Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Active Directory?

← Azure Active Directory

Allow for customized error messages in Azure AD Conditional Access policies

Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on a specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional access policy.

536 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Steve shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

44 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Kingsley, Paula commented  ·   ·  Flag as inappropriate

    The last update from the Azure AD team seems to be from October 2020. This request is reasonable as administrators need to communicate with end users in clear, non-technical, company-specific language.

    This should be also relatively simple to implement as it is just allowing administrators to update text fields.

    What is the reason for the delay?

  • Peter commented  ·   ·  Flag as inappropriate

    Anon May 14, 2021 12:17 is correct.
    Displaying anything other than normal login rejection provides an attacker with a method to verify credentials are correct even if conditional access prevents accessibility.

    Removing "Your sign-in was successful," would be a start. Offer options.

  • Anon commented  ·   ·  Flag as inappropriate

    Any update on this, the current notification provides an attacker with a method to verify credentials are correct even if conditional access prevents accessibility.

    Removing "Your sign-in was successful," would be a start

    You cannot access this right now

    Your sign-in was successful, but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app or location that is restricted by your admin.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Any update on this? This would reduce a lot of user frustration and also reduce phone calls to the IT help desk. Has this been planned for release?

  • Sri Arumugam commented  ·   ·  Flag as inappropriate

    Please include options for modifying the landing page to include our company logo, a link to reach our IT support teams and also the message to include the conditions to be met for a successful login.

  • Jonathan commented  ·   ·  Flag as inappropriate

    Any updates? This is sorely needed to drive more self service and reduce user frustration.

  • Karl Wallin commented  ·   ·  Flag as inappropriate

    I guess this can easily also cover custom error messages for lets say end-user consents for apps?
    So apps / sign-ins that we don't use Azure to manage can provide a helpful error to the end-users such as "This service has a separate login and you shouldn't use your Azure/AD-account" etc.

    Any updates on this since the last one was over one year ago?

  • Anonymous commented  ·   ·  Flag as inappropriate

    any plan to support the custom error message not using the Conditional Access Policies but Application registration metadata.

  • Roseanne Jones commented  ·   ·  Flag as inappropriate

    Same thought as @Brennen about being able to customize the message. And a really good point made by @Daniel McAuley on another reason why the current message as it is, is not worded thoughtfully enough to be the default message.

  • Matthew Roulston commented  ·   ·  Flag as inappropriate

    Same comment as @Swaranjit. Why tell the hacker, you just successfully guessed/cracked a PW, but you have to VPN to X country/browser/OS to continue hacking me?

  • Brennen commented  ·   ·  Flag as inappropriate

    You can't get there from here.... It would be helpful to be able to customize this message with a link to each companies Service Desk website (request form) where they could evaluate un-blocking the requested site. Without the link, we leave our clients hanging.... wondering what do I do next?

  • Daniel McAuley commented  ·   ·  Flag as inappropriate

    We would like the ability to granularly modify the failure notices which are shown to users when they do not meet conditional access requirements.

    For example, with COVID19, we have made changes to conditional access policies to only allow authentication from North America. However, when an employee logs in from outside of this region, they are presented with the following notice: "Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location which is not support by your admin".

    This is a wealth of information for a threat actor as they would now know they have valid credentials and they may attempt to log in from different geographies to circumvent conditional access.

    We would love the ability to granularly modify the notification for conditional access policies to provide a much simpler answer with less details. For example, "Authentication failure. Please contact your administrator".

  • John R. commented  ·   ·  Flag as inappropriate

    Same comment as @Swaranjit. Why tell the hacker, you just successfully guessed/cracked a PW, but you have to VPN to X country/browser/OS to continue hacking me?

    I want a 'blocked' generic message regardless of whether the password is correct. I would prefer if they aren't allowed to login from a blocked country then don't bother checking the password. Do I honestly have to go to a competitor to get this level of security?

  • Amit Sood commented  ·   ·  Flag as inappropriate

    Agreed with other comments, that we need option to customize error message that can be more descriptive to end users based on the context.
    Or Is there way to send to a different End Point (Url) on authorization failure.

  • Swaranjit commented  ·   ·  Flag as inappropriate

    We are also looking to submit a feature request to change the “access denied” or support customized message when a user successfully authenticates to AzureAD but do not get permission to the resource when attempt to access it due to a conditional access policy.

    We do not want any indication if the authentication was successful or not.

  • Steinar Mollan commented  ·   ·  Flag as inappropriate

    The AADSTS50105 is not very intuitive to end user. Customizing the error message or altering the standard text is needed.

← Previous 1 3

Azure Active Directory: Conditional Access

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice