Microsoft Endpoint Manager Intune Feedback

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Manager Intune, though we can’t promise to reply to all posts.

Standard Disclaimer – our lawyers made us put this here ;-) We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Intune feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Intune. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.

  1. include/exclude apps in conditional access rules using Graph API

    Conditional Access allows you to include/exclude apps from a specific list provided by Microsoft. Some apps are not in there. When it is blocked by Conditional Access, the user error shows the ID of the blocked app. My request is to be able to include/exclude this app ID using the Graph API, for example. Currently this is not possible. I tried this with, for example, the Whiteboard application and received this response:

    {
      "error": {
        "code": "BadRequest",
        "message": "Policy contains invalid applications: 57336123-6e14-4acc-8dcf-287b6088aa28",
        "innerError": {
          "request-id": "ba0e5817-a336-4164-9f49-773d813fc61a",
          "date": "2019-11-29T10:02:20"
        }
      }
    }

    18 votes  ·  1 comment  ·  Conditional Access
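The post above shows the 400 response Graph returns when an application ID is not in the set Conditional Access accepts. The following is an added example (not code from the post or from Microsoft) of how a script that creates policies through `POST /identity/conditionalAccess/policies` can build the policy body, recognise exactly this error, pull out the rejected IDs, and refuse to silently create a policy that protects nothing. The field names follow the Graph conditionalAccessPolicy resource; the error text is modelled on the post, the request-id and the second app ID are constructed placeholders, and the `create_policy` helper (which needs a token with Policy.ReadWrite.ConditionalAccess) is not exercised offline.

```python
import json
import re
import urllib.error
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample of the error body in the post: the app ID is the one the
# post reports for Whiteboard; request-id and date are placeholder values.
SAMPLE_ERROR_BODY = json.dumps({
    "error": {
        "code": "BadRequest",
        "message": "Policy contains invalid applications: 57336123-6e14-4acc-8dcf-287b6088aa28",
        "innerError": {"request-id": "00000000-0000-0000-0000-000000000000",
                       "date": "2019-11-29T10:02:20"},
    }
})


def build_policy(display_name, include_apps, exclude_apps=(),
                 include_users=("All",), controls=("compliantDevice",)):
    """Return a conditionalAccessPolicy body for POST .../conditionalAccess/policies.

    The policy is created in report-only state so a typo in an app list
    cannot lock users out before the sign-in logs have been reviewed."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": list(include_users)},
            "applications": {
                "includeApplications": list(include_apps),
                "excludeApplications": list(exclude_apps),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


def invalid_app_ids(error_body):
    """Extract the app IDs Graph rejected from a 400 'invalid applications' error.

    Returns an empty list for anything else so the caller does not mistake an
    unrelated failure (expired token, throttling) for a bad app list."""
    try:
        err = json.loads(error_body)["error"]
    except (ValueError, KeyError, TypeError):
        return []
    if err.get("code") != "BadRequest":
        return []
    msg = err.get("message", "")
    if not msg.startswith("Policy contains invalid applications"):
        return []
    return [g.lower() for g in GUID_RE.findall(msg)]


def drop_invalid_apps(policy, bad_ids):
    """Return a copy of the policy without the rejected IDs.

    Raises ValueError when removing them would leave includeApplications
    empty: a policy that targets nothing silently protects nothing."""
    bad = {b.lower() for b in bad_ids}
    apps = policy["conditions"]["applications"]
    kept_include = [a for a in apps["includeApplications"] if a.lower() not in bad]
    kept_exclude = [a for a in apps["excludeApplications"] if a.lower() not in bad]
    if not kept_include:
        raise ValueError("all included applications were rejected; nothing left to protect")
    fixed = json.loads(json.dumps(policy))  # deep copy; the caller's dict is left untouched
    fixed["conditions"]["applications"]["includeApplications"] = kept_include
    fixed["conditions"]["applications"]["excludeApplications"] = kept_exclude
    return fixed


def create_policy(access_token, policy):
    """POST the policy; on the 'invalid applications' error return (None, ids)
    instead of raising so the caller can decide what to do. Any other HTTP
    error is re-raised. Not run offline."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read()), []
    except urllib.error.HTTPError as e:
        bad = invalid_app_ids(e.read().decode())
        if e.code == 400 and bad:
            return None, bad
        raise
```

The deliberate choice is to surface the rejected IDs rather than retry with them removed automatically: an app dropped from `includeApplications` is an app the policy no longer protects, which is the kind of gap the original post is complaining about.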
  2. Conditional Access that require device to be Azure AD joined

    At the moment there is an option to grant access to devices that are domain joined, which does not include Azure AD join. For those who are fully on the cloud/O365 this feature would be very useful. Thanks

    18 votes  ·  2 comments  ·  Conditional Access
  3. VVX 600/500 + Lync phone edition support

    Hello,

    We are using all Skype for Business certified phones for our Skype server.

    We are currently using Conditional Access for the Exchange side but not the Skype side.

    Lync Phone Edition and Polycom UC (VVX phones) both use EWS in order to pull call logs, visual voicemail, calendar information, etc.

    Currently, there is no bypass for these desk phones to allow them to connect to Exchange Online when you enable and enforce device-based Conditional Access.

    A simple fix would be to add the models to the bypass models in Intune.

    The longer fix is being tackled from two sources.

    15 votes  ·  0 comments  ·  Conditional Access
  4. 3rd Party MDM support via IntuneMAMUPN

    Hi There,

    We currently use a 3rd-party MDM (in our case AirWatch) and we're looking for a way to only allow AirWatch (or insert another MDM here) to authenticate to AAD. Since there is no non-Windows compliance integration, I would like to propose the following:

    Only Allow "Approved Apps" to authenticate as documented here:
    https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#approved-client-app-requirement

    And test to see if the IntuneMAMUPN AppConfig key is present in the approved app. Why? AppConfig keys can only be implemented via MDM; if the key is present, that can be used as an attestation that the device is in good standing on…

    15 votes  ·  0 comments  ·  Conditional Access
  5. Mark Windows devices with 'Not Applicable' Compliance Policies as non-compliant

    When using DHA compliance policies for BitLocker and Secure Boot, Windows devices that either don't have a TPM or have the TPM and Secure Boot disabled in the BIOS currently report as Compliant, thereby allowing them to pass Conditional Access compliance requirements!

    This could be considered a security risk.

    Possible ways to address this:
    - change the detection method so that devices in this state will no longer report as 'Not Applicable'
    - at the compliance policy level, allow a per-policy setting to control if a device that reports as 'Not Applicable' should be considered compliant or not.

    14 votes  ·  1 comment  ·  Conditional Access
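Until Intune offers the per-policy switch the post asks for, the gap can at least be measured: the following is an added example (not Intune's own logic or code from the post) of a fail-closed evaluation run over exported device compliance data, where a DHA setting that reports "notApplicable", "error", "unknown" or is simply missing counts as a failure, and the script lists the devices Intune calls compliant that would not pass that stricter test. The device records are constructed, and their layout (`intuneState`, `settings`) is a simplification assumed for the example rather than the exact Graph `deviceCompliancePolicySettingState` schema.

```python
# Fail-closed compliance evaluation: absence of a TPM/Secure Boot attestation
# is not treated as evidence of a healthy device.

STRICT_SETTINGS = ("bitLockerEnabled", "secureBootEnabled", "codeIntegrityEnabled")
PASS_STATES = {"compliant"}

# Constructed sample data; record layout is illustrative, not Graph's exact schema.
SAMPLE_DEVICES = [
    {"deviceName": "LAPTOP-01", "intuneState": "compliant",
     "settings": {"bitLockerEnabled": "compliant", "secureBootEnabled": "compliant",
                  "codeIntegrityEnabled": "compliant"}},
    {"deviceName": "LAPTOP-02", "intuneState": "compliant",   # no TPM: DHA cannot evaluate
     "settings": {"bitLockerEnabled": "notApplicable", "secureBootEnabled": "notApplicable",
                  "codeIntegrityEnabled": "notApplicable"}},
    {"deviceName": "LAPTOP-03", "intuneState": "compliant",   # Secure Boot off in firmware
     "settings": {"bitLockerEnabled": "compliant", "secureBootEnabled": "notApplicable",
                  "codeIntegrityEnabled": "compliant"}},
    {"deviceName": "LAPTOP-04", "intuneState": "noncompliant",
     "settings": {"bitLockerEnabled": "noncompliant", "secureBootEnabled": "compliant",
                  "codeIntegrityEnabled": "compliant"}},
    {"deviceName": "LAPTOP-05", "intuneState": "compliant",   # no DHA report received at all
     "settings": {}},
]


def strict_state(device, strict_settings=STRICT_SETTINGS):
    """Return 'compliant' only if every strict setting reports compliant.

    notApplicable, error, unknown and missing all count as failure."""
    settings = device.get("settings", {})
    for name in strict_settings:
        if settings.get(name, "missing") not in PASS_STATES:
            return "noncompliant"
    return "compliant"


def failing_settings(device, strict_settings=STRICT_SETTINGS):
    """(setting, reported state) pairs that caused a strict failure, in policy order."""
    settings = device.get("settings", {})
    return [(n, settings.get(n, "missing")) for n in strict_settings
            if settings.get(n, "missing") not in PASS_STATES]


def silently_passing(devices, strict_settings=STRICT_SETTINGS):
    """Devices Intune marks compliant that fail the strict evaluation.

    These would sail through a Conditional Access 'require compliant
    device' grant control despite having no usable hardware attestation."""
    return [d["deviceName"] for d in devices
            if d.get("intuneState") == "compliant"
            and strict_state(d, strict_settings) == "noncompliant"]


if __name__ == "__main__":
    for name in silently_passing(SAMPLE_DEVICES):
        dev = next(d for d in SAMPLE_DEVICES if d["deviceName"] == name)
        print(name, failing_settings(dev))
```

Feeding real data in means exporting per-device setting states from the Intune compliance reports or Graph and mapping them onto the `settings` dict; the evaluation itself does not change. The output is a review list, not an enforcement mechanism, since only Intune's own compliance state reaches Conditional Access.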
  6. Block enrollment based on user not having an Intune licence assigned to them

    Block enrollment based on user not having an Intune licence assigned to them.

    Blocking based on device isn't efficient

    14 votes  ·  2 comments  ·  Conditional Access
  7. Enable Conditional Access for Intune Company Portal Web Site

    Enable Conditional Access for the Intune Company Portal website (portal.manage.microsoft.com).
    The website is available for Intune users to view their own device info and execute remote actions such as wipe, sync and passcode reset.
    Admins want to restrict access to these features from outsiders or non-compliant devices so that only compliant devices and users can execute actions.

    14 votes  ·  1 comment  ·  Conditional Access
  8. Effective Conditional Access Policies for users and groups

    Consider adding an option within Azure Active Directory Conditional Access that allows security administrators to check whether the company's Conditional Access rules are applied effectively for all users and groups.

    • The solution should list all users and groups that are targeted by a specific Conditional Access policy and also those who are not hit by the policy.

    • The solution should also be usable for troubleshooting which policies are being applied to a user.

    12 votes  ·  1 comment  ·  Conditional Access
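The two bullets above describe a "what if" evaluator for the users/groups condition. The following is an added example (not Azure AD's evaluator and not code from the post) that implements that condition offline over an exported list of policies and users: any matching exclusion wins over any inclusion, `All` in includeUsers matches everyone, and policies in report-only state are ignored unless asked for. It answers both questions in the post, which users a given policy hits and misses, and which policies apply to a given user, plus the audit question of who is covered by nothing. The policy records are a flattened, assumed layout (the real Graph resource nests these under `conditions.users`), and all IDs and names are constructed placeholders.

```python
# Offline "what if" for the Conditional Access users/groups condition.

ALL = "All"

# Constructed sample data; IDs are placeholders, not real tenant objects.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "includeUsers": [ALL], "excludeUsers": ["u-breakglass"],
     "includeGroups": [], "excludeGroups": ["g-service-accounts"]},
    {"displayName": "Require compliant device (staff)", "state": "enabled",
     "includeUsers": [], "excludeUsers": [],
     "includeGroups": ["g-staff"], "excludeGroups": ["g-contractors"]},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "includeUsers": [ALL], "excludeUsers": [],
     "includeGroups": [], "excludeGroups": []},
]

USERS = {
    "u-alice":      {"groups": {"g-staff"}},
    "u-bob":        {"groups": {"g-staff", "g-contractors"}},
    "u-svc-backup": {"groups": {"g-service-accounts"}},
    "u-breakglass": {"groups": set()},
}


def _hits(user_id, groups, user_list, group_list):
    """True if the user is named directly, matched by 'All', or in a listed group."""
    if ALL in user_list or user_id in user_list:
        return True
    return bool(groups & set(group_list))


def applies(policy, user_id, groups, enforced_only=True):
    """True if the policy's users/groups condition selects this user.

    Exclusions are checked first because a matching exclusion always wins,
    regardless of how the user was included."""
    if enforced_only and policy["state"] != "enabled":
        return False
    if _hits(user_id, groups, policy["excludeUsers"], policy["excludeGroups"]):
        return False
    return _hits(user_id, groups, policy["includeUsers"], policy["includeGroups"])


def effective_policies(policies, users, enforced_only=True):
    """Map user id -> sorted names of policies that apply to that user."""
    return {uid: sorted(p["displayName"] for p in policies
                        if applies(p, uid, u["groups"], enforced_only))
            for uid, u in users.items()}


def targets_of(policy, users):
    """Split users into (hit, missed) for one policy: the post's first bullet."""
    hit = sorted(uid for uid, u in users.items() if applies(policy, uid, u["groups"]))
    missed = sorted(set(users) - set(hit))
    return hit, missed


def uncovered(policies, users, enforced_only=True):
    """Users no enforced policy applies to: the list an auditor reviews first."""
    eff = effective_policies(policies, users, enforced_only)
    return sorted(uid for uid, names in eff.items() if not names)


if __name__ == "__main__":
    for uid, names in effective_policies(POLICIES, USERS).items():
        print(uid, names or "<no policy>")
    print("uncovered:", uncovered(POLICIES, USERS))
```

Group membership must be expanded transitively before it is passed in (nested groups count in Azure AD), and the break-glass account showing up as uncovered is expected and should be a conscious, documented exception rather than a surprise in the report.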
  9. Ability to block all cloud apps except the ones for Intune enrollment (Windows 10)

    We have a Conditional Access policy which is configured to grant access to All cloud apps only if you are hybrid domain joined or compliant.

    We would like to set up exclusions within this CA policy for the Intune enrollment apps, because selecting Microsoft Intune and Microsoft Intune Enrollment is not encompassing enough.

    During the enrollment process (e.g. Windows 10 device BYOD or during Autopilot account setup) the Microsoft Application Command Service app is used; unfortunately it cannot be excluded.

    I have raised and identified this issue with MS support in the case number 119091321001371

    12 votes  ·  0 comments  ·  Conditional Access
  10. Conditional Access should be able to restrict access to Skype on Windows

    Intune Conditional Access for Skype for Business Online is working for the iOS and Android platforms after enabling Modern Authentication. However, we can still log into Skype for Business on PCs.
    Please see the comment by Chris_Shalda at the following link:
    https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-skype-for-business-online-with-microsoft-intune

    12 votes  ·  2 comments  ·  Conditional Access
  11. Add MS Whiteboard to the predefined list of "approved applications"

    Currently, using a CA policy to require "approved applications" prevents colleagues from using MS Whiteboard.
    As these new O365 apps are released they must be configured to work with Conditional Access. It's becoming more difficult to explain why an MS app is not compatible with the MS MDM.

    11 votes  ·  0 comments  ·  Conditional Access
  12. Block end users from accessing corporate email through native apps on iOS/Android

    Currently, an iOS, Android or Windows Phone device that is enrolled and compliant can access Office 365 corporate resources (like SharePoint, OneDrive, Exchange Online) through applications that are not fully managed apps, for example native apps.

    We want to force users to configure corporate email in their Outlook app only.

    11 votes  ·  2 comments  ·  Conditional Access
  13. Conditional Access based on device enrollment

    Extend Conditional Access to look at device enrolment status or whether the device is classed as a corporate device.
    The reason being: if we had devices that are not compliant, you cannot create a Conditional Access rule to block them, as this will then require all devices that the user is using to be marked as compliant. But what if they wish to use their personal device with MAM only? You can only make the device compliant by enrolling it.
    Thanks

    11 votes  ·  2 comments  ·  Conditional Access
  14. Block External Access to All of Office 365 Except Intune

    We need the ability to block external access to Office 365 and yet allow Intune to communicate with ADFS (and synchronize AD traffic). The claims rule intended to block external access to Office 365 except ActiveSync, unfortunately, blocks AD sync with Intune.

    11 votes  ·  2 comments  ·  Conditional Access
  15. Default rule for ActiveSync not working properly

    We are using Exchange Online and have purchased the EMS suite.

    We are trying to implement Conditional Access to ensure that all our staff accessing company email are using Outlook (so they have to use the MAM policies restricting copy & paste and sharing of attachments) on Intune-compliant devices.

    We want to block the built-in Mail application for iOS and Android as they don't support the MAM policies we want to implement. We also want to block all other third-party ActiveSync clients such as Bluemail / Nine.

    I feel like this should be a very common scenario…

    10 votes  ·  1 comment  ·  Conditional Access
  16. Compliance Policies that make use of Workplace Join to define device compliance

    It would be useful to control access to Office 365 resources based on whether the device is Workplace Joined and registered. This is an option in ADFS.

    10 votes  ·  0 comments  ·  Conditional Access
  17. Windows update status to Windows 10 Device Compliance

    It would be great if, in device compliance, you could manage Windows update patch compliance as part of device compliance. Use case example: if you have a patched Windows you are compliant and you can give access to the end device without MFA.

    10 votes  ·  1 comment  ·  Conditional Access
  18. Conditional Access exemption on devices or groups containing devices

    It would be nice to exempt individual devices, or devices which are members of a specific group, from Conditional Access. This would allow the use of devices which cannot report compliance correctly, or devices for VIPs.

    10 votes  ·  1 comment  ·  Conditional Access
  19. Better navigation in Conditional Access blade

    The Conditional Access blade is missing navigation and search options. Once you have a lot of rules, it can be a nightmare for operations.

    You can't pinpoint a specific rule among 20 rules without opening them all. The only way to categorize the rules is by creating a naming structure.

    So why not add these parameters?

    • Sort or filter by column name (policy name, enabled)

    • Add more columns based on rule settings (application, browser, platform, etc.)

    • A search field where you can search for these rule settings

    Giving users the possibility to change their Conditional Access blade view would make it easier…

    10 votes  ·  1 comment  ·  Conditional Access
  20. Conditional Access for Browsers

    Extend Conditional Access to support web browsers on compliant machines. SharePoint Online CA does us no good without this feature. We don't want users downloading stuff from OneDrive for Business if they're not on a domain-joined PC.

    10 votes  ·  0 comments  ·  Conditional Access