Allow for customized error messages in Azure AD Conditional Access policies
Allow for an administrator to create customized error messages to replace the generic AAD Conditional Access "you do not meet the criteria." For example, if I have a Conditional Access policy that blocks access for Windows devices based on specific criteria, I could display a custom error message that would offer links to support sites or an IT support number. In addition, allow for multiple custom error messages to be defined and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a Conditional Access policy.
Just a quick update. This is still on the roadmap, but work has not started. The comments here are useful as we start the design. Thanks.
Steinar Mollan commented
The AADSTS50105 error is not very intuitive to the end user. Customizing the error message or altering the standard text is needed.
A MUST-have feature. No-brainer. Don't forget end users are not technical, and they want to read something that makes sense.
We badly need customized error messages in Azure AD Conditional Access policies. Please make this feature available soon.
Dave Draffin's comment from 2017: +1! We do much the same thing. Would be excellent to have this feature.
We have conditional access policies blocking phishy countries that effectively say: "Almost there! You got the password right, just use a VPN endpointing somewhere not in the 3rd world and you're in!"
Absurd!!! I want a 'blocked' message regardless of whether the password is correct. If they aren't allowed to log in from a blocked country, then don't bother checking the password.
George Morris: The product manager has probably left MS.
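The failure mode described in the two comments above (a location block that is only reported after the password has been verified, so the block message itself confirms the credential) can be shown in a toy sign-in gateway. The following is an added example, not code from this thread and not how Azure AD is implemented; the user store, the password, the country code "XX" used as the blocked location, "YY" as an allowed one, and the message strings are all constructed placeholders. It contrasts the leaky check order with one that evaluates the policy first and returns a single generic response, keeping the reason in the audit log rather than in the message shown to the client.

```python
import hashlib
import hmac

# Constructed user store: username -> (salt, PBKDF2 hash). Not real accounts.
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Constructed policy: "XX" stands in for a location the policy blocks.
BLOCKED_COUNTRIES = {"XX"}

# One message for every failure, so the response carries no hint about
# which check failed. Helpful detail is still possible (support links),
# as long as it is the same for every denied attempt.
GENERIC_DENIED = "Sign-in failed. Check your credentials or contact IT support."

# In-memory audit log standing in for the sign-in log a real system would keep.
AUDIT_LOG = []


def audit(event: str, username: str, country: str) -> None:
    AUDIT_LOG.append({"event": event, "user": username, "country": country})


def _password_ok(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so timing does not reveal whether the account exists.
        _hash(password, _SALT)
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)


def sign_in_naive(username: str, password: str, country: str) -> str:
    """Leaky order: credential first, policy second, distinct messages.

    From a blocked country an attacker still gets a different answer for a
    right versus a wrong password, so the block is a password oracle."""
    if not _password_ok(username, password):
        return "Invalid username or password."
    if country in BLOCKED_COUNTRIES:
        # Only reachable with a valid password: the message confirms it.
        return "Your sign-in was blocked by policy."
    return "OK"


def sign_in_hardened(username: str, password: str, country: str) -> str:
    """Policy first, credential second, one generic response for any failure.

    The password is never even checked from a blocked location, and the
    reason for the denial goes to the audit log instead of the client."""
    if country in BLOCKED_COUNTRIES:
        audit("blocked_location", username, country)
        return GENERIC_DENIED
    if not _password_ok(username, password):
        audit("bad_credential", username, country)
        return GENERIC_DENIED
    audit("success", username, country)
    return "OK"


def leaks_password_validity(sign_in) -> bool:
    """True if, from a blocked country, the response differs between a
    correct and an incorrect password for the same account."""
    with_right_password = sign_in("alice", "correct horse", "XX")
    with_wrong_password = sign_in("alice", "not the password", "XX")
    return with_right_password != with_wrong_password


if __name__ == "__main__":
    print("naive leaks:", leaks_password_validity(sign_in_naive))
    print("hardened leaks:", leaks_password_validity(sign_in_hardened))
```

Running the block shows the naive gateway answering differently for the two passwords from the blocked location while the hardened one does not; the operator still sees `blocked_location` versus `bad_credential` in the audit log, which is where that distinction belongs.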
George Morris commented
It has been a year. Has this been added yet? :-)
Any update on this problem?
Any update on this?
Yes, please implement this ASAP! The fact that the message confirms to a possible attacker that the combination of username and password was correct is a major security issue.
Please also check this new request:
Please work with the entire Azure AD team to make a unified strategy for error messages in Azure Active Directory. We also have issues with Azure B2B and would really like the option to have custom error messages depending on the SaaS app the user is trying to access.
@Jose & @Sarat from the B2B team.
OK, it has been about 4 months and I still do not see the feature to customize such notifications. I do see this under Compliance, but not under Conditional Access.
This is making our users crazy and the helpdesk as well.
Dominic Corso commented
Awesome! We are patiently waiting for this. When a user is blocked from access, in most cases we can direct them to some basics for help and prevent a helpdesk call altogether. Can't wait!
We are really looking for this feature.
David Kropman commented
+1, don't want to scare the users and point them to a help page.
Dave Draffin commented
We have an account re-verification web app that removes access for guest users who have not accessed it for more than 30 days. The removal of access is enforced via a Conditional Access rule (as they are dynamically moved out of a group).
What would be great would be to customise the Conditional Access error to give the user better information about why their access has been blocked. And, even more importantly, a 'call to action', in this case a link to the re-verification web app so that they can re-attest their account access.
As it stands, the standard error message is #lessthanhelpful
Also vote for this idea under the Intune feedback site: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/19197133-custom-text-for-block-access-option-in-conditional
Jeff Lawrence commented
I would add that the ability to customize the message per CA rule would also be nice; that way, if you have a number of block rules defined in CA, the message could be more specific. For example, if you have a CA rule that blocks GA accounts from external sources, you could define on that CA rule the error "Administrative accounts are not allowed external access", while a separate rule that applies to hourly employees could say "Hourly employees are not allowed off-hours external access".