Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Change tracking for Conditional Access Policies
Support some kind of change tracking or auditing in regards to changes made for Conditional Access Policies?
238 votes
This is in progress, you can see a preview when creating policy through the Conditional Access API. Coming soon to policies created in the Conditional Access UX.
-
Support conditional access for MyApps.microsoft.com
We need myapps.microsoft.com (Access Panel) to support conditional access. Currently it is a quite bad user experience when accepting an Azure B2B invite in a tenant that has implemented Azure Conditional Access, which does not have the option to exclude "myapps.microsoft.com (Access Panel)".
@Adam Steenwyk
200 votes -
Support for 3rd party EMM solutions when requiring device compliance
We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.
Currently Azure AD Conditional Access Policies only support Intune for checking device compliance, as described at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.
182 votes
Thanks for your feedback. Microsoft is currently working with third party MDM providers to enable this scenario. We will update this thread once we have more information to share.
-
Restricting Access Of Azure Service Principals – Using Conditional Access
If anyone has the below information, they can connect to Azure from any network and issue Azure PS commands.
<#
Display Name : MS-PoC-ServicePrincipal
APP ID : XXXXXXXXXXXX
Tenant ID : YYYYYYYYYYY
Object ID : ZZZZZZZZZZZZZ
Key : oooooooooo
MS Link
https://github.com/squillace/staging/blob/master/articles/resource-group-authenticate-service-principal.md
#>
Best possible scenario is to restrict it using RBAC. Agreed.
An extra layer of conditional access to the Azure Service Principal would be good. This security flaw can compromise the AAD data, since most of the Service Principals have OAuth2 enabled and Read access to AAD.
Can MS look into this please.
I had raised a case with MS…
112 votes
We’ve started work on this, focused on policy based on IP range.
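The post above recommends RBAC as the first line of defence for a service principal whose credentials could be used from any network. The following PowerShell is an added illustration of that advice and is not code from the post, from Microsoft, or from the linked article: it assigns a narrow built-in role at the smallest scope that does the job and then reviews every assignment the principal holds. It assumes the Az PowerShell module and an already-authenticated session; the application ID, subscription ID and resource group name are placeholders, and the cmdlet parameters used here are taken from the Az.Resources module as I know it.

```powershell
# Added example, not part of the original post.
# Assumes: Az module installed and Connect-AzAccount already run by an operator
# who is allowed to create role assignments at the chosen scope.

# Placeholder application (client) ID of the service principal; not a real value.
$appId = '00000000-0000-0000-0000-000000000000'

# Placeholder scope: limit the principal to a single resource group rather than
# granting anything at the subscription root.
$scope = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'

# Least privilege: a built-in Reader role at resource-group scope. Replace with
# the narrowest role that the workload actually needs.
New-AzRoleAssignment -ApplicationId $appId `
                     -RoleDefinitionName 'Reader' `
                     -Scope $scope

# Review: list what the principal holds so that any assignment broader than
# intended (for example Contributor at subscription scope) stands out.
Get-AzRoleAssignment -ServicePrincipalName $appId |
    Select-Object RoleDefinitionName, Scope
```

Network-based conditional access, which Microsoft says above it has started work on, would add a second layer; it does not replace scoping the role assignment itself, because a leaked key still grants whatever the assignment allows from any location the policy permits.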
-
Provide "Conditional Access" on a SharePoint Online Site Collection Level
It would be great if any future "Conditional Access" provided for SharePoint Online could be done on a per Site Collection level.
Talk to the SharePoint Online team regarding this
73 votes -
Support sorting of conditional access policy by name and if policy is enabled
62 votes -
Ability to sort Conditional Access Policies alphabetically
It would be useful to be able to sort Conditional Access Policies alphabetically.
So, for example, if the naming convention starts with ALLOW: or BLOCK: then when you create new ones and sort alphabetically they will all be in the right order. Right now they are listed in the order of creation.
56 votes -
Allow the possibility to assign Dynamic Device Groups to Conditional Access policies
I'd like to enforce enrollment for Corporate devices but not for Personal devices, for the same user account. So I can create Dynamic Device Groups, but if I assign these groups to Conditional Access policies, it doesn't work.
43 votes -
Add the option to block only OneDrive and not the whole SharePoint
Many large organizations that move to Office 365 have the need to block OneDrive for certain users, but leave them the ability to use SharePoint Online. After opening a support case, the response was that it is currently not supported and the only option is to block both OneDrive and SharePoint Online.
39 votes -
App grouping
Currently conditional access policies can be scoped only to individual applications.
This has strong limitations:
* No more than hundreds of applications per policy
* In large environments with lots of applications, this gets very complex and unmanageable
* Changes to Conditional Access policies are always risky and should be minimized
* Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automation
All these issues can be solved by the following set of features:
* Provide a mechanism to group apps
* Allow CA policies to be scoped to these app groups
Depending…
25 votes -
Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity
Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.
It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, Intune doesn't enforce company portal and that Exchange ActiveSync is not blocked on the Exchange Backend.
Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"
Att.: Caleb and Dhanyah
/Peter Selch Dahl
16 votes -
Create Policy differentiation from a BYOD vs CYOD device both PC and Mobile devices.
Many organizations would like to specify certain applications can only be accessed via corporate owned assets but would still like to take advantage of BYOD scenarios for other applications. To that end a differentiation of devices from BYOD and CYOD through to PC's would be great.
Also there should be a process to move devices between the two groups.
15 votes -
Sort or add a sort button to named location ip based list in conditional access
Currently named locations that are IP list based, just sort the IPs in the order they are entered. This makes it very difficult to compare lists or find an IP that needs to be removed. Please either sort them automatically or give us a sort button.
1 vote
Hey folks,
We’ve started this work. We hope to be able to share something with you really soon.
@MarkMorow