Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Enable conditional access rules to enforce MFA when users access PowerShell

    Conditional access provides a great way to enforce additional checks when users access sensitive services in Azure. It is already possible to enforce MFA when users (e.g. with contributor rights) access the Azure portal. However, there is no way to explicitly require the same users to authenticate with MFA when accessing the same privileges in PowerShell. Please add PowerShell to the list of cloud applications so that it can be included in a rule that enforces MFA for privileged functions.

    9 votes
    4 comments  ·  Conditional Access

    Today you can set a conditional access policy on “Microsoft Azure Management”, which will apply to any client requesting access tokens to the Azure Management API. This includes the Azure portal (https://portal.azure.com) and Azure PowerShell (e.g. Login-AzureRmAccount).

    It does not apply to Azure AD PowerShell. To apply a conditional access policy to Azure AD PowerShell (e.g. Connect-MsolService and Connect-AzureAD, for the MSOnline and AzureAD modules, respectively), you must target “All cloud apps”, which means all sign-ins for the targeted users must satisfy the MFA requirement. The main reason for this is that the AzureAD PowerShell module is a thin wrapper around the Azure AD Graph API, which is also used by the vast majority of Azure AD-integrated apps (e.g. Office 365, Azure, etc.) out there.

    Thus, even if there was a way to set a policy on “Azure AD Graph API” (there isn’t), the…

  2. conditional access rules should be searchable instead of waiting for load

    Conditional Access policy cannot be searched. If you have a lot of CA, you have to click load more, wait, wash, rinse, repeat.

    8 votes
    0 comments  ·  Conditional Access
  3. Enable conditional access for registered native apps

    Enable the use of Conditional Access when using AAD Interactive login in native desktop apps. For example RDM in this scenario: https://help.remotedesktopmanager.com/index.html?datasources_advanced_sqlazure_configuresqlazureforadconnections.htm

    8 votes
    0 comments  ·  Conditional Access
  4. Support Azure Conditional Access for Azure SQL Server

    Allow clients with an Azure Conditional Access compliant device to access the Azure SQL database independently of the IP location.

    Basically create a just-in-time access for Azure AD compliant devices that are able to authenticate using some kind of PKAuth (Public Key Authentication Protocol) against the Microsoft Azure SQL server that allows access for that specific client.

    @Caleb

    https://feedback.azure.com/forums/908035-sql-server/suggestions/35919877-support-azure-conditional-access-for-sql-connectiv

    8 votes
    0 comments  ·  Conditional Access

    Thanks for the suggestion Peter. Can you give a bit more detail on the use case? You can apply conditional access policy to Azure SQL today. Is the additional requirement here to lock down access to specific devices (for example: not all compliant devices)?

    -Caleb

  5. Conditional access policy - Cloud Apps - All 3rd Party Applications

    Provide simple radio buttons for

    "All Non-Microsoft Applications" ("All 3rd Party Applications")
    "All Microsoft Applications"
    "All Cloud Applications"

    to be used in Inclusion and Exclusion rules under Cloud App for Conditional Access Policies.

    Currently it does not seem to be possible to block just 3rd party apps. It is not possible to select all of the Microsoft applications in the Exclusion rules as they are not presented for selection unless registered with a URL.

    And if it _were_ possible to select everything required for Microsoft applications, it would still be an administration burden to continue to update the whitelist with…

    8 votes
    4 comments  ·  Conditional Access

    Can you give a bit more detail about why you would want to block 3rd party apps? Why are there 3rd party apps registered in your directory, that you want to block? I’m just wondering if there is a bigger issue here. Please add any feedback to the Azure feedback item.

    Thanks

  6. Conditional access reporting

    It would be great to get reporting on conditional access policies, i.e. you have a conditional access policy to block a specific country and want to generate a report to show the number of blocks from that policy.

    8 votes
    4 comments  ·  Conditional Access
  7. Document conditional access supportability matrix

    The supportability matrix on which operating systems and web browsers (including full-mode vs. in-private mode) are supported by conditional access should be publicly available.

    8 votes
    0 comments  ·  Conditional Access
  8. Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups

    Need exclude/include groups/users in the Azure AD baseline security policies SR-1172

    7 votes
    0 comments  ·  Conditional Access
  9. Allow the persistent browser session (preview) in the Conditional Access to be applied on some Applications not all Cloud Apps

    Allow the persistent browser session (preview) in the Conditional Access to be applied on some Applications, not all Cloud Apps, especially with the on-premises Applications that are published through Azure Application Proxy.

