Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Bulk registration of Non-Personal Accounts (MFA - AAD)

    All our non-personal accounts are AAD users (best practice).
    However, there is no way for AD PIM vulnerability assessment to exclude them. In short, the "exclude" list does not do this.
    It's been suggested to "register" these, but that would mean manual registration of potentially hundreds of user IDs with fake temporary emails and someone's phone number. Not a pleasant thought.

    3 votes
    0 comments  ·  Privileged Identity Management
  2. Auto suggest role activation on "access denied" error messages if user is eligible

    If I have a role that would allow me to access a page via PIM, error messages should suggest to enable the least privilege role I am eligible for instead of just showing an access error.

    This would:
    1. allow to think about PIM as a workaround
    2. understand that Global Admin is not the role to activate by default and that less powerful roles could still allow to get things done
    3. add some friendliness to "access denied" error messages :-)

    2 votes
    0 comments  ·  Privileged Identity Management
  3. Azure cli PIM activation

    To reduce churn, it would be good if there was a CLI method of activating PIM Azure Resource roles so that the process was less laborious.

    2 votes
    0 comments  ·  Privileged Identity Management
  4. PIM - multiple approvers required

    At the moment you configure multiple approvers in the role setting details dialog. As soon as one approver approves, the request gets accepted.

    I would like to have an option to require multiple approvers to allow the request,
    e.g. configure 5 approvers, of which 2 are required to approve the request.

    2 votes
    1 comment  ·  Privileged Identity Management
  5. Add an option to display minimum roles needed to see *this* blade

    To help users get comfortable knowing that Global Admin is not needed for everything, we should add a control (e.g. into the top menu for any given blade in the Azure AD portal) that shows the least privileged roles to see (or update) this page.

    For example, if I only need "Security Admin" for configuring Identity Protection (or "Security Reader" to see it), make it easier for me to discover that's all I really need. Otherwise, asking for Global Admin becomes the path of least resistance.

    2 votes
    0 comments  ·  Privileged Identity Management
  6. For access denied page, show least privilege role needed to encourage PIM

    When I get an access denied page in the Azure AD portal, it would be VERY useful to add the least privileged role [needed to see this resource] as part of the error message page. This will help me know specifically which PIM role to activate (or to add this user to for future access)... otherwise, it's often just ~easier~ to simply reach too high (e.g. activate GA because it's easier than hunting down or using trial-and-error to know which role I actually need).

    This is a GREAT resource and I use it often, but just surfacing the info immediately would…

    2 votes
    0 comments  ·  Privileged Identity Management
  7. Add Roles and Groups from other M365 services to PIM

    Enable PIM to support roles and groups from other M365 services, such as Intune roles and Azure AD groups, to support services like MCAS and Defender ATP.

    2 votes
    0 comments  ·  Privileged Identity Management
  8. To provide the option to the admins to enforce the Password complexity options by selecting all the 4 combinations of properties.

    Admins should be able to manage AD as well as Azure AD to enforce password complexity by using all 4 options. Currently only 3 out of 4 are applied while changing a user password.

    Characters allowed:

    A - Z
    a - z
    0 - 9
    @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;
    blank space

    2 votes
    0 comments  ·  Privileged Identity Management

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

  9. Organization Management / Search and Purge

    In order to combat dangerous / phishing messages, is it possible to add the O365 Organization Management or the Search and Purge management role into PIM?

    Since these roles are very powerful, it would be great if they can be added.

    2 votes
    0 comments  ·  Privileged Identity Management
  10. Enable 'require approval' on a per user (vs per role) basis

    Currently, PIM only provides a "Require approval to activate this role" setting on a per role basis. I would like to see this on a PER USER basis. So a user would be either: Permanent, Eligible, or Eligible (approval required).

    This is more in line with the trust model we want, allowing fewer permanent assignments. Some people would be trusted to self-elevate; others would require independent approval.

