Allow for customized error messages in Azure AD Conditional Access policies
Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on a specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional access policy.
Steve
shared this idea
Hi,
Just a quick update. This is still on the roadmap, but not work that has started. The comments here are useful as we start the design. Thanks
33 comments
-
Oliver Lüthi
commented
Would be a great feature.
-
Roseanne Jones
commented
Same thought as @Brennen about being able to customize the message. And a really good point made by @Daniel McAuley on another reason why the current message as it is, is not worded thoughtfully enough to be the default message.
-
Matthew Roulston
commented
Same comment as @Swaranjit. Why tell the hacker, you just successfully guessed/cracked a PW, but you have to VPN to X country/browser/OS to continue hacking me?
-
Brennen
commented
You can't get there from here.... It would be helpful to be able to customize this message with a link to each companies Service Desk website (request form) where they could evaluate un-blocking the requested site. Without the link, we leave our clients hanging.... wondering what do I do next?
-
Daniel McAuley
commented
We would like the ability to granularly modify the failure notices which are shown to users when they do not meet conditional access requirements.
For example, with COVID19, we have made changes to conditional access policies to only allow authentication from North America. However, when an employee logs in from outside of this region, they are presented with the following notice: "Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location which is not support by your admin".
This is a wealth of information for a threat actor as they would now know they have valid credentials and they may attempt to log in from different geographies to circumvent conditional access.
We would love the ability to granularly modify the notification for conditional access policies to provide a much simpler answer with less details. For example, "Authentication failure. Please contact your administrator".
-
John R.
commented
Same comment as @Swaranjit. Why tell the hacker, you just successfully guessed/cracked a PW, but you have to VPN to X country/browser/OS to continue hacking me?
I want a 'blocked' generic message regardless of whether the password is correct. I would prefer if they aren't allowed to login from a blocked country then don't bother checking the password. Do I honestly have to go to a competitor to get this level of security?
-
Amit Sood
commented
Agreed with other comments, that we need option to customize error message that can be more descriptive to end users based on the context.
Or Is there way to send to a different End Point (Url) on authorization failure. -
Swaranjit
commented
We are also looking to submit a feature request to change the “access denied” or support customized message when a user successfully authenticates to AzureAD but do not get permission to the resource when attempt to access it due to a conditional access policy.
We do not want any indication if the authentication was successful or not.
-
Steinar Mollan
commented
The AADSTS50105 is not very intuitive to end user. Customizing the error message or altering the standard text is needed.
-
shreyance
commented
A MUST have feature. No brainer.. don't forget end users are not technical. And they want to read something that makes sense
-
Moe
commented
We badly need customized error messages in Azure AD conditional Access policies. Please make this feature available soon.
-
Gareth
commented
Dave Draffin's comment from 2017 +1! - we do much the same thing. Would be excellent to have this feature.
-
Anonymous
commented
+1
We have conditional access policies blocking phishy countries that effectively say: "Almost there! You got the password right, just use a VPN endpointing somewhere not in the 3rd world and you're in!"Absurd!!! I want a 'blocked' message regardless of whether the password is correct. If they aren't allowed to login from a blocked country then don't bother checking the password.
-
JP
commented
George Morris The product Manager has probably left MS.
-
George Morris
commented
It has been a year. Has this been added yet? :-)
-
Anonymous
commented
any update on this problem?
-
JP
commented
any update on this?
-
db
commented
Yes, please implement this ASAP! The fact the message provides validation to a possible attacker that the combination of username and password was successful is a major issue for security.
-
Peter Selch Dahl commented
@Caleb:
Please also check this new request:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35327623-custom-error-messages-per-saas-app-and-tenant-wide -
Hi Caleb,
Please work with the entire Azure AD team to make a unified strategy for error messages in Azure Active Directory. We also have issues with Azure B2B and would really like the option to have custom error message depending on the SaaS app the user is trying to access.
B2B issue
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34736548-
customize-error-message@Jose & @Sarat from the B2B team.