Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Integrate PIM with Secure Score and e-mail sent to admins

    I don't get e-mails that Global Admins usually receive, unless I am elevated to Global Admin at the time when the e-mail is sent. For example: the Azure AD Identity Protection weekly review has stopped being sent to me unless Global Admin is activated.

    Also, Secure Score says that we only have 1 Global Admin (it recommends at least 2), but we are 10 techs that are eligible for Global Admin. On the other hand, if all 10 techs are elevated, Secure Score says we are too many Global Admins.

    This integration should work against users eligible for Global Admin…

    2 votes

    0 comments  ·  Privileged Identity Management
  2. When a role is currently active, always allow future activations to be scheduled.

    When my role is elevated the 'Activate' button is not always enabled to allow me to schedule a future activation of the current role, if needed. Sometimes the Activate button is enabled and other times it is not. I do not see a consistent pattern to determine why I can sometimes schedule future activations or not.

    Currently, only seeing this for the SharePoint Service Administrator role (as that is the only role I used PIM for). I know this PIM is still in preview for this role, so may not be affecting other roles.

    2 votes

    0 comments  ·  Privileged Identity Management
  3. Enable MFA check via selfactivate PIM API

    Hello, when attempting to use the API "selfactivate" for certain directory roles (User Administrator in my case), it states that the action can't be conducted because MFA needs to be done in order to escalate to this role. With that said, the Graph API doesn't actually begin the MFA process whatsoever. Can the complete MFA process be enabled when self-activating certain directory roles?

    2 votes

    0 comments  ·  Privileged Identity Management
  4. help victims of unauth computer access & account hijacking via MDM & Remote device management

    My personal devices and accounts have been hijacked via abuse of these features. How can I report unauthorized computer access, as well as identify those who abuse access and recover my accounts and identity?

    My personal devices and accounts are being managed without my consent and, until recently, I had no knowledge this would be done. I now have limited or no access to internet, outbound/inbound calls, texts, emails, social media, etc.

    Crisbnice2018@outlook.com; crisysaissync18@outlook.com; cylbbswork18@outlook,com as well as multiple gmail accounts managed via G suite without my consent or knowledge at time of implementation

    2 votes

    0 comments  ·  Privileged Identity Management
  5. Add filters for eligible PIM roles

    It would be useful if there were filters on the eligible PIM roles screen. If you have many subscriptions and many different role types, it can be time consuming to locate what role(s) you need to activate, as there are many pages to navigate due to the relatively small number of roles displayed per page.

    Being able to filter on both Subscriptions and Roles would be ideal.

    So you could for example have a view of a particular role on all subscriptions, or all roles for a particular subscription.

    2 votes

    0 comments  ·  Privileged Identity Management
  6. Resource /Subscription view

    In the search bar, when we type a user name it should show the list of the resources/subscriptions which the user has.

    2 votes

    0 comments  ·  Privileged Identity Management
  7. JIT Access Request

    Users have been given JIT access to a subscription for the Contributor and Owner roles. They had been given direct access as "Reader Role".

    If a user did not elevate their "Reader Role" to Contributor or Owner, VM validation fails in the last step.

    Is it possible to bring up the page for elevation during the validation rather than re-doing everything from scratch? (i.e. step #1 elevate your permission first step #2 deploy your VM)

    Thank you,

    Allan

    2 votes

    under review  ·  0 comments  ·  Privileged Identity Management
  8. Enable PIM for a specific device only

    If a user requests a PIM activation, approvers should have the ability to restrict privileged access from the device the access was requested from.

    Consider a scenario where an attacker is able to convince an administrator to escalate their privileges for some (fake) legitimate reason (e.g. "I need a new site collection in SharePoint Online"). If we assume the attacker has compromised the administrator's identity, they would then be able to take on the administrator's privileges from a remote location.

    If the administrator's elevated privileges were restricted to a specific device, the attack would fail.

    2 votes

    under review  ·  2 comments  ·  Privileged Identity Management
  9. Add requestor UPN and email to audit list

    Sometimes I cannot find the requestor in the Active Directory according to the entry in PIM (e.g. the Azure AD user does not exist). It would be helpful to add the email address and UPN to the requestor column, and as a separate column in the Excel export.

    2 votes

    0 comments  ·  Privileged Identity Management
  10. Change behavior in new tab after activating role on Azure AD PIM

    In the current design of Azure AD Privileged Identity Management (PIM), it is required to open a new browser to see the O365 portal for the activated role (e.g. the temporary Global Admin). However, I want the ability to sign in to O365 in a new tab of the current browser instead of opening a new browser. Usually, users open a new tab for a new web page, I think.