    7 votes
    0 comments  ·  Conditional Access
  10. Allow access to specific O365 portals (Teams call queue site for example) but restrict access to all others

    We would like the ability to restrict access to all online O365 services but be able to exclude access to the Teams call queue site (https://aka.ms/cqsettings) so that users can opt in/out of call queues during their day to day activities. At the moment it appears to be only an all or nothing policy. Thx!

    7 votes
    1 comment  ·  Conditional Access
  11. Azure audit logs that show 'PolicyDetail' data being changed and who changed it on a conditional access policy

    Azure audit logs that show 'PolicyDetail' data being changed and who changed it on a conditional access policy

    7 votes
    1 comment  ·  Conditional Access
  12. 7 votes
    0 comments  ·  Conditional Access
  13. Create Custom Controls for Azure AD conditional policies without offline process

    First of all thank you very much for the Custom Controls functionality for Azure AD.
    I just found through an Azure Support channel that today, you need to contact Microsoft to become a "valid" provider for custom controls.
    It would be great if you could make the registration process online and automated as I see a lot of potential for customers to want to implement their own validation logic during the authentication pipeline.

    Having to offline register with Microsoft in order to have a compatible service will make it much harder to push this feature forward.

    6 votes
    3 comments  ·  Conditional Access
  14. Merge the IP Address range page in Cloud App Security and Conditional access - Named locations IP Ranges

    Currently we have to maintain the same IP address ranges on two different Admin Centers to avoid false positive impossible traveling alerts. It would make sense to have only one page where you maintain IP address ranges and enable them for both: the Conditional Access rules and for the Cloud App Security.

    6 votes
    0 comments  ·  Conditional Access
  15. Temporary bypass MFA for a specific period of time in conditional access

    For MFA on-premise, there is an option to bypass MFA for a certain period of time in case an employee forgets or doesn't have access to their mobile device (one-time bypass option). In conditional access, it's possible to bypass MFA for a specific group but there is no option to set a maximum period of time, which causes a security risk.

    We would like to have an option to let the IT department configure a temporary bypass (e.g. 24 hours) for an employee that cannot use their second factor login (e.g. mobile device).

    6 votes
    under review  ·  0 comments  ·  Conditional Access
  16. conditional access with defined hours

    Allow/Deny the access to cloud resources through conditional access in a defined timeslot.
    In some areas it's mandatory to deny access to email during non-office hours. Conditional access should add this capability.

    6 votes
    0 comments  ·  Conditional Access
  17. RSOP for CAPs

    Have a way to determine the net effect of ALL conditional access policies on a given user, like a resultant set of policies does with GPOs.

    6 votes
    0 comments  ·  Conditional Access
  18. Conditional Access Condition for MFA

    Users need to be able to manage their second verification factor when MFA is assigned through a Conditional Access Condition.
    Currently they are not able to change the phone number or add additional phone numbers unless MFA for Office 365 is enabled.
    The default action for Enabled MFA for Office 365 is to change to Enforced when the user logs in. This creates complications for end-users who do not understand the process and strains the support systems trying to deal with end-users as we try to encourage MFA usage.

    6 votes
    0 comments  ·  Conditional Access
  19. disabled device

    In Azure AD, each tenant can set User Device limits. In most cases the limit is 20 or unlimited. But in cases where the limit is restricted by Risk Management teams, and conditional access is enforced, we are finding that when a user removes a device, or the device state changes, in Azure AD, that device stays on the account in a "Disabled" status. Now we have scripted this to clean up, but this feels like a product gap in Azure AD, and I'd like to suggest a disabled Device cleanup workflow process to remove these devices from the directory on either…

    6 votes
    0 comments  ·  Conditional Access
  20. Effective Conditional Access Policies for users and groups

    Consider adding an option within Azure Active Directory Conditional Access that allows security administrators to check whether the company's conditional access rules are applied effectively for all users and groups.

    - The solution should list all users and groups that are targeted by a specific conditional access policy and also those who are not hit by the policy
    - The solution should also be able to be used for troubleshooting which policies a user is getting applied.

    This request is also listed on the Intune Feedback uservoice: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/19152421-effective-conditional-access-policies-for-users-an

    Related request: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/17623162-display-summary-of-conditional-access-assignments

    6 votes
    0 comments  ·  Conditional Access

    Thanks.
    Some of this is now possible using the conditional access whatIf tool. It can be used to troubleshoot which policies apply to a specific user.
    The second part of the request; listing impact of a policy on all users is something we’ll consider. We’re continuing to invest in tools that help with understanding impact policies and will make sure it is easy to assess policy coverage.
