Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Change message details for users blocked by CA policy when signing into O365

    When a user is blocked by a conditional access policy set in Azure Active Directory, the message validates that the username and password was successful but failed due to certain criteria not being met (CA Policy). The premise being that a bad actor with stolen creds is able to confirm that those credentials are valid, despite not being on a device capable of logon. This would allow the actor to attempt to use the same credentials in other places and is a major security risk.

    Please allow for this message to be editable or change it so that it doesn't…

    11 votes
    0 comments  ·  Conditional Access
  2. Azure audit logs that show 'PolicyDetail' data being changed and who changed it on a conditional access policy

    Azure audit logs that show 'PolicyDetail' data being changed and who changed it on a conditional access policy

    11 votes
    2 comments  ·  Conditional Access
  3. Conditional Access granularity -- We need support for "and/or" scenarios for conditions, and more granularity for client/device types.

    We are in the process of moving to Exchange Online from an on-prem environment, with the following assumptions:

    A) We are already a Duo shop for MFA and management does not want to have a second MFA strategy (Azure AD MFA)

    B) We use Passthrough Authentication for authentication into Azure AD. We do not wish to deploy ADFS for only O365.

    With these assumptions, our way of adding MFA to our logins in O365 is with Conditional Access and a custom control for our Duo 2FA.

    We have created policies that only allow connections from clients that support Modern Authentication,…

    11 votes
    0 comments  ·  Conditional Access
  4. Conditional access policy - Cloud Apps - All 3rd Party Applications

    Provide simple radio buttons for

    "All Non-Microsoft Applications" ("All 3rd Party Applications")
    "All Microsoft Applications"
    "All Cloud Applications"

    to be used in Inclusion and Exclusion rules under Cloud App for Conditional Access Policies.

    Currently it does not seem to be possible to block just 3rd party apps. It is not possible to select all of the Microsoft applications in the Exclusion rules as they are not presented for selection unless registered with a URL.

    And if it were possible to select everything required for Microsoft applications, it would still be an administration burden to continue to update the whitelist with…

    10 votes
    4 comments  ·  Conditional Access

    Can you give a bit more detail about why you would want to block 3rd party apps? Why are there 3rd party apps registered in your directory, that you want to block? I’m just wondering if there is a bigger issue here. Please add any feedback to the Azure feedback item.

    Thanks

  5. Conditional access policy by location should be standard feature

    Conditional Access policies to block access from countries should be a standard security feature and organizations should not have to upgrade to E5 or Azure P2 to use this feature. We see failed sign-in attempts every day from countries such as China and Russia. It would block out 99% of the malicious sign-in attempts if we could simply implement a conditional access policy by location.

    9 votes
    3 comments  ·  Conditional Access
  6. Conditional access rules should be searchable instead of waiting for load

    Conditional Access policy cannot be searched. If you have a lot of CA, you have to click load more, wait, wash, rinse, repeat.

    9 votes
    0 comments  ·  Conditional Access
  7. Enable conditional access for registered native apps

    Enable the use of Conditional Access when using AAD Interactive login in native desktop apps. For example RDM in this scenario: https://help.remotedesktopmanager.com/index.html?datasourcesadvancedsqlazure_configuresqlazureforadconnections.htm

    9 votes
    0 comments  ·  Conditional Access
  8. Support Azure Conditional Access for Azure SQL Server

    Allow clients with an Azure Conditional Access compliant device to access the Azure SQL database independently of the IP location.

    Basically create a just-in-time access for Azure AD compliant devices that are able to authenticate using some kind of PKAuth (Public Key Authentication Protocol) against the Microsoft Azure SQL server that allows access for that specific client.

    @Caleb

    https://feedback.azure.com/forums/908035-sql-server/suggestions/35919877-support-azure-conditional-access-for-sql-connectiv

    9 votes
    0 comments  ·  Conditional Access

    Thanks for the suggestion Peter. Can you give a bit more detail on the use case? You can apply conditional access policy to Azure SQL today. Is the additional requirement here to lock down access to specific devices (for example: not all compliant devices)?

    -Caleb

  9. 8 votes
    0 comments  ·  Conditional Access
  10. Conditional access api with at least What If capability

    Create an API for conditional access that only displays the policies, but also enables you to perform 'What If' to test them.
    It will significantly help create automations by overseeing what might get blocked. A response should be a detailed report like in the Azure Portal.