    2 votes

    0 comments  ·  Privileged Identity Management
  11. Notification to wrong Azure AD domain

    When you enable some new tools (like Azure PIM), the notification comes with information that you enabled this for domain $XYZ.

    When you have more custom domains added in some order like:
    A Domain
    B Domain
    C Domain (Main domain)
    D Domain

    The notification came for domain A Domain, not for C Domain (Main Domain). Is this something wrong, or is it to be considered a bad state?

    2 votes

    0 comments  ·  Privileged Identity Management
  12. Send Microsoft Service emails to Eligible Global Admins

    We recently bought new Windows 10 Enterprise E3 licenses. An email from the Microsoft Online Services Team informing us of the availability of these licenses in our tenant was sent to all 'Assigned' Global Administrators, but not to the PIM-managed eligible Global Admins.

    Ideally we would like to have all Global Admins managed by PIM, excluding only the emergency access accounts.

    1 vote

    0 comments  ·  Privileged Identity Management
  13. Make PIM audit more robust. Should be able to filter on all of the key categories (for example, filter on Global Administrator approvals)

    Make PIM audit filtering more robust. Should be able to filter on all of the key categories (for example, ability to create a filter for Global Administrator approvals).

    1 vote

    0 comments  ·  Privileged Identity Management
  14. Make PIM more user friendly by adding a flash whenever signing in for the 1st time on Azure AD PIM

    Whenever we are enabling PIM, we find that the portal is not user friendly: there is ROLES, then AZURE AD ROLES, then a lot of confusing options, and even the documentation is not for beginners (when we will get the consent option, how to check whether PIM is enabled or not). There are a lot of people I came across who are confused with the features and what to enable.
    The concepts are clear, but how to reach and complete it is confusing.

    1 vote

    0 comments  ·  Privileged Identity Management
  15. PIM - Integrate PIM into Portal configuration of Azure Resource RBAC

    Please consider - Merge GUI elements for PIM into Azure Portal Resource Access Control Panel

    a) Azure RBAC panels should show the PIM role assignments in context, similar to (reverse of) the way that regular permanent role assignments are shown in the PIM GUI.

    b) Azure RBAC Access Control "New Role Assignment" should include the option to make the assignment eligible instead of permanent

    The current implementation puts the functionality in the wrong context - the primary function is not to "manage PIM", it is to "assign roles for a resource".

    Thanks
    Ben

    1 vote

    0 comments  ·  Privileged Identity Management
  16. PIM - Allow users to extend period of activation for activated eligible roles

    Several times I need to start something that requires a PIM role, when the PIM role is already active but will expire soon (say, 10 minutes). I need to extend the activation period to cover, say, 60 minutes, but this is not possible and I either need to wait until the PIM activation expires, or be disrupted by access failures mid-activity.

    Please consider a new option to PIM role management to allow the extension in time of a role that is already active.

    The current PIM "extend" functionality refers to extension of period of assignment, not period of activation for…

    1 vote

    0 comments  ·  Privileged Identity Management
  17. Allow PIM Members view to display all members and sort via eligible vs permanent assignment. This was recently removed.

    A feature update seems to have changed how the PIM > Azure AD Roles > Members view works. It used to show you all members with assigned roles, and allow you to sort on permanent/eligible/role/etc. Now it appears to only allow you to view one single user at a time.

    1 vote

    0 comments  ·  Privileged Identity Management
  18. Too much info all at once no direction!

    Too much info at one time and no direction! I'm sooo confused about this app. Just wanted to update privacy settings to play Realm on my xbox dang...!

    1 vote

    0 comments  ·  Privileged Identity Management
  19. Extend PIM into Enterprise Application User Assignment and Roles

    PIM for only admins of Azure and O365 is fine as a local solution, but without broader applicability we still need to look for something else to build into our security fabric.

    Please consider extending PIM to make it relevant to account privilege escalation in any system integrated with AAD.

    Extending to just group membership would be a good halfway step, but why not natively support any OAuth2 role assignments?

    Cheers
    Ben

    1 vote

    0 comments  ·  Privileged Identity Management
  20. Ability to disable default alerts

    The default "role assigned outside of PIM" alert generates a lot of noise to global admins due to using the Office 365 Admin center to assign roles (which is technically outside of PIM). It would be nice to be able to turn this alert off rather than re-train admins away from using the O365 Admin Center and to the Azure Portal where PIM resides.

    1 vote

    0 comments  ·  Privileged Identity Management