Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Set conditional access to a specific instance of Dynamics 365

    Within Conditional Access, you can restrict access to Dynamics 365 generally. However, it would be more beneficial if you could restrict access to individual Dynamics 365 instances/environments.

    The main reason for this is that once a CA policy is enabled for Dynamics 365, you cannot perform a build within DevOps, so the workaround is for the policy to be temporarily disabled (user or app exclusions do not work in this scenario).

    If the policy is set per environment, this reduces the risk to any production environments when CA is disabled.

    Furthermore, organisations may have different CRM solutions for different business…

    4 votes  ·  0 comments  ·  Conditional Access
  2. Changes to Conditional Access Policies should not get reported as changes to a Default Policy

    Currently, when an admin makes a change to a Conditional Access Policy, changes are also reported for a Default Policy that administrators have neither visibility of nor access to. These changes are shown as being made by a Global Admin, causing confusion and alarms for compliance teams.

    If possible, either hide/filter the events in the logs for the Default Policy, or change the user that is making the change to a Microsoft System account.

    4 votes  ·  0 comments  ·  Conditional Access
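The post above asks for the Default Policy events to be hidden or re-attributed. A detection-side alternative is to keep them and correlate them: a Default Policy update that immediately follows a real Conditional Access policy edit by the same admin is the side effect the post describes, while one that stands alone is worth a look. The script below is an added example, not code from the post or from Microsoft. The audit entries are constructed, using the field names of the Microsoft Graph directoryAudit resource (activityDisplayName, activityDateTime, initiatedBy, targetResources); the pairing rule (same initiator, within 60 seconds) and the literal target name "Default Policy" are assumptions for illustration.

```python
"""Triage Conditional Access policy-change noise in Azure AD audit logs.

Added example; SAMPLE entries are constructed, not real tenant data. Field
layout follows Microsoft Graph /auditLogs/directoryAudits. The pairing
window and the "Default Policy" target name are assumptions.
"""
from datetime import datetime, timedelta

PAIR_WINDOW = timedelta(seconds=60)          # assumption: side-effect events land within 60 s
DEFAULT_POLICY_NAME = "Default Policy"       # assumption: target name as seen in the post
CA_UPDATE = "Update conditional access policy"


def _ts(entry):
    # Graph emits ISO-8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(entry["activityDateTime"].replace("Z", "+00:00"))


def _actor(entry):
    user = entry.get("initiatedBy", {}).get("user") or {}
    return user.get("userPrincipalName", "<unknown>")


def _targets(entry):
    return [t.get("displayName") for t in entry.get("targetResources", [])]


def triage(entries):
    """Split Default Policy updates into (explained, suspicious).

    explained : Default Policy update paired with a real CA policy update by the
                same actor inside PAIR_WINDOW (the side effect the post describes).
    suspicious: Default Policy update with no such partner; review it instead of
                filtering it out, since a blanket filter would also hide this case.
    """
    updates = [e for e in entries if e.get("activityDisplayName") == CA_UPDATE]
    real = [e for e in updates if DEFAULT_POLICY_NAME not in _targets(e)]
    default = [e for e in updates if DEFAULT_POLICY_NAME in _targets(e)]
    explained, suspicious = [], []
    for d in default:
        paired = any(
            _actor(r) == _actor(d) and abs(_ts(r) - _ts(d)) <= PAIR_WINDOW
            for r in real
        )
        (explained if paired else suspicious).append(d)
    return explained, suspicious


# Constructed sample: one admin edit with its paired Default Policy event,
# then a lone Default Policy event hours later.
SAMPLE = [
    {"activityDisplayName": CA_UPDATE,
     "activityDateTime": "2020-05-04T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "Require MFA for admins", "type": "Policy"}]},
    {"activityDisplayName": CA_UPDATE,
     "activityDateTime": "2020-05-04T10:00:02Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": DEFAULT_POLICY_NAME, "type": "Policy"}]},
    {"activityDisplayName": CA_UPDATE,
     "activityDateTime": "2020-05-04T23:41:17Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": DEFAULT_POLICY_NAME, "type": "Policy"}]},
]

if __name__ == "__main__":
    ok, odd = triage(SAMPLE)
    print(f"explained={len(ok)} suspicious={len(odd)}")
    for e in odd:
        print("review:", e["activityDateTime"], _actor(e))
```

The point of pairing rather than filtering is that the compliance team keeps the signal they actually care about: a policy-level change that nobody can account for. Tune PAIR_WINDOW against your own tenant's logs before relying on it.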
  3. Add MFA Challenge type to Conditional Access ruleset.

    We experienced a spear phishing attack where the user routinely approved an MFA challenge for an attacker signing in outside of the country via the Authenticator Approve/Deny challenge.

    If there were an option to require a one-time passcode on a non-company device when outside of the country, this attack would have failed. Or the new passwordless "match the pin on the screen" logon option would have also failed the attack.

    I would like to suggest being able to select the MFA challenge type as an option when creating a new conditional access policy.

    4 votes  ·  0 comments  ·  Conditional Access
  4. Use Conditional Access with the Dynamics 365 Unified Ops app

    At the moment it is not possible to use the Dynamics 365 Unified Ops app when there are policies set up which only allow compliant devices (managed by Intune) to connect to the Dynamics 365 Finance and Operations system.

    4 votes  ·  0 comments  ·  Conditional Access
  5. Pre-Authentication evaluation of conditional access.

    We have several apps and web services on premises that we would like to be evaluated for location and other factors without any authentication provided by the user. In other words, we want to be able to prevent access from non-US locations to some of our web services where the caller is unable to authenticate.

    Example: https://webservice.domain.com on premises, where there is no authentication required; we still want to use Azure AD Application Proxy to reach that application and prevent any access from a non-US location using conditional access. Since this is a web service, the calling server will be unable…

    4 votes  ·  1 comment  ·  Conditional Access
  6. Enable conditional access for oauth flows

    It would be great to apply conditional access policies to OAuth token flows. Currently, when I add a policy to a certain user/IP/app, I can still use the OAuth2 code flow to get a valid code and (in the next step) a valid token.

    Maybe you could add an option to select whether a policy should be applied to these auth flows.

    4 votes  ·  0 comments  ·  Conditional Access
  7. Conditional Access : possibility to exclude Azure AD Joined devices

    Today, in Device state, we can exclude devices that are Hybrid Azure AD joined or devices marked as (Intune) compliant, but we cannot exclude devices which are only Azure AD joined.

    4 votes  ·  0 comments  ·  Conditional Access
  8. Rename - 'Require multi-factor authentication'

    https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/

    Per the custom controls, we are allowing 3rd-party MFA providers to be included in a CA policy (assuming it will be more than MFA providers in the future).

    Can the term 'Require multi-factor authentication' be re-worded to simply 'Azure MFA / Federated MFA' or similar?

    Assumption:
    The ‘Require multi-factor authentication’ implies strictly the Azure MFA service (or on-premises federated MFA provider)

    Justification:
    If multiple MFA providers are added to CA (via custom controls), the Customer may mis-interpret that the ‘Require multi-factor authentication’ applies to ANY successful MFA auth from any in-scope provider when in reality it only applies to…

    4 votes  ·  1 comment  ·  Conditional Access
  9. Resolve gaps in Conditional Access policy enforcement

    We have several questions related to the information contained in the following portion of the KB article related to Conditional Access (e.g. "when is a location evaluated"):

    docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations#when-is-a-location-evaluated

    Question #1:
    As described in the KB article, it appears that a user logon attempt from a blacklisted location such as "China" would be blocked, but only AFTER the user's credentials (username + password) were accepted as valid.

    How is this an acceptable control considering the following scenario?:

    A user's Azure account originates from an on-premises Active Directory. Their password is synchronized to Azure, providing SSO for the user. A bad-actor from…

    4 votes  ·  0 comments  ·  Conditional Access
  10. Separating Office 365 admin via conditional access

    Is it possible to control web access to the Office Admin portal separately from the rest of portal.office.com?

    Use case: we want to enforce MFA for Office admin but not for other Office services.

    4 votes  ·  1 comment  ·  Conditional Access
  11. AAD CA "Require approved client app" setting enabled

    When the AAD CA "Require approved client app" control is enabled, the end user will be prevented from using other apps to access data, but will not be prompted to use Outlook. The end user cannot know that only the Outlook app can access the data. Will this behaviour be modified to remind the end user to use Outlook when the message is displayed that access from other apps is prevented?

    4 votes  ·  0 comments  ·  Conditional Access
  12. "My access" and "My profile" support in conditional access policies

    Add support for the applications "My access" and "My profile" in conditional access policies.

    3 votes  ·  0 comments  ·  Conditional Access
  13. App Microsoft 365 Security and Compliance Center is not supported by conditional access policy

    The app Microsoft 365 Security and Compliance Center is not supported by conditional access policy. This request is to add the App ID 80ccca67-54bd-44ab-8625-4b79c4dc7775 so that it is supported by CA policies.

    Impact : Users are not able to review "end user spam notification" in https://protection.office.com/quarantine via mobile device.

    3 votes  ·  2 comments  ·  Conditional Access
  14. Device State Condition - Need an option to include/exclude Non Hybrid Azure AD joined device (public/BYOD)

    The Device State condition needs to almost mimic the existing Grant Controls options (see below) so that the CA rule can be evaluated or skipped.

    While workers are on-prem, we can use trusted locations, but with mobile workforces now, we cannot trust their VPN IPs over split-tunnel.

    The goal is to be able to have policies that are targeted to public devices and other policies that are targeted only to Hybrid-Joined devices.

    Existing GRANT Options:
    
    1. Require device to be marked as compliant
    2. Require Hybrid Azure AD joined device

    Current Device State CONDITION Options are:
    Include
    1. All Device…

    3 votes  ·  0 comments  ·  Conditional Access
  15. Provide "location except" feature under Location conditions of conditional access policy

    We want to block access to the app from all IP addresses except the specified one.
    I want to define the IP address or range in a named location, which is possible today, but when I use this named location in the Location condition there is no way to express a "location except" rule.

    Basically I want my Azure AD connected site/app to be accessible only from certain IPs, and from all other IPs it should not be accessible.

    3 votes  ·  0 comments  ·  Conditional Access
  16. Allow to exclude specific users when a named location is defined by country

    To have a "binary toggle", say a checkbox, where we can specify "Disallow any access, except the following directives ☑︎", so any human would be able to just include what he or she needs to include and that's it. With this ability the conditional access logic can be toggled from its current logic to the "positive one" I'm proposing, where everything is forbidden except what's allowed.

    3 votes  ·  0 comments  ·  Conditional Access
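Ideas 15 and 16 both describe the same default-deny shape: everything is blocked except the listed IP range, with a handful of named users carved out. In the Microsoft Graph conditionalAccessPolicy layout that is "include All locations, exclude the named location, grant = block", plus excludeUsers for the carve-out. The evaluator below is an added example, not Microsoft's engine or anything from the posts; the policy object, the named location, its id and the sign-in records are all constructed, and only the user, application and location conditions are modelled. The caveat from idea 9 still applies: Conditional Access runs after the password has been validated, so this shape limits where a valid credential can be used, not whether it can be guessed.

```python
"""Evaluate the "block everywhere except HQ" Conditional Access shape offline.

Added example. Policy and named location follow the Graph
conditionalAccessPolicy / ipNamedLocation field layout; ids and IP ranges
are constructed (TEST-NET-2/3 addresses), not real tenant values.
"""
import ipaddress

# Constructed named location; Graph would use a GUID for the key.
NAMED_LOCATIONS = {
    "hq-location-id": {
        "displayName": "HQ egress",
        "isTrusted": True,
        "ipRanges": [{"cidrAddress": "203.0.113.0/24"}],
    },
}

# Allow-list shape: in scope from every location except HQ, and the only
# control is block. Sign-ins from HQ fall outside the policy entirely.
ALLOW_LIST_POLICY = {
    "displayName": "Block intranet app outside HQ",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-id"]},
        "applications": {"includeApplications": ["intranet-app-id"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["hq-location-id"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _in_cidrs(ip, location):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["cidrAddress"]) for r in location["ipRanges"])


def _in_location(ip, token):
    """Resolve the special tokens Graph accepts in include/excludeLocations."""
    if token == "All":
        return True
    if token == "AllTrusted":
        return any(loc["isTrusted"] and _in_cidrs(ip, loc) for loc in NAMED_LOCATIONS.values())
    return _in_cidrs(ip, NAMED_LOCATIONS[token])


def _in_scope(signin, policy):
    c = policy["conditions"]
    users, apps, loc = c["users"], c["applications"], c.get("locations", {})
    user_ok = ("All" in users.get("includeUsers", []) or signin["user"] in users.get("includeUsers", [])) \
        and signin["user"] not in users.get("excludeUsers", [])
    app_ok = "All" in apps.get("includeApplications", []) \
        or signin["app"] in apps.get("includeApplications", [])
    # Exclusions win over inclusions, which is what makes "All minus HQ" work.
    loc_ok = any(_in_location(signin["ip"], t) for t in loc.get("includeLocations", ["All"])) \
        and not any(_in_location(signin["ip"], t) for t in loc.get("excludeLocations", []))
    return user_ok and app_ok and loc_ok


def evaluate(policy, signin):
    """Return 'block', 'grant:<controls>' or 'not in scope'.

    'not in scope' means this policy neither blocks nor demands controls for
    the sign-in; other policies in the tenant would still be evaluated.
    """
    if policy["state"] != "enabled" or not _in_scope(signin, policy):
        return "not in scope"
    controls = policy["grantControls"]["builtInControls"]
    return "block" if "block" in controls else "grant:" + ",".join(controls)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "->", evaluate(ALLOW_LIST_POLICY, {"user": "alice", "app": "intranet-app-id", "ip": ip}))
```

Two things a practitioner should check before shipping this shape: that the excluded users really are break-glass accounts protected some other way, and that the named location's ranges are your egress addresses rather than a shared NAT you do not control, because everyone behind an excluded range is outside the policy.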
  17. Apply Conditional Access to shared links

    Please allow us to apply (some) Conditional Access rules to users accessing sharing links.

    Use case:
    We want to force external users to acknowledge a Terms of Use document even if they only received a "named user" link (SP Admin Center Sharing config is set to "New and existing guests").

    The current Conditional Access rules only apply to existing users, but as a user that received a shared file is not an AAD user, they are not prompted to accept the Terms of Use. In our use case, this is more important than for already existing guest accounts, who (normally)…

    3 votes  ·  0 comments  ·  Conditional Access
  18. Allow hostname as conditional access trusted location

    We have some offices with dynamic public IP addresses. We obviously can't use these IP addresses as conditional access trusted locations as the IPs may change. We do have dynamic DNS for these IPs, however, so we would like to be able to add the dynamic DNS hostnames as trusted locations to reduce MFA prompts.

    3 votes  ·  0 comments  ·  Conditional Access
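Until hostnames are accepted natively, the usual workaround for the situation in the post above is a scheduled job that resolves the dynamic DNS names and rewrites the named location's IP ranges. The script below is an added example, not from the post or from Microsoft: it builds the PATCH body for /identity/conditionalAccess/namedLocations/{id} using the Graph ipNamedLocation and iPv4CidrRange types, but does not send it. The office hostnames are constructed, the resolver is injectable so the logic runs offline, and the refusal to publish an empty list is a design choice, not Graph behaviour.

```python
"""Keep a trusted ipNamedLocation in step with dynamic-DNS office hostnames.

Added example. Hostnames are constructed; the HTTP call to Graph is left to
the caller. Graph types used: #microsoft.graph.ipNamedLocation and
#microsoft.graph.iPv4CidrRange (ipRanges / cidrAddress).
"""
import ipaddress
import socket

OFFICE_HOSTNAMES = ["office-lon.dyndns.example", "office-nyc.dyndns.example"]  # constructed


def resolve_all(hostnames, resolver=socket.gethostbyname):
    """Map hostname -> current IPv4 address.

    A failed or non-IPv4 lookup is skipped rather than propagated, so one
    flapping record does not wipe the whole allow-list (see named_location_patch).
    """
    out = {}
    for host in hostnames:
        try:
            out[host] = ipaddress.IPv4Address(resolver(host))
        except (OSError, ValueError):      # socket.gaierror is an OSError
            pass
    return out


def named_location_patch(current_cidrs, resolved):
    """Return the PATCH body for the named location, or None when unchanged.

    Each office becomes a /32: a dynamic address can be reassigned to anyone
    on the same ISP, so a wider range would trust strangers. Publishing an
    empty range set would lock every office out (or, if isTrusted is the only
    thing MFA keys off, prompt everyone), so that case is refused outright.
    """
    wanted = sorted(f"{ip}/32" for ip in resolved.values())
    if wanted == sorted(current_cidrs):
        return None
    if not wanted:
        raise RuntimeError("refusing to publish an empty trusted location")
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": cidr}
            for cidr in wanted
        ],
    }


if __name__ == "__main__":
    # Live run: real DNS, then the caller would PATCH the body with a Graph
    # token holding Policy.ReadWrite.ConditionalAccess.
    resolved = resolve_all(OFFICE_HOSTNAMES)
    body = named_location_patch(current_cidrs=[], resolved=resolved)
    print(body if body else "no change")
```

The security trade-off to state in your runbook: once this job exists, whoever can change those DNS records can add an address to a trusted location, so the dynamic DNS account becomes part of the identity trust boundary and its changes deserve the same alerting as the named location itself.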
  19. Add support for conditional access rules to secure Salesforce Mobile

    We want our users to be able to access our Salesforce instances using the Salesforce Mobile app, authenticated using AzureAD single sign-on, and subject to conditional access rules which require their mobile device to be compliant and company-managed. This doesn't seem to be possible. It seems conditional access policies only apply to apps accessed through a browser.

    3 votes  ·  0 comments  ·  Conditional Access
  20. Add the Microsoft Azure mobile app (iOS) as an approved client app for conditional access

    The official Microsoft Azure iOS app (https://apps.apple.com/us/app/microsoft-azure/id1219013620) is not listed in the approved client apps for conditional access.
    This makes it impossible for us to use it as a monitoring tool on our secured mobile devices, as the login flow is denied by the conditional access setup on our organisational AD.

    Could you work with the team in charge of that app and make sure it is added to the approved list?

    3 votes  ·  0 comments  ·  Conditional Access