Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Eliminate role activation delay between portals open in different browser tabs

    There is a delay in role activation when the target portal (i.e. Power Platform admin center) is open in one tab and PIM activation is initiated in a separate browser tab. It can take up to 15 minutes for the role to activate in the target portal, even if the tab is refreshed multiple times following role activation. While logging out and back in resolves this delay, it is not a sustainable option for urgent troubleshooting.

    7 votes

    0 comments  ·  Privileged Identity Management
  2. Support PIM for service principals

    We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

    We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

    This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

    63 votes

    under review  ·  4 comments  ·  Privileged Identity Management
  3. Eliminate delays when activating the SharePoint Administrator role in PIM.

    Currently it can take up to 1 hour or more to wait for permissions to be propagated in the SharePoint environment after activating the SharePoint Administrator role. Logging out, closing all browser windows -- nothing helps.

    This results in lost work time for administrators that require these permissions to do their daily job. It is even worse when there is an issue during off-hours. It does not help your relationship with a business client to tell them that you have to wait for the system to "kick in" and cannot provide an estimate for how long that may take.

    Any…

    91 votes

    planned  ·  15 comments  ·  Privileged Identity Management
  4. M365 Billing Notifications with regards to Azure AD PIM

    The cx is requesting a design change so that users who are assigned eligible PIM roles (Global Admin and Billing Admin) don't miss billing notifications if they haven't activated the role. It would be nice to have the option to use a distribution list in M365 Billing > Billing Notifications.

    This is currently impacting 20,000 users in the cx tenant since mid-March 2021 and there is a major work stoppage where Teams Administrators have not received billing notifications on time and were not able to get invoices over to the finance department to have the invoices paid on…

    2 votes

    0 comments  ·  Privileged Identity Management
  5. need to configure which users could receive Privileged Identity Management [PIM] emails

    Please implement the feature for PIM like the one implemented on IP.

    The UserVoice is called "need to configure which users could receive Identity protection weekly digest report".

    If possible, also add the option for the ad hoc emails like "PIM: A privileged directory role was assigned outside of PIM".

    This way a security officer without privileged admin roles is able to monitor and act on important info.

    5 votes

    1 comment  ·  Privileged Identity Management
  6. Enable reset of PRT to allow for immediate Eligible Device Administrator role through Azure PIM

    As it currently stands, if you want to permit specific sets of users to be Device Administrator "eligible" through Azure PIM you may have to wait up to 4 hours for the Primary Refresh Token (PRT) to be updated via Azure before your Azure AD joined devices will acknowledge the Device Administrator role.

    This is a big flaw which basically renders this PIM function useless and needs to be fixed by Microsoft. All other Azure AD roles within Azure PIM work just fine when assigning an "eligible" role.

    36 votes

    4 comments  ·  Privileged Identity Management
  7. Allow User/Group Admin the ability to manage external collaboration

    Our settings are the most restrictive: any B2B domains need to be added manually in the Manage External Collaboration settings. The setting should be set and amended by a Global Admin, but users with the User Admin role should have the ability to add a new trusted domain in the "target domains" section.

    6 votes

    0 comments  ·  Privileged Identity Management
  8. PIM sync on-prem so you can get Just in time for on-prem admin accounts

    Is it on the roadmap to have some sort of sync / agent / function that allows you to use just-in-time functionality on-prem for admin accounts without syncing "admin accounts" up to Azure AD?

    1 vote

    0 comments  ·  Privileged Identity Management
  9. In the absence of an approver

    Currently PIM sends a notification to all approvers when a request is made to activate a privileged role in PIM. It would be nice if the approval workflow could be configured in a hierarchical manner: if the 1st approver is not available, it resends the notification to the 2nd approver.

    for PIM roles receive an email with a link and need to log in to Azure AD to approve or deny the request, which is becoming a bit of a tedious task for managers approving the request for a privileged role activation. A mobile app to approve or deny the request would be a more efficient way for the manager…

    1 vote

    0 comments  ·  Privileged Identity Management
  10. Approver mobile app to approve or deny the request

    Currently the approvers for PIM roles receive an email with a link and need to log in to Azure AD to approve or deny the request, which is becoming a bit of a tedious task for managers approving the request for a privileged role activation. A mobile app to approve or deny the request would be a more efficient way for the manager to respond to the requests for privileged role activation from PIM.

