[GH-ISSUE #1220] [Feature Request]: Schedule Conditional Access Exceptions #680

Closed
opened 2026-03-02 12:44:17 +03:00 by kerem · 4 comments
Owner

Originally created by @sembeeuk on GitHub (Nov 16, 2022).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/1220

Description of the new feature - must be an in-depth explanation of the feature you want, reasoning why, and the added benefits for MSPs as a whole.

I see from Discord that scheduling is coming soon - so this could fit with that.

We use conditional access to restrict countries that users can log in from, which I think is a fairly common use of CA. That is fine until a user goes on holiday or visits a supplier outside of the home country and needs to take work devices with them.

Sites where they know that we are using that conditional access rule will often have users who email the helpdesk team to say that they are traveling in advance and when they will be back. However, a ticket then has to be created to remind people to set up the exception rule the day before, then either leave the ticket open for two weeks (oh the metrics chaos), create another one, create a manual calendar entry or use some other process to remove the exception. What often happens is that the exception just remains in place until the user asks next time, or there is just a long list which someone updates every Monday by hand.

Therefore it would help if the exception rule could be set up as soon as notified to activate on the specified date, with an end date also set to remove the rule when the user returns. It would not only allow more granular control of conditional access, but for the helpdesk technician it is a set-and-forget task, which will not require follow-up work.
As a bonus, if it could show on the user's properties page that an exception is in place and its expiry (perhaps that is where it is actually set) it would help a technician diagnose a country conditional access issue, avoid duplications etc.
A further benefit is that it allows a helpdesk to set up the rule, without having to go into the Conditional Access ruleset which could cause them to lock the user or others out.

PowerShell commands you would normally use to achieve above request

No response


@github-actions[bot] commented on GitHub (Nov 16, 2022):

Thank you for creating a feature request!
Your current priority is set to "No Priority". No Priority Feature requests automatically get closed in two days if a contributor does not accept the FR.

If you are a sponsor you can request an upgrade of priority. To upgrade the priority type "I would like to upgrade the priority".
If you want this feature to be integrated you can always do this yourself by checking out our contributions guide at https://cipp.app/docs/dev/. Contributors to the CIPP project reserve the right to close feature requests at will.
If you'd like this feature request to be assigned to you, please comment "I would like to work on this please!".


@KelvinTegelaar commented on GitHub (Nov 16, 2022):

Would you like a unicorn with those fries? ;)

Seriously; this sounds like a really cool feature but performing a correct implementation of this that does not decrease security as a whole is nigh-impossible. My suggestion would be to create your CA policies with a default exclusion group in place, and monitor that group membership instead.

Closing as it's a wontfix.
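
The suggestion above (a default exclusion group on the CA policies, with its membership monitored) can be checked against the travel windows the helpdesk has agreed. This is an added example, not part of the thread and not CIPP code; the approvals record, ticket numbers and all sample users are constructed assumptions.

```python
from datetime import date

# Constructed sample data. MEMBERS mimics the userPrincipalName field that
# Microsoft Graph returns for group members; APPROVALS is a hypothetical
# helpdesk record of agreed travel windows (not a CIPP or Graph structure).
MEMBERS = [
    {"userPrincipalName": "alice@contoso.example"},
    {"userPrincipalName": "bob@contoso.example"},
    {"userPrincipalName": "Carol@contoso.example"},
    {"userPrincipalName": "dave@contoso.example"},
]
APPROVALS = [
    {"upn": "alice@contoso.example", "start": "2022-11-10", "end": "2022-11-24", "ticket": "T-1001"},
    {"upn": "bob@contoso.example", "start": "2022-10-01", "end": "2022-10-15", "ticket": "T-0950"},
    {"upn": "dave@contoso.example", "start": "2022-12-01", "end": "2022-12-08", "ticket": "T-1010"},
]


def review_exclusion_group(members, approvals, today):
    """Map each current member to (status, ticket).

    ok: today is inside an approved window; early: in the group before a
    window starts; expired: every window has ended; unapproved: no record.
    """
    windows = {}
    for a in approvals:
        span = (date.fromisoformat(a["start"]), date.fromisoformat(a["end"]), a["ticket"])
        windows.setdefault(a["upn"].lower(), []).append(span)

    result = {}
    for m in members:
        upn = m["userPrincipalName"].lower()  # UPNs compare case-insensitively
        spans = sorted(windows.get(upn, []))
        active = [s for s in spans if s[0] <= today <= s[1]]
        upcoming = [s for s in spans if s[0] > today]
        if not spans:
            result[upn] = ("unapproved", None)
        elif active:
            result[upn] = ("ok", active[0][2])
        elif upcoming:
            result[upn] = ("early", upcoming[0][2])
        else:
            result[upn] = ("expired", spans[-1][2])
    return result


def members_to_remove(members, approvals, today):
    """Members whose presence in the exclusion group is not currently justified."""
    review = review_exclusion_group(members, approvals, today)
    return sorted(upn for upn, (status, _) in review.items() if status != "ok")
```

Run daily against the live member list, the output of `members_to_remove` is the list that otherwise "someone updates every Monday by hand".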


@sembeeuk commented on GitHub (Nov 16, 2022):

It is being done by another product... so can be done.


@KelvinTegelaar commented on GitHub (Nov 16, 2022):

> It is being done by another product... so can be done.

Yes, it can be done. But not correctly and securely, without detriment to security, which are the pillars of CIPP. We don't allow users to shoot themselves in the foot.
