Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Add support for User-Agent Client Hints
User-Agent string is being retrieved as part of Azure\o365 audit log. The User-Agent is being used by security tools.
Google is planning to deprecate the User-Agent string in their Chromium engine (will affect Chrome, Edge and any app or browser that users Chromium). more info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. the current timeline is mid of 2020. Instead of the User-Agent string, they plan to add the User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/
Need to have the new User-Agent information available in the audit log and the APIs.
82 votes -
Conditional access policy by location should be standard feature
Conditional Access policies to block access from countries should be a standard security feature and organizations should not have to upgrade to E5 or Azure P2 to use this feature. We see failed sign in attempts everyday from countries such as China and Russia. It would block out 99% of the malicious sign in attempts if we could simply implement a conditional access policy by location.
6 votes -
App grouping
Currently conditional access policies can be scoped only to individual applications.
This has strong limitations:
* No more than hundreds of applications per policy
* In large environments with lots of applications, this gets very complex and unmanageable
* Changes to Conditional Access policies are always risky and should be minimized
* Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automationAll these issues can be solved by the following set of features:
* Provide a mechanism to group apps
* Allow CA policies to be scoped to these app groupsDepending…
11 votesThis is something we are looking to do.
-Daniel Wood
-
Block access to Azure at subscription-level based on device state
Many companies would like the ability to enforce Azure Conditional Access on a Azure subscription-level, which should require the user to have a managed device (Hybrid Azure AD Join / Intune managed device).
The reason for the ask is that some companies have highly sensitive information in some Azure subscription and other subscriptions is used for agile collaboration with partner (Azure B2B) with reduced security requirements for sign-in to Azure subscription.
Basically the same feature that is provided by the SharePoint team.
Provide "Conditional Access" on a SharePoint Online Site Collection Level:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/11125038-provide-conditional-access-on-a-sharepoint-onlinControl access from unmanaged devices:
https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices17 votes -
Please provide an option to enforce (repeated) MFA for app access, even if SSO token already indicates MFA completed
We have a requirement for an application to always enforce MFA to the user. E.g. user logs in to Windows 10 with Hello for Business, then MFA is already satisfied when evaluating Conditional Access factors. But we need the user to authenticate again because this is a critical application.
Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.
E.g. to avoid malicious user to log in to the app when a workstation is left unlocked.
Possible option to decrease MaxAgeMultiFactor to 0 (but this may break other things or annoy user for…37 votes -
Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the below information, can connect to Azure from any network and issue Azure PS commands.
<#
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
MS Link
https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md>
Best possible scenario is to restrict is using RBAC. Agreed.
An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this please.
I had raised case with MS…55 votes -
Allow to exclude specific users when a named location is defined by country
To have a “binary toggle”, say a checkbox, where we can specify “Disallow any access, except the following directives ☑︎” so any human would be able to just include what he or she needs to include and that’s it. With this ability the conditional access logic can be toggled from its current logic to the “positive one” I’m proposing where everything is forbidden but what’s allowed.
3 votes -
All the required resources to be capable of being included and excluded from conditional access
How to correlate sign-ins to ALL applications to add in our CA policies. How do we do that? This isn’t documented anywhere seemingly.
For example, attached listed apps we found to be in our sign-in logs that cannot be individually selected. Worked with support, but it's apparently not possible as-is.
5 votes -
Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies
Add Microsoft Intune Company Portal to Cloud apps list in Conditional Access policies
46 votes -
10 votes
-
Giving options to solve specific problems
I had a business account which was cancelled, then I created and paid for a personal account but now I cannot access to Microsoft Teams apparently because it is not linked with Outlook.
What can I do?1 vote -
Apply Conditional Access to shared links
Please allow us to apply (some) Conditional Access rules to users accessing sharing links.
Use case:
We want to force external users to acknowledge a Terms of Use document even if they only received a "named user" link (SP Admin Center Sharing config is set to "New and existing guests").The current Conditional Access rules only apply to existing users, but as a user that received a shared file is not an AAD user, they are not prompted to accept the Terms of Use. In our use case, this is more important than for already existing guest accounts how (normally)…
3 votes -
Replace Oauth tokens admin role from GA to authentication admin
MS suggest that limiting GA role should be done, but without GA role you cannot assign Oauth tokens.
Can you please replace this role with something else? example authentication admin role.3 votes -
Block only Azure Portal using Conditional Access
I want to block users access to Azure Portal.
So I have Conditional Access on the "Microsoft Azure Management" application in Azure AD.
However "Microsoft Azure Management" contains not only Azure Portal but other applications as above.Manage access to Azure management with Conditional Access
https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-managementPlease add only Azure Portal application to Conditional Access.
15 votes -
Conditional Access Policy to Support Anonymous IPs / Tor Network Sources
In the Conditions -> Locations section of the CA policy, add the option to select 'known anonymous ips'. This would enable forcing of MFA or blocking of login based on this type of source network.
1 vote -
Support for accessing SharePoint onprem files through Application Proxy from Android and IOS Office Apps
Problem:
- Access are blocked (You cannot open the document) when Approved Client App is a requirement in the CA policy (You cannot get there from here message)
- After trying to authenticate (and being blocked) the Office app needs to be restarted to be responsive again.Possible solutions:
- rewrite the authentication flow to use the auth token saved on the device - instead of trying to reauthenticate with webkit browser
- use Edge browser inside the apps to reauthenticate
- Treat webkit as an approved app when inside an office appSince all the users recent documents are…
6 votes -
JIT
I have one question that I want to ask. With regards to setting JIT access on a VM I wanted to know if users who connect to a VM at a certain set time and from a specified IP address (because of JIT conditions set) can also be an authenticated user also? So someone else who knows all of the rules cant connect. I would like JIT conditional access to be more restrictive.
1 vote -
Allow customization of Alerts and creating our own alerts
Allow admins to create their own alerts or customize existing alerts to include more information or add instructions to recipients.
1 vote -
Allow adding/Creating your own Risk Detection Rules and allow nested conditions
Allow admins to create their own correlation rules for risk based on different attribute like user department and access levels. Also allow for nested conditions like if member of x department and logon from China = high risk.
1 vote -
azure active directory role
I have a scenario where azure active directory users login to fronend app and will be able to handle user administration using graph apis. These users will not having access to subscription/resources these users are access to only Azure AD who can update/create/delete usrs/profiles. To achieve those actions users should have user admin directory role. But the issue here is these users can login to azure portal and have admin assess to all users. For ex: if I have few applications where users are different i can manage from frontend app and business logic to show only users to related…
30 votesValid feedback. Open for customer upvotes
- Don't see your idea?