Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Chris Visscher

My feedback

  1. 120 votes

    12 comments  ·  Azure Active Directory » B2B
    Chris Visscher commented  · 

    To be able to use Azure Active Directory to authenticate securely, a company's IT department needs to have the ability to enforce MFA for all (Cloud) applications that are being used by its users. This means ALL Cloud Apps, not just the ones that are registered in its own Tenant.

    In Conditional Access there is a control stating "Control user access based on all or specific cloud apps or actions". Setting this to All Cloud Apps does not actually apply to all cloud apps, it just applies to the Enterprise Apps registered in one's Tenant. Cloud Apps used in remote Tenants (where the user is B2B invited to as a Guest user) do not fall in this category, nor can they be included in any way at the moment.

    The only sure, logical, and proper way of guaranteeing that users are forced to authenticate with MFA when using Cloud Apps in another AAD Tenant is to make the user go through the MFA process inside its own Tenant. Unfortunately, Microsoft currently does not (yet) support that.

    As also already mentioned, going through one's own Tenant MFA process would make this a much more clear and straightforward experience for the End User. On top, it would save on (indirect) AAD Premium license cost in every remote Tenant used by an organization since they would not have to get an additional license to support MFA for Guest users in those remote Tenants. (This last part might not be a great incentive for Microsoft to change anything though).

    In the AAD sign-ins log in one's own Tenant, the sign-ins to B2B provided / remote Tenant hosted Cloud Apps are visible including the remote App ID, so it would already be useful if Conditional Access would allow configuring specific (remote) App IDs to be included in an "MFA enforced" policy to allow better control as a first step to solve this problem.

    Chris Visscher supported this idea  · 
  2. 109 votes

    8 comments  ·  Azure Portal » Other
    Chris Visscher supported this idea  · 
  3. 1,064 votes

    Chris Visscher supported this idea  · 
  4. 358 votes

    42 comments  ·  Azure Active Directory » Domain Join
    Chris Visscher supported this idea  · 
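The first idea above points out that the home tenant's sign-in log already records sign-ins to apps hosted in remote (B2B) tenants, including the remote App ID, while "All cloud apps" in Conditional Access only covers the home tenant's own apps. A defender can use that log today to find which cross-tenant sign-ins completed without MFA and which remote App IDs an "MFA enforced" policy would need to cover. The script below is an added example, not code from UserVoice, the commenter, or Microsoft. The records are constructed, and the field names (resourceTenantId, authenticationRequirement, conditionalAccessStatus, appId) are assumed to follow the Microsoft Graph signIn resource; the home tenant ID and app IDs are placeholders.

```python
"""Triage of home-tenant sign-in log records for cross-tenant (B2B) sign-ins
that completed without MFA. Added example with constructed data; field names
are assumed to follow the Microsoft Graph signIn resource."""
from typing import Iterable

# Constructed placeholder for the organisation's own tenant ID.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample records: one interactive sign-in each. resourceTenantId is
# the tenant that hosts the app being accessed; authenticationRequirement is
# what the sign-in actually satisfied, not what the home tenant demanded.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appId": "aaaa-home-app",
     "appDisplayName": "Home HR portal", "resourceTenantId": HOME_TENANT_ID,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "alice@contoso.example", "appId": "bbbb-remote-app-x",
     "appDisplayName": "Partner project site", "resourceTenantId": "2222-partner",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@contoso.example", "appId": "cccc-remote-app-y",
     "appDisplayName": "Supplier ticketing", "resourceTenantId": "3333-supplier",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@contoso.example", "appId": "bbbb-remote-app-x",
     "appDisplayName": "Partner project site", "resourceTenantId": "2222-partner",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "carol@contoso.example", "appId": "aaaa-home-app",
     "appDisplayName": "Home HR portal", "resourceTenantId": HOME_TENANT_ID,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied"},
]


def is_cross_tenant(record: dict, home_tenant_id: str = HOME_TENANT_ID) -> bool:
    """True when the app being accessed lives in a tenant other than ours."""
    return record.get("resourceTenantId") != home_tenant_id


def satisfied_mfa(record: dict) -> bool:
    """True when the sign-in satisfied MFA (in whichever tenant it happened)."""
    return record.get("authenticationRequirement") == "multiFactorAuthentication"


def find_unprotected_cross_tenant_signins(
    records: Iterable[dict], home_tenant_id: str = HOME_TENANT_ID
) -> list:
    """Cross-tenant sign-ins that went through with single-factor auth only.

    These are exactly the cases the comment describes: our "All cloud apps"
    policy did not apply, and the remote tenant did not demand MFA either.
    """
    return [
        r for r in records
        if is_cross_tenant(r, home_tenant_id) and not satisfied_mfa(r)
    ]


def remote_app_ids(records: Iterable[dict], home_tenant_id: str = HOME_TENANT_ID) -> set:
    """Distinct remote App IDs seen in the log: the candidate list for a
    per-App-ID "MFA enforced" policy, once Conditional Access allows it."""
    return {r["appId"] for r in records if is_cross_tenant(r, home_tenant_id)}


def uncovered_apps(
    records: Iterable[dict], policy_app_ids: set, home_tenant_id: str = HOME_TENANT_ID
) -> set:
    """Remote App IDs observed in the log that a proposed policy does not list."""
    return remote_app_ids(records, home_tenant_id) - set(policy_app_ids)


if __name__ == "__main__":
    for r in find_unprotected_cross_tenant_signins(SAMPLE_SIGNINS):
        print(f"NO MFA: {r['userPrincipalName']} -> {r['appDisplayName']} "
              f"(appId={r['appId']}, tenant={r['resourceTenantId']})")
    print("remote apps seen:", sorted(remote_app_ids(SAMPLE_SIGNINS)))
    print("not covered by policy:", sorted(uncovered_apps(SAMPLE_SIGNINS, {"bbbb-remote-app-x"})))
```

The home-tenant record for carol is deliberately left out of the result: it is single-factor too, but it falls under the existing "All cloud apps" scope and is a separate policy question. Fed with a real export of the sign-in log, the same three functions give an inventory of remote App IDs and a list of the users for whom the B2B gap described above is actually being exercised.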
