Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support for User-Agent Client Hints
User-Agent string is being retrieved as part of Azure\o365 audit log. The User-Agent is being used by security tools.
Google is planning to deprecate the User-Agent string in their Chromium engine (will affect Chrome, Edge and any app or browser that users Chromium). more info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. the current timeline is mid of 2020. Instead of the User-Agent string, they plan to add the User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/
Need to have the new User-Agent information available in the audit log and the APIs.
83 votes -
Conditional access policy by location should be standard feature
Conditional Access policies to block access from countries should be a standard security feature and organizations should not have to upgrade to E5 or Azure P2 to use this feature. We see failed sign in attempts everyday from countries such as China and Russia. It would block out 99% of the malicious sign in attempts if we could simply implement a conditional access policy by location.
8 votes -
App grouping
Currently conditional access policies can be scoped only to individual applications.
This has strong limitations:
* No more than hundreds of applications per policy
* In large environments with lots of applications, this gets very complex and unmanageable
* Changes to Conditional Access policies are always risky and should be minimized
* Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automationAll these issues can be solved by the following set of features:
* Provide a mechanism to group apps
* Allow CA policies to be scoped to these app groupsDepending…
15 votesThis is something we are looking to do.
-Daniel Wood
-
Assignment of Conditional Access policy to eligible member of directory roles
Conditional Access Policies can be assigned to members of a directory role. But It's limited to users with permanent or active role assignment (after PIM activation of requesting eligible role).
It would be a useful security option to protect those groups of users at an early stage (even without standing permissions). The assignment in CA Policies should be configured on their eligible role.
Currently you have to create and manage CA assignment for eligible roles separately from your configuration in PIM. Otherwise policies will be only affected at next CA evaluation after activation of PIM role.
4 votes -
Please provide an option to enforce (repeated) MFA for app access, even if SSO token already indicates MFA completed
We have a requirement for an application to always enforce MFA to the user. E.g. user logs in to Windows 10 with Hello for Business, then MFA is already satisfied when evaluating Conditional Access factors. But we need the user to authenticate again because this is a critical application.
Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.
E.g. to avoid malicious user to log in to the app when a workstation is left unlocked.
Possible option to decrease MaxAgeMultiFactor to 0 (but this may break other things or annoy user for…43 votes -
Block access to Azure at subscription-level based on device state
Many companies would like the ability to enforce Azure Conditional Access on a Azure subscription-level, which should require the user to have a managed device (Hybrid Azure AD Join / Intune managed device).
The reason for the ask is that some companies have highly sensitive information in some Azure subscription and other subscriptions is used for agile collaboration with partner (Azure B2B) with reduced security requirements for sign-in to Azure subscription.
Basically the same feature that is provided by the SharePoint team.
Provide "Conditional Access" on a SharePoint Online Site Collection Level:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/11125038-provide-conditional-access-on-a-sharepoint-onlinControl access from unmanaged devices:
https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices17 votes -
17 votes
-
2 votes
-
Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the below information, can connect to Azure from any network and issue Azure PS commands.
<#
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
MS Link
https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md>
Best possible scenario is to restrict is using RBAC. Agreed.
An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this please.
I had raised case with MS…66 votes -
Provide "location except" feature under Location conditions of conditional access policy
We want to block access to the app from all IP addresses except the specified one.
I want to define the IP address or range in the named location which is possible today but when I used this named location in Location Condition there is no way to mention "location except" feature.Basically I want my Azure AD connected site/app to be accessible only from certain IP and from all other IPs it should not be acessible.
3 votes -
Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies
Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies
51 votes -
Allow to exclude specific users when a named location is defined by country
To have a “binary toggle”, say a checkbox, where we can specify “Disallow any access, except the following directives ☑︎” so any human would be able to just include what he or she needs to include and that’s it. With this ability the conditional access logic can be toggled from its current logic to the “positive one” I’m proposing where everything is forbidden but what’s allowed.
3 votes -
All the required resources to be capable of being included and excluded from conditional access
How to correlate sign-ins to ALL applications to add in our CA policies. How do we do that? This isn’t documented anywhere seemingly.
For example, attached listed apps we found to be in our sign-in logs that cannot be individually selected. Worked with support, but it's apparently not possible as-is.
5 votes -
Bulk enable 'enable browser access' in Authenticator or Company portal on Intune managed Android device
When customer enabled device based conditional access policy for SPO requiring compliant device, Android device need to enable option 'Enable Browser Access‘ in order to avoid certificate prompt. Currently, user needs to manually enable on each of client device. It is a block for big-organization to enjoy conditional access policy and device management Intune solution.
1 vote -
Restrict access to all admin portals, Exchange, SharePoint, Teams, flow, Endpoint, etc
Would like the ability to restrict all admin portals to on-prem network or compliant\trusted devices. Similar to the azure management portal. Add SharePoint admin, Teams admin, Endpoint Manager admin, Power Automate Admin, Power BI, Security, MSDATP, etc
1 vote -
The MFA-Enabled list is inaccurate
When enforcing MFA through Conditional access, the MFA list is inaccurate as to who is registered.
https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx shows everyone as "Disabled" when in fact almost every user has MFA set up.
1 vote -
Giving options to solve specific problems
I had a business account which was cancelled, then I created and paid for a personal account but now I cannot access to Microsoft Teams apparently because it is not linked with Outlook.
What can I do?1 vote -
Apply Conditional Access to shared links
Please allow us to apply (some) Conditional Access rules to users accessing sharing links.
Use case:
We want to force external users to acknowledge a Terms of Use document even if they only received a "named user" link (SP Admin Center Sharing config is set to "New and existing guests").The current Conditional Access rules only apply to existing users, but as a user that received a shared file is not an AAD user, they are not prompted to accept the Terms of Use. In our use case, this is more important than for already existing guest accounts how (normally)…
3 votes -
Please have documentation as to which conditions and properties can be assessed by which legacy protcols.
a. From our research and my testing to date, it seems the a conditional access policy that is attempting to act specifically on legacy protocols cannot “see” the device state of the device (e.g. if it’s hybrid joined—which is unfortunate as I wanted to exclude blocking based upon that state) but, we think, can see an IP address “location” (which is good, if it can, as that will be a “must” for one of our applications). Recommendation/Request: Please have documentation as to which conditions and properties can be assessed by which legacy protcols.
b. Only the legacy “Active Sync” protocol…1 vote -
Replace Oauth tokens admin role from GA to authentication admin
MS suggest that limiting GA role should be done, but without GA role you cannot assign Oauth tokens.
Can you please replace this role with something else? example authentication admin role.3 votes
- Don't see your idea?