Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add ability to select Microsoft Addresses in Named Locations

    I'm trying to limit our service accounts access to Azure services, so they are only allowed to logon to Azure services from the actual location they are used.

    I also have a number of service accounts used in Azure to log in to another Azure service (I think it's some ClickDimensions, used to log in to some CRM/Dynamics). These service accounts log in from Microsoft IP addresses.
    It would be nice if it was possible to select Microsoft IP addresses as a named location, and maybe also other cloud providers (Amazon, Google, etc.).
    I have downloaded a list of all Microsoft's public IP…

    26 votes

    1 comment  ·  Conditional Access
  2. Add support for User-Agent Client Hints

    User-Agent string is being retrieved as part of Azure\o365 audit log. The User-Agent is being used by security tools.

    Google is planning to deprecate the User-Agent string in their Chromium engine (this will affect Chrome, Edge and any app or browser that uses Chromium). More info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. The current timeline is mid-2020. Instead of the User-Agent string, they plan to add User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/

    Need to have the new User-Agent information available in the audit log and the APIs.

    83 votes

    0 comments  ·  Conditional Access
  3. Implement ability to only allow users to login to 1 session at a time.

    We're able to set the idle time and force an account to log out after a specific time. There should also be the ability to only allow 1 user to log in to Office 365, browser, application etc. at a time. This will assist customers that may have requirements for shared accounts and need to ensure only 1 user is logged in at a time.

    6 votes

    1 comment  ·  Conditional Access
  4. Change message details for users blocked by CA policy when signing into O365

    When a user is blocked by a conditional access policy set in Azure Active Directory, the message validates that the username and password were successful but failed due to certain criteria not being met (CA Policy). The premise being that a bad actor with stolen creds is able to confirm that those credentials are valid, despite not being on a device capable of logon. This would allow the actor to attempt to use the same credentials in other places and is a major security risk.

    Please allow for this message to be editable or change it so that it doesn't…

    11 votes

    0 comments  ·  Conditional Access
  5. App grouping

    Currently conditional access policies can be scoped only to individual applications.
    This has strong limitations:
    * No more than hundreds of applications per policy
    * In large environments with lots of applications, this gets very complex and unmanageable
    * Changes to Conditional Access policies are always risky and should be minimized
    * Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automation

    All these issues can be solved by the following set of features:
    * Provide a mechanism to group apps
    * Allow CA policies to be scoped to these app groups

    Depending…

    25 votes

    started  ·  5 comments  ·  Conditional Access
  6. 48 votes

    planned  ·  9 comments  ·  Conditional Access
  7. Conditional access policy by location should be standard feature

    Conditional Access policies to block access from countries should be a standard security feature, and organizations should not have to upgrade to E5 or Azure P2 to use this feature. We see failed sign-in attempts every day from countries such as China and Russia. It would block out 99% of the malicious sign-in attempts if we could simply implement a conditional access policy by location.

    9 votes

    3 comments  ·  Conditional Access
  8. App Microsoft 365 Security and Compliance Center is not supported by conditional access policy

    App Microsoft 365 Security and Compliance Center is not supported by conditional access policy. This is to add the App ID 80ccca67-54bd-44ab-8625-4b79c4dc7775 be supported by the CA policies.

    Impact: Users are not able to review "end user spam notification" in https://protection.office.com/quarantine via mobile device.

    3 votes

    2 comments  ·  Conditional Access
  9. Programmatic option for the CA “what if” tool? (e.g. PowerShell or MSFT Graph API)

    We provide lots of good documentation around common CA policies, best practices, and how-tos guiding customers how to set up these policies. At this time, the only way to test [at least to my knowledge] is using the "what if" tool, but this must be performed from the Azure AD portal and requires manual interaction. This limits testing to one-off scenarios or very manual one-at-a-time effort.

    It would be extremely helpful to have a programmatic interface for performing "what if" testing such as PowerShell or via the Microsoft Graph API. For example, a theoretical endpoint method such as the following that…

    2 votes

    0 comments  ·  Conditional Access
  10. Sort Azure AD Conditional Access policies in alphabetic order

    Would it be possible to sort the policies under Conditional Access in alphabetical order? When the number of policies grows, it would be nice to have them sorted.

