
Microsoft Endpoint Manager Intune Feedback

Suggestion box powered by UserVoice


All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Manager Intune, though we can’t promise to reply to all posts.

Standard Disclaimer – our lawyers made us put this here ;-) We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Intune feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Intune. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.


  1. MAM

    I would like to request a Conditional Access logon banner, similar to the terms of use (TOU) functionality. The TOU doesn't fit our existing need of having the end user sign off on a login banner at each login to Outlook (or any MAM app). See specifics below:

    Login banners shall be displayed stating:
    1. the computer being accessed is private;
    2. unauthorized access is prohibited;
    3. conditions for access (including consent to monitoring and recording), acceptable use, and access limitations; and
    4. privacy and security notices.
    The user shall be required to acknowledge the login banner to continue with the log-on.

    5 votes
    0 comments  ·  Conditional Access
  2. Is it possible to provide Device Registration Service via Azure AD Connect, as in the latest update for the Pass-through Authentication preview?

    When we restrict users from accessing Office 365 services using Conditional Access with Intune, Azure AD Device Registration is needed, which is only possible via ADFS DRS. If this DRS were available in the same way as Pass-through Authentication and SSO via Azure AD Connect, it would be very easy to roll out OneDrive for Business and other workloads with leading customers.
    It is a big blocker to redirect all traffic through ADFS just because of DRS.
    "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup"

    5 votes
    0 comments  ·  Conditional Access
  3. More granular compliance rules

    It would be nice if there were more granular controls for conditional access. For example, iOS devices running a version earlier than 7.0 should get an email that they need to upgrade, for a period of time before email is blocked. Or, if encryption is not enabled, perform the following actions over a set period before blocking mail.

    5 votes
    0 comments  ·  Conditional Access
  4. Conditional Access should apply to external sharing (e.g. business partners)

    I need to share sensitive documents from SharePoint Online (SPO) with a limited number of users at a business partner. One of the risks that needs to be mitigated is an external user being able to download documents to non-managed devices; however, we do not manage their devices. Applying a Trusted IP conditional access policy would allow those users to access our site only from their corporate network, so that documents will not be downloaded to non-managed devices. This policy works only if the user is our internal user; according to MS, "Conditional access doesn't apply to external sharing". Without conditional access, SPO external sharing adds a big risk…

    5 votes
    0 comments  ·  Conditional Access
  5. 4 votes
    0 comments  ·  Conditional Access
  6. Managed Application State as a Condition

    The ability to exclude Managed Applications as a condition in Conditional Access, specifically relating to WIP policies and browser access.

    For example, this would allow admins to provide different user experiences for SharePoint Online based on whether the user was using a WIP-protected browser versus a browser on a non-enrolled, non-hybrid-joined device. Currently, if you enable browser-only access to SharePoint Online using the built-in CA policies, it will prevent downloading data regardless of whether the browser is WIP protected. It would be useful to allow a WIP-protected browser on an un-enrolled device to access SPO like any other…

    4 votes
    0 comments  ·  Conditional Access
  7. Antivirus check in the compliance policy per product

    I understand that the antivirus check of the compliance policy on Windows 10 checks compliance using antivirus solutions that are registered with Windows Security Center. But some antivirus solutions are unreliable, so I want to check that the antivirus is a specific product.

    4 votes
    0 comments  ·  Conditional Access
  8. Non-Compliance Email should be sent whenever a device becomes non-compliant

    Currently the first time a device becomes non-compliant, a policy configured to send a non-compliance alert will send the alert. Subsequent times that the device becomes non-compliant, the user will not receive a non-compliance email. This was reported to me by MS support as being "as designed".

    4 votes
    0 comments  ·  Conditional Access
  9. Encryption setting should have either a slider or a Yes/No drop down. Providing both makes for a confusing and convoluted experience

    Windows 10 Mobile reports 'not compliant' and I cannot access company email; I only have a conditional access policy for Exchange Online and SharePoint Online deployed.

    When looking for the policy error I can see it's the encryption setting which is causing the issue, but for the encryption setting I selected 'No', which I assume means the device doesn't have to be encrypted to be compliant.

    The device itself has encryption turned on; should that block access?

    I turned off the encryption on the device and everything is working again. Is this a bug, as clearly the settings I have…

    4 votes
    1 comment  ·  Conditional Access

    Ah. Yeah, that’s feedback we’ve had before. At this time there are not any plans to fix it, but I am not going to mark this as declined. I moved it from Issues to Suggestions, and I changed the title to match the bug we have internally. I won’t promise that getting a lot of feedback on this will change our plans, but I will say that getting a lot of feedback would help us have a better discussion about whether we should fix it. More data is helpful.

  10. Access Control: Create advanced rules with logic operators

    Extend the Access Control ruleset with the option to combine AND / OR.

    Example: here we say that we always want to require Approved Client App, and that if the user has enrolled their device then they don't have to enter MFA. Today this requires several rules to set up, and makes the configuration quite messy. Mess = higher chance of errors.
    Grant Access if: Require Approved Client App AND (Require MFA OR Require Device to be compliant)

    3 votes
    0 comments  ·  Conditional Access
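The rule above can be built today, but only by splitting it across two policies, because Azure AD enforces every applicable Conditional Access policy at once (separate policies are effectively ANDed) while a single policy's grant controls take one operator for all of its controls. The following is an added example, not code from the post or from Microsoft: it writes the two policy bodies in the shape of the Microsoft Graph conditionalAccessPolicy resource (reproduced from memory for illustration; the user and application targets are placeholders) and uses a small model of policy combination, not Microsoft's engine, to check that the pair matches the requested expression on all inputs and that no single policy with one operator can.

```python
"""
Added example (not from the UserVoice post or Microsoft): the requested rule

    Grant if: Approved Client App AND (MFA OR Compliant Device)

built from two Conditional Access policies, plus a simplified model of how
Azure AD combines policies (every applicable enabled policy must be
satisfied). Assumptions: the Graph conditionalAccessPolicy JSON shape is
written from memory; evaluate() is a model, not Microsoft's engine; the
user and application targets are placeholders.
"""
from itertools import product
import json

# Same scope for both policies (placeholder targets, an assumption).
COMMON_CONDITIONS = {
    "users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["Office365"]},
    "clientAppTypes": ["mobileAppsAndDesktopClients"],
}

# Policy 1 always requires an approved client app.
# Policy 2 requires MFA or a compliant device (OR inside one policy).
POLICIES = [
    {
        "displayName": "Require approved client app",
        "state": "enabled",
        "conditions": COMMON_CONDITIONS,
        "grantControls": {"operator": "AND",
                          "builtInControls": ["approvedApplication"]},
    },
    {
        "displayName": "Require MFA or compliant device",
        "state": "enabled",
        "conditions": COMMON_CONDITIONS,
        "grantControls": {"operator": "OR",
                          "builtInControls": ["mfa", "compliantDevice"]},
    },
]

CONTROL_NAMES = ("approvedApplication", "mfa", "compliantDevice")


def policy_satisfied(policy, satisfied_controls):
    """Apply one policy's grant controls to the controls the sign-in met."""
    grant = policy["grantControls"]
    met = [c in satisfied_controls for c in grant["builtInControls"]]
    return all(met) if grant["operator"] == "AND" else any(met)


def evaluate(policies, satisfied_controls):
    """Model of the engine: access is granted only if every enabled policy
    that applies is satisfied, i.e. separate policies are ANDed together."""
    return all(policy_satisfied(p, satisfied_controls)
               for p in policies if p["state"] == "enabled")


def requested_rule(approved_app, mfa, compliant):
    """The expression the post wants to write in a single policy."""
    return approved_app and (mfa or compliant)


def controls_for(approved_app, mfa, compliant):
    flags = (approved_app, mfa, compliant)
    return {name for name, on in zip(CONTROL_NAMES, flags) if on}


def two_policies_match_requested_rule():
    """Exhaustive check over all 8 combinations of the three controls."""
    return all(
        evaluate(POLICIES, controls_for(a, m, c)) == requested_rule(a, m, c)
        for a, m, c in product([False, True], repeat=3)
    )


def single_policy_matches_requested_rule(operator):
    """Could one policy holding all three controls under one operator do it?"""
    single = [{"displayName": "single", "state": "enabled",
               "conditions": COMMON_CONDITIONS,
               "grantControls": {"operator": operator,
                                 "builtInControls": list(CONTROL_NAMES)}}]
    return all(
        evaluate(single, controls_for(a, m, c)) == requested_rule(a, m, c)
        for a, m, c in product([False, True], repeat=3)
    )


def graph_request_bodies():
    """JSON bodies for POST /identity/conditionalAccess/policies, one each."""
    return [json.dumps(p, indent=2) for p in POLICIES]


if __name__ == "__main__":
    print("two policies == requested rule:", two_policies_match_requested_rule())
    for op in ("AND", "OR"):
        print(f"one policy with operator {op} == requested rule:",
              single_policy_matches_requested_rule(op))
    for body in graph_request_bodies():
        print(body)
```

Running it reports that the two-policy pair is equivalent to the requested rule, and that a single policy with all three controls under AND (too strict: it also demands MFA on an enrolled device) or OR (too loose: MFA alone passes without an approved client app) is not. Keep the conditions identical on both policies; if their scopes drift apart the conjunction no longer holds for every sign-in.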
  11. Support Azure Conditional Access for Azure SQL Server

    Allow clients with an Azure Conditional Access compliant device to access the Azure SQL database independently of the IP location.

    Basically, create just-in-time access for Azure AD compliant devices that are able to authenticate using some kind of PKAuth (Public Key Authentication Protocol) against the Microsoft Azure SQL server, which allows access for that specific client.

    @Caleb

    https://feedback.azure.com/forums/908035-sql-server/suggestions/35919877-support-azure-conditional-access-for-sql-connectiv

    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35919889-support-azure-conditional-access-for-azure-sql-ser

    3 votes
    0 comments  ·  Conditional Access
  12. Ability to enforce a different compliance policy per device type

    For example:
    Desktops do not require the BitLocker compliance policy, but laptops do.

    And no, Dynamic Groups won't do; you can't filter by chassis.
    And if I want to filter by model, we have more than 40, which is a lot of maintenance. I'm all about simple solutions.

    3 votes
    0 comments  ·  Conditional Access
  13. (Dynamic) Groups for (Enterprise) applications to attach to CA policies

    If you work with a lot of Enterprise Applications and have to make policies for these apps, it takes a lot of time to edit all your policies each time a new application is added. Also, if you forget to add a single application to a policy, this app would not be protected through Conditional Access. If you could create a dynamic group, for example for all applications that have the suffix "secure-app", then you could attach that to the CA policy instead of all the single applications.

    3 votes
    0 comments  ·  Conditional Access
  14. Adjust Order of Conditional Access Policies

    Adjust the order to place related policies one after the other, e.g. Move Up/Down, to have a better overview.

    The last policy is simply added at the bottom; one loses the overview.

    3 votes
    0 comments  ·  Conditional Access
  15. Add "Compliance status validity period" or device last check in as an option in the device compliance policies

    Add "Compliance status validity period", device last check-in, etc. as an option in the device compliance policies.
    This will allow user notifications to be sent, for example "if you aren't using this device, please return it".
    It can also give some warning to the user before a device is marked non-compliant by the built-in policy or deleted by the device cleanup rules.

    While the built-in device compliance policy has this setting to trigger non-compliance, you cannot assign a notification.

    3 votes
    0 comments  ·  Conditional Access
  16. Ability to block the native mail app on iOS with on-premise Exchange on a per user basis

    We're using a shared Exchange environment and want to block the native iOS/Android mail app on a per-user basis. If we block it Exchange-wide, other tenants will have issues with this.

    3 votes
    0 comments  ·  Conditional Access
  17. Provide a dashboard which shows non-compliant devices and the reason for non-compliance

    Provide an easy-to-use dashboard or exportable report which shows devices non-compliant with Conditional Access and the non-compliance reason.

    3 votes
    0 comments  ·  Conditional Access
  18. Conditional Access Based on Hostname and Serial Number

    For us it is important that a device can get access to Azure/O365 based on it being a business device, which means we want to be sure the device is a company device and not a private device. So we want to check it based on hostname and serial number. Otherwise the device and/or user cannot access apps and data.

    3 votes
    0 comments  ·  Conditional Access
  19. SharePoint Online Conditional Access doesn't work with DEM-enrolled devices

    Our devices were enrolled with DEM, and as it turns out SharePoint Online Conditional Access doesn't support this. The condition was that the device is "Compliant" in Intune, which it was, but still no SharePoint access. Intune support told me that it's not supported. Why? Please fix....

    3 votes
    0 comments  ·  Conditional Access
  20. Use IMEI as unique device identifier and provide possibility to create policies based on IMEI.

    The desired functionalities are: whitelist/blacklist IMEIs, pre-stage device enrolment based on IMEI, and link/bind IMEI to the end user.

    3 votes
    0 comments  ·  Conditional Access