Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Eliminate delays when activating the SharePoint Administrator role in PIM.

    Currently it can take up to 1 hour or more to wait for permissions to be propagated in the SharePoint environment after activating the SharePoint Administrator role. Logging out, closing all browser windows -- nothing helps.

    This results in lost work time for administrators that require these permissions to do their daily job. And is even worse when there is an issue during off-hours. It does not help your relationship with a business client to tell them that you have to wait for the system to "kick in" and cannot provide an estimate for how long that may take.

    Any…

    64 votes

    planned  ·  10 comments  ·  Privileged Identity Management
  2. Support PIM for service principals

    We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

    We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

    This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

    28 votes

    under review  ·  2 comments  ·  Privileged Identity Management
  3. Enable reset of PRT to allow for immediate Eligible Device Administrator role through Azure PIM

    As it currently stands, if you want to permit specific sets of users to be Device Administrator "eligible" through Azure PIM you may have to wait up to 4 hours for the Primary Refresh Token (PRT) to be updated via Azure before your Azure AD joined devices will acknowledge the Device Administrator role.

    This is a big flaw which basically renders this PIM function useless and needs to be fixed by Microsoft. All other Azure AD roles within Azure PIM work just fine when assigning an "eligible" role.

    32 votes

    4 comments  ·  Privileged Identity Management
  4. PIM - Allow the assignment of a scope to be pre configured

    When requesting access to a role via PIM the user has to click the scope tab in order to specify where to assign the role, however they are presented with the activate button without having to specify a scope so it defaults to the root of the subscription.

    It would be really helpful for admins to preconfigure a list of allowed scopes so that the user is forced to select the one they wish. This prevents accidental assignment at the root and giving out more permissions than needed.

    3 votes

    0 comments  ·  Privileged Identity Management
  5. PIM - Configure default settings for all role assignments

    Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.

    Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant-level configuration changes.

    e.g. I would like PIM eligible assignment to default to a maximum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.

    Thanks
    Ben.

    20 votes

    started  ·  1 comment  ·  Privileged Identity Management
  6. Support the notion of "silos" or "roles" that grant access to multiple resources using PIM

    If we have multiple related resources created in different resource groups, it is quite tedious to use PIM to elevate into multiple resource groups for management or troubleshooting. PIM should provide a way to elevate into a role that grants access to multiple resources/resource groups with a single activation.

    3 votes

    0 comments  ·  Privileged Identity Management
  7. eDiscovery administrator/manager roles added to PIM/PAM

    Please add the eDiscovery roles to PIM/PAM; they seem to be MIA.

    33 votes

    planned  ·  2 comments  ·  Privileged Identity Management
  8. Add detailed information in the weekly PIM digest

    The weekly PIM digest currently gives only numerical information on each category of events, and the links lead to a view that can be used to search for information on events.

    It would be beneficial to either include detailed information on events as attachments in the weekly digest or, more preferably, as links to the portal that would show, through filtering, only the events that are counted in the weekly digest.

    For example, if there is a count of 1 on the "assignments outside of PIM" the link would lead to a portal view that is filtered to show this one…

    2 votes

    0 comments  ·  Privileged Identity Management
  9. Bug: Login/Logout needed after activating roles with Azure AD PIM

    I consider this a bug that should be fixed: I need to log in and log out of the Azure Portal after I activate a role with Azure AD PIM.

    2 votes

    0 comments  ·  Privileged Identity Management
  10. Rename PIM Assignments

    It would be good if, when you rename an assignment group, it is updated in PIM; it would also be good if, when you delete an assignment group, it is removed from PIM.

    If you rename the underlying group after you have enabled it in PIM, the name does not change in PIM.
    If you remove an underlying group from Azure AD, it remains in PIM.

