Azure Active Directory

Welcome to the Azure Active Directory Forum.

How can we improve Azure Active Directory?

  • Make an app for Azure AD PIM to activate my roles

    Please make an app for Azure AD PIM to activate my roles - currently an admin user who only uses portal.office.com needs to go into portal.azure.com to activate the PIM roles (like Global Admin).

    15 votes
    2 comments  ·  Privileged Identity Management
  • PIM in Office 365 Admin Portal

    It would be nice if Azure AD PIM functionality and the user and admin controls were also accessible from the Office 365 Admin Portal, not only from the Azure Portal.

    For example, if PIM is enabled for a user and he does not have the proper rights and goes to the Admin Center, he is automatically redirected to the PIM console.

    10 votes
    4 comments  ·  Privileged Identity Management
  • Enable synchronized AD groups (or AAD groups) to map to PIM.

    Rather than adding single accounts from AAD (which may be synced from AD), it would be great to map AAD (or synced AD) groups to eligibility rules. E.g. AAD group A is eligible for the Exchange Admin role. That way, one could administer AD groups for privileged access like in RBAC and use PIM to activate the privileges. Adding single users may be difficult to handle in large environments.

    10 votes
    0 comments  ·  Privileged Identity Management
  • Add automation to PIM so that you can script the process of enabling administrative users; right now it is a manual process

    PIM currently does not support PowerShell or automated configuration for adding new users.

    7 votes
    1 comment  ·  Privileged Identity Management
  • Enable PIM role assignment by group membership.

    It would be nice to enable PIM roles to be linked not only to direct assignment to users but also to groups. This enables integration with on-premises IAM solutions that have not been extended to support the Graph API calls to PIM for role management.

    7 votes
    2 comments  ·  Privileged Identity Management
  • PIM to work correctly with the Exchange Admin role

    PIM role activation is not working correctly with Exchange Admin. If an Exchange Admin role assignment is set to eligible, activation can take longer than the desired activation period (in this case it was 1 hour). Consequently, all our Exchange Admin assignments are set to 'permanent', making PIM obsolete for this role.
    Please ensure that all roles that are managed by PIM work correctly. I raised this issue in January and I was informed that the product team were made aware.

    7 votes
    1 comment  ·  Privileged Identity Management
  • Additional email notifications when Azure AD PIM

    We would like to suggest the ability to request additional email notifications when an Azure AD Privileged Identity Management admin role has been enabled. Only the users themselves can receive email notices that their admin role has been activated. We would like the ability for additional emails to be sent to other sources for auditing reasons. Currently that functionality is not available.

    6 votes
    0 comments  ·  Privileged Identity Management
  • Support webhooks for Azure PIM approval requests

    It would be really great if you would consider adding support for webhooks as part of the newly introduced Azure PIM approval workflow feature. We would be able to do a lot of interesting stuff with this option :). Alternatively we would have to poll for new approval requests all the time. #automation #flow #apps

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    5 votes
    0 comments  ·  Privileged Identity Management
  • Add support for time-bound group membership in Azure AD like Active Directory 2016

    Please add support for time-bound group membership in Azure AD like Active Directory 2016. It would be a very appreciated option for managing access like in MIM PIM.

    And if you consider doing this... please also extend the functionality to Azure PIM to manage temporary membership and approval.

    5 votes
    0 comments  ·  Privileged Identity Management
  • Azure AD Privileged Identity Management - display elevation propagation process

    It would be beneficial to be able to track how the role elevation is propagating through the various components in Azure AD/Office 365. It's possible that you activate a role but it only becomes effective several minutes later. From a user experience standpoint, the expectation is that everything is active right away once we receive the notification from the Azure Portal. If everything cannot get activated right away, it would be beneficial to be able to track the progress of the activation.

    4 votes
    0 comments  ·  Privileged Identity Management
  • Add support for a member-reviewed PIM audit to flow into a reviewer PIM audit workflow.

    When performing an audit review using PIM, it would be great if we could take the results of a member-reviewed audit and flow that directly into a reviewer-controlled audit, so that if a user stated Approved but their reason was not sufficient, their access could be revoked through the process. Additionally, when adding this, it would be great to support a reviewer comments section in addition to a member comments section.

