Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new login experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account uses the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Block only Azure Portal using Conditional Access

    I want to block users' access to the Azure Portal.
    So I have Conditional Access on the "Microsoft Azure Management" application in Azure AD.
    However, "Microsoft Azure Management" contains not only the Azure Portal but other applications as above.

    Manage access to Azure management with Conditional Access
    https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

    Please add the Azure Portal as a separate application in Conditional Access.

    3 votes  ·  1 comment  ·  Conditional Access
  2. Baseline

    Need to get the dates as well as the option for exclusion in the baseline policy.

    3 votes  ·  0 comments  ·  Conditional Access
  3. Baseline policy

    119072424003997: the Baseline Policy blocked the Global admin, so, being the CSP partner, I got an email to implement it. Please update us on the same; I will also update the Microsoft Feedback related to this Service Request.

    3 votes  ·  0 comments  ·  Conditional Access
  4. Exclude "register security info (preview)" from Conditional Access

    We need to exclude "register security info (preview)" from conditional access policies.

    We use Azure MFA for RADIUS (non-Azure / O365 services) authentication, and our users have to self-register their authentication method.

    This registration is not possible from private workstations, because our Conditional Access policies say the user needs MFA and a compliant device. Result: the user tries to register his security info from a non-compliant device --> fail.

    3 votes  ·  0 comments  ·  Conditional Access
  5. Add MFA Challenge type to Conditional Access ruleset.

    We experienced a spear phishing attack where the user routinely approved an MFA challenge for an attacker signing in outside of the country via the Authenticator Approve/Deny challenge.

    If there were an option to require a one-time passcode on a non-company device when outside of the country, this attack would have failed. Or the new passwordless "match the pin on the screen" logon option would have also failed the attack.

    I would like to suggest being able to select the MFA challenge type as an option when creating a new conditional access policy.

    3 votes  ·  0 comments  ·  Conditional Access
  6. Default Block All rule in conditional access

    A whitelist + block-all rule combination would be easy to create. In current CA, customers hate to create tons of {Access 1, Block 1} rule pairs.

    3 votes  ·  0 comments  ·  Conditional Access
  7. Conditional Access Audit Details

    I would like to see the details of what was changed when searching for conditional access policy changes. I can see which administrator made the change, when the change was made and which CA policy was modified, but I can't see how the policy was modified.

    3 votes  ·  1 comment  ·  Conditional Access
  8. Conditional Access Policies do not have a COPY button?

    When working with production policies for Conditional Access, if changes are needed, it is most reasonable to duplicate the production rule, apply it to a smaller test group, and make changes from there. At this time there is no copy/duplicate button for Conditional Access policies, so the only method for replicating policies is to stare-and-compare in side-by-side windows.

    This increases the capacity for error or misconfiguration. Also, since the "block all" apps option over-blocks many Azure services that cannot be exempted, it complicates the policy creation process by requiring you to manually re-select all apps that need to be included in or excluded from the policy.

    The…

    3 votes  ·  0 comments  ·  Conditional Access
  9. O365 admin portal access from untrusted network

    O365 admin portal is accessible from untrusted networks. It requires MFA (as it should) but should not allow access even with MFA, from an untrusted network. The desired state is for access to the O365 admin portal to be blocked from any untrusted network. There does not appear to be an app registration to add to Conditional Access policies to accomplish this like we have done for the Azure Portal.

    3 votes  ·  0 comments  ·  Conditional Access
  10. Add another column to clarify how CA Policy was satisfied

    Please add another column that would indicate whether the Conditional Access policy was satisfied by an existing AccessToken or RefreshToken, as opposed to the user actually performing 3rd-party MFA.

    Our Security Analyst identified gaps in our SIEM log when correlating the Azure AD log and the DUO Security log. Users have dozens of AAD logins reflecting that the DUO MFA CA policy was successfully fulfilled, yet in the DUO Security log there is no indication the login occurred. We now know this is related to the use of AccessTokens and RefreshTokens to enable the Keep Me Signed In feature. Adding another column…

    3 votes  ·  0 comments  ·  Conditional Access
  11. Provide Conditional Access to Azure AD Free

    With constant phishing of user accounts, conditional access should be free to all Office 365 users to improve security for all. MFA is not practical for large numbers of office-based users who do not have work-provided phones, and additional paid security options like Advanced Protection are not working well enough to prevent the phishing emails getting through.

