Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Make SPN (non-interactive) login events logged and available
Currently in Azure AD when using SPN (non-interactive) logins via code (.Net, Powershell, etc.) for automated processes (server to server communication/API) that interact with Azure, there is no event in Azure AD logs to show that this login has occurred. Please make this exposed in the logs in the same fashion that an interactive user login is logged. This is not only beneficial for troubleshooting, but more importantly from a security, compliance, and risk audit trail standpoint.
204 votesWe are working on this but we don’t have a public ETA to share at this time. We will keep you updated as we get closer.
-
Add the ability to filter with an "Equals" or "Does Not Equal" operator in the Sign-in activity reports in the Azure Active Directory portal
Currently, the filters for the Azure Active Directory "Sign-Ins" log only allows for filtering with values that equal the input. It would be beneficial to have the option to have the "does not equal" operator for this filtering so that the user could also filter out values that commonly occur in the log. Example: filter would be "Client app" DOES NOT EQUAL "Browser" ... or "Operating System" DOES NOT EQUAL "Windows 10" ... or "Location" DOES NOT EQUAL "US".
57 votes -
please show "Users with Leaked Credentials" with a zero count even if there are none detected
in the azure active directory risk events section please show "Users with Leaked Credentials" with a zero count even if there are none detected.
It would be ideal to set up a mail alert with this alert as well.The logic would be:
if this alert shows up then we know it is working. if it doesnt show up then there is a problem with setup13 votes -
Fix signin resulttype 50053
In your documentation you say that signing error ID 50053 is "Account is locked because the user tried to sign in too many times with an incorrect user ID or password." however, when i search for this error using loganalytics i also get the description "Sign-in was blocked because it came from an IP address with malicious activity."
Can this be fixed?
12 votes -
Provide more detail in audit logs
It would be good if some of the AzureAD audit log Activity categories had more detail, eg "Set Company Information" - that's all that is logged for this activity, with no detail into what property was changed.
12 votes -
expose tenant id in sign-in audit log
Sign-in logs in Azure AD (and also in Graph) don't expose, if an access request was towards the user's tenant or towards another tenant where the user is a guest.
Because of this, there is no way to differentiate between the 2 cases.
As a result IT, security gets a lot of false alarms each time their users access any resource in another tenant.
What they see, is that their user signed in successfully to Teams, without any Conditional Access Policy applied, no MFA enforced, etc.
There is no way to tell from the logs, that the user accessed another…11 votes -
Audit log
Extend the audit logs to allow for retention for more than 30 days to 90 days.
8 votes -
Adhere to ISO27001 compliance obligations for Office365
Per https://servicetrust.microsoft.com , Microsoft's cloud services including Exchange Online adhere to ISO27001 and have been audited against ISO27001.
However, I have been informed that there is no log generated when an end-user or customer signs-out of their account: 'Customer is asking for a new feature, sign-out logs, that today is not supported.'Specifically, ISO27001 states in section 12:
ISO 27001 – A.12.4 – Logging and Monitoring
Objective: To record events and generate evidence.
Control 12.4.1 A.12.4.1 Event logging – Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept and regularly reviewed.
I contend that…
7 votes -
Report on users that are not syncing a device to Enterprise State Roaming
Enterprise State Roaming (ESR) turned on for the entire tenant:
Currently the only way to see if a user is syncing their device to ESR is to open the specific user account in Azure AD or in Endpoint Management and look at "Devices> Devices Syncing Settings and App Data".We would like to be able to report on what user accounts do not show any device syncing settings and app data.
This is because the majority of our devices have been upgraded from 1809 to 1909 so 'may" not start syncing automatically when ESR is enabled for the entire tenant.
5 votes -
Provide reporting around Passwordless Phone sign in
Reporting/management on Passwordless phone sign in including who its available to, who has enabled it, frequency of use, and management options to administratively enroll/unenroll users from it.
5 votes -
Reporting of IP addresses blocked by Smart Lockout
It would be beneficial if an admin could have insight into what IP addresses are being blocked by Smart Lockout. If a user is experiencing connectivity issues it would be nice to be able to query a report for their IP address to validate that Smart Lockout is not denying them access.
5 votes -
Log source IP address with AzureAD password reset events
When a user's password is reset, either by the user or by an admin, the source IP address is not logged. Searching password reset events in Azure Sentinel shows a field named InitiatedBy.user.ipAddress, however, this field always has a "null" value. Checking the user object's Audit log in AzureAD shows password reset events but no source IP addresses.
This information is critical for security incident audits and investigations. If a user account has sign in events from California and Florida, for example, and then a password reset event is logged, we have no known way of identifying which session actually…
4 votes -
Add filter for adfs server / mfa in Usage and Insights Report
Within "Usage & insights | AD FS application activity" blade,
Allow for filtering by ADFS Server and/or allow for grouping of servers reporting.
Report on MFA used on app logins.
3 votes -
Audit logs for azure ad policies
assigning Azure AD policy to service principal and application registration should be consistant from the audit log entry perspective. There are different type of policies and by info from Microsoft at the some point they should be assigned to Service principals i.e. HDR and as they are assigned they create the entry into Audit log (there is different issue as those entries are generic and will not tell you what change was done on service pricinpal). On the other hand for SAML1.1 type of policy, we were notified to assign the policy to App registration, and this activity is not…
3 votes -
Display DEPARTMENT in Sign-ins Report and Filtering capability
We need to be able to filter the Sign-In Activity Reports/Logs by the DEPARTMENT field. We are currently utilizing the DEPARTMENT field in a User's Profile in Azure AD to identify the user's organization and today, there is no way to filter those Activity logs using that field.
Would be great to have the DEPARTMENT as one of the fields that is displayed in the report. Having a built-in filter for DEPARTMENT in the Portal would be even better.
3 votes -
Alerting on expiring service principles in AAD
It would be great if there was the ability to create alerts for expiring service principles.
2 votes -
2 votes
-
Add ability to filter out more than just startswith in Password Reset - Usage & Insights
We have service account and accounts sourced from other sources that show up in Azure AD. We'd like to be able to see what accounts tied to just our permanent people have not registered for SSPR. Currently, you can only filter Name in the reporting with a StartsWith search. Please add the ability to filter by wildcards or EndsWith or even regular expressions.
2 votes -
Alerting to non-admin mailboxes
Current alerts of Azure AD can only be send to Tenant administrators. As it is a good security practice not to use your administrative credentials in a production environment it is not wise to use a mailbox either. So the request is to enable other email contacts that are not tenant administrators, or even distribution groups.
This means that employees that are involved in the security process can not really receive emails, without having one tentant administrator having forwarders on a mailbox (= also bad practice to have forwarders)
Why using the workarounds cannot be used (use an admin account…
2 votes -
Bring back "Sign-ins after multiple failures" report OR createa new policy to alert users/admins of when an account has been compromised.
I have too many users whom accounts are getting targeted from foreign IP address. For example, no part of our business operates in China thus I know all attempts to access a users account from this region are malicious attacks. I can see when attempts are being made on an account, but I cannot see when a successful attack has been made.
It would be fantastic to create a policy that will send out an email after x failed attempts within y minutes and 1 successful login.
I believe you could previously view "Sign-ins after multiple failures" in Classic Azure,…
2 votes
- Don't see your idea?