Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. 6 votes  ·  0 comments  ·  Conditional Access
  2. Conditional Access Condition for MFA

    Users need to be able to manage their second verification factor when MFA is assigned through a Conditional Access Condition.
    Currently they are not able to change the phone number or add additional phone numbers unless MFA for Office 365 is enabled.
    The default action for Enabled MFA for Office 365 is to change to Enforced when the user logs in. This creates complications for end-users who do not understand the process and strains the support systems trying to deal with end-users as we try to encourage MFA usage.

    6 votes  ·  0 comments  ·  Conditional Access
  3. AAD CA Require approved app list should include all Microsoft apps

    The AAD CA require approved app list should include all Microsoft apps. StaffHub, Flow and so on. The idea to restrict iOS and Android to just a few is an incomplete solution. With App protection policies we can protect all Microsoft apps so this is the right combination when combined with CA. Please extend trusted app list to all MS app protection policy apps.

    6 votes  ·  1 comment  ·  Conditional Access
  4. Effective Conditional Access Policies for users and groups

    Consider adding an option within Azure Active Directory Conditional Access that allows security administrators to check whether the company's conditional access rules are applied effectively for all users and groups.


    • The solution should list all users and groups that are targeted by a specific conditional access policy, and also those who are not hit by the policy

    • The solution should also be usable for troubleshooting which policies are applied to a user.

    This request is also listed on the Intune Feedback uservoice: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/19152421-effective-conditional-access-policies-for-users-an

    Related request: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/17623162-display-summary-of-conditional-access-assignments

    6 votes  ·  0 comments  ·  Conditional Access

    Thanks.
    Some of this is now possible using the Conditional Access What If tool. It can be used to troubleshoot which policies apply to a specific user.
    The second part of the request, listing the impact of a policy on all users, is something we’ll consider. We’re continuing to invest in tools that help with understanding the impact of policies and will make sure it is easy to assess policy coverage.

  5. All the required resources to be capable of being included and excluded from conditional access

    How to correlate sign-ins to ALL applications to add in our CA policies. How do we do that? This isn’t documented anywhere seemingly.

    For example, the attached list of apps we found in our sign-in logs cannot be individually selected. Worked with support, but it's apparently not possible as-is.

    5 votes  ·  0 comments  ·  Conditional Access
  6. Custom Controls

    Please add the ability to use Custom Controls under Conditional Access policies in Azure Government. We need this to utilize 3rd party MFA providers, as can be done on the commercial side.

    5 votes  ·  0 comments  ·  Conditional Access
  7. Make "SharePoint Online Web Client Extensibility" included/excluded from Conditional Access policy when including/excluding SharePoint Online

    We have a Conditional Access policy to block all guest users from accessing all apps, but exclude Exchange Online and SharePoint Online. However, the policy was not working as expected, since users also need to access "SharePoint Online Web Client Extensibility" (app ID 08e18876-6177-487e-b8b5-cf950c1e598c) while visiting SharePoint Online, which is not selectable in a Conditional Access policy, so this access was blocked by the policy.
    Is it possible to implement one of the following:
    1. Make Conditional Access policy controls for "SharePoint Online Web Client Extensibility" automatically align with SharePoint Online.
    2. Make "SharePoint Online Web Client Extensibility" a selectable…

    5 votes  ·  4 comments  ·  Conditional Access
  8. Provide API (or Powershell cmdlet) to feed use cases to Conditional Access "What If"

    My policy configuration is driven by Use Cases (I have almost 100). It would be really awesome if I could take my use cases and be able to feed them to an API\PowerShell cmdlet that would return the same output that the WhatIf tool returns. The idea being when I want to make some design changes I can quickly determine how that change might impact\interact with other existing policies.

    For example, in Excel I have a column for each possible field in the WhatIf tool. I'd like to take that Excel document (or CSV) and feed it to an automated…

    5 votes  ·  1 comment  ·  Conditional Access
  9. Provide more granular conditional access to apps than just "Office 365 SharePoint Online" or "Microsoft Azure Management".

    Provide more granular conditional access to apps than just "Office 365 SharePoint Online" or "Microsoft Azure Management". Both of these block way too much by default, especially "Microsoft Azure Management" as it blocks powerapps portal access for developers. You have this all or nothing approach that doesn't work.

    5 votes  ·  1 comment  ·  Conditional Access
  10. Default Block All rule in conditional access

    A White List + Block All rule combination would be easy to create. In current CA, customers hate to create tons of {Access 1, Block 1} rule pairs.

