Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Rename PIM Assignments

    It would be good if, when you rename an assignment group, it is updated in PIM - it would also be good if, when you delete an assignment group, it is removed from PIM.

    If you rename the underlying group at the moment after you have enabled it in PIM, it does not change in PIM.
    If you remove an underlying group from Azure AD, it remains in PIM.

    1 vote
    0 comments  ·  Privileged Identity Management
  2. PIM Email Delivery Notification Delay

    According to the public article (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications#email-timing-for-activation-approvals), related to the PIM email notifications, the current expected delay is as follows:
    1. The first two emails sent by the request approval engine can be delayed.
    2. Currently, 90% of emails take three to ten minutes, but for 1% of customers it can be much longer, up to fifteen minutes.

    Can the wait time be decreased?

    Thank you!

    1 vote
    0 comments  ·  Privileged Identity Management
  3. PIM - Allow the assignment of a scope to be pre configured

    When requesting access to a role via PIM the user has to click the scope tab in order to specify where to assign the role, however they are presented with the activate button without having to specify a scope so it defaults to the root of the subscription.

    It would be really helpful for admins to preconfigure a list of allowed scopes and the user is forced to select the one they wish. This prevents accidental assigning at the root and giving out more permissions than needed.

    3 votes
    0 comments  ·  Privileged Identity Management
  4. Onboard Azure AD groups to PIM and make them read-only outside of PIM

    Please allow to onboard ANY Azure AD security group to PIM.
    Once it is onboarded, no one should be able to modify it outside of PIM, most importantly with User Administrator role (servicedesk).
    Thank you.

    1 vote
    0 comments  ·  Privileged Identity Management
  5. Add detailed information in the weekly PIM digest

    The weekly PIM digest currently gives only numerical information on each category of events and the links lead to a view that can be used to search for information on events.

    It would be beneficial to either include detailed information of events as attachments in the weekly digest or more preferably as links to portal that would show through filtering only the events that are counted in the weekly digest.

    For example, if there is a count of 1 on the "assignments outside of PIM" the link would lead to a portal view that is filtered to show this one…

    2 votes
    0 comments  ·  Privileged Identity Management
  6. Insider Risk Management Role In PIM

    Insider Risk Management Role is not available in PIM role at the moment. Please add the below Role groups to PIM so that users can manage insider risk management features

    Insider Risk Management Admin
    Insider Risk Management
    Insider Risk Management Analysts

    Insider Risk Management Investigators

    1 vote
    0 comments  ·  Privileged Identity Management
  7. Insider Risk Management Role In PIM

    Insider Risk Management Role is not available in PIM role at the moment. Please add the below Role groups to PIM so that users can manage insider risk management features

    Insider Risk Management Admin
    Insider Risk Management
    Insider Risk Management Analysts

    Insider Risk Management Investigators

    0 votes
    0 comments  ·  Privileged Identity Management
  8. Support the notion of "silos" or "roles" that grant access to multiple resources using PIM

    If we have multiple related resources created in different resource groups, it is quite tedious to use PIM to elevate into multiple resource groups for management or troubleshooting. PIM should provide a way to elevate into a role that grants access to multiple resources/resource groups with a single activation.

    3 votes
    0 comments  ·  Privileged Identity Management
  9. Let it detect if there's one already.

    Allow your device to detect if someone already has the authenticator, cause this just globs up my phone. Refuse to pay 4 anything you have when I can acquire for free. Help should be free!

    1 vote
    0 comments  ·  Privileged Identity Management
  10. Bug: Login/Logout needed after activating roles with Azure AD PIM

    I consider this is a bug and should be fixed, I need to login and logout from the Azure Portal after I activate a role with Azure AD PIM

    2 votes
    0 comments  ·  Privileged Identity Management
  11. Allow Privileged Identity Management of Enterprise Application Provisioned Roles

    When you enable provisioning for an application, say another SaaS provider, you can enable roles within the application such as admin or other roles that exist at the other SaaS provider. Having PIM being able to manage that would allow PIM on roles that exist outside of Azure AD.

