Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!


  1. Change Email notifications of PIM

    I'd like to change the email notifications of PIM.
    We would like to select which users can receive email.

    3 votes
    0 comments  ·  Privileged Identity Management
  2. Improve PIM Azure resources browsing

    Today if I am using the resource filter "Resource" to explore Azure resources, I am unable to see the real resource type of the displayed resources, e.g. Microsoft.Web/sites.

    It causes problems when more than one resource has the same name. It is then impossible to distinguish which one is which; even clicking on the resource does not provide this information in the next screen either.

    3 votes
    0 comments  ·  Privileged Identity Management
  3. PIM Notification Additional Fields

    It would be handy to add the additional fields to the email if they are selected in the setup of the PIM controls.

    Mail template:
    Is there an option/ability to add the ticket information fields in the email alongside the justification?

    Ticket Number
    Ticket System

    Currently it only shows the justification.

    3 votes
    1 comment  ·  Privileged Identity Management
  4. Access Review Alerts sent to Alternative email

    We do have the option to input an alternative email into the user's account, but when performing an access review, the users don't get any notification through the alternative email.
    If we could have another method to send notifications to the users and reviewers in access reviews, that would be great.

    3 votes
    1 comment  ·  Privileged Identity Management
  5. Require MFA for permanent highly privileged roles

    If you make an eligible role assignment for Global Administrator via PIM, it enforces MFA for role activation.

    This is the case for several highly privileged roles and cannot be changed. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings#multi-factor-authentication

    However, if you assign the role permanently, shouldn't this always enforce MFA for the user?

    I understand this change could have a big UX impact, and with the new baseline admin conditional access we already have a good way of protection in preview. But if that's the way Microsoft wants to go, shouldn't the baseline CA policy and the highly privileged PIM roles match?

    3 votes
    2 comments  ·  Privileged Identity Management
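The gap the idea above describes can be checked in a tenant today: list the permanent (active, non-PIM) assignments to highly privileged roles and test whether an enabled Conditional Access policy actually forces each holder through MFA. The script below is an added example, not part of the UserVoice post and not Microsoft code. The record shapes follow the Microsoft Graph roleManagement/directory/roleAssignments and identity/conditionalAccess/policies resources, but every record, principal ID and policy name is constructed so the check runs offline; the two role template IDs are the built-in Global Administrator and Privileged Role Administrator templates. It deliberately treats report-only policies and "require one of the selected controls" policies that also accept a compliant device as non-enforcing, since a Global Admin on a compliant device could then sign in without MFA.

```python
"""Find permanently assigned highly privileged directory roles that no enabled
Conditional Access policy forces through MFA.

Added example, not from the UserVoice post or from Microsoft. The record shapes
follow the Microsoft Graph roleManagement/directory/roleAssignments and
identity/conditionalAccess/policies resources, but every record below is
constructed, and the script runs offline on that sample only."""

# Built-in directory role template IDs for the roles this check cares about.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
HIGHLY_PRIVILEGED = {
    GLOBAL_ADMIN: "Global Administrator",
    PRIV_ROLE_ADMIN: "Privileged Role Administrator",
}

# Constructed sample: permanent (active, non-PIM) assignments. Eligible
# assignments are deliberately absent: PIM already demands MFA on activation.
ASSIGNMENTS = [
    {"principalId": "u-alice", "roleDefinitionId": GLOBAL_ADMIN},
    {"principalId": "u-bob", "roleDefinitionId": GLOBAL_ADMIN},
    {"principalId": "u-carol", "roleDefinitionId": PRIV_ROLE_ADMIN},
]

# Constructed sample: three Conditional Access policies, each with a different
# reason for (not) counting as MFA enforcement.
POLICIES = [
    {   # Enabled, all apps, MFA is the only control: enforces MFA, but bob is excluded.
        "displayName": "Require MFA for Global Admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": ["u-bob"],
                      "includeRoles": [GLOBAL_ADMIN], "excludeRoles": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Report-only: logs what would happen, enforces nothing.
        "displayName": "MFA for everyone (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeRoles": [], "excludeRoles": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # "Require one of the selected controls": a compliant device satisfies it without MFA.
        "displayName": "MFA or compliant device for PRAs",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": [],
                      "includeRoles": [PRIV_ROLE_ADMIN], "excludeRoles": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]


def policy_enforces_mfa(policy):
    """True only when the policy is enabled, targets all cloud apps and cannot
    be satisfied without MFA."""
    if policy.get("state") != "enabled":
        return False
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    if "All" not in apps:
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if grant.get("operator") == "AND":
        return "mfa" in controls   # every listed control is required
    return controls == ["mfa"]     # OR: any one control suffices, so MFA must be the only one


def policy_targets(policy, principal_id, role_id):
    """True when the principal falls in scope. Group-based targeting
    (includeGroups) is not resolved here; with real data expand group
    membership first."""
    users = policy.get("conditions", {}).get("users", {})
    if principal_id in users.get("excludeUsers", []) or role_id in users.get("excludeRoles", []):
        return False
    return ("All" in users.get("includeUsers", [])
            or principal_id in users.get("includeUsers", [])
            or role_id in users.get("includeRoles", []))


def uncovered_permanent_admins(assignments, policies):
    """Return (principalId, role name) for every permanent highly privileged
    assignment that no MFA-enforcing policy targets."""
    enforcing = [p for p in policies if policy_enforces_mfa(p)]
    gaps = []
    for a in assignments:
        role_id = a["roleDefinitionId"]
        if role_id not in HIGHLY_PRIVILEGED:
            continue
        if not any(policy_targets(p, a["principalId"], role_id) for p in enforcing):
            gaps.append((a["principalId"], HIGHLY_PRIVILEGED[role_id]))
    return gaps


if __name__ == "__main__":
    for principal, role in uncovered_permanent_admins(ASSIGNMENTS, POLICIES):
        print(f"{principal}: permanent {role} with no enforced MFA policy")
```

On the constructed sample the report lists bob (excluded from the only enforcing policy) and carol (covered only by a policy that a compliant device can satisfy). With real data, feed the script the two Graph responses and expand any includeGroups/excludeGroups into member IDs first, since the check above does not resolve group membership.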
  6. PIM

    There should be a means to force password reset on PIM-enabled accounts. We do this with CyberArk today, and our InfoSec department is balking at PIM due to the lack of automated password reset capability.

    3 votes
    0 comments  ·  Privileged Identity Management
  7. Recurring re-certification schedules

    Currently if I wish to re-certify membership of AD roles I need to manually add every new workflow. I would like to specify this once, and then schedule it to recur every 6 months (for example).

    3 votes
    0 comments  ·  Privileged Identity Management
  8. A Restricted Role Administrator directory role

    It would be beneficial to have a Restricted Role Administrator (RRA) directory role in Azure AD. It would be similar to the Privileged Role Administrator, but you could select the privileges you want the RRA to have. For example, an admin with more privileges (i.e. Global Admin or Privileged Role Admin) could decide if they want the RRA to have access to PIM, and the admin could restrict the roles that the RRA could assign to other users, so if they don't want the RRA to be able to assign other users to the Global Admin role or specific Limited…

    3 votes
    1 comment  ·  Privileged Identity Management
  9. Bulk registration of Non-Personal Accounts (MFA - AAD)

    All our non-personal accounts are AAD users (best practice).
    However, there is no way for the AD PIM vulnerability assessment to exclude them. In short, the "exclude" list does not do this.
    It's been suggested to "register" these, but that would mean manual registration of potentially hundreds of user IDs with fake temporary emails and someone's phone number. Not a pleasant thought.

    3 votes
    0 comments  ·  Privileged Identity Management
  10. Support some kind of policy-based approval / MFA for Azure AD roles

    Our customer REALLY loves the new approval workflow for Azure PIM, but they would really prefer an option to define policies for which admins need approval and for those who just need to elevate their own permissions using Azure MFA.

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    3 votes
    1 comment  ·  Privileged Identity Management
  11. Enable multi-select when activating roles in Privileged Identity Management - My roles

    My daily job requires me to activate multiple roles through PIM. I need to be able to do this in one go instead of activate, reason, duration, wait, repeat for all the roles I need that day. Let me just select them all and go through the screen only once.

    2 votes
    0 comments  ·  Privileged Identity Management
  12. PIM - Privileged Identity Management - Different policies for one role

    It would be great to have the possibility of different policies for the same role.

    Example

    PIM Policy - Global Admin Require Approval: No
    User1 will have to request access to 'Global Admin' through PIM and will be automatically granted the role

    PIM Policy - Global Admin Require Approval: Yes
    User2 will have to request access to 'Global Admin' through PIM and request needs to be 'Approved' by any 'Global Admin'

    2 votes
    0 comments  ·  Privileged Identity Management
  13. Allow Azure AD member to request role eligibility in Azure AD PIM

    I heard from customers that they would like the ability to switch on a toggle in Azure AD PIM that would allow normal users to request eligibility for an Azure AD role.

    Basically:

    1. Toggle on -> Allow members to request Azure AD role
    2. User/member requests role eligibility / Azure AD role
    3. Azure AD PIM admin approves the request for becoming a member of the Azure AD role, with either eligibility or approval depending on the default roles.
    4. The member/user would afterwards be able to request approval / eligibility and get approval by the defined approver.

    2 votes
    0 comments  ·  Privileged Identity Management
  14. Enable 'require approval' on a per user (vs per role) basis

    Currently, PIM only provides a "Require approval to activate this role" setting on a per-role basis. I would like to see this on a PER USER basis. So a user would be either: Permanent, Eligible, or Eligible (approval required).

    This is more in line with the trust model we want, allowing fewer permanent assignments. Some people would be trusted to self-elevate; others would require independent approval.

    2 votes
    0 comments  ·  Privileged Identity Management
  15. Show info and add it to notifications when activation expires

    We use PIM and sometimes a PIM activation expires in an opened Azure Portal session.
    Sadly, we often need some time to realize that the activation expired, because the functions in the Azure Portal are not blocked and therefore clickable, and there are many cryptic error messages shown when we try to use functions for which the activation has expired.

    It would be nice if an info message were displayed when a PIM activation expires.
    This info should be added to the notifications (bell).

    2 votes
    0 comments  ·  Privileged Identity Management
  16. Access review

    Option to include non-user service principals in access reviews of Azure PIM resource roles.

    All elevated member access (owners, contributors) to Azure subscriptions needs to be reviewed as part of SOX compliance, and currently non-user service principals (like VSO service principals used for automated deployments in Azure) are not included in the access reviews initiated for Azure resource roles.

    2 votes
    0 comments  ·  Privileged Identity Management
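Until service principals appear in the access reviews the idea above asks for, the assignments they hold can at least be pulled out for a manual review alongside the PIM review of user assignments. The script below is an added example, not part of the post and not Microsoft code. Its input mimics the JSON that `az role assignment list --all --output json` returns (principalName, principalType, roleDefinitionName, scope), but every record, principal name, subscription and scope is constructed so it runs offline. It keeps only service principal assignments in Owner, Contributor and User Access Administrator and orders them broadest scope first, since a management-group or subscription-wide Contributor grant to a pipeline identity is the one a reviewer should look at before a single resource group.

```python
"""List Azure resource role assignments held by service principals in roles an
access review should cover, so they can be reviewed alongside the user
assignments PIM access reviews already handle.

Added example, not from the post or from Microsoft. The input mimics the JSON
that `az role assignment list --all --output json` returns (principalName,
principalType, roleDefinitionName, scope), but every record below is
constructed and the script runs offline on that sample only."""
import json

# Roles that grant write or permission-management rights on Azure resources.
REVIEWED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Rank broader scopes first: a subscription-wide grant matters more than one on a single resource.
LEVEL_RANK = {"managementGroup": 0, "subscription": 1, "resourceGroup": 2, "resource": 3}

# Constructed sample (not real tenant data).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-0001"},
    {"principalName": "ci-deploy-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-0001"},
    {"principalName": "ci-deploy-web", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-0001/resourceGroups/rg-web"},
    {"principalName": "platform-automation", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
    {"principalName": "log-collector", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-0001"},
])


def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    parts = [p for p in scope.split("/") if p]
    if "managementGroups" in parts:
        return "managementGroup"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def service_principal_review_items(assignments_json, roles=REVIEWED_ROLES):
    """Return (principalName, role, level, scope) tuples for service principal
    assignments in the reviewed roles, broadest scope first."""
    rows = json.loads(assignments_json)
    items = [
        (r["principalName"], r["roleDefinitionName"], scope_level(r["scope"]), r["scope"])
        for r in rows
        if r.get("principalType") == "ServicePrincipal" and r.get("roleDefinitionName") in roles
    ]
    items.sort(key=lambda i: (LEVEL_RANK[i[2]], i[0]))
    return items


if __name__ == "__main__":
    for name, role, level, scope in service_principal_review_items(SAMPLE_ASSIGNMENTS):
        print(f"[{level}] {name}: {role} at {scope}")
```

Note that `--all` lists direct assignments only; a service principal that holds Contributor through an Azure AD group shows up as the group, so group members still need to be expanded separately before the review is complete.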
  17. When a role is currently active, always allow future activations to be scheduled.

    When my role is elevated, the 'Activate' button is not always enabled to allow me to schedule a future activation of the current role, if needed. Sometimes the Activate button is enabled and other times it is not. I do not see a consistent pattern to determine why I can sometimes schedule future activations and sometimes not.

    Currently I am only seeing this for the SharePoint Service Administrator role (as that is the only role I use PIM for). I know PIM is still in preview for this role, so it may not be affecting other roles.

    2 votes
    0 comments  ·  Privileged Identity Management
  18. Enable MFA check via selfactivate PIM API

    Hello, when attempting to use the API "selfactivate" for certain directory roles (User Administrator in my case), it states that the action can't be conducted because MFA needs to be done in order to escalate to this role. With that said, the Graph API doesn't actually begin the MFA process whatsoever. Can the complete MFA process be enabled when self-activating certain directory roles?

    2 votes
    0 comments  ·  Privileged Identity Management
  19. Add filters for eligible PIM roles

    It would be useful if there were filters on the eligible PIM roles screen. If you have many subscriptions and many different role types, it can be time consuming to locate the role(s) you need to activate, as there are many pages to navigate due to the relatively small number of roles displayed per page.

    Being able to filter on both Subscriptions and Roles would be ideal.

    So you could for example have a view of a particular role on all subscriptions, or all roles for a particular subscription.

    2 votes
    0 comments  ·  Privileged Identity Management
  20. Resource /Subscription view

    In the search bar, when we type a user name, it should show the list of the resources/subscriptions which the user has.

    2 votes
    0 comments  ·  Privileged Identity Management