Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Support some kind of policy based approval / MFA for Azure AD roles

    Our customers REALLY love the new approval workflow for Azure PIM, but they would really prefer an option to define policies for which admins need approval and for those who just need to elevate their own permissions using Azure MFA.

    https://blogs.technet.microsoft.com/enterprisemobility/2017/05/24/azure-ad-privileged-identity-management-approval-workflows-are-now-in-public-preview/

    4 votes
    1 comment  ·  Privileged Identity Management
  2. For access denied page, show least privilege role needed to encourage PIM

    When I get an access denied page in Azure AD portal, it would be VERY useful to add the least privileged role [needed to see this resource] as part of the error message page. This will help me know specifically which PIM role to activate (or to add this user to for future access) ...otherwise, it's often just ~easier~ to simply reach too high (e.g. activate GA because it's easier than hunting down or using trial-and-error to know which role I actually need)

    This is a GREAT resource and I use it often, but just surfacing the info immediately would…

    3 votes
    0 comments  ·  Privileged Identity Management
  3. Show info and add it to notifications when activation expires

    We use PIM and sometimes a PIM activation expires in an opened Azure Portal session.
    Sadly, we often need some time to realize that activation expired, because the functions in Azure Portal are not blocked and therefore clickable and there are many cryptic error messages shown, when we try to use functions for which the activation is expired.

    It would be nice if an info message is displayed when a PIM activation expires.
    This info should be added to the notifications (bell).

    3 votes
    0 comments  ·  Privileged Identity Management
  4. Improve PIM Azure resources browsing

    Today if I am using a resource filter "Resource" to explore Azure resources I am unable to see the real resource type of the displayed resources, i.e. Microsoft.Web/sites

    It causes problems when more than one resource has the same name. It is then impossible to distinguish which one is which; even clicking on the resource does not provide this information in the next screen either.

    3 votes
    0 comments  ·  Privileged Identity Management
  5. Require MFA for permanent highly privileged roles

    If you make an eligible role assignment for Global Administrator via PIM it enforces MFA for role activation.

    This is the case for several highly privileged roles and cannot be changed. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings#multi-factor-authentication

    However, if you assign the role permanently, shouldn't this always enforce MFA for the user?

    I understand this change could have a big UX impact and with the new baseline admin conditional access we already have a good way for protection in preview. But if that's the way Microsoft wants to go, shouldn't the baseline CA policy and the highly privileged PIM roles match?

    3 votes
    2 comments  ·  Privileged Identity Management
  6. Allow Azure Privileged Identity Management (PIM) to function correctly when a subscription delete lock is active on a subscription.

    After adding a subscription delete lock to a subscription, AD PIM will not allow any additional members or allow any elevation of privilege. It can take up to a few days to remove the lock and allow PIM to function again. The functionality of preventing accidental deletion of resources is critical, as many functions in Azure require a high level of privilege across the subscription.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Privileged Identity Management  ·  Flag idea as inappropriate…  ·  Admin →
  7. PIM

    There should be a means to force password reset on PIM enabled accounts. We do this with CyberArk today and our InfoSec department is balking on PIM due to the lack of automated password reset capability.

    3 votes
    0 comments  ·  Privileged Identity Management
  8. Bulk registration of Non-Personal Accounts (MFA - AAD)

    All our non-personal accounts are AAD users (best practice).
    However, there is no way for AD PIM vulnerability assessment to exclude them. In short, the "exclude" list does not do this.
    It's been suggested to "register" these - but that would mean manual registration of potentially hundreds of user IDs with fake temporary emails and someone's phone number. Not a pleasant thought.

    3 votes
    0 comments  ·  Privileged Identity Management
  9. End User to see Azure AD PIM approver details

    Hi,

    In Azure AD PIM, can we track who the approver is? I'm looking at it from an end user perspective, because when he activates his role it says pending for approval.

    How can he check who the approvers are, so that he can chase after the approver? Ping the approver and get his request approved.

    I don't see this option in Azure AD PIM. I understand as an Admin we can see who the approvers are, but how will the end user see where the request is pending?

