Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. ediscovery administrator/manager adds to PIM/PAM roles

    Pls add eDiscovery roles to PIM/PAM, seem to be mia

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  2. Allow Organisations to force users to complete a new MFA challenge when elevating to a role in Privileged Identity Management

    Currently the behavior is that if a user signed into the Azure Portal and completed an MFA challenge they will not be prompted again when they elevate to a role in PIM even if the role settings are set to "Require MFA on elevation" as PIM will use the existing MFA claim/token that was completed upon sign-in.

    Please allow us to force PIM to acquire a new MFA claim on elevation.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. PIM - Configure default settings for all role assignments

    Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.

    Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.

    e.g. I would like PIM eligible assignment to default to a maxiumum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.

    Thanks
    Ben.

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Enable PIM assignment for a guest user in a specific directory

    We use powershell to activate PIM for users, but when we change to a specific directory, the get-privilegedroleassignment cmdlet still lists the roles available in the "home" directory, rather than the directory that you're currently in..

    connect-pimservice -TenantName <XXXX>

    has no effect on the get-privilegedroleassignment command

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  5. Ability to search on all Azure resources and resource groups in the "Resource filter" experience

    Azure resources/resource groups search in PIM doesn’t search my entire pool of resources /resource groups. It only searches by page. I have to click "load more" 15+ times to find some of my resource groups which is a horrible UX and seems more like a bug to me.

    12 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  6. When PIM is enabled, prevent User Admins from changing the activation of an account

    When PIM is enabled, prevent role changes via Azure AD using the User Admin role.
    Currently, User Admins are able to assign directory roles (via classic portal and new portal, although new portal gives more options via the limited administrator option). It is also possible to change an eligible assignment to permanent using AAD. This stops PIM from being a true privileged management tool as it is too easy to subvert.
    Also, the notification email has been changed to just state that an assignment has occurred and not (as it did previously) to say that this occurred outside of PIM.…

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. Privileged Identity Management Activations duration should have both Maximum and Default activation duration.

    Privileged Identity Management Activations duration should have another configuratuion settings together with Maximum activation duration.


    • Maximum activation duration set to 8 hours

    • Default activation duration set to 4 hours

    This way administrators can extend the time if requered, replaces the need for automaticly have maximum activation time

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  8. Add support to group multiple Azure Resource Role assignments for one single activation

    We're using Azure AD PIM to assign permissions for our admins and developers. We're using Resource Groups as the scope for all role assignments. We have divided our Azure resources in a different resource groups depending on the application or service life-cycles.
    Using Resource Groups as the scope in PIM works good but sometimes it results in many activations for our users. If we have an app service in one RG that relies on an App Service Environment that's located in another RG that relies on a vNet located in a third RG the users needs to activate three role…

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  9. Access review

    Option to include non user Service principals in Access review of Azure PIM resource roles.

    All Elevated members access ( owners , contributors) to Azure subscription need to be reviewed as part of SOX compliance and currently Non user service principals ( like VSO Service principals used for automated deployments in Azure) are not included in the Access reviews initiated for Azure Resource roles.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add support for role assignment based on Administrative Unit (AU) in Azure PIM

    Consider adding support for Administrative Unit (AU) within Azure PIM. It would be great to have in larger enterprises and smaller that have many locations around the world.

    I currently have the need at a couple of customers to due assignment to different location and would like to provide "User Administrator" for some specific locations using Administrative Unit (AU). I still would like the users to elevate them self.

    I am currently left with to options. Either assign permanent "User Administrator" with Administrative Unit (AU) or using Azure PIM to assign a eligible "User Administrator" role for ALL user objects.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  11. Support PIM for service principals

    We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

    We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

    This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  12. Support Diagnostic Settings for PIM Audit Logs

    Azure AD Audit Logs and Sign-in Logs can be forwarded to Log Analytics, Storage Account or Event Hub. It is crucial to have this functionality also for the PIM Audit History. Just using the Azure Portal GUI to export a CSV is not how it should be nowadays.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Push notification when new request is pending of approval on PIM

    Currently, the only option for PIM approvers to receive notification of a new request is email (or my log in at AAD PIM -> Approve Requests).
    By having a push notification, the approval process would be faster when email is not monitored.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  14. Notify PIM administrators when available roles are added or removed

    There have been recent changes to the roles that are managed by PIM. As an example, "Email Verified User Creator" has been removed and "Guest Inviter" has been added. It would be useful for existing holders of the role Privileged Role Administrator to be notified so they can impact assess the change.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  15. To provide the option to the admins to enforce the Password complexity options by selecting all the 4 combinations of properties.

    admins should be able to manage AD as well as Azure AD to enforce password complexity by using all 4 options. Currently only 3 out of 4 are applied while changing user password,

    Characters allowed

    A – Z
    a - z
    0 – 9
    @ # $ % ^ & * - _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ " ( ) ;
    blank space

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

  16. PowerShell module to manage and configure Azure RM PIM roles

    It is tedious and error-prone to manually configure PIM roles on multiple individual resources/resource groups through the portal. Would be nice to have a PowerShell module to make this task easier.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  17. Allow Azure AD member to request role eligibility in Azure AD PIM

    I heard from customers that they would like the ability to switch on a toggle in Azure AD PIM that would allow normal users to request eligibility for a Azure AD Role.

    Basically:


    1. Toggle On - > Allow members to request Azure AD Role

    2. User/Member request role eligibility / Azure AD role

    3. Azure AD PIM admin approves the request for becoming member of the Azure AD role and with either eligibility/approval depending on the default roles.

    4. The member/user would afterwards be able to request approval / eligibility and get approval by the defined approver.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  18. A Restricted Role Administrator directory role

    It would be beneficial to have a Restricted Role Administrator (RRA) directory role in Azure AD. It would be similar to the Privileged Role Administrator, but you could select the priveleges you want the RRA to have. For example, an admin with more priveleges (ie Global Admin or Priveleged Role Admin) could decide if they want the RRA to have access to PIM and the admin could restrict the roles that the RRA could assign to other users, so if they don't want the RRA to be able to assign other users to the Global Admin role or specific Limited…

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  3 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow approval only for specific users in specific roles

    We would like to enable approval for specific users in specific roles only. This way some people are exempt from approval, but others will have to request approval anyhow. Right now this is role based, but for example we have a few Global Administrators who need to be able to activate without approval, and some we would like to request approval.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  20. Support somekind of policy based approval / mfa for Azure AD roles

    Our customer REALLY love the new approval workflow for Azure PIM, but they would really prefer an option to define policies for which admins need approval and for does who just need to elevate their own permissions using Azure MFA.

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base