Users that have a presence in multiple tenants need a way to self update their MFA methods for "other organizations you belong to" on the myworkaccount.microsoft.com/organizations. Currently there is only a link to "leave organization". Please add a link to "update MFA methods".

The OMS code doesn't allow name changes for the tenants that starts with "testtest".
This is an standard naming convention for test tenants, and the code enforce this rule to ensure that test tenants do not get renamed.
Would be great to add this to the public information, this should be a "must know" before creating a tenant.

User-Agent string is being retrieved as part of Azure\o365 audit log. The User-Agent is being used by security tools.

Google is planning to deprecate the User-Agent string in their Chromium engine (will affect Chrome, Edge and any app or browser that users Chromium). more info can be found here: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ. the current timeline is mid of 2020. Instead of the User-Agent string, they plan to add the User-Agent Client Hints as described here: https://wicg.github.io/ua-client-hints/

Need to have the new User-Agent information available in the audit log and the APIs.

Implement the possibility for users to personalize their MyApps user experience by making it possible for them to hide and unhide tiles on their MyApps portal of applications that they don't use and make it possible for them to rearrange tiles, so that their often used applications can always be accessed directly from the top of the page.

As per documentation here: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
Sign in with Azure AD Credentials feature available only for full Windows Server 2019 Datacenter installations. Would be great if Server Core images of server 2019 will also have this feature enabled.

Managing user memberships for administrative units should be make possible by dynamic membership!

So for instance the memberships should be auto-updated based on the department field of the user. (or any other attribute)

When a user receives an MFA notification, it would be nice to see the following communicated in the notification:
- Login Location (City, State, Country)
- Service being logged into (Office 365 Portal, SharePoint Online, OneDrive, Client Apps, etc.)
- Device OS/Type (Windows 10/Laptop, iOS 13.5.1/iPhone, Android 10.0/Tablet)
- Device Compliance (Yes/No)

This would further help users determine if the request is legitimate.

There's an app visible to users in the portal - MicrosoftAzureActiveAuthn (https://account.activedirectory.windowsazure.com/applications/signin/MicrosoftAzureActiveAuthn/0000001a-0000-0000-c000-000000000000?tenantId=REDACTED) - that is not a "real" app and shouldn't really be visible. Users that do click it arrive at an error page. We're not able to change its visibility via the Azure AD blade in the Azure Portal, however - the field is missing. I think that either the AAD or My Apps portal teams should take action to ensure this infrastructure app is not visible to users.

As it currently stands, if you want to permit specific sets of users to be Device Administrator "eligible" through Azure PIM you may have to wait up to 4 hours for the Primary Refresh Token (PRT) to be updated via Azure before your Azure AD joined devices will acknowledge the Device Administrator role.

This is a big flaw which basically renders this PIM function useless and needs to be fixed by Microsoft. All other Azure AD roles within Azure PIM work just fine when assigning an "eligible" role.

Currently only able to manage this list in the Portal. Request for the ability to upload the list from the command line so that a secure process can be implemented without the need to cut and paste the list into a web browser.

We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

SSPR should have functionality to allow for a lighter/less strict SSPR policy when the user account have never signed in before.
This would effectively kill the need for distributing first-time passwords for newly onboarded resources, while still ensuring that a strict enough policy is used (2 authentication methods) for the user in SSPR later on.

Currently the ARM template schema for AAD only supports Domain Services (https://docs.microsoft.com/en-us/azure/templates/microsoft.aad/allversions)

Please add support for AAD app registration so an offer can add and configure the registration for the customer.

To easily get a report via PowerShell for "MC191153, beginning October 13, 2020, we will retire Basic Authentication"

If AuthenticationMethodsUsed would be populated to show who is using Basic Authentication currently.