Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Make SPN (non-interactive) login events logged and available
Currently in Azure AD when using SPN (non-interactive) logins via code (.Net, Powershell, etc.) for automated processes (server to server communication/API) that interact with Azure, there is no event in Azure AD logs to show that this login has occurred. Please make this exposed in the logs in the same fashion that an interactive user login is logged. This is not only beneficial for troubleshooting, but more importantly from a security, compliance, and risk audit trail standpoint.
67 votesWe are working on this but we don’t have a public ETA to share at this time. We will keep you updated as we get closer.
-
Feed Operations Manager Suite with Azure Active Directory Security logs
It would be nice to have the Azure Active Directory Security logs in the Operations Manager Suite. To track events and display them in dashboards or just query them.
There already is a Azure possibility to see Azure Active Directory Reports. It would be nice to have this data in OMS.
37 votesYou can get Azure AD logs in Log Analytics today. Check out the https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor for more info. We are working on making the Azure AD Identity Protection events log available, and we will keep you updated when we have more details.
-
Log all Service Principal activity, including logging, failed logins, password changes, etc.
As a PCI compliant application we need to capture logs of when a Service Principal is being used. This would include failed logins, successful logins, password changes, etc. We would then like these logs to go to OMS for reporting and alerting.
30 votes -
Ensure Sign-in log show authentication log event from client_credential authentications
Today the Sign-In Activity log in AAD contains end-user authentication events, but does not have any log events when an application authenticate with AAD using client_credential grants. This must be logged or we are not able to trace successful or failed logon event for debugging and this is also a security concern as we can not trace and detect successful or failed logon events from unknown sources.
14 votes -
please show "Users with Leaked Credentials" with a zero count even if there are none detected
in the azure active directory risk events section please show "Users with Leaked Credentials" with a zero count even if there are none detected.
It would be ideal to set up a mail alert with this alert as well.The logic would be:
if this alert shows up then we know it is working. if it doesnt show up then there is a problem with setup11 votes -
Add some more fields to the App Registration
When adding an app to the app registration there should be additional fields to capture metadata about the app like a description and some other fields. Or If you could implement the Tags features around the App Registration that would work as well.
10 votes -
To provide a list of the applications the users have consented to access their data.
We are unable to determine the list of the applications the users have consented to access their data.
7 votes -
Audit log
Extend the audit logs to allow for retention for more than 30 days to 90 days.
6 votes -
Time in downloaded report Sign ins after multiple failures
The date and time is displayed properly (shows user time) in Sign ins after multiple failures report when displayed on the webpage. However, when the report is downloaded the time is in UTC format ... it would be helpful if downloaded report could display user time as set in settings.
5 votes -
Reporting of IP addresses blocked by Smart Lockout
It would be beneficial if an admin could have insight into what IP addresses are being blocked by Smart Lockout. If a user is experiencing connectivity issues it would be nice to be able to query a report for their IP address to validate that Smart Lockout is not denying them access.
4 votes -
Anomalous Activity Reports from old portal not in new?
The old Azure Portal has a group of Anomalous Activity reports. We have found these very useful in finding compromised accounts.
In fact, last month we had a user show up with a login from Nigeria in the "Sign ins from multiple geographies" report. We immediately changed their password, and found that the account was being used to send out spam at the same moment we were disabling it.
Without that report, more spam would have gone out and we wouldn't know until much later.
That same user never showed up under "Risky sign-ins" or "Users flagged for risk" in…
4 votes -
weely reports
I would like weekly Sign-In reports sent to my email
so I can see when OneDrive is broken or if we are getting hit with “KnockKnock” attack4 votes -
Azure AD sign-in logs record the userDisplayName and the userPrincipalName in GUID format instead of the actual user name
In case of failed authentication (for example users not passing the MFA challenge), Azure AD sign-in logs record the userDisplayName and the userPrincipalName in GUID format instead of the actual user name. Is it possible to change this to display the actual user name? We analyze the Azure AD sign-in log data with a 3rd party SIEM and need this data in the correct format. For example, "userPrincipalName":"c3ert3aa-5fc8-44fa-89a5-de51dfseteee7" is being recorded instead of the actual one: "userPrincipalName":"user@domain.com"
3 votes -
Add the ability to filter with an "Equals" or "Does Not Equal" operator in the Sign-in activity reports in the Azure Active Directory portal
Currently, the filters for the Azure Active Directory "Sign-Ins" log only allows for filtering with values that equal the input. It would be beneficial to have the option to have the "does not equal" operator for this filtering so that the user could also filter out values that commonly occur in the log. Example: filter would be "Client app" DOES NOT EQUAL "Browser" ... or "Operating System" DOES NOT EQUAL "Windows 10" ... or "Location" DOES NOT EQUAL "US".
3 votes -
Adhere to ISO27001 compliance obligations for Office365
Per https://servicetrust.microsoft.com , Microsoft's cloud services including Exchange Online adhere to ISO27001 and have been audited against ISO27001.
However, I have been informed that there is no log generated when an end-user or customer signs-out of their account: 'Customer is asking for a new feature, sign-out logs, that today is not supported.'Specifically, ISO27001 states in section 12:
ISO 27001 – A.12.4 – Logging and Monitoring
Objective: To record events and generate evidence.
Control 12.4.1 A.12.4.1 Event logging – Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept and regularly reviewed.
I contend that…
3 votes -
Resolve Issues with the Script for the Sign-in Activity Report
Currently when you download and run the PowerShell Script for the Sign-in Activity Report, you get flawed results in the output:
1) The Success/Failure entries for the 'Status' column are nowhere to be found in the downloaded file.
2) The downloaded report does have a ‘Status' column but the column is broken and instead has incorrectly formatted data for ‘Error Code, Failure Reason, and Additional Details’.
3) The Location column is broken as it contains header information, City, State, Country, CountryOrRegion and GeoCoordinates all in one column instead of breaking them out to different columns.
I confirmed with Microsoft that…
3 votes -
Include actor IP address and Useragent in activity logs for security investigation
AAD Activity logs currently don't contain basic information like the IP address and Useragent of the actor in activity logs. This information is very critical for security investigations
3 votes -
Provide reporting around Passwordless Phone sign in
Reporting/management on Passwordless phone sign in including who its available to, who has enabled it, frequency of use, and management options to administratively enroll/unenroll users from it.
3 votes -
Provide more detail in audit logs
It would be good if some of the AzureAD audit log Activity categories had more detail, eg "Set Company Information" - that's all that is logged for this activity, with no detail into what property was changed.
3 votes -
Audit logs for azure ad policies
assigning Azure AD policy to service principal and application registration should be consistant from the audit log entry perspective. There are different type of policies and by info from Microsoft at the some point they should be assigned to Service principals i.e. HDR and as they are assigned they create the entry into Audit log (there is different issue as those entries are generic and will not tell you what change was done on service pricinpal). On the other hand for SAML1.1 type of policy, we were notified to assign the policy to App registration, and this activity is not…
3 votes
- Don't see your idea?