    1 vote

    0 comments  ·  Privileged Identity Management
  11. PIM Email Delivery Notification Delay

    According to the public article (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications#email-timing-for-activation-approvals) on PIM email notifications, the current expected delay is as follows:
    1. The first two emails sent by the request approval engine can be delayed.
    2. Currently, 90% of emails take three to ten minutes, but for 1% customers it can be much longer, up to fifteen minutes.

    Can the wait time be decreased?

    Thank you!

    1 vote

    0 comments  ·  Privileged Identity Management
  12. Onboard Azure AD groups to PIM and make them read-only outside of PIM

    Please allow ANY Azure AD security group to be onboarded to PIM.
    Once it is onboarded, no one should be able to modify it outside of PIM, most importantly with the User Administrator role (servicedesk).
    Thank you.

    1 vote

    0 comments  ·  Privileged Identity Management
  13. Restrict ability to view PIM information by Role

    As a general user (albeit an eligible but inactive administrator) I can view PIM information to discover who has privileged access. Using PowerShell I can enumerate privileged assignments to discover privileged user details.

    This opens attack vectors for Account Discovery and Permissions Group Discovery.

    The ability to do this should be restricted to those with active administrator permissions.

    2 votes

    0 comments  ·  Privileged Identity Management
  14. Make Azure AD role activation in PIM faster

    Currently, activating an Azure AD role such as Global Admin or User Admin in Privileged Identity Management (PIM) takes 15+ minutes to fully activate (this time starts after following the step to sign out). Even after logging out and back in again, the role will display as active in the Azure AD overview blade, but when trying to take an action such as updating a user license (in the Office 365 portal) or updating an app configuration in the Azure AD Portal, the action will fail claiming access denied. After 15-30 minutes, the role finally becomes fully active with no notification…

    6 votes

    1 comment  ·  Privileged Identity Management
  15. Insider Risk Management Role In PIM

    The Insider Risk Management role is not available in PIM at the moment. Please add the role groups below to PIM so that users can manage Insider Risk Management features:

    Insider Risk Management Admin
    Insider Risk Management
    Insider Risk Management Analysts
    Insider Risk Management Investigators

    1 vote

    0 comments  ·  Privileged Identity Management
  16. PIM not updating Yammer admin, and removes user when manually added to Yammer admin once delegation ends.

    Issue 1. When I activate the PIM role Global Admin, it does not add me to the Yammer admin group.

    Issue 2. When I get manually added to the Yammer admin group, PIM will remove me once delegation ends.

    Q. Is there a way to make it so Yammer admin is not affected by PIM or can be toggled? (the manual admins that are added in yammer, not the ones parented in from being Global admins)

    2 votes

    1 comment  ·  Privileged Identity Management
  17. Customer tenants should be manageable by PIM

    PIM should be able to manage access to customers' tenants. A partner has employees with their own source of authority but should still be able to give out access based on Azure Lighthouse, for instance. Azure Lighthouse currently supports groups only, which are not supported by PIM.

    22 votes

    3 comments  ·  Privileged Identity Management
  18. Let it detect if there's one already.

    Allow your device to detect if someone already has the authenticator, because this just globs up my phone. Refuse to pay for anything you have when I can acquire it for free. Help should be free!

    1 vote

    0 comments  ·  Privileged Identity Management
  19. Support Diagnostic Settings for PIM Audit Logs

    Azure AD Audit Logs and Sign-in Logs can be forwarded to Log Analytics, a Storage Account or an Event Hub. It is crucial to have this functionality also for the PIM Audit History. Just using the Azure Portal GUI to export a CSV is not how it should be nowadays.

    11 votes

    3 comments  ·  Privileged Identity Management
  20. Allow Privileged Identity Management of Enterprise Application Provisioned Roles

    When you enable provisioning for an application, say another SaaS provider, you can enable roles within the application such as admin or other roles that exist at the other SaaS provider. Having PIM able to manage those would allow PIM on roles that exist outside of Azure AD.

    Not sure if this is possible but would be great if it could.

    1 vote

    0 comments  ·  Privileged Identity Management