Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Pre-Authentication evaluation of conditional access.

    We have several apps and web services on premises that we would like to be evaluated for location and other factors without any authentication provided by the user. In other words, we want to be able to prevent access from non-US locations to some of our web services where the caller is unable to authenticate.

    Example: https://webservice.domain.com on premises, where no authentication is required; we still want to use Azure AD proxy to reach that application and prevent any access from a non-US location using conditional access. Since this is a web service, the calling server will be unable…

    4 votes  ·  1 comment  ·  Conditional Access
  2. Enable conditional access for oauth flows

    It would be great to apply conditional access policies to OAuth token flows. Currently, when I add a policy to a certain user/IP/app, I can still use the OAuth2 code flow to get a valid code and (in the next step) a valid token.

    Maybe you could add an option to select whether a policy should be applied to these auth flows.

    4 votes  ·  0 comments  ·  Conditional Access
  3. Conditional Access: possibility to exclude Azure AD Joined devices

    Today, we can exclude in Device state: devices that are Hybrid Azure AD Joined or devices marked as (Intune) compliant, but we cannot exclude devices which are only Azure AD Joined.

    4 votes  ·  0 comments  ·  Conditional Access
  4. Rename - 'Require multi-factor authentication'

    https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/

    Per the custom controls, we’re allowing 3rd party MFA providers to be included in a CA policy (assuming it will be more than MFA providers in the future).

    Can the term ‘Require multi-factor authentication’ be re-worded to simply ‘Azure MFA / Federated MFA’ or similar?

    Assumption:
    The ‘Require multi-factor authentication’ implies strictly the Azure MFA service (or on-premises federated MFA provider)

    Justification:
    If multiple MFA providers are added to CA (via custom controls), the Customer may mis-interpret that the ‘Require multi-factor authentication’ applies to ANY successful MFA auth from any in-scope provider when in reality it only applies to…

    4 votes  ·  1 comment  ·  Conditional Access
  5. Enable configuration of how long MFA can be remembered within a Conditional Access Policy.

    A configuration option for how long MFA can be remembered within a conditional access policy.
    It would enable a longer window between MFA challenges on registered devices (e.g. Outlook on mobile devices)
    while allowing a narrow window when signing on with browser access from an unknown device.

    Being able to configure how long MFA is remembered per policy would provide more flexibility in protecting the user identity while accounting for more known and unknown device scenarios.

    4 votes  ·  0 comments  ·  Conditional Access
  6. Resolve gaps in Conditional Access policy enforcement

    We have several questions related to the information contained in the following portion of the KB article related to Conditional Access (e.g. "when is a location evaluated"):

    docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations#when-is-a-location-evaluated

    Question #1:
    As described in the KB article, it appears that a user logon attempt from a blacklisted location such as "China" would be blocked, but only AFTER the user's credentials (username + password) have been accepted as valid.

    How is this an acceptable control considering the following scenario?:

    A user's Azure account originates from an on-premises Active Directory. Their password is synchronized to Azure, providing SSO for the user. A bad-actor from…

    4 votes  ·  0 comments  ·  Conditional Access
  7. Separating Office 365 admin via conditional access

    Is it possible to control web access to the Office Admin portal separately from the rest of portal.office.com?

    Use case: we want to enforce MFA for Office admin but not for other Office services.

    4 votes  ·  1 comment  ·  Conditional Access
  8. AAD CA "Require approved client app" setting enabled

    When AAD CA "Require approved client app" is enabled, end users will be prevented from using other apps to access data, but will not be prompted to use Outlook. End users cannot know that only the Outlook app can access the data. Will this behavior be modified to remind the end user to use Outlook when the message is displayed that access from other apps is prevented?

    4 votes  ·  0 comments  ·  Conditional Access
  9. Provide "location except" feature under Location conditions of conditional access policy

    We want to block access to the app from all IP addresses except the specified one.
    I want to define the IP address or range in the named location, which is possible today, but when I used this named location in the Location condition there is no way to mention a "location except" feature.

    Basically, I want my Azure AD connected site/app to be accessible only from a certain IP, and from all other IPs it should not be accessible.

    3 votes  ·  0 comments  ·  Conditional Access
  10. Allow to exclude specific users when a named location is defined by country

    To have a “binary toggle”, say a checkbox, where we can specify “Disallow any access, except the following directives ☑︎” so any human would be able to just include what he or she needs to include and that’s it. With this ability the conditional access logic can be toggled from its current logic to the “positive one” I’m proposing where everything is forbidden but what’s allowed.

    3 votes  ·  0 comments  ·  Conditional Access
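Added example, serving ideas 9 and 10 above (this is illustrative code written for this page, not Microsoft's policy engine and not code from either post). The "accessible only from certain IPs" request in idea 9 and the "everything forbidden except what is allowed" logic in idea 10 can both be expressed with the controls Conditional Access already has: include "All" locations, exclude the named location that should be allowed, and set the grant control to Block, with any exempt accounts listed under excludeUsers. The model below uses the Microsoft Graph conditionalAccessPolicy field names (includeLocations, excludeLocations, includeUsers, excludeUsers, builtInControls) so the composition can be checked before a policy is created. The named locations, IP ranges and accounts are constructed, and users are written as UPNs for readability where the real API takes object IDs.

```python
"""Model of how Conditional Access location and user conditions compose.

Added example: mirrors the Graph conditionalAccessPolicy field names, but is
illustrative code, not Microsoft's evaluator (real policies are evaluated
service-side). Named locations, ranges and accounts are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed named locations, keyed by the id a policy would reference.
NAMED_LOCATIONS = {
    "loc-hq": {"ipRanges": ["203.0.113.0/24"]},   # shaped like ipNamedLocation
    "loc-us": {"countriesAndRegions": {"US"}},     # shaped like countryNamedLocation
}


@dataclass
class SignIn:
    user: str      # UPN here for readability; the Graph API uses object ids
    ip: str
    country: str   # ISO 3166-1 alpha-2, as reported in the sign-in location


def in_location(signin: SignIn, location_id: str) -> bool:
    """True if the sign-in falls inside the location ("All" matches anything)."""
    if location_id == "All":
        return True
    loc = NAMED_LOCATIONS[location_id]
    if "ipRanges" in loc:
        addr = ipaddress.ip_address(signin.ip)
        return any(addr in ipaddress.ip_network(r) for r in loc["ipRanges"])
    return signin.country in loc["countriesAndRegions"]


def policy_applies(policy: dict, signin: SignIn) -> bool:
    """Exclusions win over inclusions, for users and for locations alike."""
    users = policy["conditions"]["users"]
    if signin.user in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and signin.user not in users["includeUsers"]:
        return False
    locs = policy["conditions"].get("locations")
    if locs is not None:
        if any(in_location(signin, l) for l in locs.get("excludeLocations", [])):
            return False
        if not any(in_location(signin, l) for l in locs["includeLocations"]):
            return False
    return True


def evaluate(policies: list, signin: SignIn) -> str:
    """'block' if any enabled policy with a Block grant applies, else 'allow'."""
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        if policy_applies(policy, signin) and "block" in policy["grantControls"]["builtInControls"]:
            return "block"
    return "allow"


def block_all_except(name: str, allowed_location: str, exempt_users: list) -> dict:
    """Allow-list pattern: include All locations, exclude the trusted one, grant Block."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exempt_users)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [allowed_location]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Idea 9: reachable only from the HQ range; a break-glass account stays exempt.
HQ_ONLY = block_all_except("Block all except HQ", "loc-hq", ["breakglass@contoso.example"])
# Idea 10: block everything outside the US, but not for a named traveller.
US_ONLY = block_all_except("Block outside US", "loc-us", ["traveller@contoso.example"])

if __name__ == "__main__":
    for s in (SignIn("alice@contoso.example", "203.0.113.10", "US"),
              SignIn("alice@contoso.example", "198.51.100.7", "US"),
              SignIn("bob@contoso.example", "198.51.100.7", "DE"),
              SignIn("traveller@contoso.example", "198.51.100.7", "DE")):
        print(s.user, s.ip, s.country,
              "HQ_ONLY:", evaluate([HQ_ONLY], s), "US_ONLY:", evaluate([US_ONLY], s))
```

Two cautions when creating the real thing: a policy that includes all users, all apps and all locations with a Block grant locks out administrators too, so keep an excluded break-glass account and create the policy in report-only state (enabledForReportingButNotEnforced in Graph) before switching it to enabled. And, as ideas 6 and 15 on this page point out, a Block grant is applied after the password has been validated, so this controls access, not password guessing.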
  11. Apply Conditional Access to shared links

    Please allow us to apply (some) Conditional Access rules to users accessing sharing links.

    Use case:
    We want to force external users to acknowledge a Terms of Use document even if they only received a "named user" link (SP Admin Center Sharing config is set to "New and existing guests").

    The current Conditional Access rules only apply to existing users, but as a user that received a shared file is not an AAD user, they are not prompted to accept the Terms of Use. In our use case, this is more important than for already existing guest accounts how (normally)…

    3 votes  ·  0 comments  ·  Conditional Access
  12. Replace Oauth tokens admin role from GA to authentication admin

    MS suggests that limiting the GA role should be done, but without the GA role you cannot assign OAuth tokens.
    Can you please replace this role with something else? For example, the authentication admin role.

    3 votes  ·  0 comments  ·  Conditional Access
  13. Allow hostname as conditional access trusted location

    We have some offices with dynamic public IP addresses. We obviously can't use these IP addresses as conditional access trusted locations as the IPs may change. We do have dynamic DNS for these IPs, however, so we would like to be able to add the dynamic DNS hostnames as trusted locations to reduce MFA prompts.

    3 votes  ·  0 comments  ·  Conditional Access
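Added example for the post above (written for this page; it is not Microsoft tooling and not the poster's code). Until hostnames are supported, the usual workaround is a scheduled job that resolves the dynamic DNS names and rewrites the named location's ipRanges through Microsoft Graph (PATCH /identity/conditionalAccess/namedLocations/{id} with an ipNamedLocation body). The Python below builds that body offline; the hostnames, the resolver answers and the Graph request itself are assumptions, and sending the request is left to the caller. The part worth getting right is what happens when a name stops resolving or resolves to a private address: the entry is dropped rather than kept trusted, because a stale /32 may by then belong to someone else.

```python
"""Dynamic DNS -> ipNamedLocation sync (added example, constructed answers).

Builds the body for PATCH /identity/conditionalAccess/namedLocations/{id}.
Sending it (an app with Policy.ReadWrite.ConditionalAccess) is the caller's job.
"""
import ipaddress
import socket

IPV4_RANGE = "#microsoft.graph.iPv4CidrRange"
IPV6_RANGE = "#microsoft.graph.iPv6CidrRange"

# Never trust an answer from these ranges, whatever the DNS record says.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_public(ip) -> bool:
    return not any(ip in net for net in NON_PUBLIC)


def resolve_all(hostname: str) -> list:
    """Default resolver: every A/AAAA answer for the name (OSError on failure)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def build_ip_ranges(hostnames, resolve=resolve_all) -> list:
    """One host-route CIDR per public answer; names that fail to resolve contribute nothing."""
    ranges, seen = [], set()
    for name in hostnames:
        try:
            answers = resolve(name)
        except OSError:
            continue  # dropped, not kept: a stale /32 may now belong to someone else
        for text in answers:
            ip = ipaddress.ip_address(text)
            if not is_public(ip):
                continue
            cidr = f"{ip}/{ip.max_prefixlen}"
            if cidr in seen:
                continue
            seen.add(cidr)
            ranges.append({"@odata.type": IPV4_RANGE if ip.version == 4 else IPV6_RANGE,
                           "cidrAddress": cidr})
    return ranges


def named_location_patch(display_name: str, ranges: list) -> dict:
    """Request body shaped like the Graph ipNamedLocation resource."""
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": display_name, "isTrusted": True, "ipRanges": ranges}


def needs_update(current_ranges: list, new_ranges: list) -> bool:
    """Only write when the set of CIDRs actually changed."""
    return {r["cidrAddress"] for r in current_ranges} != {r["cidrAddress"] for r in new_ranges}


# Constructed resolver answers standing in for the dynamic DNS zone.
SAMPLE_ANSWERS = {
    "office-a.dyn.contoso.example": ["203.0.113.25"],
    "office-b.dyn.contoso.example": ["198.51.100.9", "10.0.0.5"],  # private answer is ignored
}


def sample_resolver(hostname: str) -> list:
    if hostname not in SAMPLE_ANSWERS:
        raise OSError(f"{hostname}: NXDOMAIN")
    return SAMPLE_ANSWERS[hostname]


if __name__ == "__main__":
    current = [{"cidrAddress": "203.0.113.25/32"}]  # what the tenant holds today
    wanted = build_ip_ranges(list(SAMPLE_ANSWERS) + ["gone.dyn.contoso.example"],
                             resolve=sample_resolver)
    if needs_update(current, wanted):
        print(named_location_patch("Branch offices (dynamic)", wanted))
```

Run it on a short schedule that matches the DNS TTL, under an application identity that holds only Policy.ReadWrite.ConditionalAccess. The residual risk is the gap between an ISP reassigning the address and the next run, during which the old address is still trusted, so pair the location condition with a device-compliance requirement rather than relying on location alone to skip MFA.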
  14. Please allow Education to be an exception for Conditional Access Policy blocking Azure management portal

    Please allow Education (Azure Dev Tools for Teaching, Education software downloads) to be an exception for a Conditional Access Policy blocking the Azure management portal. We want students to be able to download software they are entitled to, but not to have access to Azure AD management or other Azure portal functionality.

    3 votes  ·  1 comment  ·  Conditional Access
  15. Apply Conditional Access blocks before authentication

    Conditional Access policies that completely block access should be applied before allowing the user to attempt authentication, because otherwise an attacker can still crack a user's password (e.g. using a botnet) even though Conditional Access prevents them from actually using the account. This cracked password can then be used to access the account under different circumstances in which Conditional Access allows access.

    3 votes  ·  0 comments  ·  Conditional Access
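Added example serving ideas 6 and 15 (written for this page; not Microsoft code and not from either post). Both posts make the same observation: a Block policy is evaluated after the password has been accepted, so a sign-in that is stopped by Conditional Access from a blocked location tells you the password is already known outside the organisation, even though no access was granted. That is detectable in the sign-in logs. The script below runs over constructed records shaped like Azure AD sign-in log entries (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode) and flags users whose credential was accepted and then blocked by Conditional Access (error 53003) from outside the allowed countries, counting the invalid-password attempts (error 50126) that preceded it. The allowed-country set, the records and the field layout are assumptions of this example.

```python
"""Find passwords that were accepted before Conditional Access blocked the sign-in.

Added example over constructed records shaped like Azure AD sign-in log entries.
The field names follow the Graph signIn resource; the data is made up.
"""
import json
from collections import defaultdict

BLOCKED_BY_CA = 53003        # AADSTS53003: access blocked by Conditional Access policy
INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password
ALLOWED_COUNTRIES = {"US"}   # assumption: where this tenant's users are expected to be

# Constructed sample: two wrong guesses, then the right password, from CN.
SAMPLE_LOG = """\
{"createdDateTime": "2020-04-01T02:10:00Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "CN"}, "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2020-04-01T02:11:00Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "CN"}, "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2020-04-01T02:12:00Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "CN"}, "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure"}
{"createdDateTime": "2020-04-01T14:00:00Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}, "conditionalAccessStatus": "success"}
{"createdDateTime": "2020-04-01T09:00:00Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure"}
{"createdDateTime": "2020-04-01T09:05:00Z", "userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.9", "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"}
"""


def parse_signins(text: str) -> list:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_exposed_credentials(records: list, allowed_countries: set) -> dict:
    """Per user: sign-ins that passed the password check and were then blocked
    by Conditional Access from outside the allowed countries, plus the number
    of invalid-password attempts that came before the first such hit."""
    by_user = defaultdict(list)
    # ISO 8601 UTC timestamps with a fixed layout sort correctly as strings.
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"]].append(rec)

    findings = {}
    for user, events in by_user.items():
        hits = [e for e in events
                if e["status"]["errorCode"] == BLOCKED_BY_CA
                and e["location"]["countryOrRegion"] not in allowed_countries]
        if not hits:
            continue  # a 53003 from an allowed country is a block for some other condition
        first_hit = hits[0]["createdDateTime"]
        prior_failures = sum(1 for e in events
                             if e["status"]["errorCode"] == INVALID_CREDENTIALS
                             and e["createdDateTime"] < first_hit)
        findings[user] = {
            "blocked_with_valid_password": len(hits),
            "prior_failures": prior_failures,
            "countries": sorted({e["location"]["countryOrRegion"] for e in hits}),
            "source_ips": sorted({e["ipAddress"] for e in hits}),
        }
    return findings


if __name__ == "__main__":
    for user, f in find_exposed_credentials(parse_signins(SAMPLE_LOG), ALLOWED_COUNTRIES).items():
        print(f"{user}: password accepted then blocked {f['blocked_with_valid_password']}x "
              f"from {f['countries']} after {f['prior_failures']} failed guesses")
```

A finding here is a compromised password, not a blocked attacker: the response is a password reset and revocation of refresh tokens for that user, and a look at the later successful sign-ins from an allowed location, which is exactly the follow-on idea 15 describes. Bob's blocked sign-in from an allowed country is deliberately not reported, since that block came from some other policy condition (device state, client app) and says nothing about the password.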
  16. Add support for conditional access rules to secure Salesforce Mobile

    We want our users to be able to access our Salesforce instances using the Salesforce Mobile app, authenticated using AzureAD single sign-on, and subject to conditional access rules which require their mobile device to be compliant and company-managed. This doesn't seem to be possible. It seems conditional access policies only apply to apps accessed through a browser.

    3 votes  ·  0 comments  ·  Conditional Access
  17. Block only Azure Portal using Conditional Access not the all management endpoints

    We created a conditional access policy to block sign-in to the Azure management portal, and we are getting reports from users who are accessing the Visual Studio subscriptions administrator portal that they are getting the error "Your sign-in was successful but you don't have permission to access this resource." How can we block sign-in to https://portal.azure.com only? I don't want to block sign-in to the Visual Studio subscriptions administrator portal.

    We have a use case, where we want to block sign in to the Azure portal for All users except a group of users. And there are few users to whom we want…

    3 votes  ·  0 comments  ·  Conditional Access
  18. Set conditional access to a specific instance of Dynamics 365

    Within CA, you can use Conditional Access to restrict access to Dynamics 365 generally. However, it would be more beneficial if you could restrict access to Dynamics 365 instances/environments.

    The main reason for this is because once a CA policy is enabled for Dynamics 365, you cannot perform a build within DevOps, so the workaround is for the policy to be temporarily disabled. (user or app exclusions do not work in this scenario)

    If the policy is set per environment, this reduces the risk to any production environments when CA is disabled.

    Furthermore, organisations may have different CRM solutions for different business…

    3 votes  ·  0 comments  ·  Conditional Access
  19. Baseline Policy: End user protection

    I realize that this conditional access policy is still in preview. Currently it only seems to allow the Microsoft Authenticator app as the MFA method. However, the description of the policy says it is the default method, not the only method. I suggest either changing the description to "only", or enabling other authentication methods.

    3 votes  ·  3 comments  ·  Conditional Access
  20. User sign-in frequency is way too coarse

    We need to always enforce MFA when accessing an Enterprise app (to make sure nobody is making use of a left-alone computer with an unlocked screen). Therefore, instead of hours/days for sign-in frequency, we would like to have a checkbox 'always have user sign in'.

    3 votes  ·  0 comments  ·  Conditional Access