How can we improve Azure Active Directory?

← Azure Active Directory

Allow for customized error messages in Azure AD Conditional Access policies

Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on a specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional access policy.

459 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Steve shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

39 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Sri Arumugam commented  ·   ·  Flag as inappropriate

    Please include options for modifying the landing page to include our company logo, a link to reach our IT support teams and also the message to include the conditions to be met for a successful login.

  • Jonathan commented  ·   ·  Flag as inappropriate

    Any updates? This is sorely needed to drive more self service and reduce user frustration.

  • Karl Wallin commented  ·   ·  Flag as inappropriate

    I guess this can easily also cover custom error messages for lets say end-user consents for apps?
    So apps / sign-ins that we don't use Azure to manage can provide a helpful error to the end-users such as "This service has a separate login and you shouldn't use your Azure/AD-account" etc.

    Any updates on this since the last one was over one year ago?

  • Anonymous commented  ·   ·  Flag as inappropriate

    any plan to support the custom error message not using the Conditional Access Policies but Application registration metadata.

  • Roseanne Jones commented  ·   ·  Flag as inappropriate

    Same thought as @Brennen about being able to customize the message. And a really good point made by @Daniel McAuley on another reason why the current message as it is, is not worded thoughtfully enough to be the default message.

  • Matthew Roulston commented  ·   ·  Flag as inappropriate

    Same comment as @Swaranjit. Why tell the hacker, you just successfully guessed/cracked a PW, but you have to VPN to X country/browser/OS to continue hacking me?

  • Brennen commented  ·   ·  Flag as inappropriate

    You can't get there from here.... It would be helpful to be able to customize this message with a link to each companies Service Desk website (request form) where they could evaluate un-blocking the requested site. Without the link, we leave our clients hanging.... wondering what do I do next?

  • Daniel McAuley commented  ·   ·  Flag as inappropriate

    We would like the ability to granularly modify the failure notices which are shown to users when they do not meet conditional access requirements.

    For example, with COVID19, we have made changes to conditional access policies to only allow authentication from North America. However, when an employee logs in from outside of this region, they are presented with the following notice: "Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location which is not support by your admin".

    This is a wealth of information for a threat actor as they would now know they have valid credentials and they may attempt to log in from different geographies to circumvent conditional access.

    We would love the ability to granularly modify the notification for conditional access policies to provide a much simpler answer with less details. For example, "Authentication failure. Please contact your administrator".

  • John R. commented  ·   ·  Flag as inappropriate

    Same comment as @Swaranjit. Why tell the hacker, you just successfully guessed/cracked a PW, but you have to VPN to X country/browser/OS to continue hacking me?

    I want a 'blocked' generic message regardless of whether the password is correct. I would prefer if they aren't allowed to login from a blocked country then don't bother checking the password. Do I honestly have to go to a competitor to get this level of security?

  • Amit Sood commented  ·   ·  Flag as inappropriate

    Agreed with other comments, that we need option to customize error message that can be more descriptive to end users based on the context.
    Or Is there way to send to a different End Point (Url) on authorization failure.

  • Swaranjit commented  ·   ·  Flag as inappropriate

    We are also looking to submit a feature request to change the “access denied” or support customized message when a user successfully authenticates to AzureAD but do not get permission to the resource when attempt to access it due to a conditional access policy.

    We do not want any indication if the authentication was successful or not.

  • Steinar Mollan commented  ·   ·  Flag as inappropriate

    The AADSTS50105 is not very intuitive to end user. Customizing the error message or altering the standard text is needed.

  • shreyance commented  ·   ·  Flag as inappropriate

    A MUST have feature. No brainer.. don't forget end users are not technical. And they want to read something that makes sense

  • Moe commented  ·   ·  Flag as inappropriate

    We badly need customized error messages in Azure AD conditional Access policies. Please make this feature available soon.

  • Gareth commented  ·   ·  Flag as inappropriate

    Dave Draffin's comment from 2017 +1! - we do much the same thing. Would be excellent to have this feature.

  • Anonymous commented  ·   ·  Flag as inappropriate

    +1
    We have conditional access policies blocking phishy countries that effectively say: "Almost there! You got the password right, just use a VPN endpointing somewhere not in the 3rd world and you're in!"

    Absurd!!! I want a 'blocked' message regardless of whether the password is correct. If they aren't allowed to login from a blocked country then don't bother checking the password.

← Previous 1

Azure Active Directory: Conditional Access

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice