Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Support for accessing SharePoint on-prem files through Application Proxy from Android and iOS Office apps

    Problem:
    - Access is blocked (you cannot open the document) when Approved Client App is a requirement in the CA policy ("You cannot get there from here" message)
    - After trying to authenticate (and being blocked) the Office app needs to be restarted to be responsive again.

    Possible solutions:
    - rewrite the authentication flow to use the auth token saved on the device - instead of trying to reauthenticate with webkit browser
    - use Edge browser inside the apps to reauthenticate
    - Treat webkit as an approved app when inside an office app

    Since all the users' recent documents are…

    6 votes
    1 comment  ·  Conditional Access
  2. Provide API (or Powershell cmdlet) to feed use cases to Conditional Access "What If"

    My policy configuration is driven by Use Cases (I have almost 100). It would be really awesome if I could take my use cases and be able to feed them to an API\PowerShell cmdlet that would return the same output that the WhatIf tool returns. The idea being when I want to make some design changes I can quickly determine how that change might impact\interact with other existing policies.

    For example, in Excel I have a column for each possible field in the WhatIf tool. I'd like to take that Excel document (or CSV) and feed it to an automated…

    6 votes
    1 comment  ·  Conditional Access
  3. Documentation about Conditional Access Policy Limits

    Currently, there is no documentation stating there is a silent limit of 100 Conditional Access policies that can be queried. This is causing frustration and unnecessary man-hours for customers to understand why their policies aren't evaluating even though they are passing the "What-If" query. My understanding is that the limit is currently 100 and is being raised to 195, with code put in to limit customers' ability to create more than 195 Conditional Access policies so this issue does not occur. We would like to recommend that this limitation be added to customer-facing documentation regarding Conditional Access policies in…

    6 votes
    1 comment  ·  Conditional Access
  4. 6 votes
    0 comments  ·  Conditional Access
  5. Conditional Access Condition for MFA

    Users need to be able to manage their second verification factor when MFA is assigned through a Conditional Access Condition.
    Currently they are not able to change the phone number or add additional phone numbers unless MFA for Office 365 is enabled.
    The default action for Enabled MFA for Office 365 is to change to Enforced when the user logs in. This creates complications for end-users who do not understand the process and strains the support systems trying to deal with end-users as we try to encourage MFA usage.

    6 votes
    0 comments  ·  Conditional Access
  6. AAD CA "Require approved app" list should include all Microsoft apps

    The AAD CA require approved app list should include all Microsoft apps. StaffHub, Flow and so on. The idea to restrict iOS and Android to just a few is an incomplete solution. With App protection policies we can protect all Microsoft apps so this is the right combination when combined with CA. Please extend trusted app list to all MS app protection policy apps.

    6 votes
    1 comment  ·  Conditional Access
  7. Assignment of Conditional Access policy to eligible member of directory roles

    Conditional Access policies can be assigned to members of a directory role. But it's limited to users with a permanent or active role assignment (after PIM activation of the requested eligible role).

    It would be a useful security option to protect those groups of users at an early stage (even without standing permissions). The assignment in CA Policies should be configured on their eligible role.

    Currently you have to create and manage CA assignment for eligible roles separately from your configuration in PIM. Otherwise, policies will only be affected at the next CA evaluation after activation of the PIM role.

    5 votes
    0 comments  ·  Conditional Access
  8. All the required resources to be capable of being included and excluded from conditional access

    How to correlate sign-ins to ALL applications to add in our CA policies. How do we do that? This isn’t documented anywhere seemingly.

    For example, attached listed apps we found to be in our sign-in logs that cannot be individually selected. Worked with support, but it's apparently not possible as-is.

    5 votes
    0 comments  ·  Conditional Access
  9. Please allow Education to be an exception for Conditional Access Policy blocking Azure management portal

    Please allow Education (Azure Dev Tools for Teaching, Education software downloads) to be an exception for the Conditional Access policy blocking the Azure management portal. We want students to be able to download software they are entitled to, but not to have access to Azure AD management or other Azure portal functionality.

    5 votes
    1 comment  ·  Conditional Access
  10. Make "SharePoint Online Web Client Extensibility" included/excluded from a Conditional Access policy when SharePoint Online is included/excluded

    We have a Conditional Access policy to block all guest users from accessing all apps, but exclude Exchange Online and SharePoint Online. However, the policy was not working as expected, since users also need to access "SharePoint Online Web Client Extensibility" (app ID 08e18876-6177-487e-b8b5-cf950c1e598c) while visiting SharePoint Online, which is not selectable in a Conditional Access policy, so this access was blocked by the policy.
    Is it possible to implement one of the following:
    1. Make Conditional Access policy controls for "SharePoint Online Web Client Extensibility" automatically align with SharePoint Online.
    2. Make "SharePoint Online Web Client Extensibility" a selectable…

    5 votes
    4 comments  ·  Conditional Access
  11. Provide more granular conditional access to apps than just "Office 365 SharePoint Online" or "Microsoft Azure Management".

    Provide more granular conditional access to apps than just "Office 365 SharePoint Online" or "Microsoft Azure Management". Both of these block way too much by default, especially "Microsoft Azure Management" as it blocks powerapps portal access for developers. You have this all or nothing approach that doesn't work.

    5 votes
    1 comment  ·  Conditional Access
  12. Default Block All rule in conditional access

    A White List + Block All rules combination would be easy to create. In current CA, customers hate to create tons of {Access 1, Block 1} rule pairs.

    5 votes
    3 comments  ·  Conditional Access
  13. Conditional Access Flow Map

    In a large BYOD hybrid cloud environment, it is very easy to have many Conditional Access policies that end up overlapping each other, and the Azure Sign-In logs state the status but not the order in which each policy was applied. It would be great if you could add a CA Flow Map like you have the networking map, that would visually show us which policies are going to apply first and which ones overlap for any of the 4 input filters; location, identity, application, device.

    5 votes
    0 comments  ·  Conditional Access
  14. Provide description when choosing Cloud Apps

    When choosing "Cloud apps" for Conditional access Policies, it is unclear what some are by the names. They should include a brief description so that we know what is being affected.

    For example, what does "Microsoft Azure Management" mean? (Is this just the Azure Portal? Does it include OMS? Does it include the O365 Admin Portal? Is PowerShell included?)

    Choosing an application should open another blade with a summary or at least link to an article with descriptions for each.

    5 votes
    0 comments  ·  Conditional Access
  15. Enable configuration of how long MFA can be remembered within a Conditional Access Policy.

    A configuration option for how long an MFA can be remembered within a Conditional Access policy.
    This would enable a longer window for MFA challenges on registered devices (e.g. Outlook on mobile devices),
    while allowing a narrow window when signing on with browser access from an unknown device.

    Being able to configure how long MFA is remembered per policy would provide more flexibility to protecting the user identity but account for more known and unknown device scenarios.

    5 votes
    0 comments  ·  Conditional Access
  16. Trace logs Conditional Access sign in Logs

    Introduction:
    1. My environment uses an approved, trusted (by Microsoft) third-party application as MFA.
    2. Created a custom control for that provider.
    3. Created a CA policy so that once a username and password are validated by Azure Active Directory, the condition is to push (redirect) the request to get third-party MFA acceptance (get the security token).
    4. The CA policy includes all cloud apps (knowing that the Exchange Online app needs a separate rule to disable legacy auth).
    5. If approved by step 3, sign-in is completed successfully, or denied accordingly.

    (*note Microsoft MFA is not enabled nor forced as…

    5 votes
    0 comments  ·  Conditional Access
  17. Replace Oauth tokens admin role from GA to authentication admin

    MS suggests that limiting the GA role should be done, but without the GA role you cannot assign OAuth tokens.
    Can you please replace this role with something else? For example, the Authentication Administrator role.

    4 votes
    0 comments  ·  Conditional Access
  18. Apply Conditional Access blocks before authentication

    Conditional Access policies that completely block access should be applied before allowing the user to attempt authentication, because otherwise an attacker can still crack a user's password (e.g. using a botnet) even though Conditional Access prevents them from actually using the account. This cracked password can then be used to access the account under different circumstances in which Conditional Access allows access.

    4 votes
    1 comment  ·  Conditional Access
  19. Allow Dynamics 365 Sales as Cloud app in Conditional Access Policy

    Please implement so we can also select "Dynamics 365 Customer Engagement" / CRM / Sales module under "Cloud App" in Conditional Access policies.
    Also for Business Central ...

    4 votes
    1 comment  ·  Conditional Access
  20. Block only Azure Portal using Conditional Access not the all management endpoints

    We created a Conditional Access policy to block sign-in to the Azure management portal, and we are getting reports from users accessing the Visual Studio subscriptions administrator portal that they are getting the error "Your sign-in was successful but you don't have permission to access this resource." How can I block sign-in to https://portal.azure.com only? I don't want to block sign-in to the Visual Studio subscriptions administrator portal.

    We have a use case, where we want to block sign in to the Azure portal for All users except a group of users. And there are few users to whom we want…

    4 votes
    0 comments  ·  Conditional Access