    2 votes
    0 comments  ·  Privileged Identity Management
  11. Show Info and add it to notifications when activation expires

    We use PIM and sometimes a PIM activation expires in an opened Azure Portal session.
    Sadly, we often need some time to realize that the activation expired, because the functions in the Azure Portal are not blocked and therefore clickable, and many cryptic error messages are shown when we try to use functions for which the activation has expired.

    It would be nice if an info message is displayed when a PIM activation expires.
    This info should be added to the notifications (bell).

    2 votes
    0 comments  ·  Privileged Identity Management
  12. Access review

    Option to initiate one access review for multiple resource roles (like Owner & Contributor).

    Currently we need to create a separate access review for each resource role in Azure PIM. We need an option to initiate one access review for multiple roles.

    2 votes
    1 comment  ·  Privileged Identity Management
  13. When a role is currently active, always allow future activations to be scheduled.

    When my role is elevated the 'Activate' button is not always enabled to allow me to schedule a future activation of the current role, if needed. Sometimes the Activate button is enabled and other times it is not. I do not see a consistent pattern to determine why I can sometimes schedule future activations or not.

    Currently, only seeing this for the SharePoint Service Administrator role (as that is the only role I used PIM for). I know this PIM is still in preview for this role, so may not be affecting other roles.

    2 votes
    0 comments  ·  Privileged Identity Management
  14. Enable MFA check via selfactivate PIM API

    Hello, when attempting to use the API "selfactivate" for certain directory roles (User Administrator in my case), it states that the action can't be conducted because MFA needs to be done in order to escalate to this role. With that said, the Graph API doesn't actually begin the MFA process whatsoever. Can the complete MFA process be enabled when self-activating certain directory roles?

    2 votes
    0 comments  ·  Privileged Identity Management
  15. Add filters for eligible PIM roles

    It would be useful if there were filters on the eligible PIM roles screen. If you have many subscriptions and many different role types, it can be time consuming to locate what role(s) you need to activate, as there are many pages to navigate due to a relatively small number of roles displayed per page.

    Being able to filter on both Subscriptions and Roles would be ideal.

    So you could for example have a view of a particular role on all subscriptions, or all roles for a particular subscription.

    2 votes
    0 comments  ·  Privileged Identity Management
  16. Resource/Subscription view

    In the search bar, when we type a user name, it should show the list of the resources/subscriptions which the user has.

    2 votes
    0 comments  ·  Privileged Identity Management
  17. JIT Access Request

    Users have been given JIT Access to a subscription for the Contributor and Owner roles. Direct access had been given as "Reader Role".

    If a user did not elevate their "Reader Role" to Contributor or Owner, VM validation fails in the last step.

    Is it possible to bring up the page for elevation during the validation rather than re-doing everything from scratch? (i.e. step #1 elevate your permission first step #2 deploy your VM)

    Thank you,

    Allan

    2 votes
    under review  ·  0 comments  ·  Privileged Identity Management
  18. Enable PIM for a specific device only

    If a user requests a PIM activation, approvers should have the ability to restrict privileged access from the device the access was requested from.

    Consider a scenario where an attacker is able to convince an administrator to escalate their privileges for some (fake) legitimate reason (e.g. I need a new site collection in SharePoint Online). If we assume the attacker has compromised the administrator's identity, they would then be able to take on the administrator's privileges from a remote location.

    If the administrator's elevated privileges were restricted to a specific device, the attack would fail.

    2 votes
    under review  ·  2 comments  ·  Privileged Identity Management
  19. Add requestor UPN and email to audit list

    Sometimes I cannot find the requestor in the Active Directory according to the entry in PIM (e.g. Azure AD does not exist as a user). It would be helpful to add the email address and UPN to the requestor column and as a separate column in the Excel export.

    2 votes
    0 comments  ·  Privileged Identity Management
  20. Change behavior in new tab after activating role on Azure AD PIM

    In the current design of Azure AD Privileged Identity Management (PIM), it is required to open a new browser to see the o365 portal for the activated role (e.g. the temporary Global Admin). However, I want to be able to sign in to o365 in a new tab on the current browser instead of opening a new browser. Usually, users open a new tab for a new web page, I think.

    2 votes
    0 comments  ·  Privileged Identity Management