Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Add requestor UPN and email to audit list

    Sometimes I cannot find the requestor in the Active Directory according to the entry in PIM (e.g. Azure AD does not exist as a user). It would be helpful to add the email address and UPN to the requestor column and as a separate column in the Excel export.

    2 votes

    0 comments  ·  Privileged Identity Management
  2. Change behavior in new tab after activating role on Azure AD PIM

    In the current design of Azure AD Privileged Identity Management (PIM), it is required to open a new browser to see the O365 portal for the activated role (e.g. the temporary Global Admin). However, I want to be able to sign in to O365 in a new tab of the current browser instead of opening a new browser. Usually, users open a new tab for a new web page, I think.

    2 votes

    0 comments  ·  Privileged Identity Management
  3. Notification to wrong Azure AD domain

    When you enable some new tools (like Azure PIM), the notification comes with information that you enabled this for domain $XYZ.

    When you have more custom domains added in some order like:
    A Domain
    B Domain
    C Domain (Main domain)
    D Domain

    The notification came for A Domain, not for C Domain (Main Domain). Is this something wrong, or is it to be considered a bad state?

    2 votes

    0 comments  ·  Privileged Identity Management
  4. PIM sync on-prem so you can get just-in-time for on-prem admin accounts

    Is it on the roadmap to have some sort of sync / agent / function that allows you to use just-in-time functionality on-prem for admin accounts without syncing "admin accounts" up to Azure AD?

    1 vote

    0 comments  ·  Privileged Identity Management
  5. In the absence of an approver

    Currently PIM sends a notification to all approvers when a request is made to activate a privileged role in PIM. It would be nice if the approval workflow could be configured in a hierarchical manner: if the 1st approver is not available, it resends the notification to the 2nd approver.

    1 vote

    0 comments  ·  Privileged Identity Management
  6. Approver mobile app to approve or deny the request

    Currently the approvers for PIM roles receive an email with a link and need to log in to Azure AD to approve or deny the request, which is becoming a bit of a tedious task for managers approving privileged role activation requests. A mobile app to approve or deny the request would be a more efficient way for the manager to respond to requests for privileged role activation from PIM.

    1 vote

    0 comments  ·  Privileged Identity Management
  7. Azure Databricks SCIM Connector

    Privileged Access Groups (PAG) can be used as groups for the Azure Databricks SCIM connector. These PAGs contain member users (USER01). When provisioning happens in SCIM, the PAG is provisioned into the Databricks workspace.

    Now USER01 can log in to portal.azure.com and activate their eligible member role.

    Now the issue is: the provisioning interval is 40 minutes and fixed. Until the provisioning cycle kicks off, USER01 is not going to be shown in the Databricks workspace.

    If we could get an option within the Azure Databricks SCIM connector to provision automatically in real time as soon as changes happen within…

    1 vote

    0 comments  ·  Privileged Identity Management
  8. Allow built-in local admin roles to be centrally managed in Azure AD / PIM

    Currently when you manage roles in PIM, you are able to manage the roles centrally for all Azure AD services. However there are several services where you can set roles that will only apply for that specific service as noted here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-microsoft-365-compliance-security?view=o365-worldwide#breaking-inheritance

    This can make it hard to track all the assigned permissions across all services and leave open gaps that can cause security issues. It would be great to have a central place to view and manage all the permissions across each service.

    1 vote

    0 comments  ·  Privileged Identity Management
  9. fix the caching issue!

    Every time I assign myself a role, I have to log out of the O365 portal, clear my browser cache, then sign back in, and even then it doesn't always work. It's been getting worse the more I use Azure PIM.

    1 vote

    0 comments  ·  Privileged Identity Management
  10. For eligible assignment through PIM, increase time up to 4 days

    Currently for a PIM eligible assignment, users can activate only for a maximum of 24 hours. This is good but does not work for roles like SharePoint administrator. After activating the SharePoint administrator role, SharePoint takes 24 to 72 hours for the role to be activated in SharePoint. The other option is to give an active assignment to the SharePoint role for 4 days and then wait for SharePoint to reflect the permissions. Either PIM should allow eligible assignment activation up to 4 days, or SharePoint should fix it for immediate sync from Azure AD to SharePoint.

    1 vote

    0 comments  ·  Privileged Identity Management
  11. How to manage Azure Service Principal in PIM?

    We have Azure service principals and are looking for a solution to manage them: automatic onboarding and secret key rotation. Is Azure PIM the solution?

    1 vote

    0 comments  ·  Privileged Identity Management
  12. Global Administrator role via group

    When I assign the Global Administrator role via a security group to someone, he/she is not able to access the Exchange admin portal.

    1 vote

    0 comments  ·  Privileged Identity Management
  13. Allow additional recipient email for Request to approve an activation

    Our privileged identities and PIM approvers do not have an email address assigned to them. This means that the approvers never see an email to approve a request.
    Please allow us to add the approver's personal email address as an additional recipient for "Request to approve an activation".

    1 vote

    0 comments  ·  Privileged Identity Management
  14. Authentication Policy Admin role

    The new role "AUTHENTICATION POLICY ADMINISTRATOR" lets you import the OATH hardware token seed file, and then it shows the error that the import failed.
    When the same file is imported by the Global Admin role, it goes through successfully.

    Looks like broken or untested functionality of the new role.

    1 vote

    0 comments  ·  Privileged Identity Management
  15. PIM - Powershell for Azure Roles

    The AzureADPreview module includes PIM cmdlets that purport to enable reporting on PIM role assignments for Azure resources (https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureadmsprivilegedroleassignment), but it doesn't seem to work, and there is no documentation or examples that include how to get subscription-level assignments (i.e. what is the "ResourceID" for a subscription?). There is documentation on doing this for AAD (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/powershell-for-azure-ad-roles), but nothing for ARM.

    Please make PIM for Azure Resources completely manageable from PowerShell.

    1 vote

    0 comments  ·  Privileged Identity Management
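    Added example, not part of the post above and not a Microsoft sample: one way to answer the "what is the ResourceID for a subscription" question with the same AzureADPreview module. PIM for Azure Resources keys every onboarded ARM resource by its own GUID (`Id`), and exposes the ARM path (`ExternalId`, e.g. `/subscriptions/<guid>`) alongside it, so the subscription list is retrieved with `Get-AzureADMSPrivilegedResource` and its `Id` is what the `-ResourceId` parameter expects. The cmdlet names, the `azureResources` provider id, the `-Filter` syntax and the output property names (`Id`, `ExternalId`, `DisplayName`, `RoleDefinitionId`, `SubjectId`, `AssignmentState`, `MemberType`, `EndDateTime`) are taken from the module's published reference and are assumptions of this example; the output file name is arbitrary.

```powershell
# Added example (not from the UserVoice post): report PIM for Azure Resources
# assignments for every subscription PIM knows about, using AzureADPreview.
# Assumes the cmdlets and output properties documented for that module.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# 'azureResources' is the PIM provider for ARM; 'aadRoles' is the Azure AD roles side.
$provider = 'azureResources'

# PIM identifies ARM resources by its own GUID (Id). ExternalId carries the ARM path
# (/subscriptions/<guid>), which is how a subscription maps to a PIM ResourceId.
$subscriptions = Get-AzureADMSPrivilegedResource -ProviderId $provider -Filter "Type eq 'subscription'"

$report = foreach ($sub in $subscriptions) {
    # Resolve role definition GUIDs (Owner, Contributor, ...) to names once per subscription.
    $roleNames = @{}
    Get-AzureADMSPrivilegedRoleDefinition -ProviderId $provider -ResourceId $sub.Id |
        ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

    Get-AzureADMSPrivilegedRoleAssignment -ProviderId $provider -ResourceId $sub.Id |
        ForEach-Object {
            [pscustomobject]@{
                Subscription    = $sub.DisplayName
                ArmPath         = $sub.ExternalId
                Role            = $roleNames[$_.RoleDefinitionId]
                SubjectId       = $_.SubjectId          # user, group or service principal object id
                AssignmentState = $_.AssignmentState    # Eligible or Active
                MemberType      = $_.MemberType         # Direct, Group or Inherited
                ExpiresUtc      = $_.EndDateTime        # empty for permanent assignments
            }
        }
}

# Permanent active Owner assignments are the ones a reviewer wants to see first:
# they bypass PIM activation entirely.
$report |
    Where-Object { $_.AssignmentState -eq 'Active' -and $_.Role -eq 'Owner' -and -not $_.ExpiresUtc } |
    Format-Table Subscription, Role, SubjectId, MemberType -AutoSize

# Full export for offline review.
$report | Export-Csv -Path .\pim-azure-resource-assignments.csv -NoTypeInformation
```

    Two caveats: only subscriptions that have been discovered/onboarded in PIM are returned by `Get-AzureADMSPrivilegedResource`, so an empty list usually means the subscription was never registered with PIM rather than that it has no assignments; and the account running this needs read access to PIM for those resources (an Owner or User Access Administrator on the subscription, or an Azure AD role that can read PIM), otherwise the calls return nothing or an authorization error.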
  17. Additional detail in email subject for Azure Resources

    When escalating to gain access to an Azure resource, in our case an Azure subscription, the email that is sent mentions the fact that we have elevated to Owner, but does not mention which Azure subscription we are working with.

    When you have hundreds of these emails, it makes it difficult for anyone overseeing the PIM service to know which elevations are in need of a closer inspection.

    The AAD roles side does display this level of detail, so the Azure Resources side of PIM needs to work in a similar way.

    1 vote

    0 comments  ·  Privileged Identity Management
  18. PIM groups for B2B accounts

    When trying to manage PIM groups as an owner with a privileged admin role using a B2B account, you cannot access the PIM preview feature. This works fine for tenant accounts, but with the same access using a B2B account the PIM blade shows no groups, and in Azure AD when opening the PIM blade under a group no information is shown.

    1 vote

    0 comments  ·  Privileged Identity Management
  19. BUG: Email notifications for PIM going to all eligible users

    At present it's only happening for resource group level PIM role assignments.

    Basically all the email notifications that should go to "Admin" (a very vague description too, BTW) seem to be going to everyone who could possibly elevate to that role as well. This doesn't happen for any other subscription-wide or AAD role activations through PIM.

    I don't believe we see this on any custom roles.

    For example:
    RG-test-uks
    Owner role for this RG activated by a user 'A'
    All other users who could also activate receive the notification that user 'A' has activated that role.

    1 vote

    0 comments  ·  Privileged Identity Management
  20. PIM (Privileged Identity Management). We have a need to

    Similar to "PIM - Different policies for one role".

    In this case, two users: both are put into the "eligible" list for the same role. One requires the request to be accepted by a manager. The other is automatically granted the request when he "activates" his role.

    Currently, to do this, one user has to be permanently in the "active" tab, and the other has to be in the "eligible" tab.

    1 vote

    0 comments  ·  Privileged Identity Management