    4 votes
    0 comments  ·  Privileged Identity Management
  • Apply the role faster on the backend

    Our customers often mention that it takes a long time for the role to become active for the end users.

    Can you make it apply the role faster on the backend? They expect maybe 30 seconds for the role to become active.

    4 votes
    0 comments  ·  Privileged Identity Management
  • Mail & SMS alert for any changes to Azure AD's Global Admin privileged role.

    Send out an automatic mail & SMS alert when an account is added to or removed from Azure AD's Global Admin privileged role (which is also used as the super admin role in Office 365 services). And give an option to define (or choose) a recipient list of email IDs/phone numbers. Do not enable the alert for all existing global admin accounts. An additional approval workflow would also be great. Right now there is hardly any security measure around this role.

    4 votes
    0 comments  ·  Privileged Identity Management

    Azure AD PIM, currently in preview, sends notifications when an account is added to the Global Admin role outside of PIM, such as through PowerShell or the Azure Management Portal. The email will be sent to users in the Privileged Role Administrator role.

  • Approvers for Azure Resources - PIM

    Approvers for Azure Resources workflow. Would like to see the approval function added to Azure resources. The JIT/DA is too broad, where people can just escalate without mediation. Is it possible to see the approver/request ticket functionality brought over to Azure Resources?

    3 votes
    0 comments  ·  Privileged Identity Management
  • When PIM is enabled, prevent User Admins from changing the activation of an account

    When PIM is enabled, prevent role changes via Azure AD using the User Admin role.
    Currently, User Admins are able to assign directory roles (via the classic portal and the new portal, although the new portal gives more options via the limited administrator option). It is also possible to change an eligible assignment to permanent using AAD. This stops PIM from being a true privileged management tool as it is too easy to subvert.
    Also, the notification email has been changed to just state that an assignment has occurred and not (as it did previously) to say that this occurred outside of PIM.…

    3 votes
    1 comment  ·  Privileged Identity Management
  • Force admins to verify via MFA with every activation request

    If PIM role activation requires MFA verification, the MFA back-end will abide by the "Don't prompt me again for X days" option, which results in admins not being prompted to verify for a role activation.

    PIM should allow for the ability to ignore this setting and prompt admins every time they activate an admin role, even though they may not have been prompted when logging into the Azure portal. Placing the MFA gate in front of admin role activation is the whole point of PIM.

    3 votes
    0 comments  ·  Privileged Identity Management
  • Add requestor UPN and email to audit list

    Sometimes I cannot find the requestor in the Active Directory according to the entry in PIM (e.g. Azure AD does not exist as a user). It would be helpful to add the email address and UPN to the requestor column and as a separate column in the Excel export.

    2 votes
    0 comments  ·  Privileged Identity Management
  • Support administration of Azure Information Protection with a PIM account.

    Azure Information Protection requires a permanent Global Administrator permission to be assigned and does not support an eligible Global Administrator account.

    2 votes
    0 comments  ·  Privileged Identity Management
  • Change behavior in new tab after activating role on Azure AD PIM

    In the current design of Azure AD Privileged Identity Management (PIM), it is required to open a new browser to see the O365 portal for the activated role (e.g. the temporary Global Admin). However, I want to be able to sign in to O365 in a new tab of the current browser instead of opening a new browser. Usually, users open a new tab for a new web page, I think.

    2 votes
    0 comments  ·  Privileged Identity Management

    Thanks for your feedback, we will be investigating how to get tighter integration between Azure AD PIM and the Office 365 management portal. — Mark Wahl, Principal program manager, identity governance and administration engineering team

  • Alphanumeric ticket incidents

    Please allow the Incident/Ticket field to accept alphanumeric values. A lot of organizations identify tickets with some sort of prefix or postfix so that they know if the ticket is an incident (INC00001 for example) or if this is just a service request (SR00001 for another example). It would be great if PIM allowed alphanumeric values in this field to create a hook with a ticketing system via the API. The idea is that if you knew the API, one could just create a hook in from their ticketing system: okay, I start working on SR0002, I need Role…

    2 votes
    0 comments  ·  Privileged Identity Management