Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups
Baseline Policy: Require MFA for Admins (Preview) needs to be able to exclude groups.
This policy does not pay attention to trusted location. Therefore, your global admin or other admin SERVICE ACCOUNTS will get blocked unless you exclude them one-by-one.
This is very disruptive. This policy used to allow excluding groups and they changed it to only excluding users. Not all companies can move at the pace Microsoft is enforcing. We cannot make all of our service accounts into some other solution which won't get impacted and still work for us.
Bring back group exclusion for manageability!!
47 votes -
Baseline policy: Require MFA for admins does not allow for any exceptions
The guidance on your website states: During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies. If you have enabled a baseline policy, you should exclude your emergency access accounts.
However, none of the four Baselines policies provide the ability to exclude any users. This directly contradicts the guidance on your website. The "Require MFA for Service Management" policy even states the following when we attempt to enable it:
"Don't get locked out. This policy can potentially prevent…
15 votes -
Conditional Access for B2B Guest users
For Conditional Access Policy applicable for B2B Guest Users, in Azure AD > CA Policy we do not have option for selective selection of B2B Guest users under 'Users and Group' section in CA Policy. But for Cloud Member users we have option for selective selection of users. Why we don't have same capability and functionality kept for B2B Guest for which we have for Cloud Member users in CA Policy? Also why we are saying it as Preview Mode?
22 votesWe’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?
-
azure active directory role
I have a scenario where azure active directory users login to fronend app and will be able to handle user administration using graph apis. These users will not having access to subscription/resources these users are access to only Azure AD who can update/create/delete usrs/profiles. To achieve those actions users should have user admin directory role. But the issue here is these users can login to azure portal and have admin assess to all users. For ex: if I have few applications where users are different i can manage from frontend app and business logic to show only users to related…
25 votesValid feedback. Open for customer upvotes
-
Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the below information, can connect to Azure from any network and issue Azure PS commands.
<#
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
MS Link
https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md
#>
Best possible scenario is to restrict is using RBAC. Agreed.
An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this please.
I had raised case with MS…15 votes -
Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies
Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies
16 votes -
Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups
Need exclude/include groups/users in the Azure AD baseline security policies SR-1172
7 votes -
Ability to block all cloud apps except the ones for Intune enrollment (Windows 10)
We have a Conditional Access policy which is configured to grant access to All cloud Apps only if you are Hybrid domain join or compliant.
We would like to setup exclusions within this CA for Intune enrollment apps, because selecting Microsoft Intune and Microsoft Intune Enrollment are not encompassing enough.
During the enrollment process (e.g. Windows10 device BYOD or during Autopilot Account setup) Microsoft Application Command Service app is used, unfortunately it can be excluded.
I have raised and identified this issue with MS support in the case number 119091321001371
5 votes -
Ability to apply Azure Conditional Access policies to specific Windows OS versions (7, 8.1,10) for Hybrid Azure AD Joined Devices, or to spe
Ability to apply Azure Conditional Access policies to specific Windows OS versions (7, 8.1,10) for Hybrid Azure AD Joined Devices, or to specific devices in a device Group.
While Azure Conditional Access policies can be currently applied to Windows for Hybrid Azure AD Joined Devices this includes all Windows operating systems. There is no ability to apply them to specific Windows OS versions, or to target specific devices. Having this functionality would allow for example to block Windows 7 and 8.1 devices through CA policies, or block specific devices without an approved reason to not upgrade to Win10.
21 votes -
Please provide an option to enforce (repeated) MFA for app access, even if SSO token already indicates MFA completed
We have a requirement for an application to always enforce MFA to the user. E.g. user logs in to Windows 10 with Hello for Business, then MFA is already satisfied when evaluating Conditional Access factors. But we need the user to authenticate again because this is a critical application.
Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.
E.g. to avoid malicious user to log in to the app when a workstation is left unlocked.
