Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Notification to wrong Azure AD domain

    When you enable some new tools (like Azure PIM) the notification came with information that you enable this for domain $XYZ.

    When you have more custom domains added in some order like:
    A Domain
    B Domain
    C Domain (Main domain)
    D Domain

    The notitification came for domain A Domain, not for C Domain (Main Domain). It is something to be wrong or to be considered as bad state?

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  2. Make Azure AD role activation in PIM faster

    Currently activating an Azure AD role such as Global Admin or User Admin in Privileged Identity Management (PIM) takes 15+ minutes to fully activate (this time starts after following the step to sign-out). Even after logging out and back in again, the role will display as active in the Azure AD overview blade, but when trying to take an action such as updating a user license (in the Office 365 portal) or update an App configuration in the Azure AD Portal, the action will fail claiming access denied. After 15-30 minutes, the role finally comes fully active with no notification…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. Make sure that in some situations Eligible users are selectable

    In some other parts of Azure AD, you can only select users if they are currently activated in their role. F.e. the Admin Consent reviewers are only selectable if they have the necessary roles permanent, or are activated at that time. It would be nice, that for these kind of situations you can select all the users eligible for the role as well.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Make PIM audit more robust. Should be able to filter on all of the key categories (for example, filter on Global Administrator approvals)

    Make PIM audit filtering more robust. Should be able to filter on all of the key categories (for example, ability to create a filter for Global Administrator approvals).

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  5. Make PIM more user friendly by adding flash whenever signing 1st time on azure ad PIM

    Whenever we are enabling PIM , we found that portal is not user friendly, there is ROLES, then AZURE AD ROLES then lot of confusing options and even the documentation is not for the beginners, that when we will get consent option,how to check PIM is enabled or not there are lot of people i came accross who are confused with the features and what to enable and all,
    the concepts are clear but how to reach and complete it, its confusing.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  6. PIM - Integrate PIM into Portal configuration of Azure Resource RBAC

    Please consider - Merge GUI elements for PIM into Azure Portal Resource Access Control Panel

    a) Azure RBAC panels should show the PIM role assignments in context, similar to (reverse of) the way that regular permanent role assignments are shown in the PIM GUI.

    b) Azure RBAC Access Control "New Role Assignment" should include the option to make the assignment eligible instead of permanent

    The current implementation puts the functionality in the wrong context - the primary function is not to "manage PIM", it is to "assign roles for a resource".

    Thanks
    Ben

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. PIM - Configure default settings for all role assignments

    Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.

    Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.

    e.g. I would like PIM eligible assignment to default to a maxiumum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.

    Thanks
    Ben.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  8. PIM - Allow users to extend period of activation for activated eligible roles

    Several times I need to start something that requires a PIM role, when the PIM role is already active but will expire soon (say, 10 minutes). I need to extend the activation period to cover, say, 60 minutes, but this is not possible and I either need to wait until the PIM activation expires, or be disrupted by access failures mid-activity.

    Please consider a new option to PIM role management to allow the extension in time of a role that is already active.

    The current PIM "extend" functionality refers to extension of period of assignment, not period of activation for…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow PIM Members view to display all members and sort via eligible vs permanent assignment. This was recently removed.

    A feature update seems to have changed how the PIM> Azure AD Roles > Members view works. It used to show you all members with assigned roles, and allow you to sort on permanent/eligible/role/etc. Now it appears to only allow you to view one single user at a time.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  10. Too much info all at once no direction!

    Too much info at one time and no direction! I'm sooo confused about this app. Just wanted to update privacy settings to play Realm on my xbox dang...!

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  11. Extend PIM into Enterprise Application User Assignment and Roles

    PIM for only admin of Azure and O365 is fine as a local solution, but it without broader applicability we still need to look for something else to build into our security fabric.

    Please consider extending PIM to make it relevant to account privilege escalation in any system integrated with AAD.

    Extending to just group membership would be a good halfway step, but why not natively support any OAuth2 role assignments?

    Cheers
    Ben

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  12. Ability to disable default alerts

    The default "role assigned outside of PIM" alert generates a lot of noise to global admins due to using the Office 365 Admin center to assign roles (which is technically outside of PIM). It would be nice to be able to turn this alert off rather than re-train admins away from using the O365 Admin Center and to the Azure Portal where PIM resides.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Allow Granular Privileged Role Admin Assignments. E.g. Privileged Role Admin (Azure resource)

    Large organisations will often separate/delegate tenant-wide access management and administration from lower-level (Azure) resource-level assignments. If this were extended to PIM, such that we could delegate the management of PIM Azure Resource role assignments to different Admins than those that manage the PIM AAD Admin role assignments this would be better than the all-or-nothing scenario with the Privileged Role Administrator role.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  14. Reevaluate "potential stale accounts in a privileged role" alert

    This alert is to identify "Accounts in a privileged role that have not changed their password in the past 90 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers."

    Rotating of passwords is not the best way to identify stale accounts. SecureScore has a control that encourages setting passwords to never expire based on research which also led NIST to update their position on password expiration policies and the Microsoft security baseline for win 10 to recommend not expiring passwords. (see below)

    A stale account is one that has not been…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  15. enforced privileged identity management for CSP and report on costumer security blade among other normal security measure.

    Costumers even thrusting their CSP need to have a view and a control over their activities PIM is one of them , and report should be send to the security center that have the abilities to be linked to a SIEM .
    it's also part of a compliance audit, we should not need to add that partner as a B2B guest to do so , it's too much combersome as the trust between the azure AD is exisiting .

    begin to put the admin agent and helpdesk agent as eligible role (i would even suggest by default" .

    CSP Cloud…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  16. More info on audit of resources

    Want to see more activities information when accessing resource audit. Activities detail did not show tickets number info and reason input by user during the activation stage.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  17. The approver to be able to set all at once in PIM.

    "Require approval" and "SELECTED APPROVER" can be set in “Default for all roles” of PIM.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  18. PIM Review Settings

    For PIM, there should be a way and documentation regarding how to change reviewers. Currently when it's set to self-review, there is no way to change the setting except by deleting the review and starting over.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  19. Integrate PIM with Secure Score and e-mail sent to admins

    I don't get e-mails that Global Admins usually receive, unless I am elevated to Global Admin at the time when the e-mail is sent. For example: Azure AD Identity Protection weekly review has stopped been sent out to me unless Global Admin is activated.

    Also, Secure Score says that we only have 1 Global Admin (it recommends at least 2), but we are 10 techs that are eligible for Global Admin. On the other hand, if all 10 techs are elevated, Secure Score says we are too many Global Admins.

    This integration should work against user eligible for Global Admin…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  20. help victims of unauth computer access & account hijacking via MDM & Remote device management

    my personal devices and accounts have been hijacked via abuse of these features. How can I report unauth computer access as well as identify those who abuse access and recover my accounts and identity.

    my personal devices and accounts are being managed without my consent and until recently, I had no knowledge this would be done and I now have limited or no access to internet, out/inbound calls, texts, emails, social media; etc.

    Crisbnice2018@outlook.com; crisysaissync18@outlook.com; cylbbswork18@outlook,com as well as multiple gmail accounts managed via G suite without my consent or knowledge at time of implementation

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base