Microsoft

Microsoft Intune Feedback

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Intune, though we can’t promise to reply to all posts.

Standard Disclaimer – our lawyers made us put this here ;-) We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Microsoft Intune feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Microsoft Intune. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.

How can we improve Microsoft Intune

  1. Prevent Save As for non-compliant devices

    If a device is neither enrolled nor domain joined and accesses our systems, it should not be able to save as, print, etc.

    10 votes
    0 comments  ·  Conditional Access
    • Avoid Non-Compliance Emails when Mobile OS upgrades

      We heavily rely on ActiveSync conditional access. It is our experience that when Mobile OSs update, the EASID of the device may change. Intune discovers the EASID change as a new device and sends a non-compliance “Get Started now” email. The next time the compliance check runs, the new EASID is updated by Intune as compliant. Unfortunately, the message unnerves the customer and many contact the helpdesk.

      A potential solution is an optional setting for Intune to wait for a second compliance check before flagging the device as non-compliant.

      10 votes
      0 comments  ·  Conditional Access
      • Mark Windows devices with 'Not Applicable' Compliance Policies as non-compliant

        When using DHA compliance policies for BitLocker and SecureBoot, Windows devices that either don't have a TPM or have the TPM and SecureBoot disabled in the BIOS currently report as Compliant, thereby allowing them to pass Conditional Access compliance requirements!

        This could be considered a security risk.

        Possible ways to address this:
        - change the detection method so that devices in this state will no longer report as 'Not Applicable'
        - at the compliance policy level, allow a per-policy setting to control if a device that reports as 'Not Applicable' should be considered compliant or not.

        9 votes
        1 comment  ·  Conditional Access
        • have a report showing every time a user triggers a CA policy

          Reports in Azure to show when a user gets blocked or triggers a specific CA policy. As of now, the only way for us to find out which CA policy is being triggered for a user is the "What if" tool, which is great, but it would be very nice to have a report showing every time a user triggers a CA policy.

          9 votes
          0 comments  ·  Conditional Access
          • Add conditional access support for "Microsoft Dynamics 365 for Finance and Operations"

            Allow Dynamics 365 to be blocked using conditional access, currently you cannot apply conditional access policies to Dynamics 365 ERP.

            It would be great if the product group would add this feature! The application is called "Microsoft Dynamics ERP" and has the following App ID "00000015-0000-0000-c000-000000000000" in Azure Active Directory.

            Customers would like to add specific conditional access rules around the invoice approval.

            https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31818052-allow-dynamics-365-online-to-be-blocked-using-co

            8 votes
            3 comments  ·  Conditional Access
            • Default Rule for Activesync not working properly

              We are using Exchange Online and have purchased the EMS suite.

              We are trying to implement Conditional Access to ensure that all our staff accessing company email are using Outlook (so they have to use the MAM policies restricting copy & paste and sharing of attachments) on Intune compliant devices.

              We want to block the built in Mail Application for iOS and Android as they don't support the MAM policies we want to implement. We also want to block all other 3rd party ActiveSync clients such as Bluemail / Nine.

              I feel like this should be a very common scenario…

              8 votes
              0 comments  ·  Conditional Access
              • Extend Conditional Access possibilities

                Extend the Conditional Access policies within Intune.
                A few suggestions which I would like to see in the coming updates in Intune.

                - Conditional Access to allow specific OS/OS version (device claims)
                - Conditional Access to Block Browser access as well, now Conditional Access is only targeted to Apps.
                - Allow to create more options within Conditional Access like:
                - Conditional Access for other O365 services like CRM
                - Update all Microsoft Apps (for example OneDrive, Skype, Company Portal) to support Device claims (DRS) and certificates.

                8 votes
                0 comments  ·  Conditional Access
                • Enable controlling Legacy Activation Client by Conditional Access on Azure AD.

                  At present, a major way to control this is using AD FS claim rules.
                  Furthermore, it would be great if the feature were able to control "Legacy Activation Client", especially for the users not compatible with modern authentication, even from the Azure Management Portal.
                  I believe this implementation will help the user to reduce the time and effort for doing the management operation.

                  Thank you for your consideration.

                  8 votes
                  0 comments  ·  Conditional Access
                  • Restrict enrolled devices from using native email app to connect corporate mailboxes

                    Critical security hole - can't block enrolled devices from using native email app with corporate mailboxes, this means that policy is not implemented and user can open links or files with unmanaged apps...