    3 votes  ·  0 comments  ·  Conditional Access
  12. Create a low/no-cost conditional access policy for "US Only" to prevent international brute-force sign-in attacks

    The Azure AD that comes with Office 365 should include a conditional access policy that can be enabled to prevent international sign-in attempts. It currently lets you see users flagged for risk but doesn't let you do anything about it.

    3 votes  ·  0 comments  ·  Conditional Access
  13. Conditional Access alert for blocked countries

    Generate an email alert to ADMINS if any sign-in FAILED or SUCCEEDED due to a Conditional Access policy.

    We do have a conditional access policy to block sign-in from a specific set of countries. If someone tries to access from the blocked countries, we would like to get an email alert for both FAILURE and SUCCESS (as a CA policy cannot be linked with ActiveSync, we need to know about successful logins from blocked countries too).

    3 votes  ·  0 comments  ·  Conditional Access

    I recommend taking a look at Log Analytics and how to use it with the Azure AD sign-in reports:

    https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-Activity-logs-in-Azure-Log-Analytics-now/ba-p/274843

    You can use Log Analytics to send notifications on details in the sign-in report, like blocked policies.

    We’ll also keep this in mind as we look at further reporting and notification improvements.

    Thanks

  14. Word Online Open New Document

    Users should be able to open Office Online new documents directly from www.office.com and should not be advised to open them from OneDrive for Business when Conditional Access is in place.

    3 votes  ·  1 comment  ·  Conditional Access
  15. Named location limit

    Limit on AAD objects like named locations. We have reached the limit. Auto-approve good locations, more AI.

    3 votes  ·  0 comments  ·  Conditional Access
  16. Pre-Authentication evaluation of conditional access.

    We have several apps and web services on premises that we would like to be evaluated for location and other factors without any authentication provided by the user. In other words, we want to be able to prevent access from non-US locations to some of our web services where the caller is unable to authenticate.

    Example: https://webservice.domain,com on premises, where no authentication is required; we still want to use Azure AD proxy to reach that application and prevent any access from a non-US location using conditional access. Since this is a web service, the calling server will be unable…

    3 votes  ·  1 comment  ·  Conditional Access
  17. Add Azure AD Group to the list of Exclude users

    Using Azure AD Conditional Access: "Baseline policy: Require MFA for admins". Can you please add the ability to include an Azure AD Group in the exclusion list? Currently it only allows individual users.

    3 votes  ·  0 comments  ·  Conditional Access
  18. Indicate when conditional access policy was not applied due to lack of license

    When viewing the details of an individual entry in the sign-in log within the Azure AD Portal, the "Conditional Access" tab allows you to see which conditional access policies were applied to the sign-in attempt and the result for each.

    In the case where the user in question does not have a license assigned that includes conditional access functionality, the tab simply says "No policies". Support has advised me in the past that CA policies will not be applied to users who do not have the appropriate license assigned, which is presumably why the list is empty in such situations.…

    3 votes  ·  0 comments  ·  Conditional Access
  19. Conditional Access: possibility to exclude Azure AD Joined devices

    Today, we can exclude in Device state: devices that are Hybrid Azure AD Joined or devices marked as (Intune) compliant, but we cannot exclude devices which are only Azure AD Joined.

    3 votes  ·  0 comments  ·  Conditional Access
  20. Restrict Azure AD join by device limit

    Intune has a restriction by device limit. If you enable this for a user and the limit is reached, new devices will not be enrolled into Intune by that user. But the user can still Azure AD join a Windows 10 device and access the Windows desktop and all its functions. It would be nice to stop the Azure AD join completely. There is a global limit for Azure AD join, but no per-user-group limit. It is not possible to set a limit of only 1 device for one company department and then a limit of 2 devices…

    3 votes  ·  0 comments  ·  Conditional Access