Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

How can we improve Azure Active Directory?

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

  • Make an app for AzureAD PIM to activate my roles

    Please make an app for AzureAD PIM to activate my roles, so that the admin user who is only using portal.office.com needs to go into portal.azure.com to activate the PIM roles (like global admin).

    22 votes
    under review  ·  4 comments  ·  Privileged Identity Management
  • Enable synchronized AD groups (or AAD groups) to map to PIM.

    Rather than adding single accounts from AAD (which may be synched from AD), it would be great to map AAD (or synched AD) groups to eligibility rules. E.g. AAD group A is eligible for Role Exchange Admin. That way, one could administer AD groups for privileged access like in RBAC and use PIM to activate the privileges. Adding single users may be difficult to handle in large environments.

    21 votes
    1 comment  ·  Privileged Identity Management
  • PIM to work correctly with the Exchange Admin role

    PIM role activation is not working correctly with Exchange Admin. If an Exchange Admin role assignment is set to eligible, activation can take longer than the desired activation period (in this case it was 1 hour). Consequently, all our Exchange Admin assignments are set to 'permanent', making PIM obsolete for this role.
    Please ensure that all roles that are managed by PIM work correctly. I raised this issue in January and I was informed that the product team were made aware.

    17 votes
    5 comments  ·  Privileged Identity Management
  • PIM in Office 365 Admin Portal

    It would be nice if Azure AD PIM functionality and the user and admin controls were also accessible somewhere from the Office 365 Admin Portal, not only the Azure Portal.

    For example, if PIM is enabled for a user and he does not have the proper rights and goes to the Admin Center, he is automatically redirected to the PIM console.

    13 votes
    4 comments  ·  Privileged Identity Management
  • Enable PIM role assignment by Group membership.

    It would be nice to enable PIM roles to be linked not only to direct assignment to users but also to groups. This enables integration with on-premises IAM solutions that have not been extended to support the Graph API calls to PIM for role management.

    12 votes
    under review  ·  3 comments  ·  Privileged Identity Management
  • Apply the role faster on the backend

    Our customers have often mentioned that it takes a long time for the role to become active for the end users.

    Can you make it apply the role faster on the backend? They expect maybe 30 seconds for the role to become active.

    10 votes
    planned  ·  0 comments  ·  Privileged Identity Management
  • Additional Email Notifications when Azure AD PIM

    We would like to suggest the ability to request additional email notifications when an Azure AD Privileged Identity Management admin role has been enabled. Only the user themselves can receive email notices that their admin role has been activated. We would like the ability for additional emails to be sent to other sources for auditing reasons. Currently that functionality is not available.

    10 votes
    0 comments  ·  Privileged Identity Management
  • Expose AzureAD PIM Alerts via an API

    AzureAD (AAD) PIM generates alerts when there is suspicious or unsafe activity in the environment. When an AAD PIM alert is triggered, it shows up on the PIM dashboard. We would like for the PIM alerts to be exposed via an API so that we can integrate these alerts with our SIEM solution.

    9 votes
    under review  ·  0 comments  ·  Privileged Identity Management
  • Azure AD Privileged Identity Management - Display elevation propagation process

    It would be beneficial to be able to track how the role elevation is propagating through the various components in Azure AD/Office 365. It's possible that you activate a role but it only becomes effective several minutes later. From a user experience standpoint, the expectation is that everything is active right away once we receive the notification from the Azure Portal. If everything cannot be activated right away, it would be beneficial to be able to track the progress of the activation.

    9 votes
    0 comments  ·  Privileged Identity Management
  • Add support for Time-bound Group membership in Azure AD like Active Directory 2016

    Please add support for Time-bound Group membership in Azure AD like Active Directory 2016. It would be a very appreciated option for managing access like in MIM PIM.

    And if you consider doing this... Please also extend the functionality to Azure PIM to manage temporary membership and approval.