Possible option to decrease MaxAgeMultiFactor to 0 (but this may break other things or annoy user for…4 votes -
Baseline Policy: End user protection
I realize that this conditional access policy is still in preview. Currently it only seems to allow the Microsoft authenticator app as the mfa method. However the description of the policy says it is the default method, not the only method. I suggest either changing the description to only, or enabling other authentication methods.
2 votes -
Block only Azure Portal using Conditional Access
I want to block users access to Azure Portal.
So I have Conditional Access on the "Microsoft Azure Management" application in Azure AD.
However "Microsoft Azure Management" contains not only Azure Portal but other applications as above.Manage access to Azure management with Conditional Access
https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-managementPlease add only Azure Portal application to Conditional Access.
3 votes -
Add Microsoft Authenticator to Approved Client App
Currently the "Require approved client app" list of apps does not include the Microsoft Authenticator app, thus preventing adoption of cool features such as 'passwordless sign-in' which is apparently signing in as the user and therefore getting blocked.
47 votesThis is a problem we’re aware of and working on how best to address this use case.
Thanks
-
Ask always for MFA when using Azure AD Priviledge Identity Management
Ask always for MFA when using Azure AD Priviledge Identity Management even when you access from compliant device that are excluded from MFA for an access conditional policy
3 votes -
Add Office 365 Admin Mobile app as Approved Client App
We noticed that Office 365 Admin mobile app is not listed as a Approved Client app from Microsoft. This is affecting our users who have assigned admin roles in Azure and Office 365 restricting use to Approved Client Apps. Is there plans to add Microsoft Office 365 Admin App as a Microsoft Approved client app? Conditional access is flagging this as Office 365 Management.
3 votes -
Make "SharePoint Online Web Client Extensibility" to be inlcude/exclude from ConditionalAccess policy when include/exclude SharePoint Online
We have a Conditional Access policy to block all guest users from accessing all apps, but exclude Exchange Online and SharePoint Online. However the policy was not working as expected since user also need to access "SharePoint Online Web Client Extensibility" (app ID 08e18876-6177-487e-b8b5-cf950c1e598c) while visiting SharePoint Online, which is not selectable in Conditional Access policy, so this access was blocked by the policy.
Is it possible to implement one of following:
1. Make Conditional Access policy controls for "SharePoint Online Web Client Extensibility" to be automatically align with SharePoint Online.
2. Make "SharePoint Online Web Client Extensibility" a seletable…2 votes -
Ability to update Named Locations using PowerShell
We have around 200 locations that use dynamic IP addresses that change frequently. We have the ability to pull the public IP addresses via REST API/PowerShell, but there is currently no way to update the Named Locations list programmatically. Without PowerShell, we are forced to manually dump the list to a CSV and upload the new file.
We would like to have the ability to add, remove, update Named Locations and entries in the IP Ranges of a Named Location.
117 votesWe’ve begun this work.
-
All Baseline Conditional Access Policies: Allow Exclude / Include Users
For all baseline conditional access policies, it is important to either include / exclude users to help with phasing out a rollout. There are a number of scenarios where it is not practical to dump truck a universal policy while rolling out. This was allowed at one point but is now not available.
2 votes -
Support for Microsoft Office 365 00000006-0000-0ff1-ce00-000000000000 in conditional access
When using "All cloud apps" in a conditional Access policy. when trying to access admin.microsoft.com, one of the URL governed by Microsoft Office 365 portal - app ID : 00000006-0000-0ff1-ce00-000000000000, a user is blocked by conditional Access. This issues is the same in some of the panes/icons in "Azure.portal.com"; this application can be found with her app ID under the Enterprise apps in the Azure portal but cannot be included or excluded in a conditional access policy.
17 votes -
Support Conditional Access for the Partner Portal (OCP MPN PORTAL)
Support Conditional Access for the Partner Portal (OCP MPN PORTAL).
Add the partner portal to Azure managed application so we can use conditional access.13 votes
- Don't see your idea?