    1 vote

    0 comments  ·  Privileged Identity Management
  11. Allow Privileged Access for groups to be enabled from PowerShell or CLI etc

    When creating a group in AAD to assign to roles, I can set isAssignableToRole, which is great. But then, to enable privileged access for the group (to allow assignment of members or owners in the group), I have to visit the portal to click a button; there is no record I can find of a property that exists after this to allow me to do this in PowerShell.

    This would allow the entire process to be automated - and let me assign a role to a group - then control access to the role with group membership.

    In…

    3 votes

    1 comment  ·  Privileged Identity Management
  12. Azure Databricks SCIM Connector

    Privileged Access Groups (PAG) can be used as groups for the Azure Databricks SCIM Connector. These PAGs contain member users (USER01). When provisioning happens in SCIM, the PAG will be provisioned within the Databricks WS.

    Now USER01 can log in to portal.azure.com and activate the eligible member role.

    Now the issue is: the provisioning interval is 40 minutes and fixed. Until the provisioning cycle kicks off, USER01 is not going to be shown in the Databricks WS.

    If we get an option within the Azure Databricks SCIM Connector to provision automatically in real time as soon as changes happen within…

    1 vote

    0 comments  ·  Privileged Identity Management
  13. PIM Access reviews should exclude emergency accounts

    When creating an access review there should be the ability to exclude the emergency accounts, otherwise you could lock yourself out!

    2 votes

    0 comments  ·  Privileged Identity Management
  14. Allow built in local admin roles to be centrally managed in Azure AD / PIM

    Currently when you manage roles in PIM, you are able to manage the roles centrally for all Azure AD services. However there are several services where you can set roles that will only apply for that specific service as noted here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-microsoft-365-compliance-security?view=o365-worldwide#breaking-inheritance

    This can make it hard to track all the assigned permissions across all services and leave open gaps that can cause security issues. It would be great to have a central place to view and manage all the permissions across each service.

    1 vote

    0 comments  ·  Privileged Identity Management
  15. PIM - Configure default settings for all role assignments

    Separate custom settings for every role in every resource scope is really unwieldy, and makes it infeasible to manage effectively.

    Please consider a configuration for default settings that apply to all roles and scopes (maybe separate for Azure RBAC vs AAD?) so that we can make baseline tenant level configuration change.

    e.g. I would like PIM eligible assignment to default to a maximum duration of 2 hours instead of 1; I would like activation to require MFA always; I would like to change the notification lists.

    Thanks
    Ben.

    33 votes

    started  ·  1 comment  ·  Privileged Identity Management
  16. fix the caching issue!

    Every time I assign myself a role, I have to log out of the O365 portal, clear my browser cache, then sign back in, and even then it doesn't always work. It's been getting worse the more I'm using Azure PIM.

    1 vote

    0 comments  ·  Privileged Identity Management
  17. For eligible assignment through PIM increase time up to 4 days

    Currently for PIM eligible assignment users can activate only for a maximum of 24 hours. This is good but does not work for roles like SharePoint Administrator. After activating the SharePoint Administrator role, SharePoint takes 24 to 72 hours for the role to be activated in SharePoint. The other option is to give an active assignment to the SharePoint role for 4 days and then wait for SharePoint to reflect the permissions. Either PIM should allow eligible assignment activation up to 4 days or SharePoint should fix it for immediate sync from Azure AD to SharePoint.

    1 vote

    0 comments  ·  Privileged Identity Management
  18. 3 things I think would improve PIM

    1. Option to activate multiple roles in one activate operation.
       Sometimes you just need two or three roles in your working day.

    2. Option to go directly to the service from PIM - My roles.
       I am thinking of a link on the role name or, from a receipt page after activating.

    3. My roles should always appear in alphabetical order.

    2 votes

    0 comments  ·  Privileged Identity Management
  19. How to manage Azure Service Principal in PIM?

    We have Azure Service Principals and are looking for a solution to manage Service Principals, automatic onboarding and secret key rotation. Is Azure PIM the solution?

    1 vote

    0 comments  ·  Privileged Identity Management
  20. Allow Azure PIM to have multiple selection on approvers or automatic, for any role

    There is an option in Azure AD PIM where we modify the setting for a role to require an approver, but if that option is off, the role gets automatically approved.
    What we need is the opportunity to have group selection, whereby I can decide to assign the role and have an approver, or assign the role and allow my users to have it approved with no intervention.

    Otherwise, the opportunity to clone the role and set it up as desired only in Azure PIM, instead of a window that allows the mentioned selection.

    3 votes

    0 comments  ·  Privileged Identity Management