    1 vote

    0 comments  ·  Conditional Access
  11. Give the option to provide a 'grace period' before accepting Terms of Use

    We are currently working towards some certifications, which requires us to make our employees 'sign' a lot of documents (anti-bribery etc.). To do this, we use conditional access' Terms of Use feature.

    However, when we push a new Terms of Use, this blocks the whole flow for all of our users. Most users just click 'accept' without reading the document because they have, e.g., an important meeting to get to.

    I would like an option so that the end user can 'snooze' the ToU (e.g. max 10 days) and approve it later.

    1 vote

    0 comments  ·  Conditional Access
  12. Allow all {Application ID} to be blocked/allowed using conditional access

    Example:
    Application Microsoft Invitation Acceptance Portal
    Application ID 4660504c-45b3-4674-a709-71951a6b0763

    Allow all {Application ID} to be blocked/allowed using conditional access, currently you cannot apply conditional access policies to Microsoft Invitation Acceptance Portal.

    guid

    1 vote

    0 comments  ·  Conditional Access
  13. Restricting Access Of Azure Service Principals – Using Conditional Access

    If anyone has the below information, they can connect to Azure from any network and issue Azure PS commands.
    <#
    Display Name : MS-PoC-ServicePrincipal
    APP ID : XXXXXXXXXXXX
    Tenant ID : YYYYYYYYYYY
    Object ID : ZZZZZZZZZZZZZ
    Key : oooooooooo
    MS Link
    https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md

    >

    Best possible scenario is to restrict it using RBAC. Agreed.
    An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
    Can MS look into this, please?
    I had raised a case with MS…

    112 votes

    10 comments  ·  Conditional Access
  14. Get rid of the two factor verification method.

    For the rest of us, post a telephone number to call.

    1 vote

    0 comments  ·  Conditional Access
  15. Allow users to remove/suppress conditional access messages

    We have conditional access policies set for accessing O365 resources. When accessing those resources on mobile devices, the messages from conditional access policies take up a lot more real estate than when accessing on a PC. There should be a way for users to remove or suppress these messages, specifically on mobile devices.

    1 vote

    0 comments  ·  Conditional Access
  16. Assignment of Conditional Access policy to eligible member of directory roles

    Conditional Access Policies can be assigned to members of a directory role. But it's limited to users with a permanent or active role assignment (after PIM activation of the requested eligible role).

    It would be a useful security option to protect those groups of users at an early stage (even without standing permissions). The assignment in CA Policies should be configured on their eligible role.

    Currently you have to create and manage CA assignment for eligible roles separately from your configuration in PIM. Otherwise policies will only be affected at the next CA evaluation after activation of the PIM role.

    5 votes

    0 comments  ·  Conditional Access
  17. Support for Microsoft Teams Web Client 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 in conditional access

    When using "All cloud apps" in a Conditional Access policy, when trying to access teams.microsoft.com, one of the URLs governed by Microsoft Teams Web Client (app ID: 5e3ce6c0-2b1f-4285-8d4b-75ee78787346), a user is blocked by Conditional Access.
    This application can be found by its app ID under the Enterprise apps in the Azure portal but cannot be included or excluded in a conditional access policy.

    1 vote

    0 comments  ·  Conditional Access
  18. Conditional Access location support whitelisting of Microsoft data center ranges

    It would be great if Microsoft offered an option to select, say, "Microsoft Datacenter Ranges - Australia East", similar to how it's possible to create a location with Australian IP addresses. It would reduce the amount of administration clients need to do to keep things secure in Azure.

    2 votes

    0 comments  ·  Conditional Access
  19. “My access” and “My profile” support in conditional access policies.

    Add support for the applications “My access” and “My profile” in conditional access policies.

    3 votes

    0 comments  ·  Conditional Access
  20. All admin portals need to be listed individually

    Microsoft has left gaping holes in their ability to secure elevated access to many of the management portals individually: Azure, Office 365, Endpoint Manager, etc. Yes, there is a selection that includes some of the portals, but only a few. Missing is Compliance (or Security & Compliance, or whatever it's being called this week). This is MFA 101. As it is today you cannot create an individual compliance access policy that triggers an MFA prompt when trying to connect to the compliance portal(s). Basing it on a role doesn't work either because most of the permissions in the compliance center are…

    1 vote

    0 comments  ·  Conditional Access