Win10.

    29 votes

    1 comment  ·  Conditional Access
  6. Add Microsoft/Office portals as Cloud Apps so Conditional Access policies can target them

    With the change of separating the conditional access of the Office/Microsoft 365 portals from Exchange Online, we can no longer target office.com or the admin centers with conditional access.

    This has lowered security, as SharePoint file names/Outlook email previews on office.com are visible.

    We can also not target MFA just for the admin portals, and instead must target users with an "admin role", which would cover all apps, which is not a good user experience.

    26 votes

    6 comments  ·  Conditional Access
  7. Conditional Access support for ADFS CBA

    When federated identities are authenticated using CBA (Certificate Based Authentication) against ADFS, it would be nice to be able to have Azure AD recognize this in Azure AD Conditional Access rules and allow or deny access to apps based on this.

    26 votes

    6 comments  ·  Conditional Access
  8. Conditional Access for B2B Guest users

    For a Conditional Access Policy applicable to B2B Guest Users, in Azure AD > CA Policy we do not have an option to select individual B2B Guest users under the 'Users and Groups' section of the CA Policy. But for Cloud Member users we have the option to select individual users. Why don't we have the same capability and functionality for B2B Guests that we have for Cloud Member users in CA Policy? Also, why are we calling it Preview Mode?

    25 votes

    8 comments  ·  Conditional Access

    We’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?

  9. Enable conditional access rules to enforce MFA when users access Powershell

    Conditional access provides a great way to enforce additional checks when users access sensitive services in Azure. It is already possible to enforce MFA when users (e.g. with contributor rights) access the Azure portal. However, there is no way to explicitly require the same users to authenticate with MFA when accessing the same privileges in PowerShell. Please add PowerShell to the list of cloud applications such that it can be included in a rule that enforces MFA for privileged functions.

    24 votes

    5 comments  ·  Conditional Access

    Today you can set a conditional access policy on “Microsoft Azure Management”, which will apply to any client requesting access tokens to the Azure Management API. This includes the Azure portal (https://portal.azure.com) and Azure PowerShell (e.g. Login-AzureRmAccount).

    It does not apply to Azure AD PowerShell. To apply a conditional access policy to Azure AD PowerShell (e.g. Connect-MsolService and Connect-AzureAD, for the MSOnline and AzureAD modules, respectively), you must target “All cloud apps”, which means all sign-ins for the targeted users must satisfy the MFA requirement. The main reason for this is that the AzureAD PowerShell module is a thin wrapper around the Azure AD Graph API, which is also used by the vast majority of Azure AD-integrated apps (e.g. Office 365, Azure, etc.) out there.

    Thus, even if there was a way to set a policy on “Azure AD Graph API” (there isn’t), the…
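
The scoping rule in the reply above, turned into a small coverage check (an added example, not Microsoft code or a UserVoice post). The policy shape, the client-to-resource-app mapping and the app names are constructed assumptions that mirror the reply: the portal and Azure PowerShell request Azure Management tokens, while the MSOnline and AzureAD modules call the Azure AD Graph API, which only an "All cloud apps" policy reaches.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Which resource app each client asks tokens for, per the admin reply.
# Names are constructed labels, not app IDs from any tenant.
CLIENT_RESOURCE = {
    "Azure portal": "Microsoft Azure Management",
    "Login-AzureRmAccount": "Microsoft Azure Management",
    "Connect-MsolService": "Azure AD Graph API",
    "Connect-AzureAD": "Azure AD Graph API",
}


@dataclass
class CaPolicy:
    """Minimal stand-in for a Conditional Access policy (assumed shape)."""
    name: str
    include_apps: set[str]                       # {"All"} or named apps
    exclude_apps: set[str] = field(default_factory=set)
    grant_controls: set[str] = field(default_factory=set)  # e.g. {"mfa"}

    def covers(self, resource_app: str) -> bool:
        # Exclusions win, then "All" or an explicit include matches.
        if resource_app in self.exclude_apps:
            return False
        return "All" in self.include_apps or resource_app in self.include_apps


def required_controls(policies: list[CaPolicy], client: str) -> set[str]:
    """Union of grant controls every in-scope policy imposes on this client."""
    app = CLIENT_RESOURCE[client]
    controls: set[str] = set()
    for policy in policies:
        if policy.covers(app):
            controls |= policy.grant_controls
    return controls


def coverage_gaps(policies: list[CaPolicy], control: str = "mfa") -> list[str]:
    """Clients that reach the tenant without `control` being enforced."""
    return sorted(c for c in CLIENT_RESOURCE
                  if control not in required_controls(policies, c))


if __name__ == "__main__":
    mgmt_only = CaPolicy("mfa-azure-mgmt", {"Microsoft Azure Management"},
                         grant_controls={"mfa"})
    print("Gaps with Azure Management policy:", coverage_gaps([mgmt_only]))
    all_apps = CaPolicy("mfa-all", {"All"}, grant_controls={"mfa"})
    print("Gaps with All cloud apps policy:", coverage_gaps([all_apps]))
```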

  10. Conditional Access blocking Microsoft Store for Business apps deployed through Intune

    When a Conditional Access Policy is configured to block All cloud apps if the Win10 device is NOT compliant, this significantly delays installations from the Microsoft Store for apps like 'Company Portal'. In addition, if the compliance also requires BitLocker to be in place, at least one reboot is required, further delaying initial machine setup.

    I believe the cloud app in question is called 'Universal Store Service APIs and Web Application'. I have raised and identified this issue with MS support in the case number 118070218497552.

    Ask: Please flight the cloud app(s) in question for Conditional Access. Currently it cannot…

    20 votes

    3 comments  ·  Conditional Access
  11. Support Conditional Access for the Partner Portal (OCP MPN PORTAL)

    Support Conditional Access for the Partner Portal (OCP MPN PORTAL).
    Add the partner portal to Azure managed application so we can use conditional access.

    18 votes

    6 comments  ·  Conditional Access
  12. Block access to Azure at subscription-level based on device state

    Many companies would like the ability to enforce Azure Conditional Access on an Azure subscription level, which should require the user to have a managed device (Hybrid Azure AD Join / Intune managed device).

    The reason for the ask is that some companies have highly sensitive information in some Azure subscriptions, while other subscriptions are used for agile collaboration with partners (Azure B2B) with reduced security requirements for sign-in to the Azure subscription.

    Basically the same feature that is provided by the SharePoint team.

    Provide "Conditional Access" on a SharePoint Online Site Collection Level:
    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/11125038-provide-conditional-access-on-a-sharepoint-onlin

    Control access from unmanaged devices:
    https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

    17 votes

    0 comments  ·  Conditional Access
  13. Support for Microsoft Office 365 00000006-0000-0ff1-ce00-000000000000 in conditional access

    When using "All cloud apps" in a Conditional Access policy, when trying to access admin.microsoft.com, one of the URLs governed by Microsoft Office 365 portal - app ID : 00000006-0000-0ff1-ce00-000000000000, a user is blocked by Conditional Access. This issue is the same in some of the panes/icons in "Azure.portal.com"; this application can be found with its app ID under the Enterprise apps in the Azure portal but cannot be included or excluded in a Conditional Access policy.

    17 votes

    3 comments  ·  Conditional Access
  14. Block only Azure Portal using Conditional Access

    I want to block users' access to the Azure Portal.
    So I have Conditional Access on the "Microsoft Azure Management" application in Azure AD.
    However, "Microsoft Azure Management" contains not only the Azure Portal but other applications as well, as described below.

    Manage access to Azure management with Conditional Access
    https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

    Please add only Azure Portal application to Conditional Access.

    16 votes

    1 comment  ·  Conditional Access
  15. Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity

    Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.

    It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, that Intune doesn't enforce Company Portal, and that Exchange ActiveSync is not blocked on the Exchange backend.

    Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"

    Att.: Caleb and Dhanyah

    /Peter Selch Dahl

    15 votes

    3 comments  ·  Conditional Access
  16. Create Policy differentiation from a BYOD vs CYOD device both PC and Mobile devices.

    Many organizations would like to specify that certain applications can only be accessed via corporate-owned assets, but would still like to take advantage of BYOD scenarios for other applications. To that end, a differentiation of devices between BYOD and CYOD, through to PCs, would be great.

    Also there should be a process to move devices between the two groups.

    15 votes

    1 comment  ·  Conditional Access
  17. Conditional Access to Data based on Classification Labels

    Conditional Access to Data based on Classification Labels

    As part of a regulated industry, we require more in-depth controls while allowing other parts of the business to have flexible access.

    Sensitive data is tagged with Classification Labels to meet regulatory and business requirements.
    DLP is configured to protect against sharing of data.

    We are looking for the capability of allowing sensitive data to be accessed only from a compliant device, approved client app, or domain-joined device, while allowing other data types to meet less stringent rules.

    Additionally, be able to create policies to configure DLP like…

    14 votes

    0 comments  ·  Conditional Access
  18. App grouping

    Currently conditional access policies can be scoped only to individual applications.
    This has strong limitations:
    * No more than hundreds of applications per policy
    * In large environments with lots of applications, this gets very complex and unmanageable
    * Changes to Conditional Access policies are always risky and should be minimized
    * Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automation

    All these issues can be solved by the following set of features:
    * Provide a mechanism to group apps
    * Allow CA policies to be scoped to these app groups

    Depending…

    13 votes

    5 comments  ·  Conditional Access
  19. 13 votes

    2 comments  ·  Conditional Access
  20. Allow the persistent browser session(preview) in the Conditional Access to be applied on some Applications not all Cloud Apps

    Allow the persistent browser session (preview) in Conditional Access to be applied to some applications, not all Cloud Apps, especially with the on-premises applications that are published through Azure Application Proxy.

    12 votes

    0 comments  ·  Conditional Access