- In the MyAccess portal, change the view by Catalogs and not by Access Packages
- combine the MyApps and MyAccess portals for a better user experience
- Add an option to add a logo and company icon to MyApps and MyAccess so that the end user will know he is in the right place (the new MyApps portal)
MIM graph connector missing key information like Licenses, mailbox created time, Provisioned plans, Extended attributes, etc.
2 votes
In Azure AD PIM, can we track who the approver is? I'm looking at it from an end-user perspective, because when he activates his role it says pending for approval.
How can he check who the approvers are, so that he can chase after the approver? Ping the approver and get his request approved.
I don't see this option in Azure AD PIM. I understand that as an Admin we can see who the approvers are, but how will the end user see where the request is pending?
4 votes
Azure AD SCIM client is not compatible with applications which do not support "filtering".
If “filtering” is not supported by a 3rd-party app, do not ignore that:
- Use the “matching” attribute defined in mappings during the initial cycle to check if the resource exists.
- If the resource exists (HTTP 200), save the “ID” persistently.
- Use the “ID” in every subsequent request.
cf. RFC 7644 section 4: https://tools.ietf.org/html/rfc7644#section-4
4 votes
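The following is an added example, not code from the post above or from Azure AD's provisioning service. It sketches a SCIM 2.0 client that reads filter.supported from /ServiceProviderConfig, matches on one attribute during the initial cycle, stores the returned id, and addresses the user by /Users/{id} in every later cycle. The in-memory FakeScimServer is a constructed stand-in so the code runs offline; the fallback of paging through /Users and matching client-side when the provider does not support filtering is this example's assumption, not behaviour the post or RFC prescribes.

```python
"""SCIM 2.0 client sketch for providers without filter support (added example)."""
import json
import urllib.parse


class FakeScimServer:
    """Constructed stand-in for a 3rd-party SCIM endpoint; not a real product."""

    def __init__(self, filter_supported):
        self.filter_supported = filter_supported
        self.users = {}        # id -> resource
        self.counter = 0

    def request(self, method, path, body=None):
        url = urllib.parse.urlparse(path)
        qs = urllib.parse.parse_qs(url.query)
        if url.path == "/ServiceProviderConfig":
            # RFC 7644 section 4: the provider advertises whether filtering works
            return 200, {"filter": {"supported": self.filter_supported}}
        if url.path == "/Users" and method == "GET":
            if "filter" in qs:
                if not self.filter_supported:
                    return 400, {"scimType": "invalidFilter"}
                attr, _, value = qs["filter"][0].partition(" eq ")
                found = [u for u in self.users.values() if u.get(attr) == json.loads(value)]
            else:
                found = list(self.users.values())
            start = int(qs.get("startIndex", ["1"])[0]) - 1
            count = int(qs.get("count", ["100"])[0])
            return 200, {"totalResults": len(found), "Resources": found[start:start + count]}
        if url.path == "/Users" and method == "POST":
            self.counter += 1
            created = dict(body, id=str(self.counter))
            self.users[created["id"]] = created
            return 201, created
        if url.path.startswith("/Users/") and method == "PUT":
            uid = url.path.rsplit("/", 1)[1]
            if uid not in self.users:
                return 404, {}
            self.users[uid] = dict(body, id=uid)
            return 200, self.users[uid]
        return 404, {}


class ScimClient:
    """Matches on one attribute in the initial cycle, then addresses users by id."""

    def __init__(self, transport, match_attr="userName", id_store=None):
        self.transport = transport
        self.match_attr = match_attr
        # id_store stands in for the persistent matching-attribute -> id map
        self.id_store = {} if id_store is None else id_store
        _, cfg = transport.request("GET", "/ServiceProviderConfig")
        self.filter_supported = cfg.get("filter", {}).get("supported", False)

    def _find_existing_id(self, value):
        if self.filter_supported:
            query = urllib.parse.urlencode({"filter": f"{self.match_attr} eq {json.dumps(value)}"})
            status, body = self.transport.request("GET", f"/Users?{query}")
            hits = body.get("Resources", []) if status == 200 else []
        else:
            # Assumed fallback: page through /Users and match client-side instead of filtering
            hits, start = [], 1
            while True:
                status, body = self.transport.request("GET", f"/Users?startIndex={start}&count=100")
                page = body.get("Resources", []) if status == 200 else []
                hits += [r for r in page if r.get(self.match_attr) == value]
                if not page or start + len(page) > body.get("totalResults", 0):
                    break
                start += len(page)
        return hits[0]["id"] if hits else None

    def provision(self, resource):
        value = resource[self.match_attr]
        uid = self.id_store.get(value) or self._find_existing_id(value)
        if uid is None:
            _, created = self.transport.request("POST", "/Users", resource)
            uid = created["id"]
        else:
            self.transport.request("PUT", f"/Users/{uid}", resource)
        self.id_store[value] = uid   # persist the id so later cycles never re-match
        return uid


def demo(filter_supported):
    """Provision against a provider that already holds 'alice'; return what happened."""
    server = FakeScimServer(filter_supported)
    server.request("POST", "/Users", {"userName": "alice", "displayName": "Alice"})  # pre-existing
    client = ScimClient(server)
    first = client.provision({"userName": "alice", "displayName": "Alice A."})
    second = client.provision({"userName": "bob", "displayName": "Bob"})
    third = client.provision({"userName": "alice", "displayName": "Alice B."})
    return first, second, third, len(server.users), server.users[first]["displayName"]
```

With filtering off, the client never sends a filter query (which this provider would reject with 400), matches the existing alice by userName during the first cycle, reuses her stored id for the update, and creates only bob, so no duplicate account appears.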
We recently bought new Windows 10 Enterprise E3 licenses. An email from the Microsoft Online Services Team informing us of the availability of these licenses in our tenant was sent to all 'Assigned' Global Administrators, but not to the PIM-managed eligible Global Admins.
Ideally we would like to have all Global Admins managed by PIM, excluding only the emergency access accounts.
3 votes
Hybrid Reporting saves MIM Service Request objects as JSON. The resulting JSON has different formats for the CreatedTime property.
Sometimes it looks like:
CreatedTime: 2020-05-14 17:44:57.270
Other times it looks like:
CreatedTime: 5/14/2020 5:45:10 PM
The different formats make it difficult to parse and use.
5 votes
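As an added example (not code from the post above or from the Hybrid Reporting feature), here is a small normaliser that accepts both CreatedTime shapes quoted above and rewrites them as ISO 8601 so the records can be sorted and compared. The sample export is constructed, and field names other than CreatedTime are assumed. The post does not say whether the two formats carry the same timezone, so the code treats both as naive timestamps and refuses to guess at any third format.

```python
"""Normalise the mixed CreatedTime formats seen in Hybrid Reporting JSON (added example)."""
import json
from datetime import datetime

# The two shapes quoted in the post, plus the first shape without fractional seconds.
CREATED_TIME_FORMATS = (
    "%Y-%m-%d %H:%M:%S.%f",   # 2020-05-14 17:44:57.270
    "%Y-%m-%d %H:%M:%S",
    "%m/%d/%Y %I:%M:%S %p",   # 5/14/2020 5:45:10 PM
)


def parse_created_time(value):
    """Return a naive datetime for either known format; raise rather than guess."""
    for fmt in CREATED_TIME_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised CreatedTime format: {value!r}")


def normalise_requests(raw_json):
    """Parse a JSON array of Request objects and rewrite CreatedTime as ISO 8601.

    Returns the records sorted by the parsed time, so records exported in
    different formats end up in true chronological order.
    """
    records = json.loads(raw_json)
    for rec in records:
        parsed = parse_created_time(rec["CreatedTime"])
        rec["CreatedTime"] = parsed.isoformat(timespec="milliseconds")
    return sorted(records, key=lambda r: r["CreatedTime"])


# Constructed sample, not real export data; ObjectID/Operation field names are assumed.
SAMPLE_EXPORT = json.dumps([
    {"ObjectID": "b2", "Operation": "Put", "CreatedTime": "5/14/2020 5:45:10 PM"},
    {"ObjectID": "a1", "Operation": "Create", "CreatedTime": "2020-05-14 17:44:57.270"},
])

if __name__ == "__main__":
    for rec in normalise_requests(SAMPLE_EXPORT):
        print(rec["ObjectID"], rec["CreatedTime"])
```

Note that a plain string sort on the original values would have put "2020-05-14 ..." before "5/14/2020 ..." regardless of the actual time; sorting on the parsed value is what makes the two formats comparable.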
(Provision null attributes) Add option to have properties be emptied after clearing them in Azure AD
Right now, I can set a phone number and clear it again in Azure. Azure will update the phone number in the application but will never clear it. This is by design, I understand that, but our customers would like the option to also clear this information, as they consider AAD the source/leading system and its primary task is to make sure all other applications have the same data. Currently that is not the case, as the data is never removed from applications after it is removed from AAD.
5 votes
We apply and update our Azure infrastructure through a CI workflow with ARM templates. To do this the CI authenticates with a service principal.
We often deploy resource-group wide or subscription-wide deployments which require Owner or Contributor permissions to apply ARM templates. To up the security we would like support for PIM both through the CLI and for service principals.
This way we can tell something is wrong if suddenly our CI is assigned the "owner" role and we have not run a CI job for a while.
76 votes
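The detection idea in the post above (a privileged role active on the CI service principal while no pipeline has run) can be checked today against the role assignments the principal actually holds. The following is an added example, not code from the poster or from Azure; the sample assignments are constructed in the shape of `az role assignment list --assignee <sp> -o json` output, and the field names used (roleDefinitionName, scope, createdOn) are assumed from that shape, so verify them against your CLI version. The idle window and the set of roles treated as privileged are this example's choices.

```python
"""Flag privileged role assignments on a CI principal outside its job windows (added example)."""
from datetime import datetime, timedelta, timezone

# Roles that should only be active while a deployment job is running (example's choice).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample shaped like `az role assignment list --assignee <sp> -o json`
# output; field names are assumed, not taken from the post.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "ci-deployer", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
     "createdOn": "2020-01-10T09:00:00Z"},
    {"principalName": "ci-deployer", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod",
     "createdOn": "2020-05-20T02:13:00Z"},
]


def _iso(ts):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_unexpected_privilege(assignments, last_ci_run, now, idle=timedelta(hours=24)):
    """Return privileged assignments that should not be active right now.

    Two signals: the role is privileged although no CI job has run for longer
    than `idle`, or the assignment was created after the last job finished, so
    no pipeline could have been the one that requested it.
    """
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] not in PRIVILEGED_ROLES:
            continue
        reasons = []
        if now - last_ci_run > idle:
            reasons.append(f"no CI job in the last {idle}")
        if _iso(a["createdOn"]) > last_ci_run:
            reasons.append("assigned after the last CI job")
        if reasons:
            findings.append({"role": a["roleDefinitionName"], "scope": a["scope"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    now = datetime(2020, 5, 21, 10, 0, tzinfo=timezone.utc)
    last_run = datetime(2020, 5, 18, 12, 0, tzinfo=timezone.utc)   # constructed pipeline history
    for f in find_unexpected_privilege(SAMPLE_ASSIGNMENTS, last_run, now):
        print(f["role"], f["scope"], "; ".join(f["reasons"]))
```

Once PIM covers service principals as the post asks, the expected steady state is zero standing privileged assignments, and the same check degenerates to "any privileged assignment present outside a job window is a finding".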
When access package requests are approved, the user receives a generic email informing them that "You now have access to XYZ".
It would improve the service vastly if the contents of this "approved" mail could be customized with further instructions on where the user may access the resources they have been assigned.
As it is now, the user even gets a misleading button in the email saying "Get started", which just leads back to the My Access portal.
12 votes
Workday to Azure AD provisioning application: under attribute mapping, under target object action, the delete feature deletes users in Azure
Workday to Azure AD provisioning application: under attribute mapping, under target object action, the delete feature deletes users from Azure AD. Instead of deleting the user from Azure AD, the account should be disabled in AD.
3 votes
According to the docs, the permissions required to even perform basic scenarios (list my eligible roles, activate a role) require admin consent. Can the API be improved to require less consent? I use PIM quite a bit and the portal experience can be painfully slow; I'd really like to automate it with the API.
3 votes
In the Azure Consent Workflow (currently in preview), once a user is approved they receive an email. It would be great if the approved resource / app was linked so that the user can navigate from the approval email directly to the approved site / resource / app.
7 votes
Thanks for the great suggestion! Sending users emails about their approvals and having a link to the resource would be very helpful. I’ll take this back to the team and will update here when we make some progress!
Right now AAD supports a "Permission Sets" attribute, however this is not usable. Salesforce users have multiple Permission Sets, which are dependent on their O365 groups. For example, members of the O365 group "IT Services Team" would get the permission set "IT Services" in Salesforce. Until AAD's Salesforce connector supports mapping Permission Sets based on group membership in AAD, most organizations will not be able to use AAD for Salesforce provisioning.
13 votes
Make PIM audit more robust. Should be able to filter on all of the key categories (for example, filter on Global Administrator approvals)
Make PIM audit filtering more robust. Should be able to filter on all of the key categories (for example, ability to create a filter for Global Administrator approvals).
2 votes
Box supports the ability to specify an account to which user files are transferred. We rely on this functionality to ensure that users' files are transferred to a backup service account when a user leaves the organization. It would be very nice to have this capability too.
1 vote
Thanks for the feedback. We are evaluating the functionality. Would you want one account that all files are sent to or moved up to the manager?
This may be "cosmetic", but in the Salesforce - Users and groups Assignment page, one Azure AD Security Group is mapped to something called a Role. It's actually a Profile in Salesforce. Aligning the terminology would be good, as Salesforce Roles are different.
1 vote
Would be great to add support for Salesforce Permission Set Groups in the Salesforce Connector.
14 votes
In access reviews, it would be helpful to see the current status of the account. For example, we have accounts that are recommended for "Deny" but in AAD the account is already blocked from signing-in.
Also, accounts surface in the access review that have already been removed from AAD.
1 vote
Thanks for submitting the feedback!
You’re right that currently we don’t reflect the status of the account in real time, because when the review is created we take a snapshot of the users in the review right before the review starts, so the reviewers get a view of the user’s activity X days before the review. This has been an audit requirement for some customers. I’d like to hear more about your use case in dynamically updating the user’s status, and how that contributes to your audits (if any).
We’ll keep this feedback in mind when planning, thanks again!
If I have a role that would allow me to access a page via PIM, error messages should suggest enabling the least-privilege role I am eligible for instead of just showing an access error.
1. allow people to think of PIM as a workaround
2. understand that Global Admin is not the role to activate by default and that less powerful roles could still allow getting things done
3. add some friendliness to "access denied" error messages :-)
3 votes
When I create a custom Role from a Built-In Role, this new role is no longer updated by Microsoft, because it is custom. I would like to have a way to set a delta on a Built-In Role and create a new Role from it, so I have a custom role that always receives updates from Microsoft.
2 votes
Thank you for taking the time to submit feedback! This is an interesting request, we certainly have customers who want it one way or the other. We’ll consider a mechanism to specify a role is ‘inherited’ from a parent role and thus gets updates based on that role. However, we don’t have a timeline for that just yet.
Azure Active Directory Team