Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Azure DevOps roles for PIM to control

    Currently, using Azure DevOps with PIM is not supported.

    We can connect our Active Directory to Azure DevOps, but not really control the users, as that is managed via the DevOps Administrator.

    Right now only one Azure DevOps Admin role exists in AAD, with which you can't manage much in DevOps except the AAD policy in the Organization Settings.

    Why not add the Azure DevOps roles like Project Administrators, Project Contributors and Project Readers to Azure Active Directory, so one can enforce the PIM concept also in the Azure DevOps tenant environment?

    1 vote  ·  1 comment  ·  Privileged Identity Management
  2. PIM Groups

    Allow nested groups, or dynamic groups to be controlled by PIM

    We have some dynamic groups for job roles, it would be good if we could manage these in PIM and attach role assignments to the job titles.

    1 vote  ·  0 comments  ·  Privileged Identity Management
  3. Extend PIM role activation time

    Extend PIM role activation time to 30 days

    1 vote  ·  0 comments  ·  Privileged Identity Management
  4. Rename PIM assignments

    It would be good if, when you rename an assignment group, it is updated in PIM; it would also be good if, when you delete an assignment group, it is removed from PIM.

    If you rename the underlying group after you have enabled it in PIM, it does not change in PIM at the moment.
    If you remove an underlying group from Azure AD, it remains in PIM.

    1 vote  ·  0 comments  ·  Privileged Identity Management
  5. PIM Email Delivery Notification Delay

    According to the public article (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications#email-timing-for-activation-approvals) on PIM email notifications, the current expected delay is as follows:
    1. The first two emails sent by the request approval engine can be delayed.
    2. Currently, 90% of emails take three to ten minutes, but for 1% of customers it can be much longer, up to fifteen minutes.

    Can the wait time be decreased?

    Thank you!

    1 vote  ·  0 comments  ·  Privileged Identity Management
  6. Insider Risk Management role in PIM

    The Insider Risk Management role is not available in PIM at the moment. Please add the below role groups to PIM so that users can manage Insider Risk Management features:

    Insider Risk Management Admin
    Insider Risk Management
    Insider Risk Management Analysts
    Insider Risk Management Investigators

    1 vote  ·  0 comments  ·  Privileged Identity Management
  7. Let it detect if there's one already.

    Allow your device to detect if someone already has the authenticator, because this just globs up my phone. Refuse to pay for anything you have when I can acquire it for free. Help should be free!

    1 vote  ·  0 comments  ·  Privileged Identity Management
  8. Allow Privileged Identity Management of Enterprise Application Provisioned Roles

    When you enable provisioning for an application, say another SaaS provider, you can enable roles within the application such as admin or other roles that exist at the other SaaS provider. Having PIM being able to manage that would allow PIM on roles that exist outside of Azure AD.

    Not sure if this is possible but would be great if it could.

    1 vote  ·  0 comments  ·  Privileged Identity Management
  9. Make justification field mandatory for assignment of roles (Eligible or Active)

    Currently the Justification field only pops up when assigning an Active role to a user. This should be mandatory for any role assignment so that there is an audit record of why a user was assigned a role, active or eligible.

    1 vote  ·  0 comments  ·  Privileged Identity Management
  10. Activity-Based Automated Admin Role Search

    A feature where a user can enter the type of activity they need to perform (like app registration), and Azure would suggest the appropriate admin role (i.e. App Admin). The user can then request eligibility approval for that role. This allows users to select the admin role most aligned with their needs, as many do not know which admin role is the most appropriate, and they might be requesting admin roles with more privileges than are necessary for their work activity.

    1 vote  ·  0 comments  ·  Privileged Identity Management
  11. Allow Privileged Identity MFA on time intervals

    If a user activates a PIM role with a valid Azure AD claim, they are prompted for MFA authentication only once - at the first login. As long as the claim remains valid, it allows the user to skip MFA for PIM.

    We should be able to set a timeout that requires a user to re-authenticate after a certain amount of time. For example, if I PIM to an Owner role against Azure resources, I should be prompted for MFA if a week has passed since my last time doing so.

    This allows us to ensure stringent security on sensitive…

    1 vote  ·  0 comments  ·  Privileged Identity Management
  12. Make PIM more user friendly by adding a flash whenever signing in for the first time to Azure AD PIM

    Whenever we are enabling PIM, we find that the portal is not user friendly: there is ROLES, then AZURE AD ROLES, then a lot of confusing options, and even the documentation is not for beginners (when we will get the consent option, how to check whether PIM is enabled or not). There are a lot of people I came across who are confused with the features and what to enable and all;
    the concepts are clear, but how to reach and complete it is confusing.

    1 vote  ·  unplanned  ·  0 comments  ·  Privileged Identity Management
  13. Extend PIM into Enterprise Application User Assignment and Roles

    PIM for only admins of Azure and O365 is fine as a local solution, but without broader applicability we still need to look for something else to build into our security fabric.

    Please consider extending PIM to make it relevant to account privilege escalation in any system integrated with AAD.

    Extending to just group membership would be a good halfway step, but why not natively support any OAuth2 role assignments?

    Cheers
    Ben

    1 vote  ·  0 comments  ·  Privileged Identity Management
  14. Reevaluate "potential stale accounts in a privileged role" alert

    This alert is to identify "Accounts in a privileged role that have not changed their password in the past 90 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers."

    Rotating passwords is not the best way to identify stale accounts. Secure Score has a control that encourages setting passwords to never expire, based on research which also led NIST to update their position on password expiration policies and the Microsoft security baseline for Windows 10 to recommend not expiring passwords. (see below)

    A stale account is one that has not been…

    1 vote  ·  under review  ·  0 comments  ·  Privileged Identity Management
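    As an added example (not from the post above and not Microsoft's code), the Python below compares the 90-day password-age heuristic quoted in the alert text with a sign-in-activity check over a constructed set of privileged users. The record fields follow the Microsoft Graph user resource (lastPasswordChangeDateTime and signInActivity.lastSignInDateTime / lastNonInteractiveSignInDateTime); the tenant data, the role names attached to each record and the fixed evaluation time are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed evaluation time so the results are reproducible (assumption for the example).
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
WINDOW = timedelta(days=90)


@dataclass
class PrivilegedUser:
    upn: str
    role: str
    last_password_change: Optional[datetime]
    last_sign_in: Optional[datetime]  # latest interactive or non-interactive sign-in; None = none recorded


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse a Graph-style ISO 8601 UTC timestamp such as '2021-02-28T09:12:00Z'; None stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_graph(record: dict, role: str) -> PrivilegedUser:
    """Build a PrivilegedUser from a Graph user object selected with
    userPrincipalName, lastPasswordChangeDateTime and signInActivity."""
    activity = record.get("signInActivity") or {}
    sign_ins = [t for t in (_parse_ts(activity.get("lastSignInDateTime")),
                            _parse_ts(activity.get("lastNonInteractiveSignInDateTime")))
                if t is not None]
    return PrivilegedUser(
        upn=record["userPrincipalName"],
        role=role,
        last_password_change=_parse_ts(record.get("lastPasswordChangeDateTime")),
        last_sign_in=max(sign_ins) if sign_ins else None,
    )


def password_age_stale(u: PrivilegedUser, now: datetime = NOW, window: timedelta = WINDOW) -> bool:
    """The heuristic quoted in the post: password not changed within the window (default 90 days)."""
    return u.last_password_change is None or now - u.last_password_change > window


def sign_in_stale(u: PrivilegedUser, now: datetime = NOW, window: timedelta = WINDOW) -> bool:
    """Activity-based alternative: no sign-in of any kind within the window."""
    return u.last_sign_in is None or now - u.last_sign_in > window


def compare(users: List[PrivilegedUser], now: datetime = NOW, window: timedelta = WINDOW) -> Dict[str, str]:
    """Classify each user by how the two heuristics relate:
       'agree-stale'    both flag the account
       'agree-active'   neither flags it
       'false-positive' password-age flags it but the account signed in recently
       'missed'         password was rotated recently (e.g. by a script) but nobody has signed in"""
    verdicts = {}
    for u in users:
        p, s = password_age_stale(u, now, window), sign_in_stale(u, now, window)
        if p and s:
            verdicts[u.upn] = "agree-stale"
        elif not p and not s:
            verdicts[u.upn] = "agree-active"
        elif p and not s:
            verdicts[u.upn] = "false-positive"
        else:
            verdicts[u.upn] = "missed"
    return verdicts


# Constructed sample directory (not real tenant data).
SAMPLE = [
    ({"userPrincipalName": "alice@contoso.example",
      "lastPasswordChangeDateTime": "2020-06-01T08:00:00Z",   # never-expire policy, active admin
      "signInActivity": {"lastSignInDateTime": "2021-02-28T09:12:00Z",
                         "lastNonInteractiveSignInDateTime": "2021-02-28T11:40:00Z"}},
     "Global Administrator"),
    ({"userPrincipalName": "svc-backup@contoso.example",
      "lastPasswordChangeDateTime": "2021-01-15T02:00:00Z",   # rotated by a script, nobody signs in
      "signInActivity": {"lastSignInDateTime": "2020-09-01T03:00:00Z"}},
     "Exchange Administrator"),
    ({"userPrincipalName": "bob@contoso.example",
      "lastPasswordChangeDateTime": "2021-02-01T10:00:00Z",
      "signInActivity": {"lastSignInDateTime": "2021-02-27T16:05:00Z"}},
     "User Administrator"),
    ({"userPrincipalName": "old-contractor@contoso.example",
      "lastPasswordChangeDateTime": "2020-01-01T00:00:00Z",
      "signInActivity": {}},                                  # no sign-in ever recorded
     "Security Administrator"),
]
SAMPLE_USERS = [from_graph(rec, role) for rec, role in SAMPLE]

if __name__ == "__main__":
    for upn, verdict in compare(SAMPLE_USERS).items():
        print(f"{upn:35} {verdict}")
```

    Run stand-alone it prints one verdict per user: the active Global Administrator on a never-expire password shows up as a false positive of the password-age rule, while the service account whose password a script rotates every few weeks is the case that rule misses even though nothing has signed in with it for six months.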
  15. Enforce privileged identity management for CSP and report on the customer security blade among other normal security measures.

    Customers, even trusting their CSP, need to have a view of and control over their activities; PIM is one of them, and a report should be sent to the Security Center, which has the ability to be linked to a SIEM.
    It's also part of a compliance audit; we should not need to add that partner as a B2B guest to do so, it's too cumbersome as the trust between the Azure ADs is existing.

    Begin to put the Admin Agent and Helpdesk Agent as eligible roles (I would even suggest by default).

    CSP Cloud…

    1 vote  ·  started  ·  0 comments  ·  Privileged Identity Management
  16. The approver to be able to set all at once in PIM.

    "Require approval" and "SELECTED APPROVER" can be set in “Default for all roles” of PIM.

    1 vote  ·  under review  ·  0 comments  ·  Privileged Identity Management
  17. Automatically elevate users in approver-groups

    Automatically elevate eligible requests from group members selected as approvers. Optionally make it possible to exclude users from requiring approval.

    Example: the Developer team should be eligible for elevating to Contributor. Developer Tech Leads are approvers for requests, but should not be required to approve their own requests as they are also part of the Developer team.

    1 vote  ·  0 comments  ·  Privileged Identity Management
  18. Extend PIM to include support for Exchange Online Role Groups. Currently it is only for Azure AD and Azure Subscription

    1 vote  ·  under review  ·  0 comments  ·  Privileged Identity Management
  19. Grant co-admin permission (with owner) to manage azure subscriptions with PIM

    Please add the option to grant permission to Owner + co-admin (to manage subscriptions with the classic API) with PIM.

    https://github.com/MicrosoftDocs/azure-docs/issues/15094#issuecomment-422116208

    1 vote  ·  under review  ·  0 comments  ·  Privileged Identity Management
  20. Log all activities (outside of AAD)

    When assigning Global Admin roles it would be very helpful if events that are not in AAD are also logged, for example when the admin changes something in Intune etc.

    1 vote  ·  0 comments  ·  Privileged Identity Management

    We’ve had feedback from customers they want to use Azure Monitor or Sentinel for this. We send all our events to the Azure AD Audit log. These events can be sent to Azure Monitor and Sentinel. Does this solve the ask?
