Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Access review

    Option to include non-user service principals in access reviews of Azure PIM resource roles.

    All elevated member access (owners, contributors) to Azure subscriptions needs to be reviewed as part of SOX compliance, and currently non-user service principals (like VSO service principals used for automated deployments in Azure) are not included in the access reviews initiated for Azure resource roles.

    16 votes

    started  ·  0 comments  ·  Privileged Identity Management
  2. Support Diagnostic Settings for PIM Audit Logs

    Azure AD Audit Logs and Sign-in Logs can be forwarded to Log Analytics, Storage Account or Event Hub. It is crucial to have this functionality also for the PIM Audit History. Just using the Azure Portal GUI to export a CSV is not how it should be nowadays.

    14 votes

    4 comments  ·  Privileged Identity Management
  3. Enable PIM assignment for a guest user in a specific directory

    We use PowerShell to activate PIM for users, but when we change to a specific directory, the get-privilegedroleassignment cmdlet still lists the roles available in the "home" directory, rather than the directory that you're currently in.

    connect-pimservice -TenantName <XXXX>

    has no effect on the get-privilegedroleassignment command.

    13 votes

    under review  ·  1 comment  ·  Privileged Identity Management
  4. When PIM is enabled, prevent User Admins from changing the activation of an account

    When PIM is enabled, prevent role changes via Azure AD using the User Admin role.
    Currently, User Admins are able to assign directory roles (via classic portal and new portal, although new portal gives more options via the limited administrator option). It is also possible to change an eligible assignment to permanent using AAD. This stops PIM from being a true privileged management tool as it is too easy to subvert.
    Also, the notification email has been changed to just state that an assignment has occurred and not (as it did previously) to say that this occurred outside of PIM.…

    13 votes

    planned  ·  3 comments  ·  Privileged Identity Management
  5. Ability to search on all Azure resources and resource groups in the "Resource filter" experience

    Azure resources/resource groups search in PIM doesn’t search my entire pool of resources /resource groups. It only searches by page. I have to click "load more" 15+ times to find some of my resource groups which is a horrible UX and seems more like a bug to me.

    12 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  6. Make Azure AD role activation in PIM faster

    Currently activating an Azure AD role such as Global Admin or User Admin in Privileged Identity Management (PIM) takes 15+ minutes to fully activate (this time starts after following the step to sign out). Even after logging out and back in again, the role will display as active in the Azure AD overview blade, but when trying to take an action such as updating a user license (in the Office 365 portal) or updating an app configuration in the Azure AD portal, the action will fail claiming access denied. After 15-30 minutes, the role finally becomes fully active with no notification…

    11 votes

    7 comments  ·  Privileged Identity Management
  7. PowerShell module to manage and configure Azure RM PIM roles

    It is tedious and error-prone to manually configure PIM roles on multiple individual resources/resource groups through the portal. Would be nice to have a PowerShell module to make this task easier.

    11 votes

    started  ·  0 comments  ·  Privileged Identity Management
  8. Add support for role assignment based on Administrative Unit (AU) in Azure PIM

    Consider adding support for Administrative Units (AU) within Azure PIM. It would be great to have in larger and smaller enterprises that have many locations around the world.

    I currently have the need at a couple of customers to do assignments for different locations, and would like to provide "User Administrator" for some specific locations using an Administrative Unit (AU). I would still like the users to elevate themselves.

    I am currently left with two options: either assign a permanent "User Administrator" with an Administrative Unit (AU), or use Azure PIM to assign an eligible "User Administrator" role for ALL user objects.

    11 votes

    0 comments  ·  Privileged Identity Management
  9. Push notification when a new request is pending approval in PIM

    Currently, the only option for PIM approvers to receive notification of a new request is email (or logging in at AAD PIM -> Approve Requests).
    By having a push notification, the approval process would be faster when email is not monitored.

    10 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  10. Privileged Identity Management Activations duration should have both Maximum and Default activation duration.

    Privileged Identity Management activation duration should have another configuration setting alongside the maximum activation duration:

    • Maximum activation duration set to 8 hours

    • Default activation duration set to 4 hours

    This way administrators can extend the time if required, which replaces the need to automatically get the maximum activation time.