    8 votes
    0 comments  ·  Privileged Identity Management
  • Support webhooks for Azure PIM Approval Request

    It would be really great if you would consider adding support for Webhooks as part of the newly introduced Azure PIM Approval workflow feature. We would be able to do a lot of interesting stuff with this option :). Alternatively we would have to perform a pull for new approval requests all the time. #automation #flow #apps

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    7 votes
    under review  ·  0 comments  ·  Privileged Identity Management
  • Force admins to verify via MFA with every activation request

    If PIM role activation requires MFA verification, the MFA back-end will abide by the "Don't prompt me again for X days" option, which results in admins not being prompted to verify for a role activation.

    PIM should allow for the ability to ignore this setting and prompt admins every time they activate an admin role, even though they may not have been prompted when logging into the Azure portal. Placing the MFA gate in front of admin role activation is the whole point of PIM.

    7 votes
    under review  ·  1 comment  ·  Privileged Identity Management
  • PowerShell Enable PIM Role Assignment

    We plan to utilize PIM for Azure Resources (Resource Groups), however it is currently not possible to automate through PowerShell. It would be nice if existing Roles could be made eligible and configured with their settings through PowerShell when creating resources/resource groups through PowerShell.

    6 votes
    under review  ·  1 comment  ·  Privileged Identity Management
  • Be able to select multiple roles for a single user in PIM

    Currently, when a new admin is added in AAD, his admin roles can be added only one by one in PIM. It would be great to have another PIM UI workflow that starts with the user and not the role. You would select the user and then select any number of valid roles for this user.

    5 votes
    under review  ·  0 comments  ·  Privileged Identity Management
  • Add support for a member reviewed PIM audit to flow to a reviewer PIM audit workflow.

    When performing an Audit Review using PIM, it would be great if we could take the results of a Member reviewed audit and flow that directly into a reviewer controlled audit, so that if a user stated Approved but their reason was not sufficient, their access could be revoked through the process. Additionally, when adding this it would be great to support a reviewer comments section in addition to a member comments section.

    5 votes
    under review  ·  0 comments  ·  Privileged Identity Management
  • Allow approval only for specific users in specific roles

    We would like to enable approval for specific users in specific roles only. This way some people are exempt from approval, but others will have to request approval anyhow. Right now this is role based, but for example we have a few Global Administrators who need to be able to activate without approval, and some we would like to request approval.

    4 votes
    1 comment  ·  Privileged Identity Management
  • When PIM is enabled, prevent User Admins from changing the activation of an account

    When PIM is enabled, prevent role changes via Azure AD using the User Admin role.
    Currently, User Admins are able to assign directory roles (via classic portal and new portal, although new portal gives more options via the limited administrator option). It is also possible to change an eligible assignment to permanent using AAD. This stops PIM from being a true privileged management tool as it is too easy to subvert.
    Also, the notification email has been changed to just state that an assignment has occurred and not (as it did previously) to say that this occurred outside of PIM.…

    4 votes
    under review  ·  2 comments  ·  Privileged Identity Management
  • PIM

    There should be a means to force password reset on PIM enabled accounts. We do this with CyberArk today and our InfoSec department is balking at PIM due to the lack of automated password reset capability.

    3 votes
    0 comments  ·  Privileged Identity Management
  • PIM option to request access to AD groups

    In our environment, we have AD groups with specific resource rights for the different environments (OTAP).
    It would be nice if it were possible to ask permission to be added temporarily to an Azure group for the time specified.

    3 votes
    0 comments  ·  Privileged Identity Management
  • Bulk registration of Non-Personal Accounts (MFA - AAD)

    All our non-personal accounts are AAD users (best practice).
    However, there is no way for AD PIM vulnerability assessment to exclude them. In short, the "exclude" list does not do this.
    It's been suggested to "register" these, but that would mean manual registration of potentially hundreds of user IDs with fake temporary emails and someone's phone number. Not a pleasant thought.

    3 votes
    0 comments  ·  Privileged Identity Management