Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Display Summary of Conditional Access Assignments

    Instead of requiring admins to click every Assignment to see the details of the CA rule they created, show a summary of what the policy does, in the user's native language.

    See attached file to get an idea of what I'm saying.

    6 votes  ·  0 comments  ·  Conditional Access
  2. Ability to block all cloud apps except the ones for Intune enrollment (Windows 10)

    We have a Conditional Access policy which is configured to grant access to All cloud apps only if you are hybrid domain joined or compliant.

    We would like to setup exclusions within this CA for Intune enrollment apps, because selecting Microsoft Intune and Microsoft Intune Enrollment are not encompassing enough.

    During the enrollment process (e.g. Windows 10 device BYOD or during Autopilot account setup) the Microsoft Application Command Service app is used; unfortunately it can be excluded.

    I have raised and identified this issue with MS support under case number 119091321001371

    5 votes  ·  0 comments  ·  Conditional Access
  3. Conditional Access must fully block access to portal.office.com if conditions are not met

    After enabling Conditional Access, and confirming that our policies were correct and comprehensive with Microsoft, I noticed that users that did not meet the CA policy could still authenticate to portal.office.com successfully and *see* available apps and recent documents. If the user clicks on anything (apps or docs) access is correctly blocked via Conditional Access.

    However, if a user does not meet the Conditional Access criteria, that user should *not* be allowed to see *any* content and should instead be greeted by the message, "your login was successful but..." that usually accompanies a conditional access denial.

    It is not good…

    5 votes  ·  0 comments  ·  Conditional Access
  4. Conditional Access Flow Map

    In a large BYOD hybrid cloud environment, it is very easy to have many Conditional Access policies that end up overlapping each other, and the Azure Sign-In logs state the status but not the order in which each policy was applied. It would be great if you could add a CA Flow Map like you have the networking map, that would visually show us which policies are going to apply first and which ones overlap for any of the 4 input filters; location, identity, application, device.

    5 votes  ·  0 comments  ·  Conditional Access
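A worked illustration of ideas 1 and 4, added here as an example (it is not code from the original page or from Microsoft): a small Python script that renders a one-line summary of each Conditional Access policy from its Microsoft Graph JSON shape, then lists which policies fire for a given sign-in. Conditional Access has no policy ordering: every enabled policy whose assignments match is enforced together, the grant controls of all of them must be satisfied, and a block from any one of them wins. The three policies, and every id and group name in them, are constructed placeholders, and the matcher covers only the users, applications, client-app-type and location conditions.

```python
"""Summarise Conditional Access policies and list the ones that fire for a sign-in.

Added example, not code from the original page or from Microsoft. Policies use the
Microsoft Graph conditionalAccessPolicy JSON shape; the policies below are constructed
samples and every id and group name in them is a placeholder.
"""
from dataclasses import dataclass, field

# Constructed sample policies (placeholder ids, not real tenant objects).
POLICIES = [
    {"displayName": "Require compliant or hybrid-joined device for all apps",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeGroups": ["grp-break-glass"]},
         "applications": {"includeApplications": ["All"],
                          "excludeApplications": ["app-intune-enrollment"]},
         "clientAppTypes": ["all"],
         "locations": {"includeLocations": ["All"], "excludeLocations": []}},
     "grantControls": {"operator": "OR",
                       "builtInControls": ["compliantDevice", "domainJoinedDevice"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA for admins on the management app",
     "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-admins"]},
                    "applications": {"includeApplications": ["app-azure-management"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


@dataclass
class SignIn:
    """The inputs idea 4 lists: identity, application, device/client type, location."""
    user: str
    app: str
    groups: set = field(default_factory=set)
    client_app_type: str = "browser"   # a Graph clientAppTypes value
    location: str = "untrusted"        # named-location id, or anything not in a list


def _users_match(cond, s):
    inc = cond.get("includeUsers", []) + cond.get("includeGroups", [])
    exc = cond.get("excludeUsers", []) + cond.get("excludeGroups", [])
    included = "All" in inc or s.user in inc or bool(s.groups & set(inc))
    excluded = s.user in exc or bool(s.groups & set(exc))
    return included and not excluded

def _apps_match(cond, s):
    inc, exc = cond.get("includeApplications", []), cond.get("excludeApplications", [])
    return ("All" in inc or s.app in inc) and s.app not in exc

def _locations_match(cond, s):
    if not cond:                       # no location condition means every location
        return True
    inc, exc = cond.get("includeLocations", []), cond.get("excludeLocations", [])
    return ("All" in inc or s.location in inc) and s.location not in exc

def applies(policy, s):
    """True when the policy is enabled and every configured assignment matches."""
    c = policy["conditions"]
    client_types = c.get("clientAppTypes", ["all"])
    return (policy["state"] == "enabled"
            and _users_match(c["users"], s)
            and _apps_match(c["applications"], s)
            and ("all" in client_types or s.client_app_type in client_types)
            and _locations_match(c.get("locations"), s))

def _fmt(inc, exc):
    return (", ".join(inc) if inc else "(none)") + (f" except {', '.join(exc)}" if exc else "")

def summarize(policy):
    """One-line, human-readable description of what a policy does (idea 1)."""
    c, g = policy["conditions"], policy["grantControls"]
    u, a, loc = c["users"], c["applications"], c.get("locations", {})
    who = _fmt(u.get("includeUsers", []) + u.get("includeGroups", []),
               u.get("excludeUsers", []) + u.get("excludeGroups", []))
    what = _fmt(a.get("includeApplications", []), a.get("excludeApplications", []))
    where = _fmt(loc.get("includeLocations", ["All"]), loc.get("excludeLocations", []))
    grant = f" {g['operator']} ".join(g["builtInControls"])
    return (f"[{policy['state']}] {policy['displayName']}: users={who}; apps={what}; "
            f"clients={', '.join(c.get('clientAppTypes', ['all']))}; "
            f"locations={where}; grant={grant}")

def evaluate(policies, s):
    """Every matching policy is enforced together (no ordering) and block wins (idea 4).

    Returns (matching policy names, decision): "block", "allow" when nothing matched,
    or the list of (operator, controls) requirements that must all be satisfied.
    """
    matched = [p for p in policies if applies(p, s)]
    names = [p["displayName"] for p in matched]
    if any("block" in p["grantControls"]["builtInControls"] for p in matched):
        return names, "block"
    if not matched:
        return names, "allow"
    return names, [(p["grantControls"]["operator"], p["grantControls"]["builtInControls"])
                   for p in matched]

if __name__ == "__main__":
    for p in POLICIES:
        print(summarize(p))
    print(evaluate(POLICIES, SignIn("alice@contoso.example", "app-azure-management", {"grp-admins"})))
    print(evaluate(POLICIES, SignIn("bob@contoso.example", "app-exchange",
                                    client_app_type="exchangeActiveSync")))
    print(evaluate(POLICIES, SignIn("carol@contoso.example", "app-intune-enrollment",
                                    {"grp-break-glass"})))
```

Running it prints the three summaries and then three evaluations: the admin sign-in collects the requirements of both the device policy and the MFA policy, the ActiveSync sign-in is blocked even though the device policy also matched, and the break-glass user enrolling a device matches nothing. Pointing the same functions at the output of a Graph `GET /identity/conditionalAccess/policies` call gives the summary view idea 1 asks for.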
  6. Ability to customize email messages that are auto-generated

    Whenever an admin uses an Azure Conditional Access policy to either:

    1. Block Exchange ActiveSync (Legacy Auth)
    or
    2. Enforce MFA on Exchange ActiveSync

    End users would receive the following email notification on their iOS/Android devices when trying to log in to Outlook email using ActiveSync with Legacy Auth (iOS and Android native mail client, Gmail app).

    Please see attachments for email message details. When end users click on the "Learn More" link, it directs them to www.microsoft.com, which contains Microsoft ads, which is unacceptable. It would be ideal if it directed to an MFA article or the company's internal link.

    5 votes  ·  0 comments  ·  Conditional Access
  7. Provide description when choosing Cloud Apps

    When choosing "Cloud apps" for Conditional access Policies, it is unclear what some are by the names. They should include a brief description so that we know what is being affected.

    For example, what does "Microsoft Azure Management" mean? (Is this this just Azure Portal? Does it include OMS? Does it include O365 Admin Portal? Is PowerShell included?)

    Choosing an application should open another blade with a summary or at least link to an article with descriptions for each.

    5 votes  ·  0 comments  ·  Conditional Access
  8. Trace logs Conditional Access sign in Logs

    Introduction:
    1. My environment uses an approved, trusted (by Microsoft) third-party application as MFA.
    2. Created a custom control for that provider.
    3. Created a CA policy so that once a username and password is validated by Azure Active Directory, the condition is to push (redirect) the request to get third-party MFA acceptance (get the security token).
    4. The CA policy includes all cloud apps (knowing that the Exchange Online app needs a separate rule to disable legacy auth).
    5. If approved by step 3, sign-in is completed successfully, or denied accordingly.

    (*note Microsoft MFA is not enabled nor forced as…

    5 votes  ·  0 comments  ·  Conditional Access
  9. AAD CA Require approved app list should include all Microsoft apps

    The AAD CA require approved app list should include all Microsoft apps. StaffHub, Flow and so on. The idea to restrict iOS and Android to just a few is an incomplete solution. With App protection policies we can protect all Microsoft apps so this is the right combination when combined with CA. Please extend trusted app list to all MS app protection policy apps.

    5 votes  ·  1 comment  ·  Conditional Access
  10. Please provide an option to enforce (repeated) MFA for app access, even if SSO token already indicates MFA completed

    We have a requirement for an application to always enforce MFA to the user. E.g. user logs in to Windows 10 with Hello for Business, then MFA is already satisfied when evaluating Conditional Access factors. But we need the user to authenticate again because this is a critical application.
    Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.
    E.g. to prevent a malicious user from logging in to the app when a workstation is left unlocked.
    Possible option to decrease MaxAgeMultiFactor to 0 (but this may break other things or annoy user for…

    4 votes  ·  1 comment  ·  Conditional Access
  11. Provide more granular conditional access to apps than just "Office 365 SharePoint Online" or "Microsoft Azure Management".

    Provide more granular conditional access to apps than just "Office 365 SharePoint Online" or "Microsoft Azure Management". Both of these block way too much by default, especially "Microsoft Azure Management" as it blocks powerapps portal access for developers. You have this all or nothing approach that doesn't work.

    4 votes  ·  1 comment  ·  Conditional Access
  12. Use Conditional Access with the Dynamics 365 Unified Ops app

    At the moment it is not possible to use the Dynamics 365 Unified Ops app when there are policies set up which only allow compliant devices (managed by Intune) to connect to the Dynamics 365 Finance and Operations system.

    4 votes  ·  0 comments  ·  Conditional Access
  13. Rename - 'Require multi-factor authentication'

    https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/

    Per the custom controls, we’re allowing 3rd party MFA providers to be included in a CA policy. (assuming it will be more than MFA providers in the future).

    Can the term ‘Require Multi-factor authentication’ be re-worded to simply ‘Azure MFA / Federated MFA’ or similar.

    Assumption:
    The ‘Require multi-factor authentication’ implies strictly the Azure MFA service (or on-premises federated MFA provider)

    Justification:
    If multiple MFA providers are added to CA (via custom controls), the Customer may mis-interpret that the ‘Require multi-factor authentication’ applies to ANY successful MFA auth from any in-scope provider when in reality it only applies to…

    4 votes  ·  1 comment  ·  Conditional Access
  14. Resolve gaps in Conditional Access policy enforcement

    We have several questions related to the information contained in the following portion of the KB article related to Conditional Access (e.g. "when is a location evaluated"):

    docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations#when-is-a-location-evaluated

    Question #1:
    As described in the KB article, it appears that a user logon attempt from a blacklisted location such as "China" would be blocked, but only AFTER the user's credentials (username + password) were accepted as valid.

    How is this an acceptable control considering the following scenario?:

    A user's Azure account originates from an on-premises Active Directory. Their password is synchronized to Azure, providing SSO for the user. A bad-actor from…

    4 votes  ·  0 comments  ·  Conditional Access
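For ideas 8 and 14 together, an added example (not from the original page or from Microsoft) over constructed sign-in records in the Microsoft Graph signIn shape: it traces which policies were applied to each sign-in and what each one enforced, and it flags sign-ins that Conditional Access blocked after the password had already been accepted. Because Conditional Access is evaluated after first-factor authentication, such an event means the attacker had the correct password; the practical answer to question 1 in idea 14 is to treat that blocked sign-in as a credential-exposure signal and reset the password, rather than relying on the block alone. Users, IPs, policy names and the control strings are placeholders; the error codes 53003 and 50126 are the real AADSTS codes for "blocked by Conditional Access" and "invalid username or password".

```python
"""Trace applied Conditional Access policies in sign-in logs and flag the
'correct password, blocked by CA' case.

Added example, not from the original page or from Microsoft. Records follow the
Microsoft Graph signIn shape (status, conditionalAccessStatus,
appliedConditionalAccessPolicies); every record below is constructed, with
placeholder users, IPs, policy names and control strings. 53003 and 50126 are
the real AADSTS codes for 'blocked by Conditional Access' and 'invalid
username or password'.
"""
from collections import defaultdict

CA_BLOCKED = 53003
BAD_PASSWORD = 50126

# Constructed sample sign-in events (not real log data).
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "CN"},
     "status": {"errorCode": CA_BLOCKED}, "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block disallowed countries", "result": "failure",
          "enforcedGrantControls": ["Block"]},
         {"displayName": "Third-party MFA via custom control", "result": "notApplied",
          "enforcedGrantControls": []}]},
    {"id": "s2", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "CN"},
     "status": {"errorCode": BAD_PASSWORD}, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"id": "s3", "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block disallowed countries", "result": "notApplied",
          "enforcedGrantControls": []},
         {"displayName": "Third-party MFA via custom control", "result": "success",
          "enforcedGrantControls": ["CustomControl"]}]},
]


def trace(sign_in):
    """Per-policy outcome for one sign-in: which policies matched and what each enforced (idea 8)."""
    return [(p["displayName"], p["result"], p["enforcedGrantControls"])
            for p in sign_in["appliedConditionalAccessPolicies"]]


def blocking_policy(sign_in):
    """Name of the policy that produced the CA block, or None if nothing blocked."""
    for name, result, controls in trace(sign_in):
        if result == "failure" and "Block" in controls:
            return name
    return None


def valid_password_but_blocked(sign_ins):
    """Sign-ins that CA blocked AFTER the primary credential was accepted (idea 14).

    CA runs after first-factor authentication, so a 53003 / conditionalAccessStatus
    'failure' event means the password was correct. A 50126 from the same source is
    only a guess and is deliberately not reported here.
    """
    hits = []
    for s in sign_ins:
        if s["status"]["errorCode"] == CA_BLOCKED or s["conditionalAccessStatus"] == "failure":
            hits.append({"id": s["id"], "user": s["userPrincipalName"], "ip": s["ipAddress"],
                         "country": s["location"]["countryOrRegion"],
                         "blocked_by": blocking_policy(s)})
    return hits


def users_to_reset(sign_ins):
    """Users whose password should be treated as known to an attacker, with hit counts."""
    counts = defaultdict(int)
    for h in valid_password_but_blocked(sign_ins):
        counts[h["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for s in SIGN_INS:
        print(s["id"], trace(s))
    print(valid_password_but_blocked(SIGN_INS))
    print(users_to_reset(SIGN_INS))
```

The `trace` output is what idea 8 is asking the sign-in logs to show directly: per policy, whether it was applied and which control it enforced, so a denial can be attributed to the custom control policy rather than to Azure MFA. On real data, feed the function the records returned by Graph `GET /auditLogs/signIns` (the `appliedConditionalAccessPolicies` field is populated for tenants with the required licence).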
  15. Separating Office 365 admin via conditional access

    Is it possible to control web access to the Office Admin portal separately from the rest of portal.office.com?

    Use case: we want to enforce MFA for office admin but not other office services

    4 votes  ·  1 comment  ·  Conditional Access
  16. AAD CA Require approved client app setting enabled

    When the AAD CA "Require approved client app" setting is enabled, end users are prevented from accessing data with other apps, but are not prompted to use Outlook. End users cannot know that only the Outlook app can access the data. Will this behavior be modified to remind the end user to use Outlook when the message is displayed saying that access from other apps is prevented?

    4 votes  ·  0 comments  ·  Conditional Access
  17. Support cloning of CA policies

    Support cloning of existing policies in the UI

    4 votes  ·  1 comment  ·  Conditional Access
  18. All Baseline Conditional Access Policies: Allow Exclude / Include Users

    For all baseline conditional access policies, it is important to either include / exclude users to help with phasing out a rollout. There are a number of scenarios where it is not practical to dump truck a universal policy while rolling out. This was allowed at one point but is now not available.

    3 votes  ·  0 comments  ·  Conditional Access
  19. Ask always for MFA when using Azure AD Privileged Identity Management

    Ask always for MFA when using Azure AD Privileged Identity Management, even when you access from compliant devices that are excluded from MFA by a conditional access policy.

    3 votes  ·  0 comments  ·  Conditional Access
  20. Add Office 365 Admin Mobile app as Approved Client App

    We noticed that the Office 365 Admin mobile app is not listed as an Approved Client app from Microsoft. This is affecting our users who have assigned admin roles in Azure and Office 365, restricting use to Approved Client Apps. Are there plans to add the Microsoft Office 365 Admin app as a Microsoft Approved client app? Conditional access is flagging this as Office 365 Management.

    3 votes  ·  0 comments  ·  Conditional Access