Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups

    Baseline Policy: Require MFA for Admins (Preview) needs to be able to exclude groups.

    This policy does not pay attention to trusted location. Therefore, your global admin or other admin SERVICE ACCOUNTS will get blocked unless you exclude them one-by-one.

    This is very disruptive. This policy used to allow excluding groups and they changed it to only excluding users. Not all companies can move at the pace Microsoft is enforcing. We cannot make all of our service accounts into some other solution which won't get impacted and still work for us.

    Bring back group exclusion for manageability!!

    47 votes  ·  7 comments  ·  Conditional Access
  2. Baseline policy: Require MFA for admins does not allow for any exceptions

    The guidance on your website states: During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies. If you have enabled a baseline policy, you should exclude your emergency access accounts.

    However, none of the four Baseline policies provide the ability to exclude any users. This directly contradicts the guidance on your website. The "Require MFA for Service Management" policy even states the following when we attempt to enable it:

    "Don't get locked out. This policy can potentially prevent…

    15 votes  ·  2 comments  ·  Conditional Access
  3. Conditional Access for B2B Guest users

    For a Conditional Access Policy applicable to B2B Guest Users, in Azure AD > CA Policy we do not have an option for selective selection of B2B Guest users under the 'Users and Group' section of the CA Policy. But for Cloud Member users we do have an option for selective selection of users. Why don't we have the same capability and functionality for B2B Guest users that we have for Cloud Member users in a CA Policy? Also, why are we calling it Preview Mode?

    22 votes  ·  8 comments  ·  Conditional Access

    We’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?

  4. Azure Active Directory role

    I have a scenario where Azure Active Directory users log in to a frontend app and will be able to handle user administration using Graph APIs. These users will not have access to subscriptions/resources; these users have access only to Azure AD, where they can update/create/delete users/profiles. To achieve those actions, users should have the User Administrator directory role. But the issue here is that these users can log in to the Azure portal and have admin access to all users. For example, if I have a few applications where the users are different, I can manage them from the frontend app and business logic to show only users related…

    25 votes  ·  0 comments  ·  Conditional Access
  5. Restricting Access Of Azure Service Principals – Using Conditional Access

    If anyone has the information below, they can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md
    #>
    The best possible scenario is to restrict it using RBAC. Agreed.
    An extra layer of conditional access on the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most Service Principals have OAuth2 enabled and Read access to AAD.
    Can MS look into this, please?
    I had raised case with MS…

    15 votes  ·  0 comments  ·  Conditional Access
  6. Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies

    Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies

    16 votes  ·  2 comments  ·  Conditional Access
  7. Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups

    Need to exclude/include groups/users in the Azure AD baseline security policies SR-1172

    7 votes  ·  0 comments  ·  Conditional Access
  8. Ability to block all cloud apps except the ones for Intune enrollment (Windows 10)

    We have a Conditional Access policy which is configured to grant access to All cloud apps only if you are Hybrid domain joined or compliant.

    We would like to set up exclusions within this CA for Intune enrollment apps, because selecting Microsoft Intune and Microsoft Intune Enrollment is not encompassing enough.

    During the enrollment process (e.g. Windows 10 device BYOD or during Autopilot account setup) the Microsoft Application Command Service app is used; unfortunately it can be excluded.

    I have raised and identified this issue with MS support in the case number 119091321001371

    5 votes  ·  0 comments  ·  Conditional Access
  9. Ability to apply Azure Conditional Access policies to specific Windows OS versions (7, 8.1,10) for Hybrid Azure AD Joined Devices, or to spe

    Ability to apply Azure Conditional Access policies to specific Windows OS versions (7, 8.1, 10) for Hybrid Azure AD Joined Devices, or to specific devices in a device group.

    While Azure Conditional Access policies can currently be applied to Windows for Hybrid Azure AD Joined Devices, this includes all Windows operating systems. There is no ability to apply them to specific Windows OS versions, or to target specific devices. Having this functionality would allow, for example, blocking Windows 7 and 8.1 devices through CA policies, or blocking specific devices without an approved reason not to upgrade to Win10.

    21 votes  ·  0 comments  ·  Conditional Access
  10. Please provide an option to enforce (repeated) MFA for app access, even if SSO token already indicates MFA completed

    We have a requirement for an application to always enforce MFA for the user. E.g. the user logs in to Windows 10 with Hello for Business, so MFA is already satisfied when evaluating Conditional Access factors. But we need the user to authenticate again because this is a critical application.
    Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.
    E.g. to prevent a malicious user from logging in to the app when a workstation is left unlocked.
    Possible option to decrease MaxAgeMultiFactor to 0 (but this may break other things or annoy user for…

    4 votes  ·  1 comment  ·  Conditional Access
  11. Baseline Policy: End user protection

    I realize that this conditional access policy is still in preview. Currently it only seems to allow the Microsoft Authenticator app as the MFA method. However, the description of the policy says it is the default method, not the only method. I suggest either changing the description to "only", or enabling other authentication methods.

