Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Enable PIM for a specific device only

    If a user requests a PIM activation, approvers should have the ability to restrict privileged access from the device the access was requested from.

    Consider a scenario where an attacker is able to convince an administrator to escalate their privileges for some (fake) legitimate reason (e.g. I need a new site collection in SharePoint Online). If we assume the attacker has compromised the administrator's identity, they would then be able to take on the administrator's privileges from a remote location.

    If the administrator's elevated privileges were restricted to a specific device, the attack would fail.

    2 votes
    under review  ·  2 comments  ·  Privileged Identity Management
  2. Add requestor UPN and email to audit list

    Sometimes I cannot find the requestor in the Active Directory according to the entry in PIM (e.g. Azure AD does not exist as user). It would be helpful to add the email address and UPN to the requestor column and as separate column in the Excel export.

    2 votes
    0 comments  ·  Privileged Identity Management
  3. Change behavior in new tab after activating role on Azure AD PIM

    In current design of Azure AD Privileged Identity Management (PIM), it is required to open a new browser to see o365 portal for activated role (e.g. the temporary Global Admin). However, I want availability by sign-in o365 in a new tab on the current browser instead of opening a new browser. Usually, users open new tab for new web page, I think.

    2 votes
    0 comments  ·  Privileged Identity Management
  4. Notification to wrong Azure AD domain

    When you enable some new tools (like Azure PIM) the notification came with information that you enable this for domain $XYZ.

    When you have more custom domains added in some order like:
    A Domain
    B Domain
    C Domain (Main domain)
    D Domain

    The notification came for domain A Domain, not for C Domain (Main Domain). It is something to be wrong or to be considered as bad state?

    2 votes
    0 comments  ·  Privileged Identity Management
  5. More info on audit of resources

    Want to see more activities information when accessing resource audit. Activities detail did not show tickets number info and reason input by user during the activation stage.

    1 vote
    0 comments  ·  Privileged Identity Management
  6. The approver to be able to set all at once in PIM.

    "Require approval" and "SELECTED APPROVER" can be set in “Default for all roles” of PIM.

    1 vote
    0 comments  ·  Privileged Identity Management
  7. Add Roles and Groups from other M365 services to PIM

    Enable PIM to support roles and groups from other M365 services such as Intune Roles and AzureAD groups to support services like MCAS and Defender ATP

    1 vote
    0 comments  ·  Privileged Identity Management
  8. To provide the option to the admins to enforce the Password complexity options by selecting all the 4 combinations of properties.

    Admins should be able to manage AD as well as Azure AD to enforce password complexity by using all 4 options. Currently only 3 out of 4 are applied while changing user password,

    Characters allowed
    A – Z
    a - z
    0 – 9
    @ # $ % ^ & * - _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ " ( ) ;
    blank space

    1 vote
    0 comments  ·  Privileged Identity Management

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

  9. PIM Review Settings

    For PIM, there should be a way and documentation regarding how to change reviewers. Currently when it's set to self-review, there is no way to change the setting except by deleting the review and starting over.

    1 vote
    0 comments  ·  Privileged Identity Management
  10. Organization Management / Search and Purge

    In order to combat dangerous / phishing messages, is it possible to add the O365 Organization Management or the Search and Purge management role into PIM?

    Since these roles are very powerful, it would be great if they can be added.

    1 vote
    0 comments  ·  Privileged Identity Management
  11. PowerShell module to manage and configure Azure RM PIM roles

    It is tedious and error-prone to manually configure PIM roles on multiple individual resources/resource groups through the portal. Would be nice to have a PowerShell module to make this task easier.

    1 vote
    0 comments  ·  Privileged Identity Management
  12. Access review

    Option to initiate one access review for multiple resource roles (like Owner & Contributor).

    Currently we need to create separate access review for each resource role in Azure PIM . We need option to initiate one access review for multiple roles.

    1 vote
    0 comments  ·  Privileged Identity Management
  13. Integrate PIM with Secure Score and e-mail sent to admins

    I don't get e-mails that Global Admins usually receive, unless I am elevated to Global Admin at the time when the e-mail is sent. For example: Azure AD Identity Protection weekly review has stopped being sent out to me unless Global Admin is activated.

    Also, Secure Score says that we only have 1 Global Admin (it recommends at least 2), but we are 10 techs that are eligible for Global Admin. On the other hand, if all 10 techs are elevated, Secure Score says we are too many Global Admins.

    This integration should work against user eligible for Global Admin…

    1 vote
    0 comments  ·  Privileged Identity Management
  14. Change Email notifications of PIM

    I'd like to change Email notifications of PIM.
    We would like to select users who can receive email.

    1 vote
    0 comments  ·  Privileged Identity Management
  15. help victims of unauth computer access & account hijacking via MDM & Remote device management

    My personal devices and accounts have been hijacked via abuse of these features. How can I report unauth computer access as well as identify those who abuse access and recover my accounts and identity.

    My personal devices and accounts are being managed without my consent and until recently, I had no knowledge this would be done and I now have limited or no access to internet, out/inbound calls, texts, emails, social media; etc.

    Crisbnice2018@outlook.com; crisysaissync18@outlook.com; cylbbswork18@outlook,com as well as multiple gmail accounts managed via G suite without my consent or knowledge at time of implementation

    1 vote
    0 comments  ·  Privileged Identity Management
  16. Download the User's list in Alerts for Azure AD

    At the moment we are not able to download the information with the users listed in Azure AD roles - Alerts. It would be very helpful if we had this option as we have in Access Reviews.

    1 vote
    1 comment  ·  Privileged Identity Management
  17. Automatically elevate users in approver-groups

    Automatically elevate eligible requests from group members selected as approvers. Optionally make it possible to exclude users from requiring approval.

    Example; Developer team should be eligible for elevating to Contributor. Developer Tech Leads are Approver for requests. But should not be required to approve their own requests as they are also part of Developer team.

    1 vote
    0 comments  ·  Privileged Identity Management
  18. Extend PIM to include support for Exchange Online Role Groups. Currently it is only for Azure AD and Azure Subscription

    Extend PIM to include support for Exchange Online Role Groups. Currently it is only for Azure AD and Azure Subscription

    1 vote
    0 comments  ·  Privileged Identity Management
  19. Grant co-admin permission (with owner) to manage azure subscriptions with PIM

    Please add the option to grant permission to owner+co-admin (to managed subscriptions with classic API) with PIM.

    https://github.com/MicrosoftDocs/azure-docs/issues/15094#issuecomment-422116208

    1 vote
    0 comments  ·  Privileged Identity Management
  20. Include whatever permissions are necessary to access the newer Teams & Skype admin center in the Skype for Business Administrator role.

    There is an AAD role for Skype for Business Administrator, but it doesn't work properly with the new Teams & Skype admin center in O365. You have to do a PIM request for Global Admin to get to it.

    1 vote
    1 comment  ·  Privileged Identity Management