Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Conditional access api with at least What If capability

    Create an API for conditional access that not only displays the policies, but also enables you to perform 'What If' to test them.
    It will significantly help create automations by overseeing what might get blocked. A response should be a detailed report like in the Azure Portal.

    6 votes  ·  0 comments  ·  Conditional Access
  2. Conditional Access Condition for MFA

    Users need to be able to manage their second verification factor when MFA is assigned through a Conditional Access Condition.
    Currently they are not able to change the phone number or add additional phone numbers unless MFA for Office 365 is enabled.
    The default action for Enabled MFA for Office 365 is to change to Enforced when the user logs in. This creates complications for end-users who do not understand the process and strains the support systems trying to deal with end-users as we try to encourage MFA usage.

    6 votes  ·  0 comments  ·  Conditional Access
  3. AAD CA Require approved app list should include all Microsoft apps

    The AAD CA require approved app list should include all Microsoft apps. StaffHub, Flow and so on. The idea to restrict iOS and Android to just a few is an incomplete solution. With App protection policies we can protect all Microsoft apps so this is the right combination when combined with CA. Please extend trusted app list to all MS app protection policy apps.

    6 votes  ·  1 comment  ·  Conditional Access
  4. Effective Conditional Access Policies for users and groups

    Consider adding an option within Azure Active Directory Conditional Access that allows security administrators to see whether the company's conditional access rules are applied effectively for all users and groups.

    • The solution should list all users and groups that are targeted by a specific conditional access policy, and also those who are not hit by the policy.

    • The solution should also be usable for troubleshooting which policies a user is getting applied.

    This request is also listed on the Intune Feedback uservoice: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/19152421-effective-conditional-access-policies-for-users-an

    Related request: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/17623162-display-summary-of-conditional-access-assignments

    6 votes  ·  0 comments  ·  Conditional Access

    Admin response:
    Thanks.
    Some of this is now possible using the conditional access whatIf tool. It can be used to troubleshoot which policies apply to a specific user.
    The second part of the request, listing the impact of a policy on all users, is something we'll consider. We're continuing to invest in tools that help with understanding the impact of policies and will make sure it is easy to assess policy coverage.

  5. All the required resources to be capable of being included and excluded from conditional access

    How to correlate sign-ins to ALL applications to add in our CA policies. How do we do that? This isn’t documented anywhere seemingly.

    For example, attached listed apps we found to be in our sign-in logs that cannot be individually selected. Worked with support, but it's apparently not possible as-is.

    5 votes  ·  0 comments  ·  Conditional Access
  6. Custom Controls

    Please add the ability to use Custom Controls under Conditional Access policies in Azure Government. Need this to utilize 3rd party MFA providers as is able to be done on the commercial side.

    5 votes  ·  0 comments  ·  Conditional Access
  7. Make "SharePoint Online Web Client Extensibility" be included/excluded from a Conditional Access policy when including/excluding SharePoint Online

    We have a Conditional Access policy to block all guest users from accessing all apps, but exclude Exchange Online and SharePoint Online. However the policy was not working as expected since users also need to access "SharePoint Online Web Client Extensibility" (app ID 08e18876-6177-487e-b8b5-cf950c1e598c) while visiting SharePoint Online, which is not selectable in a Conditional Access policy, so this access was blocked by the policy.
    Is it possible to implement one of the following:
    1. Make Conditional Access policy controls for "SharePoint Online Web Client Extensibility" automatically align with SharePoint Online.
    2. Make "SharePoint Online Web Client Extensibility" a selectable…

    5 votes  ·  4 comments  ·  Conditional Access
  8. Provide more granular conditional access to apps than just "Office 365 SharePoint Online" or "Microsoft Azure Management".

    Provide more granular conditional access to apps than just "Office 365 SharePoint Online" or "Microsoft Azure Management". Both of these block way too much by default, especially "Microsoft Azure Management" as it blocks powerapps portal access for developers. You have this all or nothing approach that doesn't work.

    5 votes  ·  1 comment  ·  Conditional Access
  9. Default Block All rule in conditional access

    A White List + Block All rules combination would be easy to create. In current CA, customers hate to create tons of {Access 1, Block 1} rule pairs.

    5 votes  ·  2 comments  ·  Conditional Access
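The "What If" evaluation asked for in idea 1 and the per-user effective-policy view in idea 4, exercised against the guest-exclusion gap in idea 7 and the default-block-plus-allowlist pattern in idea 9, as an added example that is not Microsoft code and not the Conditional Access engine itself. It evaluates policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource (conditions.users, conditions.applications, conditions.locations, grantControls, state) against a constructed sign-in, offline. The policies, the break-glass group ID and the named-location ID are constructed; the Exchange Online and SharePoint Online app IDs are the well-known first-party ones (verify them against the service principals in your tenant); the extensibility app ID is the one quoted in idea 7. Device state, client app type, platform and sign-in risk are not modelled.

```python
"""Offline "What If" evaluation of Conditional Access policies (added example)."""
from __future__ import annotations
from dataclasses import dataclass

ALL = "All"
GUESTS = "GuestsOrExternalUsers"   # Graph value for guest/external users

# Well-known first-party app IDs (verify against your tenant's service principals)
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
# App ID quoted in idea 7; it is not selectable in the portal's app picker
SPO_WEB_CLIENT_EXTENSIBILITY = "08e18876-6177-487e-b8b5-cf950c1e598c"
BREAK_GLASS_GROUP = "group-breakglass"   # constructed group ID
HQ_LOCATION = "loc-hq"                   # constructed named-location ID


@dataclass(frozen=True)
class SignIn:
    user_id: str
    groups: frozenset
    app_id: str
    location_id: str | None = None   # named location the client IP resolved to
    is_guest: bool = False


def users_match(cond, s):
    """An include must hit and no exclude may hit: exclusions win over inclusions."""
    inc_users, exc_users = cond.get("includeUsers", []), cond.get("excludeUsers", [])
    inc_groups, exc_groups = set(cond.get("includeGroups", [])), set(cond.get("excludeGroups", []))
    included = (ALL in inc_users or s.user_id in inc_users
                or (s.is_guest and GUESTS in inc_users) or bool(inc_groups & s.groups))
    excluded = (s.user_id in exc_users or (s.is_guest and GUESTS in exc_users)
                or bool(exc_groups & s.groups))
    return included and not excluded


def apps_match(cond, s):
    inc, exc = cond.get("includeApplications", []), cond.get("excludeApplications", [])
    return (ALL in inc or s.app_id in inc) and s.app_id not in exc


def locations_match(cond, s):
    if not cond:                      # no location condition: applies from anywhere
        return True
    inc, exc = cond.get("includeLocations", []), cond.get("excludeLocations", [])
    return (ALL in inc or s.location_id in inc) and s.location_id not in exc


def evaluate(policies, s):
    """Report which policies apply, which are report-only, and the resulting decision.
    Any applying enabled policy carrying 'block' wins; otherwise the grant controls of
    every applying enabled policy must all be satisfied (their operator is carried along)."""
    report = {"applied": [], "reportOnly": [], "notApplied": [],
              "decision": "grant", "requiredControls": {}}
    for p in policies:
        c = p["conditions"]
        applies = (p["state"] != "disabled"
                   and users_match(c["users"], s)
                   and apps_match(c["applications"], s)
                   and locations_match(c.get("locations"), s))
        if not applies:
            report["notApplied"].append(p["displayName"])
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report["reportOnly"].append(p["displayName"])   # would apply, not enforced
            continue
        report["applied"].append(p["displayName"])
        gc = p.get("grantControls") or {}
        controls = gc.get("builtInControls", [])
        if "block" in controls:
            report["decision"] = "block"
        else:
            report["requiredControls"][p["displayName"]] = {
                "operator": gc.get("operator", "OR"), "controls": controls}
    if report["decision"] == "block":
        report["requiredControls"] = {}   # nothing left to satisfy once blocked
    return report


SAMPLE_POLICIES = [   # constructed policies in Graph conditionalAccessPolicy shape
    {   # idea 7's setup: guests blocked everywhere except mail and SharePoint
        "displayName": "Block guests except Exchange and SharePoint",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [GUESTS]},
            "applications": {"includeApplications": [ALL],
                             "excludeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA outside HQ",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [ALL], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": [ALL]},
            "locations": {"includeLocations": [ALL], "excludeLocations": [HQ_LOCATION]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # idea 9's pattern: default block + allowlist, staged as report-only first
        "displayName": "Block all apps except allowlist (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": [ALL], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": [ALL],
                             "excludeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def what_if(user_id, app_id, *, groups=(), location_id=None, is_guest=False,
            policies=SAMPLE_POLICIES):
    return evaluate(policies, SignIn(user_id, frozenset(groups), app_id, location_id, is_guest))


if __name__ == "__main__":
    # Guest on the non-selectable extensibility app: blocked, as idea 7 describes
    print(what_if("guest@partner.example", SPO_WEB_CLIENT_EXTENSIBILITY, is_guest=True))
    # Member outside HQ on an arbitrary app: MFA required, block-all only reported
    print(what_if("alice", "app-random", location_id="loc-elsewhere"))
```

Running it shows why a guest who is allowed SharePoint Online still gets blocked on the extensibility app: the block policy includes all applications and only the two selectable app IDs are excluded, so any app ID the picker cannot express falls on the blocked side. The block-all policy is left in report-only state so its would-be impact appears in the report without enforcement; switching its state to enabled is the cut-over step, and the break-glass group stays excluded from it throughout.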
  10. Conditional Access Flow Map

    In a large BYOD hybrid cloud environment, it is very easy to have many Conditional Access policies that end up overlapping each other, and the Azure Sign-In logs state the status but not the order in which each policy was applied. It would be great if you could add a CA Flow Map like you have the networking map, that would visually show us which policies are going to apply first and which ones overlap for any of the 4 input filters; location, identity, application, device.

    5 votes  ·  0 comments  ·  Conditional Access
  11. Named location limit

    Limit on AAD objects like named locations. We have reached the limit. Auto-approve good locations, more AI.

    5 votes  ·  1 comment  ·  Conditional Access
  12. Provide description when choosing Cloud Apps

    When choosing "Cloud apps" for Conditional access Policies, it is unclear what some are by the names. They should include a brief description so that we know what is being affected.

    For example, what does "Microsoft Azure Management" mean? (Is this this just Azure Portal? Does it include OMS? Does it include O365 Admin Portal? Is PowerShell included?)

    Choosing an application should open another blade with a summary or at least link to an article with descriptions for each.

    5 votes  ·  0 comments  ·  Conditional Access
  13. Trace logs Conditional Access sign in Logs

    Introduction:
    1. My environment uses an approved trusted (by Microsoft) third-party application as MFA.
    2. Created a custom control for that provider.
    3. Created a CA policy so that once a username and password are validated by Azure Active Directory, the condition is to push (redirect) the request to get third-party MFA acceptance (get the security token).
    4. The CA policy is to include all cloud apps (knowing that the Exchange Online app needs a separate rule to disable legacy auth).
    5. If approved by step 3, sign-in is completed successfully, or denied accordingly.

    (*note Microsoft MFA is not enabled nor forced as…

    5 votes  ·  0 comments  ·  Conditional Access
  14. Always ask for MFA when using Azure AD Privileged Identity Management

    Always ask for MFA when using Azure AD Privileged Identity Management, even when you access from a compliant device that is excluded from MFA by a conditional access policy.

    4 votes  ·  0 comments  ·  Conditional Access
  15. Changes to Conditional Access Policies should not get reported as changes to a Default Policy

    Currently, when an admin makes a change to a Conditional Access Policy, changes are also reported for a Default Policy that Administrators have neither visibility nor access to. These changes are shown as being made by a Global Admin, causing confusion and alarms for compliance teams.

    If possible, either hide/filter the events in the logs for the Default Policy, or change the user that is making the change to a Microsoft System account.

    4 votes  ·  0 comments  ·  Conditional Access
  16. Add MFA Challenge type to Conditional Access ruleset.

    We experienced a spear phishing attack where the user routinely approved an MFA challenge for an attacker signing in outside of the country via the Authenticator Approve/Deny challenge.

    If there were an option to require a one-time passcode on a non-company device when outside of the country, this attack would have failed. Or the new passwordless "match the pin on the screen" logon option would have also failed the attack.

    I would like to suggest being able to select the MFA challenge type as an option when creating a new conditional access policy.

    4 votes  ·  0 comments  ·  Conditional Access
  17. Use Conditional Access with the Dynamics 365 Unified Ops app

    At the moment it is not possible to use the Dynamics 365 Unified Ops app when there are policies set up which only allow compliant devices (managed by Intune) to connect to the Dynamics 365 Finance and Operations System.

    4 votes  ·  0 comments  ·  Conditional Access
  18. Pre-Authentication evaluation of conditional access.

    We have several apps and web services on premise that we would like to be evaluated for location and other factors without any authentication provided by the user. In other words we want to be able to prevent access from non-us locations to some of our web services where the caller is unable to authenticate.

    Example: https://webservice.domain,com on premise where there is no authentication required we still want to use azure ad proxy to reach that application and prevent any access from a non-us location using conditional access. Since this is a web service, the calling server will be unable…

    4 votes  ·  1 comment  ·  Conditional Access
  19. Conditional Access: possibility to exclude Azure AD Joined devices

    Today, we can exclude in Device state: devices Hybrid Azure AD Joined or devices marked as (Intune) compliant, but we cannot exclude devices which are only Azure AD Joined.

    4 votes  ·  0 comments  ·  Conditional Access
  20. Rename - 'Require multi-factor authentication'

    https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/

    Per the custom controls, we’re allowing 3rd party MFA providers to be included in a CA policy. (assuming it will be more than MFA providers in the future).

    Can the term ‘Require Multi-factor authentication’ be re-worded to simply ‘Azure MFA / Federated MFA’ or similar.

    Assumption:
    The ‘Require multi-factor authentication’ implies strictly the Azure MFA service (or on-premises federated MFA provider)

    Justification:
    If multiple MFA providers are added to CA (via custom controls), the customer may misinterpret that the 'Require multi-factor authentication' applies to ANY successful MFA auth from any in-scope provider when in reality it only applies to…

    4 votes  ·  1 comment  ·  Conditional Access