Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Resource /Subscription view

    In the search Bar ,when we type an user name it should show the list of the resource /subscription which the user has .

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  2. JIT Access Request

    Users have been given JIT Access to a subscription for Contributor and Owner Role. Had given Direct Access as "Reader Role ".

    If a user did not elevate its "Reader Role" to a Contributor or Owner, VM validation fails in the last step.

    Is it possible to bring up the page for elevation during the validation rather than re-doing everything from scratch? (i.e. step #1 elevate your permission first step #2 deploy your VM)

    Thank you,

    Allan

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. Enable PIM for a specific device only

    If a user requests a PIM activation, approvers should have the ability to restrict privileged access from the device the access was requested from.

    Consider a scenario where an attacker is able to convince an administrator to escalate their privileges for a some (fake) legitimate reason (e.g. I need a new site collection in SharePoint Online). If we assume the attacker has compromised the administrator's identity, they would then be able to take on the administrator's privileges from a remote location.

    If the administrator's elevated privileges were restricted to a specific device, the attack would fail.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add requestor UPN and email to audit list

    Sometimes I cannot find the requestor in the Active Directory according to the entry in PIM (e.g. Azure AD does not exist as user). It would be helpful to ad the email adress and UPN to the requestor colomn and as separate column in the Excel export.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  5. Change behavior in new tab after activating role on Azure AD PIM

    In current design of Azure AD Privileged Identity Management(PIM), it is required to open a new browser to see o365 portal for activated role (e.g. the temporary Global Admin). However I want availability by sign-in o365 in a new tab on the current browser instead of opening a new browser. Usually, users open new tab for new web page, I think.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  6. Notification to wrong Azure AD domain

    When you enable some new tools (like Azure PIM) the notification came with information that you enable this for domain $XYZ.

    When you have more custom domains added in some order like:
    A Domain
    B Domain
    C Domain (Main domain)
    D Domain

    The notitification came for domain A Domain, not for C Domain (Main Domain). It is something to be wrong or to be considered as bad state?

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. Extend PIM into Enterprise Application User Assignment and Roles

    PIM for only admin of Azure and O365 is fine as a local solution, but it without broader applicability we still need to look for something else to build into our security fabric.

    Please consider extending PIM to make it relevant to account privilege escalation in any system integrated with AAD.

    Extending to just group membership would be a good halfway step, but why not natively support any OAuth2 role assignments?

    Cheers
    Ben

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  8. Ability to disable default alerts

    The default "role assigned outside of PIM" alert generates a lot of noise to global admins due to using the Office 365 Admin center to assign roles (which is technically outside of PIM). It would be nice to be able to turn this alert off rather than re-train admins away from using the O365 Admin Center and to the Azure Portal where PIM resides.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow Granular Privileged Role Admin Assignments. E.g. Privileged Role Admin (Azure resource)

    Large organisations will often separate/delegate tenant-wide access management and administration from lower-level (Azure) resource-level assignments. If this were extended to PIM, such that we could delegate the management of PIM Azure Resource role assignments to different Admins than those that manage the PIM AAD Admin role assignments this would be better than the all-or-nothing scenario with the Privileged Role Administrator role.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  10. Add an option to display minimum roles needed to see *this* blade

    To help users get comfortable knowing that Global Admin is not needed for everything, we should add a control (e.g. into the top menu for any given blade in the Azure AD portal) that shows the least privileged roles to see (or update) *this* page.

    For example, if I only need "Security Admin" for configuring Identity Protection (or "Security Reader" to see it), make it easier for me to discover that's all I really need. Otherwise, asking for Global Admin becomes the path of least resistance.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  11. For access denied page, show least privilege role needed to encourage PIM

    When I get an access denied page in Azure AD portal, it would be VERY useful to add the least privileged role [needed to see this resource] as part of the error message page. This will help me know specifically which PIM role to activate (or to add this user to for future access) ...otherwise, it's often just ~easier~ to simply reach too high (e.g. activate GA because it's easier than hunting down or using trial-and-error to know which role I actually need)

    This is a GREAT resource and I use it often, but just surfacing the info immediately would…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  12. Reevaluate "potential stale accounts in a privileged role" alert

    This alert is to identify "Accounts in a privileged role that have not changed their password in the past 90 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers."

    Rotating of passwords is not the best way to identify stale accounts. SecureScore has a control that encourages setting passwords to never expire based on research which also led NIST to update their position on password expiration policies and the Microsoft security baseline for win 10 to recommend not expiring passwords. (see below)

    A stale account is one that has not been…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Customer tenants should be manageable by PIM

    PIM should be able to manage access to customer's tenants. Partner has employees with their own source of authority but should still be able to give out access based on Azure lighthouse for instance. AzLighthouse currently supports groups only, which are not supported by PIM.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  14. enforced privileged identity management for CSP and report on costumer security blade among other normal security measure.

    Costumers even thrusting their CSP need to have a view and a control over their activities PIM is one of them , and report should be send to the security center that have the abilities to be linked to a SIEM .
    it's also part of a compliance audit, we should not need to add that partner as a B2B guest to do so , it's too much combersome as the trust between the azure AD is exisiting .

    begin to put the admin agent and helpdesk agent as eligible role (i would even suggest by default" .

    CSP Cloud…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  15. More info on audit of resources

    Want to see more activities information when accessing resource audit. Activities detail did not show tickets number info and reason input by user during the activation stage.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  16. The approver to be able to set all at once in PIM.

    "Require approval" and "SELECTED APPROVER" can be set in “Default for all roles” of PIM.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  17. Add Roles and Groups from other M365 services to PIM

    Enable PIM to support roles and groups from other M365 services such as Intune Roles and AzureAD groups to support services like MCAS and Defender ATP

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  18. To provide the option to the admins to enforce the Password complexity options by selecting all the 4 combinations of properties.

    admins should be able to manage AD as well as Azure AD to enforce password complexity by using all 4 options. Currently only 3 out of 4 are applied while changing user password,

    Characters allowed
    A – Z
    a - z
    0 – 9
    @ # $ % ^ & * - _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ " ( ) ;
    blank space

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

  19. PIM Review Settings

    For PIM, there should be a way and documentation regarding how to change reviewers. Currently when it's set to self-review, there is no way to change the setting except by deleting the review and starting over.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  20. Organization Management / Search and Purge

    In order to combat dangerous / phishing messages, is it possible to add the O365 Organization Management or the Search and Purge management role into PIM?

    Since these roles are very powerful, it would be great if they can be added.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base