Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. When PIM is enabled, prevent User Admins from changing the activation of an account

    When PIM is enabled, prevent role changes via Azure AD using the User Admin role.
    Currently, User Admins are able to assign directory roles (via classic portal and new portal, although new portal gives more options via the limited administrator option). It is also possible to change an eligible assignment to permanent using AAD. This stops PIM from being a true privileged management tool as it is too easy to subvert.
    Also, the notification email has been changed to just state that an assignment has occurred and not (as it did previously) to say that this occurred outside of PIM.…

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  2. PIM in Office 365 Admin Portal

    Will be nice, if Azure AD PIM funcionality and user and admin controls will be somewhere accessible also from Office 365 Admin Portal, not only Azure Portal.

    For example, if PIM is enabled for user and he has not proper rights and go to Admin Center, he is automatically redirected to PIM console.

    47 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  7 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. Support somekind of policy based approval / mfa for Azure AD roles

    Our customer REALLY love the new approval workflow for Azure PIM, but they would really prefer an option to define policies for which admins need approval and for does who just need to elevate their own permissions using Azure MFA.

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Enable PIM for a specific device only

    If a user requests a PIM activation, approvers should have the ability to restrict privileged access from the device the access was requested from.

    Consider a scenario where an attacker is able to convince an administrator to escalate their privileges for a some (fake) legitimate reason (e.g. I need a new site collection in SharePoint Online). If we assume the attacker has compromised the administrator's identity, they would then be able to take on the administrator's privileges from a remote location.

    If the administrator's elevated privileges were restricted to a specific device, the attack would fail.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  5. Notify PIM administrators when available roles are added or removed

    There have been recent changes to the roles that are managed by PIM. As an example, "Email Verified User Creator" has been removed and "Guest Inviter" has been added. It would be useful for existing holders of the role Privileged Role Administrator to be notified so they can impact assess the change.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  6. Notification to wrong Azure AD domain

    When you enable some new tools (like Azure PIM) the notification came with information that you enable this for domain $XYZ.

    When you have more custom domains added in some order like:
    A Domain
    B Domain
    C Domain (Main domain)
    D Domain

    The notitification came for domain A Domain, not for C Domain (Main Domain). It is something to be wrong or to be considered as bad state?

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. Add filters for eligible PIM roles

    It would be useful if there were filters on the eligible PIM roles screen. If you have many subscriptions and many different role types, it can be time consuming to locate what role(s) you need to activate as there are many pages to navigate due to a relatively small number or roles displayed per page.

    Being able to filter on both Subscriptions and Roles would be ideal.

    So you could for example have a view of a particular role on all subscriptions, or all roles for a particular subscription.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  8. Extend PIM to include support for Exchange Online Role Groups. Currently it is only for Azure AD and Azure Subscription

    Extend PIM to include support for Exchange Online Role Groups. Currently it is only for Azure AD and Azure Subscription

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  9. PIM

    There should be a means to force password reset on PIM enabled accounts. We do this with CyberArk today and our InfoSec department is balking on PIM due to the lack of automated password reset capability.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  10. Grant co-admin permission (with owner) to manage azure subscriptions with PIM

    Please add the option to grant permission to owner+co-admin (to managed subscriptions with classic API) with PIM.

    https://github.com/MicrosoftDocs/azure-docs/issues/15094#issuecomment-422116208

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  11. Log all activities (outside of AAD)

    When assigning Global-Admin Roles it would be very helpful if also Events are logged that are not in AAD for example when the Admin changes something in Intune etc.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →

    We’ve had feedback from customers they want to use Azure Monitor or Sentinel for this. We send all our events to the Azure AD Audit log. These events can be sent to Azure Monitor and Sentinel. Does this solve the ask?

  12. JIT Access Request

    Users have been given JIT Access to a subscription for Contributor and Owner Role. Had given Direct Access as "Reader Role ".

    If a user did not elevate its "Reader Role" to a Contributor or Owner, VM validation fails in the last step.

    Is it possible to bring up the page for elevation during the validation rather than re-doing everything from scratch? (i.e. step #1 elevate your permission first step #2 deploy your VM)

    Thank you,

    Allan

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Add support for a member reviewed PIM audit to flow to a reviewer PIM audit workflow.

    When performing an Audit Review using PIM it would be great if we could take the results of a Member reviewed audit and flow that directly into a reviewer controlled audit so that if a user stated Approved but their reason was not sufficient that their access could be revoked through the process. Additionally when adding this it would be great to support a reviewer comments section in addition to a member comments section.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add requestor UPN and email to audit list

    Sometimes I cannot find the requestor in the Active Directory according to the entry in PIM (e.g. Azure AD does not exist as user). It would be helpful to ad the email adress and UPN to the requestor colomn and as separate column in the Excel export.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  15. Change behavior in new tab after activating role on Azure AD PIM

    In current design of Azure AD Privileged Identity Management(PIM), it is required to open a new browser to see o365 portal for activated role (e.g. the temporary Global Admin). However I want availability by sign-in o365 in a new tab on the current browser instead of opening a new browser. Usually, users open new tab for new web page, I think.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
1 2 4 Next →
  • Don't see your idea?

Feedback and Knowledge Base