Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Resolve gaps in Conditional Access policy enforcement

    We have several questions related to the information contained in the following portion of the KB article related to Conditional Access (e.g. "when is a location evaluated"):

    docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations#when-is-a-location-evaluated

    Question #1:
    As described in the KB article, it appears that a user logon attempt from a blacklisted location such as "China" would be blocked, but only AFTER the user's credentials (username + password) were accepted as valid.

    How is this an acceptable control considering the following scenario?:

    A user's Azure account originates from an on-premises Active Directory. Their password is synchronized to Azure, providing SSO for the user. A bad-actor from…

    4 votes
    0 comments  ·  Conditional Access
  2. Separating Office 365 admin via conditional access

    Is it possible to control web access to the Office Admin portal separately from the rest of portal.office.com?

    Use case: we want to enforce MFA for office admin but not other office services

    4 votes
    1 comment  ·  Conditional Access
  3. AAD CA Require approved client app setting enabled

    When the AAD CA "Require approved client app" setting is enabled, end users are prevented from using other apps to access data, but are not prompted to use Outlook. End users cannot know that only the Outlook app can access the data. Will this behavior be modified to remind the end user to use Outlook when the message that access from other apps is prevented is displayed?

    4 votes
    0 comments  ·  Conditional Access
  4. Apply Conditional Access to shared links

    Please allow us to apply (some) Conditional Access rules to users accessing sharing links.

    Use case:
    We want to force external users to acknowledge a Terms of Use document even if they only received a "named user" link (SP Admin Center Sharing config is set to "New and existing guests").

    The current Conditional Access rules only apply to existing users, but as a user that received a shared file is not an AAD user, they are not prompted to accept the Terms of Use. In our use case, this is more important than for already existing guest accounts how (normally)…

    3 votes
    0 comments  ·  Conditional Access
  5. Replace OAuth tokens admin role from GA to authentication admin

    MS suggests that the GA role should be limited, but without the GA role you cannot assign OAuth tokens.
    Can you please replace this role with something else? For example, the authentication admin role.

    3 votes
    0 comments  ·  Conditional Access
  6. Allow Dynamics 365 Sales as Cloud app in Conditional Access Policy

    Please implement so we can select in conditional access policies under "Cloud App" also "Dynamics 365 Customer Engagement " / CRM / Sales module.
    Also for Business Central ...

    3 votes
    1 comment  ·  Conditional Access
  7. Set conditional access to a specific instance of Dynamics 365

    Within CA, you can use Conditional Access to restrict access to Dynamics 365 generally. However, it would be more beneficial if you could restrict access to individual Dynamics 365 instances/environments.

    The main reason for this is because once a CA policy is enabled for Dynamics 365, you cannot perform a build within DevOps, so the workaround is for the policy to be temporarily disabled. (user or app exclusions do not work in this scenario)

    If the policy is set per environment, this reduces the risk to any production environments when CA is disabled.

    Furthermore, organisations may have different CRM solutions for different business…

    3 votes
    0 comments  ·  Conditional Access
  8. Baseline Policy: End user protection

    I realize that this conditional access policy is still in preview. Currently it only seems to allow the Microsoft Authenticator app as the MFA method. However, the description of the policy says it is the default method, not the only method. I suggest either changing the description to "only", or enabling other authentication methods.

    3 votes
    3 comments  ·  Conditional Access
  9. User sign-in frequency is way too coarse

    We need to always enforce MFA when accessing an Enterprise app (to make sure nobody is making use of a left-alone computer with an unlocked screen). Therefore, instead of hours/days for sign-in frequency we would like to have a checkbox 'always have user sign in'.

    3 votes
    0 comments  ·  Conditional Access
  10. Add Office 365 Admin Mobile app as Approved Client App

    We noticed that the Office 365 Admin mobile app is not listed as an Approved Client app from Microsoft. This is affecting our users who have assigned admin roles in Azure and Office 365, restricting use to Approved Client Apps. Are there plans to add the Microsoft Office 365 Admin app as a Microsoft Approved client app? Conditional access is flagging this as Office 365 Management.

    3 votes
    1 comment  ·  Conditional Access
  11. O365 admin portal access from untrusted network

    O365 admin portal is accessible from untrusted networks. It requires MFA (as it should) but should not allow access even with MFA, from an untrusted network. The desired state is for access to the O365 admin portal to be blocked from any untrusted network. There does not appear to be an app registration to add to Conditional Access policies to accomplish this like we have done for the Azure Portal.

    3 votes
    0 comments  ·  Conditional Access
  12. Conditional Access alert for blocked countries

    Generate an email alert to ADMINS if any sign-in is FAILED\SUCCESS due to a Conditional Access policy.

    We do have a conditional access policy to block sign-in from a specific set of countries. In case someone tries to access from the blocked countries, we would like to get an email alert for both FAILURE and SUCCESS (as a CA policy cannot be linked with ActiveSync, we need successful logins from blocked countries too).

    3 votes
    0 comments  ·  Conditional Access

    I recommend taking a look at Log Analytics and how to use it with the Azure AD sign-in reports:

    https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-Activity-logs-in-Azure-Log-Analytics-now/ba-p/274843

    You can use Log Analytics to send notification on detail in the sign in report, like blocked policies.

    We’ll also keep this in mind as we look at further reporting and notification improvements.

    Thanks

  13. Enable conditional access for OAuth flows

    It would be great to apply conditional access policies to OAuth token flows. Currently, when I add a policy to a certain user/IP/app, I can still use the OAuth2 code flow to get a valid code and (in the next step) a valid token.

    Maybe you could add an option to select whether a policy should be applied to these auth flows.

    3 votes
    0 comments  ·  Conditional Access
  14. Addition of In-Blade "New Location" for Named Locations when creating CA Policy

    When creating Conditional Access Policies, users are forced to exit the creation process to define Named Locations. The addition of a "New Location" button while in the blade would decrease the number of steps required for those already in the creation process.

    3 votes
    0 comments  ·  Conditional Access
  15. Discover Available Applications

    When creating Conditional Access rules and choosing "Cloud apps", it only displays a limited number of applications. You can search for other applications but you need to already know their name. There is no other way to get a larger list of applications or more pages.

    We need a way to discover what applications are available for us to secure.

    Having applications that we could better secure without being able to know what these applications are sounds like a big security risk.

    3 votes
    0 comments  ·  Conditional Access
  16. Fix the Apps list in Conditional Access Policy creation to contain only Apps and Service endpoints that are relevant

    Remove the Office 365 Mail, Office 365 Calendar and other things that are just Azure app shortcuts to OWA and Calendar in OWA etc, as they are not service endpoints or SaaS apps or on-premises apps, they just confuse admins as to what are the applicable Apps for a Conditional Access Policy (CAP) and what are just shortcuts, essentially.

    3 votes
    1 comment  ·  Conditional Access
  17. Microsoft To Do

    How can we get "Microsoft To Do" added as an approved app for Conditional Access?

    3 votes
    0 comments  ·  Conditional Access
  18. Not able to monitor if conditional access works or not

    We find that it is not possible for IT to monitor whether the policies work or not unless we test with non-compliant devices accessing the cloud services.
    We ran into a problem where, when we randomly tested on non-compliant devices, the conditional access just did not work, and we had no idea when this issue had occurred. Now the issue is gone after the reassignment.
    But this brings security risks for company data. Could there be any method or any monitoring report for IT to check the policy status?

    3 votes
    0 comments  ·  Conditional Access
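Added example (not from this page, and not Microsoft's code): a small Python triage of Azure AD sign-in log records that covers two of the requests above. For idea 12 it raises an alert for every sign-in from a blocked country, both the failures the policy blocked and the successes that slipped past it (for instance a legacy client such as Exchange ActiveSync, which Conditional Access does not evaluate), with the successes ranked highest. For idea 18 it summarises how each Conditional Access policy actually evaluated across the records and lists policies that never evaluated to success or failure, which is the signal that a policy is not enforcing anything. The sample records are constructed in the shape of the Microsoft Graph signIn object (the same fields Log Analytics exposes in SigninLogs); the blocked-country list and the policy names are assumptions for illustration.

```python
"""Triage Azure AD sign-in records for Conditional Access (CA) outcomes.

Added example, not from the UserVoice page. SAMPLE_SIGNINS is constructed in
the shape of Microsoft Graph 'signIn' objects; all values are made up.
"""
from collections import Counter, defaultdict

# Countries a hypothetical CA policy blocks (ISO 3166 alpha-2) - assumption.
BLOCKED_COUNTRIES = {"CN", "RU"}
BLOCK_POLICY = "Block sign-in from high-risk countries"  # hypothetical name

SAMPLE_SIGNINS = [
    {   # blocked as intended: password accepted, then the CA policy failed it
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Office 365 Exchange Online",
        "clientAppUsed": "Browser",
        "status": {"errorCode": 53003},       # AADSTS53003: blocked by CA
        "location": {"countryOrRegion": "CN"},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": BLOCK_POLICY, "result": "failure"},
            {"displayName": "Require MFA for admins", "result": "notApplied"},
            {"displayName": "Require compliant device", "result": "notApplied"},
        ],
    },
    {   # legacy auth (ActiveSync) from a blocked country that still succeeded
        "userPrincipalName": "bob@contoso.example",
        "appDisplayName": "Office 365 Exchange Online",
        "clientAppUsed": "Exchange ActiveSync",
        "status": {"errorCode": 0},
        "location": {"countryOrRegion": "RU"},
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [
            {"displayName": BLOCK_POLICY, "result": "notApplied"},
        ],
    },
    {   # ordinary sign-in from an allowed country
        "userPrincipalName": "carol@contoso.example",
        "appDisplayName": "Microsoft Teams",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "status": {"errorCode": 0},
        "location": {"countryOrRegion": "NL"},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": BLOCK_POLICY, "result": "notApplied"},
            {"displayName": "Require MFA for admins", "result": "success"},
            {"displayName": "Require compliant device", "result": "notApplied"},
        ],
    },
]


def blocked_country_alerts(signins, blocked=BLOCKED_COUNTRIES):
    """One alert per sign-in from a blocked country, success or failure.

    errorCode 0 means a token was issued; any other code is a failed sign-in.
    A *successful* sign-in from a blocked country means the policy did not
    cover that client (legacy auth, for example), so it gets the top severity.
    """
    alerts = []
    for s in signins:
        country = s.get("location", {}).get("countryOrRegion")
        if country not in blocked:
            continue
        succeeded = s.get("status", {}).get("errorCode") == 0
        alerts.append({
            "user": s["userPrincipalName"],
            "country": country,
            "client": s.get("clientAppUsed"),
            "outcome": "SUCCESS" if succeeded else "FAILURE",
            "ca_status": s.get("conditionalAccessStatus"),
            "severity": "high" if succeeded else "info",
        })
    return alerts


def policy_health(signins):
    """Per policy, count how often each result value was recorded.

    Result values seen in the sign-in log: success, failure, notApplied,
    notEnabled, unknown, plus reportOnly* variants for report-only policies.
    """
    counts = defaultdict(Counter)
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            counts[p["displayName"]][p["result"]] += 1
    return {name: dict(c) for name, c in counts.items()}


def never_enforced(health):
    """Policies that never evaluated to success or failure in the sample."""
    return sorted(name for name, c in health.items()
                  if not (c.get("success") or c.get("failure")))


if __name__ == "__main__":
    for a in blocked_country_alerts(SAMPLE_SIGNINS):
        print(f"[{a['severity']}] {a['outcome']} {a['user']} from "
              f"{a['country']} via {a['client']} (CA: {a['ca_status']})")
    health = policy_health(SAMPLE_SIGNINS)
    for name, c in health.items():
        print(name, c)
    print("never enforced:", never_enforced(health))
```

Feeding real records in is a matter of exporting sign-ins from the Graph `signIns` endpoint or a Log Analytics SigninLogs query and passing the list in place of the constructed sample; the functions only read the fields shown above. Note that the `never_enforced` check is only meaningful over a window long enough for the policy's target users and apps to have signed in, otherwise every freshly created policy looks idle.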
  19. AzureAD Conditional Access Conditions with changing locations

    AzureAD Conditional Access conditions should not check for an IP address change but only whether a client is located on the internet or intranet. Otherwise an issue arises when "Keep me signed in" is activated: Conditional Access no longer works as expected after changing location. The workaround is to delete the cookies, after which it works again.

    3 votes
    0 comments  ·  Conditional Access
  20. AAD CA Require approved client app list does not have Microsoft StaffHub included

    In the "Require approved client app" setting, the list does not have Microsoft StaffHub included. Is it ok to add this app to the approved client app list?

    3 votes
    0 comments  ·  Conditional Access