Azure Active Directory

Welcome to the Azure Active Directory Forum.

How can we improve Azure Active Directory?

• JIT Access Request

  Users have been given JIT Access to a subscription for the Contributor and Owner roles. Direct Access had been given as "Reader Role".

  If a user did not elevate their "Reader Role" to Contributor or Owner, VM validation fails in the last step.

  Is it possible to bring up the page for elevation during the validation rather than re-doing everything from scratch? (i.e. step #1 elevate your permission first, step #2 deploy your VM)

  Thank you,

  Allan

  1 vote  ·  0 comments  ·  Privileged Identity Management
• Azure AD Privileged Identity Management - Display elevation propagation process

  It would be beneficial to be able to track how the role elevation is propagating through the various components in Azure AD/Office 365. It's possible that you activate a role but it only becomes effective several minutes later. From a user experience standpoint, the expectation is that everything is active right away once we receive the notification from the Azure Portal. If everything cannot be activated right away, it would be beneficial to be able to track the progress of the activation.

  4 votes  ·  0 comments  ·  Privileged Identity Management
• Add a schedule option to PIM request.

  When a user requests elevation, it should optionally include a schedule. For example, if I need global admin access on 10/25/2017 from 5:00 PM to 8:00 PM, I should be able to make the request and have it approved in advance.

  1 vote  ·  0 comments  ·  Privileged Identity Management
• Allow approval only for specific users in specific roles

  We would like to enable approval for specific users in specific roles only. This way some people are exempt from approval, but others will have to request approval anyhow. Right now this is role based, but for example we have a few Global Administrators who need to be able to activate without approval, and some we would like to have to request approval.

  1 vote  ·  1 comment  ·  Privileged Identity Management
• Allow time bound admin access

  Currently we have the need to allow someone to add a user to an admin role which is then automatically deleted after a specific time period or date/time. The role should be completely removed at that point in time, so the user should also not be eligible anymore to activate the role.

  1 vote  ·  0 comments  ·  Privileged Identity Management
• Be able to select multiple roles for a single user in PIM

  Currently when a new admin is added in AAD, their admin roles can be added only one by one in PIM. It would be great to have another PIM UI workflow that starts with the user and not the role. You would select the user and then select any number of valid roles for this user.

  2 votes  ·  0 comments  ·  Privileged Identity Management
• Enable PIM role assignment by Group membership.

  It would be nice to enable PIM roles to be linked not only to direct assignment to users but also to groups. This enables integration with on-premises IAM solutions that have not been extended to support the Graph API calls to PIM for role management.

  5 votes  ·  2 comments  ·  Privileged Identity Management
• Enable PIM for a specific device only

  If a user requests a PIM activation, approvers should have the ability to restrict privileged access to the device the access was requested from.

  Consider a scenario where an attacker is able to convince an administrator to escalate their privileges for some (fake) legitimate reason (e.g. I need a new site collection in SharePoint Online). If we assume the attacker has compromised the administrator's identity, they would then be able to take on the administrator's privileges from a remote location.

  If the administrator's elevated privileges were restricted to a specific device, the attack would fail.

  1 vote  ·  0 comments  ·  Privileged Identity Management
• Approvers for Azure Resources - PIM

  Approvers for Azure Resources workflow. Would like to see the approval function added to Azure Resources. The JIT/DA is too broad, where people can just escalate without mediation. Is it possible to see the approver/request ticket functionality brought over to Azure Resources?

  3 votes  ·  0 comments  ·  Privileged Identity Management
• Support some kind of policy based approval / MFA for Azure AD roles

  Our customers REALLY love the new approval workflow for Azure PIM, but they would really prefer an option to define policies for which admins need approval and for those who just need to elevate their own permissions using Azure MFA.

  https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

  1 vote  ·  1 comment  ·  Privileged Identity Management
• Support webhooks for Azure PIM Approval Request

  It would be really great if you would consider adding support for Webhooks as part of the newly introduced Azure PIM Approval workflow feature. We would be able to do a lot of interesting stuff with this option :). Alternatively we would have to perform a pull for new approval requests all the time. #automation #flow #apps

  https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

  5 votes  ·  0 comments  ·  Privileged Identity Management
• Apply the role faster on the backend

  Our customers often mention that it takes a long time for the role to become active for the end users.

