Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log-in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Allow approval only for specific users in specific roles

    We would like to enable approval for specific users in specific roles only. This way some people are exempt from approval, but others will have to request approval anyhow. Right now this is role based, but for example we have a few Global Administrators who need to be able to activate without approval, and some we would like to request approval.

    5 votes

    1 comment  ·  Privileged Identity Management
  2. Add support for a member reviewed PIM audit to flow to a reviewer PIM audit workflow.

    When performing an Audit Review using PIM, it would be great if we could take the results of a member-reviewed audit and flow that directly into a reviewer-controlled audit, so that if a user stated "Approved" but their reason was not sufficient, their access could be revoked through the process. Additionally, when adding this, it would be great to support a reviewer comments section in addition to a member comments section.

    5 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  3. Privileged Identity Management event into Event Grid for automation

    We would like to use Privileged Identity Management (PIM) to provide access to content within a resource, for example a database within a database server. To be able to hook into a successful 'just in time' request and its timeout, I would like to use something like Event Grid.

    The current alerting based on email is not good enough to be able to reliably build automation.

    4 votes

    0 comments  ·  Privileged Identity Management
  4. Support Diagnostic Settings for PIM Audit Logs

    Azure AD Audit Logs and Sign-in Logs can be forwarded to Log Analytics, Storage Account or Event Hub. It is crucial to have this functionality also for the PIM Audit History. Just using the Azure Portal GUI to export a CSV is not how it should be nowadays.

    4 votes

    2 comments  ·  Privileged Identity Management
  5. Add eDiscovery administrator/manager to PIM/PAM roles

    Please add eDiscovery roles to PIM/PAM; they seem to be MIA.

    4 votes

    0 comments  ·  Privileged Identity Management
  6. Error: Insufficient roles or permission

    It has been observed that after enabling the GA role in the tenant, access to AIP is restricted.

    The below screenshot is from the Azure Portal itself and does show that after activating a PIM role for all services in the Security and Compliance Center, the role can take up to a few hours to activate.

    The below screenshot confirms it is a known issue with PIM in Azure and they are working on resolving it. Unfortunately, the time delay will fluctuate from a few minutes some days to a "few hours". Because Azure…

    4 votes

    0 comments  ·  Privileged Identity Management
  7. Access Review Alerts sent to Alternative email

    We do have the option to input an alternative email into the user's account, but when performing an access review, the users don't get any notification through the alternative email.
    It would be great if we could have another method to send notifications to the users and reviewers in access reviews.

    4 votes

    1 comment  ·  Privileged Identity Management
  8. PIM's email notifications do not support multiple languages.

    I would like to receive e-mails written in Japanese when the following key events occur in PIM:

    When a privileged role activation is pending approval
    When a privileged role activation request is completed
    When a privileged role is activated
    When a privileged role is assigned
    When Azure AD PIM is enabled

    But I think that the e-mails do not support multiple languages.
    Outside English-speaking countries, PIM's email notifications may not be easy to use right now.

    4 votes

    1 comment  ·  Privileged Identity Management
  9. Recurring re-certification schedules

    Currently, if I wish to re-certify membership of AD roles, I need to manually add every new workflow. I would like to specify this once and then schedule it to recur every 6 months (for example).

    4 votes

    0 comments  ·  Privileged Identity Management
  10. A Restricted Role Administrator directory role

    It would be beneficial to have a Restricted Role Administrator (RRA) directory role in Azure AD. It would be similar to the Privileged Role Administrator, but you could select the privileges you want the RRA to have. For example, an admin with more privileges (i.e. Global Admin or Privileged Role Admin) could decide if they want the RRA to have access to PIM, and the admin could restrict the roles that the RRA could assign to other users, so if they don't want the RRA to be able to assign other users to the Global Admin role or specific Limited…

    4 votes

    3 comments  ·  Privileged Identity Management
  11. Allow time bound admin access

    Currently we have the need to allow someone to add a user to an admin role which is then automatically deleted after a specific time period or date/time. The role should be completely removed at that point in time, so the user should also not be eligible anymore to activate the role.

    4 votes

    under review  ·  2 comments  ·  Privileged Identity Management
  12. Support some kind of policy-based approval / MFA for Azure AD roles

    Our customer REALLY loves the new approval workflow for Azure PIM, but they would really prefer an option to define policies for which admins need approval and for those who just need to elevate their own permissions using Azure MFA.

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    4 votes

    1 comment  ·  Privileged Identity Management
  13. Enable multi-select when activating roles in Privileged Identity Management - My roles

    My daily job requires me to activate multiple roles through PIM. I need to be able to do this in one go instead of activate, reason, duration, wait, repeat for all the roles I need that day. Let me just select them all and go through the screen only once.

    3 votes

    0 comments  ·  Privileged Identity Management
  14. PIM - Privileged Identity Management - Different policies for one role

    It would be great to have the possibility of different policies for the same role.

    Example

    PIM Policy - Global Admin Require Approval: No
    User1 will have to request access to 'Global Admin' through PIM and will be automatically granted the role.

    PIM Policy - Global Admin Require Approval: Yes
    User2 will have to request access to 'Global Admin' through PIM and the request needs to be 'Approved' by any 'Global Admin'.

    3 votes

    0 comments  ·  Privileged Identity Management
  15. PowerShell module to manage and configure Azure RM PIM roles

    It is tedious and error-prone to manually configure PIM roles on multiple individual resources/resource groups through the portal. It would be nice to have a PowerShell module to make this task easier.

    3 votes

    0 comments  ·  Privileged Identity Management
  16. Access review

    Option to include non-user service principals in access reviews of Azure PIM resource roles.

    All elevated members' access (owners, contributors) to the Azure subscription needs to be reviewed as part of SOX compliance, and currently non-user service principals (like VSO service principals used for automated deployments in Azure) are not included in the access reviews initiated for Azure resource roles.

    3 votes

    0 comments  ·  Privileged Identity Management
  17. Improve PIM Azure resources browsing

    Today, if I am using the "Resource" filter to explore Azure resources, I am unable to see the real resource type of the displayed resources, e.g. Microsoft.Web/sites.

    It causes problems when more than one resource has the same name. It is then impossible to distinguish which one is which; even clicking on the resource does not provide this information in the next screen either.

    3 votes

    0 comments  ·  Privileged Identity Management
  18. PIM Notification Additional Fields

    It would be handy to add the additional fields in the email if they are selected in the setup of the PIM controls.

    mail template.
    Is there an option/ability to add the ticket information fields in the email alongside the justification?

    Ticket Number
    Ticket System

    Currently it only shows the justification.

    3 votes

    1 comment  ·  Privileged Identity Management
  19. Require MFA for permanent highly privileged roles

    If you make an eligible role assignment for Global Administrator via PIM, it enforces MFA for role activation.

    This is the case for several highly privileged roles and cannot be changed. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings#multi-factor-authentication

    However, if you assign the role permanently, shouldn't this always enforce MFA for the user?

    I understand this change could have a big UX impact, and with the new baseline admin conditional access we already have a good way of protection in preview. But if that's the way Microsoft wants to go, shouldn't the baseline CA policy and the highly privileged PIM roles match?

    3 votes

    2 comments  ·  Privileged Identity Management
  20. PIM

    There should be a means to force password reset on PIM enabled accounts. We do this with CyberArk today and our InfoSec department is balking on PIM due to the lack of automated password reset capability.

    3 votes

    0 comments  ·  Privileged Identity Management