    Not sure if this is possible but would be great if it could.

    1 vote
    0 comments  ·  Privileged Identity Management
  12. Make justification field mandatory for assignment of roles (Eligible or Active)

    Currently the Justification field only pops up when assigning an Active role to a user. This should be mandatory for any role assignment so that there is an audit record of why a user was assigned a role, active or eligible.

    1 vote
    0 comments  ·  Privileged Identity Management
  13. Activity-Based Automated Admin Role Search

    A feature where a user can enter in the type of activity they are needing to perform (like app registration), and Azure would suggest the appropriate admin role (i.e. App Admin). User can then request eligibility approval for that role. This allows users to select the admin role most aligned with their needs, as many do not know which admin role is the most appropriate, and they might be requesting admin roles with more privileges than are necessary for their work activity.

    1 vote
    0 comments  ·  Privileged Identity Management
  14. Restrict ability to view PIM information by Role

    As a general user (albeit an eligible but inactive administrator) I can view PIM information to discover who has privileged access. Using PowerShell I can enumerate privileged assignments to discover privileged user details.

    This opens attack vectors for Account Discovery and Permissions Group Discovery.

    The ability to do this should be restricted to those with active administrator permissions.

    2 votes
    0 comments  ·  Privileged Identity Management
  15. Allow Privileged Identity MFA on time intervals

    If a user activates a PIM role with a valid Azure AD claim, they are prompted for MFA authentication only once - at the first login. As long as the claim remains valid, it allows the user to skip MFA for PIM.

    We should be able to set a timeout that requires a user to re-authenticate after a certain amount of time. For example, if I PIM to an Owner role against Azure resources, I should be prompted for MFA if a week has passed since my last time doing so.

    This allows us to ensure stringent security on sensitive…

    1 vote
    0 comments  ·  Privileged Identity Management
  16. Notification to eligible members

    In Microsoft 365/Azure AD there are many predefined notifications set to tenant admins/global admins as the default recipients (examples: predefined Alert Policies at S&C Center, billing notifications, etc.). If all members of that role are eligible and currently no member has that role, then it can’t happen that a notification can reach anyone. So please change this behavior so that eligible members of a role will get that notification by default.

    1 vote
    under review  ·  0 comments  ·  Privileged Identity Management
  17. PIM not updating Yammer admin, and removes user when manually added to Yammer admin once delegation ends.

    Issue 1. When I activate PIM role Global Admin, it does not add me to the Yammer admin group.

    Issue 2. When I get manually added to the Yammer admin, PIM will remove me once delegation ends.

    Q. Is there a way to make it so Yammer admin is not affected by PIM or can be toggled? (the manual admins that are added in Yammer, not the ones parented in from being Global admins)

    2 votes
    1 comment  ·  Privileged Identity Management
  18. End User to see Azure AD PIM approver details

    Hi,

    In Azure AD PIM can we track who's the approver? I'm looking at it from an end user perspective because when he activates his role it says pending for approval.

    How to check who are the approvers so that he can chase after the approver? Ping the approver and get his request approved.

    I don't see this option in Azure AD PIM. I understand as an Admin we can see who are the approvers but how will the end user see where the request is pending at?

    2 votes
    under review  ·  0 comments  ·  Privileged Identity Management
  19. Send Microsoft Service emails to Eligible Global Admins

    We recently bought new Windows 10 Enterprise E3 licenses. An email from the Microsoft Online Services Team informing us of the availability of these licenses in our tenant was sent to all 'Assigned' Global Administrators. But not to the PIM-managed eligible Global Admins.

    Ideally we would like to have all Global Admins managed by PIM, excluding only the emergency access accounts.

    2 votes
    under review  ·  0 comments  ·  Privileged Identity Management
  20. Support PIM for service principals

    We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.

    We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.

    This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.

    28 votes
    under review  ·  2 comments  ·  Privileged Identity Management