Support exporting and importing conditional access policies using PowerShell. This would be handy for backup purposes, but also for re-use of the same policy rules between test and production tenants.
The Microsoft Graph API currently does not have any REST APIs for accessing and creating conditional access policies: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview
276 votes
We’ve begun work on exposing policies through MS Graph and PowerShell. I can’t give a date yet, but it is in the pipeline.
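The export/import the post above asks for is available today: Microsoft Graph later gained the `/identity/conditionalAccess/policies` endpoint that did not exist when this thread was written. The script below is an added example, not code from the thread or from Microsoft. It assumes PowerShell 7 with the Microsoft.Graph.Authentication module installed, a signed-in account holding the permissions named in the comment, and that every directory object id (users, groups, named locations, custom apps) found in an export is tenant-specific unless you say otherwise. It writes one JSON file per policy and re-creates policies in report-only mode so an imported rule cannot lock anyone out before its sign-in log has been reviewed.

```powershell
#Requires -Version 7.0
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not from the original thread. Back up Conditional Access policies
# to JSON and re-create them in another tenant via Microsoft Graph v1.0.
# Sign in first (scopes as documented for the policy endpoints):
#   Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All'

$PolicyUri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# A directory object id only means something in the tenant it came from.
$GuidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

function Export-CaPolicies {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$OutDir)

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $uri = $PolicyUri
    do {
        # Invoke-MgGraphRequest returns hashtables by default; follow paging links.
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($policy in $page.value) {
            $name = $policy.displayName -replace '[^\w\-]', '_'
            $policy | ConvertTo-Json -Depth 20 |
                Set-Content -Path (Join-Path $OutDir "$name.json") -Encoding utf8
        }
        $uri = $page.'@odata.nextLink'
    } while ($uri)
}

# Ids referenced by an exported policy that will not resolve in a different tenant.
# Role template ids (includeRoles) are global and are not checked. First-party
# Microsoft app ids are global too and may show up here as false positives.
function Get-TenantSpecificIds {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Policy)
    $c = $Policy.conditions
    $candidates = @(
        $c.users.includeUsers; $c.users.excludeUsers
        $c.users.includeGroups; $c.users.excludeGroups
        $c.applications.includeApplications; $c.applications.excludeApplications
        $c.locations.includeLocations; $c.locations.excludeLocations
    )
    @($candidates | Where-Object { $_ -match $GuidPattern })
}

function Import-CaPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$SameTenant,   # restoring into the tenant the export came from
        [switch]$Enforce       # default: create in report-only mode, never live
    )
    $policy = Get-Content -Raw -Path $Path | ConvertFrom-Json -AsHashtable

    # Server-assigned properties are rejected on create.
    foreach ($k in 'id', 'createdDateTime', 'modifiedDateTime', 'templateId') { $policy.Remove($k) }

    if (-not $SameTenant) {
        $ids = @(Get-TenantSpecificIds -Policy $policy)
        if ($ids.Count -gt 0) {
            throw "$Path references ids that must be remapped for this tenant: $($ids -join ', ')"
        }
    }
    if (-not $Enforce) { $policy.state = 'enabledForReportingButNotEnforced' }

    if ($PSCmdlet.ShouldProcess($policy.displayName, 'Create Conditional Access policy')) {
        Invoke-MgGraphRequest -Method POST -Uri $PolicyUri `
            -Body ($policy | ConvertTo-Json -Depth 20) -ContentType 'application/json'
    }
}
```

Typical use is `Export-CaPolicies -OutDir .\ca-backup` in the test tenant, then, after signing in to production, `Import-CaPolicy -Path .\ca-backup\Require_MFA_for_admins.json -WhatIf` to see what would be created; drop `-WhatIf` to create it, and only switch `state` to `enabled` once the report-only results look right. The id check exists because group, user and named-location ids differ between tenants, so a blindly copied exclusion list can silently exempt nobody or the wrong people.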
Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on a specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional access policy.
178 votes
I wanted to give a quick update on this. We agree this makes a lot of sense and is useful in many different cases, so have added it to our backlog. I don’t have a date to share yet, but will post updates here. Thanks for the interest.
Today, it's possible to set up Conditional Access logon rules in ADFS3 and ADFS4 based on Device Authentication. We've found this to be widely applauded by end-users in MFA scenarios.
It would be great if Azure AD authentication without federation could also support Device Authentication for Conditional Access.
We would like to be able to create a rule that says that Azure AD Registered Devices don't need to MFA.
110 votes
We set up Named Locations in Azure AD to "avoid" risky Azure AD logins.
I added all our IPv4 public IPs/ranges but could not enter the IPv6 IPs/ranges. I got in touch with the Azure support and they said it is not possible yet.
As we also use IPv6 surf IPs, could you enable the feature to add IPv6 IPs/ranges as well?
This is high on our list. Thanks
We have around 200 locations that use dynamic IP addresses that change frequently. We have the ability to pull the public IP addresses via REST API/PowerShell, but there is currently no way to update the Named Locations list programmatically. Without PowerShell, we are forced to manually dump the list to a CSV and upload the new file.
We would like to have the ability to add, remove and update Named Locations and the entries in the IP Ranges of a Named Location.
49 votes
Thanks for the suggestion. We have API/PowerShell support for named locations as well as full conditional access policy management planned.
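The programmatic Named Location update requested above, and the IPv6 ranges requested two posts earlier, are both possible today through the Microsoft Graph `/identity/conditionalAccess/namedLocations` endpoint, which postdates this thread. The script below is an added example, not code from the thread or from Microsoft. It assumes PowerShell 7 with the Microsoft.Graph.Authentication module, the `Policy.ReadWrite.ConditionalAccess` permission, and that you already have a function (here called `Get-SiteEgressAddresses`, a hypothetical stand-in for the poster's own REST lookup) that returns the current public addresses. It validates every address, refuses over-broad or empty input, and replaces the location's range list in one PATCH so stale addresses that may now belong to someone else do not linger in a trusted location.

```powershell
#Requires -Version 7.0
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not from the original thread. Replace the IP ranges of an existing
# IP named location with the current egress addresses via Microsoft Graph v1.0.
# Sign in first:  Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$NamedLocationUri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations'

# Converts "203.0.113.7", "203.0.113.0/24" or "2001:db8::/48" into the Graph
# ipRange object. Anything that does not parse throws, so a bad value from the
# IP discovery step cannot silently become a hole or a gap in the location.
function ConvertTo-GraphIpRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $addr, $prefix = $Cidr.Trim() -split '/', 2
    $ip = [System.Net.IPAddress]::Parse($addr)
    $isV6 = $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6
    $maxBits = if ($isV6) { 128 } else { 32 }
    if ($null -eq $prefix) { $prefix = $maxBits }          # bare address = single host
    $bits = [int]$prefix
    if ($bits -lt 0 -or $bits -gt $maxBits) { throw "Invalid prefix length in '$Cidr'" }
    # Local policy guard (assumption, adjust to your environment): nothing broader
    # than a /8 (v4) or /32 (v6) belongs in a location that may be marked trusted.
    if ($bits -lt ($maxBits / 4)) { throw "Refusing over-broad range '$Cidr'" }
    @{
        '@odata.type' = if ($isV6) { '#microsoft.graph.iPv6CidrRange' } else { '#microsoft.graph.iPv4CidrRange' }
        cidrAddress   = '{0}/{1}' -f $ip.ToString(), $bits
    }
}

function Sync-IpNamedLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Id,                        # object id of the existing named location
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Cidrs   # current egress addresses
    )
    # An empty discovery result is far more likely an upstream failure than a site
    # with no addresses; never blank the location because of it.
    if ($Cidrs.Count -eq 0) { throw 'No addresses supplied; refusing to empty the named location' }

    $current = Invoke-MgGraphRequest -Method GET -Uri "$NamedLocationUri/$Id"
    if ($current.'@odata.type' -ne '#microsoft.graph.ipNamedLocation') {
        throw "$Id is not an IP named location"
    }

    $desired = @($Cidrs | ForEach-Object { ConvertTo-GraphIpRange $_ })
    $have = @($current.ipRanges | ForEach-Object { $_.cidrAddress }) | Sort-Object
    $want = @($desired | ForEach-Object { $_.cidrAddress }) | Sort-Object
    if (($have -join ',') -eq ($want -join ',')) {
        Write-Verbose "'$($current.displayName)' already matches; nothing to do"
        return $false
    }

    # PATCH needs the subtype. isTrusted is deliberately left alone: a trusted
    # location is a common MFA exemption and an input to risk scoring, so changing
    # it is a separate, reviewed change rather than part of an IP refresh.
    $body = @{
        '@odata.type' = '#microsoft.graph.ipNamedLocation'
        ipRanges      = $desired
    }
    $target = "$($current.displayName) ($Id): $($have -join ', ') -> $($want -join ', ')"
    if ($PSCmdlet.ShouldProcess($target, 'Replace ipRanges')) {
        Invoke-MgGraphRequest -Method PATCH -Uri "$NamedLocationUri/$Id" `
            -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null
        return $true
    }
    return $false
}
```

Run it as `Sync-IpNamedLocation -Id '<named location id>' -Cidrs (Get-SiteEgressAddresses) -WhatIf -Verbose` first; the `ShouldProcess` message prints the old and new range lists, which is the review step you want on a location that exempts sign-ins from MFA. Because the ranges are replaced rather than appended, an address a site stopped using is removed on the next run instead of remaining trusted after it has been handed to another customer of the same ISP.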
When the Conditional Access Policy is configured with the All cloud apps option, Office activation is also blocked, although there isn't any dedicated Office activation cloud app that could be excluded. Please create a dedicated cloud app for Office activation.
40 votes
I would like to be able to block ALL sign-ins from anonymous IP addresses.
36 votes
We’re currently looking into this. Would you want this to include Tor and anonymous VPN, or do you view these differently?
Could you please introduce the possibility to set priorities for Conditional Access policies.
In complex environments (with different CA policies for different use cases) it's very hard to create CA policies without any open doors. Therefore it would be fantastic if you could create a catch-all CA policy and then selectively allow one service after another (like on a firewall).
Many Thanks
34 votes
We’re looking at how to make it easier to ensure all access paths are protected. Thanks for the feedback.
We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.
Currently Azure AD Conditional Access Policies only support Intune for checking device compliance, as described at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd-party EMM solutions.
31 votes
This is a scenario that we want to support in the future. No date as of now, but definitely something we are planning to enable.
It would be great if any future "Conditional Access" provided for SharePoint Online could be done on a per-Site Collection level.
Talk to the SharePoint Online team regarding this
29 votes
We need myapps.microsoft.com (Access Panel) to support conditional access. Currently it is a quite bad user experience when accepting an Azure B2B invite in a tenant that has implemented Azure Conditional Access, which does not have the option to exclude "myapps.microsoft.com (Access Panel)".
@Adam Steenwyk
25 votes
Currently the "Require approved client app" list of apps does not include the Microsoft Authenticator app, thus preventing adoption of cool features such as 'passwordless sign-in', which is apparently signing in as the user and therefore getting blocked.
21 votes
This is a problem we’re aware of and working on how best to address this use case.
Support some kind of change tracking or auditing in regards to changes made for Conditional Access Policies?
20 votes
After replacing and disabling Classic Policies migrated from Intune, you cannot remove them. The old policies are stuck there forever and cause warnings in other areas that Classic Policies exist. We should be able to remove them somehow.
19 votes
Support sorting of conditional access policies by name and by whether the policy is enabled
18 votes
Ability to apply Azure Conditional Access policies to specific Windows OS versions (7, 8.1, 10) for Hybrid Azure AD Joined Devices, or to specific devices in a device Group.
While Azure Conditional Access policies can currently be applied to Windows for Hybrid Azure AD Joined Devices, this includes all Windows operating systems. There is no ability to apply them to specific Windows OS versions, or to target specific devices. Having this functionality would allow, for example, blocking Windows 7 and 8.1 devices through CA policies, or blocking specific devices without an approved reason not to upgrade to Win10.
17 votes
Support comments/description for Conditional Access policies
16 votes
When federated identities are authenticated using CBA (Certificate Based Authentication) against ADFS, it would be nice to have Azure AD recognize this in Azure AD Conditional Access rules and allow or deny access to apps based on this.
16 votes
We’ve continued to hear this feedback and have cert auth support on the roadmap. The main use case will be to allow certs to be used for strong user auth.
Many large organizations that move to Office 365 have the need to block OneDrive for certain users but leave them the ability to use SharePoint Online. After opening a support case, the response was that it is currently not supported and the only option is to block both OneDrive and SharePoint Online.
15 votes