    2 votes  ·  1 comment  ·  Conditional Access
  12. Block only Azure Portal using Conditional Access

    I want to block users' access to the Azure Portal.
    So I have Conditional Access on the "Microsoft Azure Management" application in Azure AD.
    However, "Microsoft Azure Management" contains not only the Azure Portal but other applications as above.

    Manage access to Azure management with Conditional Access
    https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

    Please add only Azure Portal application to Conditional Access.

    3 votes  ·  1 comment  ·  Conditional Access
  13. Add Microsoft Authenticator to Approved Client App

    Currently the "Require approved client app" list of apps does not include the Microsoft Authenticator app, thus preventing adoption of cool features such as 'passwordless sign-in' which is apparently signing in as the user and therefore getting blocked.

    47 votes  ·  2 comments  ·  Conditional Access
  14. Always ask for MFA when using Azure AD Privileged Identity Management

    Always ask for MFA when using Azure AD Privileged Identity Management, even when you access it from a compliant device that is excluded from MFA by a conditional access policy.

    3 votes  ·  0 comments  ·  Conditional Access
  15. Add Office 365 Admin Mobile app as Approved Client App

    We noticed that the Office 365 Admin mobile app is not listed as an Approved Client app from Microsoft. This is affecting our users who have assigned admin roles in Azure and Office 365 that restrict use to Approved Client Apps. Are there plans to add the Microsoft Office 365 Admin App as a Microsoft Approved client app? Conditional access is flagging this as Office 365 Management.

    3 votes  ·  0 comments  ·  Conditional Access
  16. Make "SharePoint Online Web Client Extensibility" included/excluded from a Conditional Access policy when SharePoint Online is included/excluded

    We have a Conditional Access policy to block all guest users from accessing all apps, but exclude Exchange Online and SharePoint Online. However, the policy was not working as expected, since users also need to access "SharePoint Online Web Client Extensibility" (app ID 08e18876-6177-487e-b8b5-cf950c1e598c) while visiting SharePoint Online, which is not selectable in a Conditional Access policy, so this access was blocked by the policy.
    Is it possible to implement one of the following:
    1. Make Conditional Access policy controls for "SharePoint Online Web Client Extensibility" automatically align with SharePoint Online.
    2. Make "SharePoint Online Web Client Extensibility" a selectable…

    2 votes  ·  1 comment  ·  Conditional Access
  17. Ability to update Named Locations using PowerShell

    We have around 200 locations that use dynamic IP addresses that change frequently. We have the ability to pull the public IP addresses via REST API/PowerShell, but there is currently no way to update the Named Locations list programmatically. Without PowerShell, we are forced to manually dump the list to a CSV and upload the new file.

    We would like to have the ability to add, remove, and update Named Locations and entries in the IP ranges of a Named Location.

    117 votes  ·  12 comments  ·  Conditional Access
  18. All Baseline Conditional Access Policies: Allow Exclude / Include Users

    For all baseline conditional access policies, it is important to be able to either include or exclude users to help with phasing in a rollout. There are a number of scenarios where it is not practical to dump-truck a universal policy while rolling out. This was allowed at one point but is now not available.

    2 votes  ·  0 comments  ·  Conditional Access
  19. Support for Microsoft Office 365 00000006-0000-0ff1-ce00-000000000000 in conditional access

    When using "All cloud apps" in a Conditional Access policy, when trying to access admin.microsoft.com, one of the URLs governed by the Microsoft Office 365 portal (app ID: 00000006-0000-0ff1-ce00-000000000000), a user is blocked by Conditional Access. This issue is the same in some of the panes/icons in "Azure.portal.com"; this application can be found with its app ID under the Enterprise apps in the Azure portal but cannot be included or excluded in a conditional access policy.

    17 votes  ·  1 comment  ·  Conditional Access
  20. Support Conditional Access for the Partner Portal (OCP MPN PORTAL)

    Support Conditional Access for the Partner Portal (OCP MPN PORTAL).
    Add the partner portal to the Azure managed applications so we can use conditional access.

    13 votes  ·  4 comments  ·  Conditional Access