Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Option to include Azure backbone IP addresses to Named (trusted) Locations by default

    We are seeing a maintainability issue with respect to Conditional Access rules and Named Locations. Whenever our users create a Service Endpoint on a subnet to include AAD, we need to manually update the Named (trusted) Locations. This is becoming burdensome and we are concerned by the implication of this as we look to automate more and more across all manner of services in Azure. Another example is users of Cloud Shell being rejected because they present from the Azure IP which isn't trusted by default. The request is for Named Location rules to allow trusting Azure Services in a…

    1 vote  ·  0 comments  ·  Conditional Access
  2. Device State Condition - Need an option to include/exclude Non Hybrid Azure AD joined device (public/BYOD)

    The Device State needs to almost mimic the existing Grant Controls options (see below) so that the CA rule can be evaluated or skipped.

    While workers are on-prem, we can use trusted locations, but with mobile workforces now, we cannot trust their VPN IPs over split-tunnel.

    Goal is to be able to have policies that are targeted to public devices and other policies that are targeted to only Hybrid-Joined Devices.

    Existing GRANT Options:
    
    1. Require device to be marked as compliant
    2. Require Hybrid Azure AD joined device

    Current Device State CONDITION Options are:
    Include
    1. All Device…

    1 vote  ·  0 comments  ·  Conditional Access
  3. Add support for time-based Conditional Access policies within AAD

    Add the functionality for administrators to create time-based Conditional Access policies within Azure AD, e.g. to limit the availability of services or prevent logins after a certain time, much like the LogonHours attribute applicable to users in on-premises Active Directory.

    1 vote  ·  0 comments  ·  Conditional Access
  4. Provide "location except" feature under Location conditions of conditional access policy

    We want to block access to the app from all IP addresses except the specified one.
    I want to define the IP address or range in the named location which is possible today but when I used this named location in Location Condition there is no way to mention "location except" feature.

    Basically I want my Azure AD connected site/app to be accessible only from certain IPs, and from all other IPs it should not be accessible.

    3 votes  ·  0 comments  ·  Conditional Access
  5. Enterprise Application SAML 2.0 - Prompt Sign-in always

    We are in a retail business; we have shared computers within our brick stores, used by multiple users, where store employees access some business application via AzureAD which uses SAML. We wish to force sign-in always for those applications so that a previously logged-in user's SSO session is not persisted on the shared computer.

    1 vote  ·  0 comments  ·  Conditional Access
  6. Add "All Directory Roles" option when creating Conditional Access Policies

    When creating a Conditional Access Policy to require all admin roles to use MFA, there should be an "All Directory Roles" option to tick so you don't have to keep going back and checking if new roles have been added.

    1 vote  ·  0 comments  ·  Conditional Access
  7. Mobile apps running on iPadOS should present themselves as iOS instead of MacOS for auth purposes

    We use a Conditional Access Policy to prevent access from Windows PCs and MacOS devices from outside trusted locations. However, this policy is causing issues when users attempt to authenticate from iPad devices running iPadOS, as these are presented as MacOS and thus are blocked from authenticating to resources. We need Microsoft to find a way or work with Apple for iPad devices to be presented as iOS, not as MacOS.

    1 vote  ·  0 comments  ·  Conditional Access
  8. Include Token Lifetime for Azure AD SAML federated applications in Condition Access

    The "sign in frequency" control in Azure Conditional Access doesn't apply to SAML authentication. The MS documentation states that it only applies to OAuth and OIDC.

    1 vote  ·  0 comments  ·  Conditional Access
  9. glass

    Would be great if break-glass account functionality was built-in to Azure AD somehow. Right now there's a lot of manual setup and monitoring work involved in this. Would be nice to be able to create accounts and designate them as "break-glass" accounts. Then setup is automatic after that...excluded from Conditional Access Policies, monitoring for changes, etc.

    1 vote  ·  0 comments  ·  Conditional Access
  10. Conditional Access Policy to Support Anonymous IPs / Tor Network Sources

    In the Conditions -> Locations section of the CA policy, add the option to select 'known anonymous ips'. This would enable forcing of MFA or blocking of login based on this type of source network.

    1 vote  ·  0 comments  ·  Conditional Access
  11. Conditional access policy by location should be standard feature

    Conditional Access policies to block access from countries should be a standard security feature, and organizations should not have to upgrade to E5 or Azure P2 to use this feature. We see failed sign-in attempts every day from countries such as China and Russia. It would block out 99% of the malicious sign-in attempts if we could simply implement a conditional access policy by location.

    7 votes  ·  3 comments  ·  Conditional Access
  12. Giving options to solve specific problems

    I had a business account which was cancelled, then I created and paid for a personal account, but now I cannot access Microsoft Teams, apparently because it is not linked with Outlook.
    What can I do?

    1 vote  ·  1 comment  ·  Conditional Access
  13. Allow to exclude specific users when a named location is defined by country

    To have a “binary toggle”, say a checkbox, where we can specify “Disallow any access, except the following directives ☑︎” so any human would be able to just include what he or she needs to include and that’s it. With this ability the conditional access logic can be toggled from its current logic to the “positive one” I’m proposing where everything is forbidden but what’s allowed.

    3 votes  ·  0 comments  ·  Conditional Access
  14. JIT

    I have one question that I want to ask. With regards to setting JIT access on a VM, I wanted to know if users who connect to a VM at a certain set time and from a specified IP address (because of JIT conditions set) can also be an authenticated user, so someone else who knows all of the rules can't connect. I would like JIT conditional access to be more restrictive.

    1 vote  ·  0 comments  ·  Conditional Access
  15. Allow customization of Alerts and creating our own alerts

    Allow admins to create their own alerts or customize existing alerts to include more information or add instructions to recipients.

    1 vote  ·  0 comments  ·  Conditional Access
  16. Allow adding/Creating your own Risk Detection Rules and allow nested conditions

    Allow admins to create their own correlation rules for risk based on different attributes like user department and access levels. Also allow for nested conditions like: if member of X department and logon from China = high risk.

    1 vote  ·  0 comments  ·  Conditional Access
  17. Conditional access templates for best practice in securing microsoft apps

    Provide templates for each application for best practice in fully securing the application listing in Conditional Access. Make it a requirement for the product owners for each app.

    1 vote  ·  0 comments  ·  Conditional Access
  18. Conditional access

    Allow the ability to "Add all applications" that are listed in select apps in Conditional Access without choosing "All Cloud Apps", which appears to be not 100%.

    1 vote  ·  0 comments  ·  Conditional Access
  19. Conditional access

    Failures in conditional access logs do not show device information; need more sign-in information on the device that is failing to track down/troubleshoot issues.

    1 vote  ·  0 comments  ·  Conditional Access
  20. If an org has not enabled modern auth, offer to enable it for them when turning on security defaults or cond access. If not feasable, at le

    If an org has not enabled modern auth, offer to enable it for them when turning on security defaults or cond access. If not feasible, at least warn them

    1 vote  ·  0 comments  ·  Conditional Access