    10 votes

    0 comments  ·  Privileged Identity Management
  11. PIM's email notifications do not support multiple languages.

    I would like to receive e-mails written in Japanese when the following key events occur in PIM:

    When a privileged role activation is pending approval
    When a privileged role activation request is completed
    When a privileged role is activated
    When a privileged role is assigned
    When Azure AD PIM is enabled

    But I think that the e-mails do not support multiple languages.
    Outside English-speaking countries, PIM's email notifications may not be easy to use right now.

    10 votes

    1 comment  ·  Privileged Identity Management
  12. Eliminate role activation delay between portals open in different browser tabs

    There is a delay in role activation when the target portal (i.e. Power Platform admin center) is open in one tab and PIM activation is initiated in a separate browser tab. It can take up to 15 minutes for the role to activate in the target portal, even if the tab is refreshed multiple times following role activation. While logging out and back in resolves this delay, it is not a sustainable option for urgent troubleshooting.

    7 votes

    0 comments  ·  Privileged Identity Management
  13. PIM - multiple approvers required

    At the moment you configure multiple approvers in the role setting details dialog. As soon as one approver approves, the request gets accepted.

    I would like to have an option to require multiple approvers to allow the request,
    e.g. configure 5 approvers, 2 of which are required to approve the request.

    7 votes

    started  ·  0 comments  ·  Privileged Identity Management
  14. For access denied page, show least privilege role needed to encourage PIM

    When I get an access denied page in the Azure AD portal, it would be VERY useful to add the least privileged role [needed to see this resource] as part of the error message page. This will help me know specifically which PIM role to activate (or to add this user to for future access)... otherwise, it's often just ~easier~ to simply reach too high (e.g. activate GA because it's easier than hunting down or using trial and error to know which role I actually need).

    This is a GREAT resource and I use it often, but just surfacing the info immediately would…

    7 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  15. Provide the option for admins to enforce the password complexity options by selecting all 4 combinations of properties.

    Admins should be able to manage AD as well as Azure AD to enforce password complexity by using all 4 options. Currently only 3 out of 4 are applied while changing a user password.

    Characters allowed:

    A - Z
    a - z
    0 - 9
    @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;
    blank space

    7 votes

    0 comments  ·  Privileged Identity Management

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

  16. Allow Azure AD member to request role eligibility in Azure AD PIM

    I heard from customers that they would like the ability to switch on a toggle in Azure AD PIM that would allow normal users to request eligibility for an Azure AD role.

    Basically:

    1. Toggle on -> Allow members to request Azure AD roles

    2. User/member requests role eligibility for an Azure AD role

    3. Azure AD PIM admin approves the request for becoming a member of the Azure AD role, with either eligibility or approval depending on the default roles.

    4. The member/user would afterwards be able to request approval / eligibility and get approval from the defined approver.

    7 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  17. Notify PIM administrators when available roles are added or removed

    There have been recent changes to the roles that are managed by PIM. As an example, "Email Verified User Creator" has been removed and "Guest Inviter" has been added. It would be useful for existing holders of the role Privileged Role Administrator to be notified so they can impact assess the change.

    7 votes

    0 comments  ·  Privileged Identity Management
  18. Allow User/Group Admin the ability to manage external collaboration

    Our settings are the most restrictive: any B2B domains need to be added manually in the Manage External Collaboration settings. The setting should be set and amended by a Global Admin, but users with the User Admin role should have the ability to add a new trusted domain in the "target domains" section.

    6 votes

    0 comments  ·  Privileged Identity Management
  19. Privileged Identity Management event into Event Grid for automation

    We would like to use Privileged Identity Management (PIM) to provide access to content within a resource, for example a database within a database server. To be able to hook into a successful 'just in time' request and its timeout, I would like to use something like Event Grid.

    The current alerting based on email is not good enough to be able to reliably build automation.

    6 votes

    under review  ·  1 comment  ·  Privileged Identity Management
  20. Allow approval only for specific users in specific roles

    We would like to enable approval for specific users in specific roles only. This way some people are exempt from approval, but others will have to request approval anyhow. Right now this is role based, but for example we have a few Global Administrators who need to be able to activate without approval, and some from whom we would like to require approval.

    6 votes

    2 comments  ·  Privileged Identity Management