    5 votes  ·  2 comments  ·  Conditional Access
  11. Conditional Access Flow Map

    In a large BYOD hybrid cloud environment, it is very easy to have many Conditional Access policies that end up overlapping each other, and the Azure Sign-In logs state the status but not the order in which each policy was applied. It would be great if you could add a CA Flow Map, like you have the networking map, that would visually show us which policies are going to apply first and which ones overlap for any of the 4 input filters: location, identity, application, device.

    5 votes  ·  0 comments  ·  Conditional Access
  12. Provide description when choosing Cloud Apps

    When choosing "Cloud apps" for Conditional access Policies, it is unclear what some are by the names. They should include a brief description so that we know what is being affected.

    For example, what does "Microsoft Azure Management" mean? (Is this just the Azure Portal? Does it include OMS? Does it include the O365 Admin Portal? Is PowerShell included?)

    Choosing an application should open another blade with a summary or at least link to an article with descriptions for each.

    5 votes  ·  0 comments  ·  Conditional Access
  13. Trace logs Conditional Access sign in Logs

    Introduction:
    1. My environment uses an approved, trusted (by Microsoft) third-party application for MFA
    2. Created a custom control for that provider
    3. Created a CA policy so that once a username and password are validated by Azure Active Directory, the condition is to push (redirect) the request to get third-party MFA acceptance (get the security token)
    4. The CA policy includes all cloud apps (knowing that the Exchange Online app needs a separate rule to disable legacy auth.)
    5. If approved in step 3, sign-in completes successfully, or is denied accordingly

    (*note Microsoft MFA is not enabled nor forced as…

    5 votes  ·  0 comments  ·  Conditional Access
  14. Assignment of Conditional Access policy to eligible member of directory roles

    Conditional Access Policies can be assigned to members of a directory role. But it's limited to users with a permanent or active role assignment (after PIM activation of the requested eligible role).

    It would be a useful security option to protect those groups of users at an early stage (even without standing permissions). The assignment in CA Policies should be configured on their eligible role.

    Currently you have to create and manage CA assignment for eligible roles separately from your configuration in PIM. Otherwise, policies will only take effect at the next CA evaluation after activation of the PIM role.

    4 votes  ·  0 comments  ·  Conditional Access
  15. Allow Dynamics 365 Sales as Cloud app in Conditional Access Policy

    Please implement this so we can also select "Dynamics 365 Customer Engagement" / CRM / Sales module under "Cloud App" in conditional access policies.
    Also for Business Central ...

    4 votes  ·  1 comment  ·  Conditional Access
  16. Prevent password brute force by blocking suspicious IP addresses

    Conditional Access comes into play after checking the user and password. Having country blocking or a block list of IPs there is too late.

    Every night there are a lot of password brute force attacks, mostly from the same IP addresses. To protect the users from being locked out when they arrive in the morning, these IPs are added to a blacklist, but the requests from these IP addresses are not blocked the way a firewall would block them. These requests go to Azure AD to authenticate the user, and after some wrong passwords the account is locked out…

    4 votes  ·  0 comments  ·  Conditional Access
  17. Always ask for MFA when using Azure AD Privileged Identity Management

    Always ask for MFA when using Azure AD Privileged Identity Management, even when you access it from compliant devices that are excluded from MFA by a conditional access policy

    4 votes  ·  0 comments  ·  Conditional Access
  18. Changes to Conditional Access Policies should not get reported as changes to a Default Policy

    Currently, when an admin makes a change to a Conditional Access Policy, changes are also reported for a Default Policy that Administrators have neither visibility into nor access to. These changes are shown as being made by a Global Admin, causing confusion and alarms for compliance teams.

    If possible, either hide/filter the events in the logs for the Default Policy, or change the user that is making the change to a Microsoft System account.

    4 votes  ·  0 comments  ·  Conditional Access
  19. Add MFA Challenge type to Conditional Access ruleset.

    We experienced a spear phishing attack where the user routinely approved an MFA challenge for an attacker signing in outside of the country via the Authenticator Approve/Deny challenge.

    If there were an option to require a one-time passcode on a non-company device when outside of the country, this attack would have failed. Or the new passwordless "match the pin on the screen" logon option would have also failed the attack.

    I would like to suggest being able to select the MFA challenge type as an option when creating a new conditional access policy.

    4 votes  ·  0 comments  ·  Conditional Access
  20. Use Conditional Access with the Dynamics 365 Unified Ops app

    At the moment it is not possible to use the Dynamics 365 Unified Ops app when there are policies set up which only allow compliant devices (managed by Intune) to connect to the Dynamics 365 Finance and Operations system.

    4 votes  ·  0 comments  ·  Conditional Access