How can we improve Azure Active Directory?

Allow for customized error messages in Azure AD Conditional Access policies

Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional access policy.

169 votes

    Steve shared this idea
    planned  ·  Azure AD Team (Admin, Microsoft Azure) responded

    Hi,

    I wanted to give a quick update on this. We agree this makes a lot of sense and is useful in many different cases, so have added it to our backlog. I don’t have a date to share yet, but will post updates here. Thanks for the interest.

    -Caleb Baker

    15 comments

      • db commented

        Yes, please implement this ASAP! The fact the message provides validation to a possible attacker that the combination of username and password was successful is a major issue for security.

      • Peter Selch Dahl commented

        Hi Caleb,

        Please work with the entire Azure AD team to make a unified strategy for error messages in Azure Active Directory. We also have issues with Azure B2B and would really like the option to have a custom error message depending on the SaaS app the user is trying to access.

        B2B issue

        https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34736548-customize-error-message

        @Jose & @Sarat from the B2B team.

      • Anonymous commented

        OK, it has been about 4 months and I still do not see the feature to customize such notifications. I do see this under Compliance, but not under Conditional Access.

      • Dominic Corso commented

        Awesome! We are patiently waiting for this. When a user is blocked from access, in most cases we can direct them to some basics for help and prevent a helpdesk call altogether. Can't wait!

      • Dave Draffin commented

        We have an account re-verification web app that, if guest users have not accessed for more than 30 days, removes their access. The removal of access is enforced via a Conditional Access rule (as they are dynamically moved out of a group).

        What would be great would be to customise the Conditional Access error, to give the user better information about why their access has been blocked. And even more importantly, a 'call to action', in this case a link to the re-verification web app, such that they can re-attest their account access.

        As it stands the standard error message is #lessthanhelpfull

      • Jeff Lawrence commented

        I would add the ability to customize the message per CA rule would also be nice, that way if you have a number of block rules defined in CA the message could be more specific. For example, if you have a CA rule that blocks GA accounts from external sources, defining on the CA rule the error "Administrative Accounts are not allowed external Access" while a separate rule that applies to hourly employees could be "Hourly employees not allowed off hour external access".

      • Adam Ladd commented

        Heartily agree. The message we get today with the new 2016 Conditional Access Preview enabled is scaring the pants off our users: "Your account is blocked. We've detected suspicious activity on your account. Please contact your admin". I would rather it simply say "Your access is blocked because it does not meet company requirements, please contact the Help Desk".

      • Peter Selch Dahl commented

        It is not currently possible to customize the "Access Denied" error message the end users receive when Conditional Access is enforced. Many companies would like support for this feature.
