Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback.

Dan Carr

My feedback

  1. 27 votes

    6 comments  ·  Azure Active Directory » Conditional Access

    Today you can set a conditional access policy on “Microsoft Azure Management”, which will apply to any client requesting access tokens to the Azure Management API. This includes the Azure portal (https://portal.azure.com) and Azure PowerShell (e.g. Login-AzureRmAccount).

    It does not apply to Azure AD PowerShell. To apply a conditional access policy to Azure AD PowerShell (e.g. Connect-MsolService and Connect-AzureAD, for the MSOnline and AzureAD modules, respectively), you must target “All cloud apps”, which means all sign-ins for the targeted users must satisfy the MFA requirement. The main reason for this is that the AzureAD PowerShell module is a thin wrapper around the Azure AD Graph API, which is also used by the vast majority of Azure AD-integrated apps (e.g. Office 365, Azure, etc.) out there.

    Thus, even if there was a way to set a policy on “Azure AD Graph API” (there isn’t), the…

    Dan Carr commented  · 

    We can't block users from accessing AAD, but we want to be able to block them from using PowerShell to access AAD (it appears to be a path someone is trying to use to exploit our user accounts). Unfortunately PowerShell is a client, not a resource/target for CA policies. If the endpoint that AAD PowerShell uses were a distinct endpoint, then we could target it with CA policies, but as it stands it's just MS Graph, which is very broad and not available as a CA policy target.

    Dan Carr supported this idea  · 
  2. 1 vote

    Dan Carr shared this idea  · 
  3. 9 votes

    2 comments  ·  Azure Active Directory » Directory
    Dan Carr commented  · 

    I found out today that this is also a B2B/guest user issue. We have separate Dev and Prod Tenants, and I was trying to invite my production account to be a guest in my Dev Tenant, but this kept erroring out because I had set the email address of my Dev identity to be my Prod email address (I only have one mailbox!). To get around this issue I had to delete the mail attribute from my conflicting Dev identity and reissue the invite to my Prod identity. Unfortunately, experience has shown that when I don't populate the email attribute AAD will send notifications for that account to the account's UPN - which is not an email address and has no associated mailbox, so the messages go to the big bit bucket in the ether.

    Dan Carr shared this idea  · 
  4. 40 votes

    6 comments  ·  Azure Portal » Monitoring + troubleshooting
    Dan Carr supported this idea  · 
  5. 203 votes

    29 comments  ·  Azure Active Directory » Reporting
    started  ·  Azure AD Team responded

    We are working on this but we don’t have a public ETA to share at this time. We will keep you updated as we get closer.

    Dan Carr supported this idea  · 
  6. 1,695 votes

    under review  ·  Azure AD Team responded

    Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.

    Chen

    Dan Carr supported this idea  · 
  7. 2 votes

    0 comments  ·  Azure Active Directory » Conditional Access
    Dan Carr shared this idea  · 
  8. 4 votes

    0 comments  ·  Azure Active Directory » Conditional Access
    Dan Carr supported this idea  · 
  9. 279 votes

    35 comments  ·  Azure Active Directory » Conditional Access
    Dan Carr supported this idea  · 
  10. 43 votes

    Dan Carr supported this idea  · 
  11. 76 votes

    started  ·  5 comments  ·  Azure Active Directory » Conditional Access
    Dan Carr supported this idea  · 
  12. 3 votes

    0 comments  ·  Azure Active Directory » PowerShell
    Dan Carr shared this idea  · 
  13. 43 votes

    under review  ·  7 comments  ·  Azure Active Directory » Access Reviews
    Dan Carr supported this idea  · 
  14. 133 votes

    Dan Carr supported this idea  · 
  15. 11 votes

    Dan Carr supported this idea  · 
  16. 13 votes

    1 comment  ·  Azure Active Directory » Authentication
    Dan Carr supported this idea  · 
  17. 157 votes

    18 comments  ·  Azure Active Directory » Admin Portal
    Dan Carr commented  · 

    This is even more critical when we migrate to PHS as recommended by Microsoft. Cloud-first users who may never log in on premises show no logins at all: last login doesn't appear as an attribute of the user in either the AzureAD or MSOnline cmdlets, and doesn't feed back any such information to the on-premises AD, so there's no way of knowing if this user is active or not. I've seen some solutions where people save their sign-in logs to a Log Analytics workspace and then look for accounts with the last sign-in being greater than a specified period (e.g. 90 days), but that won't show any users that have never signed in or whose last sign-in was longer ago than the data retention of the logs!

    Dan Carr supported this idea  · 
  18. 309 votes

    43 comments  ·  Azure Active Directory » Admin Portal
    Dan Carr supported this idea  · 
  19. 227 votes

    36 comments  ·  Azure Active Directory » Devices

    Thanks for your feedback. We are looking into it and evaluating different options for solving the use cases mentioned in this thread. We will update this thread once we have more information to share.

    Dan Carr supported this idea  · 
  20. 1 vote

    1 comment  ·  Azure Active Directory » PowerShell
    Dan Carr shared this idea  · 