Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Allow the possibility to assign Dynamic Device Groups to Conditional Access policies

    I'd like to enforce enrollment for corporate devices but not for personal devices, for the same user account. So I can create Dynamic Device Groups, but if I assign these groups to Conditional Access policies, it doesn't work.

    23 votes

    planned  ·  4 comments  ·  Conditional Access
  2. Ability to apply Azure Conditional Access policies to specific Windows OS versions (7, 8.1, 10) for Hybrid Azure AD Joined Devices, or to specific devices in a device group

    While Azure Conditional Access policies can currently be applied to Windows for Hybrid Azure AD Joined Devices, this includes all Windows operating systems. There is no ability to apply them to specific Windows OS versions, or to target specific devices. Having this functionality would allow, for example, blocking Windows 7 and 8.1 devices through CA policies, or blocking specific devices that have no approved reason not to upgrade to Win10.

    21 votes

    0 comments  ·  Conditional Access
  3. Add the option to block only OneDrive and not the whole SharePoint

    Many large organizations that move to Office 365 have the need to block OneDrive for certain users, but leave them the ability to use SharePoint Online. After opening a support case, the response was that it is currently not supported and the only option is to block both OneDrive and SharePoint Online.

    21 votes

    3 comments  ·  Conditional Access
  4. Conditional Access support for ADFS CBA

    When federated identities are authenticated using CBA (Certificate Based Authentication) against ADFS, it would be nice to have Azure AD recognize this in Azure AD Conditional Access rules and allow or deny access to apps based on this.

    21 votes

    5 comments  ·  Conditional Access
  5. Restricting Access Of Azure Service Principals – Using Conditional Access

    If anyone has the information below, they can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md
    #>
    The best possible scenario is to restrict it using RBAC. Agreed.
    An extra layer of Conditional Access on the Azure service principal would be good. This security flaw can compromise the AAD data, since most of the service principals have OAuth2 enabled and read access to AAD.
    Can MS look into this, please?
    I had raised a case with MS…

    19 votes

    0 comments  ·  Conditional Access
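The post above makes the point that whoever holds the app ID and key can use the service principal from any network, and that RBAC is the realistic restriction today. The block below is an added example written for this page (not the poster's code and not Microsoft's) of what that restriction looks like in Az PowerShell: the service principal gets a certificate credential instead of a shared key, any subscription-wide role assignment is removed, and a single Reader assignment is scoped to one resource group. The display name is taken from the post; the resource group name is a placeholder. It assumes Connect-AzAccount has already been run by an account allowed to manage role assignments, that it runs on Windows (New-SelfSignedCertificate), and that propagation of a fresh service principal may take a few seconds before role assignments can be listed.

```powershell
# Added example: least-privilege service principal with a certificate credential.
# Assumes Connect-AzAccount has already been run; names below are placeholders.
$spName         = "MS-PoC-ServicePrincipal"   # display name from the post, reused as an example
$resourceGroup  = "rg-poc"                    # assumed: the only scope this SP should touch
$subscriptionId = (Get-AzContext).Subscription.Id

# 1. Certificate credential: the private key stays in the local store and is
#    non-exportable, so there is no shared secret to paste into a script elsewhere.
$cert = New-SelfSignedCertificate -Subject "CN=$spName" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -NotAfter (Get-Date).AddMonths(6)
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# 2. Create the service principal with the public certificate as its only credential.
$sp = New-AzADServicePrincipal -DisplayName $spName -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter
Start-Sleep -Seconds 20   # assumed: give directory replication a moment before querying assignments

# 3. Remove any subscription-wide assignment the cmdlet may have created by default
#    (older Az.Resources versions granted Contributor on the whole subscription).
Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.Scope -eq "/subscriptions/$subscriptionId" } |
    ForEach-Object {
        Remove-AzRoleAssignment -ObjectId $sp.Id `
            -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
    }

# 4. Grant exactly the role needed, at the narrowest scope that works.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Reader" `
    -ResourceGroupName $resourceGroup | Out-Null

# 5. Check: the only assignment left should be Reader on the resource group.
$remaining = Get-AzRoleAssignment -ObjectId $sp.Id
$remaining | Select-Object RoleDefinitionName, Scope
$subWide = $remaining | Where-Object { $_.Scope -eq "/subscriptions/$subscriptionId" }
if ($subWide) { Write-Warning "Subscription-wide assignment still present for $spName" }

# Signing in later has to happen from the machine that holds the private key
# ($sp.AppId is named ApplicationId in older Az.Resources versions):
#   Connect-AzAccount -ServicePrincipal -ApplicationId $sp.AppId `
#       -Tenant (Get-AzContext).Tenant.Id -CertificateThumbprint $cert.Thumbprint
```

This does not give the service principal a network condition, which is what the post asks for; it limits what a stolen credential can reach (one resource group, read-only) and, with a non-exportable key, makes the credential itself harder to lift off the box it was issued on.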
  6. Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies

    18 votes

    2 comments  ·  Conditional Access
  7. Support for Microsoft Office 365 00000006-0000-0ff1-ce00-000000000000 in conditional access

    When using "All cloud apps" in a Conditional Access policy and trying to access admin.microsoft.com, one of the URLs governed by the Microsoft Office 365 Portal (app ID: 00000006-0000-0ff1-ce00-000000000000), a user is blocked by Conditional Access. This issue is the same for some of the panes/icons in "Azure.portal.com"; this application can be found by its app ID under Enterprise apps in the Azure portal but cannot be included or excluded in a Conditional Access policy.

    17 votes

    1 comment  ·  Conditional Access
  8. Baseline policy: Require MFA for admins does not allow for any exceptions

    The guidance on your website states: During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies. If you have enabled a baseline policy, you should exclude your emergency access accounts.

    However, none of the four baseline policies provide the ability to exclude any users. This directly contradicts the guidance on your website. The "Require MFA for Service Management" policy even states the following when we attempt to enable it:

    "Don't get locked out. This policy can potentially prevent…

    16 votes

    2 comments  ·  Conditional Access
  9. Option to enforce authentication every time you access a SSO app (e.g. SaaS app)

    Add an option to enforce authentication every time you access an SSO app (e.g. SaaS):
    - Option could be possible per app
    - Option could be 1) re-enter password (ignore SSO) 2) guaranteed MFA prompt (ignore MFA token)

    Use case:
    Shared PCs, personal logins, a SaaS app that has sensitive payroll data. Concern: people don't log off -> anyone can walk up to the PC and get into the SaaS app via SSO. As of now even MFA doesn't help, due to the MFA token or Windows Hello strong auth. You could only play with token lifetime.

    16 votes

    3 comments  ·  Conditional Access
  10. Add Microsoft/Office portals as Cloud Apps so Conditional Access policies can target them

    With the change of separating the conditional access of the Office/Microsoft 365 portals from Exchange Online, we can no longer target office.com or the admin centers with conditional access.

    This has lowered security, as Sharepoint file names/Outlook email previews on office.com are visible.

    We can also not target MFA just for the admin portals, and instead must target users with an "admin role", which would cover all apps, which is not a good user experience.

    15 votes

    2 comments  ·  Conditional Access
  11. Support Conditional Access for the Partner Portal (OCP MPN PORTAL)

    Add the Partner Portal to Azure managed applications so we can use Conditional Access.

    14 votes

    4 comments  ·  Conditional Access
  12. Ability to sort Conditional Access Policies alphabetically

    It would be useful to be able to sort Conditional Access policies alphabetically.

    So, for example, if the naming convention starts with ALLOW: or BLOCK:, then when you create new ones and sort alphabetically they will all be in the right order. Right now they are listed in the order of creation.

    14 votes

    4 comments  ·  Conditional Access
  13. Support Chrome in Server 2016 for compliant/hybrid join (using "Windows 10 Accounts" extension)

    This has been listed as "Coming Soon" for six months? A year? Because Server 2016 isn't supported, we have to assign public IPs to Azure VMs and then exempt those IPs from CA rules. We didn't have to do this with Server 2012 R2, yet here in October 2018 we have to do it with Server 2016!

    I am sure backporting the fixes and improvements to hybrid join in Win 10 v1703 is work MS does not care to do and that is why this is not supported yet. Remember we have no Edge on Server 2016 so we must…

    14 votes

    4 comments  ·  Conditional Access
  14. Create policy differentiation between BYOD and CYOD devices, for both PCs and mobile devices.

    Many organizations would like to specify that certain applications can only be accessed via corporate-owned assets, but would still like to take advantage of BYOD scenarios for other applications. To that end, a differentiation of devices between BYOD and CYOD, through to PCs, would be great.

    Also, there should be a process to move devices between the two groups.

    14 votes

    1 comment  ·  Conditional Access
  15. Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity

    Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.

    It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, Intune doesn't enforce company portal and that Exchange ActiveSync is not blocked on the Exchange Backend.

    Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"

    Att.: Caleb and Dhanyah

    /Peter Selch Dahl

    13 votes

    3 comments  ·  Conditional Access
  16. OneDrive client in Conditional Access

    The only way to set up Conditional Access for the OneDrive client is to use "SharePoint Online".
    It is not possible to create a rule that affects only the OneDrive sync client.
    We want the opportunity to create a Conditional Access rule only for the OneDrive client.

    13 votes

    1 comment  ·  Conditional Access
  17. Conditional Access blocking Microsoft Store for Business apps deployed through Intune

    When a Conditional Access Policy is configured to block All cloud Apps if the Win10 device is NOT compliant, this significantly delays installations from the Microsoft Store for apps like 'Company Portal'. In addition, if the compliance also requires Bitlocker to be in place, at least one reboot is required, further delaying initial machine setup.

    I believe the cloud app in question is called 'Universal Store Service APIs and Web Application'. I have raised and identified this issue with MS support in the case number 118070218497552.

    Ask: Please flight the cloud app(s) in question for Conditional Access. Currently it cannot…

    12 votes

    0 comments  ·  Conditional Access
  18. Conditional Access to Data based on Classification Labels

    As part of a regulated industry, we require more in-depth controls while allowing other parts of the business to have flexible access.

    Sensitive data is tagged with classification labels to meet regulatory and business requirements.
    DLP is configured to protect against sharing of data.

    We are looking for the capability of allowing sensitive data to be accessed only from a compliant device, approved client app, or domain-joined device, while allowing other data types to meet less stringent rules.

    Additionally, be able to create policies to configure DLP like…

    11 votes

    0 comments  ·  Conditional Access
  19. Enable conditional access rules to enforce MFA when users access Powershell

    Conditional Access provides a great way to enforce additional checks when users access sensitive services in Azure. It is already possible to enforce MFA when users (e.g. with contributor rights) access the Azure portal. However, there is no way to explicitly require the same users to authenticate with MFA when accessing the same privileges in PowerShell. Please add PowerShell to the list of cloud applications such that it can be included in a rule that enforces MFA for privileged functions.

    10 votes

    4 comments  ·  Conditional Access

    Today you can set a conditional access policy on “Microsoft Azure Management”, which will apply to any client requesting access tokens to the Azure Management API. This includes the Azure portal (https://portal.azure.com) and Azure PowerShell (e.g. Login-AzureRmAccount).

    It does not apply to Azure AD PowerShell. To apply a conditional access policy to Azure AD PowerShell (e.g. Connect-MsolService and Connect-AzureAD, for the MSOnline and AzureAD modules, respectively), you must target “All cloud apps”, which means all sign-ins for the targeted users must satisfy the MFA requirement. The main reason for this is that the AzureAD PowerShell module is a thin wrapper around the Azure AD Graph API, which is also used by the vast majority of Azure AD-integrated apps (e.g. Office 365, Azure, etc.) out there.

    Thus, even if there was a way to set a policy on “Azure AD Graph API” (there isn’t), the…
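Putting the admin reply above together with idea 8 (the baseline policies give no way to exclude an emergency-access account): the baseline policies cannot be edited, but a custom policy that does the same job can carry the exclusion. The block below is an added example written for this page, not Microsoft's code and not part of the reply. It uses Microsoft Graph PowerShell to create a policy that requires MFA for Global Administrators on “Microsoft Azure Management” (per the reply, that covers the Azure portal and Azure PowerShell but not Azure AD PowerShell), excludes one break-glass account, starts in report-only mode, and reads the policy back to confirm the exclusion before anyone flips it to enforced. Assumptions: the Microsoft.Graph.Authentication module is installed, the signed-in account can consent to Policy.ReadWrite.ConditionalAccess and User.Read.All, and the break-glass UPN is a placeholder. The application ID 797f4846-ba00-4fd7-ba43-dac1f8f63013 (Windows Azure Service Management API, listed as “Microsoft Azure Management” in the portal) and the Global Administrator role template ID 62e90394-69f5-4237-9190-012177145e10 are the well-known Microsoft values; confirm them in your own tenant before enforcing.

```powershell
# Added example: custom "require MFA for admins" policy with a break-glass exclusion,
# created through Microsoft Graph. The break-glass UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

$breakGlassUpn     = "breakglass@contoso.example"              # placeholder (assumed)
$azureMgmtAppId    = "797f4846-ba00-4fd7-ba43-dac1f8f63013"    # Microsoft Azure Management
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"    # Global Administrator role template

# Graph wants object IDs, not UPNs, so resolve the emergency-access account first.
$breakGlass = Invoke-MgGraphRequest -Method GET `
    -Uri ('https://graph.microsoft.com/v1.0/users/' + $breakGlassUpn + '?$select=id')

$policy = @{
    displayName = "CA-Admins-RequireMFA-AzureManagement"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRoleId)
            excludeUsers = @($breakGlass.id)             # the exclusion the baseline policies cannot express
        }
        applications = @{
            # Per the admin reply, this app covers portal.azure.com and Azure PowerShell.
            # Use @("All") instead if the policy must also catch Azure AD PowerShell.
            includeApplications = @($azureMgmtAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Check: read the policy back and confirm the break-glass account really is excluded.
# Only after this passes (and report-only sign-in logs look right) should the state
# be changed to "enabled".
$readBack = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
if ($readBack.conditions.users.excludeUsers -notcontains $breakGlass.id) {
    throw "Break-glass account is not excluded from '$($created.displayName)'; do not enable it."
}
"Created '$($readBack.displayName)' in state '$($readBack.state)' with " +
    "$(@($readBack.conditions.users.excludeUsers).Count) excluded user(s)."
```

The read-back step is the part worth keeping even if the rest is adapted: a lockout from an admin MFA policy is exactly the failure the quoted guidance in idea 8 warns about, and checking the stored policy rather than the request body catches the case where the user lookup silently returned something other than the intended account.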

  20. Add filtering option for the conditional access policies

    Currently there is no option to reorder, search or filter Conditional Access policies, and it is hard to find/manage them, especially if you have more than 30 policies defined. Please add a filtering option for the Conditional Access policies as well, similar to what exists right now for "App", "App Protection policies" and "App Configuration policies".

    9 votes

    0 comments  ·  Conditional Access