Support exporting and importing conditional access policies using PowerShell. This would be handy for backup purposes, but also for re-use of the same policy rules between test and production tenants.
The Microsoft Graph API currently does not have any REST APIs for accessing and creating conditional access policies: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview
434 votes
We’ll be wrapping up work soon, after making updates from feedback we’ve received so far. We should have a public date soon.
Allow for an administrator to create customized error messages to replace the generic AAD conditional access "you do not meet the criteria." For example, if I have a conditional access policy that blocks access for Windows devices based on a specific criteria, I could display a custom error message that would offer links to support sites, or IT support #. In addition, allow for multiple custom error messages to be defined, and linked to specific policies that block access. For example, we could display a different error message on PC, iOS, or Android devices that are blocked via a conditional access policy.
235 votes
Just a quick update. This is still on the roadmap, but not work that has started. The comments here are useful as we start the design. Thanks
We set up Named Locations in Azure AD to "avoid" risky Azure AD logins.
I added all our IPv4 public IPs/ranges but could not enter the IPv6 IPs/ranges. I got in touch with the Azure support and they said it is not possible yet.
As we also use IPv6 surf IPs, could you enable the feature to add IPv6 IPs/ranges as well?
This work is started.
We have around 200 locations that use dynamic IP addresses that change frequently. We have the ability to pull the public IP addresses via REST API/PowerShell, but there is currently no way to update the Named Locations list programmatically. Without PowerShell, we are forced to manually dump the list to a CSV and upload the new file.
We would like to have the ability to add, remove and update Named Locations and entries in the IP ranges of a Named Location.
86 votes
We’ve begun this work.
I would like to be able to block ALL sign-ins from anonymous IP addresses.
69 votes
This feature work is planned, but hasn’t started yet.
We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.
Currently Azure AD Conditional Access Policies only support Intune for checking device compliance, as described at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.
67 votes
When a Conditional Access Policy is configured with the All cloud apps option, Office activation is also blocked, although there isn't any cloud app dedicated to Office activation that could be excluded. Please create a dedicated cloud app for Office activation.
50 votes
Can you please introduce the possibility to set priorities for Conditional Access policies.
In complex environments (with different CA policies for different use cases) it's very hard to create CA policies without any open doors. Therefore it would be fantastic if you could create a catch-all CA policy and then selectively allow one service after another (like on a firewall).
Many Thanks
45 votes
We’re continuing design work in this area.
We need myapps.microsoft.com (Access Panel) to support conditional access. Currently it is a quite bad user experience when accepting an Azure B2B invite in a tenant that has implemented Azure Conditional Access, because there is no option to exclude "myapps.microsoft.com (Access Panel)".
@Adam Steenwyk
41 votes
We’re looking at how best to implement this, given various service dependencies with the myapp portal. Thank you for the continued feedback.
It would be great if any future "Conditional Access" provided for SharePoint Online could be done at a per Site Collection level.
Talk to the SharePoint Online team regarding this.
39 votes
Enabling policy on a site collection is on our roadmap.
This is a scenario that we want to support in the future. No date as of now, but definitely something we are planning to enable.
Currently the "Require approved client app" list of apps does not include the Microsoft Authenticator app, thus preventing adoption of cool features such as 'passwordless sign-in', which is apparently signing in as the user and therefore getting blocked.
34 votes
This is a problem we’re aware of and working on how best to address this use case.
Support some kind of change tracking or auditing in regards to changes made to Conditional Access Policies?
34 votes
Support sorting of conditional access policies by name and by whether the policy is enabled.
28 votes
After replacing and disabling Classic Policies migrated from Intune, you cannot remove them. The old policies are stuck there forever and cause warnings in other areas that Classic Policies exist. We should be able to remove them somehow.
27 votes
I have a scenario where Azure Active Directory users log in to a frontend app and will be able to handle user administration using Graph APIs. These users will not have access to subscriptions/resources; these users only have access to Azure AD, where they can update/create/delete users/profiles. To achieve those actions users should have the User Administrator directory role. But the issue here is that these users can log in to the Azure portal and have admin access to all users. For example: if I have a few applications where the users are different, I can manage from the frontend app with business logic to show only the users related to those apps, but if these users log in to the portal then they will be able to access all the users.
Currently there is an option to block non-admin users, but I didn't find any non-admin role that can update their profile so that we could block them at least from having access to the Azure portal.
Basically what we need is that a user should be able to access Azure AD, including admin-related functions, but there should be an option to prevent portal access.
25 votes
Valid feedback. Open for customer upvotes
For Conditional Access Policies applicable to B2B Guest Users, in Azure AD > CA Policy we do not have the option for selective selection of B2B Guest users under the 'Users and Groups' section of the CA Policy. But for Cloud Member users we do have the option for selective selection of users. Why don't we have the same capability and functionality for B2B Guests that we have for Cloud Member users in CA Policy? Also, why is it called Preview Mode?
21 votes
We’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?
Baseline Policy: Require MFA for Admins (Preview) needs to be able to exclude groups.
This policy does not pay attention to trusted location. Therefore, your global admin or other admin SERVICE ACCOUNTS will get blocked unless you exclude them one-by-one.
This is very disruptive. This policy used to allow excluding groups and they changed it to only excluding users. Not all companies can move at the pace Microsoft is enforcing. We cannot make all of our service accounts into some other solution which won't get impacted and still work for us.
Bring back group exclusion for manageability!!
21 votes
Support comments/descriptions for Conditional Access policies.
21 votes
When federated identities are authenticated using CBA (Certificate Based Authentication) against ADFS, it would be nice to have Azure AD recognize this in Azure AD Conditional Access rules and allow or deny access to apps based on this.
20 votes
We’ve continued to hear this feedback and have cert auth support on the roadmap. The main use case will be to allow certs to be used for strong user auth.