                    8 votes
                    0 comments  ·  Conditional Access
                    • Device whitelisting based on IMEI or UUID

                      As part of migrating to O365 Exchange, the IT-Security department concluded that they can no longer have a White List of which devices are allowed to access the O365 services.
                      Today, a normal AS / VPN is used to access the on-prem environment and therefore only approved devices can connect.
                      - The company is buying devices for their users and they want to ensure that users can only access the Company data from the devices that they got from the company, and access to the Company data from personal phones should be blocked.
                      - based on IMEI/UUID Company Devices should be specified…

                      8 votes
                      0 comments  ·  Conditional Access
                      • Conditional Access and Health Enforcement Integration for DirectAccess

                        With the deprecation of network access protection (NAP) it would be great to have a health enforcement that integrates with DirectAccess.

                        8 votes
                        0 comments  ·  Conditional Access
                        • VVX 600/500 + Lync phone edition support

                          Hello,

                          We are using All Skype for Business Certified Phones for our Skype Server.

                          We are currently using conditional access for the Exchange side but not the Skype side currently.

                          Lync phone edition and Polycom UC (VVX phones) both use EWS in order to pull call logs, Visual Voicemail, Calendar information, etc.

                          Currently, there is no bypass for these deskphones to allow them to connect to Exchange Online when you enable and enforce device based conditional access.

                          A simple fix would be to add the models into the bypass models in Intune.

                          The longer fix is being tackled from two sources.

                          8 votes
                          0 comments  ·  Conditional Access
                          • MS Intune does not support conditional access to SharePoint Online for OSX

                            Universally, companies use SharePoint to manage / secure their data. So if it's not possible to control which user devices have access, the Office 365 Online model is not realistic for companies to migrate their operation to the Cloud. Or at least, not without having to buy a non Microsoft Security Broker.

                            You provide this service for Windows users so please could you say if there's a date when you will fix this gap for OSX businesses.

                            Many thanks

                            7 votes
                            0 comments  ·  Conditional Access
                            • Compliance Policies that make use of Workplace Join to define device compliance

                              It would be useful to control access to Office 365 resources based on whether the device is WorkPlace Joined and registered. This is an option in ADFS.

                              7 votes
                              0 comments  ·  Conditional Access
                              • Block enrollment based on user not having an Intune licence assigned to them

                                Block enrollment based on user not having an Intune licence assigned to them.

                                Blocking based on device isn't efficient

                                7 votes
                                2 comments  ·  Conditional Access
                                • Intune Exchange Online Conditional Access block 3rd party Apps

                                  With Intune App Protection > Exchange Online conditional access, add functionality to this feature to block third party mail apps to facilitate cutover of users to the Outlook App in a BYOD scenario. At the moment it just blocks native mail apps.

                                  7 votes
                                  0 comments  ·  Conditional Access
                                  • Optimize enrollment for devices already configured with email

                                    When telling end users to enroll prior to activating Conditional Access all Android users will be locked out when enabling Conditional Access towards On-premise Exchange until they activate their EAS id.
                                    It would be a lot better if we could distribute the same email when telling end users to enroll, it would increase the enrollment rate and make the process of enabling Conditional Access easier.

                                    6 votes
                                    0 comments  ·  Conditional Access
                                    • Compliance policy only works when location services is set to Always

                                      Currently, if you want to detect jailbroken devices and make them non compliant, you have to set the location services to Always. If the user disables the location services, their device becomes non compliant and their access or apps will be revoked. Having location always on has privacy issues and also drains the battery. If a user turns it off by accident, then they lose access to apps/resources.

                                      Other MDMs have different solutions for this problem; for instance, one sends silent Apple Push Notifications from the server/cloud service and checks for jailbroken devices or policy updates at an interval…

                                      6 votes
                                      0 comments  ·  Conditional Access
                                      • white list discovered devices to be left alone when intune checks for conditional access.

                                        I work in the legal field and BlackBerry is still very much a part of our mobile strategy. I have many attorneys that use a BlackBerry as their main device and then have an iPad as a secondary device. Currently, as Intune exists today, there is no way to support that scenario and still have conditional access turned on. When you turn on Conditional Access, it will affect all ActiveSync devices under a mailbox. It would greatly help migration and coexistence if there was a way to white list discovered devices to be left alone when Intune checks for…

                                        6 votes
                                        0 comments  ·  Conditional Access
                                        • Effective Conditional Access Policies for users and groups

                                          Consider adding an option within Azure Active Directory Conditional Access that allows security administrators to with whether the company's conditional access rules are applied effectively for all users and groups.

                                          - The solution should list all users and groups that are targeted by a specific conditional access policy and also those who are not hit by the policy
                                          - The solution should also be able to be used for troubleshooting which policies are being applied to a user.

                                          5 votes
                                          1 comment  ·  Conditional Access