  Can you make it apply the role faster on the backend? They expect maybe 30 seconds for the role to become active.

  4 votes  ·  0 comments  ·  Privileged Identity Management
• PIM to work correctly with the Exchange Admin role

  PIM role activation is not working correctly with Exchange Admin. If an Exchange Admin role assignment is set to eligible, activation can take longer than the desired activation period (in this case it was 1 hour). Consequently, all our Exchange Admin assignments are set to 'permanent', making PIM obsolete for this role.

  Please ensure that all roles that are managed by PIM work correctly. I raised this issue in January and I was informed that the product team were made aware.

  5 votes  ·  1 comment  ·  Privileged Identity Management
• PIM audit filter shouldn't be persisted across sessions

  When a PIM audit filter is applied, the settings are persisted across sessions, so if I close the audit blade and re-open it the list is already filtered. This doesn't work the same as other audit filters (e.g. activity log). I assume this is different since AAD doesn't use activity logs as it isn't managed by ARM.

  Please change so a new session defaults to 'no filter'.

  Alternatively, filter profiles could be used to allow for a bespoke default filter.

  1 vote  ·  0 comments  ·  Privileged Identity Management
• PIM role assignment blade filter to include select all/select none

  When filtering the list of roles/users, there is no option to 'select all/select none', making it several clicks to see the users for a single role, or just a few roles.

  1 vote  ·  0 comments  ·  Privileged Identity Management
• Notify PIM administrators when available roles are added or removed

  There have been recent changes to the roles that are managed by PIM. As an example, "Email Verified User Creator" has been removed and "Guest Inviter" has been added. It would be useful for existing holders of the Privileged Role Administrator role to be notified so they can impact-assess the change.

  2 votes  ·  0 comments  ·  Privileged Identity Management
• When PIM is enabled, prevent User Admins from changing the activation of an account

  When PIM is enabled, prevent role changes via Azure AD using the User Admin role.

  Currently, User Admins are able to assign directory roles (via the classic portal and the new portal, although the new portal gives more options via the limited administrator option). It is also possible to change an eligible assignment to permanent using AAD. This stops PIM from being a true privileged management tool as it is too easy to subvert.

  Also, the notification email has been changed to just state that an assignment has occurred and not (as it did previously) to say that this occurred outside of PIM.…

  2 votes  ·  0 comments  ·  Privileged Identity Management
• Force admins to verify via MFA with every activation request

  If PIM role activation requires MFA verification, the MFA back-end will abide by the "Don't prompt me again for X days" option, which results in admins not being prompted to verify for a role activation.

  PIM should allow for the ability to ignore this setting and prompt admins every time they activate an admin role, even though they may not have been prompted when logging into the Azure portal. Placing the MFA gate in front of admin role activation is the whole point of PIM.

  3 votes  ·  0 comments  ·  Privileged Identity Management
• Alphanumeric Tickets incidents

  Please allow the Incident/Ticket field to accept alphanumeric values. A lot of organizations identify tickets with some sort of prefix or postfix so that they know if the ticket is an Incident (INC00001 for example) or if this is just a service request (SR00001 for another example). It would be great if PIM allowed alphanumeric values in this field to create a hook with a ticketing system via the API. The idea is that if you knew the API, one could just create a hook in from their ticketing system: okay, I start working on SR0002, I need Role…

  2 votes  ·  0 comments  ·  Privileged Identity Management
• Support administration of Azure Information Protection with a PIM account.

  Azure Information Protection requires a permanent Global Administrator permission to be assigned and does not support an eligible Global Administrator account.

  2 votes  ·  0 comments  ·  Privileged Identity Management