Allow for customized error messages in Azure AD Conditional Access policies
Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on a specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional access policy.

Thanks for the continued feedback on this. We’re in planning.
39 comments
-
Sri Arumugam commented
Please include options for modifying the landing page to include our company logo, a link to reach our IT support teams and also the message to include the conditions to be met for a successful login.
-
Jonathan commented
Any updates? This is sorely needed to drive more self service and reduce user frustration.
-
Anonymous commented
Any news about this feature?
-
Anonymous commented
a must feature sooner than later
-
Karl Wallin commented
I guess this can easily also cover custom error messages for lets say end-user consents for apps?
So apps / sign-ins that we don't use Azure to manage can provide a helpful error to the end-users such as "This service has a separate login and you shouldn't use your Azure/AD-account" etc. Any updates on this since the last one was over one year ago?
-
Anonymous commented
Any plan to support custom error messages not via the Conditional Access policies but via application registration metadata?
-
Oliver Lüthi commented
Would be a great feature.
-
Roseanne Jones commented
Same thought as @Brennen about being able to customize the message. And a really good point made by @Daniel McAuley on another reason why the current message as it is, is not worded thoughtfully enough to be the default message.
-
Matthew Roulston commented
Same comment as @Swaranjit. Why tell the hacker, you just successfully guessed/cracked a PW, but you have to VPN to X country/browser/OS to continue hacking me?
-
Brennen commented
You can't get there from here.... It would be helpful to be able to customize this message with a link to each company's Service Desk website (request form) where they could evaluate un-blocking the requested site. Without the link, we leave our clients hanging.... wondering what do I do next?
-
Daniel McAuley commented
We would like the ability to granularly modify the failure notices which are shown to users when they do not meet conditional access requirements.
For example, with COVID19, we have made changes to conditional access policies to only allow authentication from North America. However, when an employee logs in from outside of this region, they are presented with the following notice: "Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location which is not supported by your admin".
This is a wealth of information for a threat actor as they would now know they have valid credentials and they may attempt to log in from different geographies to circumvent conditional access.
We would love the ability to granularly modify the notification for conditional access policies to provide a much simpler answer with less details. For example, "Authentication failure. Please contact your administrator".
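The leak Daniel describes also works in the defender's favour: a Conditional Access block proves the password was accepted, so those sign-ins deserve triage. This is an added example, not code from the thread or from Microsoft; it assumes records shaped like Microsoft Graph `signIn` objects, that error code 53003 marks a CA block (and 50126 a wrong password), and a constructed "North America only" allow-list.

```python
"""Triage of Conditional Access (CA) blocked sign-ins (added example).

Assumption: records are shaped like Microsoft Graph `signIn` objects and
status.errorCode 53003 means the credential was accepted but CA blocked
access, i.e. the password is known to be valid.
"""
from collections import defaultdict

# Constructed sample records (not real log data), modelled on the Graph signIn schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "RU"}, "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.10",
     "location": {"countryOrRegion": "BR"}, "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "RU"}, "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.11",
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 50126}},  # wrong password: credential NOT confirmed valid
]

CA_BLOCKED = 53003
ALLOWED_REGIONS = {"US", "CA", "MX"}  # mirrors the thread's "North America only" policy (assumed list)

def ca_blocked_outside_region(signins, allowed=ALLOWED_REGIONS):
    """Records where a valid password was used from a region the policy denies."""
    return [s for s in signins
            if s["status"]["errorCode"] == CA_BLOCKED
            and s["location"]["countryOrRegion"] not in allowed]

def accounts_to_reset(signins, allowed=ALLOWED_REGIONS):
    """Users whose password is confirmed valid by a CA block: reset candidates."""
    return sorted({s["userPrincipalName"]
                   for s in ca_blocked_outside_region(signins, allowed)})

def ips_with_multiple_valid_creds(signins, min_users=2):
    """Source IPs that reached CA evaluation (valid password) for several
    accounts: a spray that has already found working passwords."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == CA_BLOCKED:
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}
```

A blocked-by-CA event is the moment to reset the credential and review the source IP, regardless of what the end user was shown.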
-
John R. commented
Same comment as @Swaranjit. Why tell the hacker, you just successfully guessed/cracked a PW, but you have to VPN to X country/browser/OS to continue hacking me?
I want a 'blocked' generic message regardless of whether the password is correct. I would prefer if they aren't allowed to login from a blocked country then don't bother checking the password. Do I honestly have to go to a competitor to get this level of security?
-
Amit Sood commented
Agreed with other comments that we need an option to customize the error message so it can be more descriptive to end users based on the context.
Or is there a way to send users to a different endpoint (URL) on authorization failure?
-
Swaranjit commented
We are also looking to submit a feature request to change the "access denied" message, or support a customized message, when a user successfully authenticates to AzureAD but does not get permission to the resource when attempting to access it due to a conditional access policy.
We do not want any indication if the authentication was successful or not.
-
Steinar Mollan commented
The AADSTS50105 message is not very intuitive to the end user. Customizing the error message or altering the standard text is needed.
-
shreyance commented
A MUST have feature. No brainer. Don't forget end users are not technical, and they want to read something that makes sense.
-
Moe commented
We badly need customized error messages in Azure AD conditional Access policies. Please make this feature available soon.
-
Gareth commented
Dave Draffin's comment from 2017 +1! - we do much the same thing. Would be excellent to have this feature.
-
Anonymous commented
+1
We have conditional access policies blocking phishy countries that effectively say: "Almost there! You got the password right, just use a VPN endpointing somewhere not in the 3rd world and you're in!" Absurd!!! I want a 'blocked' message regardless of whether the password is correct. If they aren't allowed to login from a blocked country then don't bother checking the password.
-
JP commented
George Morris, the product manager, has probably left MS.