Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Insider Risk Management Role In PIM

    The Insider Risk Management role is not available in PIM at the moment. Please add the below role groups to PIM so that users can manage insider risk management features:

    Insider Risk Management Admin
    Insider Risk Management
    Insider Risk Management Analysts
    Insider Risk Management Investigators

    1 vote
    0 comments  ·  Privileged Identity Management
  2. Let it detect if there's one already.

    Allow your device to detect if someone already has the authenticator, because this just globs up my phone. Refuse to pay for anything you have when I can acquire it for free. Help should be free!

    1 vote
    0 comments  ·  Privileged Identity Management
  3. Allow Privileged Identity Management of Enterprise Application Provisioned Roles

    When you enable provisioning for an application, say another SaaS provider, you can enable roles within the application such as admin or other roles that exist at the other SaaS provider. Having PIM able to manage that would allow PIM on roles that exist outside of Azure AD.

    Not sure if this is possible but would be great if it could.

    1 vote
    0 comments  ·  Privileged Identity Management
  4. Make justification field mandatory for assignment of roles (Eligible or Active)

    Currently the Justification field only pops up when assigning an Active role to a user. This should be mandatory for any role assignment so that there is an audit record of why a user was assigned a role, active or eligible.

    1 vote
    0 comments  ·  Privileged Identity Management
  5. Activity-Based Automated Admin Role Search

    A feature where a user can enter the type of activity they need to perform (like app registration), and Azure would suggest the appropriate admin role (i.e. App Admin). The user can then request eligibility approval for that role. This allows users to select the admin role most aligned with their needs, as many do not know which admin role is the most appropriate, and they might be requesting admin roles with more privileges than are necessary for their work activity.

    1 vote
    0 comments  ·  Privileged Identity Management
  6. Allow Privileged Identity MFA on time intervals

    If a user activates a PIM role with a valid Azure AD claim, they are prompted for MFA authentication only once - at the first login. As long as the claim remains valid, it allows the user to skip MFA for PIM.

    We should be able to set a timeout that requires a user to re-authenticate after a certain amount of time. For example, if I PIM to an Owner role against Azure resources, I should be prompted for MFA if a week has passed since my last time doing so.

    This allows us to ensure stringent security on sensitive…

    1 vote
    0 comments  ·  Privileged Identity Management
  7. Make PIM more user friendly by adding a flash whenever signing in for the first time on Azure AD PIM

    Whenever we are enabling PIM, we found that the portal is not user friendly: there is ROLES, then AZURE AD ROLES, then a lot of confusing options, and even the documentation is not for beginners (when we will get the consent option, how to check whether PIM is enabled or not). There are a lot of people I came across who are confused with the features and what to enable. The concepts are clear, but how to reach and complete it is confusing.

    1 vote
    unplanned  ·  0 comments  ·  Privileged Identity Management
  8. Extend PIM into Enterprise Application User Assignment and Roles

    PIM for only admin of Azure and O365 is fine as a local solution, but without broader applicability we still need to look for something else to build into our security fabric.

    Please consider extending PIM to make it relevant to account privilege escalation in any system integrated with AAD.

    Extending to just group membership would be a good halfway step, but why not natively support any OAuth2 role assignments?

    Cheers
    Ben

    1 vote
    0 comments  ·  Privileged Identity Management
  9. Reevaluate "potential stale accounts in a privileged role" alert

    This alert is to identify "Accounts in a privileged role that have not changed their password in the past 90 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers."

    Rotating passwords is not the best way to identify stale accounts. SecureScore has a control that encourages setting passwords to never expire, based on research which also led NIST to update their position on password expiration policies and the Microsoft security baseline for Windows 10 to recommend not expiring passwords. (see below)

    A stale account is one that has not been…

    1 vote
    under review  ·  0 comments  ·  Privileged Identity Management
  10. Enforced privileged identity management for CSP, and report on the customer security blade among other normal security measures.

    Customers, even trusting their CSP, need to have a view of and control over their activities; PIM is one of them, and a report should be sent to the security center, which has the ability to be linked to a SIEM.
    It's also part of a compliance audit; we should not need to add that partner as a B2B guest to do so, it's too cumbersome as the trust between the Azure ADs already exists.

    Begin to put the admin agent and helpdesk agent as eligible roles (I would even suggest by default).

    CSP Cloud…

    1 vote
    started  ·  0 comments  ·  Privileged Identity Management
  11. The approver to be able to set all at once in PIM.

    "Require approval" and "SELECTED APPROVER" can be set in “Default for all roles” of PIM.

    1 vote
    under review  ·  0 comments  ·  Privileged Identity Management
  12. Automatically elevate users in approver-groups

    Automatically elevate eligible requests from group members selected as approvers. Optionally make it possible to exclude users from requiring approval.

    Example: the Developer team should be eligible for elevating to Contributor. Developer Tech Leads are approvers for requests, but should not be required to approve their own requests as they are also part of the Developer team.

    1 vote
    0 comments  ·  Privileged Identity Management
  13. Extend PIM to include support for Exchange Online Role Groups. Currently it is only for Azure AD and Azure Subscription

    Extend PIM to include support for Exchange Online Role Groups. Currently it is only for Azure AD and Azure Subscription

    1 vote
    under review  ·  0 comments  ·  Privileged Identity Management
  14. Grant co-admin permission (with owner) to manage Azure subscriptions with PIM

    Please add the option to grant permission to owner + co-admin (to manage subscriptions with the classic API) with PIM.

    https://github.com/MicrosoftDocs/azure-docs/issues/15094#issuecomment-422116208

    1 vote
    under review  ·  0 comments  ·  Privileged Identity Management
  15. Log all activities (outside of AAD)

    When assigning Global Admin roles, it would be very helpful if events outside of AAD were also logged, for example when the admin changes something in Intune, etc.

    1 vote
    0 comments  ·  Privileged Identity Management

    We’ve had feedback from customers that they want to use Azure Monitor or Sentinel for this. We send all our events to the Azure AD Audit log. These events can be sent to Azure Monitor and Sentinel. Does this solve the ask?

  16. Insider Risk Management Role In PIM

    The Insider Risk Management role is not available in PIM at the moment. Please add the below role groups to PIM so that users can manage insider risk management features:

    Insider Risk Management Admin
    Insider Risk Management
    Insider Risk Management Analysts
    Insider Risk Management Investigators

    0 votes
    0 comments  ·  Privileged Identity Management