    2 votes
    0 comments  ·  Privileged Identity Management
  10. Admin Consent Required for Basic PIM API Scenarios

    According to the docs, the permissions required to even perform basic scenarios (list my eligible roles, activate a role) require admin consent. Can the API be improved to require less consent? I use PIM quite a bit and the portal experience can be painfully slow; I'd really like to automate it with the API.

    2 votes
    1 comment  ·  Privileged Identity Management
  11. Make Azure AD role activation in PIM faster

    Currently activating an Azure AD role such as Global Admin or User Admin in Privileged Identity Management (PIM) takes 15+ minutes to fully activate (this time starts after following the step to sign out). Even after logging out and back in again, the role will display as active in the Azure AD overview blade, but when trying to take an action such as updating a user license (in the Office 365 portal) or updating an App configuration in the Azure AD Portal, the action will fail claiming access denied. After 15-30 minutes, the role finally becomes fully active with no notification…

    2 votes
    0 comments  ·  Privileged Identity Management
  12. Make sure that in some situations eligible users are selectable

    In some other parts of Azure AD, you can only select users if they are currently activated in their role. E.g. the Admin Consent reviewers are only selectable if they have the necessary roles permanently, or are activated at that time. It would be nice if, for these kinds of situations, you could select all the users eligible for the role as well.

    2 votes
    0 comments  ·  Privileged Identity Management
  13. Auto suggest role activation on "access denied" error messages if user is eligible

    If I have a role that would allow me to access a page via PIM, error messages should suggest enabling the least privilege role I am eligible for instead of just showing an access error.

    This would:
    1. allow thinking about PIM as a workaround
    2. understand that Global Admin is not the role to activate by default and that less powerful roles could still allow getting things done
    3. add some friendliness to "access denied" error messages :-)

    2 votes
    0 comments  ·  Privileged Identity Management
  14. Azure CLI PIM activation

    To reduce churn, it would be good if there was a CLI method of activating PIM Azure Resource roles so that the process was less laborious.

    2 votes
    0 comments  ·  Privileged Identity Management
  15. PIM - multiple approvers required

    At the moment you configure multiple approvers in the role setting details dialog. As soon as one approver approves, the request gets accepted.

    I would like to have an option to require multiple approvers to allow the request,
    e.g. configure 5 approvers - 2 are required to approve the request

    2 votes
    1 comment  ·  Privileged Identity Management
  16. Add an option to display minimum roles needed to see *this* blade

    To help users get comfortable knowing that Global Admin is not needed for everything, we should add a control (e.g. into the top menu for any given blade in the Azure AD portal) that shows the least privileged roles to see (or update) this page.

    For example, if I only need "Security Admin" for configuring Identity Protection (or "Security Reader" to see it), make it easier for me to discover that's all I really need. Otherwise, asking for Global Admin becomes the path of least resistance.

    2 votes
    0 comments  ·  Privileged Identity Management
  17. Add Roles and Groups from other M365 services to PIM

    Enable PIM to support roles and groups from other M365 services, such as Intune roles and Azure AD groups, to support services like MCAS and Defender ATP.

    2 votes
    0 comments  ·  Privileged Identity Management
  18. Organization Management / Search and Purge

    In order to combat dangerous / phishing messages, is it possible to add the O365 Organization Management or the Search and Purge management role into PIM?

    Since these roles are very powerful, it would be great if they can be added.

    2 votes
    0 comments  ·  Privileged Identity Management
  19. Enable 'require approval' on a per user (vs per role) basis

    Currently, PIM only provides a "Require approval to activate this role" setting on a per role basis. I would like to see this on a PER USER basis. So a user would be either: Permanent, Eligible, or Eligible (approval required).

    This is more in line with the trust model we want, allowing fewer permanent assignments. Some people would be trusted to self-elevate; others would require independent approval.

    2 votes
    0 comments  ·  Privileged Identity Management
  20. Access review

    Option to initiate one access review for multiple resource roles (like Owner & Contributor).

    Currently we need to create a separate access review for each resource role in Azure PIM. We need an option to initiate one access review for multiple roles.

    2 votes
    1 comment  ·  Privileged Identity Management