    8 votes
    0 comments  ·  Conditional Access
  11. Document conditional access supportability matrix

    The supportability matrix on which operating systems and web browsers (including full-mode vs. in-private mode) are supported by conditional access should be publicly available.

    8 votes
    0 comments  ·  Conditional Access
  12. Display Summary of Conditional Access Assignments

    Instead of requiring admins to click every Assignment to see the details of the CA rule they created, show a summary of what the policy does, in the user's native language.

    See attached file to get an idea of what I'm saying.

    8 votes
    0 comments  ·  Conditional Access
  13. Custom Controls

    Please add the ability to use Custom Controls under Conditional Access policies in Azure Government. Need this to utilize 3rd party MFA providers as is able to be done on the commercial side.

    7 votes
    0 comments  ·  Conditional Access
  14. Allow access to specific O365 portals (Teams call queue site for example) but restrict access to all others

    We would like the ability to restrict access to all online O365 services but be able to exclude access to the Teams call queue site (https://aka.ms/cqsettings) so that users can opt in/out of call queues during their day to day activities. At the moment it appears to be only an all or nothing policy. Thx!

    7 votes
    1 comment  ·  Conditional Access
  15. Indicate when conditional access policy was not applied due to lack of license

    When viewing the details of an individual entry in the sign-in log within the Azure AD Portal, the "Conditional Access" tab allows you to see which conditional access policies were applied to the sign-in attempt and the result for each.

    In the case where the user in question does not have a license assigned that includes conditional access functionality, the tab simply says "No policies". Support have advised me in the past that CA policies will not be applied to users who do not have the appropriate license applied, which is presumably why the list is empty in such situations.…

    7 votes
    1 comment  ·  Conditional Access
  16. Merge the IP Address range page in Cloud App Security and Conditional access - Named locations IP Ranges

    Currently we have to maintain the same IP address ranges on two different Admin Centers to avoid false positive impossible traveling alerts. It would make sense to have only one page where you maintain IP address ranges and enable them for both: the Conditional Access rules and for the Cloud App Security.

    7 votes
    0 comments  ·  Conditional Access
  17. Ability to customize email messages that are auto-generated

    Whenever admin uses Azure Conditional Access policy to either:


    1. Block Exchange ActiveSync (Legacy Auth)
      or

    2. Enforce MFA on Exchange ActiveSync

    End user would receive the following email notification on their IOS/Android devices when trying to login Outlook email using ActiveSync with Legacy Auth (IOS and Android Native Mail Client, Gmail App).

    Please see attachments for email message details. When end users click on "Learn More" link, it would direct them to www.microsoft.com that contains Microsoft Ads which is unacceptable. It would be ideal if it directs to MFA article or the company's internal link.

    7 votes
    0 comments  ·  Conditional Access
  18. RSOP for CAPs

    Have a way to determine the net effect of ALL conditional access policies on a given user, like a resultant set of policies do with GPOs.

    7 votes
    0 comments  ·  Conditional Access
  19. Support for accessing SharePoint onprem files through Application Proxy from Android and IOS Office Apps

    Problem:
    - Access is blocked (You cannot open the document) when Approved Client App is a requirement in the CA policy (You cannot get there from here message)
    - After trying to authenticate (and being blocked) the Office app needs to be restarted to be responsive again.

    Possible solutions:
    - rewrite the authentication flow to use the auth token saved on the device - instead of trying to reauthenticate with webkit browser
    - use Edge browser inside the apps to reauthenticate
    - Treat webkit as an approved app when inside an office app

    Since all the users recent documents are…

    6 votes
    1 comment  ·  Conditional Access
  20. Prevent password brute force by blocking suspicious IP addresses

    Conditional Access comes into place after checking user and password. Having country blocking or a block list of IPs there is too late.

    Every night there are a lot of password brute force attacks from mostly the same IP address. To protect the users from being locked out when they arrive in the morning, these IPs are added to a blacklist, but the requests from these IP addresses are not blocked like a firewall would do. These requests are going to Azure AD to authenticate the user; after some wrong passwords the account is locked out…

    6 votes
    1 comment  ·  Conditional Access