Ben Hatton

My feedback

  1. 4 votes
    0 comments  ·  Web Apps » Supportability
    Ben Hatton supported this idea  · 
  2. 3 votes
    triaged  ·  0 comments  ·  Networking » Azure Firewall
    Ben Hatton shared this idea  · 
  3. 81 votes
    10 comments  ·  Networking » Azure Front Door Service
    Ben Hatton supported this idea  · 
  4. 3 votes
    0 comments  ·  Azure Active Directory » Admin Portal
    Ben Hatton shared this idea  · 
  5. 755 votes
    29 comments  ·  Networking » Application Gateway
    Ben Hatton supported this idea  · 
  6. 4 votes
    0 comments  ·  Azure portal » Resource management
    Ben Hatton supported this idea  · 
  7. 8 votes
    4 comments  ·  Azure Active Directory » Conditional Access

    Can you give a bit more detail about why you would want to block 3rd party apps? Why are there 3rd party apps registered in your directory, that you want to block? I’m just wondering if there is a bigger issue here. Please add any feedback to the Azure feedback item.

    Thanks

    Ben Hatton commented  · 

    Hi,

    The bigger issue is that there is no effective approach to control which 3rd party applications can be registered in the directory. We can either turn on user consent control, which allows all 3rd party apps to be registered and make requests for delegated permissions; or turn it off, which blocks all third party apps from being registered. On top of that, once consent control is turned off, there is no simple way to add delegated consent for selected users (can be done by REST API only).

    The problem with 3rd party apps is that users (even highly technical users) have very poor visibility to distinguish a 'safe' app from a malicious app, and ongoing management of consent is not an easy activity for average non-technical users. Consequently, we want to be able to ensure that only pre-screened apps can be granted delegated consent.

    Regards,
    Ben

    Ben Hatton supported this idea  · 
    Ben Hatton shared this idea  · 
  8. 8 votes
    4 comments  ·  Azure Active Directory » Conditional Access

    Today you can set a conditional access policy on “Microsoft Azure Management”, which will apply to any client requesting access tokens to the Azure Management API. This includes the Azure portal (https://portal.azure.com) and Azure PowerShell (e.g. Login-AzureRmAccount).

    It does not apply to Azure AD PowerShell. To apply a conditional access policy to Azure AD PowerShell (e.g. Connect-MsolService and Connect-AzureAD, for the MSOnline and AzureAD modules, respectively), you must target the “All cloud apps”, which means all sign-ins for the targeted users must satisfy the MFA requirement. The main reason for this is that the AzureAD PowerShell module is a thin wrapper around the Azure AD Graph API, which is also used by the vast majority of Azure AD-integrated apps (e.g. Office 365, Azure, etc.) out there.

    Thus, even if there was a way to set a policy on “Azure AD Graph API” (there isn’t), the…

    Ben Hatton supported this idea  · 
    Ben Hatton commented  · 

    Hi Philippe,
    I want to call out a related problem since you highlight use of policy against "Microsoft Azure Management". When I configure this, I also as a side effect cause access to powerapps to be forced to MFA (unknown what other o365 apps might be similarly affected). This is an unacceptable burden on end users for what is supposed to be a policy to protect privileged administration access only. Would very much appreciate your viewpoint and suggestion on this issue. Surely OAuth token requests to Graph API can't be considered "Azure Management" activity...?
    Thanks and regards,
    Ben

  9. 6 votes
    1 comment  ·  Azure Active Directory » Admin Portal
    Ben Hatton commented  · 

    Extending this, I can confirm that MFA via conditional access against "Microsoft Azure Management" also fails, as the setting will force MFA for (at least) powerapps.
    Get your act together please - performing an OAuth login or obtaining a token for Graph API is not Microsoft Azure Management - it's end-user interaction with AAD.

    Ben Hatton supported this idea  · 
  10. 121 votes
    7 comments  ·  Azure Active Directory » Developer Experiences
    Ben Hatton commented  · 

    As a workaround, a module to invoke REST API has been contributed by Jos Lieben:

    http://www.lieben.nu/liebensraum/2018/04/how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-unattended-silently/

    [apologies for previous now deleted post, didn't sufficiently read what I was suggesting]

    Ben Hatton supported this idea  · 
  11. 6 votes
    3 comments  ·  Data Factory
    Ben Hatton commented  · 

    I think you folk have misunderstood how DF works. The data factory instance region is not related to where data is processed. Data movement is between the data sources and the activity runtime only.

  12. 3 votes
    0 comments  ·  Azure Active Directory » Developer Experiences
    Ben Hatton supported this idea  · 
  13. 1,080 votes
    33 comments  ·  Web Apps
    Ben Hatton supported this idea  · 
  14. 270 votes
    4 comments  ·  Logic Apps » Management
    Ben Hatton supported this idea  · 
  15. 3 votes
    0 comments  ·  Logic Apps » Connectors
    Ben Hatton supported this idea  · 
  16. 4 votes
    1 comment  ·  Azure Active Directory » SaaS Applications
    Ben Hatton commented  · 

    The concepts you have here are perfect, thanks. I'm in edu.au so we have a challenging userbase that doesn't respond well to global settings.

    Ben Hatton shared this idea  · 
  17. 11 votes
    0 comments  ·  Azure Active Directory » Conditional Access
    Ben Hatton supported this idea  · 
  18. 48 votes
    2 comments  ·  Azure Active Directory » Conditional Access
    Ben Hatton supported this idea  · 
  19. 11 votes
    2 comments  ·  (General Feedback) » azure.microsoft.com
    Ben Hatton commented  · 

    Yes, exactly this. Being able to drill down to see the actual policy violation detail would be super.
    Simpler approaches for an interim release: Allow each policy instance in an initiative to be individually named, or expose the parameter values against each instance in the compliance list,

    Ben Hatton supported this idea  · 
  20. 193 votes
    49 comments  ·  Azure Active Directory » B2C
    Ben Hatton supported this idea  · 