Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Add ability to select Microsoft Addresses in Named Locations
I'm trying to limit our service accounts' access to Azure services, so they are only allowed to log on to Azure services from the actual location they are used.
I also have a number of service accounts used in Azure to log in to another Azure service (I think it's some ClickDimensions, used to log in to some CRM/Dynamics). These service accounts log in from Microsoft IP addresses.
It would be nice if it was possible to select Microsoft IP addresses as a named location, and maybe also other cloud providers: Amazon, Google etc.
I have downloaded a list of all Microsoft's public IP…
26 votes
Thank you for sharing your feedback. This is planned and in the Azure Active Directory product backlog.
Add support for User-Agent Client Hints
The User-Agent string is being retrieved as part of the Azure\O365 audit log. The User-Agent is being used by security tools.
Google is planning to deprecate the User-Agent string in their Chromium engine (this will affect Chrome, Edge and any app or browser that uses Chromium). More info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. The current timeline is mid-2020. Instead of the User-Agent string, they plan to add User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/
We need to have the new User-Agent information available in the audit log and the APIs.
83 votes
Implement ability to only allow users to log in to 1 session at a time.
We're able to set the idle time and force an account to log out after a specific time. There should also be the ability to only allow 1 user to log in to Office 365, browser, application etc. at a time. This will assist customers that may have requirements for shared accounts and need to ensure only 1 user is logged in at a time.
6 votes
Thank you for reaching out to the feedback suggestion forum. Please share more information around the scenario/use case that you are trying and the challenges that you are running into. This will help us in design consideration.
Change message details for users blocked by CA policy when signing into O365
When a user is blocked by a conditional access policy set in Azure Active Directory, the message validates that the username and password were successful but the sign-in failed due to certain criteria not being met (CA policy). The premise is that a bad actor with stolen creds is able to confirm that those credentials are valid, despite not being on a device capable of logon. This would allow the actor to attempt to use the same credentials in other places and is a major security risk.
Please allow for this message to be editable or change it so that it doesn't…
11 votes
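The leak this post describes is also visible from the defender's side. In the Azure AD sign-in log, error code 53003 (AADSTS53003, blocked by Conditional Access) means the password was accepted before policy stopped the session, whereas 50126 (AADSTS50126) means the password was wrong. The following is an added example, not code from the post or from Microsoft: it scans constructed sign-in records, in the field shape of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, status.errorCode), for a password-spray pattern in which one source IP collects many 50126 failures across distinct users and then a 53003 for one of them. That user's password is exactly the "confirmed valid" case the post worries about. The record shape, the threshold and the sample data are assumptions.

```python
from collections import defaultdict

# Azure AD sign-in error codes (the AADSTS number without the prefix).
INVALID_PASSWORD = 50126   # AADSTS50126: wrong username or password
BLOCKED_BY_CA = 53003      # AADSTS53003: password accepted, session blocked by CA
SUCCESS = 0

# Constructed sample records. Field names follow the Microsoft Graph signIn
# resource; the users, IPs and outcomes are invented for this example.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
     "status": {"errorCode": INVALID_PASSWORD}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.7",
     "status": {"errorCode": INVALID_PASSWORD}},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.7",
     "status": {"errorCode": INVALID_PASSWORD}},
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "203.0.113.7",
     "status": {"errorCode": BLOCKED_BY_CA}},
    # One CA block from a different IP with no spray around it: a policy hit
    # on a legitimate user, not a compromise signal on its own.
    {"userPrincipalName": "erin@contoso.example", "ipAddress": "198.51.100.5",
     "status": {"errorCode": BLOCKED_BY_CA}},
    {"userPrincipalName": "erin@contoso.example", "ipAddress": "198.51.100.5",
     "status": {"errorCode": SUCCESS}},
]


def classify(record):
    """Map a sign-in record to what its outcome told the party who sent it."""
    code = record["status"]["errorCode"]
    if code == INVALID_PASSWORD:
        return "wrong_password"
    if code == BLOCKED_BY_CA:
        return "valid_password_blocked"   # the leak described in the post
    if code == SUCCESS:
        return "valid_password_admitted"
    return "other"


def confirmed_credentials(records, min_distinct_failures=3):
    """Find spray sources that walked away with a 'valid password' signal.

    Returns {ip: sorted UPNs} for every source IP that produced
    INVALID_PASSWORD for at least min_distinct_failures distinct users and
    also produced BLOCKED_BY_CA for some user. Those users' passwords are
    known to the attacker even though Conditional Access stopped the session.
    """
    failures = defaultdict(set)   # ip -> users that got wrong-password results
    confirmed = defaultdict(set)  # ip -> users whose password was accepted
    for r in records:
        ip, upn = r["ipAddress"], r["userPrincipalName"]
        kind = classify(r)
        if kind == "wrong_password":
            failures[ip].add(upn)
        elif kind == "valid_password_blocked":
            confirmed[ip].add(upn)
    return {
        ip: sorted(users)
        for ip, users in confirmed.items()
        if len(failures[ip]) >= min_distinct_failures
    }


if __name__ == "__main__":
    for ip, users in confirmed_credentials(SAMPLE_SIGNINS).items():
        print(f"{ip}: password confirmed valid for {', '.join(users)} "
              f"(CA blocked the session, attacker still learned the password)")
```

In practice the records come from the Graph `auditLogs/signIns` endpoint or a SIEM export rather than a list literal. The point of the query is response, not just detection: every user it returns needs a password reset and a session revoke, because the CA block protected the tenant but not the credential, which the actor can now replay against any service that is not behind the same policy.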
App grouping
Currently conditional access policies can be scoped only to individual applications.
This has strong limitations:
* No more than hundreds of applications per policy
* In large environments with lots of applications, this gets very complex and unmanageable
* Changes to Conditional Access policies are always risky and should be minimized
* Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automation
All these issues can be solved by the following set of features:
* Provide a mechanism to group apps
* Allow CA policies to be scoped to these app groups
Depending…
25 votes
Conditional access policy by location should be standard feature
Conditional Access policies to block access from countries should be a standard security feature and organizations should not have to upgrade to E5 or Azure P2 to use this feature. We see failed sign in attempts everyday from countries such as China and Russia. It would block out 99% of the malicious sign in attempts if we could simply implement a conditional access policy by location.
9 votes
App Microsoft 365 Security and Compliance Center is not supported by conditional access policy
The app Microsoft 365 Security and Compliance Center is not supported by conditional access policy. This is a request for the App ID 80ccca67-54bd-44ab-8625-4b79c4dc7775 to be supported by CA policies.
Impact: Users are not able to review "end user spam notification" in https://protection.office.com/quarantine via a mobile device.
3 votes
Programmatic option for the CA “what if” tool? (e.g. PowerShell or MSFT Graph API)
We provide lots of good documentation around common CA policies, best practices, and how-tos guiding customers on how to set up these policies. At this time, the only way to test [at least to my knowledge] is using the "what if" tool, but this must be performed from the Azure AD portal and requires manual interaction. This limits testing to one-off scenarios or very manual one-at-a-time effort.
It would be extremely helpful to have a programmatic interface for performing "what if" testing such as PowerShell or via the Microsoft Graph API. For example, a theoretical endpoint method such as the following that…
2 votes
Sort Azure AD Conditional Access policies in alphabetic order
Would it be possible to sort the policies under Conditional Access in alphabetic order? When the number of policies grow, it would be nice to have them sorted.
1 vote
Give the option to provide a 'grace period' before accepting Terms of Use
We are currently working towards some certifications, which requires us to make our employees 'sign' a lot of documents (anti-bribery etc.). To do this, we use conditional access' Terms of Use feature.
However, when we push a new Terms of Use, this blocks the whole flow for all of our users. Most users just click 'accept' without reading the document because they have e.g. an important meeting to get to.
I would like an option so that the end-user can 'snooze' the ToU (e.g. max 10 days), and approve it later.
1 vote
Allow all {Application ID} to be blocked/allowed using conditional access
Example:
Application Microsoft Invitation Acceptance Portal
Application ID 4660504c-45b3-4674-a709-71951a6b0763
Allow all {Application ID} to be blocked/allowed using conditional access; currently you cannot apply conditional access policies to Microsoft Invitation Acceptance Portal.
guid
1 vote
Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the information below, they can connect to Azure from any network and issue Azure PS commands.
<#
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
MS Link
https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md
#>
The best possible scenario is to restrict it using RBAC. Agreed.
An extra layer of conditional access on the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this please?
I had raised a case with MS…
112 votes
We've started work on this, focused on policy based on IP range.
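While the poster's request (a location condition on service principals) was still in the backlog, the practical compensating control was detective: watch where each service principal actually signs in from and alert when it is not one of the networks the principal is supposed to run in. The following is an added example, not the poster's code and not a Microsoft tool. It checks constructed service principal sign-in records, using the Graph signIn resource's field names (servicePrincipalName, appId, ipAddress, resourceDisplayName), against a per-appId CIDR allow-list. The allow-list, the appIds and the sample records are all invented for the example.

```python
import ipaddress

# Expected source networks per application (client) ID. Constructed for the
# example; in practice it records where each principal genuinely runs
# (a CI runner subnet, a NAT egress address, an app service's outbound range).
ALLOWED_SOURCES = {
    "11111111-1111-1111-1111-111111111111": ["10.20.0.0/16", "203.0.113.0/24"],  # CI runner
    "22222222-2222-2222-2222-222222222222": ["2001:db8:abcd::/48"],               # integration app
}

# Constructed service principal sign-in records in Graph signIn field shape.
SAMPLE_SP_SIGNINS = [
    {"servicePrincipalName": "MS-PoC-ServicePrincipal",
     "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "203.0.113.40",
     "resourceDisplayName": "Windows Azure Service Management API"},
    {"servicePrincipalName": "MS-PoC-ServicePrincipal",
     "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "198.51.100.9",              # not a CI runner address
     "resourceDisplayName": "Microsoft Graph"},
    {"servicePrincipalName": "integration-app",
     "appId": "22222222-2222-2222-2222-222222222222",
     "ipAddress": "2001:db8:abcd:1::7",
     "resourceDisplayName": "Microsoft Graph"},
    {"servicePrincipalName": "unknown-app",
     "appId": "33333333-3333-3333-3333-333333333333",   # nobody registered this one
     "ipAddress": "192.0.2.1",
     "resourceDisplayName": "Microsoft Graph"},
]


def _parse_allow_list(allowed):
    """Turn CIDR strings into ip_network objects once, not per record."""
    return {app: [ipaddress.ip_network(c) for c in cidrs]
            for app, cidrs in allowed.items()}


def off_range_signins(records, allowed=ALLOWED_SOURCES):
    """Return (record, reason) pairs for sign-ins outside the expected networks.

    A principal with no allow-list entry is reported as well: an unexpected
    principal authenticating is at least as interesting as a known one
    authenticating from the wrong place. Address-family mismatches (an IPv4
    source checked against an IPv6 allow-list) count as 'not contained'.
    """
    nets = _parse_allow_list(allowed)
    findings = []
    for r in records:
        app = r["appId"]
        if app not in nets:
            findings.append((r, "no allow-list entry for this appId"))
            continue
        addr = ipaddress.ip_address(r["ipAddress"])
        if not any(addr in n for n in nets[app]):
            expected = [str(n) for n in nets[app]]
            findings.append((r, f"{addr} not in {expected}"))
    return findings


if __name__ == "__main__":
    for record, reason in off_range_signins(SAMPLE_SP_SIGNINS):
        print(f"{record['servicePrincipalName']} ({record['appId']}) -> "
              f"{record['resourceDisplayName']}: {reason}")
```

This only detects misuse after the secret has been used, so it belongs alongside, not instead of, the controls the poster already names: least-privilege RBAC, and replacing the long-lived key in the post with certificate credentials or a managed identity so there is nothing to copy. Microsoft has since shipped Conditional Access for workload identities, which applies a location condition to single-tenant service principals and is the native answer to this request.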
Get rid of the two factor verification method.
For the rest of us, post a telephone number to call.
1 vote
Allow users to remove/suppress conditional access messages
We have conditional access policies set for accessing O365 resources. When accessing those resources on a mobile device, the message from conditional access policies takes up a lot more real estate than when accessing on a PC. There should be a way for users to remove or suppress these messages specifically on mobile devices.
1 vote
Assignment of Conditional Access policy to eligible members of directory roles
Conditional Access policies can be assigned to members of a directory role. But it's limited to users with a permanent or active role assignment (after PIM activation of the requested eligible role).
It would be a useful security option to protect those groups of users at an early stage (even without standing permissions). The assignment in CA policies should be configurable on their eligible role.
Currently you have to create and manage CA assignment for eligible roles separately from your configuration in PIM. Otherwise policies will only take effect at the next CA evaluation after activation of the PIM role.
5 votes
Support for Microsoft Teams Web Client 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 in conditional access
When using "All cloud apps" in a conditional access policy and trying to access teams.microsoft.com, one of the URLs governed by Microsoft Teams Web Client (app ID: 5e3ce6c0-2b1f-4285-8d4b-75ee78787346), a user is blocked by conditional access.
This application can be found with its app ID under Enterprise apps in the Azure portal but cannot be included or excluded in a conditional access policy.
1 vote
Conditional Access location support whitelisting of Microsoft data center ranges
It would be great if Microsoft offered an option to select, say, "Microsoft Datacenter Ranges - Australia East", similar to how it's possible to create a location with Australian IP addresses. It would reduce the amount of administration clients need to do to keep things secure in Azure.
2 votes
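This request and the earlier "Add ability to select Microsoft Addresses in Named Locations" one come down to the same job: turning Microsoft's published IP ranges into Conditional Access named locations. Microsoft publishes those ranges as the "Azure IP Ranges and Service Tags" JSON download, one entry per tag (for example AzureCloud.australiaeast) with its addressPrefixes. The added example below is not part of this page and not a Microsoft tool; it builds Microsoft Graph ipNamedLocation request bodies (the shape accepted by POST /identity/conditionalAccess/namedLocations) from a constructed fragment in that file's layout. The sample prefixes, the display name and the per-location range cap (set to 2000, the documented limit at the time of writing, which should be re-checked) are assumptions.

```python
import ipaddress
import json

# Constructed fragment in the layout of the "Azure IP Ranges and Service
# Tags - Public Cloud" JSON download. The prefixes are documentation/test
# ranges, not Microsoft's real ones.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.australiaeast", "id": "AzureCloud.australiaeast",
         "properties": {"region": "australiaeast", "platform": "Azure",
                        "addressPrefixes": ["198.51.100.0/24", "203.0.113.0/25",
                                            "2001:db8:1::/48"]}},
        {"name": "AzureCloud.westeurope", "id": "AzureCloud.westeurope",
         "properties": {"region": "westeurope", "platform": "Azure",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})

# Assumption: the named-location limit on IP ranges. Verify against current docs.
MAX_RANGES_PER_LOCATION = 2000


def load_service_tags(text):
    """Parse the service tags download (a JSON document) into a dict."""
    return json.loads(text)


def select_prefixes(service_tags, tag_name):
    """Return the address prefixes for one tag, e.g. 'AzureCloud.australiaeast'."""
    for entry in service_tags["values"]:
        if entry["name"] == tag_name:
            return list(entry["properties"]["addressPrefixes"])
    raise KeyError(f"service tag {tag_name!r} not in file")


def to_graph_ip_range(prefix):
    """Validate a CIDR and wrap it in the Graph ipRange sub-type for its family."""
    net = ipaddress.ip_network(prefix, strict=True)   # reject host bits set
    kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
    return {"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)}


def build_named_locations(display_name, prefixes, max_ranges=MAX_RANGES_PER_LOCATION):
    """Build one or more ipNamedLocation request bodies for the given prefixes.

    Ranges beyond max_ranges spill into additional locations with a numbered
    suffix so a policy can later be scoped to all of them. isTrusted stays
    False on purpose: these are Microsoft's ranges, not the tenant's own.
    """
    ranges = [to_graph_ip_range(p) for p in prefixes]
    bodies = []
    for i in range(0, len(ranges), max_ranges):
        n = i // max_ranges + 1
        name = display_name if len(ranges) <= max_ranges else f"{display_name} ({n})"
        bodies.append({
            "@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name,
            "isTrusted": False,
            "ipRanges": ranges[i:i + max_ranges],
        })
    return bodies


if __name__ == "__main__":
    tags = load_service_tags(SAMPLE_SERVICE_TAGS)
    prefixes = select_prefixes(tags, "AzureCloud.australiaeast")
    for body in build_named_locations("Microsoft Datacenter Ranges - Australia East", prefixes):
        print(json.dumps(body, indent=2))
```

Two caveats before using a location like this in a policy. A range covering all of AzureCloud, or even one region, admits every Azure-hosted tenant including an attacker's own VM, so such a location should only ever loosen a block for specific service accounts and never be marked trusted or used to skip MFA for humans. And the service tags file is republished regularly, so the locations need re-syncing; keep the created location IDs and PATCH their ipRanges rather than deleting and recreating, otherwise any policy scoped to them breaks.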
“My access” and “My profile” support in conditional access policies.
Add support for the applications “My access” and “My profile” in conditional access policies.
3 votes
All admin portals need to be listed individually
Microsoft has left gaping holes in their ability to secure elevated access to many of the management portals individually: Azure, Office 365, Endpoint Manager, etc. Yes, there is a selection that includes some of the portals, but only a few. Missing is Compliance (or Security & Compliance or whatever it's being called this week). This is MFA 101. As it is today you cannot create an individual compliance access policy that triggers an MFA prompt when trying to connect to the compliance portal(s). Basing it on a role doesn't work either because most of the permissions in the compliance center are…
1 vote