Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add support for User-Agent Client Hints

    The User-Agent string is retrieved as part of the Azure/O365 audit log. The User-Agent is used by security tools.

    Google is planning to deprecate the User-Agent string in their Chromium engine (this will affect Chrome, Edge and any app or browser that uses Chromium). More info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. The current timeline is mid-2020. Instead of the User-Agent string, they plan to add User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/

    Need to have the new User-Agent information available in the audit log and the APIs.

    82 votes
    0 comments  ·  Conditional Access
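As an added example (not code from this thread or from Microsoft), the parser below turns the User-Agent Client Hints headers the idea refers to (Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform) into the fields an audit pipeline would store next to the legacy User-Agent string, so detections keyed on browser brand, version and platform keep working once the UA string is frozen. The sample headers are constructed; the `audit_fields` output shape is my own choice, not an Azure AD log schema.

```python
"""Parse User-Agent Client Hints (the Sec-CH-UA* request headers) into the
fields a sign-in audit record would carry next to the legacy User-Agent.
Added example; the sample headers below are constructed, not from real logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sec-CH-UA is a Structured Headers list of quoted brand strings, each with a
# ;v="<major>" parameter, e.g.  "Chromium";v="84", "Google Chrome";v="84"
_BRAND_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*;\s*v\s*=\s*"([^"]*)"')


@dataclass
class ClientHints:
    brands: List[Tuple[str, str]] = field(default_factory=list)  # (brand, major version)
    mobile: bool = False
    platform: str = ""
    legacy_user_agent: str = ""


def parse_brand_list(value: str) -> List[Tuple[str, str]]:
    """Parse a Sec-CH-UA value; entries that do not fit the grammar are skipped."""
    brands = []
    for raw_brand, version in _BRAND_RE.findall(value):
        brand = raw_brand.replace('\\"', '"').replace("\\\\", "\\")
        brands.append((brand, version))
    return brands


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def is_grease_brand(brand: str) -> bool:
    """Chromium inserts an intentionally garbled brand such as ';Not A Brand' so
    consumers do not hard-code the list shape; keep it out of 'primary brand'."""
    lowered = brand.lower()
    return "not" in lowered and "brand" in lowered


def parse_client_hints(headers: Dict[str, str]) -> ClientHints:
    lower = {k.lower(): v for k, v in headers.items()}
    return ClientHints(
        brands=parse_brand_list(lower.get("sec-ch-ua", "")),
        mobile=lower.get("sec-ch-ua-mobile", "?0").strip() == "?1",  # sf-boolean: ?1 / ?0
        platform=_unquote(lower.get("sec-ch-ua-platform", "")),
        legacy_user_agent=lower.get("user-agent", ""),
    )


def primary_brand(hints: ClientHints) -> Tuple[str, str]:
    """Most specific real brand: prefer a vendor brand (Edge, Chrome) over the
    bare engine brand 'Chromium'; ('', '') when nothing usable was sent."""
    real = [b for b in hints.brands if not is_grease_brand(b[0])]
    vendor = [b for b in real if b[0].lower() != "chromium"]
    if vendor:
        return vendor[0]
    return real[0] if real else ("", "")


def audit_fields(headers: Dict[str, str]) -> Dict[str, object]:
    """The client fields a log pipeline should keep: the legacy UA string (while
    it still exists) and the structured hints side by side."""
    hints = parse_client_hints(headers)
    brand, version = primary_brand(hints)
    return {
        "user_agent": hints.legacy_user_agent,
        "ua_brand": brand,
        "ua_major_version": version,
        "ua_mobile": hints.mobile,
        "ua_platform": hints.platform,
        "ua_hints_present": bool(hints.brands),
    }


# Constructed sample request headers (not captured from any real tenant).
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36",
    "Sec-CH-UA": '"Chromium";v="84", "Google Chrome";v="84", ";Not A Brand";v="99"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Windows"',
}

if __name__ == "__main__":
    print(audit_fields(SAMPLE_HEADERS))
```

Two points matter for a detection pipeline: the GREASE brand must be filtered before anything keys on "brand", and a request with no Sec-CH-UA header at all (non-Chromium browsers, scripts, old clients) still needs a usable record, which is why both the legacy string and a `ua_hints_present` flag are kept.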
  2. Conditional access policy by location should be standard feature

    Conditional Access policies to block access from countries should be a standard security feature, and organizations should not have to upgrade to E5 or Azure P2 to use this feature. We see failed sign-in attempts every day from countries such as China and Russia. It would block out 99% of the malicious sign-in attempts if we could simply implement a Conditional Access policy by location.

    6 votes
    2 comments  ·  Conditional Access
  3. App grouping

    Currently conditional access policies can be scoped only to individual applications.
    This has strong limitations:
    * No more than hundreds of applications per policy
    * In large environments with lots of applications, this gets very complex and unmanageable
    * Changes to Conditional Access policies are always risky and should be minimized
    * Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automation

    All these issues can be solved by the following set of features:
    * Provide a mechanism to group apps
    * Allow CA policies to be scoped to these app groups

    Depending…

    11 votes
    4 comments  ·  Conditional Access
  4. Block access to Azure at subscription-level based on device state

    Many companies would like the ability to enforce Azure Conditional Access at the Azure subscription level, which should require the user to have a managed device (Hybrid Azure AD Join / Intune managed device).

    The reason for the ask is that some companies have highly sensitive information in some Azure subscriptions, and other subscriptions are used for agile collaboration with partners (Azure B2B) with reduced security requirements for sign-in to the Azure subscription.

    Basically the same feature that is provided by the SharePoint team.

    Provide "Conditional Access" on a SharePoint Online Site Collection Level:
    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/11125038-provide-conditional-access-on-a-sharepoint-onlin

    Control access from unmanaged devices:
    https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

    17 votes
    0 comments  ·  Conditional Access
  5. Please provide an option to enforce (repeated) MFA for app access, even if SSO token already indicates MFA completed

    We have a requirement for an application to always enforce MFA for the user. E.g. the user logs in to Windows 10 with Hello for Business, so MFA is already satisfied when evaluating Conditional Access factors. But we need the user to authenticate again because this is a critical application.
    Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.
    E.g. to prevent a malicious user from logging in to the app when a workstation is left unlocked.
    Possible option to decrease MaxAgeMultiFactor to 0 (but this may break other things or annoy user for…

    37 votes
    6 comments  ·  Conditional Access
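As an added example (not code from this thread), the block below models the two controls an application owner has today for the "re-prove MFA on every access to a critical app" requirement, independent of what Conditional Access lets a tenant admin configure: the app inspects the token's own evidence (`auth_time` and `amr` claims) and rejects sessions older than its freshness window, and it sends `prompt=login` on the OpenID Connect authorize request so Azure AD re-authenticates the user instead of silently minting a token from the existing SSO session. The app ID, tenant, `MAX_MFA_AGE` and the `MFA_METHODS` set are assumptions for the example; the decoded claims are constructed.

```python
"""Offline model of 'fresh MFA for critical apps' enforced by the app itself.
Added example, not from the thread.  The token is assumed to be already
signature-verified; only the freshness decision and the re-auth request
are modelled here."""
from urllib.parse import urlencode, urlparse, parse_qs
from typing import Dict, List

CRITICAL_APPS = {"11111111-1111-1111-1111-111111111111"}  # hypothetical app (client) IDs
MAX_MFA_AGE = 5 * 60             # seconds; assumed freshness window for the example
MFA_METHODS = {"mfa", "ngcmfa"}  # amr values treated as MFA-class; adjust to what your tokens carry


def requires_fresh_mfa(claims: Dict, app_id: str, now: float,
                       max_age: int = MAX_MFA_AGE) -> bool:
    """True when the app must send the user back to Azure AD before serving
    the request.  claims is the decoded ID/access token payload."""
    if app_id not in CRITICAL_APPS:
        return False
    amr: List[str] = claims.get("amr", [])
    if not MFA_METHODS.intersection(amr):
        return True             # no MFA-class method in this session at all
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return True             # no freshness evidence: fail closed
    # The gap between when the user proved identity (time of check) and when
    # the app acts on it (time of use) is what the post wants to bound.
    return (now - auth_time) > max_age


def reauth_url(tenant: str, client_id: str, redirect_uri: str,
               state: str, nonce: str) -> str:
    """OIDC authorize request that forces interactive re-authentication.
    prompt=login tells Azure AD to ignore the existing SSO session; state and
    nonce must be fresh, unguessable values bound to the user's session."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
    }
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode(params))


def authorize_params(url: str) -> Dict[str, str]:
    """Decode the query of an authorize URL (used to inspect what was sent)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    now = 1_600_000_000
    app = next(iter(CRITICAL_APPS))
    stale = {"amr": ["pwd", "mfa"], "auth_time": now - 3600}   # constructed claims
    if requires_fresh_mfa(stale, app, now):
        print(reauth_url("contoso.onmicrosoft.com", app,
                         "https://app.example/callback", "s1", "n1"))
```

The decision and the redirect are separate on purpose: the freshness check is what closes the unlocked-workstation case the post describes, and `prompt=login` is what makes the redirect actually challenge the user rather than bounce straight back with a new token from the same SSO session. Lowering a tenant-wide setting such as MaxAgeMultiFactor affects every app; this check only costs the users of the critical app.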
  6. Restricting Access Of Azure Service Principals – Using Conditional Access

    Anyone who has the information below can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md

    #>

    The best possible scenario is to restrict it using RBAC. Agreed.
    An extra layer of Conditional Access for the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most Service Principals have OAuth2 enabled and Read access to AAD.
    Can MS look into this please?
    I had raised a case with MS…

    55 votes
    0 comments  ·  Conditional Access
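The post's point is that a service principal secret authenticates from any network, so the credential itself is the whole control. As an added example (not code from the thread), the audit below walks a set of service principal objects and reports the credential shapes that make a leaked secret most damaging: long-lived client secrets, secret-only principals with no certificate, and credential sprawl. The objects are constructed to mirror the `passwordCredentials` / `keyCredentials` fields (with `startDateTime`, `endDateTime`, `keyId`) that Microsoft Graph returns for applications and service principals; the threshold `MAX_SECRET_LIFETIME` is an assumed policy value.

```python
"""Audit service principals for risky credential shapes.  Added example; the
SAMPLE_SPS objects are constructed and not from any real tenant."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_SECRET_LIFETIME = timedelta(days=180)   # assumed policy threshold


def _parse(ts: str) -> datetime:
    """Graph returns ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_service_principal(sp: Dict, now: datetime,
                            max_lifetime: timedelta = MAX_SECRET_LIFETIME) -> List[str]:
    """Return the findings for one principal (empty list = nothing to report).
    Expired credentials are ignored: they can no longer be used."""
    findings: List[str] = []
    secrets = [c for c in sp.get("passwordCredentials", [])
               if _parse(c["endDateTime"]) > now]
    certs = [c for c in sp.get("keyCredentials", [])
             if _parse(c["endDateTime"]) > now]
    for c in secrets:
        lifetime = _parse(c["endDateTime"]) - _parse(c["startDateTime"])
        if lifetime > max_lifetime:
            findings.append(f"secret {c['keyId']} lifetime {lifetime.days}d "
                            f"exceeds {max_lifetime.days}d")
    if secrets and not certs:
        findings.append("client secret(s) only; prefer certificate credentials")
    if len(secrets) + len(certs) > 2:
        findings.append(f"{len(secrets) + len(certs)} active credentials; rotate and prune")
    return findings


def audit_all(sps: List[Dict], now: datetime) -> Dict[str, List[str]]:
    """Map displayName -> findings, omitting principals with nothing to report."""
    report: Dict[str, List[str]] = {}
    for sp in sps:
        findings = audit_service_principal(sp, now)
        if findings:
            report[sp["displayName"]] = findings
    return report


NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)

# Constructed sample objects shaped like Graph servicePrincipal credential fields.
SAMPLE_SPS = [
    {"displayName": "MS-PoC-ServicePrincipal",          # the shape the post describes
     "passwordCredentials": [{"keyId": "k1",
                              "startDateTime": "2019-01-01T00:00:00Z",
                              "endDateTime": "2021-01-01T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "reporting-api",                      # certificate only
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "c1",
                         "startDateTime": "2020-01-01T00:00:00Z",
                         "endDateTime": "2021-01-01T00:00:00Z"}]},
    {"displayName": "retired-job",                        # secret already expired
     "passwordCredentials": [{"keyId": "k2",
                              "startDateTime": "2018-01-01T00:00:00Z",
                              "endDateTime": "2020-01-01T00:00:00Z"}],
     "keyCredentials": []},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SPS, NOW).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The RBAC scoping the post already agrees with limits what a stolen credential can do; this check limits how long it stays usable and whether it is a bearer string that can be copied out of a script at all. Whatever the audit turns up, the sign-in log for the principal is where to look for use from networks it has no business on.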
  7. Allow to exclude specific users when a named location is defined by country

    To have a “binary toggle”, say a checkbox, where we can specify “Disallow any access, except the following directives ☑︎” so any human would be able to just include what he or she needs to include and that’s it. With this ability the conditional access logic can be toggled from its current logic to the “positive one” I’m proposing where everything is forbidden but what’s allowed.

    3 votes
    0 comments  ·  Conditional Access
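Idea 2 (block sign-ins by country) and the idea above (exclude specific users from a country-based rule) describe the two halves of one policy, so this single added example covers both. It is not code from the thread: it builds the request bodies for a country named location and a Conditional Access policy that blocks from it while excluding named accounts, then evaluates that policy offline against constructed sign-in events. Field names follow the Microsoft Graph `countryNamedLocation` and `conditionalAccessPolicy` schemas as I understand them; the break-glass object IDs, the named-location ID and the events are placeholders.

```python
"""Country-based block policy with explicit user exclusions, modelled offline.
Added example.  Graph field names are as the author understands the schema;
all IDs and sign-in events are constructed."""
import json
from typing import Dict, List, Optional

# Hypothetical object IDs of cloud-only emergency-access accounts.
BREAK_GLASS_ACCOUNTS = ["00000000-0000-0000-0000-00000000bg01",
                        "00000000-0000-0000-0000-00000000bg02"]


def country_named_location(name: str, countries: List[str],
                           include_unknown: bool = False) -> Dict:
    """Body for POST /identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": sorted({c.upper() for c in countries}),  # ISO 3166-1 alpha-2
        "includeUnknownCountriesAndRegions": include_unknown,
    }


def block_from_location_policy(name: str, location_id: str,
                               excluded_users: List[str]) -> Dict:
    """Body for POST /identity/conditionalAccess/policies.  Starts in report-only
    so the sign-in log shows what would be blocked before anything is enforced."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": [location_id], "excludeLocations": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy: Dict, location: Dict, event: Dict) -> str:
    """Offline model of the evaluation: 'allow', 'block', or 'report' (would
    block, policy is report-only).  event = {'user_id': ..., 'country': 'CN'|None}."""
    if policy["state"] == "disabled":
        return "allow"
    if event["user_id"] in policy["conditions"]["users"]["excludeUsers"]:
        return "allow"                      # exclusions win before location is considered
    country: Optional[str] = event.get("country")
    if country is None:                     # IP could not be geolocated
        in_location = location["includeUnknownCountriesAndRegions"]
    else:
        in_location = country.upper() in location["countriesAndRegions"]
    if not in_location:
        return "allow"
    return "block" if policy["state"] == "enabled" else "report"


def build_policy_set(blocked: List[str]):
    loc = country_named_location("Blocked countries", blocked)
    pol = block_from_location_policy("Block sign-in from listed countries",
                                     "<namedLocation id returned by Graph>",  # placeholder
                                     BREAK_GLASS_ACCOUNTS)
    return loc, pol


# Constructed sign-in events (not from a real tenant).
SAMPLE_EVENTS = [
    {"user_id": "alice", "country": "CN"},
    {"user_id": "bob", "country": "US"},
    {"user_id": BREAK_GLASS_ACCOUNTS[0], "country": "RU"},
    {"user_id": "carol", "country": None},
]


def run(blocked: List[str], enforce: bool) -> List[str]:
    loc, pol = build_policy_set(blocked)
    if enforce:
        pol["state"] = "enabled"
    return [evaluate(pol, loc, e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    loc, pol = build_policy_set(["cn", "ru"])
    print(json.dumps(loc, indent=2))
    print(json.dumps(pol, indent=2))
    print(run(["cn", "ru"], enforce=True))
```

Three practitioner caveats the model makes visible: keep the exclusion list to emergency-access accounts so a mistaken country list cannot lock every administrator out; decide explicitly whether "unknown country" sign-ins are in scope, since an attacker's IP may simply not geolocate; and leave the policy in report-only until the sign-in log shows the expected hits. Conditional Access itself is licensed with Azure AD Premium P1; P2 adds the Identity Protection risk conditions, not the location condition.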
  8. All the required resources to be capable of being included and excluded from conditional access

    How to correlate sign-ins to ALL applications to add in our CA policies. How do we do that? This isn’t documented anywhere seemingly.

    For example, the attached list of apps we found in our sign-in logs cannot be individually selected. We worked with support, but it's apparently not possible as-is.

    5 votes
    0 comments  ·  Conditional Access
  9. Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies

    Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies

    46 votes
    9 comments  ·  Conditional Access
  10. 10 votes
    1 comment  ·  Conditional Access
  11. Giving options to solve specific problems

    I had a business account which was cancelled, then I created and paid for a personal account, but now I cannot access Microsoft Teams, apparently because it is not linked with Outlook.
    What can I do?

    1 vote
    1 comment  ·  Conditional Access
  12. Apply Conditional Access to shared links

    Please allow us to apply (some) Conditional Access rules to users accessing sharing links.

    Use case:
    We want to force external users to acknowledge a Terms of Use document even if they only received a "named user" link (SP Admin Center Sharing config is set to "New and existing guests").

    The current Conditional Access rules only apply to existing users, but as a user that received a shared file is not an AAD user, they are not prompted to accept the Terms of Use. In our use case, this is more important than for already existing guest accounts how (normally)…

    3 votes
    0 comments  ·  Conditional Access
  13. Replace Oauth tokens admin role from GA to authentication admin

    MS suggests that the GA role should be limited, but without the GA role you cannot assign OAuth tokens.
    Can you please replace this role with something else? For example, the Authentication Administrator role.

    3 votes
    0 comments  ·  Conditional Access
  14. Block only Azure Portal using Conditional Access

    I want to block users' access to the Azure Portal.
    So I have Conditional Access on the "Microsoft Azure Management" application in Azure AD.
    However, "Microsoft Azure Management" contains not only the Azure Portal but other applications as above.

    Manage access to Azure management with Conditional Access
    https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

    Please add only Azure Portal application to Conditional Access.

    15 votes
    1 comment  ·  Conditional Access
  15. Conditional Access Policy to Support Anonymous IPs / Tor Network Sources

    In the Conditions -> Locations section of the CA policy, add the option to select 'known anonymous ips'. This would enable forcing of MFA or blocking of login based on this type of source network.

    1 vote
    0 comments  ·  Conditional Access
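Until a "known anonymous IPs" location condition exists, the equivalent check has to be run against the sign-in log with an anonymizer feed of your own. As an added example (not code from the thread), the block below matches a constructed sign-in export against a small stand-in for a Tor exit / anonymizing-proxy list and models the two actions the idea proposes (force MFA or block). The prefixes are documentation ranges, the CSV lines are made up, and the column names are my assumption about an export; substitute your real feed and export.

```python
"""Flag sign-ins from anonymizer / Tor source addresses.  Added example; the
network list and the sign-in CSV are constructed, not a real feed or tenant."""
import csv
import io
import ipaddress
from typing import List, Tuple

# Constructed stand-in for a Tor exit / anonymizing-proxy feed.
ANONYMIZER_NETWORKS = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24", "198.51.100.77/32", "2001:db8:dead::/48")]

# Constructed sign-in log export; column names are an assumption.
SIGN_IN_CSV = """\
createdDateTime,userPrincipalName,ipAddress,status,appDisplayName
2020-06-01T08:00:00Z,alice@contoso.example,203.0.113.9,Success,Office 365 Exchange Online
2020-06-01T08:05:00Z,bob@contoso.example,192.0.2.10,Success,Microsoft Teams
2020-06-01T08:07:00Z,bob@contoso.example,2001:db8:dead::1,Failure,Azure Portal
2020-06-01T08:09:00Z,carol@contoso.example,not-an-ip,Success,SharePoint Online
"""


def is_anonymizer(ip_text: str) -> bool:
    """Membership test that tolerates garbage: an unparseable address is not
    matched here (alert on it separately if your export should never contain one)."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in ANONYMIZER_NETWORKS)


def scan(csv_text: str) -> List[Tuple[str, str]]:
    """Return (user, ip) for every sign-in, successful or not, that came from an
    anonymizer network.  Failures matter too: they show who is being targeted."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_anonymizer(row["ipAddress"]):
            hits.append((row["userPrincipalName"], row["ipAddress"]))
    return hits


def proposed_control(is_anon: bool, mode: str, mfa_satisfied: bool) -> str:
    """Model of the condition the idea asks for.  mode is 'block' or 'mfa':
    'block' refuses anonymizer sign-ins outright, 'mfa' lets them through only
    once a multi-factor claim is present."""
    if not is_anon:
        return "allow"
    if mode == "block":
        return "block"
    return "allow" if mfa_satisfied else "require_mfa"


if __name__ == "__main__":
    for user, ip in scan(SIGN_IN_CSV):
        print(f"{user} from anonymizer {ip}: "
              f"{proposed_control(True, 'mfa', mfa_satisfied=False)}")
```

Matching on a static list is only as fresh as the feed, so re-pull it on the same schedule the feed publishes. Tenants with Azure AD Premium P2 already get an "anonymous IP address" sign-in risk detection from Identity Protection and can key a Conditional Access sign-in-risk condition on it; the scan above is the P1-or-lower substitute.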
  16. Support for accessing SharePoint onprem files through Application Proxy from Android and IOS Office Apps

    Problem:
    - Access is blocked (You cannot open the document) when Approved Client App is a requirement in the CA policy ("You cannot get there from here" message)
    - After trying to authenticate (and being blocked), the Office app needs to be restarted to be responsive again.

    Possible solutions:
    - rewrite the authentication flow to use the auth token saved on the device - instead of trying to reauthenticate with webkit browser
    - use Edge browser inside the apps to reauthenticate
    - Treat webkit as an approved app when inside an office app

    Since all the users recent documents are…

    6 votes
    1 comment  ·  Conditional Access
  17. JIT

    I have one question that I want to ask. With regard to setting JIT access on a VM, I wanted to know whether users who connect to a VM at a certain set time and from a specified IP address (because of the JIT conditions set) can also be required to be authenticated users, so that someone else who knows all of the rules can't connect. I would like JIT conditional access to be more restrictive.

    1 vote
    0 comments  ·  Conditional Access
  18. Allow customization of Alerts and creating our own alerts

    Allow admins to create their own alerts or customize existing alerts to include more information or add instructions to recipients.

    1 vote
    0 comments  ·  Conditional Access
  19. Allow adding/Creating your own Risk Detection Rules and allow nested conditions

    Allow admins to create their own correlation rules for risk based on different attributes such as user department and access levels. Also allow nested conditions, like: if member of X department and logon from China = high risk.

    1 vote
    0 comments  ·  Conditional Access
  20. Azure Active Directory role

    I have a scenario where Azure Active Directory users log in to a frontend app and will be able to handle user administration using Graph APIs. These users will not have access to subscriptions/resources; these users have access only to Azure AD, where they can update/create/delete users/profiles. To achieve those actions the users should have the User Administrator directory role. But the issue here is that these users can log in to the Azure portal and have admin access to all users. For example: if I have a few applications where the users are different, I can manage from the frontend app and business logic to show only users related…

    30 votes
    0 comments  ·  Conditional Access