Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account.  You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Eliminate delays when activating the SharePoint Administrator role in PIM.

    Currently it can take up to 1 hour or more to wait for permissions to be propagated in the SharePoint environment after activating the SharePoint Administrator role. Logging out, closing all browser windows -- nothing helps.

    This results in lost work time for administrators that require these permissions to do their daily job. And is even worse when there is an issue during off-hours. It does not help your relationship with a business client to tell them that you have to wait for the system to "kick in" and cannot provide an estimate for how long that may take.

    Any…

    46 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  6 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  2. Support PIM for service principals

    We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

    We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

    This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  3. PIM - Configure default settings for all role assignments

    Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.

    Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.

    e.g. I would like PIM eligible assignment to default to a maxiumum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.

    Thanks
    Ben.

    15 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. ediscovery administrator/manager adds to PIM/PAM roles

    Pls add eDiscovery roles to PIM/PAM, seem to be mia

    17 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  5. Admin Consent Required for Basic PIM API Scenarios

    According to the docs, the permissions required to even perform basic scenarios (list my eligible roles, active a role) require admin consent. Can the API be improved to require less consent? I use PIM quite a bit and the portal experience can be painfully slow, I'd really like to automate it with the API.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  6. PIM not updating Yammer admin, and removes user when manually added to yammer admin once delegation ends.

    Issue1. When I Activate PIM role Global Admin, it does not add me to the Yammer admin group.

    Issue2. When I get manually added to the Yammer admin-- PIM will remove me once delegation ends.

    Q. Is there a way to make it so Yammer admin is not affected by PIM or can be toggled? (the manual admins that are added in yammer, not the ones parented in from being Global admins)

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. Customer tenants should be manageable by PIM

    PIM should be able to manage access to customer's tenants. Partner has employees with their own source of authority but should still be able to give out access based on Azure lighthouse for instance. AzLighthouse currently supports groups only, which are not supported by PIM.

    16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  8. PIM - Allow permanent activation through PIM

    Our organization uses PIM to manage privileged access, as of now temporary elevation of 24 hours is what possible. We would like to allow permanent access to the privileges like allow access up to a year. After which they can request for it again if they are eligible for it.

    This simplifies our process instead of telling process X for permanent access and Process Y for permanent access..

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  9. End User to see Azure AD PIM approver details

    Hi ,

    In Azure AD PIM can we track whose the approver. I'm looking it from a end user perspective because when he activates his role it says pending for approval.

    How to check who are the approvers and so that he can chase after the approver ? Ping the approver and get his request approved.

    I don't see this option in Azure AD PIM. I understand as an Admin we can see who are the approvers but how will end user see where the request is pending at ?

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  10. Support Diagnostic Settings for PIM Audit Logs

    Azure AD Audit Logs and Sign-in Logs can be forwarded to Log Analytics, Storage Account or Event Hub. It is crucial to have this functionality also for the PIM Audit History. Just using the Azure Portal GUI to export a CSV is not how it should be nowadays.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  11. Make Azure AD role activation in PIM faster

    Currently activating an Azure AD role such as Global Admin or User Admin in Privileged Identity Management (PIM) takes 15+ minutes to fully activate (this time starts after following the step to sign-out). Even after logging out and back in again, the role will display as active in the Azure AD overview blade, but when trying to take an action such as updating a user license (in the Office 365 portal) or update an App configuration in the Azure AD Portal, the action will fail claiming access denied. After 15-30 minutes, the role finally comes fully active with no notification…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  12. Privileged Identity Management event into Event Grid for automation

    We would like to use Privileged Identity Management (PIM) to provide access to content within resource for example a database within a database server. To be able to hook into a successful 'just in time' request and it's timeout I would like to use something like Event Grid.

    The current alerting based on email is not good enough to be able to reliably build automation.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  13. Notification to eligable members

    At Microsoft 365/Azure AD are many predefined notifications set to tenantadmins/global admins as the default recipients (Examples: predefined Alert Policies at S&C Center, Billing notifications, etc). If all members of that role are eligible and currently no member has that role, then it can’t happen that a notification can reach anyone. So please change this behavior that eligible members of a role will get that notification by default.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  14. Make sure that in some situations Eligible users are selectable

    In some other parts of Azure AD, you can only select users if they are currently activated in their role. F.e. the Admin Consent reviewers are only selectable if they have the necessary roles permanent, or are activated at that time. It would be nice, that for these kind of situations you can select all the users eligible for the role as well.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  15. Enable PIM assignment for a guest user in a specific directory

    We use powershell to activate PIM for users, but when we change to a specific directory, the get-privilegedroleassignment cmdlet still lists the roles available in the "home" directory, rather than the directory that you're currently in..

    connect-pimservice -TenantName <XXXX>

    has no effect on the get-privilegedroleassignment command

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  16. Send Microsoft Service emails to Elligible Global Admins

    We recently bought new Windows 10 Enterprise E3 licenses. An email from the Microsoft Online Services Team informing us of the availablity of these licenses in out tenant was sent to all 'Assigned' Global Administrators. But not to the PIM-managed elligible Global Admins.

    Ideally we would like to have all Global Admins managed by PIM, excluding only the emergency access accounts.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  17. Grant multiple roles through Privilege Identity Management (PIM) to the same user during a single operation

    When assigning more than one role using PIM as "eligible" user must going through the elevation operation for each one of the assigned roles.
    My suggestion is either to allow users to be elevated to all PIM roles in one operation or to be able to customize a new role which include capabilities from different roles.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  18. Allow 3rd party MFA with PIM

    Azure conditional access policies allow for 3rd party MFA, such as Duo, but Azure PIM does not allow this level of customization with the "Require MFA" configuration for a PIM role. This means that we need to manage 2 different MFA platforms if we're going to leverage both Duo MFA and Azure PIM for security. I'd like the ability to use Duo MFA when activating a PIM role.

    39 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    started  ·  2 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  19. Ability to search on all Azure resources and resource groups in the "Resource filter" experience

    Azure resources/resource groups search in PIM doesn’t search my entire pool of resources /resource groups. It only searches by page. I have to click "load more" 15+ times to find some of my resource groups which is a horrible UX and seems more like a bug to me.

    12 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  20. Auto suggest role activation on "access denied" error messages if user is eligible

    If I have a role that woudl allow me to access a page via PIM, error messages shoulfd suggest to enable the least privilege role I am elligible for instead of just showing an access error.

    This would:
    1. allow to think about PIM as a workaround
    2. understand that Global Admin is not the role to activate by default and that less powerful roles coudl still allow to get things done
    3. add some friendliness to "access denied" error messages :-)

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 6
  • Don't see your idea?

Feedback and Knowledge Base