Add an option to enforce authentication every time you access an SSO app (e.g. SaaS):
- Option could be possible per app
- Option could be 1) re-enter password (ignore SSO) 2) guaranteed MFA prompt (ignore MFA token)
Shared PCs, personal logins, SaaS app has sensitive payroll data. Concern: people don't log off -> anyone can walk to the PC and get into the SaaS app via SSO. As of now even MFA doesn't help due to the MFA token or Windows Hello strong auth. You could only play with the token lifetime.
240 votes
Thank you for your feedback. We will review this request. Keep voting to help us prioritize.
When the Conditional Access Policy is configured with the All cloud apps option, Office activation is also blocked, although there isn't any cloud app dedicated to Office activation that could be excluded. Please create one dedicated cloud app for Office activation.
214 votes
For Conditional Access Policies applicable to B2B Guest Users, in Azure AD > CA Policy we do not have an option for selective selection of B2B Guest users under the 'Users and Groups' section of the CA Policy. But for Cloud Member users we do have an option for selective selection of users. Why don't we have the same capability and functionality for B2B Guests that we have for Cloud Member users in CA Policy? Also, why is it labelled as Preview Mode?
29 votes
We’re reviewing this item. Currently you can apply policy to specific B2B guests using the option to select users and groups. Are there users missing from that list, or is the suggestion to have a filtered list of only B2B users under the guest checkbox?
First of all thank you very much for the Custom Controls functionality for Azure AD.
I just found through an Azure Support channel that today, you need to contact Microsoft to become a "valid" provider for custom controls.
It would be great if you could make the registration process online and automated as I see a lot of potential for customers to want to implement their own validation logic during the authentication pipeline.
Having to register offline with Microsoft in order to have a compatible service will make it much harder to push this feature forward.
13 votes
Thanks for the interest. We're currently updating the process for approving new custom control providers and will share the details when they are available.
The baseline conditional access policy (https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Baseline-security-policy-for-Azure-AD-admin-accounts-in-public/ba-p/245426) does not allow trusted locations. It would be great if this was an option.
8 votes
Thanks for the feedback. We will consider adding this in a future update.
Consider adding an option within Azure Active Directory Conditional Access that allows security administrators to verify whether the company's conditional access rules are applied effectively for all users and groups.
- The solution should list all users and groups that are targeted by a specific conditional access policy, and also those who are not hit by the policy
- The solution should also be usable for troubleshooting which policies are being applied to a user.
This request is also listed on the Intune Feedback uservoice: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/19152421-effective-conditional-access-policies-for-users-an
8 votes
Some of this is now possible using the conditional access whatIf tool. It can be used to troubleshoot which policies apply to a specific user.
The second part of the request, listing the impact of a policy on all users, is something we'll consider. We're continuing to invest in tools that help with understanding the impact of policies and will make sure it is easy to assess policy coverage.
Generate an email alert to ADMINS if any sign-in is FAILED\SUCCESS due to a Conditional Access policy.
We do have a conditional access policy to block sign-in from a specific set of countries. In case someone tries to access from the blocked countries, we would like to get an email alert for both FAILURE and SUCCESS (as a CA policy cannot be linked with ActiveSync, we need to see successful logins from blocked countries too).
4 votes
I recommend taking a look at Log Analytics and how to use it with the Azure AD sign-in reports:
You can use Log Analytics to send notifications based on details in the sign-in report, like blocked policies.
We'll also keep this in mind as we look at further reporting and notification improvements.
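As an added illustration of the Log Analytics approach suggested in the reply above (this query is not from the thread or from Microsoft), the following KQL runs over Azure AD SigninLogs streamed to a Log Analytics workspace and surfaces both outcomes the original post asks about. The policy display name and the country list are constructed placeholders.

```kusto
// Added example: sign-ins denied by a country-block Conditional Access policy, plus
// sign-ins that SUCCEEDED from a blocked country anyway (e.g. a client the policy
// does not cover). Assumes SigninLogs is exported to a Log Analytics workspace.
let policyName = "Block sign-in from restricted countries";   // placeholder CA policy name
let blockedCountries = dynamic(["XX", "YY"]);                  // placeholder ISO country codes
SigninLogs
| where TimeGenerated > ago(1h)
| extend Country = tostring(LocationDetails.countryOrRegion)
// ConditionalAccessPolicies lists every evaluated policy with its result; a sign-in
// ConditionalAccessStatus of "failure" means at least one policy blocked it. The
// substring check narrows that to our country-block policy.
| extend BlockedByPolicy = ConditionalAccessStatus == "failure"
                           and tostring(ConditionalAccessPolicies) contains policyName
// ResultType "0" is a successful sign-in; one from a blocked country is the gap the
// original post is worried about (CA could not be applied to that client).
| extend SucceededFromBlockedCountry = ResultType == "0" and Country in (blockedCountries)
| where BlockedByPolicy or SucceededFromBlockedCountry
| extend Outcome = iff(SucceededFromBlockedCountry, "SUCCESS from blocked country", "BLOCKED by policy")
| project TimeGenerated, UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress, Country, ResultType, Outcome
| order by TimeGenerated desc
```

Saving this as a scheduled log alert rule with an email action group gives the admin notification the post requests, with the "SUCCESS from blocked country" rows being the ones that deserve the fastest follow-up.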
Please add the possibility to block the app:
Microsoft Azure Signup Portal
Can you please provide more detail about why you would like to do this? We want to make sure this is the best way to address your scenario.
When creating Conditional Access Policies, users are forced to exit the creation process to define Named Locations. Adding a New Location button while in the blade would decrease the number of steps required for those already in the creation process.
3 votes
Thanks for the feedback, we’ll add this to our backlog.
When creating Conditional Access rules and choosing "Cloud apps", it only displays a limited number of applications. You can search for other applications but you need to already know their name. There is no other way to get a larger list of applications or more pages.
We need a way to discover what applications are available for us to secure.
Having applications that we could better secure without being able to know what these applications are sounds like a big security risk.
3 votes
We've added this to our backlog and are reviewing how best to address this.
Thanks for the feedback.
When testing a policy that blocks sign-in by country, we want to know if the IP address we are connecting from will be blocked.
We want to know which country Conditional Access thinks the IP address is in.
1 vote
Thanks for the feedback. We’ll add this to the backlog and watch for more votes to help prioritize.