Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Get Privilege Role with their Eligible and Permanent Members List using Powershell

    Please add Azure PIM command, which can provide all roles & their members list (should show Eligible & Permanent attribute too) ?

    Get-PrivilegedRoleAssignment shows role details for logged in user only.

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  2. Be able to select multiple roles for a single user in PIM

    Currently when a new admin is added in AAD, his admin roles can be added only one by one in PIM. It would be great to have another PIM UI workflow to start with the user and not the role. You would select the user and then select any amount of valid roles for this user.

    12 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. Enable PIM assignment for a guest user in a specific directory

    We use powershell to activate PIM for users, but when we change to a specific directory, the get-privilegedroleassignment cmdlet still lists the roles available in the "home" directory, rather than the directory that you're currently in..

    connect-pimservice -TenantName <XXXX>

    has no effect on the get-privilegedroleassignment command

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Ability to search on all Azure resources and resource groups in the "Resource filter" experience

    Azure resources/resource groups search in PIM doesn’t search my entire pool of resources /resource groups. It only searches by page. I have to click "load more" 15+ times to find some of my resource groups which is a horrible UX and seems more like a bug to me.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow Organisations to force users to complete a new MFA challenge when elevating to a role in Privileged Identity Management

    Currently the behavior is that if a user signed into the Azure Portal and completed an MFA challenge they will not be prompted again when they elevate to a role in PIM even if the role settings are set to "Require MFA on elevation" as PIM will use the existing MFA claim/token that was completed upon sign-in.

    Please allow us to force PIM to acquire a new MFA claim on elevation.

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow longer activation duration for all roles

    Allow a larger max activation duration for all roles. Increase the existing 72 hours max to at least 120 hours (Full work week).

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. PIM make incident/request ticket number visible in approve/deny flow

    If the option "Require incident/request ticket number during activation" is enabled it should also be visible to the approver when making the decision on approve or deny.

    As it is now it is only visible after the decision on approve or deny is made.

    9 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  8. Add support to group multiple Azure Resource Role assignments for one single activation

    We're using Azure AD PIM to assign permissions for our admins and developers. We're using Resource Groups as the scope for all role assignments. We have divided our Azure resources in a different resource groups depending on the application or service life-cycles.
    Using Resource Groups as the scope in PIM works good but sometimes it results in many activations for our users. If we have an app service in one RG that relies on an App Service Environment that's located in another RG that relies on a vNet located in a third RG the users needs to activate three role…

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  9. Ability for Azure AD PIM users to opt-out of e-mail notifications

    It would be nice with an ability to opt-out of the automatic notification that is sent after people elevate their account. Especially for external consultants using their Azure B2B account at multiple customers.

    I get about 10+ mails each that about customers / colleagues that enable their roles using Azure AD PIM:

    Please make it possible to opt-out of the notification mails: "xxxxx activated the THE ROLE in the xxxx.onmicrosoft.com directory"

    Thanks.
    Peter Selch Dahl - Azure MVP

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  10. When PIM is enabled, prevent User Admins from changing the activation of an account

    When PIM is enabled, prevent role changes via Azure AD using the User Admin role.
    Currently, User Admins are able to assign directory roles (via classic portal and new portal, although new portal gives more options via the limited administrator option). It is also possible to change an eligible assignment to permanent using AAD. This stops PIM from being a true privileged management tool as it is too easy to subvert.
    Also, the notification email has been changed to just state that an assignment has occurred and not (as it did previously) to say that this occurred outside of PIM.…

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  11. Push notification when new request is pending of approval on PIM

    Currently, the only option for PIM approvers to receive notification of a new request is email (or my log in at AAD PIM -> Approve Requests).
    By having a push notification, the approval process would be faster when email is not monitored.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  12. Azure AD PIM directory roles audit history support for 1 year

    For customers that have purchased the Microsoft Office 365 E5 license for there users and new logging feature exist that extends standard logging in Azure AD for 1 year. The feature is known as "Long-term Office 365 audit log private preview" and is mentioned in this article: https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance

    Please allow "Directory roles audit history" to search back in time for at least a year, if customers have the proper logs available in there Azure AD tenants.

    Workaround: As a work around for now. I'm using Azure Log Analytics for storing role changes for long-term history. Customers would like to see…

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Notify PIM administrators when available roles are added or removed

    There have been recent changes to the roles that are managed by PIM. As an example, "Email Verified User Creator" has been removed and "Guest Inviter" has been added. It would be useful for existing holders of the role Privileged Role Administrator to be notified so they can impact assess the change.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add support for a member reviewed PIM audit to flow to a reviewer PIM audit workflow.

    When performing an Audit Review using PIM it would be great if we could take the results of a Member reviewed audit and flow that directly into a reviewer controlled audit so that if a user stated Approved but their reason was not sufficient that their access could be revoked through the process. Additionally when adding this it would be great to support a reviewer comments section in addition to a member comments section.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  15. Error Insufficent roles or permission

    It has been observed that after enabling the GA role in the tenant , access to AIP is restricted.

    The below screen shot is from the Azure Portal itself and does show that after activating a PIM role for all services in the security and compliance center the role can take up to a few hours to activate.

    In the below screen shot this will confirm it is a known issue with PIM in Azure and they are working on resolving it. Unfortunately, the time delay will fluctuate from a few minutes some days to a “few hours”. Because Azure…

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  16. PIM's Email notification is not supported multi-language.

    I would like to receive E-mails is written "Japanese" when following key events occur in PIM.

    When a privileged role activation is pending approval
    When a privileged role activation request is completed
    When a privileged role is activated
    When a privileged role is assigned
    When Azure AD PIM is enabled

    But I think that E-mails is not supported multi-language.
    Except for English-speaking countries, PIM's Email notification may be not easy to use now.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  17. Add support for role assignment based on Administrative Unit (AU) in Azure PIM

    Consider adding support for Administrative Unit (AU) within Azure PIM. It would be great to have in larger enterprises and smaller that have many locations around the world.

    I currently have the need at a couple of customers to due assignment to different location and would like to provide "User Administrator" for some specific locations using Administrative Unit (AU). I still would like the users to elevate them self.

    I am currently left with to options. Either assign permanent "User Administrator" with Administrative Unit (AU) or using Azure PIM to assign a eligible "User Administrator" role for ALL user objects.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  18. Allow approval only for specific users in specific roles

    We would like to enable approval for specific users in specific roles only. This way some people are exempt from approval, but others will have to request approval anyhow. Right now this is role based, but for example we have a few Global Administrators who need to be able to activate without approval, and some we would like to request approval.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow time bound admin access

    Currently we have the need to allow someone to add a user to an admin role which is then automatically deleted after a specific time period or date/time. The role should be completely removed at that point in time, so the user should also not be eligible anymore to activate the role.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  20. Privileged Identity Management Activations duration should have both Maximum and Default activation duration.

    Privileged Identity Management Activations duration should have another configuratuion settings together with Maximum activation duration.

    - Maximum activation duration set to 8 hours
    - Default activation duration set to 4 hours

    This way administrators can extend the time if requered, replaces the need for automaticly have maximum activation time

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base